arcusmedia is a ransomware threat actor observed conducting extortion-oriented intrusions against organizations in multiple countries. Reported victims span Malaysia, Portugal, France, South Africa, Canada, and the United States, indicating opportunistic or broad targeting rather than a narrowly defined vertical focus. Observed victim sectors include public services, technology, transportation and logistics, hospitality and tourism, and consumer services. The group has been associated with ransomware incidents described as data breaches and accompanied by time-bound extortion deadlines, consistent with financially motivated ransomware operations that combine network compromise, data theft, and pressure tactics. Publicly reported activity shows arcusmedia naming victims and setting deadlines for response, behavior commonly associated with leak-site-based extortion workflows. There is currently no high-confidence public information in the available reporting linking arcusmedia to a specific nation-state sponsor, geographic origin, malware family, or well-established intrusion cluster under another widely used name. No corroborated sub-groups or alternate aliases are established beyond the observed self-identification as arcusmedia. Attribution should therefore be treated as limited to a ransomware actor engaged in multi-country victimization and extortion.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach against Perpustam in Malaysia.
Conducting a ransomware attack resulting in a data breach against gemese.pt.
Conducting a ransomware attack resulting in a data breach against Distribox.
Conducting a ransomware attack resulting in a data breach against Be Travel in South Africa's hospitality and tourism sector.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.