CipherForce
CipherForce is a ransomware and data-extortion operation first observed on 2026-02-23. It operates Tor-based leak infrastructure, including the onion site o3ydbkayttkyg4iw2nc732jxmmex25bjeyqyvuuyngnxmpehdefjr3qd.onion. Reporting states that its two known Tor leak sites were offline or unavailable during parts of April 2026 and that it had not posted new victims since 2026-02-23. Leak-site profiling lists six alleged victims across multiple countries and sectors; no ransom notes, exploited vulnerabilities, negotiation chats, or indicators of compromise beyond the leak-site address were available in the cited content.

The group is directly linked in the reporting to TeamPCP and ShellForce. One statement attributed to the operators reads: "For those out of the loop, you may already know us as TeamPCP or Shellforce... CipherForce is a newer project we are starting to find affiliates and are hoping to begin publishing companies soon." Supporting reporting states that TeamPCP launched a proprietary ransomware operation under the CipherForce name, and that TeamPCP partnered with CipherForce, alongside Vect and, in some reporting, Lapsus$, to leak data and extort victims. The same reporting states that CI/CD credential-theft campaigns attributed to TeamPCP fed a broader monetization chain linked to CipherForce.

On the available content, CipherForce should be understood as a financially motivated ransomware/extortion brand within the broader TeamPCP/ShellForce ecosystem rather than as a separately attributed nation-state actor. The only alias the content directly supports is CipherForce itself; TeamPCP and ShellForce are the actor/project context to which it is explicitly linked.
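The leak-site address above is the one concrete artifact this profile carries. Before a v3 onion address goes into a blocklist or an indicator feed, it is worth checking that it is structurally a valid v3 address, because a single transcription error yields a string that looks right but can never resolve. The Python below is an added example written for this page, not code from the cited reporting or from any tool named here. It implements the v3 address layout from the Tor rendezvous specification (32-byte Ed25519 public key, 2-byte truncated SHA3-256 checksum, 1-byte version, base32-encoded) and runs it over the page's address and over a constructed placeholder key; `bytes(range(32))` is that placeholder and is not a real service key, and the code checks only the address encoding, not whether the key is a valid Ed25519 point.

```python
import base64
import binascii
import hashlib

# v3 onion address layout (Tor rend-spec-v3):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
ONION_V3_VERSION = 3
ONION_V3_HOST_LEN = 56  # 35 raw bytes * 8 / 5 = 56 base32 characters, no padding

# Leak-site address cited on this page for CipherForce.
CIPHERFORCE_ONION = "o3ydbkayttkyg4iw2nc732jxmmex25bjeyqyvuuyngnxmpehdefjr3qd.onion"


def onion_v3_checksum(pubkey: bytes, version: int = ONION_V3_VERSION) -> bytes:
    """Truncated SHA3-256 over the spec's domain separator, the key and the version byte."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()
    return digest[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte public key (key validity is not checked)."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public key must be exactly 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str) -> dict:
    """Decode and validate a v3 onion address.

    Returns 'valid' plus a 'reason' on failure, and whatever fields were
    recoverable ('version', 'pubkey_hex') so a reviewer can see how far
    decoding got before it failed.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    result = {"address": address, "valid": False, "reason": None,
              "version": None, "pubkey_hex": None}

    if len(host) != ONION_V3_HOST_LEN:
        result["reason"] = f"expected {ONION_V3_HOST_LEN} base32 characters, got {len(host)}"
        return result
    try:
        raw = base64.b32decode(host, casefold=True)
    except binascii.Error as exc:
        # Covers characters outside a-z / 2-7 (e.g. 0, 1, 8, 9 from a bad transcription).
        result["reason"] = f"not valid base32: {exc}"
        return result

    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    result["version"] = version
    result["pubkey_hex"] = pubkey.hex()
    if version != ONION_V3_VERSION:
        result["reason"] = f"unsupported version byte {version}"
        return result
    if checksum != onion_v3_checksum(pubkey, version):
        result["reason"] = "checksum mismatch"
        return result
    result["valid"] = True
    return result


if __name__ == "__main__":
    # Constructed placeholder key for the round-trip demo; not a real Tor service key.
    demo_key = bytes(range(32))
    demo_addr = encode_onion_v3(demo_key)
    print("constructed:", demo_addr, parse_onion_v3(demo_addr)["valid"])
    print("page address:", parse_onion_v3(CIPHERFORCE_ONION))
```

A v3 address always ends in `d` because the version byte 0x03 lands in the last base32 character, so an address ending in anything else has been mangled; the checksum catches the remaining single-character errors that the length and charset checks miss.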
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Transportation
- Commercial & Professional Services
- Software & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇦🇪 United Arab Emirates
- 🇻🇳 Vietnam
- 🇮🇳 India
- 🇨🇳 China
Tradecraft
39 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
1 indicator attributed to this actor from reporting (domains, IPs, hashes, and other artifacts); the only artifact cited on this page is the Tor leak-site address above.
Recent activity
12 sources tracked across advisories, community write-ups, and news. Source summaries mentioning CipherForce:
- Referenced as another TeamPCP-affiliated ransomware operator that had been inactive for roughly 70 days.
- Named as extortion/leak infrastructure within the broader TeamPCP-affiliated monetization ecosystem; the source emphasizes that its infrastructure remained offline and that an expected public dump did not occur.
- Named as extortion/leak infrastructure associated with TeamPCP's monetization ecosystem; noted as offline and inactive during the period.
- Named as extortion/leak infrastructure within the broader TeamPCP-linked monetization ecosystem; noted for inactivity and offline leak infrastructure.