Skip to main content
Mallory
Back to threat actors
Ransomware1 malware family

Fiddling Scorpius

Also known asFiddling Scorpius

Fiddling Scorpius is identified in the provided content as the threat group behind the Play ransomware operation, as tracked by Palo Alto. The content links the group to Play ransomware activity, including the reported attack on the French Rugby Federation three months before the 2023 Rugby World Cup, where systems were encrypted and personally identifiable information was exfiltrated. Play ransomware, also known as PlayCrypt, has been active since at least June 2022 and uses double extortion, combining encryption with data theft and leak-site pressure. Reported initial access methods associated with the operation include valid account abuse, exploitation of public-facing applications such as FortiOS SSL VPN and Microsoft Exchange, phishing and social engineering, and abuse of external remote services including RDP and VPN. The malware is described as written in C++, with anti-debugging and anti-analysis features, and reporting indicates binaries may be recompiled per victim to generate unique hashes. A Linux variant targeting VMware ESXi environments has also been reported. The content also notes commonly reported associations involving the broader Play operation, including Andariel, Balloonfly, Prolific Puma, QuadSwitcher, and Quantum, but does not establish confirmed relationships. Known alias for this actor in the provided content is Fiddling Scorpius; the associated ransomware family is Play, also known as PlayCrypt.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Consumer Services

Where they target

Geographies tied to known operations.

  • 🇫🇷 France
MITRE ATT&CK

Tradecraft

3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

6 of 15 tactics6 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1078
Valid Accounts
TA0003
Persistence
1 technique
T1078
Valid Accounts
TA0004
Privilege Escalation
1 technique
T1078
Valid Accounts
TA0005
Stealth
1 technique
T1078
Valid Accounts
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
TA0040
Impact
1 technique
T1486×2
Data Encrypted for Impact
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
PLAYRugby World Cup, France 2023 Fiddling Scorpius, distributors of Play ransomware ... French Rugby Federation systems encrypted three months before kickoff; Personally identifiable information (PII) exfiltrated.2May 28, 2026
ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping3

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.