Team XXX is a ransomware threat actor that emerged in mid-2024 and is also referenced as Teamxxx and team_xxx. It is identified as part of a wave of new ransomware groups that expanded the ransomware-as-a-service ecosystem during 2024 and remained notable into 2025. Reporting places the group among newer operators that helped reshape the criminal ransomware market by absorbing technology and personnel from defunct operations, indicating a likely opportunistic and affiliate-driven operating model rather than a clearly attributable state-backed campaign. Available reporting on Team XXX is limited. The group is primarily noted for appearing alongside other newly emerged ransomware brands such as Global, W.A., Kawa4096, and Warlock. It has been publicly associated with victim claims on leak sites, which is consistent with double-extortion ransomware operations that combine data theft, encryption, and public shaming to pressure organizations into payment. Specific tradecraft, malware lineage, initial access methods, and post-compromise techniques are not well established in the available information. There is currently insufficient high-confidence public information to characterize Team XXX’s full targeting profile, geographic focus, victimology, or internal structure in detail. No reliable evidence in the available material supports attribution to a nation state. Team XXX is best understood as an emerging financially motivated ransomware actor active in the broader 2024-2025 ransomware landscape.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as a new ransomware variant/gang emerging in 2024 and associated with victim claims posted in June 2024.
Emerging ransomware group cited as part of a wave of new RaaS actors absorbing resources from defunct operations.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.