HYFLOCK
HYFLOCK is a previously unreported ransomware-as-a-service (RaaS) operation active in 2026 and operating exclusively on Tor at e5hdifgit6ua7k4ggmltume7kbyryksdnlrkc55we33fnshgxfeqgsyd[.]onion. It was observed as part of the criminal RaaS ecosystem and publicly recruited affiliates. On May 14, 2026, an actor using the handle hyflock123 opened a recruitment thread on the Duty-Free forum to launch Hyflock and claimed prior work for LockBit and Qilin; that lineage is self-reported and was not independently corroborated in the reporting.
The operation was described as an all-in-one RaaS platform with affiliate management, a payload builder, victim negotiation chat rooms, payment tracking, and a data leak site. Publicly exposed platform elements indicated a dual-portal model separating attacker and victim access, open registration for affiliate recruitment, and support for Bitcoin, Zcash, and Monero payments. The leak site was described as including screenshot previews of stolen data, file listings by category, selective public/private disclosure controls, and ZoomInfo-based victim company enrichment.
Hyflock advertised integrated initial-access purchasing, an access-broker marketplace, automated negotiation rooms, automated revenue sharing, AI-driven victim analysis, and red-team support. It advertised a sliding operator cut of 20% on the first job and 15% on the second job, stabilizing thereafter. Hyflock also claimed that its encryptor used a hybrid AES-128-CTR and RSA-4096 scheme and ran at roughly twice the speed of LockBit 3.0; the performance claim was not independently verified.
Researchers reported that HYFLOCK's public login page exposed an 8,112-line CSS file containing 94 lines of Simplified Chinese developer comments that revealed internal platform components and workflow. The panel UI rendered in English and Russian, with Russian appearing to be the primary interface language, while the Chinese comments were assessed as likely native developer documentation. The reporting also noted otherwise strong operational security controls, including Content Security Policy (CSP), CSRF protections, X-Frame-Options, authentication redirects, and CAPTCHA-based DDoS protection, all of which were undermined by the exposed stylesheet. Known alias in the reporting: hyflock.
Tradecraft
14 distinct techniques observed across reporting, grouped by tactic.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
A newly launched ransomware-as-a-service program recruiting affiliates on Duty-Free. It claims former LockBit and Qilin experience and advertises an all-in-one panel with integrated access-broker purchasing, automated negotiation rooms, automated revenue sharing, AI-driven victim analysis, red-team support, GPO deployment, and cloud-backup file encryption.
Referenced negatively by The Gentlemen as not to be taken seriously.
Observed as a Ransomware-as-a-Service criminal operation within the dark web ecosystem.
A previously unreported ransomware-as-a-service operation with a full affiliate platform including payload building, victim negotiation chat rooms, a data leak site, affiliate registration, and cryptocurrency payment support.