🇷🇺 RU2 malware families

Key Group

Also known askey_group

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

4 of 15 tactics9 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0003

Persistence

2 techniques

T1112

Modify Registry

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

1 technique

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0112

Defense Impairment

1 technique

T1112

Modify Registry

TA0011

Command and Control

1 technique

T1102

Web Service

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

ChaosWhile the Chaos ransomware variant copied itself to $ user \ $ appdata \ cmd . exe and launched a new process, the new process in turn created a new file in the startup folder.1Jun 14, 2026

UX-CryptorFor example, UX-Cryptor added itself to the registry as shown below.1Jun 14, 2026

IOCS

Observables

2 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

2 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

securelistNews

May 21, 2026

Leaked ransomware variants give rise to new cybercrime groups | Securelist

Ransomware group active since April 2022 that rotates across numerous ransomware families and slightly adapts its TTPs with each variant. The group is described as Russian-speaking, operating as an exception inside Russia, and using relatively unsophisticated infrastructure such as GitHub for C2 and Telegram for communications.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables2

Domains, IPs, and hashes tied to this actor, refreshed continuously.