Booba Project is a ransomware threat actor publicly associated with attacks involving data theft and extortion. Reported victimology indicates targeting of organizations in the business services sector across multiple countries, including Russia and the United States. Observed activity suggests a double-extortion style operation in which data is exfiltrated in conjunction with ransomware deployment and victims are publicly named. Booba Project has been linked to intrusions against organizations such as URA Group and Upstaging, with claimed theft of victim data accompanying the ransomware incidents. The currently available information supports classification as a ransomware group, but does not provide sufficient high-confidence detail to attribute the actor to a specific country, state sponsor, or broader intrusion cluster. No corroborated sub-groups or widely used alternative aliases are currently available from the provided information. Based on reported incidents, Booba Project appears to focus on financially motivated operations characterized by compromise of enterprise environments, theft of data, and extortion pressure through public disclosure of victim claims. Additional technical details on tooling, initial access methods, persistence mechanisms, or command-and-control tradecraft are currently not available.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack and associated data theft against URA Group, with 5 GB of stolen data reported.
Conducting a ransomware attack and associated data theft against Upstaging, with 10 GB of stolen data reported.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.