CRPxO is a ransomware threat actor observed conducting extortion operations against healthcare-related organizations, including dental practices and a biopharmaceutical company. Reported victims indicate activity affecting entities in the United States and China, with a notable concentration on medical and dental organizations. The group is associated with ransomware incidents that also involve data theft and public claims of leaked victim data, indicating a double-extortion model rather than encryption-only disruption. Observed victimology suggests opportunistic targeting within the healthcare sector, including small and mid-sized clinics and specialty medical providers. High-confidence reporting currently supports identifying CRPxO as a ransomware group responsible for publicly claimed breaches and data leaks. Beyond that, publicly corroborated detail remains limited. There is not enough verified information to confidently assess the group’s nationality, state affiliation, initial access patterns, malware lineage, preferred tooling, or stable mapping to specific sub-groups or alternative aliases beyond the stylized name CRPxO.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting a ransomware attack resulting in a data breach and leak against SF Smile Doctor in the healthcare sector.
Conducting a ransomware attack resulting in a data breach and leak against AMHWA Biopharm Co., Ltd.
Conducting a ransomware attack and associated data leak against a pediatric dentistry organization in the United States.
Conducting a ransomware attack resulting in a data breach against a healthcare organization, with 1.2 GB of data reportedly leaked.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.