DireWolf is a ransomware group/malware operation first reported as emerging in May 2025, with first victim postings on its leak site observed on May 26, 2025. Reporting cited in the content describes it as quickly demonstrating mature extortion operations and using double extortion tactics. By late August 2025, one deep-dive reported about 39 confirmed victims, with victim geography spanning more than 11 countries and concentration in Singapore, Thailand, the Philippines, and Taiwan. Additional reported victims include a Pakistani automobile assembly and sales company and Universidad Mayor, a large private university in Chile. The content associates DireWolf with a malicious domain used in campaigns or social engineering, tor-browser[.]io, including subdomains such as www, sitemap, and sitemaps. High-confidence behavior and ecosystem context in the source material indicate ransomware operations in 2025 commonly relied on exfiltration plus encryption and public pressure, though only the double-extortion behavior is directly attributed to DireWolf in the provided content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware operation using double extortion; associated with social-engineering infrastructure (e.g., tor-browser[.]io) and published victim leak-site activity.
Ransomware operation with structured leak-site posting and double-extortion; includes social-engineering infrastructure (e.g., tor-browser[.]io) and recovery-disruption tooling.
Ransomware operation reported launching an attack against a Pakistani automobile assembly and sales company.
Ransomware group responsible for encrypting systems at Universidad Mayor, demanding ransom for file decryption.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.