01flip
01flip is a ransomware family discovered by Palo Alto Networks Unit 42 and tracked in connection with threat cluster CL-CRI-1036. It is written entirely in Rust and is described as a cross-platform ransomware capable of targeting both Windows and Linux systems. The malware appends the .01flip extension to encrypted files, and ransom notes use the contact email address 01flip(@)proton.me. Reporting states that the campaign has targeted a limited set of victims in the Asia-Pacific region, including organizations in the Philippines and Taiwan, with a focus on critical infrastructure. The activity was investigated beginning in June 2025 after a suspicious Windows executable was intercepted. The operators are described as using a manual, hands-on intrusion approach rather than fully automated deployment. Initial access has been associated with exploitation of vulnerabilities including CVE-2019-11580, and the actors were observed deploying the Sliver adversary emulation framework for persistence and lateral movement, including movement to another Linux machine in late May 2025 via a Sliver implant. The ransomware contains a hardcoded list of file extensions to ignore, including "lockbit"; while this may suggest a possible LockBit link or false flag, no direct connection to LockBit has been established in the reporting. The campaign is assessed as financially motivated and has been linked to data leaks on dark web forums, including a confirmed leak from an affected organization shortly after an attack.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Rust-written ransomware targeting Windows and Linux; observed attack chains include exploitation of known vulnerabilities (example cited: CVE-2019-11580) to gain initial access; attributed in the content to financially motivated actor CL-CRI-1036.
01FLIP is a newly discovered ransomware family that encrypts files and appends the .01flip extension, demanding ransom via email.
Rust-based ransomware targeting organizations in APAC; supports Windows and Linux; associated with data theft/extortion via dark web sales.
01flip is a cross-platform ransomware written in Rust, capable of targeting both Windows and Linux systems. It is used in targeted attacks against critical infrastructure, employing manual intrusion methods and leveraging tools like Sliver C2 for lateral movement and persistence. The malware avoids encrypting files with the 'lockbit' extension, possibly indicating a connection or a false flag related to the LockBit ransomware group. It has been linked to data leaks and extortion on the dark web.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.