by Chris Roach | Feb 2, 2026 | Threat Advisories
Executive Summary

0APT (also stylized as 0apt) is a newly emerged ransomware group first publicly detected around January 28, 2026. It operates as a Ransomware-as-a-Service (RaaS) syndicate using a double-extortion model (file encryption via AES-256 and data exfiltration, with threats to leak the victim’s data). The group describes itself as a “politically neutral underground syndicate” focused solely on financial gain, with examples of demands such as “a sudden tax on your security negligence”.
However, this appears to be a low-effort operation aimed at building hype or scamming affiliates rather than conducting real attacks. CTI firms have removed most 0APT entries from their trackers, leaving only a handful under “potential” investigation. Organizations should continue to monitor for any changes, but the current assessment is that 0APT poses minimal real risk. If you’re associated with a listed entity, verify internally rather than engaging with the group.
Key Characteristics
- Model: RaaS. Affiliates supply targets; the core group provides tools (phishing C2 infrastructure, locker/encryptor, negotiation/chat support), handles extortion, and takes a revenue share. Access to their darkweb portal reportedly uses browser signatures for filtering.
- Multiple CTI platforms, including DarkFeed and RansomLook, have conducted reviews and concluded that the majority of listed “victims” are fictitious. Many company names do not correspond to real entities, and some appear to be AI-generated or pulled from sandbox environments rather than actual breaches.
- No ransomware samples, payloads, IOCs, or YARA rules have been identified or shared by researchers. There’s zero evidence of a functional encryptor or exfiltration tooling.
- Despite countdown timers expiring for numerous claimed victims, trackers have observed no corresponding data publication for the large majority of them; a few sources report 3 actual publications, and those remain unverified. For a genuine double-extortion operation, expired timers with nothing published is a major red flag.
- The group has shifted to recruiting “black hat hackers” or affiliates, which analysts interpret as a potential scam to steal cryptocurrency from would-be partners rather than a genuine RaaS model.
- Leak Site: Dark web Onion/Tor-based “leak blog” or victim portal where victims are listed with countdown timers (“T-MINUS” style, often 14–17+ days). Some victim announcements include claimed data volumes (e.g., 200GB, 450GB) and sample descriptions. Trackers like ransomware.live report ~91 victims listed (as of early February 2026).
- No independent confirmations from victims, forensic reports, or regulatory filings (e.g., SEC disclosures) have surfaced. Aggregators like Ransomware.live and RedPacket Security list the claims but note they are unverified and based solely on the group’s announcements.
- A few real companies are interspersed among the fake ones (e.g., Liberia Revenue Authority, Liberia Electricity Corporation), possibly to lend credibility, but even these lack any public acknowledgment of breaches.
- Aggressiveness: Claims an extremely high volume of intrusions: 71 in roughly 48 hours in late January 2026 (9 posted on Jan 28, 1 on Jan 29, 61 on Jan 30), including roughly 60 entries added within a single 24-hour period. Taken at face value this would indicate rapid affiliate scaling or an industrialized operation; taken together with the absence of leaks and the fictitious names, the posting rate is more consistent with bulk fabrication than with a newly formed group's genuine intrusions.
- Sources that initially reported the surge (e.g., CtrlAltNod claiming 3 exposures) have not provided follow-up evidence, and subsequent intel corrections have downgraded the threat.
Activity Timeline (as of Feb 2, 2026)
- Jan 28: Initial detection; ~8 victims listed (e.g., Metropolis City Municipal, Apex Logistics Solutions, TechnoSoft IT Services, GreenValley Regional College, Sunrise Manufacturing Ltd., Rapid Food Distributors, Dr. Smith Dental Clinics, Orion Legal Partners).
- Jan 30: Surge. Initial reports of 19+ new victims announced in quick succession, followed by roughly 60 added to the leak site within 24 hours; total claims reached 71 within a short window. Examples include Aegis Defense Systems and Metro General Hospital.
- Early Feb: Continued claims (e.g., Liberia Revenue Authority, Liberia Electricity Corporation); trackers list 90+. Some reports state that data from at least 3 companies has been published on the site, which this analysis has not confirmed; many other entries face active countdowns. Some victims are reportedly marked as having “reached an agreement” quickly, which could indicate payments but is unverified and is itself a skepticism point.
Targets and Victims
Broad, opportunistic targeting across critical and high-value sectors worldwide (US, UK, Serbia, South Africa, Liberia, etc.). No strong geographic or sector focus evident; appears to be volume driven.
Notable ‘claimed’ victims (partial list from announcements):
- Healthcare: Metro General Hospital (surgery videos, patient HIV status, billing), Silverline Hospitals, Noble Pharma (clinical trials).
- Defense/Energy/Critical Infra: Aegis Defense Systems (weapon blueprints), Solaris Renewable Energy (patents, grid data), Diamond Deep Drilling (seismic/oil data), National Rail Network (signal codes), Harbor Port Authority (container tracking), Solstice Energy Grid (SCADA).
- Finance/Crypto: Quantum Financial Corp, CryptoVault Exchange (KYC, wallet keys), Silver City Bank.
- Logistics/Transport: Apex Logistics Solutions (~450GB invoices/passports), Rapid Courier Services, Pacific Ocean Cargo.
- Tech/IT/AI/Research: Obsidian Tech Labs (BIOS/prototypes), FutureTech AI (datasets/model weights), NeoTech Solutions (source code/API keys), Quantum Physics Lab.
- Education/Gov/Public: GreenValley Regional College, Summit Education Trust, Metropolis City Municipal, Liberia Revenue Authority/Electricity Corp.
- Others: Visionary Architects (CAD files), IronClad Security (client/access data), Global News Corp (sources/interviews), Sapphire Jewelry, Elite Hospitality, Urban Outfitters, etc.
Claimed data types: Highly sensitive PII (passports, SSNs, medical/HIV records, student data), IP (patents, CAD/blueprints, source code, AI models, weapon/SCADA/seismic/GMO data), financial (KYC/wallet keys/tax returns/SWIFT), corporate (client lists, contracts, surveillance footage), etc.
TTPs, Capabilities, and Verification
- Known/Claimed TTPs: AES-256 file encryption, as claimed by the group; no sample has been analysed to confirm it. Initial access likely via phishing, using the C2 infrastructure the core group supplies to affiliates.
- Graduated pressure: intrusion → encryption → countdown/leak threat.
- No public ransom notes, specific malware variants, YARA rules, CVEs, or IOCs have been released by researchers yet.
- No confirmed attribution beyond cybercrime RaaS.
- Verification Status: All reported activity traces back to the group’s own leak-site announcements and the trackers aggregating them. There is no widespread independent confirmation of compromise (public data dumps, forensic reports, or victim disclosures). Threat intel communities are skeptical: no leaks were observed in several early cases, some victims were marked as reaching “agreements” unusually fast, and the listing shows the signs of inflated claims, selective or fake postings, or a LARP-style operation built to earn a reputation. A few sources note 3+ actual publications. Monitor the leak site directly for confirmation rather than relying on aggregated counts.
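The red flags in the verification notes above (a posting burst like the 61 entries on Jan 30, expired countdowns with nothing published, and no independent confirmation) can be checked mechanically against whatever a tracker exports. The following is an added example written for this advisory, not tracker code and not the group’s material: the records are constructed (names and dates are made up), and the field names and thresholds are assumptions rather than any tracker’s schema or published figures.

```python
"""Score a set of leak-site claims against the red flags discussed above.

Added example, not part of the advisory and not any tracker's code. The records
below are constructed for illustration (names and dates are made up); the field
names and thresholds are assumptions, not a tracker schema or published figures.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Claim:
    victim: str
    posted: date                   # day the entry appeared on the leak site
    countdown_ends: date           # expiry of the "T-MINUS" timer on the entry
    data_published: bool           # did any data actually appear?
    independently_confirmed: bool  # victim statement, filing or forensic report


TODAY = date(2026, 2, 2)           # assessment date used by the sample below


def posts_per_day(claims):
    """Posting velocity: entries added per calendar day."""
    return Counter(c.posted for c in claims)


def expired_without_leak(claims, today):
    """Victims whose timer has run out with nothing published."""
    return [c.victim for c in claims
            if c.countdown_ends < today and not c.data_published]


def triage(claims, today, burst_threshold=20, silent_ratio=0.5):
    """Return the red flags the claim set trips and an overall assessment.

    burst_threshold: entries posted on one day that is implausible for a
    newly formed group (a tunable assumption, not a published figure).
    silent_ratio: fraction of expired timers with no leak above which the
    listing is flagged.
    """
    flags = []
    if not claims:
        return {"flags": flags, "assessment": "no_claims", "total_claims": 0}

    busiest_day, burst = posts_per_day(claims).most_common(1)[0]
    if burst >= burst_threshold:
        flags.append(f"posting_burst:{burst}_on_{busiest_day.isoformat()}")

    expired = [c for c in claims if c.countdown_ends < today]
    silent = expired_without_leak(claims, today)
    if expired and len(silent) / len(expired) >= silent_ratio:
        flags.append(f"expired_without_leak:{len(silent)}/{len(expired)}")

    if not any(c.independently_confirmed for c in claims):
        flags.append("no_independent_confirmation")

    if len(flags) >= 2:
        assessment = "low_credibility"
    elif flags:
        assessment = "unverified"
    else:
        assessment = "no_red_flags"
    return {"flags": flags, "assessment": assessment, "total_claims": len(claims)}


# Constructed sample: a burst on one day, timers already expired, nothing leaked, nothing confirmed.
SAMPLE = (
    [Claim(f"Example Org {i:02d}", date(2026, 1, 28), date(2026, 1, 31), False, False)
     for i in range(3)]
    + [Claim("Example Org 03", date(2026, 1, 29), date(2026, 2, 1), False, False)]
    + [Claim(f"Example Org {i:02d}", date(2026, 1, 30), date(2026, 2, 14), False, False)
       for i in range(4, 25)]
)

# Control set: slow posting, one expired timer followed by a real leak and a victim statement.
CONTROL = [
    Claim("Example Org A", date(2026, 1, 10), date(2026, 1, 24), True, True),
    Claim("Example Org B", date(2026, 1, 20), date(2026, 2, 10), False, False),
]

if __name__ == "__main__":
    for label, claims in (("sample", SAMPLE), ("control", CONTROL)):
        print(label, triage(claims, TODAY))
```

Run against a real export, the script only tells you which red flags a listing trips; it cannot prove a claim false. A listing that trips none should still be treated as unverified until a victim statement, filing or leaked data appears.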
Potential Impact and Risk
If the claims were genuine, the scale and the sectors named (energy, transport, healthcare, defense, finance) would represent a significant risk of PII exposure, IP theft and regulatory consequences even without encryption or disruption, and expired countdowns would be followed by leaks. The current evidence does not show that. A listed organization should treat the listing as a prompt to verify internally, not as confirmation of compromise, while continuing to watch the site for any actual publication.
Recommendations
- Prevention: Robust phishing defenses, MFA everywhere, patching, EDR/XDR, network segmentation, offline 3-2-1 backups, least-privilege access, email/web filtering.
- Detection/Monitoring: Monitor dark web/leak sites (e.g., via ransomware.live or commercial intel), anomalous exfil/activity, phishing attempts.
- Response: If named, treat it as a potential incident and verify internally (assume breach until your own evidence says otherwise); do not pay ransoms, which fund the model; engage IR/forensics; notify regulators and law enforcement (e.g., FBI IC3); test backups.
- General: Treat claims skeptically until verified; prioritize high-value sectors (healthcare, critical infra, finance, IP-heavy orgs).
Sources: Primary X alerts (Hackmanac Jan 28, DailyDarkWeb & JustaBreach Jan 30), ransomware.live group profile, ZATAZ darkweb contact report, DailyDarkWeb article, aggregator reports (DeXpose, Malware.news, RedPacket Security, etc.). No specific IOCs available at this time.
by Chris Roach | Jan 27, 2026 | Threat Advisories
Executive Summary

Microsoft released an emergency out-of-band security update to address CVE-2026-21509, a high-severity zero-day vulnerability affecting multiple versions of Microsoft Office. The vulnerability allows attackers to bypass critical security features (specifically OLE mitigations) and is currently being actively exploited in the wild.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog on January 26, 2026, mandating federal agencies to patch by February 16, 2026.
Vulnerability Details
- CVE ID: CVE-2026-21509
- CVSS Score: 7.8 (High)
- Vulnerability Type: Security Feature Bypass
- Affected Products:
- Microsoft Office 2016 (32-bit & 64-bit)
- Microsoft Office 2019 (32-bit & 64-bit)
- Microsoft Office LTSC 2021 & 2024
- Microsoft 365 Apps for Enterprise
Operational Intelligence & Attack Vector
- Attack Vector: The vulnerability is triggered when a user opens a specially crafted, malicious Office file. It relies on untrusted inputs to bypass checks that usually prevent dangerous Object Linking and Embedding (OLE) controls from running.
- User Interaction: Required. The user must be convinced to open the file (phishing/social engineering).
- Preview Pane: Microsoft has confirmed the Preview Pane is not an attack vector.
- Active Exploitation: Confirmed by Microsoft Threat Intelligence Center (MSTIC) and CISA. While specific threat actor attribution is currently limited, the immediate addition to the CISA KEV catalog indicates reliable evidence of attacks.
Mitigation & Remediation
Microsoft issued different remediation paths depending on the Office version:
- Modern Versions (Office LTSC 2021/2024, Microsoft 365 Apps for Enterprise)
- Action: These versions receive the protection as a service-side update delivered through the Experimentation and Configuration Service (ECS); there is no separate package to install.
- Requirement: Users must fully restart their Office applications for the protection to take effect.
- Older Versions (Office 2016, 2019)
- Action: Administrators must manually install the out-of-band security updates released on January 26/27.
- Office 2016: KB5002573
- Office 2019: Build 10417.20095
- Registry Workaround (Temporary)
If patching is not immediately possible, Microsoft has provided a registry modification to disable the vulnerable functionality. Note: Backup the registry before modifying.
- Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
- Value: Compatibility Flags (REG_DWORD) = 0x00000400
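Applying the workaround by hand on more than a few machines invites typos in the CLSID and silent failures, so it is worth scripting the change and the check together. The script below is an added example, not Microsoft’s script; it uses only the HKLM path and the 0x400 value quoted above, ORs the bit into any existing flags rather than overwriting them, backs up the branch first as the advisory recommends, and exposes a test function that doubles as a compliance check. Function names are this example’s own.

```powershell
# Added example, not Microsoft's script. Applies the advisory's registry workaround
# for CVE-2026-21509 to the path quoted above, preserving any other flag bits,
# then verifies it. Run from an elevated PowerShell session.
$Clsid   = '{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
$Parent  = 'HKLM:\SOFTWARE\Microsoft\Office\16.0\Common\COM Compatibility'
$KeyPath = Join-Path $Parent $Clsid
$Name    = 'Compatibility Flags'
$Wanted  = 0x400

function Get-OfficeComFlags {
    # Current DWORD, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-OfficeComWorkaround {
    # True only when the 0x400 bit is present.
    $current = Get-OfficeComFlags
    return ($null -ne $current) -and (($current -band $Wanted) -eq $Wanted)
}

function Set-OfficeComWorkaround {
    if (Test-OfficeComWorkaround) {
        Write-Output 'Workaround already in effect.'
        return
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $current = Get-OfficeComFlags
    # OR the bit in rather than overwrite, in case IT already set other flags here.
    $new = if ($null -eq $current) { $Wanted } else { $current -bor $Wanted }
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
    Write-Output ('Set {0} = 0x{1:X8}' -f $Name, $new)
}

# 1. Back up the branch before changing it, as the advisory recommends.
if (Test-Path $Parent) {
    $backup = Join-Path $env:TEMP ('COMCompat-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
    reg.exe export ($Parent -replace '^HKLM:', 'HKLM') $backup /y | Out-Null
    Write-Output "Backup written to $backup"
}

# 2. Apply and verify.
Set-OfficeComWorkaround
if (Test-OfficeComWorkaround) {
    Write-Output "Verified on $env:COMPUTERNAME"
} else {
    Write-Warning "Workaround NOT in effect on $env:COMPUTERNAME"
}
```

Two caveats. The flag blocks that one control for every Office document on the machine, so anything that legitimately embeds it stops working until the value is removed; once the update is installed, roll back with Remove-ItemProperty on the value or by importing the saved .reg file. And Test-OfficeComWorkaround is the function to run at scale afterwards: on hosts where IT deployed the workaround, a bit that has been cleared is exactly the drift the threat-hunting recommendation below is about.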
Recommendations
- Immediate Patching: Prioritize patching Office 2016 and 2019 instances, as they do not receive the automatic service-side fix.
- Force Restarts: Issue a communication or policy to force-restart Office applications for Microsoft 365/2021 users to ensure the service-side mitigation is applied.
- Phishing Awareness: Alert users to be hyper-vigilant regarding unsolicited Office attachments, even from known contacts, due to the required user interaction component.
- Threat Hunting: Audit the COM Compatibility key above across the fleet. Where IT has not deployed the workaround, its unexpected appearance or modification warrants investigation; where IT has deployed it, a cleared or altered Compatibility Flags value means the protection has been removed. Attackers sometimes modify COM compatibility flags to facilitate persistence or bypasses, so alert on changes to this key that do not match your change records.
by Chris Roach | Jan 27, 2026 | Threat Advisories
Executive Summary

BravoX is a newly identified Ransomware-as-a-Service (RaaS) group that surfaced in January 2026. The group has quickly transitioned from underground forum discussions to establishing an active extortion infrastructure, including a dedicated Tor-based data leak site (DLS). While the current volume is low, BravoX displays a structured operational model targeting U.S. organizations with revenues exceeding $5 million.
Background & Origin
- First Appearance: January 23, 2026 (Public surface via RAMP forum).
- Origin: Likely Russian-speaking or CIS-aligned. The group explicitly prohibits affiliates from targeting CIS (Commonwealth of Independent States) countries, a common marker of Russian-nexus cybercriminal groups.
- History: The threat actor behind BravoX registered on the RAMP underground forum in September 2025 but maintained a low profile until launching the RaaS program in early 2026.
Operational Model
BravoX operates as a Ransomware-as-a-Service (RaaS). It recruits affiliates to conduct the intrusion and deployment phases while the core developers provide the malware and negotiation infrastructure.
- Affiliate Recruitment: The group is highly selective, requiring potential affiliates to demonstrate proof of access to targets with over $5 million in revenue or provide a financial deposit.
- Extortion Tactics: Double extortion. Affiliates encrypt the victim’s data and the group threatens to publish the exfiltrated copy on its leak site if the ransom is not paid.
Targets & Recent Activity
- Geography: Primary focus is the United States.
- Sectors: Early victims include Healthcare and Retail organizations.
- Current Volume: Low. As of late January 2026, the group has listed three victims on its data leak site. This suggests the group is in a “credibility-building” phase to attract high-quality affiliates.
Indicators of Compromise (IOCs)
Note: Given the group’s recent emergence, no stable file hashes have been published; the indicators below are behavioural and partly inferred from the RaaS model rather than taken from analysed samples.
- Infrastructure:
- Tor Data Leak Site: hosted on the Tor network; the specific .onion address is not listed in open sources.
- Network Indicators:
- Outbound traffic to Tor nodes (expected for C2 and data exfiltration).
- Large outbound data transfers (exfiltration) prior to encryption.
- Ransom Note: Likely a dropped text file (e.g., RESTORE_FILES.txt or similar) directing the victim to the group’s Tor site.
Tactics, Techniques, and Procedures (TTPs)
- Initial Access: Reliance on affiliates leveraging compromised credentials (RDP/VPN) or unpatched vulnerabilities (e.g., in edge devices), given the requirement for affiliates to “demonstrate access”.
- Targeting Constraints: Explicitly avoids CIS countries.
- Revenue Targeting: Focuses on mid-market to enterprise targets ($5M+ revenue) to ensure ransom liquidity.
- Verification: Affiliates must pass a vetting process involving trusted recommendations or deposits, indicating a focus on operational security (OpSec) over rapid expansion.
Recommendations
- Monitor RAMP Forum Intelligence: Track RAMP forum posts for new affiliate recruitment drives or changes to the BravoX RaaS offering.
- Geo-Blocking: Block connections from high-risk geographies where no business need exists, but do not rely on it: BravoX affiliates likely operate through US-based proxies.
- Patch External Assets: Since affiliates likely bring their own access, ensure all VPNs and RDP instances are patched and MFA-protected to deny initial entry.
- Data Loss Prevention (DLP): Tune DLP rules to detect large outbound transfers to unknown IP addresses, as BravoX relies on double extortion (data theft).
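The DLP recommendation above is easier to act on with a concrete rule than with “large outbound transfers”. The script below is an added example, not BravoX tooling and not any vendor’s DLP rule: it sums egress per source/destination pair from NetFlow-style records, ignores internal and allowlisted destinations, and raises a high-severity alert when one host pushes more to a single unknown destination than both an absolute floor and a multiple of that host’s usual daily volume. Contacts with Tor’s default ORPort/DirPort (9001/9030) are reported separately as a weak signal, since relays frequently listen on 443 instead. The flows, baseline, allowlist and thresholds are constructed assumptions using RFC 5737 documentation addresses.

```python
"""Flag bulk egress to destinations outside the allowlist, plus Tor-default-port contacts.

Added example, not BravoX tooling or any vendor's DLP rule. Flow records are
constructed NetFlow-style tuples using RFC 5737 documentation addresses; the
allowlist, baseline and thresholds are assumptions to replace with your own.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GiB = 1 << 30
MiB = 1 << 20

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# Destinations with an approved reason for bulk transfer (assumed: an offsite-backup provider).
ALLOWLIST = [ip_network("203.0.113.0/24")]
# Tor's default ORPort and DirPort. Weak signal: relays often listen on 443 instead.
TOR_DEFAULT_PORTS = {9001, 9030}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst in this record


def _in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def egress_by_pair(flows):
    """Sum outbound bytes and collect ports per (src, dst), skipping internal and allowlisted dsts."""
    totals = defaultdict(int)
    ports = defaultdict(set)
    for f in flows:
        if _in_any(f.dst, INTERNAL_NETS) or _in_any(f.dst, ALLOWLIST):
            continue
        totals[(f.src, f.dst)] += f.bytes_out
        ports[(f.src, f.dst)].add(f.dport)
    return totals, ports


def detect_exfil(flows, baseline, multiplier=10, floor_bytes=GiB):
    """Return alerts for (src, dst) pairs worth an analyst's attention.

    "high": egress to one non-allowlisted destination above both an absolute floor
    and a multiple of that host's usual daily egress (baseline: {src: bytes}, assumed
    to come from historical data; hosts without a baseline use the floor alone).
    "low": any contact with a Tor default port, regardless of volume.
    """
    totals, ports = egress_by_pair(flows)
    alerts = []
    for (src, dst), nbytes in sorted(totals.items()):
        limit = max(floor_bytes, multiplier * baseline.get(src, 0))
        severity, reasons = None, []
        if nbytes > limit:
            severity = "high"
            reasons.append(f"{nbytes / GiB:.1f} GiB to non-allowlisted destination "
                           f"(limit {limit / GiB:.1f} GiB)")
        if ports[(src, dst)] & TOR_DEFAULT_PORTS:
            severity = severity or "low"
            reasons.append("destination port is a Tor default ORPort/DirPort")
        if severity:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample flows (no real hosts).
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "198.51.100.77", 443, 9 * GiB),     # staging host pushes data over HTTPS
    Flow("10.0.5.23", "198.51.100.77", 443, 3 * GiB),
    Flow("10.0.5.23", "192.0.2.10", 9001, 40 * MiB),      # small, but to a Tor default port
    Flow("10.0.7.9", "203.0.113.5", 443, 6 * GiB),        # allowlisted backup target
    Flow("10.0.8.41", "198.51.100.200", 443, 300 * MiB),  # ordinary browsing volume
    Flow("10.0.8.41", "10.0.1.5", 445, 20 * GiB),         # internal file-server copy
]
# Typical daily egress per host (assumed to be learned from prior weeks).
SAMPLE_BASELINE = {"10.0.5.23": 200 * MiB, "10.0.7.9": 5 * GiB, "10.0.8.41": 400 * MiB}

if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS, SAMPLE_BASELINE):
        print(alert["severity"], alert["src"], "->", alert["dst"], "; ".join(alert["reasons"]))
```

The per-host baseline matters more than the absolute floor: a backup server legitimately moving terabytes and a workstation moving 12 GiB to one unknown address look identical on volume alone. Note that the 20 GiB internal copy to the file server is deliberately not alerted, since staging data on an internal host before exfiltration is a separate detection problem (SMB volume anomalies, archive creation on endpoints) that this egress rule does not cover.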
by Chris Roach | Jan 13, 2026 | News

Blackswan Cybersecurity Ranks #115 on MSSP Alert’s Global Top 250 MSSPs List for 2025 
DALLAS, TX – January 15, 2026 – Blackswan Cybersecurity, LLC (Blackswan), a leading managed security service provider (MSSP), today announced its recognition as #115 on the 2025 MSSP Alert Top 250 MSSPs list, a prestigious annual ranking of the world’s top managed security service providers. MSSP Alert evaluates providers based on service strength, innovation, and market presence, highlighting leaders in the global managed security market.
This recognition marks Blackswan’s fourth consecutive year being named to the prestigious top 250 list.
“We are incredibly honored to be recognized by MSSP Alert as one of the top managed security service providers globally,” said Dr. Mike Saylor, CEO, Blackswan Cybersecurity, LLC. “Being ranked #115 truly reflects our team’s dedication to providing accessible, enterprise-grade protection tailored for each organization’s business needs, ensuring our clients have 24/7 assurance in this rapidly changing threat landscape”.
Companies on the list are evaluated on managed security services revenue, growth, geographic reach, service offerings, and industry presence, notes MSSP Alert.
The full 2025 MSSP Alert Top 250 list is available at:
https://www.msspalert.com/top-250
About Blackswan Cybersecurity, LLC (Blackswan)
Blackswan is a leader in fit-for-purpose cybersecurity solutions, helping companies identify the right safeguards for protecting data assets and outperforming compliance requirements with a customizable suite of skills, capabilities, and services. Powered by Blackswan’s North Texas Cyber Fusion Center, the company provides around-the-clock access to cyber professionals and ‘eyes-on-glass’ threat monitoring, detection, and remediation. Blackswan strives to democratize enterprise-level security, offering the same level of protection for organizations of all sizes.
For more information, visit http://www.blackswan-cybersecurity.com.
Blackswan Cybersecurity, LLC
Contact@BlackswanCybersecurity.com