Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
🇷🇺 RU12 malware families

CyberVolk

Also known asCyberVolk

CyberVolk, also known as GLORIAMIST, is a pro-Russian hacktivist group reportedly originating in India. It was first documented in 2024 and has conducted attacks aligned with Russian government interests, primarily against public and government entities and organizations it frames as opposing Russia or supporting Ukraine. Reported activity includes DDoS operations, ransomware attacks, and the use or sale of additional tooling such as infostealers, webshells, RATs, and keyloggers. CyberVolk launched a ransomware-as-a-service operation in June 2024 and later resurfaced in August 2025 with a new RaaS offering called VolkLocker, also referred to as CyberVolk 2.x. VolkLocker is a Golang-based cross-platform ransomware targeting Windows and Linux systems and is managed heavily through Telegram for payload building, command-and-control, victim management, and affiliate operations. Reported capabilities include privilege escalation via the ms-settings UAC bypass, environmental discovery, VM and sandbox checks, drive enumeration, registry modification, deletion of volume shadow copies, and termination of security or analysis-related processes. The ransomware uses AES-256-GCM for file encryption and supports configurable file extensions and timers. Multiple reports state that VolkLocker suffers from a critical implementation flaw: the master encryption key is hard-coded in the binary and also written in plaintext to %TEMP%\system_backup.key, allowing victims in some cases to recover files without paying. Reporting also describes this as likely caused by leftover test artifacts or poor quality control. Earlier CyberVolk ransomware activity was also reported to contain embedded decryption keys in code. SentinelOne reporting further states that CyberVolk has reused, tweaked, and rebranded leaked ransomware source code, including code derived from AzzaSec, and has promoted or aligned with other ransomware families including Doubleface/Invisible, HexaLocker, and Parano. CyberVolk has been described as a pro-Kremlin or pro-Russia hacktivist persona rather than a purely profit-driven ransomware crew, although it operates ransomware and affiliate services commercially. Its infrastructure and operations were reportedly disrupted by Telegram enforcement actions in late 2024 and 2025, after which it reestablished operations and expanded its offerings.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

18 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

8 of 15 tactics22 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0003
Persistence
1 technique
T1505
Server Software Component
T1505.003
Web Shell
TA0004
Privilege Escalation
2 techniques
T1055
Process Injection
T1548
Abuse Elevation Control Mechanism
T1548.002
Bypass User Account Control
TA0005
Stealth
5 techniques
T1027
Obfuscated Files or Information
T1055
Process Injection
T1070
Indicator Removal
T1070.004
File Deletion
T1140
Deobfuscate/Decode Files or Information
T1622
Debugger Evasion
TA0112
Defense Impairment
1 technique
T1601
Modify System Image
TA0006
Credential Access
2 techniques
T1110
Brute Force
T1555
Credentials from Password Stores
TA0007
Discovery
3 techniques
T1082
System Information Discovery
T1083
File and Directory Discovery
T1622
Debugger Evasion
TA0010
Exfiltration
1 technique
T1567
Exfiltration Over Web Service
TA0040
Impact
4 techniques
T1486×4
Data Encrypted for Impact
T1489
Service Stop
T1490
Inhibit System Recovery
T1498
Network Denial of Service
ARSENAL

Associated malware families

12 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
CyberVolkattention turned to CyberVolk - a pro-Russian hacktivist collective - that rolled out ransomware yet embedded the primary decryption keys directly within the code.2Jun 16, 2026
VolkLockerA new version of VolkLocker, wielded by the pro-Russia RaaS group CyberVolk, has some key enhancements but one fatal flaw. VolkLocker is the ransomware-as-a-service (RaaS) offering of CyberVolk, a group first documented in late 2024 that uses multiple ransomware tools to conduct attacks aligned with the interests of the Russian government.2Mar 18, 2026
AzzaSec RansomIn June, the source-code for “AzzaSec Ransom” was leaked and subsequently adopted and adapted by multiple groups aligned with AzzaSec’s mission.1Jun 14, 2026
ChaosThe CyberVolk collective is a prime example of how readily threat actors can access and deploy dangerous ransomware builders such as AzzaSec, Diamond, LockBit, Chaos and others.1Jun 14, 2026
CyberVolk Stealer“CyberVolk Stealer” is distributed in the form of a Python script and is based on LBX-Grabber, an existing Python information stealer, which is in turn built into BLX-Stealer.1Jun 14, 2026

7 additional families tracked in Mallory.

IOCS

Observables

30 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

30 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
cysecurity newsNews
Jun 16, 2026
Ransomware Gang Apologizes After Mistakenly Attacking CIS Company and Revealing Criminal Errors - CySecurity News - Latest Information Security and Hacking Incidents

Pro-Russian hacktivist collective that deployed ransomware but made a critical implementation error by embedding decryption keys in the code, allowing victims to recover data without paying.

Read more
register securityNews
Jun 2, 2026
'Dumbass' criminal breaks the 'first rule of ransomware club'

Pro-Russian hacktivist crew that launched a ransomware service but made implementation mistakes by hardcoding master keys into executables, enabling victim recovery without payment.

Read more
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Pro-Russian hacktivist group operating a ransomware-as-a-service offering (VolkLocker) with noted cryptographic/implementation weaknesses enabling free decryption.

Read more
sentinelone blogNews
Jan 6, 2026
12 Months of Fighting Cybercrime & Defending Enterprises | The SentinelLABS 2025 Review

A pro-Russian hacktivist collective known for reusing and rebranding leaked ransomware code, recently active with VolkLocker.

Read more
+15 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping18

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal12

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables30

Domains, IPs, and hashes tied to this actor, refreshed continuously.