Space Bears
Space Bears is a ransomware and extortion group first identified in April 2024. Multiple sources describe it as associated with the Phobos ransomware-as-a-service (RaaS) ecosystem, and one source notes that its leak site is believed to function as a shared publishing point for activity related to Phobos infrastructure. The group operates a dedicated leak site and uses double-extortion tactics, threatening to publish or sell allegedly stolen data if victims do not pay. Several sources describe Space Bears as primarily focused on data theft and extortion, while also sometimes deploying encryption; one source specifically characterizes it as using stealthy encryption and focusing on critical infrastructure.

Reported victim activity includes claims against Vertel in Australia, Texcomp in Saudi Arabia, Kymco in Taiwan, Quasar Inc. in Georgia, and Comcast material allegedly obtained via Quasar. The group claimed exfiltration of SQL databases, client personal information, financial documents, patent and innovation data, customer and partner data, network project documents, city drawings, communication layouts, city design documentation, and utility plans. Space Bears has also been cited among ransomware groups active against Korean and Japanese organizations, and in broader ransomware reporting affecting industrial and communications-related sectors.

Tactics and behaviors directly mentioned in the reporting include operating a leak site with countdown timers, threatening public release of stolen data, offering stolen data for sale to third parties, and in some cases publishing data when victims do not pay. The reporting does not identify confirmed sub-groups. Known alias in the reporting: space_bears.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Pharmaceuticals, Biotechnology & Life Sciences
Tradecraft
3 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware group reported targeting a pharmaceutical/biotech organization.
Ransomware/extortion group operating a leak site and using double extortion; assessed as associated with the Phobos RaaS ecosystem and linked to the ‘Faust’ operator within that ecosystem.
Ransomware group operating a leak site and using double extortion; assessed as associated with the Phobos RaaS ecosystem (including linkage to a 'Faust' operator per the report).
Space Bears is a ransomware group targeting telecommunications and engineering contractors, exfiltrating sensitive internal documents.