APT / THREAT GROUP | 💰 FINANCIAL | HIGH

Defray

3 aliases
Last seen: Mar 17, 2026

Intelligence Profile

Defray is targeted ransomware that appeared in 2017 and is aimed mainly at the healthcare vertical.

The distribution of Defray has several notable characteristics:

According to Proofpoint:

"Defray is currently being spread via Microsoft Word document attachments in email

The campaigns are as small as several messages each

The lures are custom crafted to appeal to the intended set of potential victims

The recipients are individuals or distribution lists, e.g., group@ and websupport@

Geographic targeting is in the UK and US

Vertical targeting varies by campaign and is narrow and selective"

Threat Analysis

Defray is a high-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like Defray prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, Defray is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Aliases: 3

Also Known As

Glushkov, Defray, win.defray

External Intelligence

Malpedia: win.defray

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.