APT / THREAT GROUP · 💰 FINANCIAL
global
1 alias
Intelligence Profile
GLOBAL GROUP is a ransomware-as-a-service operation that emerged in June 2025, reportedly launched by a known Russian-speaking threat actor, featuring AI-driven ransom negotiation and a mobile control panel for affiliates, targeting healthcare, oil and gas, industrial engineering, and automotive sectors.
Threat Analysis
global is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations with a primarily financial motivation.
Financially motivated threat actors like global prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
Intelligence Reports Mentioning global
WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private
The Hacker News · Jun 29, 2026
OHIF Viewers DICOM
CISA Alerts · Jun 25, 2026
Europe Evolves Into Ransomware's Favorite Region
Dark Reading · Jun 25, 2026
ESET takes part in Operation Endgame to disrupt Amadey and Stealc
ESET Research · Jun 24, 2026
StrikeShark: investigating a new campaign delivering Cobalt Strike through SharkLoader
Securelist (Kaspersky) · Jun 24, 2026
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
The Hacker News · Jun 23, 2026
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
Dark Reading · Jun 23, 2026
The Global Namespace Risk: Universal Bucket Hijacking Technique for Cloud Data Exfiltration
Palo Alto Unit 42 · Jun 22, 2026
Quick Facts
Type: APT / Threat Group
Motivation: 💰 financial
Aliases: 1
Also Known As
global
DLS Infrastructure
○ OFFLINE vg6xwkmfyirv3l6qtqus7jykcuvgx6imegb73hqny2avxccnmqt5m2id.onion
○ OFFLINE panelqbinglxczi2gqkwderfvgq6bcv5cbjwxrksjtvr5xv7ozh5wqad.onion
○ OFFLINE gdbkvfe6g3whrzkdlbytksygk45zwgmnzh5i2xmqyo3mrpipysjagqyd.onion
○ OFFLINE 7bmz2tc4p2jk23dcyehg37cd7veflk3fyhxrnbxz75vvno2azfy6qayd.onion
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.