APT / THREAT GROUP · ESPIONAGE · ADVANCED
REvil
6 aliases
Last seen: Mar 17, 2026
Intelligence Profile
ELF version of win.revil targeting VMware ESXi hypervisors.
Threat Analysis
REvil is an advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, REvil likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.
Intelligence Reports Mentioning REvil
German Police Unmask REvil Ransomware Leader
SecurityWeek · Apr 7, 2026
German authorities identify REvil and GandCrab ransomware bosses
BleepingComputer · Apr 6, 2026
German police unmask two suspects linked to REvil ransomware gang
The Record · Apr 6, 2026
BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks
The Hacker News · Apr 6, 2026
Germany Doxes "UNKN," Head of RU Ransomware Gangs REvil, GandCrab
Krebs on Security · Apr 5, 2026
External References
Quick Facts
Type: APT / Threat Group
Motivation: espionage
Sophistication: advanced
Aliases: 6
Also Known As
Sodinokibi, win.revil, REvix, Sodin, REvil, elf.revil
External Intelligence
Malpedia: win.revil
Research Links
Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.