APT / THREAT GROUP | 💰 FINANCIAL | HIGH

RUBYCARP

🇷🇴 Romania-attributed
Campaigns: 1
Aliases: 1
Last seen: Mar 17, 2026

Intelligence Profile

RUBYCARP is a financially motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress and conducts phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.

Threat Analysis

RUBYCARP is a high-sophistication threat actor attributed to Romania, engaged in cyber operations whose primary motivation is financial.

Financially motivated threat actors like RUBYCARP prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

With high sophistication, RUBYCARP is capable of targeted intrusions using adapted commodity tools alongside custom implants, maintaining operational security and evading standard detection mechanisms.

Known Campaigns

RUBYCARP — Active Operations March 2026

RUBYCARP is a financial threat actor attributed to RO. RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilitie...

ACTIVE | MEDIUM | 2026

External References

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Sophistication: high
Origin: 🇷🇴 Romania
Aliases: 1
Source: Malpedia

Also Known As

RUBYCARP

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.