colossus

Intelligence Profile

Colossus ransomware was first observed in September 2021, when ZeroFox researchers uncovered the variant attacking a U.S.-based automotive group. It follows a double-extortion model, using Themida packing and sandbox evasion to defeat defenses before delivering its encryption payload. Victims are directed to a support site, hosted at a domain like colossus.support, to negotiate payment; otherwise they face large-scale data dumps and ransom demands that increase as countdown timers expire. The operators showed familiarity with RaaS playbooks, and the architecture draws parallels to groups like EpsilonRed, BlackCocaine, and REvil/Sodinokibi.

Threat Analysis

colossus is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like colossus prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Quick Facts

Type: APT / Threat Group
Motivation: financial
Aliases: 1

Also Known As

colossus

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.