APT / THREAT GROUP | 💰 FINANCIAL

embargo

Campaigns: 1
Aliases: 1

Intelligence Profile

Embargo is a Rust-based ransomware-as-a-service group that emerged in April 2024, primarily targeting US healthcare, manufacturing, and business services organizations using double extortion, assessed as a potential successor to BlackCat/ALPHV with over $34 million in ransom proceeds.

Threat Analysis

embargo is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations with a primarily financial motivation.

Financially motivated threat actors like embargo prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Known Campaigns

Embargo — Active Campaign March 2026

Embargo is conducting an active ransomware campaign targeting organizations across 3 countries. Primary targets: Hospitality and Tourism, Technology. 6 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 31 Mar 2026).

🎯 Hospitality and Tourism | 🎯 Technology
ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Motivation: 💰 financial
Aliases: 1

Also Known As

embargo

DLS Infrastructure


Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.