Introduction
Apos ransomware surfaced in April 2024 and is best characterized as a data-broker or leak-only operation rather than traditional file-encrypting ransomware. It has not been observed to encrypt files; instead it focuses on data exfiltration, with threats to leak or sell the stolen information. Targets span sectors such as technology, healthcare, manufacturing, business services, telecommunications, and government, with significant victimology in Brazil, the United States, India, France, Paraguay, and Spain. Reporting suggests its activity tapered off after a few incidents, possibly indicating a one-time campaign or short-lived operation. Though some sources list multiple victims, technical details such as encryption algorithms, ransom notes, or extortion pricing are not publicly documented. Apos is sometimes listed among new or industrial-focused threats observed in Q1 2025, but it remains poorly defined in public technical intelligence.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.