Introduction
Frag is a relatively new ransomware and data extortion group first seen in February 2025. The group operates a dedicated Tor-based leak site where it publishes victim details, including sector, location, and sample stolen files, as part of its double-extortion strategy. Within its first month of activity, Frag claimed over two dozen victims, spanning industries such as manufacturing, aviation, real estate, retail, and legal services, with a global footprint including the United States, the Netherlands, and Singapore. Intrusion methods have included exploitation of known vulnerabilities—such as the Veeam Backup & Replication flaw CVE-2024-40711—and compromised remote access appliances. The group’s operations and targeting style suggest experienced actors, possibly with past involvement in other ransomware projects.
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Information pending cataloguing.
References
References pending cataloguing.