daixin

Ransomware group profile

5Victims

RussiaSource country

50Impact score

Description

Daixin is a financially motivated ransomware and data extortion group that emerged in June 2022, targeting primarily the Healthcare and Public Health sector. They employ a double extortion model, encrypting data and threatening to leak sensitive information unless a ransom is paid, using custom ransomware based on leaked Babuk Locker code. The group has a notable focus on VMware ESXi servers and engages directly with victims during negotiations without involving third-party remediation firms.

Key insights

•Targets primarily the Healthcare sector, including hospitals and outpatient care centers.
•Utilizes a double extortion model: ransomware deployment and data theft.
•Exploits unpatched vulnerabilities in VPN servers for initial access.
•Leverages Secure Shell (SSH) and Remote Desktop Protocol (RDP) for lateral movement within networks.
•Employs Rclone and Ngrok tools for data exfiltration.
•Custom ransomware specifically targets ESXi virtual machine file extensions.
•Known to manipulate VMware vCenter Server to reset passwords for ESXi servers.

Industries

Financial Services Government & Defense Healthcare Hospitality Manufacturing Professional Services Retail & E-Commerce Technology Transportation

Threat Level & Status Breakdown

For daixin · Based on incidents in selected period

1.4threat level

Aggressiveness1.3/ 10

Lethality0/ 10

Criticality3.3/ 10

First seenSep 2025

Last seenSep 2025

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 7, 2026

Recent activity

Monthly attack count for daixin in the selected period

5Total attacks

5peak in Sep

5avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for daixin

a53a9ca8a074c7108f8412c3f8c1fc5d
77962a384d251f0aa8e3008a88f206d6cb1f7401c759c4614e3bfe865e3e985c
3928c5874249cc71b2d88e5c0c00989ac394238747bb7638897fc210531b4aab
d520d06d78afcad2e03842cb8db4622d18b92739e89dfb8dadf5743f30dcd903
7007cf53bcd0083baba202d8ac2d9070
e75e5778e71e062ce4a7af673f0b2513854d2367fee0f01a26c0c998863bdf6e
a98dcdee82f6066a4cf2f9d7d161a1bacec8f81d
eae09889399fe4fb8e78b114dba0527de913d12fb1802944a88ed136e3e90577

View full IOC feed500 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for daixin

Other

T1486

T1490

T1078

T1047

T1021

T1071.001

T1562

T1012

T1203

T1059

T1090

Victims(5)

Company	Domain	Country	Industry	Status	Discovered
SGS Co	sgsco.com	US United States	Professional Services	Unknown	9 months ago
Communicare Inc.	communicare.org	US United States	Healthcare	Unknown	9 months ago
Insurance Office of America (US)	—	US United States	Financial Services	Unknown	11 months ago
Gagosian	gagosian.com	US United States	Retail & E-Commerce	Unknown	9 months ago
Gagosian(US, UK)	—	US United States	Hospitality	Unknown	9 months ago

Affected countries(11)

Countries where this group has been reported to target or leak victims.

🇦🇪United Arab Emirates 🇨🇦Canada 🇨🇿Czech Republic 🇩🇪Germany 🇬🇧United Kingdom 🇮🇩Indonesia 🇯🇵Japan 🇲🇾Malaysia 🇳🇱Netherlands Russian Federation 🇺🇸United States