icarus

Ransomware group profile

1Victims

29Impact score

Description

Icarus is a newly emergent ransomware group first encountered in April 2026, distinguished from the earlier Icarus Stealer malware. The group's operations revolve around financial gain through the exploitation of sensitive data, positioning itself as a data broker engaged in extortion tactics.

Key insights

•Icarus engages in double extortion and free data leaks to pressure victims into compliance.
•The group's primary goal is financial profit from the sale or leakage of stolen data.
•Targets include sensitive data such as personally identifiable information, source code, and KYC documents.
•Icarus utilizes bespoke malware for ransomware deployment, with detailed attack vectors not yet disclosed.

Industries

Financial Services Retail & E-Commerce

Threat Level & Status Breakdown

For icarus · Based on incidents in selected period

0.1threat level

Aggressiveness0.3/ 10

Lethality0/ 10

Criticality0/ 10

Status Breakdown

Claimed100.0%1

First seenMay 2026

Last seenMay 2026

Avg ransom—

Payment rate—

Statusactive

Sophistication0

Last updatedJun 2, 2026

Recent activity

Monthly attack count for icarus in the selected period

1Total attacks

1peak in May

1avg / month

Intelligence

IOCs, YARA/Sigma rules, and related families for icarus

0962291d6d367570bee5454721c17e11
d0d388f3865d0523e451d6ba0be34cc4
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2
2aa9e263ee3796d9ce358460a2451b4c
3cedfb74d44f2e84198d23075aef16c34a668ceb
87e8230a9ca3f0c5ccfa56f70276e2f2
207b3a7e6a8d72072a5f56a138ac8e991305441d
cf89d16bb9107c631daabf0c0ee58efb
af7ae505a9eed503f8b8e6982036873e
40ab50289f7ef5fae60801f88d4541fc
534e5f914ae99bf0a342a2f7a7e0724bd0d11ef7
ee002cb9e51bb8dfa89640a406a1090a
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b
1335e6f71cc4e3cf7025233523b4760f8893e9c9
46295cac801e5d4857d09837238a6394
8e82aa751bfeab05ffc5e7ada239e12c424ac1fe14449c0aef7de48fb5f26644
44e0fa1b517dbf802b18faf0785eeea6ac51594b
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
d414dd4f9db345fa8003e32adc81b362
fd67c2f46be33412a98a117d47e59c5473c5797a789aa79bf51437ccf60c0a11
3fd11ff447c1ee23538dc4d9724427a3
2adefcbc041e7d18fcf2d417879dc5a09997aa64d675b7a3c4b6ce33da13f3fe
5af87dfd673ba2115e2fcf5cfdb727ab
57a35d34dec97c850de9224ed89f7fb174624142815e70cf863e08316f0a0ea9
18b7421abf184e46a64874bebbfd875d
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
ce6a63f996df3a1cccb81720e21204b825e0238c
f5f5b37fd514776f455864502c852773
906fc9728c61142a756d107116c96b1e0f18dd92becc56e8a78f3f294eacda39
d6f48cba7d076fb6f2fd6ba993a75b9dc1ecbf0c
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
e4ed441f0f6afb0d8d55af87900ec48f
12876284cd618d55e4d5ade10e3a82c1
41876349cb12d6db992f1309f22df3f0
377d072e137022223a370760763420bb
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

View full IOC feed67 total

TTPs & Attack Vectors

Tools, initial access, and MITRE ATT&CK techniques for icarus

Defense Evasion

T1562

Impair Defenses

T1027

Obfuscated Files or Information

Execution

T1059

Command and Scripting Interpreter

Impact

T1486

Data Encrypted for Impact

T1490

Inhibit System Recovery

Lateral Movement

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1080

Taint Shared Content

Other

T1203

Persistence

T1078

Valid Accounts

T1547

Boot or Logon Autostart Execution

Victims(1)

Company	Domain	Country	Industry	Status	Discovered
Cazh.id	—	ID Indonesia	Retail & E-Commerce	Claimed	29 days ago

Affected countries(1)

Countries where this group has been reported to target or leak victims.

🇮🇩Indonesia