tengu
Ransomware group profile
Description
Tengu is a ransomware-as-a-service (RaaS) group that emerged in late 2025, known for its hands-on intrusion tactics and double extortion model. They extort victims by first stealing sensitive data before encrypting systems, using Tor for ransom negotiations. The group maintains a strong focus on onboarding skilled affiliates to enhance their operations.
Key insights
- •Initial access typically involves exploiting exposed remote services and valid-account abuse.
- •Tengu utilizes a variety of tools including living-off-the-land binaries and custom utilities for data exfiltration.
- •Their extortion model emphasizes double extortion, with encrypted files tagged with a .tengu extension and threats of data leaks.
- •Tengu employs tactics for defense evasion such as disabling Microsoft Defender and clearing event logs.
- •They leverage Tor-based negotiation portals to communicate with victims during ransom negotiations.
Threat Level & Status Breakdown
For tengu · Based on incidents in selected period
Status Breakdown
Recent activity
Monthly attack count for tengu in the selected period
Intelligence
IOCs, YARA/Sigma rules, and related families for tengu
- b400c58e7e227361cc689078ce9163c4
- 3b18e9da970fa7d336b08c5df04668b7
- 511a4780cbd9ed2280b432afc6cbfd1a
- 62c6ba7f5356663c46b8918b6a0994fc
- b8c81e1e17adcaf9e84d76401697b7e5
TTPs & Attack Vectors
Tools, initial access, and MITRE ATT&CK techniques for tengu
T1070
Indicator Removal
T1218
System Binary Proxy Execution
T1059.001
PowerShell
T1059.003
Windows Command Shell
T1486
Data Encrypted for Impact
T1490
Inhibit System Recovery
T1021.001
Remote Desktop Protocol
T1053.005_1
Scheduled Task
Victims(53)
| Company | Domain | Country | Industry | Status | Discovered | |
|---|---|---|---|---|---|---|
| crown-security.com.tw | — | TW Taiwan | Technology | Claimed | 3 months ago | |
| Sileno Companies Inc | sileno.com | CH Switzerland | Manufacturing | Claimed | 3 months ago | |
| Communitymosaic.co.uk | communitymosaic.co.uk | GB United Kingdom | Energy & Utilities | Claimed | 3 months ago | |
| Eos Technology srl | eostechnology.net | IT Italy | Education | Claimed | 3 months ago | |
| DAINTY CLOUD INC | daintycloud.com | US United States | Technology | Claimed | 3 months ago | |
| Al Arif Contracting Co. (L.L.C) | alarifgroups.ae | AE United Arab Emirates | Other | Claimed | 3 months ago | |
| martec.it | martec.it | IT Italy | Technology | Claimed | 3 months ago | |
| www.shora.ma | shora.ma | MA Morocco | Hospitality | Claimed | 3 months ago | |
| femar.it | femar.it | IT Italy | Professional Services | Claimed | 4 months ago | |
| 真言宗智山派 成就院 | — | JP Japan | Manufacturing | Claimed | 4 months ago | |
| 真言宗智山派 成就院 | jyojyuin.o.oo7.jp | JP Japan | Professional Services | Claimed | 4 months ago | |
| Junta Local de Conciliación y Arbitraje | cdmx.gob.mx | MX Mexico | Government & Defense | Claimed | 4 months ago | |
| PT. Mitra Antar Tangguh | mitratangguh.co.id | ID Indonesia | Professional Services | Claimed | 4 months ago | |
| megasilver.com.tw | megasilver.com.tw | TW Taiwan | Technology | Claimed | 4 months ago | |
| all Data | — | ID Indonesia | Technology | Claimed | 4 months ago | |
| We will be back soon | — | — | Technology | Claimed | 4 months ago | |
| b2motorsport.co.il | b2motorsport.co.il | IL Israel | Retail & E-Commerce | Claimed | 4 months ago | |
| Tahkout Group | — | DZ Algeria | Manufacturing | Claimed | 4 months ago | |
| KSP TLM INDONESIA | cooptlmindonesia.com | ID Indonesia | Financial Services | Claimed | 4 months ago | |
| FRUIT-BONTÉ Agroalimentaire | mda-agro.com | FR France | Other | Claimed | 4 months ago |
Page 1 of 3
Affected countries(33)
Countries where this group has been reported to target or leak victims.