{
	"id": "e54bf7f7-c7a6-42b8-8b86-319279ac53c5",
	"created_at": "2026-04-06T00:18:57.051827Z",
	"updated_at": "2026-04-10T13:12:17.705796Z",
	"deleted_at": null,
	"sha1_hash": "b0de11762f319423ade3867e01b97c132b6f7eef",
	"title": "New hacker group uses LockBit ransomware variant to target Russian companies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77550,
	"plain_text": "New hacker group uses LockBit ransomware variant to target\r\nRussian companies\r\nBy Daryna Antoniuk\r\nPublished: 2025-06-09 · Archived: 2026-04-05 13:30:44 UTC\r\nA financially motivated cybercrime group dubbed DarkGaboon has been targeting Russian companies in a series\r\nof ransomware attacks, researchers have found.\r\nThe group was first identified by Russian cybersecurity firm Positive Technologies in January, but researchers\r\nhave traced its operations back to 2023. Since then, DarkGaboon has targeted Russian organizations across\r\nvarious sectors, including banking, retail, tourism and public services.\r\nPositive Technologies was sanctioned by the U.S. in 2021 for allegedly providing IT support to Russia's civilian\r\nand military intelligence agencies.\r\nIn its latest campaign this spring, DarkGaboon was observed deploying LockBit 3.0 ransomware against victims\r\nin Russia, Positive Technologies said in a report last week.\r\nThe version of LockBit used by the group was leaked publicly in 2022 and is now employed by numerous\r\ncybercriminals. However, unlike typical LockBit affiliates operating under the ransomware-as-a-service model,\r\nDarkGaboon appears to function independently, according to the report.\r\nIn its operations, DarkGaboon relies on phishing emails written in Russian. These messages are crafted to appear\r\nurgent and are usually directed at employees in financial departments. They contain malicious attachments\r\ndisguised as legitimate financial documents.\r\nAccording to the report, the lure documents used by DarkGaboon are based on templates downloaded from\r\nlegitimate Russian-language sources. These decoy files have remained relatively unchanged since 2023.\r\nOnce inside a victim's network, the group deploys LockBit 3.0 to encrypt files and leaves behind a ransom note\r\nwritten in Russian containing two contact email addresses. No signs of data exfiltration were found during recent\r\nincidents, according to Positive Technologies.\r\nThe same email addresses listed in the current ransom notes were previously linked to LockBit-based attacks on\r\nRussian financial institutions between March and April 2023.\r\nThe company has not been able to identify the individuals behind DarkGaboon but said the perpetrators are likely\r\nfluent in Russian.\r\nResearchers say the group uses open-source tools such as Revenge RAT, XWorm and LockBit ransomware to\r\nblend in with broader cybercriminal activity, making attribution more difficult.\r\nhttps://therecord.media/new-hacker-group-lockbit-target-russia\r\nPage 1 of 3\n\nRussian entities have previously been targeted with LockBit ransomware variants. In December, hackers\r\nreportedly used it in an attack on the largest dairy processing plant in southern Siberia.\r\nLocal media reported that the cyberattack occurred shortly after the company provided humanitarian aid —\r\nincluding drones — for Russian soldiers fighting in Ukraine. The attack has not been attributed to any specific\r\nthreat actor.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/new-hacker-group-lockbit-target-russia\r\nPage 2 of 3\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/new-hacker-group-lockbit-target-russia\r\nhttps://therecord.media/new-hacker-group-lockbit-target-russia\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/new-hacker-group-lockbit-target-russia"
	],
	"report_names": [
		"new-hacker-group-lockbit-target-russia"
	],
	"threat_actors": [
		{
			"id": "17d2b58c-804e-491a-9195-7070d193ef02",
			"created_at": "2026-01-22T02:00:03.670548Z",
			"updated_at": "2026-04-10T02:00:03.922129Z",
			"deleted_at": null,
			"main_name": "DarkGaboon",
			"aliases": [
				"Vengeful Wolf",
				"room155"
			],
			"source_name": "MISPGALAXY:DarkGaboon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434737,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0de11762f319423ade3867e01b97c132b6f7eef.pdf",
		"text": "https://archive.orkl.eu/b0de11762f319423ade3867e01b97c132b6f7eef.txt",
		"img": "https://archive.orkl.eu/b0de11762f319423ade3867e01b97c132b6f7eef.jpg"
	}
}