
Threat Actor Characterization

Cicada3301

ID: 11196e28e27f5da7fabf6449326a641101089
Crimeware · Ransomware
Threat types: Propaganda, RaaS, Double Extortion
Unknown · CAN, DNK, FRA, JPN, SGP, ESP, CHE, ARE, USA
Updated: 2026-03-19
Created: 2026-02-23
Progress: 87% · Completeness: 85% · Freshness: 90%
Operation zone: Canada, Denmark, France, Japan, Singapore, Spain, Switzerland, United Arab Emirates, United States
Aliases: Cicada 3301
MITRE ATT&CK®

Cicada3301 is publicly described as a ransomware-as-a-service (RaaS) ecosystem that emerged in 2024, operating a double-extortion workflow supported by a leak/negotiation site and affiliate recruitment. Technical reporting describes a Rust-based, cross-platform encryptor targeting Windows and Linux, with some reporting emphasizing ESXi environments.

Technique | Technique name | Tactics (evidence listed beneath each row)
T1190 | Exploit Public-Facing Application | TA0001
  • 2024-09-03 — Public reporting describes opportunistic access consistent with exploiting vulnerabilities as an initial access vector in observed cases.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2024-08-30 — INFERENCE (confidence: medium): incident narratives describe post-compromise actions consistent with valid account use and administrative access for staging and execution.
T1105 | Ingress Tool Transfer | TA0011
  • 2024-09-10 — IR reporting describes delivery and staging of the encryptor and scripts consistent with ingress tool transfer.
T1059.001 | PowerShell | TA0002
  • 2024-09-10 — PowerShell is used to orchestrate execution and staging workflows in described incidents (scripted execution patterns).
T1569.002 | Service Execution | TA0002
  • 2024-09-10 — Execution through cmd/batch scripts and service stop commands is described as part of pre-impact orchestration.
T1021.001 | Remote Desktop Protocol | TA0008
  • 2024-09-10 — INFERENCE (confidence: medium): IR reporting describes multi-host execution using remote execution tooling consistent with SMB-based remote services usage.
T1047 | Windows Management Instrumentation | TA0002
  • 2024-09-10 — INFERENCE (confidence: low): ransomware affiliate playbooks frequently include WMI/PsExec-style remote execution; the described orchestration supports this as plausible in cases where remote execution tooling is observed.
T1490 | Inhibit System Recovery | TA0040
  • 2024-09-03 — Public reporting discusses shadow copy deletion and recovery inhibition behavior as part of the encryptor workflow.
T1489 | Service Stop | TA0040
  • 2024-09-10 — IR reporting describes service stop operations and VM stop commands preceding encryption to maximize impact.
T1486 | Data Encrypted for Impact | TA0040
  • 2024-08-30 — Ransomware encryption for impact is described as the core operation, including Linux/ESXi targeting in some reporting.
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2024-09-16 — INFERENCE (confidence: medium): the double-extortion model implies exfiltration over C2 channels prior to encryption; validate against per-incident telemetry.
T1567.002 | Exfiltration to Cloud Storage | TA0010
  • 2024-09-16 — INFERENCE (confidence: low): affiliates often use cloud services for staging/exfiltration; treat as possible but incident-dependent.
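As an added example (not code from the profile or from the reporting it cites), the check below correlates the pre-impact pair the table maps, T1490 (shadow copy deletion) and T1489 (service stop), on one host within a short window, over constructed process-creation records; the record layout, the command-line markers and the ten-minute window are assumptions, and either behaviour on its own is left alone because it is routine administration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pre-impact behaviours mapped on this profile, keyed by ATT&CK technique id.
# The command-line markers are assumed, generic indicators, not strings from the page.
PATTERNS = {
    "T1490": re.compile(r"delete shadows", re.I),                    # Inhibit System Recovery
    "T1489": re.compile(r"\b(net|sc)\s+stop\b|stop-service", re.I),  # Service Stop
    "T1059.001": re.compile(r"powershell", re.I),                    # PowerShell orchestration
}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def parse_event(line):
    """Parse a constructed 'timestamp|host|user|command line' process-creation record."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}

def tag_techniques(cmd):
    """Return the technique ids whose marker appears in one command line."""
    return {tid for tid, rx in PATTERNS.items() if rx.search(cmd)}

def correlate(lines, window=WINDOW):
    """Flag hosts where T1490 and T1489 both occur within `window` of each other."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for tid in tag_techniques(ev["cmd"]):
            by_host[ev["host"]].append((ev["ts"], tid, ev["user"]))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()  # chronological, so the window scan below only looks forward
        for i, (t0, tid0, user) in enumerate(hits):
            seen = {tid0} | {tid for t1, tid, _ in hits[i + 1:] if t1 - t0 <= window}
            if {"T1490", "T1489"} <= seen:
                alerts[host] = {"user": user, "first_seen": t0, "techniques": sorted(seen)}
                break
    return alerts

# Constructed sample telemetry (not real incident data): FS01 shows the paired
# behaviour minutes apart; WS07 shows the same two commands eight hours apart.
SAMPLE = [
    "2024-09-10T01:02:00|FS01|CORP\\svc_admin|net stop MSSQLSERVER",
    "2024-09-10T01:03:30|FS01|CORP\\svc_admin|vssadmin delete shadows /all",
    "2024-09-10T01:04:00|FS01|CORP\\svc_admin|powershell -File C:\\temp\\stage.ps1",
    "2024-09-10T09:00:00|WS07|CORP\\jdoe|net stop Spooler",
    "2024-09-10T17:00:00|WS07|CORP\\jdoe|vssadmin delete shadows /oldest",
]
```

Running `correlate(SAMPLE)` flags only FS01; WS07 stays quiet because its two events fall outside the window.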
Strategic Intelligence
Last updated: 2026-02-24T10:35:09+00:00

Cicada3301

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Summary

Cicada3301 is publicly described as a ransomware-as-a-service (RaaS) operation that emerged in mid-2024 with a leak site supporting double extortion. Public technical reporting describes a Rust-based encryptor with cross-platform targeting that includes Windows and Linux, with some reporting explicitly calling out ESXi environments as part of the target surface. Reporting also describes an affiliate program model in which operators provide infrastructure and tooling while partners conduct intrusions and deploy the encryptor for impact.

Cicada3301 is modeled as a crimeware RaaS ecosystem rather than an ideological actor. The operating logic is consistent with multi-extortion ransomware: unauthorized access, data theft for leverage, then encryption for disruption and pressure.

IOC Appendix
Last updated: 2026-02-24T10:36:51+00:00

IOC Appendix — Cicada3301 (Seed Set)

OSINT Library
Last saved: 2026-02-24T10:37:19+00:00

OSINT Library — Cicada3301

2024-09-10 — Palo Alto Networks Unit 42 — “Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware”

Social Media & Communication
SOCMINT integrated: 0/16

Reference Images/Associated Evidence (3 images)
  • recruitment (by @KrakenLabs_Team)
  • Onion website screen
  • Logo