
Threat Actor Characterization

el farado


ID: 4d2f0e42b048e86a7323dc689171d97c
Cybercrime Cybercriminal
Threat types: Ransomware, Intrusion
Unknown
Updated: 2026-03-14
Created: 2026-02-19
Progress: 73% Completeness: 74% Freshness: 70%
Operation zone:
Aliases: El_Farado
MITRE ATT&CK®

El Farado is a publicly referenced persona assessed as linked to the FunkSec ransomware cluster (FunkLocker), primarily via online promotion and OSINT correlation signals; treat as a cluster-level pivot rather than a standalone operator attribution.


Technique | Technique name | Tactics
  • Evidence (dated; entries marked INFERENCE carry an analyst confidence level)
T1486 | Data Encrypted for Impact | TA0040
  • 2025-01-09 — Vendor bulletins describe FunkSec/FunkLocker as a ransomware actor using encryption for impact.
T1657 | Financial Theft | TA0040
  • 2025-01-09 — INFERENCE (confidence: medium): As a double-extortion actor, FunkSec pressures victims through coercive messaging and leak threats, consistent with extortion techniques.
T1567.002 | Exfiltration to Cloud Storage | TA0010
  • 2025-01-10 — INFERENCE (confidence: medium): Public reporting characterizes FunkSec as double-extortion, implying data theft and external hosting/publishing of victim data as leverage.
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2025-01-10 — INFERENCE (confidence: low): Ransomware intrusions commonly leverage compromised valid accounts; confirm per incident telemetry before high-confidence attribution.
T1190 | Exploit Public-Facing Application | TA0001
  • 2025-10-02 — INFERENCE (confidence: low): Ransomware access frequently involves exploitation of public-facing applications; use as a defensive modeling assumption pending incident proof.
T1059 | Command and Scripting Interpreter | TA0002
  • 2025-10-02 — INFERENCE (confidence: medium): Detection guidance for FunkLocker emphasizes common script-driven staging behavior (PowerShell/cmd) typical of ransomware operations.
T1021.001 | Remote Desktop Protocol | TA0008
  • 2025-10-02 — INFERENCE (confidence: low): Lateral movement via RDP is common in ransomware playbooks; validate with logon telemetry.
T1021.002 | SMB/Windows Admin Shares | TA0008
  • 2025-10-02 — INFERENCE (confidence: low): Lateral movement via SMB/admin shares is common in ransomware playbooks; validate with network/auth logs.
T1490 | Inhibit System Recovery | TA0040
  • 2025-02-11 — INFERENCE (confidence: medium): Reporting on FunkLocker and ransomware norms supports a likely recovery-inhibition phase (shadow copies/backups).
Strategic Intelligence
Last updated: 2026-02-20T00:30:42+00:00

El Farado — Alleged FunkSec operator / promoter persona

Classification: TLP:WHITE - Open Source Intelligence (OSINT)

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — El Farado

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — El Farado (FunkSec/FunkLocker-linked persona)


IOC Appendix
Last updated: 2026-02-20T00:32:29+00:00

IOC Appendix (TLP:WHITE) — El Farado

Note: This appendix focuses on operationally useful observables and correlation pivots from OSINT. Persona-level indicators can be unstable; prioritize cluster-level artifacts when available.

OSINT Library
Last saved: 2026-02-20T00:32:46+00:00

OSINT Library — El Farado


2025-01-10 — Check Point Research — “FunkSec – Alleged Top Ransomware Group Powered by AI”

Social Media & Communication
SOCMINT integrated: 0/2

Address | Verification | SOCMINT
t.me/el_****** | Restricted | Not integrated
keybase.io/el_****** | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

No images found for this threat.