3C-INT | [Cyber]Crime Characterization for Intelligence

FunkSec

ID: 69cc5ffdc20c5e83a0f6b788a05a102963856

Crimeware Botnet Ransomware Trojan

Threat types: Phishing, Data Leak, Ransomware, Malware

Russia DZA, ARG, AUS, BGD, BRA, COL, EGY, FRA, DEU, ITA, JOR, MEX, MNG, PAK, PRY, ESP, USA, VNM, ZMB

Updated: 2026-04-04

Created: 2026-02-18

Progress: 89% Completeness: 89% Freshness: 90%

Operation zone: Algeria, Argentina, Australia, Bangladesh, Brazil, Colombia, Egypt, France, Germany, Italy, Jordan, Mexico, Mongolia, Pakistan, Paraguay, Spain, United States, Vietnam, Zambia

Aliases Limited alias preview

Funksec Group

—

Associated Threat Relationships

Limited preview

Related profiles 11
Related files 6

Related profiles

ID	Threat	Origin	Type	Categories
c164422726768147ec76b4d320680707	_Sentap	Unknown	member-of	Cybercrime
464f51140c3fed3325f5b47dbeca60f630727	Bjorka	Indonesia	member-of	Cybercrime
8a6704ed919b38fab0bf03ed0005e41e62952	Blako	Unknown	member-of	Cybercrime
9322a25c5e800328c6cd5de77d0c89ae	Cyber Flood	Iran	ally-of	Cybercrime
dc6e7baf0a1acfa234a4928e32cef34b55405	DesertStorm	Algeria	ally-of	Cybercrime
4d2f0e42b048e86a7323dc689171d97c	el farado	Unknown	member-of	Cybercrime
6937f54c4a17dbbd566c01941af2b20f	FSOCIETY	Unknown	related	Cybercrime
6622a1e25709c2f7a760760c63b67d83	Ghost Algeria	Algeria	ally-of	Hacktivist Group
e9ddff11fff52019e77d595b011b083f	MRZ	Unknown	member-of	Cybercrime
5d0f5219d1a5557d70758202f92e007659518	Scorpion	Russia	founder	Cybercrime
5da217af8d9dac2a11d516c9b747c0cf64481	XTN	Niger	member-of	Cybercrime

Related files

Filename	Size	SHA-1	Identified
funksec.exe	5.19 MB	1732202d************************0eda03d7	Malware
ransomware.exe	5.24 MB	b1022afe************************c6abb192	Malware
darkzone.exe	5.17 MB	ff96db4b************************50e51de4	Malware
Ghost.exe	5.19 MB	bc013aac************************cea6c1f0	Malware
file.exe	5.23 MB	082258d1************************a0302cd8	Malware
dev.exe	5.24 MB	aa8e0f87************************6d8235cf	Malware

Free preview hides direct file links and partially masks file hashes.

Actor Network Graph

Open Network Graph

Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.

MITRE ATT&CK®

confidence: medium

Actor Techniques page ATT&CK® Diagram

FunkSec is an emerging ransomware-as-a-service (RaaS) brand (late 2024) using double extortion and a Rust-based encryptor often called FunkLocker; public reporting emphasizes AI-assisted development and mixed operational maturity.

Technique	Technique name	Tactics	Evidence
T1486	Data Encrypted for Impact	TA0040	2025-01-10 — Public reporting profiles FunkSec as a ransomware operation whose core impact is file encryption for extortion. · ref 2025-07-01 — Kaspersky describes a Rust executable integrating full encryption capability as part of the operation. · ref
T1490	Inhibit System Recovery	TA0040	2025-12-16 — Picus reports deletion of Volume Shadow Copies using vssadmin to inhibit restoration (e.g., 'vssadmin delete shadows /all /quiet'). · ref
T1566	Phishing	TA0001	2026-02-18 — Defender-facing guidance lists phishing as a key distribution method consistent with FunkSec-style intrusions. · ref 2025-01-10 — INFERENCE (confidence: medium): As a RaaS brand, FunkSec affiliates likely leverage common phishing-based initial access patterns observed across ransomware ecosystems. · ref
T1078	Valid Accounts	TA0001 TA0003 TA0004 TA0005	2026-02-18 — Defender-facing guidance lists credential abuse / 'stuffed credential attacks' as a distribution method for FunkSec ransomware. · ref 2025-06-03 — INFERENCE (confidence: medium): Broad sector/geography victimology is consistent with opportunistic valid-account access and credential reuse at scale. · ref
T1041	Exfiltration Over C2 Channel	TA0010	2025-07-01 — Kaspersky describes a password mechanism that activates a more aggressive mode including data exfiltration behavior in addition to encryption. · ref 2025-12-16 — INFERENCE (confidence: medium): Double extortion operations require staging and transferring data prior to encryption; exfiltration over network channels is therefore likely. · ref
T1562.001	Disable or Modify Tools	TA0005	2025-07-01 — Kaspersky notes the malware can disable many processes and includes self-cleaning behavior; this aligns with impairment of defenses (process/tool disruption). · ref 2025-12-16 — Picus notes a hardcoded list of processes/services targeted for termination to avoid locked files during encryption; also functions as defense interference. · ref

Strategic Intelligence

Limited preview

Last updated: 2026-02-19T03:08:00+00:00

Preliminary Strategic Intelligence

FUNKSEC — AI-assisted RaaS ransomware operation (FunkLocker)

Classification: TLP: WHITE - Open Source Intelligence (OSINT)

Full strategic intelligence is available in Analyst and Premium plans.

Executive Analyst Brief for CISO

Saved Limited preview

Executive Analyst Brief for CISO — FUNKSEC

Upgrade to access the full executive brief.

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.

Saved successfully.

Hunting Playbook

Saved Limited preview

Hunting Playbook — FUNKSEC

Upgrade to access the full hunting playbook.

Tip: Hover the section title to learn what’s included in Analyst / Premium plans.

Saved successfully.

IOC Appendix

Saved Limited preview

Last updated: 2026-02-18T19:13:20+00:00

IOC Appendix (TLP:WHITE) — FUNKSEC

More IOC context for Research. Full appendix for Analyst and Premium plans.

Saved successfully.

OSINT Library

Saved Limited preview

Last saved: 2026-02-19T03:31:41+00:00

OSINT Library — FUNKSEC

2025-12-16 — Picus Labs — “FunkSec RaaS Operations: Hacktivism Meets Cybercrime”

Full OSINT references available for Research / Analyst.

Saved successfully.

Social Medial & Communication

SOCMINT integrated: 0/16

Clearnet 4 0
Darkweb 12 0

Address	Verification	SOCMINT
`miniapps.ai/fun****`	Restricted	Not integrated
`www.ransomlook.io/gro**********`	Restricted	Not integrated
`funksec.top`	Restricted	Not integrated
`keybase.io/fun*********`	Restricted	Not integrated

Address	Verification	SOCMINT
`7ixfdvqb4eaju5lzj4gg76kwlrxg4ugqpuog5oqkkmgfyn33h527oyyd.onion`	Restricted	Not integrated
`pke2vht5jdeninupk7i2thcfvxegsue6oraswpka35breuj7xxz2erid.onion`	Restricted	Not integrated
`ykqjcrptcai76ru5u7jhvspkeizfsvpgovton4jmreawj4zdwe4qnlid.onion`	Restricted	Not integrated
`funkxxkovrk7ctnggbjnthdajav4ggex53k6m2x3esjwlxrkb3qiztid.onion`	Restricted	Not integrated
`funknqn44slwmgwgnewne6bintbooauwkaupik4yrlgtycew3ergraid.onion`	Restricted	Not integrated
`funkiydk7c6j3vvck5zk2giml2u746fa5irwalw2kjem6tvofji7rwid.onion`	Restricted	Not integrated
`funk4ph7igelwpgadmus4n4moyhh22cib723hllneen7g2qkklml4sqd.onion`	Restricted	Not integrated
`funkyiazgfsrxrib6rnxbhkgfqi7isisfbqnwk2ycf7tpgfhtevlamad.onion`	Restricted	Not integrated
`funksec53xh7j5t6ysgwnaidj5vkh3aqajanplix533kwxdz3qrwugid.onion`	Restricted	Not integrated
`funksecsekgasgjqlzzkmcnutrrrafavpszijoilbd6z3dkbzvqu43id.onion`	Restricted	Not integrated
`funksec7vgdojepkipvhfpul3bvsxzyxn66ogp7q4pptvujxtpyjttad.onion`	Restricted	Not integrated
`funk45xqgrkrtej4743evcgv65oi3w4shwvjx3cvrdtqwul7gzkxuxqd.onion`	Restricted	Not integrated

Notes: preview mode hides sensitive social/contact details.

Reference Images/Associated Evidence Limited

Free Preview

Onion web sites

Free Preview

Onion web sites

Threat Actor Characterization

FunkSec

Associated Threat Relationships

Related profiles

Related files

Actor Network Graph

MITRE ATT&CK®

Strategic Intelligence

FUNKSEC — AI-assisted RaaS ransomware operation (FunkLocker)

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — FUNKSEC

Hunting Playbook

Hunting Playbook — FUNKSEC

IOC Appendix

IOC Appendix (TLP:WHITE) — FUNKSEC

OSINT Library

OSINT Library — FUNKSEC

Social Medial & Communication

Reference Images/Associated Evidence Limited