
Threat Actor Characterization

FLOCKER


ID: 99da521133d790d17e2d1083cef3675f
Crimeware Ransomware Spyware/Stealer Trojan
Threat types: Ransomware, RaaS, Malware, Data Leak
Unknown
Updated: 2026-02-18
Created: 2026-01-27
Progress: 69% Completeness: 69% Freshness: 70%
Operation zone:
Aliases
No aliases registered.
MITRE ATT&CK®

FLOCKER is modeled as a ransomware/extortion (RaaS) cluster linked in OSINT to the alias 'FSociety', active since at least April 2024 with a Tor-based extortion portal and public comms channels. Note that 'FLocker' is also a legacy Android screen-locker ransomware family (2015–2016), creating a naming collision risk.


Technique | Technique name | Tactics | Evidence
T1486 | Data Encrypted for Impact | TA0040
  • 2024-04-25 — OSINT indicates FLOCKER/FSociety is ransomware (crypto-ransomware) and engages in direct/double extortion consistent with encryption-based impact. · ref
  • 2025-03-20 — OSINT describes FSociety/Flocker encrypting victim data as part of RaaS operations. · ref
T1657 | Financial Theft | TA0040
  • 2024-04-25 — INFERENCE (confidence: medium): Double-extortion implies coercive leverage and reputational pressure, often via leak portals and public victim postings. · ref
T1560 | Archive Collected Data | TA0009
  • 2025-03-20 — INFERENCE (confidence: medium): Double-extortion workflows commonly require staging/archiving collected data prior to exfiltration; model as cluster-level ransomware behavior. · ref
T1041 | Exfiltration Over C2 Channel | TA0010
  • 2025-03-20 — INFERENCE (confidence: medium): Double-extortion requires exfiltration of sensitive data to attacker-controlled infrastructure prior to leak-site pressure. · ref
T1190 | Exploit Public-Facing Application | TA0001
  • 2026-02-18 — INFERENCE (confidence: medium): As a modern RaaS cluster, likely initial access includes exploitation of public-facing applications/edge services typical of ransomware affiliates. · ref
T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005
  • 2026-02-18 — INFERENCE (confidence: medium): RaaS affiliate operations commonly use compromised valid accounts (VPN/SSO) as a primary access and persistence pathway. · ref
T1059 | Command and Scripting Interpreter | TA0002
  • 2026-02-18 — INFERENCE (confidence: medium): Ransomware affiliates typically rely on command shells and scripting for staging, discovery, and deployment; treat as cluster-level pattern. · ref
T1021.001 | Remote Desktop Protocol | TA0008
  • 2026-02-18 — INFERENCE (confidence: medium): Ransomware pre-encryption phases commonly involve RDP for lateral movement and hands-on-keyboard activity. · ref
T1021.002 | SMB/Windows Admin Shares | TA0008
  • 2026-02-18 — INFERENCE (confidence: medium): SMB/Admin shares are commonly used for lateral movement and distributing encryption tooling in ransomware incidents. · ref
T1003 | OS Credential Dumping | TA0006
  • 2026-02-18 — INFERENCE (confidence: medium): Credential dumping is a common prerequisite to rapid lateral movement and domain-wide ransomware deployment in affiliate intrusions. · ref

Strategic Intelligence
Last updated: 2026-02-18T19:02:00+00:00

FLOCKER — RaaS/Extortion brand with name-collision to legacy Android “FLocker”

Classification: TLP: WHITE - Open Source Intelligence (OSINT)

Executive Analyst Brief for CISO

Executive Analyst Brief for CISO — FLOCKER

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook

Hunting Playbook — FLOCKER (FSociety-linked RaaS / extortion cluster)


IOC Appendix
Last updated: 2026-02-18T19:04:08+00:00

IOC Appendix — FLOCKER

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

OSINT Library
Last saved: 2026-02-18T19:04:23+00:00

OSINT Library — FLOCKER


2026-02-18 — WatchGuard Ransomware Tracker — “Ransomware - Flocker (alias FSociety) profile”

Social Media & Communication
SOCMINT integrated: 0/2

Address | Verification | SOCMINT
t.me/FSO************ | Restricted | Not integrated
flock4cvoeqm4c62gyohvmncx6ck2e7ugvyqgyxqtrumklhd5ptwzpqd.onion | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.