3C-INT logo [Cyber]Crime Characterization for Intelligence FREE PREVIEW
You are exploring the Free preview. To unlock full read-only access to all public profiles and in-app notifications, create a free research account. For analyst / premium plans capabilities (editing, advanced tabs, exports), please contact us

Threat Actor Characterization

Back
You’re viewing the read-only version. Sign in for analyst tools (editors, promote draft, file/relations management, etc.)
FSOCIETY

FSOCIETY

ID: 6937f54c4a17dbbd566c01941af2b20f
Cybercrime Cybercriminal
Threat types:
Unknown
Updated: 2026-04-06
Created: 2026-01-27
Progress: 81% Completeness: 77% Freshness: 90%
Operation zone:
Aliases Limited alias preview
fsociety 1337 fsociety1337
Actor Network Graph
Open Network Graph
Read-only preview for anonymous visitors. Sign in with a free Research account for full workspace.
MITRE ATT&CK®
confidence: medium
Actor Techniques page ATT&CK® Diagram

FSOCIETY (aka Flocker) is an OSINT-reported ransomware-as-a-service (RaaS) cluster associated with double-extortion operations and public leak-site signaling, with reported ecosystem linkage to FunkSec.


Technique Technique name Tactics Evidence
T1486 Data Encrypted for Impact TA0040
  • 2024-06-30 — FSOCIETY is described as a new ransomware group with malware called FLocker (encryption impact implied by ransomware classification). · ref
  • 2025-03-04 — FSOCIETY/Flocker described as operating ransomware with double-extortion posture (encryption + leak threats). · ref
T1565.001 Stored Data Manipulation TA0040
  • 2025-02-16 — INFERENCE (confidence: low): Public extortion messaging and leak-site pressure implies leverage over victim data integrity/availability; verify internally before mapping to destructive data manipulation. · ref
T1657 Financial Theft TA0040
  • 2024-06-30 — Ransomware group operates a Tor leak site and Telegram channel, consistent with an extortion business model that pressures victims to pay. · ref
  • 2024-05-01 — Tracker lists extortion types including double extortion for Flocker/FSOCIETY. · ref
T1567 Exfiltration Over Web Service TA0010
  • 2025-03-04 — INFERENCE (confidence: medium): Double-extortion implies exfiltration to attacker-controlled storage or web services prior to encryption. · ref
T1560 Archive Collected Data TA0009
  • 2025-03-20 — INFERENCE (confidence: medium): RaaS double-extortion operations typically stage data via archiving prior to exfiltration; treat as a hunting focus in absence of unique sample telemetry. · ref
T1078 Valid Accounts TA0001 TA0003 TA0004 TA0005
  • 2025-03-20 — INFERENCE (confidence: medium): As a RaaS ecosystem brand, FSOCIETY likely leverages valid-account access acquired by affiliates/IABs; confirm through your identity telemetry. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2025-03-01 — INFERENCE (confidence: medium): Cross-sector victim claims in ransomware ecosystems commonly originate from exploitation of exposed edge services; validate against external exposure and edge logs. · ref
T1059 Command and Scripting Interpreter TA0002
  • 2025-03-20 — INFERENCE (confidence: medium): Commodity scripting and LOLBins are standard for ransomware staging and lateral movement; treat as a detection priority in pre-encryption phases. · ref
T1021.001 Remote Desktop Protocol TA0008
  • 2025-03-20 — INFERENCE (confidence: medium): Ransomware intrusions frequently use RDP for lateral movement in flat environments; pivot from suspicious admin sessions and fan-out patterns. · ref
T1490 Inhibit System Recovery TA0040
  • 2025-03-20 — INFERENCE (confidence: low–medium): Many ransomware operations inhibit recovery by targeting backups and shadow copies; hunt for vssadmin/wmic and backup-console tampering. · ref
Strategic Intelligence
Limited preview
Last updated: 2026-02-18T18:45:40+00:00

FSOCIETY — RaaS / double‑extortion cluster (aka “Flocker”)

Classification: TLP: WHITE - Open Source Intelligence (OSINT)

Full strategic intelligence is available in Analyst and Premium plans.
Executive Analyst Brief for CISO
Saved Limited preview

Executive Analyst Brief for CISO — FSOCIETY (aka “Flocker”)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Upgrade to access the full executive brief.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Executive brief now
Saved successfully.
Hunting Playbook
Saved Limited preview

Hunting Playbook — FSOCIETY / Flocker (RaaS / Double‑Extortion Cluster)


Upgrade to access the full hunting playbook.
Tip: Hover the section title to learn what’s included in Analyst / Premium plans.
Hunting Playbook now
Saved successfully.
IOC Appendix
Saved Limited preview
Last updated: 2026-02-18T18:48:05+00:00

IOC Appendix — FSOCIETY

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

More IOC context for Research. Full appendix for Analyst and Premium plans.
IOC Appendix now
Saved successfully.
OSINT Library
Saved Limited preview
Last saved: 2026-02-18T18:48:23+00:00

OSINT Library — FSOCIETY


2025-03-04 — Bitdefender — “FSociety/Flocker: ransomware, double‑extortion signals, and victim claims (OSINT profile)”

Full OSINT references available for Research / Analyst.
OSINT Library now
Saved successfully.
Social Medial & Communication
SOCMINT integrated: 0/3
Address Verification SOCMINT
t.me/fso********* Restricted Not integrated
t.me/fso************* Restricted Not integrated
Address Verification SOCMINT
flock4cvoeqm4c62gyohvmncx6ck2e7ugvyqgyxqtrumklhd5ptwzpqd.onion Restricted Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence Limited
Showing 1–2 of 2 images
Propaganda Free Preview
Propaganda
Logo / Avatar Free Preview
Logo / Avatar