A nascent ransomware operation known as 0APT has emerged on the dark web, creating a significant stir by claiming over 200 victimized organizations within its initial week of operation in late January 2026. The group established a professional-looking data leak site and marketed itself as a Ransomware-as-a-Service (RaaS) provider, aiming to recruit affiliates. However, preliminary investigations by cybersecurity researchers have revealed that these claims are largely unsubstantiated, with virtually no genuine stolen data appearing on their leak site, suggesting the operation may be designed to defraud aspiring cybercriminals rather than actual organizations.
The 0APT group invested in elaborate infrastructure for its launch, including a data leak site hosted on a vanity TOR domain, a functional RaaS panel for affiliates, and chat systems for negotiations. Each purported victim listing on the site featured an elaborate file tree allegedly containing gigabytes of corporate data. When researchers attempted to download these files, the advertised sizes were implausibly large, exceeding 4GB even for listings whose contents should realistically amount to kilobytes, and downloads terminated automatically after roughly five minutes, so no complete archive could ever be retrieved or verified. Analysts at THE RAVEN FILE identified these tactics as deliberate deceptions, intended to create the illusion of successful data breaches without delivering any tangible evidence of compromised information.
0APT Ransomware Group: A Deception at Scale
Multiple cybersecurity firms, including GuidePoint Security, Halcyon, and SOCRadar, have investigated the 0APT operation and found no corroborating evidence that the listed organizations have suffered actual data breaches. In several instances, claimed victims, such as Epworth HealthCare, have publicly stated that no compromise of their systems was detected. Adding to the suspicion, researchers noted that the 0APT group listed fictional entities, like “Metropolis City Municipal,” a clear nod to DC Comics, further undermining the credibility of their victim claims. The group’s reported rate of adding new victims also far outpaced that of established ransomware operations, with reports indicating the addition of 91 victims in a mere two-day period.
The underlying motivation behind the 0APT operation became clearer when researchers gained access to the group’s RaaS panel. The platform allowed registered affiliates to generate up to five ransomware samples per account, with builds for Windows, Linux, and macOS. The Windows executables, written in Rust, were approximately 5.6MB in size, while the Linux binaries were around 1.3MB. The samples employed a range of encryption algorithms, including AES-256, Salsa20/ChaCha, and the less common Speck cipher, which researchers have associated with AI-generated code. Ransomware generated by the panel appends the “.0apt” extension to encrypted files and drops a README0apt.txt ransom note containing unique identifiers for the victim; those two artifacts are the most direct on-host indicators that a build from this panel has actually run.
The operation actively recruited affiliates through prominent “JOIN RAAS” notifications on its platform, collecting fees from cybercriminals who believed they were joining a genuine and lucrative ransomware ecosystem. Reports suggest that at least one actor involved in the operation has already defrauded interested cybercriminals of approximately $85,000. The RaaS panel featured a comprehensive suite of tools for affiliates, including payment tracking, negotiation chat, administrative support, and technical documentation. While the ransomware binaries themselves are functional when executed, the entire victim list appears to have been fabricated to entice and retain paying affiliates by presenting a seemingly active and successful operation.
The wide distribution of these functional ransomware binaries, despite the fabricated victim claims, presents an ongoing risk. Security teams are advised to verify any breach claim through their own telemetry and official channels before responding to a ransom demand or a leak-site listing. A listing on a data leak site is not evidence of a breach: in the absence of a genuine ransom note on a host, demonstrably encrypted files, or direct communication from a purported attacker, such listings should be treated with extreme skepticism as potentially fabricated. Organizations are nonetheless strongly encouraged to monitor for the indicators of compromise associated with 0APT builds, since functional copies of the ransomware are circulating in the cybercriminal underground through the affiliates who paid for access.
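The two on-host artifacts named above (the “.0apt” extension and the README0apt.txt note) are what a responder can actually check for, as opposed to a leak-site listing. The script below is an added example, not code from the article, from 0APT, or from any of the vendors cited; it walks a directory tree, collects both artifacts, and uses a Shannon-entropy check (the 7.0 bits-per-byte threshold and the 64KB sample size are assumptions for this example) to separate files that look genuinely encrypted from renamed or empty decoys. It also flags directories that hold a note but no encrypted files, which is the kind of inconsistency that helps tell a staged claim from a real incident. The sample tree it builds is constructed for the demonstration, including the placeholder note text.

```python
"""Hunt a directory tree for 0APT-style artifacts (added example, not 0APT's or any vendor's code)."""
import json
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Artifacts named in the article.
ENCRYPTED_SUFFIX = ".0apt"
RANSOM_NOTE_NAME = "README0apt.txt"

# Assumptions for this example: ciphertext looks uniformly random, so a .0apt file
# whose sampled content falls below this entropy is a decoy/renamed file, not encrypted.
ENTROPY_THRESHOLD = 7.0   # bits per byte
SAMPLE_BYTES = 64 * 1024  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hunt_0apt(root) -> dict:
    """Walk `root` and return sorted lists of:
    encrypted    - .0apt files whose head is high entropy (likely real ciphertext)
    low_entropy  - .0apt files whose head is NOT high entropy (decoy or renamed)
    ransom_notes - files named README0apt.txt
    note_dirs    - directories holding a note but no .0apt files (inconsistent)
    """
    findings = {"encrypted": [], "low_entropy": [], "ransom_notes": [], "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        note_here = enc_here = False
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(str(path))
                note_here = True
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                enc_here = True
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(SAMPLE_BYTES)
                except OSError:
                    head = b""  # unreadable file: treated as not-encrypted evidence
                bucket = "encrypted" if shannon_entropy(head) >= ENTROPY_THRESHOLD else "low_entropy"
                findings[bucket].append(str(path))
        if note_here and not enc_here:
            findings["note_dirs"].append(dirpath)
    for lst in findings.values():
        lst.sort()
    return findings


def build_sample_tree(base: Path) -> None:
    """Constructed sample data for the demo (not real 0APT output)."""
    (base / "docs").mkdir(parents=True)
    (base / "other").mkdir()
    (base / "shared").mkdir()
    # Stand-in for ciphertext: uniform byte distribution, entropy exactly 8.0 bits/byte.
    (base / "docs" / "report.docx.0apt").write_bytes(bytes(range(256)) * 16)
    (base / "docs" / RANSOM_NOTE_NAME).write_text("placeholder ransom note; victim id: <constructed>\n")
    (base / "docs" / "notes.txt").write_text("ordinary plaintext, should not be flagged\n")
    # Decoy: renamed file full of a single byte, entropy 0.0.
    (base / "other" / "decoy.0apt").write_bytes(b"A" * 4096)
    # Note with nothing encrypted beside it: flagged as inconsistent.
    (base / "shared" / RANSOM_NOTE_NAME).write_text("placeholder note\n")


def demo() -> dict:
    """Build the sample tree in a temp dir, hunt it, return findings as relative POSIX paths."""
    base = Path(tempfile.mkdtemp(prefix="0apt_hunt_"))
    try:
        build_sample_tree(base)
        found = hunt_0apt(base)
        rel = lambda p: Path(p).relative_to(base).as_posix()
        return {k: [rel(p) for p in v] for k, v in found.items()}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point hunt_0apt() at a mounted image or a live share rather than the demo tree for real use. The extension and note name are brittle indicators on their own (a renamed file matches just as well), which is why the entropy split and the note-without-ciphertext check are there: a host with nothing but low-entropy “.0apt” files and a note is more consistent with staging than with an actual encryption run.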

