Dharma

Also known as: Arena, Crysis, Wadhrama, ncov

According to Malwarebytes, the Dharma ransomware family is installed manually by attackers who break into computers over Remote Desktop Protocol (RDP) services. The attackers scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute-force the computer's password.

Once they gain access to the computer, they install the ransomware and let it encrypt the machine. If they are able to reach other computers on the network, they attempt to encrypt those as well.

C2 Infrastructure

ISP/Residential 87%
Hosting/VPS 12%
Unknown 1%

Last 7 days

Jun 5, 2026
C2 Hosts: 142

Further Reading

web.archive.org
asec.ahnlab.com
blog.trendmicro.com
cyberveille-sante.gouv.fr
docs.microsoft.com
go.crowdstrike.com
jsac.jpcert.or.jp
mandiant.widen.net
nakedsecurity.sophos.com
news.sophos.com
research.checkpoint.com
s3.documentcloud.org
securelist.com
services.google.com
thedfirreport.com
twitter.com
acronis.com
advanced-intel.com
bleepingcomputer.com
carbonblack.com
cert.ssi.gouv.fr
cronup.com
crowdstrike.com
europol.europa.eu
group-ib.com
huntandhackett.com
justice.gov
microsoft.com
npu.gov.ua
paloaltonetworks.com
theregister.com
trellix.com
trendmicro.com
vice.com
welivesecurity.com
youtube.com
zscaler.com