Md5
4 total370fbcc6711fb983ae4679f02c5ac46129144c2f5acd859adf08d42ffcd74f50fb42dec2c39cd7884ca4cb6b76308f510f7d721e4e5e2ce0a5c629f2fd4ac572
0APT is a Rust-based ransomware family associated with a ransomware-as-a-service (RaaS) operation that surfaced in January 2026.
Profile source: Mallory opens in a new tab0APT
0APT is a Rust-based ransomware family associated with a ransomware-as-a-service (RaaS) operation that surfaced in January 2026. Reporting consistently describes the broader operation as using a coordinated bluff campaign: the operators claimed more than 150-200 victims, but multiple investigations found no verifiable evidence of confirmed intrusions, operational encryption events, or credible exfiltrated data for the listed organizations. Researchers assessed the leak site and exposed RaaS panel were likely designed to project credibility and attract affiliates, and some reporting concluded the scheme may have been intended to defraud aspiring affiliates. Despite those doubts around victim claims, researchers confirmed that 0APT operated a functional affiliate platform and were able to generate ransomware samples directly from the onion-hosted portal.
The RaaS platform supported customized build generation for Windows, Linux, and macOS, with up to five samples per affiliate account in one report. Builds were customized per affiliate using unique build keys and affiliate identifiers while preserving a common core codebase. The platform also included extortion workflow features such as negotiation chat, payment tracking, admin support, and technical documentation. Generated ransomware appends the .0apt extension to encrypted files and drops a ransom note named README0apt.txt; reverse engineering of one analyzed sample observed ransom notes written as README0apt.txt.0apt per directory.
A specifically analyzed sample had SHA-256 3dc4593b14879cb0bb4dc19e85816f09ff6a5f4db8c2957331b557af1fa1a375 and was a 64-bit Rust 1.92.0 executable. On execution, it looks for Config2.txt in the current working directory and falls back to hardcoded defaults if the file is absent. Configuration supports exclusions for extensions, filenames, and folders; default exclusions included many system and operational file types such as .exe, .dll, .sys, .msi, .bat, .com, .vbs, and .0apt, and folders such as /windows, /ProgramData, /Program Files, /Program Files (x86), /temp, /tmp, /cache, /google/chrome, and /mozila/firefox. The default configuration also skips files larger than 1 GB, uses the number of CPU cores for parallel encryption threads, requires at least 500 MB of free RAM, checks memory availability every 100 ms, and includes a one-minute sleep timer.
For cryptography, the sample attempts to read public_key.pem from the current directory and falls back to an embedded 2048-bit RSA public key if missing. Before encryption it checks for allpath.txt; if present, only listed files are encrypted, otherwise it scans broadly for targets. The sample uses hybrid encryption with RSA and AES-256: for each file it generates a 32-byte AES key and 16-byte IV using OsRng, encrypts the AES key with RSA-OAEP, encrypts file contents with AES-256 via a stream-compatible mode, overwrites the file with a structure containing the RSA-encrypted AES key, IV, and ciphertext, flushes with File::sync_all, and renames the file with the .0apt extension. It also contains a hardcoded wallpaper image that it writes as embedded_wallpaper.png into %TEMP% and sets as the desktop wallpaper.
Researchers reported no observed persistence, propagation, or advanced evasion features in the analyzed sample, and assessed it appeared intended for targeted, manually controlled intrusions rather than autonomous spread. Hindi-language strings were observed in debug or execution logs; reporting noted this may suggest Indian linguistic influence but does not support definitive attribution. High-confidence indicators and artifacts mentioned in the reporting include the .0apt file extension, ransom note names README0apt.txt and README0apt.txt.0apt, Config2.txt, public_key.pem, allpath.txt, embedded_wallpaper.png, and the analyzed sample hash 3dc4593b14879cb0bb4dc19e85816f09ff6a5f4db8c2957331b557af1fa1a375.
Ransomware.live
Ransomware.live
370fbcc6711fb983ae4679f02c5ac46129144c2f5acd859adf08d42ffcd74f50fb42dec2c39cd7884ca4cb6b76308f510f7d721e4e5e2ce0a5c629f2fd4ac572Reported operators
"Intel 471 discovered the alleged 0APT malware sample... technical analysis of the malicious file indicated it was more of a work in progress than a fully operational ransomware malware sample."
Exploited software
MITRE ATT&CK
Reporting
A new ransomware operation called 0APT surfaced on the dark web in late January 2026... The platform allowed affiliates to generate five ransomware samples per account, supporting Windows, Linux, and macOS... Generated ransomware appends the .0apt extension and drops README0apt.txt.
The Howler Cell Threat Research Team conducted a detailed technical analysis of 0APT, a Rust-based ransomware family that recently surfaced alongside a coordinated bluff campaign.
"Intel 471 discovered the alleged 0APT malware sample... technical analysis of the malicious file indicated it was more of a work in progress than a fully operational ransomware malware sample."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.