APT73
APT73 is a ransomware threat group that emerged in mid-April 2024 and has been described as operating a ransomware-as-a-service model.
Profile source: Mallory opens in a new tabAPT73
Family profile
APT73 is a ransomware threat group that emerged in mid-April 2024 and has been described as operating a ransomware-as-a-service model. Despite its name, it is not established as a state-sponsored advanced persistent threat; rather, it appears to be a financially motivated extortion actor that self-branded using APT terminology. Reporting indicates that publicly available knowledge about the group has been limited and in part derived from information associated with LockBit.
APT73 has been linked to attacks across a broad range of sectors, including business services, technology, financial services, public sector, healthcare, manufacturing, transportation and logistics, hospitality, and critical or industrial infrastructure. Victim reporting spans multiple regions, with activity observed against organizations in North America, Europe, Asia, the Middle East, Africa, and South America. The group has been specifically described as targeting industrial and critical infrastructure sectors, consistent with broader ransomware trends affecting operationally significant organizations.
The group is associated with double-extortion style ransomware activity in which victim organizations are allegedly compromised and data theft claims are used to pressure payment. Reported incidents attributed to APT73 include compromises of government, aviation, retail, manufacturing, and technology-related entities. Some reporting also associates a substantial portion of its victim set with prior infostealer exposure, suggesting that stolen credentials or access obtained through commodity credential theft may play a role in victimization, although specific intrusion chains are not firmly established.
APT73 is also associated with leak-site or negotiation infrastructure used to publicize victims and extortion claims. Known aliases include apt73 and group_apt73. No high-confidence evidence in the available information supports attribution to a particular nation-state or intelligence service. The most defensible characterization is that APT73 is an emerging, globally active ransomware/extortion operation with opportunistic targeting and an emphasis on organizations whose disruption or data exposure can increase leverage during negotiations.
Ransomware.live
Operational record
Ransomware.live
Recent claims
MITRE ATT&CK
APT73 in ATT&CK
5 distinct techniquesReporting
Research mentioning APT73
Ransomware Group apt73 Hits: dgcement.com
dgcement.com — an organization based in DZ — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: azarestan.com
azarestan.com — an organization based in IR — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: vicentetrapani.com
vicentetrapani.com — an organization based in AR — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: westernint.com
westernint.com — an organization based in US — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: aydeniz.com
aydeniz.com — an organization based in TR — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: holidaypalace.com
holidaypalace.com — an organization based in MO — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: flazio.com
flazio.com — an organization based in BR — has fallen victim to a ransomware attack conducted by the group apt73.
Ransomware Group apt73 Hits: ritavo.com
ritavo.com — an organization based in AT — has fallen victim to a ransomware attack conducted by the group apt73.