CMD Organization
CMD Organization is a ransomware and data-extortion threat group that publicly claims intrusions against organizations and uses leak-site shaming to pressure victims.
Profile source: Mallory opens in a new tabCMD Organization
Family profile
CMD Organization is a ransomware and data-extortion threat group that publicly claims intrusions against organizations and uses leak-site shaming to pressure victims. The group has been observed listing victims on extortion infrastructure and publishing sample stolen documents to support its claims. Reporting also associates it with an auction-style monetization model in which allegedly stolen datasets are offered to the highest bidder, indicating a financially motivated operation centered on double-extortion and possible data resale.
Observed victimology includes educational institutions, and the group has appeared in weekly ransomware claim tracking as an active but not top-tier actor, with multiple claimed victims across separate reporting periods in mid-2026. In one publicly reported university intrusion, the group claimed theft of a large volume of sensitive data, issued a cryptocurrency ransom demand, and threatened timed publication of additional material. That incident was also characterized by disruptive actions beyond exfiltration, including deletion of files from affected storage systems, consistent with coercive pressure designed to hinder recovery and increase leverage.
Tactics attributed to CMD Organization include unauthorized network access, data exfiltration, extortion via leak-site publication, deadline-based ransom demands, and destructive or disruptive post-compromise activity such as file deletion. The group’s operating model suggests overlap between ransomware and pure extortion tradecraft: public victim naming, proof-of-compromise releases, and sale or threatened release of stolen information. Available information supports classifying CMD Organization as a cybercriminal extortion actor. No high-confidence public attribution to a nation-state sponsor is currently available.
Ransomware.live
Operational record
Ransomware.live
Recent claims
MITRE ATT&CK
CMD Organization in ATT&CK
7 distinct techniquesReporting
Research mentioning CMD Organization
Mount Royal University hit by ransomware attack, data stolen and deleted | brief | SC Media
The cyberattack, claimed by the threat group CMD Organization, involved the theft of data from the university's "H drive," which contained information for current and former students and employees.
Mount Royal University Confirms Data Stolen in Ransomware Attack - SecurityWeek
The university’s notice, however, came the same day that a ransomware group called CMD Organization added MRU to its Tor-based leak site, claiming the theft of over 10 terabytes of data.
Mount Royal University : vol et destruction de données par CMD Organization, rançon de 30 BTC | CyberVeille
Le groupe CMD Organization a revendiqué l’attaque et publié des échantillons de données volées, incluant des scans de passeports et d’autres documents sensibles. Le groupe a exigé une rançon de 30 BTC avec un délai de six jours avant publication des données.
Mount Royal University says hackers stole and deleted files following June cyberattack - CySecurity News - Latest Information Security and Hacking Incidents
Responsibility for the attack has been claimed by the cybercrime group CMD Organization, which has published samples of what it alleges is stolen university data, including passport scans and other sensitive documents.
teiss - News - Mount Royal University confirms hackers stole and deleted student and staff files
The attack has been claimed by a group calling itself CMD Organization, which has posted samples of allegedly stolen material, including passport scans and other sensitive documents, to its extortion site.
Mount Royal University confirms breach as hackers claim attack
The MRU attack was claimed by the threat group CMD Organization, which has published samples of the allegedly stolen data, including passport scans and other sensitive documents.
Tendances ransomware - Semaine 28/2026 | CyberVeille
La présence de CRPxO et CMD Organization mérite d’être notée, ces groupes n’étant pas apparus dans les données de la semaine précédente.
Tendances ransomware - Semaine 26/2026 | CyberVeille
Icarus, Akira, INC Ransom et CMD Organization complètent le tableau avec respectivement 9, 8, 7 et 5 revendications.