Skip to content
Ransomware group

DireWolf

DireWolf is a ransomware group/malware operation first reported as emerging in May 2025, with first victim postings on its leak site observed on May 26, 2025.

Profile source: Mallory opens in a new tab

DireWolf

Family profile

DireWolf is a ransomware group/malware operation first reported as emerging in May 2025, with first victim postings on its leak site observed on May 26, 2025. Reporting cited in the content describes it as quickly demonstrating mature extortion operations and using double extortion tactics. By late August 2025, one deep-dive reported about 39 confirmed victims, with victim geography spanning more than 11 countries and concentration in Singapore, Thailand, the Philippines, and Taiwan. Additional reported victims include a Pakistani automobile assembly and sales company and Universidad Mayor, a large private university in Chile. The content associates DireWolf with a malicious domain used in campaigns or social engineering, tor-browser[.]io, including subdomains such as www, sitemap, and sitemaps. High-confidence behavior and ecosystem context in the source material indicate ransomware operations in 2025 commonly relied on exfiltration plus encryption and public pressure, though only the double-extortion behavior is directly attributed to DireWolf in the provided content.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning DireWolf

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.