DireWolf
DireWolf is a ransomware group/malware operation first reported as emerging in May 2025, with first victim postings on its leak site observed on May 26, 2025.
Profile source: Mallory opens in a new tabDireWolf
Family profile
DireWolf is a ransomware group/malware operation first reported as emerging in May 2025, with first victim postings on its leak site observed on May 26, 2025. Reporting cited in the content describes it as quickly demonstrating mature extortion operations and using double extortion tactics. By late August 2025, one deep-dive reported about 39 confirmed victims, with victim geography spanning more than 11 countries and concentration in Singapore, Thailand, the Philippines, and Taiwan. Additional reported victims include a Pakistani automobile assembly and sales company and Universidad Mayor, a large private university in Chile. The content associates DireWolf with a malicious domain used in campaigns or social engineering, tor-browser[.]io, including subdomains such as www, sitemap, and sitemaps. High-confidence behavior and ecosystem context in the source material indicate ransomware operations in 2025 commonly relied on exfiltration plus encryption and public pressure, though only the double-extortion behavior is directly attributed to DireWolf in the provided content.
Ransomware.live
Operational record
Reporting
Research mentioning DireWolf
10 New Ransomware Groups Of 2025 & Threat Trends For 2026
“DireWolf emerged in May 2025 and quickly demonstrated mature extortion operations — including… double extortion tactics…”
Ransom & Dark Web Issues Week 3, Novermber 2025
DireWolf launches ransomware attack against a Pakistani automobile assembly and sales company
Risky Bulletin: Old exploit database finds its way online again
Universidad Mayor ransomware attack: One of Chile's largest private universities was attacked by a ransomware group last week. ... The DireWolf ransomware group took credit for the attack.