Mad Liberator
Mad Liberator is a ransomware and extortion threat actor that emerged in mid-2024.
Profile source: Mallory opens in a new tabMad Liberator
Family profile
Mad Liberator is a ransomware and extortion threat actor that emerged in mid-2024. The group has been associated with opportunistic intrusions that rely heavily on abuse of legitimate remote access software, particularly AnyDesk, to obtain interactive access to victim systems while blending into normal administrative activity. Reporting indicates that the actor has primarily emphasized data theft and coercive extortion, including operation of a leak site used to pressure victims by threatening publication of stolen information. Some reporting has also linked the group to encryption and double-extortion activity, although data exfiltration appears to be the most consistently observed element.
A notable Mad Liberator tradecraft pattern involves social engineering users into accepting unsolicited remote-support sessions by making the activity appear to be routine IT maintenance. In observed operations, the actor used AnyDesk features to transfer tools, disable local keyboard and mouse input, and exfiltrate files directly through built-in file transfer functionality. The group has also used a fake Windows update-themed decoy program to occupy the victim visually while theft activity proceeds in the background. Post-access activity has included collection of files from cloud-synced storage and mapped network shares, limited internal reconnaissance using common network scanning utilities, and deployment of ransom notes on accessible shared resources.
Mad Liberator has also been identified among ransomware actors observed exploiting or abusing remote monitoring and management tooling for access and control. The group’s operational style suggests preference for low-friction intrusion methods that exploit user trust, legitimate administration channels, and native or widely deployed remote-management capabilities rather than noisy malware-heavy initial access chains. Known aliases include mad_liberator and mad_liberator_ransomware_group.
Ransomware.live