0APT – Scam Ransomware Group – No Evidence Victims Impacted By Threat Actors
GuidePoint Security today released new research which assesses with high confidence that the victims claimed by “0APT” are a blend of wholly fabricated generic company names and recognizable organizations that threat actors have not breached.
At a high level, the report focuses on a new “scam” ransomware group, 0APT, which emerged as a Data Leak Site in late January 2026 and quickly claimed 200+ victims within a week – but GuidePoint Research and Intelligence Team (GRIT) finds these claims are largely fabricated.
GRIT has observed no evidence that these victims were impacted by a threat actor associated with “0APT”, including through first-hand reporting.
0APT is likely operating in this deceptive manner to extort uninformed victims, re-extort historical victims from other groups, defraud potential affiliates, or garner interest in a nascent RaaS group. GRIT cannot rule out the possibility that 0APT or associated actors may conduct real attacks in the future.
After security reporting emerged highlighting the number of victim organizations and implausible or fabricated organization names, the Data Leak Site went offline on Feb 8, before returning on Feb 9, with a much narrower slate of 15+ very large multinational organizations.
Alleged victims of 0APT should consider activating internal investigative procedures, but are advised that in the absence of a ransom note, encrypted files, or any form of communication from the group, their post on 0APT is almost certainly entirely fabricated rather than representative of an undetected intrusion.
You can read the new research here: https://www.guidepointsecurity.com/blog/gritrep-0apt-and-the-victims-who-werent/
This entry was posted on February 9, 2026 at 2:39 pm and is filed under Commentary with tags GuidePoint.