A new ransomware-as-a-service (RaaS) outfit calling itself 0APT has quickly drawn attention for all the wrong reasons, after loudly claiming to have compromised around 200 victims while failing to provide any verifiable proof of compromise.
Emerging on or around January 28, 2026, the group launched a dark web data leak site (DLS) and rapidly populated it with alleged victims, an unusually aggressive move that immediately raised red flags among researchers.
Despite the professional appearance of its infrastructure, 0APT’s activities increasingly resemble a bluff designed to gain notoriety and lure affiliates, rather than a mature ransomware operation.
On its Tor-based data leak site, 0APT lists nearly 200 supposed victim organizations and presents a victim-detail page for each entry, complete with a left-hand leak notice and a right-hand file tree that appears to host large data archives over 4 GB in size.
None of these files can be reliably downloaded: researchers observed that downloads routinely stall or auto-stop after a few minutes, making it practically impossible to obtain any of the claimed “leaked” data.
Instead of real exfiltrated files, the group’s backend appears to stream meaningless or incomplete data, a tactic that simulates huge leak sizes while never delivering usable content.
This behavior, combined with the absence of even a single screenshot of compromised databases or internal documents on the panel, sharply contrasts with established ransomware gangs that typically publish proof-of-compromise samples to maintain credibility.
Several security teams that investigated companies named on 0APT’s list reported no evidence of intrusion, further undermining the group’s claims.
0APT Ransomware Group
Technically, 0APT has invested effort into building a convincing façade. The group uses a vanity .onion address for its DLS, mimicking the branding and operational style of more established ransomware syndicates.
The site is fronted by NGINX and structured like a typical double-extortion portal, with a branded logo, victim pages, and calls to “JOIN RAAS” to attract affiliates.

Behind the leak site, the operators expose multiple hidden service endpoints such as “COCHAT” for victim or partner contact and “JOCHAT” for RaaS recruitment chat, along with a dedicated RaaS dashboard branded “RaaSDash.”
The panel allows registered affiliates to generate a limited number of Windows and Linux builds, manage negotiations, view payment status, and interact with “Admin Support,” copying the workflow of more mature RaaS programs.
However, several features such as a “SUBMIT DETAILS” section and extra verification checkpoints have appeared and disappeared across panel revisions, suggesting that the backend is still experimental and possibly assembled from off‑the‑shelf web widget packages rather than custom-developed infrastructure.

Test builds generated from the panel produce Windows executables of roughly 5–6 MB and smaller ELF binaries for Linux, which use AES‑256 to encrypt files and append the “.0apt” extension, dropping a README note with a five-part victim ID ending in “0APT-KEY.”
Configuration files such as “allpath.txt” and “config2.txt” allow selective targeting and tuning of encryption behavior, including file size limits, extension filters, and resource usage controls, indicating at least a moderately featured locker design.
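The artifacts described above (the ".0apt" extension on encrypted files, a README note carrying a victim ID that ends in "0APT-KEY", and the "allpath.txt"/"config2.txt" configuration files) are the kind of on-disk indicators a responder would sweep a host for when an organization appears on the leak site. The following Python triage helper is an added example, not code from the article or from any vendor; the directory layout it scans is constructed inline, and the hyphen-separated shape of the victim ID is an assumption, since the article only states that the ID has five parts and ends in "0APT-KEY".

```python
"""Sweep a directory tree for the on-disk artifacts attributed to 0APT test builds."""
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get the ".0apt" extension,
# the dropped README note carries a victim ID ending in "0APT-KEY", and the
# builds ship configuration files named "allpath.txt" and "config2.txt".
ENCRYPTED_EXT = ".0apt"
NOTE_NAME_PREFIX = "readme"
CONFIG_NAMES = {"allpath.txt", "config2.txt"}

# Assumption: the five ID parts are hyphen-separated. The article only says the
# ID has five parts and ends in "0APT-KEY", so this pattern is deliberately loose.
VICTIM_ID_RE = re.compile(r"\b[\w-]*0APT-KEY\b")


def extract_victim_ids(text):
    """Return the distinct victim-ID tokens found in a ransom note's text."""
    return sorted(set(VICTIM_ID_RE.findall(text)))


def hunt(root):
    """Walk `root` and collect encrypted files, ransom notes, IDs and config files."""
    root = Path(root)
    findings = {"encrypted_files": [], "ransom_notes": [],
                "victim_ids": [], "config_files": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        if name.endswith(ENCRYPTED_EXT):
            findings["encrypted_files"].append(rel)
        elif name in CONFIG_NAMES:
            findings["config_files"].append(rel)
        elif name.startswith(NOTE_NAME_PREFIX):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable note: skip rather than abort the sweep
            ids = extract_victim_ids(text)
            if ids:
                findings["ransom_notes"].append(rel)
                findings["victim_ids"].extend(ids)
    for key in findings:
        findings[key] = sorted(set(findings[key]))
    # Both the renamed files and a matching note are needed before calling it a hit;
    # a stray config file alone could be a coincidence.
    findings["suspected_0apt"] = bool(findings["encrypted_files"] and findings["ransom_notes"])
    return findings


def build_sample_tree(base):
    """Constructed sample: a small tree mimicking a post-encryption layout (not real data)."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "budget.xlsx.0apt").write_bytes(os.urandom(64))
    (base / "docs" / "notes.txt").write_text("ordinary file, untouched\n")
    (base / "README.txt").write_text(
        "Your files are encrypted.\nID: AB12-CD34-EF56-0APT-KEY\n")
    (base / "config2.txt").write_text("max_size=...\n")  # placeholder contents
    return base


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Pointing `hunt()` at a suspect share or user profile gives a quick, evidence-based answer to the question the article raises: whether a listed organization actually has encrypted files and a matching note on disk, or only a name on a leak site.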
Static analysis of early samples shows a broad set of cryptographic and encoding primitives (an RC4-like PRGA, Salsa20/ChaCha, Speck, multiple SHA families, Base64, and XOR), raising the possibility that parts of the codebase or encryption routines were lifted from existing open-source or AI-generated proof‑of‑concept templates rather than written from scratch.
The presence of the lightweight Speck cipher, previously highlighted in AI-generated ransomware such as PromptLock, has fueled speculation that 0APT’s authors may have leaned on generative AI tools or code-generation frameworks during build creation.
Even so, detections remain relatively low, with only a small subset of antivirus engines flagging the earliest Windows and Linux samples at the time of analysis, underscoring the need for layered behavioral defenses.
Dubious credibility and risks to defenders
Several factors make 0APT’s campaign highly suspicious: an implausibly high victim count in a very short period, no verifiable leak data, auto-failing downloads, and a complete lack of credible proof-of-compromise on the public-facing panel.

Researchers have suggested that the operation may be attempting to deceive both sides of the ecosystem: pressuring organizations into paying for non‑existent breaches while simultaneously enticing would‑be affiliates to “buy into” a RaaS attack platform that has not proven itself in real‑world attacks.
For defenders, the key takeaway is to treat 0APT claims with caution while still validating them against internal telemetry, logs, and incident response procedures.
If an organization finds its name on the 0APT leak site, current evidence suggests it is more likely facing a reputational bluff than a confirmed compromise, but security teams should still perform due diligence to rule out unrelated intrusions and use available indicators and sample hashes to tune detections against any evolving 0APT tooling.