Black Swarm Intelligence · TLP:CLEAR · Autonomous CTI · synthesized from live collection

The Daily Threat Briefing

As of 10:00 UTC · 1249 items / 24h · 1559 items / 7d
Lead · Critical

AiLock Ransomware Operation Claims 32 Victims

The AiLock ransomware operation, which emerged in early 2025, has posted 32 victims on its Tor-hosted data leak site.

The AiLock ransomware operation, which emerged in early 2025, is an active RaaS group marketing itself as AI-assisted ransomware using a hybrid ChaCha20/NTRUEncrypt encryption scheme and double-extortion tactics. The operation actively recruits affiliates and threatens regulatory reporting if ransoms are unpaid. As of the latest evidence, AiLock has posted 32 victims on its Tor-hosted data leak site (dhnsppqjaaa22lsqxl2tfhji4ca43743kubltnodvsft3hkvai77p6ad.onion), with the first discovered victim on 2026-03-03 and the last discovered victim on 2026-05-11. The average delay between attack and claim is 404.4 days.

Across the Pipelines

top story by collection source · 4d

What each collection stream is surfacing most strongly right now — the dark web's leak-site activity, the OSINT feed's vulnerability and reporting signal, and social chatter.

Dark Web Critical

Money Message Ransomware Group Targets 27 Organizations

Threat-cluster summary for moneymessage — derived from 100 correlated evidence items. Named victims include First Baptist Medical Center, Pharmerica.com & BrightSpring Health Services, Tri-Way Manufacturing Technologies, Maxco Supply, Goldenbear.com & mjhallandcompany.com, Guess who!

moneymessage · 422 dark web signals
OSINT Feed Critical

Open WebUI Discloses 23 Vulnerabilities, Including Critical Auth Bypass

Open WebUI, a self-hosted artificial intelligence platform, has disclosed a batch of 23 vulnerabilities affecting versions prior to 0.9.0. The vulnerabilities span authentication bypass, authorization failures, privilege escalation, information disclosure, and server-side request forgery (SSRF).

open_webui · 189 osint feed signals
Social Critical

The Gentlemen Ransomware Group Claims Multiple New Victims

The Gentlemen ransomware group has been observed posting multiple new victim entries on the Ransomlook platform, including Dodson & Horrell, Shajarpak Securities, Oriental Diamond, Amstel Securities, Setcar, Focus Design Partners, Value Exchange International, Getece, Electroban Sae, and Qatar National Broadband. These postings were disseminated via the @Ransomlook Mastodon account, which aggregates ransomware leak-site data, and are linked to the Ransomlook.io group page for The Gentlemen.

the_gentlemen · 130 social signals
11 critical clusters · 24h (highest-tier clusters)
355 high-severity items · 24h · ▲ 44.4× vs 14d median
1249 items · 24h · 1559 over 7 days
5,121 evidence items · 24h · dark / osint / social
553 active actors · last 72 hours
Top target: United States · 26,227 mentions / 7d
01

The Day in Context

14-day correlated-item volume

Each bar is a day of correlated threat items by severity — today against the recent past, so a spike or a lull is visible at a glance.

02

Top Stories

ranked · last 48h
Critical · moneymessage · 425 ev

Money Message Ransomware Group Targets 27 Organizations

Critical · abyss · 376 ev

Abyss Locker Ransomware Operation Lists 87 Victims

The Abyss Locker ransomware operation, first identified in March 2023 and derived from the Babuk source code, has been inactive for 76 days as of the latest observed data-leak site check on 2026-05-13. The operation's Tor-hosted data-leak site at 3ev4metjirohtdpshsqlkrqcmxq6zu3d7obrdhglpy5jpbr7whmlfgqd.onion remains accessible and lists 87 victims, with the last discovered victim dated 2026-02-26.

Critical · anubis · 369 ev

Anubis Ransomware Group Targets Organizations Across 14 Sectors

The Anubis ransomware group, operating as a Ransomware-as-a-Service (RaaS) model, is actively posting victims on its Tor-hosted data leak site (om6q4a6cyipxvt7ioudxt24cw4oqu4yodmqzl25mqd2hgllymrgu4aqd.onion) and has been observed targeting organizations across at least 14 sectors including Manufacturing, Financial Services, Healthcare, Energy, Technology, Public Sector, Education, and others. The group's leak site lists numerous named victims such as Micaforce Technology, Ladue Family Dental, Publishers Clearing House, AkzoNobel, Marnell Financial Services, IFL Group, Copec S.A., ViaQuest, Tesla Systems, and many others spanning geographies including the United States, Canada, France, the United Kingdom, and Australia.

Critical · the_gentlemen · 314 ev

The Gentlemen Ransomware Group Claims Multiple New Victims

Critical · open_webui · 223 ev

Open WebUI Discloses 23 Vulnerabilities, Including Critical Auth Bypass

Critical · model_context · 32 ev

Critical Vulnerabilities Found in Model Context Protocol Server Implementations

This correlated threat activity (unattributed) indicates exploitation of vulnerabilities in Model Context Protocol (MCP) servers, including path-traversal and remote-code-execution weaknesses. The vulnerabilities have been publicly disclosed and are being actively exploited.

Critical · apache_openmeetings · 22 ev

Apache OpenMeetings Discloses 16 Vulnerabilities, Including Critical RCE

Analysis of NVD and tier4_replay sources reveals a significant body of disclosed vulnerabilities affecting Apache OpenMeetings across versions from 1.0.0 to 3.2.1. A total of 16 distinct CVEs were identified, spanning severity levels from medium to critical.

Critical · nvidia_triton · 20 ev

NVIDIA Triton Inference Server Discloses Critical Authentication Bypass Vulnerability

NVIDIA published advisories addressing a batch of vulnerabilities in the Triton Inference Server, disclosed via NVD entries and echoed by the EUVD Mastodon bot and internal replay sources. The most severe is CVE-2026-24207, a critical authentication bypass (CVSS 9.8) that could enable code execution, privilege escalation, data tampering, denial of service, or information disclosure.

03

Threat Posture

today · last 7 days
Severity Mix · last 24h
Most Active Actors · evidence volume, 7d
04

Global Targeting

victim & mention geography · 7d
Top Targeted Countries
05

Sector Watch

evidence mentions · 7d
07

Exploitation Watch

CVEs referenced · 7d

The most-referenced CVEs across this week's evidence. Persistent high counts on older CVEs usually mean they still work against unpatched perimeters.

06

Geopolitical Desk

conflict-adjacent signal · 5d

Drone Attack and related conflict signal

A series of drone attacks have been reported in Ukraine, with multiple incidents occurring in the eastern part of the country. The attacks have been linked to a group known as "drone_attack". The group has been active in the region for several months, with previous attacks targeting military and civilian infrastructure.

The pipeline is surfacing additional conflict-adjacent clusters in social and OSINT collection. Treat these as situational-awareness signal rather than fully attributed campaigns.

drone_attack · agrius · malekteam · freecivilian · drone_strike · semantic_ffadb67e
08

On the Move

surfaced in the last 72h

Clusters posting fresh, high-volume activity in the last three days — the names to watch next.

Analyst's Note · What to Watch

A recurring pattern this cycle is extortion without encryption — multiple groups stealing and listing data rather than encrypting it. That shifts the detection window earlier, to exfiltration rather than file activity: watch egress, not just files.

High-severity output stands at 355 in the last 24 hours with 11 critical clusters; Business Services leads sector exposure this week. The fastest-moving risk remains data-extortion ransomware paired with a quick vulnerability-exploitation cycle.

Baseline for tomorrow: a drop back toward the 14-day median would signal today was an event, not a trend; sustained elevation suggests an active surge worth standing up watch for.

— Synthesized by Black Swarm · autonomous correlation across dark web, OSINT and social
Black Swarm Daily Threat Briefing · generated 2026-06-01 10:00 UTC · TLP:CLEAR
Synthesized from 1559 correlated threat items (7d) across dark-web, OSINT-feed and social collection. Headlines editorialized by Lorin (self-hosted); severity is evidence-derived; victim and CVE names are as-reported by tracked leak sites and advisories and may contain attribution noise.