Threat Actor Profile
High Cybercriminal
Description

Avaddon is ransomware that targets Windows systems and is often spread via malicious spam. The first known attack in which Avaddon was distributed was in February 2020. Avaddon encrypts files using the .avdn extension and uses a Tor payment site for the ransom payment.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Avaddon is a ransomware malware targeting Windows systems '
                'often spread via malicious spam. The first known attack where '
                'Avaddon ransomware was distributed was in February 2020. '
                'Avaddon encrypts files using the extension .avdn and uses a '
                'TOR payment site for the ransom payment.',
 'firstseen': '2021-02-01T00:00:00+00:00',
 'group': 'avaddon',
 'has_negotiations': True,
 'has_ransomnote': True,
 'lastseen': '2021-09-09T23:46:54.365433+00:00',
 'locations': [{'available': False,
                'fqdn': 'avaddongun7rngel.onion',
                'slug': 'http://avaddongun7rngel.onion',
                'title': '',
                'type': 'DLS'}],
 'negotiation_count': 7,
 'ransomnotes_count': 1,
 'tiaras_metadata': {'has_negotiations': True,
                     'has_ransomnote': True,
                     'locations': [{'available': False,
                                    'fqdn': 'avaddongun7rngel.onion',
                                    'slug': 'http://avaddongun7rngel.onion',
                                    'title': '',
                                    'type': 'DLS'}],
                     'negotiation_count': 7,
                     'ransomnotes_count': 1,
                     'ransomware_live_group': 'avaddon',
                     'tools': {'CredentialTheft': ['Mimikatz', 'SharpDump'],
                               'DefenseEvasion': ['GMER',
                                                  'PowerTool',
                                                  'TDSSKiller'],
                               'DiscoveryEnum': ['SoftPerfect NetScan'],
                               'Exfiltration': ['Anonfiles',
                                                'MEGA',
                                                'ProtonMail',
                                                'Sendspace'],
                               'LOLBAS': [],
                               'Networking': [],
                               'Offsec': ['PowerShell Empire', 'PowerSploit'],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/avaddon',
                     'victims': 146,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['Mimikatz', 'SharpDump'],
           'DefenseEvasion': ['GMER', 'PowerTool', 'TDSSKiller'],
           'DiscoveryEnum': ['SoftPerfect NetScan'],
           'Exfiltration': ['Anonfiles', 'MEGA', 'ProtonMail', 'Sendspace'],
           'LOLBAS': [],
           'Networking': [],
           'Offsec': ['PowerShell Empire', 'PowerSploit'],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/avaddon',
 'victims': 146,
 'vulnerabilities': []}