Threat Actor Profile
Low
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (33)
Indicators of Compromise
IOC KQL for Sentinel
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2024-02-22T00:00:00+00:00',
'group': 'donex',
'has_negotiations': False,
'has_ransomnote': False,
'lastseen': '2024-02-27T00:00:00+00:00',
'locations': [{'available': False,
'fqdn': 'g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion',
'slug': 'http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion',
'title': 'Donex ransomeware leakage - ',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion',
'slug': 'http://g3h3klsev3eiofxhykmtenmdpi67wzmaixredk5pjuttbx7okcfkftqd.onion',
'title': 'Donex ransomeware leakage - ',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 0,
'ransomware_live_group': 'donex',
'tools': {},
'url': 'https://www.ransomware.live/group/donex',
'victims': 5,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'The ransomware uses wmic.exe '
'to query the OS.',
'technique_id': 'T1047',
'technique_name': 'Windows Management '
'Instrumentation'},
{'technique_details': 'Apparent internal use of '
'CMD.exe.',
'technique_id': 'T1059',
'technique_name': 'Command and Scripting '
'Interpreter'},
{'technique_details': 'Performs batch file '
'execution.',
'technique_id': 'T1064',
'technique_name': 'Scripting'},
{'technique_details': 'The process attempted to '
'delete shadow volume copies '
'(VSS).',
'technique_id': 'T1106',
'technique_name': 'Native API'},
{'technique_details': 'The ransomware tries to carry '
'out process loader, malicious '
'functions.',
'technique_id': 'T1129',
'technique_name': 'Shared Modules'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Paralyzes some types of '
'services.',
'technique_id': 'T1543.003',
'technique_name': 'Windows Services'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Uses payload data encoding.',
'technique_id': 'T1027',
'technique_name': 'Obfuscated Files or Information'},
{'technique_details': 'Contains obfuscated '
'stackstrings.',
'technique_id': 'T1027.005',
'technique_name': 'Indicator Removal from Tools'},
{'technique_details': 'Discards interesting files '
'and uses them in its '
'execution.',
'technique_id': 'T1027.009',
'technique_name': 'Embedded Payloads'},
{'technique_details': 'Creates files within the user '
'directory. Adversaries use it '
'for purposes of manipulating '
'characteristics of their '
'artifacts to make them appear '
'legitimate.',
'technique_id': 'T1036',
'technique_name': 'Masquerading'},
{'technique_details': 'Execute files in bat.',
'technique_id': 'T1064',
'technique_name': 'Scripting'},
{'technique_details': 'Clears the Windows Operating '
'System event logs.',
'technique_id': 'T1070.001',
'technique_name': 'Clear Windows Event Logs'},
{'technique_details': 'Performs the deletion of '
'shadow file data and also '
'self-exclusion.',
'technique_id': 'T1070.004',
'technique_name': 'File Deletion'},
{'technique_details': 'The adversary abuses '
'utilities that allow the '
'execution of commands to '
'bypass security controls.',
'technique_id': 'T1202',
'technique_name': 'Indirect Command Execution'},
{'technique_details': 'Retrieves and sets file '
'attributes.',
'technique_id': 'T1222',
'technique_name': 'File and Directory Permissions '
'Modification'},
'technique_details': 'The threat actor abuses '
'elevation control mechanisms '
'to bypass privilege controls '
'and obtain higher '
'permissions.',
'technique_id': 'T1548',
'technique_name': 'Abuse Elevation Control '
'Mechanism'},
{'technique_details': 'Uses taskkill to terminate '
'processes.',
'technique_id': 'T1562.001',
'technique_name': 'Disable or Modify Tools'},
{'technique_details': 'Graphical window operation.',
'technique_id': 'T1564.003',
'technique_name': 'Hidden Window'}]},
{'tactic_id': 'TA0006',
'tactic_name': 'Credential Access',
'techniques': [{'technique_details': 'Creates an object generally '
'used for keystroke capture '
'purposes.',
'technique_id': 'T1056',
'technique_name': 'Input Capture'}]},
{'tactic_id': 'TA0007',
'tactic_name': 'Discovery',
'techniques': [{'technique_details': 'List some services and check '
'their status.',
'technique_id': 'T1007',
'technique_name': 'System Service Discovery'},
{'technique_details': 'The threat actor attempts to '
'obtain a list of open '
'applications and processes.',
'technique_id': 'T1010',
'technique_name': 'Application Window Discovery'},
{'technique_details': 'Uses ping.exe to check the '
'status of network devices.',
'technique_id': 'T1016',
'technique_name': 'System Network Configuration '
'Discovery'},
{'technique_details': 'Uses ping.exe to check the '
'status of network devices.',
'technique_id': 'T1018',
'technique_name': 'Remote System Discovery'},
{'technique_details': 'Malware attempts to obtain '
'information about the '
'processes running on a '
'system.',
'technique_id': 'T1057',
'technique_name': 'Process Discovery'},
{'technique_details': 'Searches and collects '
'information related to the '
'Operating System.',
'technique_id': 'T1082',
'technique_name': 'System Information Discovery'},
{'technique_details': 'Reads the files, gets the '
'size and enumerates according '
'to Windows.',
'technique_id': 'T1083',
'technique_name': 'File and Directory Discovery'},
{'technique_details': "Enumerates the victim's "
'network shares.',
'technique_id': 'T1135',
'technique_name': 'Network Share Discovery'},
{'technique_details': 'Attempts to detect the '
'virtual machine to make '
'analysis more difficult.',
'technique_id': 'T1518.001',
'technique_name': 'Security Software Discovery'}]},
{'tactic_id': 'TA0009',
'tactic_name': 'Collection',
'techniques': [{'technique_details': 'The actor uses data storage '
'in a central location before '
'performing exfiltration.',
'technique_id': 'T1074',
'technique_name': 'Data Staged'},
{'technique_details': 'The process attempted to '
'detect the presence of '
'forensic and debug utilities.',
'technique_id': 'T1119',
'technique_name': 'Automated Collection'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'The ransomware renames files '
'according to their variant '
'and writes a file for ransom '
'note purposes.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Paralyzes some types of '
'services.',
'technique_id': 'T1489',
'technique_name': 'Service Stop'},
{'technique_details': 'The cmd.exe process invoked '
'by the malware performs the '
'deletion of Windows volume '
'shadow copies.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'},
{'technique_details': 'The ransomware deletes '
'various types of user files.',
'technique_id': 'T1485',
'technique_name': 'Data Destruction'}]}],
'url': 'https://www.ransomware.live/group/donex',
'victims': 5,
'vulnerabilities': []}