Threat Actor Profile
High
Cybercriminal
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
MITRE ATT&CK Techniques (10)
Indicators of Compromise
STIX Data
{'added_date': '2025-07-05',
'client': '2003264@sit.singaporetech.edu.sg',
'description': None,
'firstseen': '2025-03-24T00:00:00+00:00',
'group': 'sinobi',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2026-03-17T18:16:11.331000+00:00',
'locations': [{'available': True,
'fqdn': 'sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid.onion',
'slug': 'http://sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd.onion',
'slug': 'http://sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd.onion/login',
'title': 'Sinobi',
'type': 'Chat'},
{'available': True,
'fqdn': 'sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd.onion',
'slug': 'http://sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd.onion',
'slug': 'http://sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd.onion',
'slug': 'http://sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad.onion',
'slug': 'http://sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion',
'slug': 'http://sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion',
'slug': 'http://sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': True,
'fqdn': 'sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid.onion',
'slug': 'http://sinobi6ywgmmvg2gj2yygkb2hxbimaxpqkyk27wti5zjwhfcldhackid.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd.onion',
'slug': 'http://sinobi57mfegeov2naiufkidlkpze263jtbldokimfjqmk2mye6s4yqd.onion/login',
'title': 'Sinobi',
'type': 'Chat'},
{'available': True,
'fqdn': 'sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd.onion',
'slug': 'http://sinobia6mw6ht2wcdjphessyzpy7ph2y4dyqbd74bgobgju4ybytmkqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd.onion',
'slug': 'http://sinobi7sukclb3ygtorysbtrodgdbnrmgbhov45rwzipubbzhiu5jvqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd.onion',
'slug': 'http://sinobi23i75c3znmqqxxyuzqvhxnjsar7actgvc4nqeuhgcn5yvz3zqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad.onion',
'slug': 'http://sinobi7l3wet3uqn4cagjiessuomv75aw3bvgah4jpj43od7xndb7kad.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion',
'slug': 'http://sinobi6ftrg27d6g4sjdt65malds6cfptlnjyw52rskakqjda6uvb7yd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'},
{'available': True,
'fqdn': 'sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion',
'slug': 'http://sinobi6rlec6f2bgn6rd72xo7hvds4a5ajiu2if4oub2sut7fg3gomqd.onion/leaks',
'title': 'Sinobi',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'sinobi',
'tools': {},
'url': 'https://www.ransomware.live/group/sinobi',
'victims': 268,
'vulnerabilities': [{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'Oracle E-Business Suite '
'(EBS)',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-53704',
'CVSS': 9.8,
'Product': 'SonicWall SSL VPN',
'Vendor': 'SonicWall',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-40766',
'CVSS': 9.8,
'Product': 'SonicWall SonicOS',
'Vendor': 'SonicWall',
'severity': 'CRITICAL'}]},
'tiaras_source': 'ransomware.live',
'tools': {},
'ttps': [{'tactic_id': 'TA0001',
'tactic_name': 'Initial Access',
'techniques': [{'technique_details': 'Exploitation of '
'vulnerabilities in VPNs '
'(SonicWall).',
'technique_id': 'T1190',
'technique_name': 'Exploit Public-Facing '
'Application'},
{'technique_details': 'Use of valid credentials from '
'MSPs (Managed Service '
'Providers).',
'technique_id': 'T1078',
'technique_name': 'Valid Accounts'}]},
{'tactic_id': 'TA0002',
'tactic_name': 'Execution',
'techniques': [{'technique_details': 'Heavy use of PowerShell for '
'script and in-memory command '
'execution.',
'technique_id': 'T1059.001',
'technique_name': 'Command and Scripting '
'Interpreter: PowerShell'}]},
{'tactic_id': 'TA0003',
'tactic_name': 'Persistence',
'techniques': [{'technique_details': 'Creation or modification of '
'Windows services to ensure '
'malware restart.',
'technique_id': 'T1543.003',
'technique_name': 'Create or Modify System Process: '
'Windows Service'}]},
{'tactic_id': 'TA0005',
'tactic_name': 'Defense Evasion',
'techniques': [{'technique_details': 'Active disabling of EDR '
'solutions (such as VMware '
'Carbon Black).',
'technique_id': 'T1562.001',
'technique_name': 'Impair Defenses: Disable or '
'Modify Tools'},
{'technique_details': 'Removal of event logs.',
'technique_id': 'T1070',
'technique_name': 'Indicator Removal'}]},
{'tactic_id': 'TA0008',
'tactic_name': 'Lateral Movement',
'techniques': [{'technique_details': 'Use of RDP to navigate '
'between servers after '
'privilege escalation.',
'technique_id': 'T1021.001',
'technique_name': 'Remote Services: Remote Desktop '
'Protocol'}]},
{'tactic_id': 'TA0010',
'tactic_name': 'Exfiltration',
'techniques': [{'technique_details': 'Use of Rclone tool to send '
'data to public cloud '
'providers before encryption.',
'technique_id': 'T1567.002',
'technique_name': 'Exfiltration Over Web Service: '
'Exfiltration to Cloud Storage'}]},
{'tactic_id': 'TA0040',
'tactic_name': 'Impact',
'techniques': [{'technique_details': 'Data encryption via '
'AES-128-CTR and Curve-25519, '
'adding the .SINOBI extension.',
'technique_id': 'T1486',
'technique_name': 'Data Encrypted for Impact'},
{'technique_details': 'Deletion of Shadow Copies via '
'vssadmin.exe.',
'technique_id': 'T1490',
'technique_name': 'Inhibit System Recovery'}]}],
'url': 'https://www.ransomware.live/group/sinobi',
'victims': 268,
'vulnerabilities': [{'CVE': 'CVE-2025-61882',
'CVSS': 9.8,
'Product': 'Oracle E-Business Suite (EBS)',
'Vendor': 'Oracle',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-53704',
'CVSS': 9.8,
'Product': 'SonicWall SSL VPN',
'Vendor': 'SonicWall',
'severity': 'CRITICAL'},
{'CVE': 'CVE-2024-40766',
'CVSS': 9.8,
'Product': 'SonicWall SonicOS',
'Vendor': 'SonicWall',
'severity': 'CRITICAL'}]}