Play
G104027 reportsaliases · Play
27
Reports
9
Techniques
6
Tactics
4
Countries
56%
Hunt coverage
1
Aliases
Analyst assessment — key judgments
- Signature techniques: T1589.001 (Credentials), T1557 (Adversary-in-the-Middle), T1684.001 (Impersonation).
- Primary targeting: US, SG, DE, BR.
- Resurgent after a quiet period: 2 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 4 new technique(s) in the last 30 days.
- Hunt coverage 56% of 9 observed techniques (4 gap(s)).
- Assessment confidence: medium (61).
Activity & trend
ResurgentLast 30d: 2 vs 0 prior (+100%)· first reported 2025-05-26 · last 2026-07-01
0
7d
2
30d
2
90d
27
All
0.2
Rpts/wk
Reporting timeline · 12 months
Movement — last 30 days
New techniques
T1557T1684.001T1608.006AML.T0073Dropped (90d+)
T1588.006T1657T1684AML.T0016.002Targeting gained
BROverview
Analyst triage
Intelligence summary
Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. Play actors employ a double-extortion model, encrypting systems after exfiltrating data, and are presumed by security researchers to operate as a closed group.(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)
Top co-occurring indicators
Aliases & naming
Targeting · countries
Targeting · named victims
ATT&CK technique matrix
Coverage vs hunt library:
—
Hunt-coverage gaps — prioritized
Top techniques by observation
- T1589.001 · Credentialsconf 703
- T1557 · Adversary-in-the-Middleconf 601
- T1684.001 · Impersonationconf 601
- T1608.006 · SEO Poisoningconf 601
- AML.T0073 · Impersonationconf 601
- T1588.006 · Vulnerabilitiesconf 601
- T1657 · Financial Theftconf 601
- T1684 · Social Engineeringconf 601
- AML.T0016.002 · Generative AIconf 601
Threat catalogue · engineering roadmap
Flagged detection-engineering queue
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
IOC type mix
Tooling / malware families
Relationships
Activity
30-day mention timeline
Recent reporting
| Title | Source | Severity | Collected |
|---|