THREATOPS Actor Dossier
LIVE ← Dashboard

Akira

G10246 reports
aliases · Akira · GOLD SAHARA · PUNK SPIDER · Howling Scorpius
Export dossier:
6
Reports
12
Techniques
7
Tactics
6
Countries
62%
Hunt coverage
4
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1588.006 (Vulnerabilities), T1588.007 (Artificial Intelligence), T1684 (Social Engineering).
  • Primary targeting: US, MX, IR, DE.
  • Steady activity: 2 report(s) in last 30d vs 1 prior (+100%).
  • Hunt coverage 62% of 26 observed techniques (10 gap(s)).
  • Assessment confidence: medium (60).

Activity & trend

SteadyLast 30d: 2 vs 1 prior (+100%)· first reported 2025-08-05 · last 2026-07-13
1
7d
2
30d
3
90d
6
All
0.2
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

Dropped (90d+)
T1588.007T1684T1589.001T1584.008T1053.005T1047T1213.002T1059.007T1583.008T1003.002T1543.003T1555.005
Targeting lost
ATDEIRMXUS

Vulnerabilities in this actor's reporting · 20

Overview

Analyst triage
Intelligence summary

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.(Citation: Arctic Wolf Akira 2023) Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.(Citation: Arctic Wolf Akira 2023)(Citation: Secureworks GOLD SAHARA) Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMWare ESXi hypervisors and multiple overlaps with Conti ransomware.(Citation: BushidoToken Akira 2023)(Citation: CISA Akira Ransomware APR 2024)(Citation: Cisco Akira Ransomware OCT 2024)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected