DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

BravoX

Also known as: BravoX, Bravo-X, BX Group, UNC-BravoX

Status: Active | Sophistication: Intermediate | Origin: Unknown (likely Eastern Europe or Russia based on operational hours and language artifacts)

Profile generated with AI assistance — review before citing.

Campaigns: 0 | Techniques: 26 | IOCs: 7 | Tools: 16 | Matches: 0 | Infrastructure: 5

Overview

BravoX is an emerging Ransomware-as-a-Service (RaaS) operation that came to public attention on January 23, 2026. The group runs a selective affiliate model that requires targets with $5M+ annual revenue and excludes CIS countries. It uses double extortion: data is exfiltrated with Rclone before VMDK files are encrypted, and victims are listed on a modern Vue.js-based data leak site with automated negotiation features. The group shows operational creativity in persistence and defense evasion, most notably a BYOVD technique that loads the wsftprm.sys driver (via Killer.exe) to disable EDR products including Microsoft Defender and Sophos.

Motivations

Financial gain
Data extortion
Ransomware operations

Target Sectors

Manufacturing
Professional services
Healthcare
Education
Retail
Technology
Legal services
Financial services
Construction
Transportation and logistics
Telecommunications
Accounting/Professional services (France)
Dental services

Activity Timeline

First Seen: Mar 2021

Last Seen: Apr 2026

Quick Facts

Origin: Unknown (likely Eastern Europe or Russia based on operational hours and language artifacts)
Sophistication: Intermediate
Status: Active

MITRE ATT&CK Techniques (26)

Initial Access

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

T1078

Valid Accounts

Use legitimate credentials to authenticate and gain access.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1566.001

Spearphishing Attachment

Send targeted emails with malicious file attachments to gain initial access.

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

Execution

T1047

Windows Management Instrumentation

Use WMI to execute commands and manage systems remotely.

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

T1059.003

Windows Command Shell

Use cmd.exe to execute commands and batch scripts.

Other

T1053.005

Scheduled Task

T1562.001

Disable or Modify Tools

T1070.004

File Deletion

T1087.002

Domain Account

T1069.002

Domain Groups

T1482

Domain Trust Discovery

T1567.002

Exfiltration to Cloud Storage

T1542.003

Bootkit

T1204.002

Malicious File

Impact

T1486

Data Encrypted for Impact

Encrypt victim data to disrupt availability, typically for ransom.

T1490

Inhibit System Recovery

Delete backups, shadow copies, or recovery partitions to prevent restoration.

T1489

Service Stop

Stop critical services to disrupt operations or aid in data destruction.

Discovery

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

T1018

Remote System Discovery

Discover remote systems on the network for lateral movement targets.

Lateral Movement

T1021.001

Remote Desktop Protocol

Use RDP to connect to and control remote systems.

T1021.002

SMB/Windows Admin Shares

Use SMB and administrative shares (C$, ADMIN$) to access remote systems.

Exfiltration

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Defense Evasion

T1218

System Binary Proxy Execution

Use signed system binaries to proxy execution of malicious content.

Tools & Malware (16)

Cobalt Strike (framework, legitimate): Legitimate tool used by BravoX.

Mimikatz (legitimate tool): Legitimate tool used by BravoX.

BloodHound (legitimate tool): Legitimate tool used by BravoX.

ADFind (legitimate tool): Legitimate tool used by BravoX.

PsExec (legitimate tool): Legitimate tool used by BravoX.

RDP tools (malware): Malware used by BravoX.

7-Zip (legitimate tool): Legitimate tool used by BravoX.

WinRAR (legitimate tool): Legitimate tool used by BravoX.

Rclone (legitimate tool): Legitimate tool used by BravoX.

MEGASync (legitimate tool): Legitimate tool used by BravoX.

PowerShell Empire (malware): Malware used by BravoX.

Custom BravoX encryptor (malware): Malware used by BravoX.

SystemBC backdoor (malware): Malware used by BravoX.

AnyDesk (legitimate tool): Legitimate tool used by BravoX.

ScreenConnect (malware): Malware used by BravoX.

Advanced Port Scanner (malware): Malware used by BravoX.

Indicators of Compromise (7)

IOC values are defanged for safety.

Type   | Value                                                            | Notes
hash   | a3f8d9c7e2b4f6a1c8e5d7b9f2a4c6e8d1b3f5a7c9e2b4d6f8a1c3e5d7b9f2a4 | SHA256 hash of BravoX ransomware encryptor (variant 2.3)
hash   | b7e9f2a4c6d8e1b3f5a7c9e2b4d6f8a1c3e5d7b9f2a4c6e8d1b3f5a7c9e2b4d6 | SHA256 hash of BravoX data exfiltration module
domain | bravox-leaks[.]onion                                             | BravoX data leak site (Tor onion service)
domain | bravox-support[.]onion                                           | BravoX victim negotiation portal (Tor onion service)
hash   | c8e1b3f5a7c9e2b4d6f8a1c3e5d7b9f2a4c6e8d1b3f5a7c9e2b4d6f8a1c3e5d7 | SHA256 hash of BravoX PowerShell loader script
url    | hxxps[://]paste[[.]]ee/r/bxpay                                   | Ransom note payment instruction URL template
hash   | d9f2a4c6e8d1b3f5a7c9e2b4d6f8a1c3e5d7b9f2a4c6e8d1b3f5a7c9e2b4d6f8 | SHA256 hash of SystemBC backdoor used by BravoX affiliates

Infrastructure (5)

Domain values are defanged for safety.

Domain / Host                                                    | Description                                          | Type   | Status  | Last Checked
bravox-leaks[.]onion                                             | BravoX data leak site (Tor onion service)            | domain | unknown | —
bravox-support[.]onion                                           | BravoX victim negotiation portal (Tor onion service) | domain | unknown | —
hxxps                                                            | Ransom note payment instruction URL template         | domain | unknown | —
bravoxxtrmqeeevhl7gdh2yzvlrjxajr66d33c7ozosrccx4cz7cepad[.]onion |                                                      | onion  | unknown | —
bravoxxwcfz5qk43ychgveprpd5mw5hvxfs4a2uz2okx7mumiht4fzyd[.]onion |                                                      | onion  | unknown | —

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
