TLP:WHITE | THREAT ACTOR DOSSIER // APT73-BASHE | FIRST SEEN: APR 2024

APT73 / Bashe

ALSO KNOWN AS: Bashe
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Unknown (self-styled 'APT'; LockBit derivative infrastructure)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: APR 2024
TECHNICAL: 55/100
RESOURCES: 55/100
PERSISTENCE: 58/100
STEALTH: 50/100
IMPACT: 64/100

APT73, also known as Bashe, is a ransomware group that emerged in mid-April 2024, self-styling as an Advanced Persistent Threat and operating a TOR-based data leak site bearing a striking resemblance to LockBit's infrastructure. The group has surged in activity in May 2026, posting multiple high-profile victims within 48 hours including Turkey's General Directorate of Land Registry (TKGM, a government agency), Thailand's National Astronomical Research Institute (NARIT), and Mexican corn producer Minsa S.A.B. de C.V. — all claimed on May 21–22, 2026. The group previously claimed 50GB stolen from UK investment platform Hargreaves Lansdown in late April 2026.

Financial extortion via double-extortion ransomware; targets high-value organizations globally for maximum ransom leverage

Phishing for initial access, data exfiltration prior to encryption, double extortion (encryption + leak site), TOR-based data leak site, ransom deadline pressure mechanism, T1566 phishing, T1486 data encrypted for impact, T1041 exfiltration over C2 channel

FINANCIAL SERVICES
GOVERNMENT
TECHNOLOGY
AGRICULTURE
MANUFACTURING
HEALTHCARE

TOR-based dedicated leak site (.onion); LockBit-derived DLS design; direct victim negotiation via onion chat portals; claimed 78+ victims on ransomware.live as of May 2026

FILE DATE: APR 2024
AlphaNovaCapital Breach
APT73 claimed its first high-profile victim, exfiltrating and leaking sensitive documents from Hong Kong boutique investment firm AlphaNovaCapital.
FILE DATE: APR 2026
Hargreaves Lansdown Claim
APT73 posted the UK's largest investment platform, Hargreaves Lansdown, to its leak ██████████████████ stolen, including financial records and customer PII; HL denied the breach.
FILE DATE: MAY 2026
May 2026 Multi-Nation Government & Sector Blitz
APT73 listed Turkish government agency TKGM, Thailand's NARIT, Mexican food producer Minsa, and TVN Media Panama on its leak site within a 48-hour window on May 21–22, 2026, signaling an aggressive operational tempo expansion.