DMZ//THREAT INTEL
TLP:WHITE | THREAT ACTOR DOSSIER // GUNRA-RAAS | FIRST SEEN: APR 2025

GUNRA

ALSO KNOWN AS: None confirmed
FROM: DMZ INTELLIGENCE DESK
ORIGIN: Unknown (initially South Korea-focused; global expansion)
ATTRIBUTION: ORGANIZED CRIME
STATUS: ACTIVE
FIRST OBSERVED: APR 2025
TECHNICAL: 57/100
RESOURCES: 57/100
PERSISTENCE: 60/100
STEALTH: 52/100
IMPACT: 66/100

Gunra first emerged in April 2025 targeting South Korean organizations using a Conti-based locker, then evolved into a full RaaS operation by pivoting to a custom-built encryptor. Confirmed at 32 victims as of March 2026 following a late-2025 lull, with activity surging again after new affiliate recruitment. The group is notable for imposing no restrictions on target industries — including hospitals and critical infrastructure — and operating almost exclusively in darkweb forums including RAMP, Rehub, Tierone, and Darkforums.

Financial extortion via RaaS; no target industry restrictions including hospitals and critical infrastructure

Custom-built encryptor (replaced Conti-based locker), dark web affiliate recruitment and penetration tester hiring, indirect/decentralized victim claiming, low public profile, dark web forum operations (RAMP/Rehub/Tierone/Darkforums), flexible geographic restrictions based on affiliate home country

MANUFACTURING
HEALTHCARE
CRITICAL INFRASTRUCTURE
TECHNOLOGY
GOVERNMENT

Dark web forum presence on RAMP, Rehub, Tierone, Darkforums; RaaS affiliate panel with built-in lock tool, file management, and negotiation handlers; core developers directly participate in ransom negotiations

FILE DATE: APR 2025
South Korea Initial Operations
Targeted five South Korean organizations using a Conti-based locker before pivoting to a custom encryptor and global RaaS expansion.
FILE DATE: MAR 2026
RaaS Expansion — 32 Confirmed Global Victims
After a late-2025 lull, Gunra's RaaS transition drove renewed affiliate activity surging ███████████████ 32 confirmed organizations globally with no sector restrictions.