Threat Intelligence Report February 17 - February 23 2026

BravoX Ransomware

Description

BravoX is a newly emerged Ransomware-as-a-Service (RaaS) operation that first announced itself publicly on 23 January 2026 by posting a Tor-based Data Leak Site (DLS) address.

BravoX operates a double-extortion model, combining file encryption with bulk data exfiltration. Confirmed exfiltration volumes published on the DLS range fromb 460 GB to over 3.1 TB per victim, indicating systematic collection from enterprise file stores. The group threatens progressive data publication on its DLS if ransom demands are not met.

Affiliate recruitment criteria observed prior to the RAMP forum seizure specify a minimum target revenue threshold of USD 5 million and explicitly exclude Commonwealth of Independent States (CIS) countries, a restriction consistent with Russian-speaking threat actors seeking to avoid domestic law enforcement attention. The affiliate revenue split was not confirmed in open-source reporting prior to the forum seizure.

Technical Profile

As of 20 February 2026, no BravoX encryptor binary, file hash of any type, ransom note, encrypted file extension, or any other malware artefact has been recovered, submitted to any analysis platform, or published by any threat intelligence vendor or researcher. No technical analysis of the BravoX payload has been conducted or published.

Data Leak Site Infrastructure (Confirmed via Red Piranha DLS Analysis):

• Technology Stack: Vue 3.5.25 (JavaScript SPA framework), Vite build toolchain, Pinia state management, Vue Router (history mode), Axios 1.13.2 HTTP client, Tailwind CSS, Sonner notification library. Confirmed through Red Piranha source enumeration of the DLS.
   
• Site Structure: Seven routes identified: blog, individual blog posts, news, individual news articles, victim data explorer (/explorer/:id), affiliate management portal (/affiliate), and ransom negotiation contact form (/contact).
   
• Authentication: Cookie-based session authentication is enforced sitewide. Unauthenticated requests to gated content are redirected to a verification gate (/verify). Victim data is not accessible without an authenticated session.
   
• Real-Time Capability: Server-Sent Events (SSE) streaming implemented in DLS codebase, indicating live operational monitoring by BravoX operators.
   
• Affiliate Panel: Dedicated /affiliate route confirms the RaaS model is operationally implemented on the platform, not solely claimed in recruitment posts.
   
• Negotiation Channel: Ransom negotiation conducted via a dedicated /contact module embedded in the DLS. No email, TOX messenger, or other external communication channels have been observed for BravoX.
   

Detailed TTPs (Tactics, Techniques, and Procedures)

No detailed TTPs have been documented for BravoX by any threat intelligence vendor, researcher, or open-source platform as of 20 February 2026.

The only phases that can be confirmed from operational evidence are Data Collection/Exfiltration and Impact, and even these are confirmed only through the group’s own DLS publications rather than through independent incident response analysis or forensic evidence.

Confirmed Operational Activity

Data Exfiltration (Confirmed - DLS Evidence): Large-scale data exfiltration is confirmed across all seven claimed victims through proof-of-data volumes published on the DLS. Confirmed volumes per victim are: Fusion Hill (US, Marketing/Advertising) - 3.1 TB; OEC Bretagne (France, Food Processing) - 859.7 GB; Vatier & Associes (France, Legal) - 463.1 GB. The remaining four victim data volumes are not fully specified in open-source reporting. Exfiltration tooling, protocol, staging mechanism, and timeline have not been confirmed in any published source.

Ransom Extortion via DLS (Confirmed): Staged data leak publication via two active Tor .onion DLS addresses is confirmed. Victim profiles are published with data volume claims and progressive disclosure timelines. Negotiation is conducted exclusively through the DLS /contact module.

RaaS Affiliate Infrastructure (Confirmed): Affiliate management portal confirmed as an active module in the DLS platform. Affiliate recruitment occurred on the RAMP forum prior to its seizure on 28 January 2026, with confirmed criteria of USD 5 million minimum target revenue and CIS country exclusion.

Unknown Attack Chain Phases

The following attack chain phases remain entirely undocumented for BravoX: Initial Access, Execution, Persistence, Privilege Escalation, Defence Evasion, Credential Access, Discovery, Lateral Movement, and Command-and-Control (beyond the Tor-based DLS). These gaps cannot be filled through inference without introducing unverified analytical assumptions. Red Piranha will update this section as confirmed incident response data or payload analysis becomes available.

MITRE ATT&CK TTP Matrix

The table below maps only confirmed or operationally evidenced BravoX activity to the MITRE ATT&CK framework. No entries are included for phases that are unknown. This mapping will be significantly expanded upon the recovery of an encryptor sample or the publication of incident response findings.

Indicators of Compromise (IOCs)

Infrastructure / C2:

• TOR Data Leak Site (Primary, ONLINE): bravoxxtrmqeeevhl7gdh2yzvlrjxajr66d33c7ozosrccx4cz7cepad.onion
   
• TOR Data Leak Site (Secondary, ONLINE): bravoxxwcfz5qk43ychgveprpd5mw5hvxfs4a2uz2okx7mumiht4fzyd.onion
   

Note: Both .onion addresses confirmed operationally active as of 20 February 2026. No C2 IP addresses, clear-web domains, or other network-layer IOCs have been published by any source for BravoX. Any IP addresses attributed to BravoX in third-party feeds should be independently verified before actioning.

Communication Identifiers:

• RaaS Recruitment Forum: RAMP cybercriminal forum - account active September 2025 to 28 January 2026 (date of seizure). The forum is no longer operational.
   

Victim Profile Reporting Period Activity

One new victim was added to the BravoX DLS during the 14–20 February 2026 reporting period:

• OEC Bretagne (France | Food Processing / Chartered Accountants | Published approx. 16 February 2026 | 859.7 GB claimed data including client information, professional contracts, and personal data)

Mitigation Strategies

Recommended CE 5.5 Configuration Actions

• Block BravoX Infrastructure (CE SWG): Add both confirmed .onion addresses (bravoxxtrmqeeevhl7gdh2yzvlrjxajr66d33c7ozosrccx4cz7cepad.onion and bravoxxwcfz5qk43ychgveprpd5mw5hvxfs4a2uz2okx7mumiht4fzyd.onion) to the Crystal Eye Unified Secure Web Gateway (SWG) blocklists
   
• Deploy IDPS Exfiltration Detection Rules (CE IDPS / Threat Hunt Dashboard): In the absence of file-based IOCs, IDPS alerting should focus on exfiltration precursor behaviours consistent with BravoX’s confirmed operational profile: bulk data staging events, large-volume transfers to unusual external endpoints, unexpected compression utility execution (7-Zip, WinRAR, tar) in sensitive directories, and anomalous use of encrypted file transfer clients.
   
• Enforce CEASR Application Allowlisting (CEASR Endpoint): Deploy Crystal Eye Attack Surface Reduction (CEASR) application allowlisting policies aligned to ASD Essential Eight Maturity Level 3.
   
• Activate Red Piranha MDR & Incident Response (CESOC / DFIR): Enable Red Piranha Managed Detection and Response (MDR) services and CESOC 24×7 SOC escalation. Organisations in Healthcare, Legal, Professional Services, Food Processing, and Marketing in the United States, France, and Canada should

Ransomware Victims by Geography

The United States continues to dominate the ransomware landscape, accounting for 47.98% of worldwide victims. The concentration of attacks reflects its economic scale, digital infrastructure maturity, and the financial leverage threat actors can extract from impacted organisations.

A second cluster of heavily targeted countries includes Italy (4.03%), along with Canada, India, Germany, the United Kingdom, and Brazil, each recording 3.23%. Taiwan followed at 2.82%, while Japan stood at 2.42%. Spain and Thailand each contributed 2.02%, indicating consistent multinational targeting across Europe and Asia-Pacific.

Countries contributing 1.61% to 1.21% included Chile, Poland, Indonesia, Egypt, and Mexico, demonstrating ransomware’s reach across emerging and mid-sized economies.

Several countries recorded 0.81% of total activity, including Turkey, France, China, South Africa, Sweden, United Arab Emirates, Kuwait, Argentina, and Romania.

A broader long tail of countries, each represented 0.4% of global victims, including Hong Kong, Fiji, Puerto Rico, South Korea, Austria, Israel, Hungary, Belgium, Denmark, Peru, Sudan, Saudi Arabia, New Zealand, Netherlands, Morocco, Ukraine, Mauritius, Australia, Colombia, Turks and Caicos Islands, Norway, and Korea.