Threat Group Profile
payload
β Active β last 30 days
Victim claims
44
First seen
Apr 2026
Last activity
10 Jul 2026
Tracked since
Feb 2026
Group overview
Payload is a ransomware group that emerged in early 2026, using Babuk-derived source code targeting both Windows and ESXi systems with cross-platform double-extortion attacks against healthcare, energy, real estate, and agriculture sectors, claiming 12 victims across seven countries within hours of launching its leak site.
Preferred targets
Manufacturing Β· 8
Consumer Services Β· 5
Business Services Β· 4
Education Β· 4
Financial Services Β· 4
Hospitality and Tourism Β· 4
Most targeted countries
DE Β· 4
CH Β· 3
SG Β· 3
MY Β· 3
EG Β· 2
AT Β· 2
Tactics & techniques (MITRE ATT&CK)
Execution
Native API
Stealth
Obfuscated Files or Information
File Deletion
Execution Guardrails
Discovery
Process Discovery
System Information Discovery
File and Directory Discovery
Impact
Data Encrypted for Impact
Service Stop
Inhibit System Recovery
Defense Impairment
Disable or Modify Tools