ShellCodeX
Tools • Events • News • Insights
Threat Group Profile

safepay

● Active — last 30 days
Victim claims 65
First seen Mar 2026
Last activity 06 Jul 2026
Tracked since

Group overview

SafePay emerged in September 2024 as a rapidly growing ransomware operation that explicitly disavows the RaaS model and manages all operations internally, claiming over 300 victims worldwide by mid-2025 with a high-profile early attack against UK telematics firm Microlise stealing 1.2 TB of data.

Preferred targets

Consumer Services · 10 Business Services · 8 Manufacturing · 6 Technology · 5 Construction · 4 Transportation/Logistics · 4

Most targeted countries

DE · 25 US · 9 IT · 8 GB · 5 JP · 5 ES · 4

Tactics & techniques (MITRE ATT&CK)

Initial Access

Valid Accounts Replication Through Removable Media Drive-by Compromise Exploit Public-Facing Application Phishing: Spearphishing Attachment Phishing: Spearphishing Link Phishing: Spearphishing Voice

Execution

Windows Management Instrumentation Scheduled Task/Job: Scheduled Task Command and Scripting Interpreter Command and Scripting Interpreter: PowerShell Command and Scripting Interpreter: Windows Command Shell Command and Scripting Interpreter: Visual Basic Native API Shared Modules

Persistence

Valid Accounts Account Manipulation Server Software Component: IIS Components Pre-OS Boot: Bootkit Create or Modify System Process: Windows Service Boot or Logon Autostart Execution Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder Boot or Logon Autostart Execution: Shortcut Modification

Privilege Escalation

Valid Accounts Access Token Manipulation: Create Process with Token Access Token Manipulation: Parent PID Spoofing

Defense Evasion

Rootkit Obfuscated Files or Information Obfuscated Files or Information: Software Packing Obfuscated Files or Information: Indicator Removal from Tools Obfuscated Files or Information: Dynamic API Resolution Obfuscated Files or Information: Embedded Payloads Obfuscated Files or Information: Encrypted/Encoded File Obfuscated Files or Information: Junk Code Insertion

Credential Access

OS Credential Dumping OS Credential Dumping: NTDS Input Capture Input Capture: Keylogging Brute Force: Password Spraying Credentials from Password Stores Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning

Discovery

Application Window Discovery Query Registry System Network Configuration Discovery System Owner/User Discovery Network Service Discovery System Network Connections Discovery Process Discovery System Information Discovery

Lateral Movement

Remote Services Remote Services: Remote Desktop Protocol Remote Services: SMB/Windows Admin Shares Remote Services: SSH Replication Through Removable Media Internal Spearphishing

Victim Claims Timeline

Back to radar
bbalawgroup.com
🇺🇸 US Business Services bbalawgroup.com
genealogysa.org.au
🇦🇺 AU Consumer Services genealogysa.org.au
lynxprecast.co.uk
🇬🇧 GB Business Services lynxprecast.co.uk
thruwayplumbingservice.com
🇺🇸 US Consumer Services thruwayplumbingservice.com
st-bernards.bham.sch.uk
🇬🇧 GB Education st-bernards.bham.sch.uk