Threat Group Profile
sinobi
Dormant / historical
Victim claims
6
First seen
May 2026
Last activity
05 May 2026
Tracked since
Jul 2025
Group overview
Sinobi is a private vetted-affiliate RaaS group that emerged in mid-2025, believed to be a rebrand of the Lynx/INC ransomware lineage, claiming 176 victims by end of 2025 through double-extortion attacks primarily against mid-market US organizations via compromised SonicWall VPN credentials.
Preferred targets
Technology ยท 2
Healthcare ยท 1
Business Services ยท 1
Construction ยท 1
Most targeted countries
US ยท 3
IN ยท 1
Tactics & techniques (MITRE ATT&CK)
Initial Access
Valid Accounts
Exploit Public-Facing Application
Phishing
Execution
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: Windows Command Shell
Native API
Exploitation for Client Execution
System Services: Service Execution
Persistence
Create or Modify System Process: Windows Service
Privilege Escalation
Exploitation for Privilege Escalation
Defense Evasion
Obfuscated Files or Information
Indicator Removal
Indicator Removal: File Deletion
Impair Defenses: Disable or Modify Tools
Discovery
Network Service Discovery
File and Directory Discovery
Account Discovery: Domain Account
Lateral Movement
Remote Services: Remote Desktop Protocol
Exfiltration
Exfiltration Over Web Service: Exfiltration to Cloud Storage