A new actor calling itself 0APT is causing a stir after launching a dark web leak site and listing a large number of major companies, some genuine and some fabricated, which has triggered real incident responses at organisations named on the site. However, a preliminary investigation by S-RM has found no evidence to substantiate the group's claims, nor any indication that data has been compromised. We therefore recommend that companies listed on the group's site treat the listing with caution and take steps to verify any claim the group makes before initiating a large-scale technical response. S-RM's Cyber Threat Intelligence team responded to several requests to investigate the new threat actor group known as 0APT; here we share the key outcomes of those investigations.
Companies or comics?
S-RM has confirmed that the threat actor has posted fictitious companies on its site. The actor appears to have tested or seeded the site with fake entities, which were likely generated by an LLM. For example, on 1 February 2026, 0APT posted a generic entity called Metropolis City Municipal. A cursory investigation found no such organisation; the name appears to be a reference to Metropolis, the fictional city of the DC Comics Universe. 0APT has since removed this 'company' from its leak site.
In recent days the threat actor has also named real companies on its leak site, triggering responses at several major organisations. The names and profiles of these companies are immediately suspicious: they span major manufacturers, production facilities, hospitals and healthcare providers, ports and logistics, mining and extractives, and aeronautics and aviation. Even at the height of the most impactful malicious campaigns in cyber history, such as NotPetya and WannaCry, it has been rare for a single threat actor to compromise such a wide array of high-profile companies in such a short space of time. S-RM's incident response team has been engaged in response to 0APT's claims and has yet to identify a single listed company with any evidence of compromise.
What data is 0APT posting?
As of 5 February, the threat actor has yet to leak any data proven to have been taken from the stated victims. For each entity the actor posts a link to a 'filetree', but rather than the plain-text listing of every stolen file that such a link would normally point to, the actor packages what it claims is 1% of the total data stolen and posts that as proof. When downloaded, these archives do not contain the proof packs claimed. Instead they appear to hold 'dummy' or 'null' data: content scraped from public git repositories, text that appears to have been generated by an LLM, and in some cases .zip files that are corrupted and do not decompress at all.
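Before escalating on the strength of a listing, the first question to answer is whether the 'proof pack' actually contains anything tied to your organisation. The following script, an added example rather than anything from S-RM or 0APT, triages a downloaded archive offline: it checks that the zip is structurally intact and that every member passes its CRC (catching the corrupted archives described above), lists the entries and flags paths typical of public git repositories, and searches the extracted text for indicators only your organisation would have (internal hostnames, domains, project codenames). The marker list, the indicator list and the sample archives, including the hypothetical 'ACME' company, are constructed for illustration; spotting LLM-generated filler is left to a human reviewer.

```python
import io
import re
import zipfile

# Assumed heuristics (not from the advisory): paths typical of public git
# repositories rather than of an enterprise file share.
GIT_SCRAPE_MARKERS = (".git/", ".gitignore", "README.md", "LICENSE", "package.json")

VERDICT_CORRUPT = "corrupt archive"
VERDICT_BAD_MEMBER = "corrupt member"
VERDICT_ESCALATE = "contains expected internal indicators: escalate"
VERDICT_SCRAPED = "looks like scraped public repository content"
VERDICT_NO_LINK = "no link to the named organisation found"


def triage_proof_pack(zip_bytes, expected_indicators):
    """Triage a claimed proof-pack archive without trusting its contents.

    Returns a dict with the integrity result, the file listing, any entries
    that look like scraped git content, and which expected indicators
    (hostnames, domains, project codenames) appear in the extracted text.
    """
    result = {
        "valid_zip": False,
        "corrupt_member": None,
        "entries": [],
        "git_markers": [],
        "indicator_hits": {},
        "verdict": VERDICT_CORRUPT,
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return result                      # no central directory: cannot decompress
    result["valid_zip"] = True

    bad = zf.testzip()                     # CRC-checks every member, returns first bad name
    if bad is not None:
        result["corrupt_member"] = bad
        result["verdict"] = VERDICT_BAD_MEMBER
        return result

    names = zf.namelist()
    result["entries"] = names
    result["git_markers"] = [n for n in names if any(m in n for m in GIT_SCRAPE_MARKERS)]

    hits = {}
    for name in names:
        if name.endswith("/"):
            continue                       # directory entry, nothing to read
        text = zf.read(name).decode("utf-8", errors="ignore")
        for indicator in expected_indicators:
            if re.search(re.escape(indicator), text, re.IGNORECASE):
                hits.setdefault(indicator, []).append(name)
    result["indicator_hits"] = hits

    if hits:
        result["verdict"] = VERDICT_ESCALATE
    elif result["git_markers"]:
        result["verdict"] = VERDICT_SCRAPED
    else:
        result["verdict"] = VERDICT_NO_LINK
    return result


def build_zip(members):
    """Build an in-memory zip from {name: bytes} (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples for a hypothetical listed company "ACME" (not real data).
EXPECTED_INDICATORS = ["acme-corp.internal", "ACME-DC01", "Project Kestrel"]

# 1. A pack assembled from a public repository: plausible-looking but unrelated to ACME.
SCRAPED_PACK = build_zip({
    "README.md": b"# widget-lib\nA small utility library.\n",
    "LICENSE": b"MIT License\nCopyright (c) 2021\n",
    "src/index.js": b"module.exports = function widget() { return 42; };\n",
})

# 2. A pack that really does reference ACME's internal estate.
GENUINE_PACK = build_zip({
    "hr/payroll_2025.csv": b"employee_id,host,share\n1001,ACME-DC01,\\\\acme-corp.internal\\hr\n",
})

# 3. Bytes that start like a zip but have no central directory.
CORRUPT_PACK = b"PK\x03\x04" + b"\x00" * 26

# 4. A structurally valid archive whose member data was damaged in transit.
_ok = build_zip({"a.txt": b"hello world"})
_idx = _ok.index(b"hello world")
DAMAGED_MEMBER_PACK = _ok[:_idx] + b"jello world" + _ok[_idx + len(b"hello world"):]


if __name__ == "__main__":
    for label, pack in [("scraped", SCRAPED_PACK), ("genuine", GENUINE_PACK),
                        ("corrupt", CORRUPT_PACK), ("damaged", DAMAGED_MEMBER_PACK)]:
        print(label, "->", triage_proof_pack(pack, EXPECTED_INDICATORS)["verdict"])
```

Run the triage on the archive exactly as downloaded, on an isolated host, and treat only an `escalate` verdict as grounds for a full incident response; a pack that fails integrity checks or contains nothing but repository boilerplate is consistent with the 'null' data described above and justifies monitoring rather than a large-scale technical response.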
Where is the pressure?
When a group successfully extracts large amounts of data from a target network, extortion usually follows, typically beginning with a ransom note left on the victim's network. At the time of writing, however, we have seen no communications from 0APT, nor have we observed or received reports of a ransom note left by the group.
What should concerned companies do?
Do not pay: There is no evidence that the threat actor behind 0APT has obtained any legitimate data, so paying to prevent a leak is highly unlikely to change the group's behaviour.
Do not communicate: The threat actor maintains a 'contact us' page on its dark web leak site, and some companies may be tempted to make contact to learn more about the claims. We recommend against communicating with the group unless evidence emerges that its operations are genuine.
Prepare for the questions: While the data leaked to date appears to be fake, the actor's public claims are still likely to generate concern. Organisations named on the site should have both internal and external communications plans in place to handle questions from concerned stakeholders.
S-RM's Cyber Threat Intelligence team is monitoring the group's activities closely and will issue further advisories as appropriate.