ZeroFox Intelligence Profile - ICARUS
by Alpha Team

Product Serial: P-2026-06-26a
TLP:CLEAR
This Threat Actor Profile is a baseline analysis for the ransomware and digital extortion (R&DE) collective ICARUS, which has been active since early April 2026.
Standing Intelligence Requirements
For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:
https://cloud.zerofox.com/intelligence/advisories/14956
Key Findings
- ZeroFox first observed the data leak site (DLS) and associated extortion campaigns of the ransomware and digital extortion (R&DE) collective ICARUS in late April to early May 2026. Since becoming active, the group has listed at least three confirmed targets and five additional redacted entities on its DLS, suggesting ongoing and expanding operations as of mid-2026.
- The operators of "The Underground _ Uwu" Telegram channel have reposted ICARUS's original leak post and have previously claimed affiliations with Scattered Lapsus$ Hunters (SLH); this raises the possibility of an affiliation between ICARUS and SLH. However, ICARUS has not publicly acknowledged or claimed any such affiliation.
- ICARUS is very likely financially motivated. Neither its DLS communications nor its observed operational behavior indicates any political stance, ideological messaging, or affiliation with a specific cause.
- ZeroFox has observed that ICARUS employs a multitiered extortion model centered on supply chain compromise, data exfiltration, and public disclosure threats.
- ZeroFox assesses that ICARUS is likely an operationally immature threat actor group based on multiple observed operational security (OPSEC) lapses. Despite presenting a polished public-facing DLS, the group's operational conduct reflects significant inconsistencies that suggest limited experience relative to more established R&DE collectives.
Tags: dark web, threat actor, malware