New Threat Actor: TridentLocker

In November 2025, a new cyber threat entity identified as TridentLocker emerged. This group has quickly established itself within the cybercrime landscape, accounting for approximately 5.35% of reported ransomware incidents by early December 2025. This activity level places them immediately behind major established groups like Qilin, Akira, and LockBit 5.0.

TridentLocker operates as a “Crypto-Ransomware” group but distinguishes itself by explicitly identifying as a “Data Broker.” Their operational model focuses on Direct Extortion and Double Extortion, leveraging the threat of selling stolen data to third parties if ransom demands are not met.

Operational Profile

The group utilizes the Tor network for its infrastructure, maintaining a hidden service that functions as a leak site and negotiation portal.

  • Tor Onion Address: http://tridentfrdy6jydwywfx4vx422vnto7pktao2gyx2qdcwjanogq454ad.onion

Unlike groups that solely dump data to shame victims, the “Data Broker” tag suggests a transactional approach where the primary goal is the monetization of exfiltrated assets, potentially selling them to competitors or other criminal entities.

Victimology

TridentLocker targets a wide range of industries across North America, Europe, and Asia. Confirmed victims and sectors from November and December 2025 include:

Specific Confirmed Victims

  • bpost (Belgium): On December 1, 2025, the Belgian postal service bpost was listed as a victim. The group exfiltrated 30.46 GB of data, consisting of 5,140 files. bpost confirmed the breach originated from a third-party exchange platform rather than a direct intrusion into their primary network.
  • IQS (USA): On November 29, 2025, TridentLocker claimed an attack on IQS, a technology company.
  • Noment Inc. (USA): On December 2, 2025, the group targeted Noment Inc., another US-based technology firm.

Sector and Geographic Breakdown

  • Technology: Multiple targets in the USA and Canada (e.g., IQS, Noment Inc.).
  • Critical Infrastructure: Oil & Gas sector in the United Kingdom (November 16).
  • Manufacturing: Target in Canada (November 15).
  • Retail & Wholesale: Target in China (November 9).
  • Media & Marketing: Targets in the USA.

Tactics, Techniques, and Procedures (TTPs)

Initial Access

TridentLocker utilizes Supply Chain Compromise as a key vector. The attack on bpost demonstrated the exploitation of a third-party service provider to gain access to sensitive data, bypassing the primary target’s perimeter defenses.

Extortion Strategy

The group employs a Double Extortion model:

  1. Encryption: Systems are encrypted to disrupt operations.
  2. Data Exfiltration: Data is stolen prior to encryption.
  3. Brokerage: The group threatens to sell or publish the stolen data if negotiations fail.

Communications

TridentLocker uses direct and urgent language in their ransom notes and public statements to force engagement.

  • Statement regarding IQS: “All data will be published unless IQS contacts us for negotiations.”
  • Statement regarding Noment Inc.: “The sensitive information of Noment Inc is in our hands. If no contact is made, all data will be published imminently.”

Indicators of Compromise (IOCs)

Technical indicators associated with TridentLocker activity include:

Network Indicators

  • Tor Hidden Service: http://tridentfrdy6jydwywfx4vx422vnto7pktao2gyx2qdcwjanogq454ad.onion

Ransom Note Strings

Detection rules can be based on the specific phrasing used in their digital extortion notes:

  • “All data will be published unless [Company Name] contacts us for negotiations”
  • “The sensitive information of [Company Name] is in our hands”
  • “If no contact is made, all data will be published imminently”
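As an added example (not code from the report), the three note templates above can be turned into a small detector that treats the [Company Name] slot as a capture group and tolerates line wrapping; the sample note text inside is constructed for the demonstration.

```python
"""Detector for TridentLocker ransom-note phrasing (added example).

The templates are the three strings listed in the report; the sample note
at the bottom is constructed for this demo and is not a real note.
"""
from __future__ import annotations
import re

PLACEHOLDER = "[Company Name]"

# Templates exactly as listed in the report.
NOTE_TEMPLATES = [
    "All data will be published unless [Company Name] contacts us for negotiations",
    "The sensitive information of [Company Name] is in our hands",
    "If no contact is made, all data will be published imminently",
]


def template_to_regex(template: str) -> re.Pattern:
    """Compile a template into a case-insensitive, whitespace-tolerant regex.

    Literal words are escaped and joined with \\s+ so a note wrapped across
    lines still matches; the company slot becomes a lazy named group that
    stops at the first point where the rest of the template fits.
    """
    pieces = []
    for chunk in template.split(PLACEHOLDER):
        pieces.append(r"\s+".join(re.escape(w) for w in chunk.split()))
    body = r"\s*(?P<company>[^\n]{1,80}?)\s*".join(pieces)
    return re.compile(body, re.IGNORECASE)


COMPILED = [(t, template_to_regex(t)) for t in NOTE_TEMPLATES]


def scan_note(text: str) -> list[dict]:
    """Return one hit per template found in `text`, with the captured victim name."""
    hits = []
    for template, rx in COMPILED:
        m = rx.search(text)
        if m:
            groups = m.groupdict()
            hits.append({
                "template": template,
                "matched": m.group(0),
                "company": groups["company"].strip() if "company" in groups else None,
            })
    return hits


# Constructed sample note text for the demo (not a real note).
SAMPLE_NOTE = """Hello.
The sensitive information of Example Corp is in our hands.
If no contact is made, all data will
be published imminently."""

if __name__ == "__main__":
    for hit in scan_note(SAMPLE_NOTE):
        print(hit["company"], "|", hit["matched"])
```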

File Artifacts

  • Data Staging: Presence of large data archives (e.g., 30 GB+) being staged for exfiltration.
  • File Volume: Mass exfiltration events involving thousands of files (e.g., 5,140 files in the bpost incident).