The Making of a Ransomware Brand: Desolator’s Affiliate Expansion and Early Attacks
In mid-2025, a previously unknown threat actor quietly began laying the groundwork for what would soon emerge as a new ransomware-as-a-service (RaaS) operation, Desolator. While public awareness of the group surfaced only after a string of ransomware incidents in late August, StealthMole traced Desolator’s activities months earlier across underground forums and marketplaces.
This report examines how Desolator positioned itself as a new entrant in the RaaS ecosystem, from its early recruitment drives and affiliate-program promotions to the first confirmed attacks attributed to its infrastructure. Drawing from indexed dark web artifacts, onion-site correlations, and communication identifiers, the analysis outlines how a single actor gradually evolved from advertising ransomware tools to orchestrating live campaigns.
The findings illustrate not just the technical emergence of a ransomware family, but the deliberate branding strategy and ecosystem building that transformed Desolator from a forum post into an operational ransomware entity.
Incident Trigger & Initial Investigation
On 1 September 2025, StealthMole’s Ransomware Monitoring tool registered a new dark web entity operating under the name Desolator. The alert was triggered when the crawler indexed a new Tor-hosted leak site:
- http://p***********************************************iqd.onion
The website featured a minimalist interface and a prominent Wall of Shame section listing four corporate victims. Each entry displayed the company name, status, and countdown timer threatening data exposure.
The listings traced a concise timeline of attacks. The earliest breach, dated 27 August 2025, targeted trithucgroup.com, a Vietnam-based IT company. Two additional victims, construccionessala.com and construsenales.com, both Colombian construction firms, were added on 28 August, followed by a US technology provider, LEVEL, on 31 August.
No new entries appeared after these initial four, suggesting the group had only just transitioned from preparation to active deployment. Each victim profile followed a uniform layout: a brief statement confirming network compromise and a progress bar indicating the time remaining until data release. The absence of accessible leak files or payment instructions hinted that Desolator's infrastructure was still being configured, or that data publication was contingent on ongoing ransom negotiations conducted off-site.
The website itself operated as a single-service Tor hidden instance, with no detected mirrors or external gateways, reinforcing the assessment that this was an early-stage deployment rather than a fully matured RaaS environment. This pattern, paired with close timing between incidents, suggested that Desolator was not yet functioning as a mature RaaS enterprise but was instead executing its initial proof-of-concept campaign, likely in collaboration with a limited circle of affiliates or testers.
Affiliate Recruitment & Platform Promotion
While Desolator’s leak site marked the group’s first visible campaign activity, traces of its groundwork appeared months earlier across underground forums. StealthMole’s darkweb tracker identified multiple posts between May and August 2025 advertising a new ransomware affiliate program under the same name.
The activity centered on a recurring alias, d**********s_*337, whose posts on the Darknet Army platform documented the progressive construction of Desolator’s RaaS ecosystem.
The earliest known thread, dated 19 May 2025, was titled “Looking for affiliates for ransomware operations (Desolator)”. It outlined a recruitment initiative targeting insiders, access brokers, and network intruders capable of supplying corporate footholds.
The post promised affiliates “no upfront fees,” a 90/10 revenue split, and access to a custom-built ransomware locker supporting Windows, Linux, and ESXi environments. The language of the thread emphasized professionalism and exclusivity, positioning Desolator as a service designed for “pentesters and access brokers who want to make real money.”
Subsequent posts through June and August 2025 expanded on these offers. A 27 June reply invited prospective partners to contact the operator directly via encrypted channels:
- Session ID: 05***************************************************b1e
- Tox ID: 02B******************************************************3A
The same identifiers were later found embedded within Desolator’s onion portal, demonstrating a clear forum-to-field continuity between early recruitment efforts and operational infrastructure.
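The forum-to-field link described above rests on a simple analyst technique: extract messenger identifiers from every collected artifact and look for ones that recur across independent sources (forum posts, marketplace listings, the onion portal's contact and FAQ pages). The script below is an added illustration of that pivot, not StealthMole tooling or code from the report. It relies on two format facts: Session IDs are 66 hexadecimal characters beginning with 05, and Tox IDs are 76 hexadecimal characters (32-byte public key, 4-byte nospam, 2-byte checksum). The artifacts and identifier values in it are constructed placeholders, not the redacted values observed in the report.

```python
import re
from collections import defaultdict

# Session IDs: 66 hex chars, prefix "05". Tox IDs: 76 hex chars.
# Word boundaries keep a 66-char Session ID from matching inside a longer string
# and stop the Tox pattern from matching a substring of unrelated hex.
SESSION_RE = re.compile(r"\b05[0-9a-fA-F]{64}\b")
TOX_RE = re.compile(r"\b[0-9a-fA-F]{76}\b")

# Constructed placeholder identifiers (NOT the ones from the report).
SESSION_A = "05" + "ab" * 32          # 66 chars
TOX_A = "A1" * 38                      # 76 chars
TOX_B = "B2" * 38                      # an unrelated 76-char Tox ID

# Constructed sample artifacts mimicking the kinds of sources the report cites.
SAMPLE_ARTIFACTS = [
    {"source": "forum:darknet-army/2025-06-27",
     "text": f"Affiliates wanted. Reach me on Session {SESSION_A} or Tox {TOX_A}"},
    {"source": "forum:darknet-army/2025-08-25",
     "text": f"Selling remote access to a private company. Contact Tox {TOX_A}"},
    {"source": "onion:leak-portal/faq",
     "text": f"Payments in BTC/XMR only. Session: {SESSION_A} Tox: {TOX_A}"},
    {"source": "forum:other/unrelated-post",
     "text": f"unrelated vendor, tox {TOX_B}"},
]


def extract_identifiers(text):
    """Return a set of (kind, normalized_id) tuples found in a text blob."""
    found = set()
    for m in SESSION_RE.finditer(text):
        found.add(("session", m.group(0).lower()))
    for m in TOX_RE.finditer(text):
        found.add(("tox", m.group(0).upper()))
    return found


def correlate(artifacts):
    """Map each identifier to the set of sources in which it appears."""
    index = defaultdict(set)
    for art in artifacts:
        for ident in extract_identifiers(art["text"]):
            index[ident].add(art["source"])
    return index


def shared_identifiers(index, min_sources=2):
    """Identifiers seen in at least min_sources distinct sources: the pivots
    that tie recruitment posts to live infrastructure. Single-source hits are
    dropped because one appearance proves nothing on its own."""
    return {ident: sorted(srcs) for ident, srcs in index.items()
            if len(srcs) >= min_sources}


if __name__ == "__main__":
    pivots = shared_identifiers(correlate(SAMPLE_ARTIFACTS))
    for (kind, ident), sources in pivots.items():
        print(f"{kind} {ident[:8]}... links {len(sources)} sources: {sources}")
```

On the constructed data the Session ID links the June recruitment post to the portal FAQ, and the Tox ID links all three Desolator-style artifacts, while the unrelated vendor's Tox ID is discarded as a single-source observation. In practice the same index is rebuilt as new artifacts are crawled, so a newly indexed onion page carrying an already-known identifier surfaces immediately as a pivot.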
By August 2025, de*********s_*337 had evolved from promotion to productization. A thread posted on 11 August advertised a “cross-platform ransomware source code (Windows/Linux/ESXi)” for $40,000 USD, accompanied by detailed feature lists and video demonstrations.
Just two weeks later, on 25 August, another listing appeared from the same user offering remote access to a Vietnamese private company for $2,000 USD, again using the identical Tox ID for contact.
This escalation, from recruiting affiliates, to selling ransomware source code, to brokering live access, reflects the deliberate expansion of Desolator’s criminal ecosystem. Rather than emerging abruptly in August, the group had been testing its brand, outreach strategy, and monetization models for months before its first public leaks appeared. By the time the portal went online, Desolator had already established a small but structured affiliate network, one capable of executing coordinated intrusions within days of launch.
Operational Structure & Payment Framework
Beyond its darkweb leak site, Desolator presented itself as a structured service built to sustain long-term affiliate operations. The group had outlined a clear workflow for both affiliates and victims, reflecting a maturing RaaS economy even at this early stage.
Affiliate Workflow
Affiliates were promised a custom-built locker at no upfront cost and were expected to supply initial network access or exfiltrated data. Once a target was compromised, Desolator’s core operators handled ransom negotiations and payment management, distributing proceeds through a revenue-sharing model that allocated either 80% or 90% of collected ransoms to the affiliate and the remainder to the service administrators.
The variation in percentages, visible across multiple portal sections, suggests the program offered tiered commissions based on affiliate experience or target value.
The process described a seven-step structure, encompassing:
- Locker Distribution — affiliates receive a personalized build.
- Data Sharing — operators verify exfiltrated content.
- Negotiations — core team manages victim communication.
- Double Extortion — non-paying victims are listed publicly.
- Sample Decryption — partial file recovery offered upon request.
- Final Payment — ransom split disbursed post-verification.
- Cleanup — affiliates instructed to remove data and binaries after payment confirmation.
The detailed workflow, paired with clear decryption and payment protocols, indicated an intent to professionalize operations, mirroring established RaaS frameworks like LockBit or RansomHub, although on a smaller scale.
Payment Ecosystem
Desolator’s payment system, much like other ransomware groups, was designed around privacy-oriented cryptocurrency transactions. The portal’s FAQ specified Bitcoin (BTC) and Monero (XMR) as the only accepted payment methods, aligning with standard RaaS practices emphasizing trace-resistant financial flows.
However, no static wallet addresses were published publicly; instead, payments were to be negotiated through direct encrypted communication channels, either via:
- Session Messenger: 05*******************************************b1e, or
- Tox Messenger: 02************************************************3A
This method allowed operators to issue unique payment wallets per negotiation, minimizing blockchain traceability and complicating external transaction analysis. While StealthMole did not capture any active wallet addresses, the structured guidance visible on the portal confirms that Desolator followed a double-blind payment protocol, where operators mediate between victims and affiliates to reduce risk exposure on both sides.
Rules, Conduct, and Brand Discipline
Desolator’s internal “Rules & Process” page provided insight into the group’s self-imposed discipline, a common hallmark of ransomware projects attempting to position themselves as credible “business operations.”
The group emphasized data deletion following payment, mandatory coordination through official communication channels, and strict non-disclosure by affiliates regarding the locker’s inner workings. This rule set mirrors the organizational culture of other established RaaS models, where brand reputation and trustworthiness are treated as marketable assets within criminal ecosystems.
Together, Desolator’s payment framework and process guidelines reveal an operation that, despite its brief public lifespan, was designed with longevity in mind. Its structure balanced centralized control over negotiation and payment handling with decentralized affiliate engagement, a hybrid model allowing for scalability while preserving operational secrecy. For a group still conducting its first confirmed leaks, Desolator demonstrated a surprisingly coherent internal economy, signaling ambitions far beyond a short-term campaign.
Conclusion
Desolator’s emergence underscores how quickly new ransomware brands can transition from underground concept to operational reality. Within a span of four months, the group progressed from recruiting affiliates on darknet forums to launching its own leak infrastructure and executing live intrusions across three regions.
Though the scale of its operations remains limited, the consistency of its messaging, payment structure, and technical claims point to an actor intent on building credibility rather than conducting opportunistic attacks.
StealthMole’s analysis places Desolator at the formative edge of the ransomware-as-a-service ecosystem, a group still refining its tools and workflows, yet already demonstrating an understanding of affiliate management, brand positioning, and operational secrecy. Its early leaks, combined with the professional presentation of its onion portal, reveal a strategy focused on sustainability and recognition within the underground economy.
While Desolator’s activity has been dormant since early September, the groundwork it established, infrastructure, recruitment channels, and economic model, remains intact. Continuous monitoring of its identifiers and dark web presence will be critical in determining whether Desolator consolidates into a stable RaaS brand or fragments under competitive and investigative pressure.
For now, the operation represents an instructive case study in how modern ransomware groups manufacture visibility and trust before scaling their attacks.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations can never be guaranteed with complete certainty. The connections drawn are based on available open-source intelligence and StealthMole platform data. However, attribution remains probabilistic and subject to change as new information emerges.
The primary goal of this report is not just attribution, but to showcase how StealthMole’s platform enables comprehensive, efficient, and intuitive profiling of threat actors through integrated tools such as Dark Web & Telegram Trackers, ULP Binder, the Compromised Data Set and others. These tools allow even independent researchers to connect dots across aliases, infrastructure, and behavioral patterns, transforming fragmented data into actionable intelligence.
To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com