TENGU RANSOMWARE
ID: ec0a7d73-8426-5fc8-a848-3437108d76c5
STIX ID: report--ec0a7d73-8426-5fc8-a848-3437108d76c5
Feed Name: THE RAVEN FILE
This intelligence report documents the TENGU ransomware group's operations from Oct 2025–Mar 2026: initial and revamped TOR data-leak sites, ~47 victims (12 currently listed), ~450GB of leaked data, RDP/SMB brute-force as primary initial access, exploitation of Zerologon on a Domain Controller, use of intermittent encryption and affiliate tooling (StealTENGU, ScreenConnect abuse, FortiRDP), published negotiation/chat panels and ransom notes, multiple onion and backup leak domains, and numerous IOCs (IP addresses, hostnames, and a representative remote command) useful for detection and blocking.
