Menu
Browse

Cyber Threat Actor: Doppel

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

The Doppel group, also referred to simply as Doppel, is a threat actor that has been identified in open‑source reporting as operating from Russia. The actor is known for deploying ransomware that bears the group’s name and for conducting operations that involve the theft of sensitive data before any encryption or ransom demand is made. Public sources describe Doppel as a ransomware‑oriented entity that has been observed targeting private sector organizations, though the full scope of its victimology remains limited to the incidents that have been disclosed.

In the only publicly detailed incident attributed to Doppel, a French pharmaceutical laboratory was compromised on 1 November 2020. The actors gained access to the network, deployed their ransomware, and exfiltrated hundreds of internal documents without issuing a ransom note or setting a payment deadline. Months after the breach, the group released a portion of the stolen data on the public internet, and the source material notes that the remaining data may have been sold to other threat actors. This pattern indicates that Doppel’s tactics include data exfiltration followed by public disclosure, with the potential for subsequent monetization through the sale of information rather than through traditional ransom payments. The reported tools and techniques consist of the Doppel ransomware payload and associated data‑collection utilities, but no specific initial‑access vectors or additional malware families are described in the available reports.

Attribution to a geographic location is based on the actor’s presumed Russian origin, as indicated by the threat‑intelligence sources that reference the group’s location. No public evidence links Doppel to a state sponsor or to a larger criminal consortium, and the actor’s affiliations remain unspecified beyond the geographic assumption. The French pharmaceutical incident stands as the most representative operation publicly associated with Doppel, illustrating the group’s focus on stealing proprietary information and leveraging its release to exert pressure or generate indirect profit. No further campaigns or operational details are documented in the material provided.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources