Cyber Threat Actor: Cloak
| Actor Type | Location | Known Incidents |
Criminal
|
Switzerland
|
1 incident |
|---|
Profile
Cloak is the alias used to refer to a threat actor that has been publicly linked to a ransomware operation targeting a Swiss radio broadcaster. The actor’s known location is Switzerland, based on the limited attribution information available from the reported incident. The only concrete activity attributed to Cloak to date is the cyber‑attack against Rhône FM that occurred on April 14 2025, in which the broadcaster’s broadcast servers were encrypted and a ransom demand was issued. This incident provides the sole basis for any factual description of the actor’s behavior, capabilities, or interests.
The Rhône FM intrusion indicates that Cloak focuses on the media sector, at least within the Swiss geographic area, and appears to pursue financial gain through ransomware extortion. During the attack the threat actor deployed ransomware that encrypted critical broadcasting infrastructure, prompting the ransom note and leading to a temporary interruption of service. The broadcaster noted that some files may have been exfiltrated, suggesting that data theft could accompany the encryption routine, although no specific malware family, initial‑access vector, or tooling style was disclosed in the public reports. Because the sources do not detail the exact malware used, the method of compromise, or any post‑exploitation tools, those aspects of Cloak’s TTP repertoire remain undocumented.
No public attribution has tied Cloak to a state‑sponsored program, a known criminal consortium, or any particular ideological motive, and the actor’s affiliations remain unspecified. Consequently, the Rhône FM event stands as the only representative operation that can be cited when discussing the actor’s known campaigns. Until further incidents are reported or additional technical details are released, the profile of Cloak must be confined to the confirmed facts: an actor operating under the alias Cloak, based in Switzerland, observed conducting a ransomware attack against a Swiss radio station with financial extortion as the apparent objective.
