Menu
Browse

Cyber Threat Actor: Marquis

Actor Type Location Known Incidents
 Icon
Criminal
1 incident
Profile

Marquis is an alias used to track a threat actor linked to a series of data breaches disclosed on March 1 2026 that impacted organizations across multiple industries and geographic regions. The incidents affected healthcare providers, educational institutions, financial services firms, and technology companies, exposing personal information such as Social Security numbers, medical records, and financial details for hundreds of thousands of individuals in the United States and abroad. Compromised data volumes varied widely, ranging from tens of thousands to over two million records per event, indicating a broad scope of victimization. The actor’s activity was identified through public ransomware‑alert sources that highlighted the scale and cross‑sector nature of the disclosures. No public attribution to a state sponsor or criminal consortium has been established for Marquis, and the actor’s size, structure, or financial motivations remain unspecified in the available reporting. The breaches prompted widespread notification efforts and drew regulatory scrutiny due to the sensitivity of the exposed datasets.

The threat actor’s observed tactics include the use of ransomware to encrypt and exfiltrate data, exploitation of insider threats to gain privileged access, and leveraging supply chain vulnerabilities to reach downstream targets. These methods enabled the actor to move laterally within victim networks and extract large volumes of personal information without relying on a single, uniquely identified malware family. The reliance on insider assistance suggests an ability to recruit or compromise trusted individuals within target organizations, while supply chain exploitation indicates a focus on third‑party relationships as an entry point. No specific tooling frameworks or custom malware signatures have been publicly associated with Marquis in the reported incidents. The combination of ransomware deployment, insider abuse, and supply chain compromise represents the core TTP theme evident in the March 2026 campaign. This profile reflects only the facts explicitly documented in the provided source material.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources