Cyber Threat Actor: Femwar02

| Actor Type | Location | Known Incidents |
|---|---|---|
| Activist | — | 1 incident |

Profile
Femwar02 is the alias used by a threat actor that has been publicly identified in a single reported incident. The group is described as a pro‑Russian entity, which provides the only publicly available characterization of its ideological orientation. No additional aliases or alternative names have been disclosed in open sources. The actor came to attention following a ransomware operation that targeted a major European university in early 2026.
The victim of the attributed activity was La Sapienza University, noted as Europe’s largest institution by the number of students physically present on campus. This target places the actor’s activity within the higher education sector and indicates a geographic focus on Europe. The attack resulted in the encryption of institutional data and the disruption of core information technology services, which forced the university to suspend its online offerings. The incident prompted an ongoing response effort aimed at restoring normal operations, highlighting the disruptive impact of the operation on the victim’s daily functions.
The tactics observed in this event are limited to the deployment of ransomware to encrypt data and render IT systems offline. No specific malware family, initial access vector, or supplementary tooling has been reported in connection with Femwar02’s activity. The described effect—data encryption coupled with service interruption—constitutes the entirety of the publicly known technical profile for the group. Consequently, any further detail about their toolchain or intrusion methods remains undocumented in the available record.
Attribution to Femwar02 is based on the public identification of the group as a pro‑Russian actor in relation to the ransomware incident. No explicit link to a state sponsor, criminal consortium, or other affiliating organization has been made in the sources examined. The pro‑Russian label serves as the sole indicator of the actor’s alleged alignment, without additional clarification on funding, direction, or organizational structure. As a result, the actor’s affiliations remain confined to this self‑described orientation.
The only publicly reported operation associated with Femwar02 is the February 6, 2026 ransomware attack on La Sapienza University. This event stands as the representative example of the group’s activity, illustrating its capability to disrupt a large educational institution through data encryption and service denial. No further campaigns or historical operations have been disclosed in open‑source reporting, leaving this incident as the singular documented reference for the actor’s behavior.
