Menu
Browse

Cyber Threat Actor: Slug

Actor Type Location Known Incidents
 Icon
Criminal
Ireland
1 incident
Profile

Slug is an alias used by a cybercriminal group that has been linked to a ransomware incident targeting AerCap Holdings N.V. in January 2024. The group’s location is noted as Ireland, though no further geographic details are publicly available. The alias appears in open‑source reporting as the name under which the actors claimed responsibility for the attack.

The incident involving AerCap demonstrates that Slug engages in ransomware operations that are consistent with broader trends of actors seeking financial gain from high‑capacity organizations. The group’s claim of exfiltrating one terabyte of data suggests a focus on data theft as leverage for extortion, although no specific ransom demand was disclosed in the reporting. The targeting of a global aviation leasing company indicates an interest in sectors with substantial operational and financial assets, though no explicit sectoral pattern is established beyond this single case.

Observed tactics, techniques, and procedures include the deployment of ransomware that encrypted systems while the victim retained control of its IT environment, followed by a public allegation of large‑scale data theft. The actors reportedly relied on third‑party cybersecurity experts and law enforcement notification for incident response, reflecting a typical ransomware scenario where external assistance is sought. No specific malware families, initial access vectors, or custom tooling are described in the available sources.

Public attribution to a state sponsor or known criminal consortium has not been established for Slug; the group remains unattributed beyond its self‑identified alias. Consequently, any discussion of affiliations or geopolitical ties would be speculative and is omitted here.

The AerCap Holdings N.V. incident serves as the primary publicly reported operation associated with Slug, illustrating the group’s ransomware methodology and alleged data exfiltration capabilities. This case represents the only concrete example of the actor’s activity currently documented in open‑source reporting.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources