DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

Direwolf Ransomware Attack on Taiwan Company

01 August 2025 · Taiwan
Satellite Imagery © Esri

What happened

DireWolf (also written Dire Wolf) is a ransomware group that surfaced in May 2025 and posted its first batch of victims on a Tor leak site on 26 May 2025. Security firm Trustwave SpiderLabs, whose research was published via LevelBlue on 24 June 2025, analysed a sample and described a classic double-extortion operation: the group steals data, encrypts systems, and threatens to publish the stolen files on its leak site if a ransom is not paid, typically within about a month. The custom encryptor, written in Golang, disables Windows event logging, terminates dozens of services and processes, deletes backups and shadow copies, and encrypts files using Curve25519 and ChaCha20 before appending a .direwolf extension.

By mid-2025 the group had listed 16 victims across 11 countries, concentrated in the manufacturing and technology sectors. According to CSO Online, the affected countries included the United States, Thailand, Taiwan, Singapore, Italy and India, with the United States and Thailand reporting the most cases, followed by Taiwan. In at least one case the ransom demand was reported to be around 500,000 US dollars. On 18 August 2025 the Cyber Security Agency of Singapore issued an advisory warning of the ongoing campaign against manufacturing and technology firms across multiple regions.

Taiwan-based companies were among those named on DireWolf's leak site during this period, consistent with the group's stated focus on Asian manufacturing and technology targets. The identity of the specific Taiwanese victim associated with this record could not be confirmed through reputable independent reporting, so it is left unnamed here.

Assessment

The available reputable reporting supports a financially motivated criminal ransomware operation rather than any state-directed activity. DireWolf describes its only goal as money and disclaims any political stance, and no researcher has tied it to a nation-state. Suggestions of Chinese ties are speculative and not established. What is firmly documented is the toolset, the double-extortion model, and a victim spread that includes Taiwan within a broader Asian and global manufacturing and technology footprint. The precise Taiwanese victim and exact attack date for this record remain unverified by independent sources.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.