Hokuyo2006 Ransomware Attack by Safepay (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
On May 4, 2026, the ransomware group known as Safepay allegedly added the Japanese manufacturing firm Hokuyo2006 (hokuyo2006.co.jp) to its dark web leak site. The threat actor claims to have exfiltrated data from the company, which operates as part of a larger industrial group involved in packaging, logistics, and housing-related businesses. No data volume or sample files have been disclosed at this time. This claim has not been independently verified by Yazoul Security.
Threat Actor Profile
Safepay is a relatively obscure ransomware group with a limited public track record. According to available intelligence, the total number of confirmed victims is unknown, and no public research or attribution reports exist for the group. Their operational footprint appears minimal: they have not established a significant reputation for data leaks or ransom negotiations.
Based on observed tools, Safepay allegedly employs a standard set of post-exploitation and data exfiltration utilities:
- Invoke-ShareFinder: For discovering network shares and mapped drives.
- 7-Zip and WinRAR: For compressing stolen data before exfiltration.
- CMSTPLUA: A living-off-the-land binary (LOLBin) used for privilege escalation or bypassing User Account Control (UAC).
- dllhost.exe and Regsvr32.exe: Legitimate Windows processes often abused for code execution and persistence.
These tools suggest a reliance on commodity malware and publicly available scripts rather than custom-developed payloads. The group’s credibility is low due to the absence of verified victim data or public research, but this claim should still be monitored.
Alleged Data Exposure
Safepay claims to have stolen data from Hokuyo2006, but no specific file types, volumes, or sample content have been released. The victim’s role in packaging, logistics, and housing-related manufacturing suggests potential exposure of:
- Operational and supply chain data
- Client or partner contracts
- Internal financial records
- Employee or HR information
Without a data sample or leak confirmation, the scope remains speculative. Ransomware groups often exaggerate claims to pressure victims into payment.
Potential Impact
If the claim is verified, Hokuyo2006 could face:
- Operational disruption: Ransomware encryption may halt production lines, logistics systems, or order management.
- Reputational damage: Clients and partners may question data security practices, especially in Japan’s risk-averse business environment.
- Regulatory scrutiny: Under Japan’s Act on Protection of Personal Information (APPI), data breaches involving personal data require notification to authorities and affected individuals.
- Supply chain risks: As part of a larger industrial group, the breach could cascade to parent or sister companies.
What to Watch For
Yazoul Security recommends the following monitoring actions:
- Check for any public statements from Hokuyo2006 or its parent group regarding the incident.
- Monitor dark web forums for Safepay’s next moves, including potential data sample releases.
- Review network logs for the tools listed above (Invoke-ShareFinder, 7-Zip, WinRAR, CMSTPLUA, dllhost.exe, Regsvr32.exe) if you are in a similar industry.
- If YARA rules become available for Safepay’s payloads, they will be published on our /intel/page.
Disclaimer
This report is based on unverified claims made by the Safepay ransomware group. Yazoul Security has not independently confirmed the attack, data theft, or any operational impact on Hokuyo2006. Ransomware groups frequently fabricate or exaggerate victim lists to enhance their reputation. All information should be treated as preliminary and subject to change upon verification.