Severity: Critical (unverified)

Alkaloid Ransomware Attack by apt73 (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Screenshot: leak site post claiming an alkaloid.com.mk data breach, captured at time of discovery. Image blurred to protect victim PII.]

Claim Summary

On May 21, 2026, the threat actor group known as apt73 allegedly added Alkaloid (alkaloid.com.mk) to its dark web leak site. The group claims to have compromised the company, a pharmaceutical manufacturer in the healthcare sector based in Skopje, North Macedonia, and founded in 1936. According to the leak site entry, apt73 asserts possession of data from Alkaloid, though the volume of data allegedly stolen remains undisclosed. This claim has not been independently verified by Yazoul Security, and we treat it with caution given the group’s limited public track record.

Threat Actor Profile

apt73 is a ransomware group with minimal public documentation. Based on available intelligence, the group’s operational history is sparse, with no confirmed tactics, techniques, or procedures (TTPs) formally attributed to it in open-source research. Its claimed victim count is unknown, and no YARA rules or detection guidance currently exist for this group. This lack of transparency raises significant credibility concerns: ransomware groups often fabricate or exaggerate claims to pressure victims into negotiations. Without a verifiable history of successful attacks, Yazoul Security assesses that apt73 may be an emerging or opportunistic actor, potentially repurposing existing ransomware strains or operating as a low-sophistication group. Organizations should monitor for any subsequent disclosure of data samples or technical indicators that could corroborate the claim.

Alleged Data Exposure

The threat actor claims to have accessed data from Alkaloid, but specifics regarding the nature of the compromised information are not provided. Given Alkaloid’s status as a pharmaceutical company in the healthcare sector, potential data types could include:

  • Proprietary drug formulations or research data
  • Patient or clinical trial records
  • Employee and payroll information
  • Intellectual property related to manufacturing processes
  • Financial and operational documents

However, without confirmation of data volume or the release of samples, these categories remain speculative. The group has not published any evidence of exfiltration, such as screenshots or file lists, which is atypical: established ransomware groups usually publish such proof to validate their claims.

Potential Impact

If the claim is substantiated, the impact on Alkaloid could be significant:

  • Operational Disruption: Ransomware encryption may disrupt pharmaceutical production, supply chain logistics, or distribution networks.
  • Regulatory Consequences: As a healthcare entity, Alkaloid may face penalties under data protection laws (e.g., GDPR) if patient or employee data is exposed.
  • Reputational Harm: Loss of trust among partners, clients, and the public, particularly given the company’s long history since 1936.
  • Intellectual Property Theft: Compromise of proprietary drug research could lead to competitive disadvantage or unauthorized replication.

Given the lack of evidence, these impacts are hypothetical. The group’s credibility is low, and the claim may be a bluff or a misattribution.

What to Watch For

  • Data Samples: Monitor for any release of sample files by apt73, which would increase the claim’s credibility.
  • Official Statements: Watch for Alkaloid’s public response or confirmation of a security incident.
  • Technical Indicators: If the group shares IOCs (e.g., hashes, domains, IPs), these should be analyzed for attribution.
  • Negotiation Dynamics: Ransomware groups often escalate pressure by leaking data incrementally; any such activity should be tracked.

Disclaimer

This report is based on unverified claims from the threat actor group apt73. Yazoul Security has not independently confirmed the breach, data exfiltration, or any operational impact on Alkaloid. Ransomware groups routinely fabricate or exaggerate victim lists to coerce payments. All information herein is for intelligence purposes only and should not be acted upon without further verification. No PII, download links, or access credentials are included.
