New ransomware crew Doommageddon debuts with a Mercedes-Benz Turk claim

A previously unseen ransomware crew calling itself Doommageddon announced its arrival this week by posting five victims to its leak site on a single day, led by a claim against Mercedes-Benz Turk, the German carmaker's Turkish operation.

All five listings appeared on 6 July 2026, the first day the group has been observed anywhere. Alongside Mercedes-Benz Turk, the crew named Turkish chemicals manufacturer KOLORKIM KIMYA, Indian technology firm Innovano, Brazilian real-estate business Francisco Imoveis, and Paraguayan credit-ratings agency Solventa & Riskmetrica. Hitting four countries and several sectors in one burst is a common opening move for a new leak site trying to build a reputation fast.

These are unverified extortion claims. Entries on a ransomware leak site are allegations posted by the attackers, not confirmed breaches. None of the named organizations has confirmed an incident, and IntelFusions has not independently verified that any data was stolen. Well-known brand names deserve extra caution: a listing for Mercedes-Benz Turk may reflect data taken from a subsidiary, supplier, dealer, or reseller rather than the carmaker's core systems, a pattern seen repeatedly when small crews attach a famous name to draw attention.

Why a debut like this matters

New ransomware brands appear constantly, and many are rebrands of existing crews or short-lived operations that recycle old data. What makes a debut worth watching is the mix of a marquee victim and a multi-country spread on day one, which suggests the operators already hold stolen data and a working extortion workflow rather than starting from scratch. Whether Doommageddon proves durable or vanishes within weeks will become clearer as it either follows through on its threats to publish or goes quiet.

What defenders should do

Organizations in manufacturing, technology, and financial services, the sectors this crew hit first, should treat the debut as a prompt to check the basics that stop most ransomware intrusions: multi-factor authentication on every remote-access and email account, prompt patching of internet-facing systems, and tested offline backups. If your organization or one of your suppliers appears on a leak site, preserve logs and engage incident responders before deciding whether and how to respond, and assume any exposed data is already in criminal hands.

IntelFusions tracks this group on its Doommageddon threat actor profile. The one-day burst echoes other newcomers we have covered recently, including a crew that named 41 victims in a single day and the new Wallstreet operation that claimed a US police department and rural hospital. Victim details here are drawn entirely from the group's own leak-site postings.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions