Ransomware group RansomHouse has listed Trellix, the enterprise cybersecurity giant formed from the merger of McAfee Enterprise and FireEye, on its dark web extortion blog as a victim, days after Trellix confirmed unauthorized access to a portion of its internal source code repository.
The incident has sent shockwaves through the security industry, raising urgent questions about supply chain integrity when even leading threat-detection vendors become targets.
Trellix publicly acknowledged the breach through an official statement published on its website at trellix.com/statement, confirming that threat actors gained unauthorized access to “a portion” of its source code repository. Upon discovery in early May 2026, the company immediately engaged external forensic experts and notified law enforcement authorities.
In its statement, Trellix said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.” The company added that it intends to share further technical details with the broader security community once its investigation concludes.
Critically, Trellix has not publicly disclosed exactly when the breach was first detected, how long the attackers maintained access, or whether any customer data, employee credentials, or internal documentation was exfiltrated alongside the source code. A company spokesperson provided only the prepared statement when pressed by reporters for additional details.
RansomHouse Claims Trellix
The RansomHouse ransomware group has now formally claimed responsibility for the cyberattack against Trellix, listing the company on its dark web blog, a hallmark of the group’s double-extortion pressure tactics.
According to the leak site listing visible in the threat intelligence screenshots, the encryption event was logged on April 17, 2026, and the status was marked as “EVIDENCE DEPENDS ON YOU,” indicating the group is withholding full data publication pending negotiations.
The listing shows 19 evidence files already staged, seven of which appear to be screenshots hosted on an open directory server, and notes that evidence packs are available for download with no password. Trellix’s revenue is estimated at $1.5–2 billion, and the company employs approximately 5,000 staff, making it a high-value target for extortion.
RansomHouse emerged in late 2021 / early 2022 and has steadily grown into one of the more sophisticated ransomware-as-a-service (RaaS) operations targeting large enterprises.
The group is believed to have origins in Russia. It employs a multi-stage extortion model: first encrypting the victim’s files to demand a ransom, then threatening to publish stolen data on its Tor-hosted forum if payment is refused.
RansomHouse’s technical arsenal is built around two primary tools, MrAgent and Mario (derived from Babuk ransomware source code), both engineered to target virtualized environments, particularly VMware ESXi hypervisors.
In past campaigns, the group exploited vulnerabilities in Citrix remote access software and VMware ESXi infrastructure, abusing weak domain credentials and monitoring gaps to achieve lateral movement and deploy backdoors.
The group is known to use cloud storage services for data exfiltration and has been documented utilizing CDN servers as exfiltration intermediaries.
In one prior case analyzed by Trellix’s own threat research team, RansomHouse received a ransom payment of approximately $1.2 million in Bitcoin on December 12, 2023, after initially demanding $2.56 million and settling at a 50% discount.
The strategic significance of targeting Trellix’s source code repository cannot be overstated. As a major endpoint security and extended detection and response (XDR) vendor protecting over 50,000 business and government customers, including more than 200 million endpoints, any tampering with Trellix’s code pipeline could have cascading downstream effects.
Security analysts note that the breach highlights supply chain exposure risks rather than a single exploitable CVE. Source code access gives sophisticated threat actors a roadmap to discover zero-day vulnerabilities, embed persistent backdoors, or launch targeted attacks against organizations that trust and deploy Trellix products.
While Trellix states its distribution pipeline shows no signs of compromise, the investigation is still active and incomplete. The Dark Reading analysis of this incident specifically categorized it as part of a growing trend of supply chain threats, in which adversaries pivot from attacking end users to targeting the vendors trusted to protect them.
Trellix has confirmed it is working with leading forensic experts and has alerted law enforcement. The company has pledged transparency as the investigation matures, but has yet to issue a detailed technical post-mortem, timeline, or IOC disclosure.
Organizations that rely on Trellix products should closely monitor vendor communications, audit the integrity of software updates, and review any anomalous behavior across endpoints protected by Trellix solutions during the investigation.
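As an added illustration of the "audit the integrity of software updates" step above (this is example code written for this page, not code from Trellix, RansomHouse, or the article), the script below checks downloaded update artifacts against a manifest of pinned SHA-256 digests and reports each one as ok, mismatch, or missing. It assumes the vendor publishes per-file digests through a channel separate from the download itself; the filenames and digests here are constructed.

```python
"""Verify downloaded update artifacts against a pinned SHA-256 manifest.

Example code for this page, not a vendor tool. The manifest, file names and
contents below are constructed sample data.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path

CHUNK_SIZE = 1 << 20  # read large installers in 1 MiB pieces


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory buffer (used for small test vectors)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so multi-GB updates fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, expected_hex: str) -> bool:
    """True only if the file's digest equals the pinned one.

    compare_digest avoids leaking how many leading characters matched;
    digests are normalised to lower case because vendors differ in casing.
    """
    actual = sha256_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def verify_manifest(manifest: dict[str, str], directory: Path) -> dict[str, str]:
    """Return 'ok', 'mismatch' or 'missing' for every artifact in the manifest.

    A 'mismatch' is a deploy blocker: the artifact was altered, corrupted, or
    the manifest itself is stale. A 'missing' entry means the download set is
    incomplete and should not be staged either.
    """
    results: dict[str, str] = {}
    for name, expected in manifest.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        elif verify_artifact(path, expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def demo() -> dict[str, str]:
    """Run the check on a constructed download set: one good, one tampered,
    one absent artifact. Returns the per-file verdicts."""
    agent_ok = b"constructed agent update payload v1\n"
    content_original = b"constructed detection content pack\n"
    # Constructed manifest: digests of the *original* artifacts.
    manifest = {
        "agent-update.bin": sha256_bytes(agent_ok),
        "content-pack.dat": sha256_bytes(content_original),
        "policy-bundle.xml": sha256_bytes(b"constructed policy bundle\n"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "agent-update.bin").write_bytes(agent_ok)
        # Simulate an altered download: the file no longer matches its pin.
        (root / "content-pack.dat").write_bytes(content_original + b"extra\n")
        # policy-bundle.xml is intentionally never written.
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

The check is only as strong as the manifest's provenance: if the digests are fetched from the same server as the artifact, an attacker who can replace the file can replace the digest too, so pin them from a signed release note, a vendor-signed manifest, or a value recorded out-of-band, and treat any mismatch as a stop condition rather than a retry.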
FAQ
Q1: Was Trellix customer data stolen in the breach?
Trellix has not confirmed whether customer data was exfiltrated, stating only that source code was accessed with no evidence of exploitation so far.
Q2: Which ransomware group attacked Trellix?
RansomHouse, a Russia-linked RaaS group active since late 2021, has claimed responsibility for the attack against Trellix.
Q3: Are Trellix products currently safe to use?
Trellix says there is no evidence that its source code release or distribution process was altered or exploited, but the investigation remains ongoing.
Q4: How does RansomHouse typically operate?
RansomHouse uses double extortion: it encrypts data and threatens public leaks, and it targets VMware ESXi environments with its MrAgent and Mario malware tools.
Site: thecybrdef.com