Ransomware Group Sarcoma Steals Swiss Government Data

The Swiss government has confirmed that confidential data from multiple federal agencies was compromised following a ransomware attack on Radix, a third-party service provider. The breach is now under investigation, and cybersecurity officials are warning of possible secondary attacks.


Key Details of the Breach

The ransomware group Sarcoma infiltrated Radix’s systems on June 16, 2025, encrypting internal files and stealing a trove of sensitive data. Less than two weeks later, on June 29, the group published 1.3 terabytes of stolen data on its darknet leak site.

According to early assessments, the leaked information includes:

  • Scanned documents
  • Financial records
  • Contracts
  • Internal communications

Switzerland’s National Cyber Security Centre (NCSC) is currently evaluating the scope of the breach and its potential impact across various federal entities.


About Radix

Radix is a nonprofit organization headquartered in Zurich, specializing in health promotion and lifestyle education. It operates eight competence centers, providing services to:

  • Federal agencies
  • Cantonal and municipal governments
  • Private sector partners

While Radix claims there is no evidence that partner data was leaked, it has notified affected parties out of caution.


Who is Sarcoma?

Sarcoma is a relatively new player in the ransomware ecosystem, first identified in October 2024. Despite its short history, the group has made a quick impact—claiming 36 victims in its first month alone.

One of its earliest and most prominent attacks targeted Unimicron, a major Taiwanese manufacturer of printed circuit boards (PCBs). The group’s typical tactic is to publish stolen data for free if victims refuse to pay ransom—suggesting that negotiations with Radix failed or were never initiated.


Government Warning: Watch for Phishing

In response to the breach, the Swiss government has issued a public warning urging vigilance against phishing attempts and identity fraud. Authorities are particularly concerned about follow-up attacks aimed at harvesting:

  • Passwords
  • Bank account details
  • Login credentials

These secondary attacks often follow major data leaks, using stolen personal information to craft convincing phishing emails or launch credential stuffing campaigns.


Not the First Time

This incident marks the second major breach involving a Swiss government contractor in recent years. In 2023, the ransomware group Play compromised Xplain, an IT services firm supporting several federal agencies. That attack resulted in the leak of 6,500 classified files, sparking widespread criticism over lax third-party security standards.


Why It Matters

The Radix breach underscores the persistent threat of supply-chain attacks on public sector infrastructure. As ransomware groups grow more organized and aggressive, contractors and third-party service providers remain a critical weak link in the security chain.

With Sarcoma now emerging as a serious threat actor, the incident adds pressure on governments to bolster cyber hygiene—not just within their own systems, but across their entire vendor ecosystem.
