Sarcoma ransomware claims breach at giant PCB maker Unimicron
A relatively new ransomware operation named ‘Sarcoma’ has claimed responsibility for an attack on Unimicron, a printed circuit board (PCB) maker based in Taiwan.
The cybercriminals have published samples of files allegedly stolen from the company’s systems during the attack and threaten to leak everything next week if a ransom is not paid.
In a new listing added to Sarcoma’s leak site yesterday, the threat actors claim to be holding 377 GB of SQL files and documents exfiltrated from the Taiwanese company.

Unimicron is a public company manufacturing rigid and flexible PCBs, high-density interconnection (HDI) boards, and integrated circuit (IC) carriers.
The company is one of the largest PCB manufacturers in the world, with plants and service centers in Taiwan, China, Germany, and Japan. Its products are used extensively in LCD monitors, computers, peripherals, and smartphones.
Unimicron disclosed in a bulletin published in the Taiwan Stock Exchange (TWSE) portal that on February 1 it suffered disruption from a ransomware attack.
According to the statement, the incident occurred on January 30 and impacted Unimicron Technology (Shenzhen) Corp., its China-based subsidiary.
The firm said the impact of the attack is limited, and added that it has engaged an external cyber forensic team to analyze the incident and help implement defensive measures.
Unimicron did not confirm a data breach, though. Meanwhile, the samples Sarcoma leaked on its extortion portal appear authentic.
BleepingComputer has reached out to Unimicron to ask for an updated statement addressing Sarcoma’s allegations, but a comment wasn’t immediately available.
Rapid rise to high-volume operations
Sarcoma launched its first attacks in October 2024 and, in that same month, quickly became one of the most active and prolific ransomware gangs, claiming 36 victims.
In November 2024, cybersecurity specialists at CYFIRMA warned: “Sarcoma ransomware is rapidly becoming a significant threat due to its aggressive tactics and increasing victim count.”
In December 2024, operational technology cyber threat intelligence company Dragos listed Sarcoma among the most important emerging threats for industrial organizations worldwide.
A report by RedPiranha shares more details about Sarcoma, explaining that its operators use phishing emails and the exploitation of n-day vulnerabilities to gain initial access, and have also carried out supply chain attacks to pivot from service vendors to their clients.
Post-compromise, Sarcoma engages in RDP exploitation, lateral movement, and data exfiltration.
However, the tools the threat group uses have not been analyzed yet, so although the group’s operations indicate experience in the field, its exact origin and tactics remain undetermined.
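The post-compromise pattern described above (RDP abuse followed by lateral movement) is one that defenders can look for in authentication logs. The following script is an added example written for this article; it is not code from BleepingComputer, RedPiranha, or any of the cited reports, and it makes no claim about Sarcoma's actual tooling. It assumes logon records shaped like Windows Security Event ID 4624, where LogonType 10 (RemoteInteractive) denotes an RDP session, and flags any account that opens RDP sessions to several distinct hosts within a short window. The field names and the sample records are constructed for illustration.

```python
"""Flag accounts that open RDP sessions to many distinct hosts in a short window.

Heuristic for RDP-based lateral movement: one account fanning out to several
hosts over RDP in a few minutes is unusual for ordinary users and worth triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Fields mimic Windows Security
# Event ID 4624 (successful logon); logon_type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    # Hypothetical service account hopping across four hosts in ~12 minutes.
    {"time": "2025-01-30T02:01:10", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "target_host": "FILESRV01", "source_ip": "10.10.5.23"},
    {"time": "2025-01-30T02:04:30", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "target_host": "DC01", "source_ip": "10.10.5.23"},
    {"time": "2025-01-30T02:09:05", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "target_host": "HR-WS12", "source_ip": "10.10.5.23"},
    {"time": "2025-01-30T02:12:40", "event_id": 4624, "logon_type": 10,
     "user": "svc_backup", "target_host": "APP02", "source_ip": "10.10.5.23"},
    # Normal user reconnecting to their own workstation: one host, no alert.
    {"time": "2025-01-30T09:00:00", "event_id": 4624, "logon_type": 10,
     "user": "alice", "target_host": "WS-ALICE", "source_ip": "10.20.1.40"},
    {"time": "2025-01-30T09:30:00", "event_id": 4624, "logon_type": 10,
     "user": "alice", "target_host": "WS-ALICE", "source_ip": "10.20.1.40"},
    # Console logon (type 2) is not RDP and is ignored by the detector.
    {"time": "2025-01-30T09:05:00", "event_id": 4624, "logon_type": 2,
     "user": "bob", "target_host": "WS-BOB", "source_ip": "-"},
    # Two hosts within the window: below the threshold, no alert.
    {"time": "2025-01-30T03:00:00", "event_id": 4624, "logon_type": 10,
     "user": "carol", "target_host": "HOST-A", "source_ip": "10.30.2.9"},
    {"time": "2025-01-30T03:10:00", "event_id": 4624, "logon_type": 10,
     "user": "carol", "target_host": "HOST-B", "source_ip": "10.30.2.9"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp of a record."""
    return datetime.fromisoformat(event["time"])


def detect_rdp_fanout(events, window=timedelta(minutes=15), threshold=3):
    """Return {user: sorted list of hosts} for accounts whose RDP logons reach
    `threshold` distinct target hosts inside any sliding `window`."""
    rdp = [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10]
    rdp.sort(key=_ts)

    by_user = defaultdict(list)
    for e in rdp:
        by_user[e["user"]].append(e)

    alerts = defaultdict(set)
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            hosts = {e["target_host"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[user] |= hosts  # accumulate every host seen in a hot window

    return {user: sorted(hosts) for user, hosts in alerts.items()}


if __name__ == "__main__":
    for user, hosts in detect_rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} opened RDP sessions to {len(hosts)} hosts: {', '.join(hosts)}")
```

The window and threshold are tunable; administrators who legitimately jump between servers will trip a low threshold, so in practice the output is a triage queue rather than a verdict, and pairing it with the source IP (which here stays constant across hops, a further tell) tightens the signal.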