Orion is a ransomware operation first observed in October 2025 that listed 13 alleged victims on a dark web leak site across financial services, manufacturing, and healthcare, though analysts determined its victim list was recycled from prior LockBit and BlackCat disclosures rather than fresh compromises.