Codefinger is a cybercriminal ransomware operator first publicly identified in early 2025 by cybersecurity firm Halcyon. The group's primary motivation is financial gain through extortion. What sets them apart is their unique leveraging of legitimate cloud features, specifically Amazon Web Services (AWS) S3 bucket Server-Side Encryption with Customer-Provided Keys (SSE-C), rather than traditional malware deployment. They target organizations utilizing AWS S3 buckets, particularly those with compromised credentials granting read/write access and enabled SSE-C. This tactic renders data irretrievable without the actor's decryption keys, often accompanied by threats of permanent deletion. The group's origin is currently unknown, with no public attribution to a specific region, operating within the broader ransomware-as-a-service ecosystem.