German entity merlo.de has been named as a victim on the LockBit5 ransomware group's data-leak site, according to a verification alert published by RedPacket Security on 2026-04-26. The leak page, dated 2026-04-24, identifies the German organization as the affected party but does not disclose a ransom demand, exfiltration volume, or specific data samples. The listing should be treated as unconfirmed pending independent corroboration, as recent LockBit5 listings have included unverified or fabricated victim claims.
What Happened
LockBit5 added merlo.de to its Tor-based leak blog on 2026-04-24 at 14:21:00, presenting the listing as a data-leak publication rather than an active encryption notification. The post includes a German-language descriptor tied to Merlo's commercial branding, translating as "Merlo telescopic handlers: by professionals for professionals. Telescopic handlers for every application, plus service." This indicates the attackers tied the listing to Merlo's industrial equipment and telescopic handler product line, a niche market in the construction and material-handling sector.
The leak page does not include screenshots, document samples, or downloadable archives in the scraped content, and no ransom amount has been published. Per RedPacket Security's standing notice, none of the allegedly stolen material has been hosted, mirrored, or republished by the security outlet, and the listing is sourced directly from the LockBit5 onion site.
What Was Taken
The scope and nature of the compromised data have not been disclosed by the threat actor at the time of listing. The leak page contains no published file trees, sample documents, employee records, or financial materials. There is no indication of:
- Volume of exfiltrated data (no terabyte or gigabyte figures listed)
- Categories of stolen information (no mention of HR, finance, engineering, or customer records)
- Whether intellectual property tied to telescopic handler designs or proprietary engineering data is involved
- Any timeline for full publication if a ransom is not paid
LockBit affiliates historically follow a double-extortion model in which initial listings serve as a pressure mechanism, with full data drops following non-payment. Defenders should assume that if the breach is genuine, additional data publication may follow.
Why It Matters
Merlo S.p.A. and its German operations sit in the industrial machinery supply chain, producing telescopic handlers used across construction, agriculture, and logistics. A confirmed compromise could expose engineering specifications, dealer pricing data, customer contracts across European construction firms, and supplier records that touch the broader heavy-equipment ecosystem.
The listing also reflects the continued operational tempo of the LockBit brand under its v5 iteration, which has surfaced despite prior international takedown efforts against earlier LockBit infrastructure. The reappearance of LockBit-branded operations targeting European industrial firms underscores that disruption of a ransomware brand rarely eliminates the affiliate ecosystem behind it. Industrial sector defenders should treat any LockBit5 listing involving a manufacturing or equipment vendor as a signal to review third-party access and supplier exposure, even when the listing itself remains unverified.
The Attack Technique
No initial-access vector, malware variant, or tooling has been disclosed for this specific intrusion. LockBit affiliates have historically relied on:
- Exploitation of internet-facing appliances, including VPN gateways and remote access systems with unpatched CVEs
- Valid-credential abuse sourced from infostealer logs and initial-access brokers
- Phishing with malicious attachments leading to loader malware and Cobalt Strike deployment
- Lateral movement via compromised Active Directory and abuse of legitimate administrative tooling
Until merlo.de or German authorities release indicators of compromise, defenders should assume any of these vectors is plausible and prioritize hardening across the full set.
What Organizations Should Do
- Audit external attack surface for unpatched VPN concentrators, firewalls, and remote-access appliances, prioritizing CVEs known to be exploited by LockBit affiliates and initial-access brokers.
- Hunt for infostealer infections and credential exposure by monitoring stealer-log marketplaces and forcing rotation of any corporate credentials surfaced in dark-web feeds.
- Enforce phishing-resistant MFA on all remote access, privileged accounts, and email, and disable legacy authentication that bypasses MFA controls.
- Validate offline, immutable backups for critical systems and rehearse restoration timelines, ensuring backup infrastructure cannot be reached from production credentials.
- Segment OT and engineering networks from corporate IT, particularly for manufacturers where design and production systems share infrastructure with email and file servers.
- Review third-party and supplier access for any organization in the Merlo supply chain, and monitor LockBit5's leak site for follow-on publication that could indicate compromise of shared portals or integrations.
Sources: [LOCKBIT5] - Ransomware Victim: merlo[.]de - RedPacket Security