Ransomware Group: SAFEPAY

VICTIM NAME: appagroup[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SAFEPAY Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page pertains to an entity identified as Appa Group, an engineering and construction firm based in Germany. The company specializes in the full-cycle development of industrial plants and commercial buildings across sectors such as oil & gas, petrochemicals, power, and infrastructure. The breach was discovered on July 26, 2025, with the attack occurring on the same day, indicating a recent incident. The page includes a screenshot of an internal document or interface, suggesting that sensitive internal information has been compromised. No specific PII or sensitive employee data was identified in the leak, indicating the focus of the breach appears to target company infrastructure or operational data rather than personal information.

The leak is associated with the group called “safepay.” There are indications of data exfiltration, potentially involving corporate documents or internal communications, but explicit details about the nature of the leaked data are limited. The leak webpage does not specify the type of data stolen or published, but the presence of a screenshot suggests internal information or evidence of breach. The compromised domain, appagroup.com, is linked to the affected organization. The event signifies a serious cybersecurity incident affecting a construction and engineering firm operating in the industrial sector, emphasizing the importance of cybersecurity measures in protecting critical infrastructure. Download links or additional leaked data are not explicitly detailed, but the incident underscores ongoing threats from ransomware groups targeting various industries worldwide.