Ransomware Group: KILLSEC

VICTIM NAME: Doctocliq

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the KILLSEC Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak page centers on Doctocliq, a Mexico-based healthcare software provider, and is attributed to the threat group Killsec. It presents Doctocliq as a victim of a ransomware-associated data-leak operation, aligning with double-extortion patterns where stolen data may be exposed or offered for sale. The page lists a post timestamp of 19 August 2025 as the post date; no separate compromise date is provided, indicating this is the published date of the leak.

The page includes Doctocliq’s branding and a description of its product as a user-friendly, all-in-one platform for medical and dental professionals that integrates scheduling, electronic medical records, finances, and patient communications with the help of artificial intelligence. A Spanish-language description is translated on the page to convey that the platform serves thousands of doctors across 19 countries and aims to empower health professionals in Latin America to grow. The post presents 18 image assets—likely screenshots or internal documents—to illustrate access claims, though the specific contents of those images are not described. A ransom-oriented note advises paying an amount to stop the data release, mentions the possibility of data deletion for payment, and invites negotiation through a session messenger; it also signals that third parties may contact for data purchases. The page references the victim’s branding and domain, defanged here as Doctocliq[.]com.

In translation of the description field, Doctocliq portrays itself as helping thousands of doctors in 19 countries manage clinics more efficiently, profitably, and humanely by connecting scheduling, clinical records, finances, and patient communications via artificial intelligence. It also states an ongoing effort to build digital infrastructure so health professionals in Latin America can lead their own growth, with a growth-oriented, collaborative team ethos. Taken together with the 18 included images, the post fits a ransomware extortion pattern that leverages the victim’s branding to bolster credibility while signaling a data-leak event and a potential ransom settlement.