[QILIN] – Ransomware Victim: thomasmhughes[.]com


Ransomware Group: QILIN

VICTIM NAME: thomasmhughes[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

On September 26, 2025, the leak page tied to the domain thomasmhughes[.]com attributes the incident to the threat actor group ‘qilin’ and lists a US-based legal services firm as the victim. The page describes the victim as a practice focusing on employee benefits, ERISA, tax, and pension law, with more than 30 years of experience. The post frames the event as a ransomware-related data leak and claims that internal documents have been exfiltrated. The attackers imply that stolen data may be released publicly or made available for download, consistent with double-extortion tactics. A post URL is included on the leak page. No separate compromise date is provided; the date shown is the post date (September 26, 2025).

The page presents a gallery consisting of 21 screenshots of internal documents. The leak page does not offer direct downloads, and the image assets are hosted via onion addresses, with no detailed descriptions of their contents. The body excerpt references a Jabber/XMPP contact and a TOX fingerprint, and shows an FTP path that includes redacted credentials; these identifiers in the excerpt are redacted to protect sensitive personal information. A claim URL is listed, and the post attributes the activity to the group ‘qilin’. No explicit ransom amount or encryption status is disclosed in the excerpt, and the industry field is not specified. The victim name remains thomasmhughes[.]com, illustrating continued exposure of professional services entities to ransomware data-leak campaigns.

