Ransomware Group: CHAOS

VICTIM NAME: amsfulfillment[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the CHAOS Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The leak post identifies amsfulfillment[.]com as the victim and attributes the incident to the CHAOS group. The victim is described as a US-based business services provider offering full-service order fulfillment, including third-party order management, fulfillment center management, and distribution services, with a focus on serving consumer products brands across B2B retail, online retail, and direct-to-consumer channels. The post date is 2025-09-24 20:48:37.536262; since no separate compromise date is provided, this timestamp is treated as the post date. The page does not explicitly state whether the attack encrypted systems or resulted in a data leak, as the impact field is left blank. The body excerpt references the victim’s domain and includes a defanged HTTP link to the company site (hxxp://www[.]amsfulfillment[[.]]com); a metadata label also points to an onion-service path associated with amssystems.

There are no visual assets or downloadable items on the leak page (images_count = 0; downloads_present = false; link_count = 0). A claim URL is indicated on the page, though its contents are not present in the provided data. The victim is located in the United States, and the post is attributed to the Chaos group. No ransom amount is disclosed in the available data, and there is no explicit compromise date beyond the post timestamp. The metadata’s onion-service reference suggests an additional data channel or staging address may be cited by the attackers, consistent with typical ransomware leakage practices.