Ransomware Group: SPACEBEARS

VICTIM NAME: Acuna Fombona (AFOM)

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the SPACEBEARS Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

Acuna Fombona (AFOM) is identified as the victim in a ransomware leak post attributed to the Spacebears group. AFOM is an Asturian distributor of surgical products based in Spain, with about 50 years of operation serving Spain and Portugal and covering medical specialties such as spinal surgery, traumatology, neurosurgery, thoracic surgery, maxillofacial surgery, ophthalmology, plastic surgery, and ENT. The leak page, dated 2025-10-02, presents AFOM as a data-leak victim rather than a purely encrypted incident and claims that sensitive material, including personal information of employees and clients and financial documents, has been exfiltrated. The page provides one download link for the leaked data and includes three images that are described as screenshots of internal documents, intended to corroborate the breach. The listing notes roughly 360 views on the post.

The leak page emphasizes AFOM’s long-standing role in the regional medical supply ecosystem and highlights the breadth of its operations by listing the medical specialties it serves. It also references a prior download in 2024, and, while it does not publicly disclose a ransom amount on the page, the presentation aligns with common data-leak narratives where data may be released or offered for sale. The post includes three image attachments and a single downloadable file, all presented in a neutral, data-exfiltration context. No explicit ransom demand is shown in the excerpt, and the content is framed as a data-leak rather than a straightforward encryption event.