[QILIN] – Ransomware Victim: Double Oak Construction


NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

Ransomware group: QILIN
Victim name: DOUBLE OAK CONSTRUCTION

AI Generated Summary of the Ransomware Leak Page

On 2025-10-27 18:21:26.982480, Double Oak Construction, a United States-based company in the Construction sector, is listed as a ransomware leak victim on a post attributed to the threat group “qilin.” The post presents what appears to be a data-leak style claim, indicating that attackers gained access to the victim’s systems and exfiltrated data. Because no explicit compromise date is provided in the available metadata, the date shown is treated as the post date. The page includes a claim URL and references a data-share portal intended to provide access to exfiltrated materials, aligning with typical double-extortion ransomware behavior. The content centers on publicizing the breach rather than detailing a traditional encryption event in this excerpt.

The leak page contains three images presented as screenshots of internal materials. These images are hosted on a Tor onion domain (address defanged for this report). In addition to the imagery, the body excerpt references a long identifier labeled TOX and an FTP data-share entry, which together imply that a dataset exfiltrated from the network may be accessible via FTP; the exact address and credentials are redacted or defanged here. The page also notes the presence of a dedicated claim URL for readers to engage with the attackers’ post. The available evidence—image attachments, a TOX identifier, and an FTP data-share reference—supports a data-leak style operation rather than a straightforward encryption event, with the victim identified as being in the United States and operating in the Construction industry. There is no ransom amount published in the provided excerpt.
