[OBSCURA] – Ransomware Victim: New Toyo International Holdings Ltd

AI Generated Summary of the Ransomware Leak Page

On November 1, 2025, a data-leak post surfaced alleging a ransomware incident targeting New Toyo International Holdings Ltd, a Singapore-based manufacturing company that provides specialty packaging materials to tobacco, food and beverage, wine, liquor, and cosmetics industries across Asia Pacific. The post is linked to a leak operation associated with the Obscura branding and claims roughly 2 GB of data has been exfiltrated. The leak status is listed as Pending, with a countdown showing about 6 days, 15 hours, 58 minutes, and 48 seconds remaining. A revenue figure of $221.7kk is shown, and a claim URL is indicated as present. The page states that the leaked data includes employee passports, including those of directors, along with tickets and hotel reservations. The post itself is textual and does not display visible screenshots or media, and metadata indicates there are no images or downloadable files attached to the post. There is no ransom amount disclosed on the page.

According to the body excerpt, New Toyo International Holdings Ltd is described as a long-standing regional provider of specialty packaging materials established in 1975. The company is said to operate two core divisions: Specialty Papers (producing laminated foil paper, coated paper, and metallised paper) and Printed Carton and Labels (focused on gravure and lithography or offset printing for packaging materials). The leak’s text notes a trading arm dealing with tobacco-packaging-related materials and a corrugated cartons production operation. The group is portrayed as having a manufacturing footprint across Singapore, Malaysia, Vietnam, Australia, and China to support customers in Asia Pacific and the Middle East, and it is described as serving international tobacco brands as well as local consumer companies. The narrative also mentions that New Toyo was listed on the Singapore Exchange on April 4, 1997. The leak explicitly states that the data set includes employee passports and related travel documents, while the page itself contains no images or media attachments.

From a threat-intelligence perspective, the page aligns with data-exfiltration/“data leak” patterns common in ransomware campaigns, where actors advertise stolen data and threaten public release. The absence of an explicit ransom figure or encryption claims in the posted text means the attack’s monetization details are not disclosed on the page. The presence of sensitive HR-related material—such as passports and travel records—heightens risk to employees and could enable identity misuse. The post is dated November 1, 2025, and there is no compromise date provided in the available data; the page shows a 2 GB leak size and a pending status with a countdown to the alleged data release. Security teams should monitor for potential follow-on disclosures, verify whether exfiltration occurred, and review HR data handling and access controls to mitigate possible impacts on personnel and operations.