Ransomware Group: QILIN

VICTIM NAME: Berko İlaç Ve Ki̇mya San Aş

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

The ransomware leak page details an incident involving a manufacturing company based in Turkey. The victim, identified as Berko İlaç ve Kimya San. A.Ş., was compromised on May 22, 2025. The incident was discovered the following day, on May 23, 2025. This company operates within the pharmaceutical manufacturing sector and employs at least three staff members. The leak includes a screenshot of relevant data and information related to the incident is available through a designated URL, although specific details about the breach are limited for public viewing.

The leak appears to involve data exfiltration by the threat group named “qilin.” The data stolen includes information related to several third-party entities and the company’s internal operations. The information stealer tools identified include Lumma and StealC, and the compromised data may contain sensitive business information, although explicit details are not disclosed publicly. The leak page highlights the presence of downloadable data and screenshots indicative of internal documentation or data structures. No personal details of employees or PII are explicitly mentioned or shown in the leak, reflecting an effort to avoid exposing sensitive individual information.

The image associated with the leak displays a screenshot of the compromised data or internal system interface, which has been made publicly accessible on the dark web. Overall, the situation underscores a targeted cyberattack against a pharmaceutical manufacturer in Turkey, with data being marketed or held hostage by the threat actors. The public information emphasizes the potential impact on business operations and the exposure of confidential company data without revealing explicit sensitive details or PII of individuals involved.