[QILIN] – Ransomware Victim: Corban OneSource


Ransomware Group: QILIN

VICTIM NAME: Corban OneSource

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

On October 3, 2025, Corban OneSource, a United States-based HR outsourcing provider offering payroll administration, employee benefits management, and HR support, was listed as a victim on a ransomware leak page attributed to the threat actor group QILIN. The post characterizes the incident as a data-leak event rather than a traditional encryption attack, asserting that internal information has been exfiltrated and will be made public. It stresses that the risk to client compliance is now at maximum, signaling a pressure tactic aimed at Corban OneSource and its customers. The page does not publish a specific ransom amount, and the post date aligns with the leak entry (October 3, 2025).

The leak page notes the presence of seven image attachments described generally as screenshots or thumbnails of internal documents, presented as evidence of the data access. While the exact contents of these images are not described in the summary, their inclusion is meant to corroborate the attackers’ claims. The page also references a claim URL and lists a contact mechanism that is redacted on the public page, alongside an FTP data-share entry that contains credentials. The narrative asserts that Corban OneSource’s data—including employee personal details and financial information—could be disclosed publicly, with the attackers indicating that additional data will be published soon.

As with many ransomware leak posts, these claims should be treated as unverified statements from the attackers. They underscore Corban OneSource’s HR outsourcing focus and the potential impact on client compliance, but independent verification should come from official communications by the victim and corroborating cyber threat intelligence. The post’s date, the seven attached images, and the stated intention to publish data align with a data-leak posture commonly used by such actors, rather than a confirmed encryption event or sustained service disruption.

