[QILIN] – Ransomware Victim: DAOR E&C Co[.], Ltd


Ransomware Group: QILIN

VICTIM NAME: DAOR E&C Co[.], Ltd

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

DAOR E&C Co., Ltd, a South Korean construction company specializing in concrete structures such as bridges, LNG tanks, tunnels, and heavy lifting facilities, is named as the victim on a ransomware leak page associated with the group QILIN. The post is dated August 20, 2025, and presents itself as a data-leak notice rather than a simple encryption incident. The leak page claims that sensitive internal information has been exfiltrated and will be made available publicly or through download, aligning with common double-extortion ransomware patterns. In this framing, the post describes the event as a data leak with the intent to disclose confidential material from the company’s systems.

The leak page asserts that more than 400 GB of internal DAOR E&C Co., Ltd data has been prepared for public release. The materials are said to include plans and drawings for numerous projects, as well as purportedly comprehensive personal data for every employee, including senior management and the CEO. The post indicates that personal details such as names, home addresses, phone numbers, emails, and bank accounts are present within the leaked data. The published content is described as containing schematics for projects like bridges, tunnels, and LNG tanks, which the page characterizes as highly sensitive and, in some contexts, strategically valuable. The leak also features 14 image attachments—described generically as internal documents and project schematics—though no direct image links are provided in this summary. For safety, any contact or account details cited in the excerpt have been redacted in this summary.

Regarding the post’s contact and credential references, the excerpt includes a line intended as a point of contact and technical identifiers, but such details are sanitized here (e.g., an email address is redacted). The page notes there is a claim URL present, which would typically direct readers to the leaker’s post or data—but no actual downloadable files are shown within the leak page itself. No explicit ransom amount or deadline is stated within the visible text, and the published metadata does not reveal a separate compromise date beyond the post date of August 20, 2025. Overall, the information presented portrays a data-leak scenario rather than a straightforward encryption event, with the attackers signaling potential public release of materials in a manner consistent with double-extortion tactics.

