Ransomware Group: QILIN

VICTIM NAME: heparks[.]org

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On September 25, 2025, a leak page associated with heparks[.]org—an American public-sector domain—appears to be linked to the ransomware group Qilin. The page identifies the victim domain as heparks[.]org and frames the incident as a data-breach style event affecting a public sector organization in the United States. The post date is documented as September 25, 2025, and no separate compromise date is provided beyond the post date in the available data. The page notes a ransom- or data-claim URL is present and includes a contact channel; a Jabber handle is listed but the address is redacted for publication, and a TOX fingerprint is provided to identify the actor. A reference to an FTP-like entry with credentials appears in the excerpt, though these details are redacted in this sanitized summary, suggesting the attackers had access to internal data transfer points. Overall, the page presents a data-exfiltration narrative rather than a straightforward encryption event.

The leak page features eight image attachments, described in general terms as screenshots or internal documents. The image links are onion-hosted references, and in this sanitized rendering the specific URLs are defanged or not shown. While the exact content of these images is not disclosed in the excerpt, their presence typically serves to corroborate the breached data and to illustrate the scope of the exfiltration. The page centers on heparks[.]org as the affected entity, with other organization names mentioned in the surrounding text not the focus of this summary. The combination of an explicit claim path, redacted contact details, a fingerprint identifier, and multiple screenshots aligns with common ransomware leak-page patterns that accompany data-exfiltration claims in the threat landscape.