Ransomware Group: QILIN

VICTIM NAME: kecymetals[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On October 4, 2025, a leak page associated with the victim domain kecymetals[.]com emerged from a ransomware actor group identified as qilin. The page frames the incident as a ransomware data-leak notification and provides a claim URL for verification. The victim is described as a United States–based manufacturing organization. The post includes a gallery of 32 images that appear to be screenshots or copies of internal documents or related materials intended to substantiate the breach. Because no explicit compromise date is provided in the data, October 4, 2025, is treated as the post date for the event.

The body excerpt on the page references contact channels and data-exfiltration details, including a Jabber contact line and an FTP datashare reference. In the dataset, actual email addresses and login credentials are redacted, with placeholders such as [REDACTED_EMAIL] shown in place of sensitive information. The presence of an FTP path strongly suggests data exfiltration activity or a means to distribute stolen material, though the provided excerpt does not disclose an explicit ransom amount. The 32 image attachments are not described in detail within the excerpt, but their inclusion indicates a concerted effort to present internal materials as evidence of the breach, consistent with data-leak rather than encryption-only narratives.

Overall, the leak page centers on the victim domain kecymetals[.]com within the United States manufacturing sector. No compromise date beyond the post date is stated in the data, and no ransom figure is given in the excerpt. The page also preserves non-user identifiers by redacting emails and credentials while listing a potential contact channel and a claim URL, aligning with standard ransomware-leak practices that pressure disclosure or payment without exposing specific contact details in the public summary.