[QILIN] – Ransomware Victim: moonsafari

Ransomware Group: QILIN

VICTIM NAME: moonsafari

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The leak page is associated with an entity operating under the alias “moonsafari,” which is primarily a multidisciplinary architecture and urban planning agency. The attack was publicly disclosed on July 24, 2025, with the information made available later that same day. The compromised website appears to be related to the domain “www.moonsafari.archi,” although specific details of the attack are limited. The ransomware group responsible is identified as “qilin.” The page includes a screenshot that depicts some form of internal data or documents, although explicit contents are not detailed in the available summary. Download links or evidence of data exfiltration are present, indicating that sensitive information may have been leaked or compromised. Due to the nature of the leak, the focus is on potential exposure of internal project details, though no personally identifiable information (PII) is explicitly revealed.

The attack date is recorded as July 24, 2025, with the discovery timestamp also occurring on the same day, suggesting a swift public disclosure. The description from the leak indicates that the targeted organization operates in a variety of sectors, including architecture, urban planning, and associated fields. The presence of visual evidence such as screenshots hints at internal documents or data, possibly related to ongoing projects or company operations. However, specific details regarding the actual content of the leaks were not provided. The leak page does not specify the attack’s impact beyond data exposure and does not include any PII, focusing instead on the fact that the data has been made publicly accessible by the threat group.

