Ransomware Group: QILIN

VICTIM NAME: smefazur[.]fr

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

SMEF AZUR, a French company operating in climate engineering with services including refrigeration, air conditioning, and related multi-functional building services, is identified as the victim on the leak page analyzed. The entry is attributed to the ransomware group Qilin and is dated August 13, 2025. The page frames the incident as a data-leak rather than encryption, claiming that attackers gained access to SMEF AZUR’s network and exfiltrated sensitive documents. The materials described are said to include detailed drawings and plans of construction projects the company has completed, suggesting potential exposure of technical designs and project specifics. The post also asserts that a broader data set includes financial information such as contracts, budgets, and banking details, and mentions a publicly accessible list of bank accounts containing personal identifiers. A gallery of 14 screenshots or images is provided to illustrate the claimed data theft, along with a claim URL on the page; however, no ransom amount is disclosed on the page.

From a risk and content perspective, the page translates into a data-leak claim rather than a data-encrypt event, with the post presenting internal drawings, project documentation, and financial records as evidence. The leak pages’ images are intended as thumbnails or previews of the asserted data; there are 14 image attachments in total. PII and sensitive contact details referenced in the surrounding text are redacted in the sanitized version, and the post does not provide a specific compromise date beyond the published date. The page includes a claim URL, indicating a mechanism for readers to verify or pursue further evidence, but does not specify any ransom figure or payment demand on the page itself.