Ransomware Group: QILIN

VICTIM NAME: waxhaw[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On September 25, 2025, waxhaw[.]com published a leak page identifying The Town of Waxhaw in North Carolina as the victim. The page appears to present a data-exfiltration post rather than a traditional encryption notice, and no explicit ransom amount is visible in the excerpt. The materials described are internal municipal records related to procurement and contracts for Waxhaw NC, with a focus on land rights acquisition services, map preparation, and related work for the Waxhaw-Marvin Road and Kensington Drive projects. The posted items are characterized as infrastructure project documents and administrative records, and the page notes that there are nine image attachments associated with these documents.

Beyond the procurement and infrastructure documents, the leak page enumerates additional artifacts, including a cybersecurity course completion certificate; internal supervisor incident reports concerning incidents involving Town of Waxhaw employees; Town of Waxhaw police reports for 2019–2025 covering property damage, injuries at a parade, medical assistance to a parade participant, a traffic accident involving a Town vehicle, and an officer-involved incident; a payroll audit for 2025; and an entry labeled “Passport.” The excerpt also references a jabber contact that is redacted, a TOX code, and an FTP credential pointing to a data-share host (the host address is present but defanged in this summary). The nine image attachments appear to be screenshots or thumbnails of internal documents; some image references originate from onion-hosted addresses, which are also defanged in this summary. The visible content indicates exposure of internal municipal information, with no explicit ransom amount stated in the post.