[QILIN] – Ransomware Victim: www[.]greneker[.]com


Ransomware Group: QILIN

VICTIM NAME: www[.]greneker[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.


AI Generated Summary of the Ransomware Leak Page

The leak page is associated with the threat group QILIN and centers on www[.]greneker[.]com, a US-based manufacturer of mannequins for retail and entertainment venues. The post portrays Greneker as a ransomware victim and frames the incident as a data-leak event rather than solely an encryption action. It claims that internal data has been exfiltrated and may be released publicly or offered for sale, and it includes a claim URL intended to corroborate the post’s assertions. The date shown on the page is August 21, 2025; since a separate compromise date is not provided, this post date is treated as the publication date. The narrative places Greneker within a broader industry context and mentions concerns about offshore production and tariff pressures, while citing internal documents that allegedly reveal damaged or defective mannequins produced under complex supply chains. The text also employs sensational language about the business, which should be interpreted as part of the leak’s rhetoric rather than a factual industry assessment.

The leak page presents 11 images as part of its evidence (likely screenshots or visuals related to internal documents or product outcomes) without detailing their contents in the summary. It also includes lines that resemble contact handles and access credentials, though PII such as emails and credentials is redacted in the public view. A jabber handle and an FTP-like credential string appear in the text, but these items are obfuscated to protect sensitive information. A claim URL accompanies the post, reinforcing the data-leak narrative and its use of a public-facing channel to assert exfiltration. No explicit ransom amount is disclosed in the excerpt provided. Taken together, the page’s contents align with a ransomware data-leak scenario, while continuing to preserve the victim’s name and avoiding propagation of non-essential identifiers beyond what is necessary for attribution.

