{
	"id": "b8f9e55d-7a01-4b13-8542-df53dc1a5efc",
	"created_at": "2026-04-06T00:06:39.678795Z",
	"updated_at": "2026-04-10T03:31:48.98543Z",
	"deleted_at": null,
	"sha1_hash": "a49816232079dc184601cc09d88c5fe7f60c6229",
	"title": "An elephant in Kairos: data-leak site emerges for new extortion group - CYJAX",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2537481,
	"plain_text": "An elephant in Kairos: data-leak site emerges for new extortion group - CYJAX\r\nBy Roman Faithfull\r\nPublished: 2024-11-14 · Archived: 2026-04-05 19:09:25 UTC\r\nIt is nearing 2025, and data-leak sites (DLSs) for extortion groups continue to emerge. November 2024 continues this trend, with Cyjax observing the thirteenth new extortion-group DLS to materialise in recent months, this one belonging to a group calling itself “Kairos”. At the time of writing, Kairos has claimed attacks against six victims, two of which acknowledged significant data breaches earlier in 2024. However, it is unclear whether these are related.\r\nRead on to find out what Cyjax knows so far about this new player in the extortion group ecosystem.\r\nFigure 1. Kairos DLS landing page, displaying a list of organisations the group claims to have attacked.\r\nhttps://www.cyjax.com/resources/blog/an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group/\r\nPage 1 of 7\r\nContext\r\nExtortion groups commonly use DLSs to apply further pressure on victims, typically proceeding in multiple stages. The first threat is that the victim’s name and news of a successful attack against it will be published on the extortion group’s website. Should this fail to motivate the victim to pay a ransom, the group’s next step is typically to provide proof of the successful theft of its data, such as screenshots of internal file trees, samples of employee or customer PII, or other sensitive documents. The group may add a countdown at this stage, noting that should the victim fail to pay before it expires, it will make all stolen data available to DLS visitors, either for free or at a price.\r\nHistory and Victimology\r\nThe Kairos DLS emerged on or around 13 November 2024 and has so far claimed attacks against six organisations, with a focus on the US and the healthcare sector. 
These are:\r\nUS-based The Physical Medicine and Rehabilitation Center.\r\nTaiwan-based Formosa Certified Public Accountants.\r\nUS-based Clay Platte Family Medicine Clinic.\r\nUS-based Ask Your Accountant Accounting \u0026 Advisory Services.\r\nUS-based healthcare services provider Sunshine Center.\r\nUS-based Kansas Regenerative Medicine Center.\r\nNone of these organisations has released a public statement since being named on Kairos’ DLS. However, it is notable that Clay Platte Family Medicine and The Physical Medicine and Rehabilitation Center disclosed significant data breaches in 2024, which occurred in June and July respectively. Neither organisation identified its attackers in those disclosures. Should Kairos’ claims of compromise be legitimate, it is unclear whether its attacks occurred independently, stemmed from information exposed during these summer 2024 breaches, or are one and the same.\r\nIt is notable that Kairos targeted a Taiwan-based organisation. Cyjax recently observed a large increase in advertisements for initial access to Taiwanese organisations on cybercriminal forums, the details of which can be found in our whitepaper on the 2024 Q3 initial access broker (IAB) market.\r\nFigure 2. Kairos victim post for Formosa Certified Public Accountants\r\nIt is realistically possible that Kairos has successfully attacked other organisations that paid when a ransom was first demanded. Such victims would not have been named on the site and are not known to the public. However, Cyjax cannot confirm this.\r\nThe Kairos DLS\r\nThe group’s Tor-hosted DLS consists of three main pages:\r\nLanding page\r\nThe site’s landing page hosts a list of organisations which the group claims to have attacked. 
This includes a description of each victim, its logo, the likely date on which it was named on the site, the amount of data allegedly stolen, and a countdown for when “Signing is required”. This likely refers to the time after which the group will publish stolen data in full if the victim does not pay. Clicking on a victim’s logo leads to a dedicated page for each, providing a more detailed description of the organisation and sample images of allegedly stolen data. This data includes personally identifiable information (PII), as well as legal, fiscal, and medical documents.\r\nThere is an interesting discrepancy between the dates displayed on the site. On the landing page, each victim post displays 13 November 2024, seemingly indicating the date on which these victims were named on the DLS. However, the individual victim pages give earlier dates. Of these, Sunny Days, Inc. is listed with the earliest, 16 October 2024; other victim pages list 5 and 11 November 2024. As such, these dates may instead refer to when Kairos first compromised each victim.\r\nFigure 3. Kairos victim post for Sunny Days, Inc listing the 16 October 2024 date.\r\nRules page\r\nThe DLS hosts a “Rules” page, which provides insights into the group’s operation and motivation. Kairos is apparently purely financially motivated, demanding payment in exchange for the safe return of stolen files and a promise not to leak them publicly. By way of proof of exfiltration, the group offers to send the victim five stolen files of their choosing from a list of those that do not contain “critical” information.\r\nThe rules stipulate that victims must make payment in Bitcoin and have 7 days to comply. 
Though the specific monetary amounts the group demands are not public, it claims that the price depends on the victim’s “income, expenses, documents, and reports” and is non-negotiable. However, a 20% discount is offered to those who pay within 5 days of the initial demand. Kairos promises to delete stolen files within 24 hours of receiving a ransom payment. It also claims to provide paying victims with a “security report with recommendations”.\r\nFigure 4. Kairos Rules page detailing ransom payment and file deletion\r\nToken page\r\nThirdly, the site has a page with a Token input box. Presumably, victims receive a unique token in the Kairos ransom note, which they can use to reach a non-public part of the DLS and initiate communication with the group.\r\nData-leak only\r\nThe rules page notes the group provides “Guidelines for Responding to Data Exfiltration and Extortion Demands Understanding the Situation”. Given the lack of any reference to encryption in the group’s rules, Cyjax does not believe Kairos operates as a ransomware operation at this time. The group writes that it has conducted a “thorough investigation” of its victims’ networks and downloaded all “confidential, private, proprietary, legal, financial, and compromising information” belonging to their customers and employees, and demands payment for the “secure deletion” of this data. The group threatens that should victims not pay, it will make their stolen data publicly available to visitors of the DLS.\r\nFigure 5. Kairos Rules page detailing “Guidelines for Responding to Data Exfiltration and Extortion Demands Understanding the Situation”.\r\nTactics, techniques, and procedures (TTPs)\r\nDue to the group’s recent emergence, no publicly available information exists about its TTPs, including how Kairos gains initial access to organisations or how it exfiltrates data. However, phishing and scanning for exposed internet-facing devices are common techniques used by extortion groups. Many are also known to purchase initial access from IABs on cybercriminal forums.\r\nAssociations\r\nKairos is not known to be associated with any other known threat group at the time of writing. However, a user of a prominent ransomware-focused Russian-language cybercriminal forum has indicated that they use the nickname “kairos” on the encrypted messaging platform Tox. This user, active on the forum since December 2023, has made several forum contributions, including sharing a guide to their custom post-exploitation script, “DarkSilent”, in September 2024. Their profile indicates that they are also active on other gated Russian-language cybercriminal forums.\r\nFigure 6. Cybercriminal forum user claims to use “Kairos” nickname on Tox.\r\nNot enough information exists to confidently attribute the forum user to the Kairos extortion group at this time. However, should the two indeed be one and the same entity, the DarkSilent guide would provide detailed insight into the group’s TTPs.\r\nFigure 7. Potential alias for Kairos sharing script for post-exploitation on a cybercriminal forum.\r\nThreat assessment\r\nKairos has claimed attacks against a small number of medium-sized businesses, mostly in the vulnerable healthcare sector. 
At least two of these victims publicly confirmed data breaches earlier this year, though it is as yet unclear whether these are related to Kairos’ operations. The group operates a well-functioning DLS. There are no known concrete TTPs associated with the group at this time, and so it is unclear how technically capable it is.\r\nTo access our full intelligence repository containing detailed profiles like this one, covering extortion groups, advanced persistent threat (APT) groups, data brokers, hacktivists, initial access brokers, and more, take a test drive of Cymon.\r\nSource: https://www.cyjax.com/resources/blog/an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyjax.com/resources/blog/an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group/"
	],
	"report_names": [
		"an-elephant-in-kairos-data-leak-site-emerges-for-new-extortion-group"
	],
	"threat_actors": [
		{
			"id": "fbc8fca3-a0bd-4148-99cf-9e6bae3a6f45",
			"created_at": "2024-11-16T02:00:03.816535Z",
			"updated_at": "2026-04-10T02:00:03.775543Z",
			"deleted_at": null,
			"main_name": "Kairos",
			"aliases": [],
			"source_name": "MISPGALAXY:Kairos",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433999,
	"ts_updated_at": 1775791908,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a49816232079dc184601cc09d88c5fe7f60c6229.pdf",
		"text": "https://archive.orkl.eu/a49816232079dc184601cc09d88c5fe7f60c6229.txt",
		"img": "https://archive.orkl.eu/a49816232079dc184601cc09d88c5fe7f60c6229.jpg"
	}
}