Inside KillSec: Infrastructure Mapping and RaaS Operations with StealthMole
By early 2024, KillSec had moved beyond noisy digital vandalism and into something far more organized: a ransomware-as-a-service operation leaving real-world victims across healthcare, real estate, and beyond. Once dismissed as just another hacktivist collective, KillSec began to distinguish itself through a combination of darknet infrastructure, Telegram-based support channels, and a polished RaaS panel designed for affiliates.
What sets KillSec apart is not just the number of its victims (more than two hundred within a short window) but the way the group markets itself, recruits partners, and manages negotiations. From promoting ESXi-targeting capabilities to announcing “partner sessions” tied to other criminal groups, KillSec presents itself less as a rogue gang and more as a growing ransomware brand.
Through StealthMole’s monitoring and tracking capabilities, we mapped KillSec’s ecosystem, from its Tor leak portal and support channels to its cryptocurrency payment paths and affiliate collaborations. This investigation shows how a once low-profile actor built a sprawling infrastructure that blends propaganda, technical sophistication, and organized monetization.
The sections ahead break down this transformation: how KillSec communicates, where its infrastructure resides, and what its partnerships reveal about the future of RaaS.
Incident Trigger & Initial Investigation
On 16 September 2025, StealthMole’s ransomware monitoring module flagged a new victim announcement by KillSec: Allure Clinics, a healthcare provider based in Saudi Arabia. The breach was more than just another entry on KillSec’s leak portal: it was a rare strike inside Saudi Arabia. Unlike North America or Europe, where ransomware incidents have become routine, the Middle East has seen comparatively fewer cases. In fact, StealthMole’s records show that since 2019, only 68 Saudi organizations have been targeted by ransomware, making Allure Clinics a statistical outlier and a high-value signal for closer analysis.
The investigation began with KillSec’s primary Tor-based blog, where victim announcements are routinely published:
http://ks**************************************************id.onion/
From there, StealthMole tracking revealed a secondary onion service linked to the same operation: a site described in underground chatter as a supporting file server. These two portals formed the backbone of KillSec’s visible infrastructure at the time of the Allure breach.
http://xo***************************************************d.onion/
What began with a healthcare provider in Riyadh unfolded into a map of KillSec’s wider infrastructure, revealing how the group maintains persistence across darknet services, messaging platforms, and payment channels. The Allure case illustrates both the group’s expanding geographic footprint and the value of StealthMole’s visibility in exposing ransomware ecosystems that might otherwise remain hidden.
Actor Identity & Evolution
KillSec, also referred to as Kill Security, first surfaced in underground spaces around 2023, presenting itself with the trappings of a hacktivist collective. Early activity bore the hallmarks of defacements and noisy propaganda rather than financially motivated cybercrime. At this stage, KillSec appeared less threatening, blending into the crowded landscape of groups using anti-establishment rhetoric for clout.
By early 2024, however, the group had undergone a notable shift. Instead of isolated vandalism, KillSec began operating as a Ransomware-as-a-Service (RaaS) syndicate, complete with a structured leak portal, negotiation framework, and affiliate outreach. Within months, victim counts accelerated, culminating in more than 230 confirmed breaches between March 2024 and September 2025.
Part of KillSec’s distinct identity lies in how it communicates and markets itself. Telegram channels linked to the group promote features of its locker, announce ESXi-targeting capabilities, and highlight the presence of “partner sessions” — including one tied to the group Abyss. KillSec further emphasizes its professionalism through a RaaS panel offering affiliate onboarding, revenue sharing, and real-time support, echoing the commercialized structure of more established ransomware brands.
What emerges is an actor that combines propaganda and theatrics with disciplined infrastructure management. KillSec projects chaos in its messaging but demonstrates a consistent strategy in its technical and organizational design. This duality (spectacle on the surface, structure underneath) has allowed the group to scale quickly, grow a victim list across multiple sectors, and position itself as a contender in the crowded ransomware ecosystem.
Infrastructure Mapping
KillSec’s infrastructure demonstrates the hallmarks of a group intent on professionalizing its operations. The leak portal may serve as the anchor, but it is the surrounding ecosystem that brings resilience and reach. Over the course of our investigation, this ecosystem revealed itself as layered: hosting for leaks, communication hubs for outreach and negotiation, and auxiliary services that point to a federation of affiliates rather than a single actor.
Telegram occupies a central place in this design. At least three channels have been identified carrying KillSec branding or activity: t.me/k*****c, t.me/k***k, and t.me/ki****c, alongside the dedicated support handle @fa******g. These channels serve multiple purposes: pushing announcements when the leak portal is updated, advertising features of the ransomware itself, and guiding affiliates or victims toward support. In some posts, the group explicitly acknowledges channel migrations (“old got banned”), highlighting an awareness of takedowns and the need to maintain continuity through backup spaces.
The content of these channels underscores KillSec’s attempt to present itself as more than a lone operator. Promotional posts advertise ESXi-targeting capabilities and automated decrypt features, while pinned notes direct users to official contact points. Notably, the support handle KillSec S***p (@fa******g) has been observed not only in public messages but also in ransom-related artifacts, suggesting it is part of the core negotiation infrastructure. The overlap between identifiers on the portal and those appearing in Telegram channels strengthens the view that these comms are integrated into the operation rather than peripheral chatter.
Equally significant is the emergence of “partner sessions” announced through Telegram. In December 2023, one such session was labeled as “KillSec x Abyss”, explicitly marking an affiliate or partner relationship. This kind of announcement signals an embrace of the RaaS model: KillSec is positioning itself as a platform where other groups can operate under its banner. For investigators, these partner references provide rare visibility into the networked nature of the ecosystem, showing how KillSec extends its reach by opening its infrastructure to others.
Together, these elements form an infrastructure that is not improvised but engineered for persistence. Telegram channels extend KillSec’s brand, support handles anchor its negotiation process, and partner sessions reveal a strategy of scaling through collaboration. Rather than a noisy actor relying on a single leak blog, KillSec has built an interlocking system where each component, from portals to channels to affiliates, reinforces the others.
RaaS Features & Panel
KillSec’s evolution into a Ransomware-as-a-Service operation is most clearly reflected in its affiliate-facing infrastructure. Screenshots of the group’s control panel reveal a dashboard environment where affiliates can track launches, negotiations, and balances: evidence that KillSec is not simply publishing victims, but providing a structured environment for others to operate under its umbrella. The presence of a balance ledger and finalized negotiation counters signals a revenue-sharing system designed to incentivize affiliates while centralizing control in KillSec’s hands.
The design of this panel points to a deliberate professionalization. Affiliates are not left to operate in the dark; instead, they are given a framework that mirrors legitimate software-as-a-service products. Metrics such as successful negotiations and ongoing campaigns are visible at a glance, allowing affiliates to measure performance. This not only strengthens KillSec’s appeal but also positions it as a competitor to established RaaS brands that have long relied on affiliate ecosystems to drive scale.
A defining feature of KillSec’s offering is its focus on ESXi environments. Posts on affiliated channels promote the ransomware’s ability to target virtualization hosts, a capability that has become increasingly sought after in the criminal marketplace. By advertising ESXi support, KillSec signals to affiliates that it can deliver high-impact disruptions, particularly against enterprises running virtualized infrastructure. This technical marketing serves a dual purpose: attracting affiliates seeking advanced tooling and amplifying the group’s reputation as a serious player in the RaaS ecosystem.
The embrace of a partner model further illustrates this trajectory. The announcement of a “Partner Session” with a group known as Abyss demonstrates KillSec’s willingness to brand joint operations, lending visibility to affiliates while consolidating them under its infrastructure. This type of arrangement blurs the line between operator and platform: KillSec acts simultaneously as a brand, a service provider, and a broker of criminal collaborations.
What emerges is a portrait of KillSec as a group consciously building a RaaS identity. The panel provides the operational backbone for affiliates, the ESXi locker represents a technical differentiator, and the partner sessions underscore a willingness to scale through collaboration. These elements together elevate KillSec from a marginal hacktivist offshoot to a fully-fledged ransomware platform competing in an increasingly crowded criminal marketplace.
Payment & Negotiation Infrastructure
Beneath the surface of KillSec’s public-facing operations lies the layer where extortion becomes monetization: the payment and negotiation infrastructure. Unlike opportunistic leak groups, KillSec has invested in building a system that channels victims through controlled contact points and enforces its preferred payment model.
Central to this process are the session identifiers observed in portal pages and ransom-related artifacts. These long alphanumeric strings serve as unique markers, linking a specific victim to their negotiation thread. By issuing distinct sessions, KillSec can separate affiliate-led campaigns, monitor activity, and ensure that payments are correctly attributed. In practice, this turns the ransom process into a managed pipeline, where both the victim and the affiliate are bound back to KillSec’s infrastructure.
05**************************************************************19
056a***********************************************************136
05cb************************************************************07
The group pairs these identifiers with encrypted communication channels. A persistent TOX ID has been advertised as a negotiation contact, providing a secure peer-to-peer route for victims unwilling to rely on Telegram. In parallel, the support handle KillSec Supp (@fa*****g) appears across ransom notes and chat captures, reinforcing Telegram as the public entry point for negotiation. The recurrence of these identifiers across multiple mediums (portal pages, Telegram posts, and ransom notes) suggests that they are not opportunistic aliases but integral components of KillSec’s extortion workflow.
On the financial side, KillSec demonstrates a clear preference for Monero as its payment currency. A wallet address captured in related Telegram chatter illustrates this, consistent with the group’s emphasis on privacy-preserving transactions. While a Bitcoin address was also observed in connection with KillSec-tagged content, context indicates it may belong to opportunistic scammers rather than the group itself. This distinction highlights KillSec’s attempt to avoid traceable financial flows and aligns it with other professionalized RaaS operations that increasingly favor Monero.
4*******************************************************************j
Taken together, the identifiers, support handles, and Monero addresses form a tightly interlinked negotiation system. Victims are funneled from public announcements into session-based channels, pushed toward encrypted communication, and ultimately directed to privacy-centric payments. For affiliates, this ensures revenue is accounted for; for KillSec, it ensures control over every step of the extortion lifecycle.
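As an added illustration of the cross-medium recurrence described in this section (this is example code, not part of the original report or StealthMole’s tooling), the following Python script extracts identifier shapes from constructed portal, Telegram and ransom-note artifacts and reports which ones recur in more than one medium. The 64-hex-character session-id shape and every sample value are assumptions; none of them are real indicators.

```python
import re
from collections import defaultdict

# Identifier shapes: v3 onion hostnames (56 base32 chars), Telegram handles,
# Tox IDs (76 hex chars) and Monero primary addresses (95 base58 chars
# starting with "4"). The 64-hex-char session-id shape is an assumption;
# the report masks the real KillSec values.
PATTERNS = {
    "onion_v3": re.compile(r"\b[a-z2-7]{56}\.onion\b"),
    "telegram": re.compile(r"(?<!\w)@[A-Za-z][A-Za-z0-9_]{4,31}\b"),
    "tox_id": re.compile(r"\b[0-9A-Fa-f]{76}\b"),
    "monero": re.compile(r"\b4[1-9A-HJ-NP-Za-km-z]{94}\b"),
    "session_id": re.compile(r"\b[0-9a-f]{64}\b"),
}

def extract(text):
    """Return the set of (kind, value) identifiers found in one artifact."""
    return {(kind, m.group(0)) for kind, rx in PATTERNS.items()
            for m in rx.finditer(text)}

def cross_medium(artifacts, min_media=2):
    """artifacts: iterable of (medium, text). Return {(kind, value): media}
    for identifiers seen in at least min_media distinct media; these are the
    ones the report treats as integral to the extortion workflow."""
    seen = defaultdict(set)
    for medium, text in artifacts:
        for ident in extract(text):
            seen[ident].add(medium)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_media}

# Constructed sample values and artifacts; none of these are real indicators.
XMR = "4" + ("ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz123456789" * 2)[:94]
TOX = "AB" * 38
SESSION = "05" + "ab" * 30 + "19"
ONION = "ks" + "a" * 52 + "id.onion"
ARTIFACTS = [
    ("portal", f"Leak portal http://{ONION}/ victim session {SESSION}"),
    ("telegram", f"Support: @example_supp_handle (old got banned). XMR only: {XMR}"),
    ("ransom_note", f"Contact @example_supp_handle or Tox {TOX}. Your id: {SESSION}"),
    ("ransom_note", f"Pay {XMR}"),
]

if __name__ == "__main__":
    for (kind, value), media in sorted(cross_medium(ARTIFACTS).items()):
        print(f"{kind:11} {value[:16]}... seen in {', '.join(media)}")
```

Identifiers that appear in only one medium (here the Tox ID and the onion hostname) are still extracted but not reported, which mirrors the report’s distinction between opportunistic aliases and integral contact points.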
Conclusion
KillSec’s trajectory from a fringe hacktivist collective to a structured ransomware platform encapsulates the shifting dynamics of the cybercriminal ecosystem. In little more than a year, the group has built out an infrastructure that mirrors established syndicates: a branded leak portal, layered communication channels, a RaaS control panel, and payment systems designed to minimize traceability. Along the way, it has recruited affiliates, experimented with partner branding, and extended its victim list beyond traditional hotspots into regions like the Gulf.
What began with a single Saudi healthcare breach unfolded into a broader picture of a group that is not improvising but building deliberately. KillSec’s reliance on redundancy, affiliate engagement, and privacy-centric payment methods illustrates the professionalization of ransomware at even the mid-tier level. For observers, the case demonstrates how quickly new actors can scale when they adopt service models and infrastructure patterns proven by their predecessors.
In mapping KillSec’s ecosystem with StealthMole, what emerges is not just a snapshot of one group but a reflection of the broader ransomware landscape: fragmented in appearance, but increasingly structured in practice. KillSec’s evolution underscores the reality that today’s “newcomers” are capable of reaching maturity at a pace that once took years and, in doing so, of reshaping the threat environment for both defenders and investigators.
Editorial Note
While every effort has been made to ensure the accuracy of this report, it is important to acknowledge that attribution in cyber investigations is rarely absolute. The connections drawn here are based on a combination of open-source intelligence and data sourced through StealthMole’s platform. As such, all findings should be viewed as probabilistic assessments, subject to change as new evidence emerges.
Beyond attribution, this report aims to highlight how StealthMole’s integrated toolkit, including the Dark Web Tracker, Telegram Tracker, Combo/ULP Binder, and Compromised Data Set, enables intuitive and efficient threat actor profiling. By correlating aliases, infrastructure, and behavior across fragmented ecosystems, the platform empowers analysts to transform raw signals into actionable intelligence.