Key Points
- KillSec began public activity on Telegram in October 2023 and expanded into a public-facing Ransomware-as-a-Service (RaaS) offering by June 2024.
- The group markets illicit services: unauthorized penetration testing, OSINT for malicious use, and a Ransomware-as-a-Service affiliate program.
- Approximately 20% of reported targets are in the healthcare sector; finance and government are also primary targets.
- Geographic focus includes India (≈29.6% of alleged victims), the USA (≈9.1%), and Bangladesh (≈6.8%), with the rest spread across Asia and other regions.
- The affiliate program requires English or Russian communication and on paper prohibits attacks on critical infrastructure, yet observed activity shows medical organizations were targeted.
- RaaS details: an advertised C++ locker, Tor-accessible control panel, $250 entry fee for “trusted” affiliates, and a 12% commission on payments.
MITRE Techniques
- [T1650] Acquire Access – Gaining unauthorized access to systems or data. Quote: (‘Gaining unauthorized access to systems or data.’)
- [T1078] Valid Accounts – Using legitimate credentials to access networks and services. Quote: (‘Utilizing valid accounts to access systems.’)
- [T1102] Web Service – Leveraging web services (including Tor panels) to manage or control operations. Quote: (‘Exploiting web services for malicious activities.’)
- [T1021] Remote Services – Using remote access mechanisms to maintain presence on victim systems. Quote: (‘Leveraging remote services to maintain access.’)
- [T1059] Command and Scripting Interpreter – Executing commands and scripts on compromised hosts. Quote: (‘Using command-line interfaces for execution of commands.’)
- [T1120] Peripheral Device Discovery – Enumerating connected devices on compromised systems. Quote: (‘Identifying peripheral devices connected to systems.’)
- [T1083] File and Directory Discovery – Searching file systems for valuable files and directories. Quote: (‘Searching for files and directories on systems.’)
- [T1213] Data from Information Repositories – Extracting data from databases or centralized repositories. Quote: (‘Extracting data from repositories.’)
- [T1005] Data from Local System – Accessing locally stored files and information on victims’ machines. Quote: (‘Accessing data stored on local systems.’)
Indicators of Compromise
- [Domain] Source and hosting context – socradar.io (article and image hosting) and killsec website (mentioned, no public URL)
- [Image filenames] Illustrative content hosted on site – killsec-first-telegram-message.png.webp, killsec-raas.png.webp (used as figures in the report)
- [Platform] Communication/control channels – KillSec Telegram channel (first public message Oct 2023), Tor-accessible RaaS control panel (no .onion provided)
- [Victim names] Alleged targets – Ping An, Yassir (listed as high-profile alleged victims)
————
KillSec emerged publicly in October 2023 and quickly evolved from recruiting talent on Telegram to offering a suite of illicit services that include unauthorized “penetration testing,” OSINT for malicious ends, and a RaaS affiliate program. The group presents a user-friendly Tor-based control panel for affiliates, advertises a C++ locker, and sets participation terms that require English or Russian communication while charging a $250 entry fee and taking a 12% cut of ransom payments.
Their activity profile shows a pronounced focus on healthcare (about 20% of alleged victims), followed by finance and government sectors, and a geographic concentration in India and other Asian countries. Although KillSec’s affiliate rules claim to prohibit attacks on critical infrastructure, observed behavior indicates the group or its affiliates have still targeted healthcare organizations, highlighting a gap between stated policies and real-world actions.
Operationally, the actor uses common intrusion and data-exfiltration techniques—valid account abuse, remote services, command execution, and repository/local-data theft—and runs a recruitment model aimed at scaling impact through affiliates. While the group’s posts emphasize extortion and alleged victim disclosures rather than detailed technical encryption methods so far, their expanding toolset (stresser, stealer, phone features) suggests broadened capabilities beyond simple extortion.