Skip to main content

Operator dossier

Kairos is a ransomware operator currently active on public leak sites. Darkfield has indexed 88 public victims claimed by this operator between November 13, 2024 and June 1, 2026. Kairos is a recently emerged ransomware group first observed in November 2024 that appears to be primarily financially motivated, having targeted approximately 75 victims across multiple sectors and countries. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, and it is unknown whether they operate as a Ransomware-as-a-Service model or as an independent entity. Based on available targeting data, Kairos appears to focus their operations primarily on English-speaking countries including the United States, Australia, United Kingdom, and Canada, with additional activity observed in Germany, while their sector targeting spans education, healthcare, agriculture and food production, and business services, though specific attack methodologies, initial access vectors, and encryption techniques have not been publicly documented by major security organizations. Given the group's recent emergence in late 2024, there are no widely reported notable campaigns or high-profile incidents documented by CISA, FBI, or established security research firms. As of current reporting, Kairos appears to remain active based on their recent first observation date, though comprehensive threat intelligence profiles from major security organizations have not yet been published due to the group's nascent operational timeline.

Most-targeted sectors

Most-affected countries

Recent disclosures by Kairos

All 88 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Kairos

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Kairos

88 victims indexed · first seen 2 years ago · last activity 1 month ago

88
Victims indexed
#80 of 364 tracked operators
1y 7m
Active period
Nov 2024 → Jun 2026
20
Countries hit
top United States · 45

At a glance

Status
active
First seen
2 years ago
Last activity
1 month ago
Onion sites
2 known endpoints
Primary sector
Not Found · 27 hits

About

Kairos is a recently emerged ransomware group first observed in November 2024 that appears to be primarily financially motivated, having targeted approximately 75 victims across multiple sectors and countries. The group's origin and potential affiliations remain unclear due to limited public documentation from established threat intelligence sources, and it is unknown whether they operate as a Ransomware-as-a-Service model or as an independent entity. Based on available targeting data, Kairos appears to focus their operations primarily on English-speaking countries including the United States, Australia, United Kingdom, and Canada, with additional activity observed in Germany, while their sector targeting spans education, healthcare, agriculture and food production, and business services, though specific attack methodologies, initial access vectors, and encryption techniques have not been publicly documented by major security organizations. Given the group's recent emergence in late 2024, there are no widely reported notable campaigns or high-profile incidents documented by CISA, FBI, or established security research firms. As of current reporting, Kairos appears to remain active based on their recent first observation date, though comprehensive threat intelligence profiles from major security organizations have not yet been published due to the group's nascent operational timeline.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

18 months
2024-11-01T00:00:00+00:00 · 82024-12-01T00:00:00+00:00 · 62025-01-01T00:00:00+00:00 · 62025-02-01T00:00:00+00:00 · 52025-03-01T00:00:00+00:00 · 42025-04-01T00:00:00+00:00 · 52025-05-01T00:00:00+00:00 · 32025-06-01T00:00:00+00:00 · 62025-07-01T00:00:00+00:00 · 32025-08-01T00:00:00+00:00 · 32025-09-01T00:00:00+00:00 · 42025-10-01T00:00:00+00:00 · 42025-12-01T00:00:00+00:00 · 102026-02-01T00:00:00+00:00 · 42026-03-01T00:00:00+00:00 · 42026-04-01T00:00:00+00:00 · 72026-05-01T00:00:00+00:00 · 52026-06-01T00:00:00+00:00 · 1
2024-11-01T00:00:00+00:002026-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
45
🇦🇺 Australia
8
🇬🇧 United Kingdom
7
🇺🇸 United States
6
🇦🇺 Australia
3
🇨🇦 Canada
3
🇩🇪 Germany
2
🇸🇰 Slovakia
2

Top sectors

Healthcare
11
Education
10
Business Services
7
Public Sector
5
Consumer Services
5
Agriculture and Food Production
4
Manufacturing
4
Financial
3

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1204User Execution
  • T1027Obfuscated Files or Information
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://nerqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion
  • http://nerqnacjmdy3obvevyol7qhazkwkv57dwqvye5v46k5bcujtfa6sduad.onion/

Source

Updated 1 month ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Kairos posts a victim.

Add Kairos to your watchlist — Pro pings you within 5 minutes of any new Kairos leak-site post, Telegram callout, or affiliate-rebrand inference.