Kairos is a ransomware operator currently active on public leak sites. Darkfield has indexed 86 public victims claimed by this operator between November 13, 2024 and May 15, 2026.

Kairos is a recently emerged ransomware group, first observed in November 2024, that appears to be primarily financially motivated and has targeted approximately 75 victims across multiple sectors and countries. Its origin and potential affiliations remain unclear because established threat intelligence sources have published little about it, and it is unknown whether the group operates under a Ransomware-as-a-Service model or as an independent entity.

Based on available targeting data, Kairos appears to focus primarily on English-speaking countries, including the United States, Australia, the United Kingdom, and Canada, with additional activity observed in Germany. Its sector targeting spans education, healthcare, agriculture and food production, and business services. Specific attack methodologies, initial access vectors, and encryption techniques have not been publicly documented by major security organizations.

Given the group's recent emergence in late 2024, there are no widely reported notable campaigns or high-profile incidents documented by CISA, the FBI, or established security research firms. As of current reporting, Kairos appears to remain active based on its recent first observation date, though major security organizations have not yet published comprehensive threat intelligence profiles because of the group's short operational history.

How we know this

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog; we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.