Skip to main content

Operator dossier

Kill Security 3.0 is a ransomware operator currently active on public leak sites. Darkfield has indexed 11 public victims claimed by this operator between June 4, 2026. Kill Security 3.0 is a financially motivated ransomware group first observed in June 2026, representing an apparent iteration or rebranding of an earlier Kill Security lineage, with operational activity documented against at least 11 confirmed victims across multiple countries and sectors. Given the limited open-source intelligence available on this group at this time, attribution to a specific country of origin or affiliation with known threat actor clusters has not been publicly confirmed by CISA, the FBI, Mandiant, or other reputable security research organizations; however, the group's targeting patterns suggest deliberate sector selection consistent with data-rich, operationally sensitive environments. Based on observed victim telemetry, Kill Security 3.0 has demonstrated a preference for targeting organizations in the United States, United Kingdom, Canada, South Korea, and Morocco, with particular focus on healthcare technology and medical device companies, childcare management software providers, financial services and debt recovery firms, legal services organizations, and behavioral health tracking platforms — a targeting profile that suggests an interest in sensitive personal, financial, and medical data likely leveraged for double extortion purposes. No specific initial access vectors, encryption methodologies, or tooling have been publicly attributed to this group by authoritative sources as of the time of this writing, though the sector focus on data-sensitive industries is consistent with exfiltration-prior-to-encryption tactics commonly employed by contemporary ransomware operators. No major named campaigns, record ransom demands, or law enforcement actions against Kill Security 3.0 have been publicly documented, and its current operational status remains active based on first-observed dating, though the limited victim count suggests the group may still be in early operational phases or selectively targeting victims.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Kill Security 3.0

11 victims indexed · first seen 1 month ago · last activity 1 month ago

11
Victims indexed
#204 of 364 tracked operators
<1m
Active period
Jun 2026 → Jun 2026
Countries hit

At a glance

Status
active
First seen
1 month ago
Last activity
1 month ago
Onion sites
1 known endpoint

About

Kill Security 3.0 is a financially motivated ransomware group first observed in June 2026, representing an apparent iteration or rebranding of an earlier Kill Security lineage, with operational activity documented against at least 11 confirmed victims across multiple countries and sectors. Given the limited open-source intelligence available on this group at this time, attribution to a specific country of origin or affiliation with known threat actor clusters has not been publicly confirmed by CISA, the FBI, Mandiant, or other reputable security research organizations; however, the group's targeting patterns suggest deliberate sector selection consistent with data-rich, operationally sensitive environments. Based on observed victim telemetry, Kill Security 3.0 has demonstrated a preference for targeting organizations in the United States, United Kingdom, Canada, South Korea, and Morocco, with particular focus on healthcare technology and medical device companies, childcare management software providers, financial services and debt recovery firms, legal services organizations, and behavioral health tracking platforms — a targeting profile that suggests an interest in sensitive personal, financial, and medical data likely leveraged for double extortion purposes. No specific initial access vectors, encryption methodologies, or tooling have been publicly attributed to this group by authoritative sources as of the time of this writing, though the sector focus on data-sensitive industries is consistent with exfiltration-prior-to-encryption tactics commonly employed by contemporary ransomware operators. No major named campaigns, record ransom demands, or law enforcement actions against Kill Security 3.0 have been publicly documented, and its current operational status remains active based on first-observed dating, though the limited victim count suggests the group may still be in early operational phases or selectively targeting victims.

Recent victims

Loading…

Onion infrastructure

1 known
  • http://ks5424y3wpr5zlug5c7i6svvxweinhbdcqcfnptkfcutrncfazzgz5id.onion

Source

Updated 1 month ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Kill Security 3.0 posts a victim.

Add Kill Security 3.0 to your watchlist — Pro pings you within 5 minutes of any new Kill Security 3.0 leak-site post, Telegram callout, or affiliate-rebrand inference.