Was Al-Safi Oil Company (PURE IN) hit by ransomware?

Al-Safi Oil Company (PURE IN) was listed by the NASIR ransomware operation, and stolen data was published on the group's leak site. Darkfield tracks this disclosure with the original leak post, screenshot and group context.

Who is the NASIR ransomware group?

NASIR is a ransomware operator tracked by Darkfield. See the full operator dossier for its known victims, sectors targeted, IOCs and leak-site infrastructure.

What data was leaked in the Al-Safi Oil Company (PURE IN) breach?

NASIR published data attributed to Al-Safi Oil Company (PURE IN). Darkfield captured the leak post and a screenshot of the listing.

Ransomware victim disclosure

← All victims

Al-Safi Oil Company

listed as Al-Safi Oil Company (PURE IN) · Claimed by NASIR · listed 5 days ago

Age

since listed · data leaked

Status timeline

ListedJun 10, 2026
Data leakeddate unknown

At a glance

Group: NASIR
Status: Data leaked
Sector: Energy/Oil
Listed on leak site: Jun 10, 2026

About the victim

AI dossier — public-source company profile

Al-Safi Oil Company (branded as PURE IN) is an oil and gas enterprise operating in the Middle East region. Limited public information is available about the company's specific operations, scale, or headquarters location.

Industry: Oil & Gas

Attack summary

Severity: medium — Company listed among high-profile targets (government ministries, airport, customs authority); however, no proof files, data samples, or specifics on exfiltrated content are evident in the post. Oil & Gas sector is critical infrastructure, elevating baseline concern despite lack of operational impact detail.

The NASIR group claims to have hacked Al-Safi Oil Company and published data as part of a broader campaign targeting regional government and infrastructure targets. The group has not detailed specific data exfiltration or encryption claims in the available post excerpt.

medium

What the group claims

Al-Safi Oil Company hacked by the Al-Nasir Resistance.

The leak post

captured from the group's site

The Biggest Israel's national Holocaust museum Not safe at all...
### [Kuwait Ministry Of Interior Hacked!](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/kuwait-ministry-interior.html)
No US Allies is Protected Anymore....
### [Dubai Airport - Data Leaked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/dubai-airport.html)
We have succeeded in obtaining the capability .... And from God comes success. 
### [UAE Customs (Federal Customs Authority) - ACCESS GRANTED !](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/uae-customs.html)
Peace be upon the Resistance and its martyrs. .... God is Great.
### [Al-Safi Oil Company (PURE IN) Hacked](http://yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd.onion/pages/pure-in.html)
We are the sons of the Al-Nasir Resistance .... We are avengers against the wrongdoers.

Screenshot of the leak post

Leak screenshot for Al-Safi Oil Company (PURE IN)

Sources

Source

Indexed 5 days ago

This page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.

Is this your supplier? Your competitor? You?

Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

Disclosure context

About NASIR

NASIR is an emerging ransomware group first observed in June 2026 with a apparent financial motivation, having claimed responsibility for attacks against at least seven known victims across the Middle East region. The group's targeting pattern strongly suggests a geopolitical or regional focus, with victim organizations concentrated in the United Arab Emirates, Israel, Saudi Arabia, and Kuwait, spanning high-value sectors including government, energy and oil, transportation, aviation, and cultural and memorial institutions. Given the limited open-source intelligence currently available on NASIR, its country of origin, affiliation with known threat actor ecosystems, and whether it operates under a Ransomware-as-a-Service model or as an independent closed group have not been publicly confirmed by authoritative sources such as CISA, the FBI, or Mandiant as of this writing. The group's sector targeting — particularly government, energy infrastructure, and aviation — suggests a deliberate focus on critical national infrastructure across Gulf Cooperation Council states and Israel, which may indicate either a financially motivated actor seeking high-value targets capable of large ransom payments, or an actor with ideological or geopolitical objectives. No specific tools, encryption methods, or extortion tactics employed by NASIR have been publicly documented or attributed by reputable security researchers at this time, and no major law enforcement actions against the group have been publicly reported. NASIR should be considered an emerging and closely monitored threat given its critical infrastructure targeting pattern, with the expectation that additional technical attribution and campaign details will surface as the group's operational tempo develops. The group has been linked to 8 public disclosures across our corpus. First observed on a leak site on June 10, 2026; most recent post June 11, 2026. The operation is currently active.

Timeline of this disclosure

June 10, 2026Al-Safi Oil Company (PURE IN) listed by NASIRon the group's public leak site

Other recent disclosures by NASIR

NASIR has been linked to 8 public victims on Darkfield. A sample of the most recent:

See the full NASIR dossier →

Sector and geography

This disclosure adds to ransomware activity in the Energy/Oil sector.

If your organisation is affected

A listing by NASIR means Al-Safi Oil Company (PURE IN) appeared on a ransomware extortion site and data attributed to it has been published. If this is your organisation, or a supplier you depend on, the priority is to confirm the intrusion and contain it before the window to act closes.

Engage your incident-response team and preserve forensic evidence before remediating — do not wipe affected systems first.
Force a password reset and revoke active sessions for exposed accounts; rotate any credentials, API keys or certificates that may have been in the stolen data.
Assess regulatory notification duties (GDPR, NIS2, sector regulators) — many carry a 72-hour reporting clock from awareness.
Monitor for the data appearing on NASIR's leak site and across paste and breach channels, and brief downstream partners who may be exposed through you.

How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.