Kairos
Kairos is a ransomware/extortion group active on several Russian-language hacking forums that, according to the provided reporting, does not appear to be linked to other hacking groups. The group emerged around July 2024 with a dedicated data leak site (DLS), was first observed in November 2024, and continued operating into 2025 and 2026. Reporting in the provided content attributes at least 59 claimed victims between November 2024 and January 2026, at least 79 claimed victims since first observation, and 27 incidents in May 2026.

Kairos operates a time-bound extortion model centered on data exfiltration and staged public disclosure. Victims are initially given seven days to respond to its demands; if no agreement is reached, Kairos publishes an initial leak post. If the dispute remains unresolved, the group says it will notify partners, competitors, and customers and ultimately publish stolen data in full. The content also states Kairos pressures victims with escalation deadlines, discourages contacting law enforcement or incident response firms, and threatens consequences including legal action, contract termination, reputational damage, stock value drops, and potential organizational closure.

The provided content links Kairos to claimed victim postings on its leak site, including FriendlyCare Pharmacy in Booval, Queensland, where it allegedly posted sample data including scripts, an incident report, employment correspondence, a licence, and personal and medical information. The content also states Kairos claimed responsibility for Seagrass Boutique Hospitality Group on 12 February 2026.

Known aliases in the provided content: kairos.
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Ransomware group listed among the top incident counts for the month.
Extortion-focused group operating a leak site and threatening full publication of stolen data if victims do not respond within seven days. The group has claimed at least 79 victims since first being observed in November 2024, including Australian organizations such as FriendlyCare Pharmacy and Seagrass Boutique Hospitality Group.
Low-profile but persistent extortion group emphasizing exfiltration-only coercion with time-bound escalation, discouraging law enforcement/IR involvement, and threatening staged disclosure to customers/partners/competitors.
Kairos is mentioned as a ransomware group active in September 2025.