Threat Actor Characterization

Killada

ID: 3badcb15c587d360409ed9154b88249958379
Crimeware Ransomware
Threat types: Malware, RaaS
Unknown
Updated: 2026-03-30
Created: 2026-03-29
Progress: 83% Completeness: 80% Freshness: 90%
Operation zone:
Aliases: Killada Ransomware, Killada Sec, Ki********
MITRE ATT&CK®

Killada is an emerging ransomware brand first publicly tracked in March 2026. Current public evidence supports a functional criminal extortion workflow, but the wider operator structure and campaign scope remain unclear.


Technique | Technique name | Tactics | Evidence
T1486 | Data Encrypted for Impact | TA0040
  • 2026-03-29 — Public tracker classifies Killada as crypto-ransomware and lists encryption behavior together with a branded ransom note. · ref
  • 2026-03-27 — Public sandbox analysis labels the sample as ransomware and shows dropped ransom-note artefacts consistent with encryption-for-impact behavior. · ref
T1204.002 | Malicious File | TA0002
  • 2026-03-26 — Public sandbox analysis shows manual execution by a user for killada-individual.exe. · ref
T1566 | Phishing | TA0001
  • 2026-03-26 — INFERENCE (confidence: medium): Public sandbox telemetry shows a Word-opened RTF path and related LNK artefact in an observed execution chain, which is consistent with lure-driven delivery. · ref
T1083 | File and Directory Discovery | TA0007
  • 2026-03-29 — INFERENCE (confidence: medium): Ransomware execution requires identifying accessible file paths for impact; current public evidence supports this as part of the likely workflow even though direct listing telemetry is not published. · ref
T1059 | Command and Scripting Interpreter | TA0002
  • 2026-03-27 — INFERENCE (confidence: low): Console host execution appeared in a public sandbox run, suggesting command-line execution context. Direct scripting use is not yet firmly established. · ref
Strategic Intelligence
Last updated: 2026-03-30T03:02:36+00:00

Killada — Emerging Ransomware Brand with Sparse but Actionable Early Telemetry

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Cybercrime / Ransomware - Origin: Unknown

Author: iQBlack CTI Team


Executive Summary

Killada is an emerging ransomware brand first publicly tracked in March 2026. Open reporting is still thin, but multiple public indicators already support treating it as a real ransomware operation rather than a purely speculative label: a dedicated set of onion extortion links, a named ransom note, a BTC wallet, a TOX identifier, and at least two publicly observed samples associated with the brand.


At this stage, the operation appears immature or early in its lifecycle. Available public references do not yet show a stable victim corpus, a mature leak-site narrative, or a deeply documented affiliate ecosystem. That limits confidence on strategic attribution, country of origin, and operator structure.

IOC Appendix
Last updated: 2026-03-30T03:06:57+00:00

OSINT Library
Last saved: 2026-03-30T03:08:41+00:00

OSINT Library — Killada


2026-03-29 — WatchGuard Technologies — “Ransomware - Killada”
