Threat Actor Unknown origin

Kairos

IoCs CSV 1 detection rule

Kairos is an extortion group that emerged with a data-leak site on 13 November 2024, claiming attacks against six organizations, primarily in the US healthcare sector. The group is financially motivated, demanding Bitcoin payments for the secure deletion of stolen files and threatening to leak data if victims do not comply. While no specific TTPs are publicly known, common techniques among extortion groups include phishing and scanning for exposed internet-facing devices. There is a potential link to a user on a Russian-language cybercriminal forum who shares a post-exploitation script, but attribution remains uncertain.

Indicators of Compromise 1

MITRE ATT&CK TTPs 4

Detection Rules

Kairos_SIGMA_Detection
sigma ai_generated
title: Kairos Threat Actor Data Exfiltration Activity
id: 3a1b8a6c-4d2f-4a0e-9f1e-5b7c8d9e7f3a
status: experimental
logsource:
  category: network_connection
  product: firewall
detection:
  outbound_connection:
    DestinationIP: '*'
    DestinationPort: '80' or '443'
    Protocol: 'TCP'
  user_agent_tempsh:
    UserAgent|contains: 'temp.sh'
  ttp_t1071001:
    Description: 'Use of web protocols for command and control or data exfiltration'
  ttp_t1059001:
    CommandExec: '*curl*temp.sh*'
    CommandLine|contains:
      - 'curl'
      - 'wget'
    CommandLine|contains|all:
      - 'temp.sh'
      - '-F'
  ttp_t1021:
    Description: 'Remote services used for lateral movement - possible precursor to exfiltration'
  ttp_t1566:
    Description: 'Phishing enabled initial access - may lead to data theft'
  filter_known_benign:
    DestinationDomain|endswith: 'temp.sh'
condition: >
  (outbound_connection and (user_agent_tempsh or ttp_t1059001)) or
  (ttp_t1071001 and filter_known_benign)
falsepositives:
  - Legitimate use of file upload services like temp.sh for non-malicious purposes
level: critical

Rules are AI-generated and unvalidated. Test in a safe environment before production use.

Source Articles