The Group That Didn't Need to Break In: How KillSec3 Exploited What Was Already Exposed

Prepared by: Nick Thanos  |  Last update: 22 May 2026

Threat actor profile: KillSec3 

Threat actor status: ACTIVE 

In the 2024-25 financial year, a threat actor group called KillSec3 targeted seven Australian organisations, not by breaking through firewalls or deploying sophisticated malware, but by collecting data that had already been left exposed. KillSec3 scanned for cloud storage platforms misconfigured to allow public access and File Transfer Protocol (FTP) servers, a type of server used to transfer files between computers over a network, left unsecured and reachable from the internet. In several of these incidents, affected organisations did not know they had been compromised until their name appeared on KillSec3's dark web leak site, a website on the encrypted Tor network where stolen data is listed and threatened for release. That discovery gap tells a significant story about how this group operates, who they target and why Australian organisations need to take notice.  

KillSec3: Background  

KillSec3 is a financially motivated threat actor group that came to light during FY25 as one of 20 ransomware groups that Triskele Labs observed actively targeting Australian and New Zealand businesses during the financial year. Unlike most of their peers in the ransomware ecosystem, KillSec3 became notable for a distinct operational approach in that they generally do not encrypt victim environments.

Instead, KillSec3 focuses heavily on data exfiltration, the unauthorised transfer of data from a victim's environment to a location the attacker controls. They then leverage the threat of publishing that data on their dark web leak site as the primary extortion mechanism. This is sometimes referred to as a data theft or single-extortion model, as opposed to the double-extortion model used by groups like DragonForce or Qilin, which both steal data and encrypt systems.

Triskele Labs is aware of KillSec3 targeting at least seven Australian organisations across FY25, and the group appeared in Triskele Labs' list of threat actors for whom more than one direct incident response engagement was conducted during the year.

KillSec3: Tactics and approach 

Most ransomware groups invest significant effort in gaining initial access by exploiting vulnerabilities in VPNs, brute-forcing Remote Desktop Protocol (RDP), a technology that allows users to connect to and control a computer remotely, or phishing staff for credentials. KillSec3 frequently skips these steps entirely by targeting a different class of weakness altogether. 

Exploiting cloud misconfigurations 

KillSec3 was observed actively scanning for misconfigured cloud storage platforms, such as Amazon S3 buckets, Microsoft Azure Blob Storage, or similar services, where data had inadvertently been made publicly accessible due to incorrect permission settings. A misconfigured cloud storage bucket is one where the access controls have been set incorrectly, allowing anyone on the internet to view or download the contents without needing a username or password. 

In these instances, the data was not "stolen" in the traditional sense; it was simply downloaded from a location that was already open to the public. The victim organisation may never have known the data was accessible and in many cases, they did not know it had been taken until KillSec3 published it. 
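What "set to public" means in concrete terms is worth seeing against a real configuration. The following is an added example written for this profile, not code from Triskele Labs or from any cloud provider: an offline checker that evaluates an S3-style bucket policy, its legacy ACL grants and the Public Access Block flags the way an auditor would, and flags any grant that lets an unauthenticated principal list or download objects. The bucket names, the `ShareWithVendor` statement, the role ARN and the account ID 111122223333 are constructed placeholders; the policy and ACL structures and the four Public Access Block flag names are AWS's real ones. The same check serves the audit step in the "Reducing your exposure" list below.

```python
import fnmatch

# ACL grantee URIs that grant access to everyone (AllUsers) or to any AWS account
# holder at all (AuthenticatedUsers), which is public for practical purposes.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous principal enumerate or download objects.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """True when a statement's Principal is the wildcard, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_actions(statement):
    """Return the read actions an Allow statement grants to everyone, if any."""
    if statement.get("Effect") != "Allow":
        return []
    if not principal_is_anonymous(statement.get("Principal")):
        return []
    if statement.get("Condition"):
        # A Condition (source IP, VPC endpoint, ...) may narrow the grant; leave
        # these for manual review rather than calling them public outright.
        return []
    # Policy action names are case-insensitive and may contain wildcards (s3:Get*).
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return [a for a in READ_ACTIONS if any(fnmatch.fnmatch(a, p) for p in patterns)]


def assess_bucket(name, policy=None, acl_grants=(), public_access_block=None):
    """Evaluate one bucket's configuration and return (is_public, findings).

    public_access_block mirrors the S3 Public Access Block flags: with
    RestrictPublicBuckets set, S3 ignores public policy statements, and with
    IgnorePublicAcls set, it ignores public ACL grants.
    """
    pab = public_access_block or {}
    findings = []
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement")):
            actions = public_read_actions(stmt)
            if actions:
                findings.append(
                    f"{name}: policy statement {stmt.get('Sid', '<no Sid>')} grants "
                    f"{', '.join(actions)} to Principal '*'"
                )
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_ACL_GRANTEES:
                group = uri.rsplit("/", 1)[-1]
                findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")
    return bool(findings), findings


# Constructed sample: the kind of policy that appears when a bucket is shared "quickly".
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithVendor",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-exposed-bucket",
                     "arn:aws:s3:::example-exposed-bucket/*"],
    }],
}
EXPOSED_ACL = [{"Grantee": {"Type": "Group",
                            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                "Permission": "READ"}]

# Constructed hardened equivalent: one named principal (placeholder account ID and
# role), object reads only, and all four Public Access Block flags enabled.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ShareWithVendor",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-transfer-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-hardened-bucket/*",
    }],
}
FULL_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def demo():
    exposed = assess_bucket("example-exposed-bucket", EXPOSED_POLICY, EXPOSED_ACL)
    hardened = assess_bucket("example-hardened-bucket", HARDENED_POLICY, [],
                             FULL_PUBLIC_ACCESS_BLOCK)
    # The exposed policy again, but with Public Access Block applied: the policy
    # text still reads as public, yet S3 will no longer honour it.
    blocked = assess_bucket("example-exposed-bucket", EXPOSED_POLICY, EXPOSED_ACL,
                            FULL_PUBLIC_ACCESS_BLOCK)
    return exposed, hardened, blocked


if __name__ == "__main__":
    for is_public, findings in demo():
        print("PUBLIC" if is_public else "not public", findings)
```

In practice the policy, ACL and Public Access Block inputs would be pulled from the provider's API or the account's configuration export for every bucket on the inventory, and the check re-run on a schedule, since the finding that matters is the bucket created last week, not the one audited last year.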

Targeting unsecured FTP servers 

KillSec3 also targeted exposed FTP servers, servers running the File Transfer Protocol, which is commonly used by organisations to transfer large volumes of files between systems or to external parties. When FTP servers are left accessible from the internet without adequate authentication controls, they can be accessed and their contents downloaded by anyone who finds them. 

This tactic requires minimal technical sophistication compared to exploiting software vulnerabilities or conducting social engineering campaigns. It is a volume play: by scanning large blocks of internet-facing IP addresses for known open ports and services, KillSec3 can identify multiple potential victims efficiently. 

The CrushFTP campaign 

KillSec3's activity during FY25 also included involvement in a campaign exploiting CrushFTP, a widely used enterprise file transfer server application. When critical vulnerabilities in CrushFTP were disclosed, KillSec3 was among the threat actor groups that moved quickly to mass-exploit the flaw, exfiltrating data from vulnerable organisations worldwide without deploying ransomware. This reinforces the group's broader pattern of focusing on data access and theft over operational disruption. 

KillSec3: Why organisations are exposed 

KillSec3's effectiveness stems from targeting a class of vulnerability that many organisations either don't know they have, or don't prioritise fixing: unprotected data stores and misconfigured internet-facing infrastructure. 

Many organisations invest in controls designed to prevent attackers from gaining access to internal systems (firewalls, MFA, EDR). But those same controls do not protect data that has already been made publicly accessible through a misconfiguration. Cloud storage and FTP misconfigurations are common, often created during routine IT operations when a file sharing arrangement is stood up quickly or a storage bucket is configured without careful attention to access controls. 

The absence of an active intrusion means there are also fewer forensic indicators. No malware is deployed. No credentials are compromised. No lateral movement occurs across the internal network. In many KillSec3 cases investigated by Triskele Labs, the first confirmation of the incident came from the appearance of the victim organisation's name on a dark web leak site, a deeply reactive position to be responding from. 

KillSec3: Reducing your exposure 

The following defensive actions are directly aligned to the behaviours and access methods observed in KillSec3 incidents across Triskele Labs' FY25 engagements. 

  1. Audit your cloud storage configurations regularly 
    Cloud storage platforms like Amazon S3, Azure Blob Storage, and Google Cloud Storage are routinely misconfigured, often inadvertently, and often without the organisation being aware. Conduct a full audit of all cloud storage resources within your environment to confirm that no buckets or containers have been set to public access. Most cloud platforms provide native tooling to identify publicly accessible resources. This should be a recurring process, not a one-time check, as new storage resources are frequently created during normal IT operations. 

    Note that Remote Desktop Gateway servers do not natively support MFA; additional configuration and planning is required beyond standard IT management arrangements. Organisations should seek specialist advice if they are uncertain whether their RDG is adequately protected.
  2. Restrict internet-facing FTP and file transfer services
    FTP servers should not be directly accessible from the public internet unless there is a specific and necessary business requirement. Where FTP or similar file transfer services must remain internet-facing, enforce strong authentication controls, restrict access to known IP ranges where possible, and ensure all access is logged and monitored. Consider whether modern, more secure alternatives, such as SFTP (Secure File Transfer Protocol, which encrypts data in transit) or managed file transfer platforms, are more appropriate for your use case. 
  3. Apply network restrictions to prevent internal infrastructure from being reachable from the open internet 
    A core control identified in Triskele Labs' FY25 data is the implementation of network restrictions that prevent internal infrastructure, including storage systems and file servers, from being directly reachable from the public internet. This includes reviewing firewall rules, network segmentation, and access control lists to ensure that internal resources are not inadvertently exposed. 
  4. Maintain a rigorous patch management programme for systems and applications
    KillSec3 has been observed actively exploiting unpatched vulnerabilities in widely deployed software, with CrushFTP a notable example. Critical CrushFTP flaws disclosed in 2024 and 2025 allowed unauthenticated attackers to bypass authentication and retrieve sensitive files, and KillSec3 was among the threat actors exploiting this vulnerability within days of public disclosure. Organisations should establish a documented patch management programme that defines clear service level agreements for deploying critical patches, typically within 24 to 72 hours of release for actively exploited vulnerabilities on internet-facing systems, and within standard maintenance windows for lower-risk internal assets. Maintain an accurate, current asset inventory so that no system is overlooked, subscribe to vendor security advisories and reputable threat intelligence feeds so that emergency patching can be triggered as soon as a relevant vulnerability is disclosed, and test patches in a non-production environment where the risk profile of the system warrants it. Where a patch cannot be applied immediately, implement compensating controls such as taking the affected service offline, tightening network access, or deploying virtual patching through a web application firewall until the underlying issue can be remediated. Treat patching not as an IT housekeeping task but as a frontline security control, because for vulnerabilities like the CrushFTP series, the window between disclosure and active exploitation is often measured in hours rather than weeks.
  5. Implement Data Loss Prevention (DLP) controls
    Data Loss Prevention controls, technologies that monitor for and restrict the unauthorised transfer of sensitive data, are an important layer of defence against exfiltration-focused threat actors. DLP tools can detect when large volumes of data are being transferred to external locations and generate alerts or block those transfers automatically. Implementing DLP across cloud environments and file transfer infrastructure is particularly relevant in the context of KillSec3's tactics. 
  6. Strengthen Identity and Access Management (IAM) 
    Strong Identity and Access Management (IAM), the practice of ensuring that only the right people and systems can access specific data and services with appropriate levels of permission, restricts unnecessary access to sensitive data stores. Review what data is accessible to what accounts, remove excessive permissions, and ensure that service accounts used for cloud storage or file transfer operations are configured with the minimum access required to perform their function, known as the principle of least privilege. 
  7. Encrypt sensitive data at rest
    Even where misconfigurations occur, encrypting sensitive data at rest, meaning data is stored in an encrypted format that cannot be read without an authorised decryption key, significantly reduces the value of any data that is inadvertently exposed or exfiltrated. This is particularly relevant for cloud storage environments containing personally identifiable information (PII), Protected Health Information (PHI), or other regulated data categories. 
  8. Monitor dark web leak sites for early warning
    Because KillSec3 victims are frequently unaware of incidents until their data appears on a dark web leak site, organisations should consider whether dark web monitoring is part of their threat intelligence capability. Knowing that your organisation's data has appeared on a leak site before you discover the underlying exposure provides valuable, if unwelcome, early warning that an investigation is required. 
  9. Conduct regular vulnerability scanning of internet-facing assets
    CrushFTP and similar file transfer platforms can carry critical vulnerabilities that threat actors like KillSec3 move quickly to exploit. Organisations should perform regular vulnerability scanning of all internet-facing services, prioritise the patching of critical vulnerabilities on publicly accessible infrastructure, and monitor vendor advisories for products in active use. 
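Steps 2 and 5 above both come down to the same question for a file transfer server that must stay internet-facing: is anyone logging in without credentials, and is anyone pulling data in volumes that do not match normal business use? The following is an added example written for this profile, not code from Triskele Labs: a small detector that reads vsftpd-style server logs (the non-xferlog format, in which each line records the user, the result, the event and the client), flags successful anonymous logins, and totals downloaded bytes and file counts per client against thresholds. The log lines are constructed for the example; the addresses are documentation ranges and the paths, usernames and thresholds are placeholders to be tuned to the environment.

```python
import re
from collections import defaultdict

# vsftpd-style log line (xferlog_std_format=NO). LOGIN lines carry only the
# client; DOWNLOAD/UPLOAD lines also carry the path and the byte count.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<event>LOGIN|DOWNLOAD|UPLOAD): '
    r'Client "(?P<client>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<bytes>\d+) bytes)?'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"]) if rec["bytes"] else 0
    return rec


def detect_exposure(lines, byte_threshold=50_000_000, file_threshold=20):
    """Return (findings, skipped_lines).

    findings is a list of dicts: anonymous_login entries for every client that
    authenticated without credentials, and bulk_download entries for every client
    whose successful downloads exceed either threshold. Thresholds are placeholders.
    """
    anonymous_clients = set()
    bytes_by_client = defaultdict(int)
    files_by_client = defaultdict(int)
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["status"] != "OK":
            continue  # failed logins and transfers do not move data
        if rec["event"] == "LOGIN" and rec["user"] == "anonymous":
            anonymous_clients.add(rec["client"])
        elif rec["event"] == "DOWNLOAD":
            bytes_by_client[rec["client"]] += rec["bytes"]
            files_by_client[rec["client"]] += 1

    findings = [{"type": "anonymous_login", "client": c} for c in sorted(anonymous_clients)]
    for client in sorted(bytes_by_client):
        total, count = bytes_by_client[client], files_by_client[client]
        if total >= byte_threshold or count >= file_threshold:
            findings.append({"type": "bulk_download", "client": client,
                             "bytes": total, "files": count})
    return findings, skipped


# Constructed sample log: one service account doing routine work, one anonymous
# client pulling HR and legal archives, one failed anonymous attempt, one junk line.
SAMPLE_LOG = """\
Tue May 20 09:58:41 2025 [pid 4011] [finance_svc] OK LOGIN: Client "198.51.100.5"
Tue May 20 09:59:02 2025 [pid 4012] [finance_svc] OK DOWNLOAD: Client "198.51.100.5", "/inbound/remit_20250520.csv", 18432 bytes, 220.10Kbyte/sec
Tue May 20 10:01:02 2025 [pid 4020] [anonymous] OK LOGIN: Client "203.0.113.7"
Tue May 20 10:01:05 2025 [pid 4021] [anonymous] OK DOWNLOAD: Client "203.0.113.7", "/pub/hr/payroll_export.xlsx", 25000000 bytes, 4500.12Kbyte/sec
Tue May 20 10:01:31 2025 [pid 4021] [anonymous] OK DOWNLOAD: Client "203.0.113.7", "/pub/hr/employee_records.zip", 30000000 bytes, 4712.00Kbyte/sec
Tue May 20 10:02:10 2025 [pid 4021] [anonymous] OK DOWNLOAD: Client "203.0.113.7", "/pub/legal/contracts_2024.zip", 10000000 bytes, 4608.33Kbyte/sec
Tue May 20 10:03:44 2025 [pid 4030] [anonymous] FAIL LOGIN: Client "192.0.2.9"
garbage line that does not parse
"""

if __name__ == "__main__":
    found, skipped = detect_exposure(SAMPLE_LOG.splitlines())
    for f in found:
        print(f)
    print(f"{skipped} unparseable line(s) skipped")
```

An anonymous login succeeding at all is the finding that matters most here; it means the server is in exactly the state the profile describes, regardless of how much was downloaded. The volume thresholds catch the second failure mode, a valid but over-privileged account being used to drain a share, which is the case DLP tooling is meant to surface.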

Summary 

KillSec3 is an active, financially motivated threat actor group that distinguishes itself from most of its peers through a focus on data exfiltration over encryption. Across the 2024–25 financial year, the group targeted at least seven Australian organisations by scanning for and exploiting cloud storage misconfigurations, unsecured FTP servers, and vulnerabilities in file transfer software such as CrushFTP, in many cases collecting data that had already been made accessible through poor configuration rather than through any sophisticated intrusion. 

The group's effectiveness is compounded by the delayed detection typical of these incidents. Many affected organisations only became aware of the compromise when their name appeared on KillSec3's dark web leak site, by which point the data had already been taken. 

The controls that most directly address KillSec3's approach are not the same as those that defend against encryption-focused ransomware groups. Preventing KillSec3 requires organisations to look outward, at what data is exposed on the internet, whether cloud storage and file transfer infrastructure is properly secured, and whether sensitive data is encrypted even in storage environments that should already be protected. 

If your organisation has experienced a KillSec3 incident or suspects a data exposure related to cloud or FTP misconfigurations, engage your cyber insurer and a reputable DFIR firm promptly. Early investigation is critical to understanding the scope of what was accessed, meeting regulatory notification obligations, and preventing further exposure. 

MITRE ATT&CK Mapping 

TACTIC          | TECHNIQUE                                      | DESCRIPTION
Initial Access  | T1190 – Exploit Public-Facing Application      | Exploitation of internet-facing file transfer applications including CrushFTP
Initial Access  | T1133 – External Remote Services               | Exploitation of unsecured FTP servers accessible from the internet
Discovery       | T1526 – Cloud Service Discovery                | Scanning for misconfigured cloud storage platforms
Discovery       | T1083 – File and Directory Discovery           | Identifying data available through exposed file servers and cloud buckets
Collection      | T1530 – Data from Cloud Storage                | Collection of data from publicly accessible cloud storage resources
Collection      | T1039 – Data from Network Shared Drive         | Collection of data from exposed FTP and file transfer infrastructure
Exfiltration    | T1048 – Exfiltration Over Alternative Protocol | Exfiltration of collected data to attacker-controlled infrastructure
Impact          | T1657 – Financial Theft                        | Extortion of victim organisations using the threat of publishing stolen data

Commonly utilised tooling

TOOL                               | PURPOSE
Cloud storage scanning             | Identifying misconfigured buckets and containers with public access
FTP server scanning                | Identifying internet-facing file transfer servers with weak or no authentication
CrushFTP vulnerability exploitation | Mass exploitation of known file transfer software vulnerabilities
Dark web leak site                 | Extortion mechanism, publishing stolen data to pressure victims into payment
Data exfiltration without encryption | Collecting and removing data without triggering operational disruption