Metal Sur Famin Data Breach

Alleged

Ransomware claim involving Metal Sur Famin.

Published: Jun 29, 2026 Qilin
Threat Level: High
Confidence: High

Quick Summary

Company: Metal Sur Famin
Industry: Manufacturing
Threat Actor: Qilin
Date of Incident: Jun 29, 2026

Executive Summary

Metal Sur Famin, a manufacturing company based in Argentina, has been identified as a victim of the Qilin ransomware group. The listing on the Qilin ransomware group’s dark web portal was published on June 29, 2026, and was detected by SOCRadar’s Dark Web Monitoring service. Manufacturing companies are attractive targets for ransomware operators because they typically combine flat OT/IT networks with a low tolerance for downtime. Metal Sur Famin falls within a sector heavily targeted by Qilin, although victims in Argentina make up a smaller share of the group’s listings than those in the English-speaking countries that are its primary focus.

Technical Analysis

SOCRadar’s analysis indicates a significant exposure for the metalsurfamin.com domain, identified through stealer-log telemetry. This exposure included approximately 14 corporate credential records pointing to identity providers (Microsoft 365/Azure AD, Google Workspace, Microsoft consumer authentication) and around 11 records showing corporate usernames used on third-party platforms, including a remote access tool. The persistence of these credentials across multiple services and dates suggests either unrotated credentials or a compromised endpoint rather than a single incident. The harvested data spans January to June 2026, indicating sustained credential harvesting over a six-month period.

The use of stealer-harvested credentials is a documented initial access vector for ransomware groups like Qilin, which acquire these logs from marketplaces to gain access to corporate accounts. While this specific instance doesn’t confirm Qilin’s direct use of these credentials, the pattern aligns with typical ransomware kill chains.

Recommended defensive measures include rotating affected accounts, enforcing MFA on identity providers, and performing endpoint examinations for stealer persistence.