Executive Summary
Quality Dining has been identified as a victim of the Settra ransomware group, with the listing appearing on their dark web portal on June 28, 2026. This incident was detected by SOCRadar’s Dark Web Monitoring service. While the organization is associated with a Taiwan country code, its specific industry sector was not detailed in the available data. This instance is part of a batch of victims claimed by Settra on the same day. Settra’s recent activity shows a small footprint of claimed victims in the 60 days preceding this listing, suggesting it may be a nascent or low-volume operation. Their previous victims span the consumer services, technology, and manufacturing sectors, with a geographic spread including the United States, Taiwan, and Singapore. Quality Dining joins other listed victims such as LifeVantage Corporation, Turbo Data Systems, and DyStar within this group.
Technical Analysis
Security analysis revealed a severe exposure for the qdi.com domain through SOCRadar’s stealer-log telemetry. A sample contained corporate credentials for Microsoft 365 and an internal application subdomain (apps.qdi.com), along with numerous third-party credentials associated with the same employee account. A single user dominates these records, a pattern consistent with a compromised workstation, and credential freshness is concentrated between June 13 and June 26, 2026. Password reuse across multiple services was also observed. For ransomware groups like Settra, credentials harvested by infostealers are a known initial access vector: threat actors purchase fresh logs from marketplaces, validate the corporate credentials, and use them to authenticate to portals such as Microsoft 365 or VPNs before deploying ransomware. While this specific instance does not confirm that Settra used these credentials, live Microsoft 365 IdP credentials and internal application logins traced to a single, likely compromised endpoint align with the typical kill chain for this threat. CTI teams are advised to initiate forced password resets and enforce multi-factor authentication for the affected accounts, isolate and investigate the implicated endpoint, and maintain vigilant monitoring.
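The triage described above (dominant user, corporate hosts, freshness window, password reuse, reset candidates) as an added Python example; it is not SOCRadar's code, and the records, user names and passwords are constructed for illustration. Only the qdi.com / apps.qdi.com names come from the report.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

CORPORATE_DOMAINS = ("qdi.com",)  # the exposed domain named in the report

# Constructed sample records (not real data); one entry per captured login.
SAMPLE_RECORDS = [
    {"user": "j.doe@qdi.com", "host": "login.microsoftonline.com", "secret": "Spring2026!", "seen": date(2026, 6, 13)},
    {"user": "j.doe@qdi.com", "host": "apps.qdi.com",              "secret": "Spring2026!", "seen": date(2026, 6, 20)},
    {"user": "j.doe@qdi.com", "host": "vendor-portal.example",     "secret": "Spring2026!", "seen": date(2026, 6, 26)},
    {"user": "j.doe@qdi.com", "host": "shop.example",              "secret": "otherpass",   "seen": date(2026, 6, 25)},
    {"user": "a.lee@qdi.com", "host": "apps.qdi.com",              "secret": "x9!qZ",       "seen": date(2026, 5, 2)},
]

def is_corporate(host, domains=CORPORATE_DOMAINS):
    """True for the corporate apex domain or any subdomain of it (e.g. apps.qdi.com)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(records, as_of, fresh_days=30):
    """Summarise a batch of stealer-log records the way an analyst would:
    who dominates the batch, which corporate hosts appear, how fresh the
    captures are, and which accounts reuse one password across services."""
    users = Counter(r["user"] for r in records)
    top_user, top_count = users.most_common(1)[0]
    corporate_hosts = sorted({r["host"] for r in records if is_corporate(r["host"])})
    cutoff = as_of - timedelta(days=fresh_days)
    fresh = [r for r in records if r["seen"] >= cutoff]
    # (user, secret) -> hosts; one secret seen on more than one host is reuse
    by_secret = defaultdict(set)
    for r in records:
        by_secret[(r["user"], r["secret"])].add(r["host"])
    reuse = defaultdict(list)
    for (u, _), hosts in by_secret.items():
        if len(hosts) > 1:
            reuse[u].append(sorted(hosts))
    # accounts needing a forced reset plus MFA: any corporate or IdP login in the batch
    reset = sorted({r["user"] for r in records
                    if is_corporate(r["host"]) or r["host"].endswith("microsoftonline.com")})
    return {
        "dominant_user": top_user,
        "dominant_share": round(top_count / len(records), 2),
        "corporate_hosts": corporate_hosts,
        "fresh_count": len(fresh),
        "fresh_window": (min(r["seen"] for r in fresh), max(r["seen"] for r in fresh)) if fresh else None,
        "password_reuse": dict(reuse),
        "reset_candidates": reset,
    }

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RECORDS, as_of=date(2026, 6, 28)).items():
        print(f"{k}: {v}")
```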