
Cyber Threat Actor: Xing Team

Actor Type: Criminal
Location: China
Known Incidents: 4 incidents
Profile

Xing Team, also referred to as the Xing Team ransomware group, is a threat actor that has been observed operating since at least early 2021 and is described in open‑source reporting as a relatively new entrant to the ransomware ecosystem. The group’s name incorporates a Chinese character that translates to “star,” and the threat actor’s location is listed as China in the available context, though this attribution is not definitively proven by public sources. Xing Team has been linked to incidents affecting healthcare organizations in the United States and Saudi Arabia, as well as a pipeline technology and services provider headquartered in Houston, Texas, indicating activity across both the healthcare sector and critical‑infrastructure‑adjacent industries. The group’s public communications and leak‑site behavior demonstrate a financial motive, relying on the threat of releasing stolen data to coerce payment from victims. Their activity pattern shows a willingness to target entities of varying size, from a small private firm to a large integrated health system, without apparent preference for a particular organizational scale. No public source attributes the group to a state sponsor or a known criminal consortium, leaving its affiliation classified as financially motivated cyber‑criminal activity.

Technical analysis of the LineStar Integrity Services breach revealed that Xing Team employs a rebranded version of the Mount Locker ransomware to encrypt victims’ files, and the group follows a double‑extortion model by exfiltrating data prior to encryption and threatening to publish it on their dark‑web leak site if the ransom is not paid. The threat actor maintains a dedicated leak site where they have posted large data dumps from GlobeMed Saudi, OSF Healthcare, and Coastal Family Health Center, with the released volumes reported as approximately 201 GB, 112 GB, and 506 GB respectively, demonstrating a consistent tactic of using stolen information to increase pressure on targets. The leaked materials have included a variety of file types such as emails, contracts, source code, human‑resources documents, patient records, medical images, and financial spreadsheets, reflecting the broad scope of data the group seeks to obtain. Public sources do not specify the initial‑access vectors used by Xing Team, nor do they detail any additional tooling beyond the Mount Locker‑derived ransomware payload, leaving the precise infection chain unspecified in the available reporting. The group’s leak site activity has been noted by researchers as a means to amplify extortion efforts, with the unredacted data remaining accessible despite occasional redactions by third‑party transparency organizations.

Representative operations attributed to Xing Team include the April 2021 incident at LineStar Integrity Services, in which roughly 70 GB of internal data—including emails, contracts, software code, and employee identification files—were stolen and partially leaked after the organization reportedly did not meet the group’s demands. Another notable case is the June 2021 breach of OSF Healthcare, where 112 GB of patient records, staff information, financial documents, and over 516 000 image files containing explanation‑of‑benefits statements were exfiltrated and released on the leak site following the victim’s alleged refusal to cooperate. The group has also been linked to the May 2021 attacks on GlobeMed Saudi and Coastal Family Health Center, where similar data‑theft and leak patterns were observed, with GlobeMed Saudi reporting containment of the breach within 24 hours and notification of local authorities. While these incidents illustrate the group’s capability to affect both healthcare and pipeline‑related entities, no public attribution to a state sponsor or criminal alliance has been established, and Xing Team remains understood as a financially motivated ransomware actor operating with a double‑extortion approach.

Incidents: 4 attributed incidents (available to members)
Sources: 2 sources (available to members)