Doctor Alliance – Streamlined Document and Billing Management for Healthcare Providers

Group: Kazu

Discovered by ransomware.live: 2025-11-11

Estimated attack date: 2025-11-06

Country: US

Data exfiltrated: 353 GB

Ransom: $200 000

Description:

Doctor Alliance (doctoralliance.com) is a U.S.-based healthcare technology platform that helps physicians and medical agencies manage documents, referrals, and billing in one secure online system. Headquartered in Dallas, Texas, it offers services such as electronic document signing, coordination with agencies, and billing support for programs like CPO, CCM, and TCM. The platform integrates with systems like Axxess Home Health to streamline workflow and reduce paperwork, promoting faster document turnaround and improved billing efficiency -- contact me to protect your files !!


🕵️ Infostealer activity detected by HudsonRock

Compromised Employees: 3

Compromised Users: 51

Third Party Employee Credentials: 8


External Attack Surface: 10



DNS Records:

The following DNS records were found for the victim's domain.

WHOIS Emails
  • abuse@support.gandi.net
  • aabd28ccb15f0c92412de8c1ac31d67f-3803312@contact.gandi.net
MX Records
  • aspmx3.googlemail.com.
  • aspmx.l.google.com.
  • alt1.aspmx.l.google.com.
  • alt2.aspmx.l.google.com.
  • aspmx2.googlemail.com.
TXT Records
  • atlassian-domain-verification=4qI57kpZwWtMhBATvnXitponpp0+cyGCbHN2EWE+7hh8JpGhzugBO9Uws4sC8V7B
  • v=spf1 include:amazonses.com include:_spf.google.com include:mail.zendesk.com ~all
Cloud / SaaS Services Detected
  • Atlassian
  • Amazon SES/WorkMail
  • Zendesk
