[April-10-2025] Daily Cybersecurity Threat Report

1. Introduction

This report provides a detailed overview of significant cybersecurity incidents reported within the last 24 hours. The analysis presented herein is based exclusively on the structured incident data feed received on April 10, 2025. The purpose of this document is to offer timely situational awareness regarding the evolving cyber threat landscape, specifically tailored for security professionals, IT management, risk analysts, and compliance officers.

The scope of this report is strictly limited to the incidents and associated data contained within the aforementioned data feed. No external data sources or supplementary research have been incorporated unless explicitly noted (such as in the Threat Actor Profiles section). The findings and analyses presented reflect the information available within the reporting period, maintaining a formal and objective tone throughout.

2. Executive Summary / Daily Incident Overview Table

The following table provides a high-level summary of the cybersecurity incidents reported in the last 24 hours, as detailed in the received data feed. This overview facilitates a rapid assessment of the current threat environment and helps prioritize attention towards the most relevant events.

Incident Title | Target Organization/Entity | Sector/Industry | Incident Type | Reported Date/Time | Key Impact Summary
Electronic Army Special Forces targets the website of Ho Chi Minh City | ho chi minh city | Government & Public Sector | DDoS Attack | 2025-04-10T11:30:19Z | Website downtime confirmed.
Algas Engineering Pte falls victim to Qilin Ransomware | algas engineering pte | Mechanical or Industrial Engineering | Ransomware | 2025-04-10T11:14:18Z | Claimed theft of financial statements, passports, tax invoices, project details, contact info.
CASH NETWORK C2 targets the website of CapCut | capcut | Writing & Editing | Defacement | 2025-04-10T11:14:07Z | Website defacement claimed, mirror provided.
Alleged data leak of DLH.net | dlh.net enterprises ug (ltd.) | Online Publishing | Data Breach | 2025-04-10T11:08:08Z | Alleged leak of 4.2M user records including IDs, emails, names, passwords, logs.
NoName targets the website of City of Kotka | city of kotka | Government & Public Sector | DDoS Attack | 2025-04-10T11:03:48Z | Website downtime confirmed.
NoName targets the website of City of Porvoo | city of porvoo | Government & Public Sector | DDoS Attack | 2025-04-10T10:59:41Z | Website downtime confirmed.
NoName targets the website of Väestöliitto | väestöliitto | Non-profit & Social Organizations | DDoS Attack | 2025-04-10T10:54:24Z | Website downtime confirmed.
Alleged data sale of Origin PC | origin pc | Computer Hardware | Data Breach | 2025-04-10T10:42:59Z | Alleged sale of customer data including order details, shipping info, contact info, employee data.
Alleged sale database of The Bangalore Water Supply and Sewerage Board (BWSSB) | bangalore water supply and sewerage board | Energy & Utilities | Data Breach | 2025-04-10T10:13:56Z | Alleged sale of root access and database containing customer/contact details, vehicle info, account details.
Alleged leak of Facebook | facebook | Social Media & Online Social Networking | Data Leak | 2025-04-10T09:58:45Z | Claimed leak of 210 million rows of data including emails, phone numbers, personal info.
Nippon Ceramic Co. falls victim to NightSpire Ransomware | nippon ceramic co. | Manufacturing & Industrial Products | Ransomware | 2025-04-10T09:55:32Z | Claimed theft of 45 GB of data, threatened publication.
Alleged database sale of Mitsubishi Motors Vietnam | mitsubishi motors corporation | Automotive | Data Breach | 2025-04-10T09:27:23Z | Alleged sale of customer database including names, contact info, vehicle details, maintenance history.
Alleged data breach of Circle | circle | E-Learning | Data Breach | 2025-04-10T09:04:10Z | Alleged leak of database containing user IDs, names, emails, IPs, educational background, account statuses.
NoName targets the website of City of Helsinki | city of helsinki | Government & Public Sector | DDoS Attack | 2025-04-10T08:42:10Z | Website downtime confirmed.
NoName targets the website of Helsinki Region Transport | helsinki region transport | Transportation & Logistics | DDoS Attack | 2025-04-10T08:38:03Z | Website downtime confirmed.
Alleged data breach of Russian Standard Bank | russian standard bank | Financial Services | Data Breach | 2025-04-10T08:29:31Z | Alleged leak of database with customer DOB, names, account balance, contact info, address.
3P Corporation Ltd falls victim to Space Bears Ransomware | 3p corporation ltd | Financial Services | Ransomware | 2025-04-10T08:26:38Z | Claimed theft of database including financial documents, employee/client personal info, threatened publication.
Alleged data breach of Abdul Rahman Fakieh Schools | abdul rahman fakieh schools | Education | Data Breach | 2025-04-10T08:15:33Z | Alleged leak of database including staff/admin IDs, usernames, emails, roles, names, passwords.
Red wolf ceyber targets the website of Central Bank of the Republic of Azerbaijan | central bank of the republic of azerbaijan | Banking & Mortgage | DDoS Attack | 2025-04-10T06:27:46Z | Website downtime confirmed.
Alleged sale of loader.c | | | Malware | 2025-04-10T06:06:09Z | Alleged sale of FUD Windows resident loader with Tor-hosted panel.
Alleged Sale of Gmail Prompt Automation Tool Source Code | | | Malware | 2025-04-10T05:43:25Z | Alleged sale of Gmail prompting tool source code with Telegram bot notification.
Alleged leak of ISRAEL DATABASES | | | Data Leak | 2025-04-10T05:14:11Z | Claimed leak of over 2GB of Israeli databases.
Electronic Army Special Forces targets the website of Bến Tre Power Company | bến tre power company | Electrical & Electronic Manufacturing | DDoS Attack | 2025-04-10T04:47:41Z | Website downtime confirmed.
Alleged data breach of Bolivarian National Police | bolivarian national police | Government Administration | Data Breach | 2025-04-10T04:35:34Z | Alleged leak of national police database (99k+ officers) including IDs, names, contact info, rank, address; attacker claims ongoing system access.
Electronic Army Special Forces targets the website of VNPT | vnpt | Network & Telecommunications | DDoS Attack | 2025-04-10T04:20:21Z | Website downtime confirmed.
Alleged Sale of Data from Kirkendall Dwyer LLP | kirkendall dwyer llp | Law Practice & Law Firms | Data Breach | 2025-04-10T03:51:57Z | Alleged sale of data on 700k+ customers and 900k leads including names, contact details, SSNs, legal/medical metadata.
Alleged Sale of Data from Wolters Kluwer | wolters kluwer | Information Services | Data Breach | 2025-04-10T03:40:15Z | Alleged sale of database with 2M+ user records including names, contact info, job titles, addresses, account metadata.
Al Ahad targets the website of ZIV Medical Center | ziv medical center | Hospital & Health Care | DDoS Attack | 2025-04-10T03:00:59Z | Website downtime confirmed.
Al Ahad targets the website of Laniado Hospital | laniado hospital | Medical Practice | DDoS Attack | 2025-04-10T02:50:37Z | Website downtime confirmed.
Al Ahad targets the website of meir.org.il | meir.org.il | | DDoS Attack | 2025-04-10T02:48:20Z | Website downtime confirmed.
Al Ahad targets the website of Barzilai Medical Center | barzilai medical center | Hospital & Health Care | DDoS Attack | 2025-04-10T02:30:16Z | Website downtime confirmed.
Al Ahad targets the website of Assuta Medical Centers | assuta medical centers | Hospital & Health Care | DDoS Attack | 2025-04-10T02:30:13Z | Website downtime confirmed.
Al Ahad targets the website of Shamir Medical Center (Assaf Harofeh) | shamir medical center (assaf harofeh) | Medical Practice | DDoS Attack | 2025-04-10T02:13:08Z | Website downtime confirmed.
Al Ahad targets the website of Herzliya Medical Center | herzliya medical center | Medical Practice | DDoS Attack | 2025-04-10T02:04:44Z | Website downtime confirmed.
Al Ahad targets the website of Assuta Medical Centers | assuta medical centers | Medical Practice | DDoS Attack | 2025-04-10T01:52:14Z | Website downtime confirmed.
Alleged Domain admin access sale to an unidentified organization in Italy | | | Initial Access | 2025-04-10T00:53:55Z | Alleged sale of Domain Admin access, AnyDesk access, credentials for Italian paper company ($10M revenue).
Miller & Caggiano falls victim to DragonForce Ransomware | miller & caggiano | Law Practice & Law Firms | Ransomware | 2025-04-10T00:49:53Z | Claimed theft of 102.63 GB of data, threatened publication.
Finetech falls victim to INC RANSOM Ransomware | finetech | Manufacturing | Ransomware | 2025-04-10T00:43:10Z | Claimed data theft, sample screenshots provided on leak site.
Alleged data sale of BuyAntiVirusKey.com | buyantiviruskey.com | E-commerce & Online Stores | Data Breach | 2025-04-10T00:42:56Z | Alleged sale of database (360k+ records) and 500k+ license keys including emails, hashed passwords, customer names.
Service Trade S.p.A. falls victim to DragonForce Ransomware | service trade s.p.a. | Electrical & Electronic Manufacturing | Ransomware | 2025-04-10T00:41:15Z | Claimed theft of 89.87 GB of data, threatened publication.
Alleged data breach of CITROSOL | citrosol | Chemical Manufacturing | Data Breach | 2025-04-10T00:37:11Z | Alleged leak of users.json (768 records) including alarms, contacts, lab records, admin account details.
Alleged data breach of MGPTT (Algeria’s Post & Telecom) + Ministry of Labor ALGERIA | ministry of post and telecommunications | Government Administration | Data Breach | 2025-04-10T00:36:04Z | Alleged leak of 13GB+ internal data including personal data, confidential documents, databases.
Chesterfield Township falls victim to INC RANSOM ransomware | chesterfield township | Government Administration | Ransomware | 2025-04-10T00:23:51Z | Claimed data theft, sample screenshots provided on leak site.
Silocaf USA LLC falls victim to INC RANSOM Ransomware | silocaf usa llc | Food & Beverages | Ransomware | 2025-04-10T00:14:54Z | Claimed theft of 178 GB of data.

3. Detailed Incident Analysis

This section provides in-depth analysis for each cybersecurity incident identified in the reporting period’s data feed.


Incident Title: Electronic Army Special Forces targets the website of Ho Chi Minh City


Incident Title: Algas Engineering Pte falls victim to Qilin Ransomware


Incident Title: CASH NETWORK C2 targets the website of CapCut


Incident Title: Alleged data leak of DLH.net


Incident Title: NoName targets the website of City of Kotka


Incident Title: NoName targets the website of City of Porvoo


Incident Title: NoName targets the website of Väestöliitto


Incident Title: Alleged data sale of Origin PC


Incident Title: Alleged sale database of The Bangalore Water Supply and Sewerage Board(BWSSB)


Incident Title: Alleged leak of Facebook


Incident Title: Nippon Ceramic Co. falls victim to NightSpire Ransomware


Incident Title: Alleged database sale of Mitsubishi Motors Vietnam


Incident Title: Alleged data breach of Circle


Incident Title: NoName targets the website of City of Helsinki


Incident Title: NoName targets the website of Helsinki Region Transport


Incident Title: Alleged data breach of Russian Standard Bank


Incident Title: 3P Corporation Ltd falls victim to Space Bears Ransomware


Incident Title: Alleged data breach of Abdul Rahman Fakieh Schools


Incident Title: Red wolf ceyber targets the website of Central Bank of the Republic of Azerbaijan


Incident Title: Alleged sale of loader.c

  • Category: Malware
  • Date: 2025-04-10T06:06:09Z
  • Victim Organization:
  • Victim Industry:
  • Victim Country:
  • Victim Site:
  • Network: openweb
  • Threat Actors: mentalpositive
  • Description: The threat actor claims to be selling loader.c, a fully undetectable (FUD) Windows resident loader that generates unique, device-specific builds to evade antivirus detection (0/60+ on VirusTotal). Written in C (~80KB), it supports Windows 7+ and Server OS, delivering payloads via binary/DLL execution or URL redirection, with a Tor-hosted PHP panel for management.
  • Published URL: https://xss.is/threads/135945/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/c5d5c06a-ec31-44d2-9090-fff596fafd2f.png

Incident Title: Alleged Sale of Gmail Prompt Automation Tool Source Code

  • Category: Malware
  • Date: 2025-04-10T05:43:25Z
  • Victim Organization:
  • Victim Industry:
  • Victim Country:
  • Victim Site:
  • Network: openweb
  • Threat Actors: shadowscript
  • Description: Threat actor is advertising the sale of a Gmail prompting tool along with its full source code. The software is designed to send up to three Gmail prompts per email address and notify via a Telegram bot if any prompt is rejected. It processes inputs in the format “Email | phone1 | phone2 | etc” and uses partial digit matching for validation.
  • Published URL: https://forum.exploit.in/topic/257132/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/71acb1fb-413c-42ea-8a2c-8cf8d72f29a9.png

Incident Title: Alleged leak of ISRAEL DATABASES


Incident Title: Electronic Army Special Forces targets the website of Bến Tre Power Company


Incident Title: Alleged data breach of Bolivarian National Police

  • Category: Data Breach
  • Date: 2025-04-10T04:35:34Z
  • Victim Organization: bolivarian national police
  • Victim Industry: Government Administration
  • Victim Country: Venezuela
  • Victim Site: cpnbve.com
  • Network: openweb
  • Threat Actors: rootkik
  • Description: A threat actor has leaked the Bolivarian Police of Venezuela’s national police database, containing records of 99,666 officers. The exposed data includes ID numbers, full names, gender, rank, phone numbers, email addresses, state, unit, service, status, and home addresses. The attacker also claims to have ongoing access to the police system, allowing them to modify, add, or delete officer records, downgrade ranks, and issue disciplinary faults.
  • Published URL: https://breachforums.st/Thread-DATABASE-POLICIA-BOLIVARIANA-DE-VENEZUELA-PNB-DATABASE
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2e7db62f-c354-4c2b-be7d-075b083cd295.png

Incident Title: Electronic Army Special Forces targets the website of VNPT


Incident Title: Alleged Sale of Data from Kirkendall Dwyer LLP

  • Category: Data Breach
  • Date: 2025-04-10T03:51:57Z
  • Victim Organization: kirkendall dwyer llp
  • Victim Industry: Law Practice & Law Firms
  • Victim Country: USA
  • Victim Site: kirkendalldwyer.com
  • Network: openweb
  • Threat Actors: betway
  • Description: The threat actor claims to have breached Kirkendall Dwyer LLP in April 2025, exfiltrating data on over 700,000 customers and 900,000 leads. The compromised data includes names, contact details, Social Security Numbers (SSNs), addresses, phone numbers, birthdates, legal and medical metadata, internal account notes, and more, indicating a severe data exposure.
  • Published URL: https://forum.exploit.in/topic/257131/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/b4c15c00-1657-4302-8899-6f61ba19cd45.png

Incident Title: Alleged Sale of Data from Wolters Kluwer

  • Category: Data Breach
  • Date: 2025-04-10T03:40:15Z
  • Victim Organization: wolters kluwer
  • Victim Industry: Information Services
  • Victim Country: Netherlands
  • Victim Site: wolterskluwer.com
  • Network: openweb
  • Threat Actors: betway
  • Description: The threat actor claims to be selling a database allegedly stolen from Wolters Kluwer in April 2025, containing over 2 million user records. The leaked dataset includes comprehensive personal and professional details such as full names, contact information, birthdates, job titles, addresses, account metadata, GDPR request logs, and marketing interaction data.
  • Published URL: https://forum.exploit.in/topic/257130/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/42522c3d-69b6-4cd8-ae3d-10c03aa76046.png

Incident Title: Al Ahad targets the website of ZIV Medical Center


Incident Title: Al Ahad targets the website of Laniado Hospital


Incident Title: Al Ahad targets the website of meir.org.il


Incident Title: Al Ahad targets the website of Barzilai Medical Center


Incident Title: Al Ahad targets the website of Assuta Medical Centers


Incident Title: Al Ahad targets the website of Shamir Medical Center (Assaf Harofeh)


Incident Title: Al Ahad targets the website of Herzliya Medical Center


Incident Title: Al Ahad targets the website of Assuta Medical Centers


Incident Title: Alleged Domain admin access sale to an unidentified organization in Italy

  • Category: Initial Access
  • Date: 2025-04-10T00:53:55Z
  • Victim Organization:
  • Victim Industry:
  • Victim Country: Italy
  • Victim Site:
  • Network: openweb
  • Threat Actors: redblueapple2
  • Description: A threat actor is selling initial access to an Italian paper production company with approximately $10 million in revenue. The access includes a Domain Admin account, AnyDesk access, and additional credentials. The network spans several /24 subnets, with at least 700GB of company data and multiple databases. Trend Micro AV is present but not on all systems.
  • Published URL: https://xss.is/threads/135943/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/1919aa4e-fb7d-48de-b6cf-0f523f97999d.png

Incident Title: Miller & Caggiano falls victim to DragonForce Ransomware


Incident Title: Finetech falls victim to INC RANSOM Ransomware


Incident Title: Alleged data sale of BuyAntiVirusKey.com


Incident Title: Service Trade S.p.A. falls victim to DragonForce Ransomware


Incident Title: Alleged data breach of CITROSOL


Incident Title: Alleged data breach of MGPTT (Algeria’s Post & Telecom) + Ministry of Labor ALGERIA


Incident Title: Chesterfield Township falls victim to INC RANSOM ransomware


Incident Title: Silocaf USA LLC falls victim to INC RANSOM Ransomware


4. Potential Cross-Incident Insights & Emerging Trends

Analysis of the incidents reported within this 24-hour period may reveal potential patterns or emerging trends in the threat landscape. This section synthesizes observations across the reported events to highlight noteworthy concentrations or recurring elements.

A. Sector Targeting Trends

  • Analysis: Based on the targets identified in incidents like those affecting Ho Chi Minh City, City of Kotka, City of Porvoo, City of Helsinki, Russian Standard Bank, 3P Corporation Ltd, Central Bank of Azerbaijan, Bolivarian National Police, Kirkendall Dwyer LLP, Wolters Kluwer, ZIV Medical Center, Laniado Hospital, Barzilai Medical Center, Assuta Medical Centers, Shamir Medical Center, Herzliya Medical Center, Miller & Caggiano, Chesterfield Township, and the Algerian Ministries, there is a discernible pattern related to specific industries. Multiple incidents targeted organizations within the Government & Public Sector, Financial Services/Banking, Healthcare/Medical Practice, and Law Practice sectors.
  • Implications: A concentration of attacks against these particular sectors implies that organizations operating within them should exercise increased vigilance. This could stem from various underlying factors: coordinated campaigns focusing on these sectors (e.g., hacktivist DDoS against government/healthcare, ransomware against finance/legal), the exploitation of technology or vulnerabilities common to these industries, or a perception of these sectors as being particularly lucrative (ransomware) or politically significant (hacktivism). Defensive postures should be reviewed, particularly concerning the attack types observed (e.g., enhanced DDoS protection for government/healthcare, robust data security and ransomware defenses for finance/legal).

B. Common Attack Vectors/TTPs

  • Analysis: A review of the methodologies employed across incidents reveals the recurrence of specific TTPs. DDoS attacks were frequently used, particularly by groups like Electronic Army Special Forces, NoName057(16), Red wolf ceyber, and Al Ahad, often targeting government, critical infrastructure, and healthcare websites, with proof of downtime provided via check-host links. Ransomware attacks by groups like Qilin, NightSpire, Space Bears, DragonForce, and INC RANSOM involved data exfiltration followed by encryption, with threats to publish data on Tor-based leak sites. Data Breaches/Leaks involved threat actors claiming to sell or leak large databases containing sensitive user information (PII, credentials, financial data, contact details) on forums like BreachForums or other platforms. Initial access vectors mentioned include exploiting vulnerabilities (implied in ransomware/breach cases) and potentially compromised credentials (e.g., alleged Domain Admin access sale).
  • Implications: The successful and repeated use of DDoS against public-facing services highlights the ongoing threat of disruption from hacktivist groups. The prevalence of ransomware involving double extortion underscores the critical need for both data encryption prevention and data exfiltration detection/prevention. The frequent appearance of large-scale data breaches/leaks on specific forums indicates active markets for stolen data and compromised access. Organizations should prioritize DDoS mitigation, robust ransomware defenses (including backups and EDR), data loss prevention (DLP) strategies, credential security (MFA, PAM), and monitoring of relevant underground forums.

C. Geographic Focus (If discernible)

  • Analysis: The incident data indicates significant activity targeting organizations in Finland (multiple DDoS attacks by NoName057(16)), Vietnam (DDoS by Electronic Army Special Forces, data breach), Israel (multiple DDoS attacks by Al Ahad, data leak), USA (data breaches, ransomware, initial access sale), and Italy (ransomware, initial access sale). Other targeted countries include Singapore, China, Germany, India, Japan, Russia, Australia, Saudi Arabia, Azerbaijan, Venezuela, Netherlands, and Spain.
  • Implications: The geographic clustering suggests specific regional focuses. The attacks on Finland align with NoName057(16)’s known targeting of NATO/Ukraine supporters. Attacks on Israel align with Al Ahad’s pro-Palestinian stance. The high volume of incidents involving US entities reflects its status as a major target for various cyber threats. Organizations with operations or interests in these specific regions should be particularly vigilant and tailor their threat monitoring.

D. Notable Threat Actor Activity

  • Analysis: Several threat actors were highly active within this 24-hour period. NoName057(16) conducted multiple DDoS attacks against Finnish entities. Al Ahad launched a coordinated DDoS campaign against Israeli medical facilities. Electronic Army Special Forces targeted multiple Vietnamese organizations with DDoS attacks. Ransomware groups INC RANSOM and DragonForce each claimed multiple victims. Actors betway and 247 were each linked to two separate alleged data breach/sale incidents.
  • Implications: The concentrated activity from NoName057(16) and Al Ahad indicates ongoing hacktivist campaigns driven by geopolitical motives. The multiple victims claimed by INC RANSOM and DragonForce highlight the continuous operation of these RaaS groups. The repeated appearance of actors like betway and 247 on breach forums suggests they are actively involved in data theft and monetization. Organizations should prioritize defenses against the specific TTPs associated with these active groups, particularly DDoS mitigation, ransomware prevention/detection, and data breach monitoring/response.

5. Threat Actor Profiles

This section provides detailed profiles for each unique threat actor identified across the analyzed incidents, based on external research from publicly available sources.

Profile: Qilin (aka Agenda)

  • Overview: Qilin, also known as Agenda, is a Ransomware-as-a-Service (RaaS) operation active since July 2022 [1]. Initially named Agenda, it rebranded to Qilin by September 2022 [1]. The group is believed to have Russian origins or Russian-speaking members, evidenced by recruitment posts excluding CIS countries from targeting [1]. Qilin gained significant attention following high-profile attacks, including one on the UK healthcare service provider Synnovis in June 2024 [3]. They employ a double extortion model, stealing data before encryption and threatening to leak it on their Tor-based Dedicated Leak Site (DLS) if the ransom is not paid [1]. The group actively recruits affiliates, offering attractive commission structures (e.g., 80-85% of ransom payments) [2]. Ransom demands in 2023 typically ranged from $50,000 to $800,000 [1].
  • TTPs:
  • Initial Access: Qilin affiliates utilize various methods, including spear-phishing emails [1], exploiting vulnerabilities in exposed applications like Citrix and RDP [1], compromising VPN credentials, particularly where MFA is lacking [3], and potentially using Initial Access Brokers (IABs) [3].
  • Execution & Persistence: Payloads are executed using stolen credentials [3]. Persistence can be achieved through methods like modifying Group Policy Objects (GPOs) to run scripts at logon [3] or using scheduled tasks to execute payloads [3]. A malicious DLL (pwndll.dll) injected into svchost.exe has also been observed for persistence [3].
  • Defense Evasion: Qilin employs code obfuscation techniques like renaming functions and encrypting strings [1]. Payloads terminate security-related processes and services [2] and clear event logs [3]. The Qilin.B variant, written in Rust, includes self-deletion capabilities [2]. Vulnerable SYS drivers are also used for defense evasion [1].
  • Credential Access: A notable technique involves using GPOs to deploy PowerShell scripts (e.g., “IPScanner.ps1”) that harvest credentials stored in Chrome browsers across the network [3]. Stolen credentials are used for lateral movement [3].
  • Discovery & Lateral Movement: After initial access, attackers may remain dormant (e.g., 18 days observed) before moving laterally [3]. Lateral movement occurs via RDP, SMB, and DCE-RPC, sometimes using default credentials [4]. WMI requests and SMB share enumeration are used for discovery [4]. Network scanning is also employed [7].
  • Command & Control (C2): C2 communication has been observed over HTTP and SSL, sometimes using user agents or JA3 fingerprints associated with Cobalt Strike [4]. Connections to rare external hosts, including .ru domains and IPs linked to SystemBC, have also been noted [4].
  • Exfiltration: Data exfiltration occurs before encryption. Methods include using cloud storage solutions like MEGA (e.g., 30 GB via SSL) [4] and unencrypted FTP (e.g., 102 GB and 783 GB observed to the same IP) [4]. Exfiltrated data volumes can range from hundreds of gigabytes to over a terabyte [4]. WebDAV has also been observed [4].
  • Impact (Encryption): Qilin ransomware exists in Golang and Rust variants, targeting Windows and Linux (including VMware ESXi) [1]. It uses strong encryption (e.g., AES-256 for files, RSA-2048/RSA-4096 for keys, ChaCha20 also mentioned) [1]. Encrypted files are renamed with custom extensions, and ransom notes (e.g., README-RECOVER-<extension>.txt) are dropped [3]. It supports multiple encryption modes and customization [1].
  • Targeting: Qilin targets various industries globally, including Manufacturing, Legal/Professional Services, Financial Services, Healthcare, Education, Construction, Technology, and Governments [1]. Healthcare represented over 7% of DLS victims as of June 2024 [1]. Geographic targets include the US, UK, Canada, Australia, and others [1]. Attacks appear opportunistic [1]. Notable incidents include the Synnovis attack impacting London hospitals [1] and attacks on Lee Enterprises and the Houston Symphony [9].
  • Relationships: Microsoft observed the North Korean group Moonstone Sleet deploying Qilin ransomware, a rare instance of this state actor using RaaS malware [8]. Potential links to Scattered Spider have also been suggested [2].
  • Sources: 1

Profile: NoName057(16)

  • Overview: NoName057(16) is a pro-Russian hacktivist collective active since March 2022 [10], shortly after Russia’s invasion of Ukraine [12]. Their actions are ideologically and politically driven, focusing on supporting Russia and countering perceived anti-Russian sentiment, particularly from NATO countries supporting Ukraine [10]. They operate primarily through Distributed Denial of Service (DDoS) attacks [10]. The group uses Telegram extensively to announce targets, claim responsibility, justify attacks based on geopolitical events, and recruit participants [10]. They have conducted over 1,500 DDoS attacks since March 2022 [16].
  • TTPs:
  • Primary Method (DDoS): NoName057(16) specializes in Layer 7 (HTTP/HTTPS) DDoS attacks designed to overwhelm web servers and consume resources [12]. They conduct pre-attack reconnaissance to identify high-impact backend pages (like search forms) to target, crafting URLs that mimic legitimate traffic to bypass defenses [12]. Attacks often involve flooding targets with concurrent junk HTTPS requests [16]. While most attacks are short bursts (around 10 minutes), prolonged attacks lasting a day have been observed [16]. Attack volumes are typically in the hundreds of thousands of requests per second (RPS) but are effective due to precise targeting [12].
  • Tools & Infrastructure: The group developed and utilizes a custom DDoS tool called “DDoSia,” initially written in Python and later Golang [10]. They leverage crowdsourcing through “Project DDoSia,” gamifying participation by offering cryptocurrency payments to volunteers who run the tool and generate attack traffic [13]. The DDoSia botnet grew significantly, utilizing free or low-cost public cloud services and CDNs (often associated with nuisance activities) as launchpads [16]. They have also been observed using the Bobik botnet [14].
  • Operational Characteristics: Attacks often occur in waves, escalating during periods of heightened geopolitical tension or specific events, such as official visits (e.g., Zelensky’s visit to Italy [14]) or statements perceived as anti-Russian [15]. They strategically time attacks during holidays or weekends when organizations may have reduced staff [14].
  • Targeting: Targets are primarily high-profile organizations within NATO member states and other countries supporting Ukraine [10]. Key sectors include government entities, financial institutions (banks), transport hubs (airports, ports), critical infrastructure, and media outlets [10]. Countries frequently targeted include Italy [14], Poland, Spain, Czech Republic [16], Lithuania [10], Latvia [10], Denmark [11], Canada [11], and the US [11]. They have also targeted India during specific operations like #OpIndia [11].
  • Relationships: NoName057(16) collaborates with other pro-Russian hacktivist groups like Killnet and XakNet [10]. They are also associated with the “Holy League” hacktivist alliance [18].
  • Sources: 10
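As an added, defender-side illustration of the Layer 7 pattern described in the profile above (this script is not from the report or from any of its cited sources), the following Python code buckets web-server access-log lines into fixed windows and flags windows where a high request rate, many distinct source addresses and one dominant path coincide, which is the signature of a volunteer-driven flood aimed at a single backend page such as a search form. The thresholds and the sample log are constructed assumptions, not measurements from any incident in this report.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined"-style prefix: ip ident user [time] "METHOD path HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        # Drop the query string: floods vary it per request so each URL looks like a real search.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bursts(lines, window_s=10, rps_threshold=10, min_sources=5, path_share=0.8):
    """Bucket requests into fixed windows of window_s seconds and flag windows that
    look like a Layer 7 flood: request rate above rps_threshold, at least
    min_sources distinct client IPs, and a single path carrying >= path_share of requests.
    The default thresholds are assumed values; tune them to the site's normal traffic."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        epoch = int(ev["ts"].timestamp())
        buckets[epoch - epoch % window_s].append(ev)

    alerts = []
    for start in sorted(buckets):
        evs = buckets[start]
        rps = len(evs) / window_s
        sources = {e["ip"] for e in evs}
        top_path, top_n = Counter(e["path"] for e in evs).most_common(1)[0]
        share = top_n / len(evs)
        if rps >= rps_threshold and len(sources) >= min_sources and share >= path_share:
            alerts.append({
                "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "rps": rps,
                "sources": len(sources),
                "top_path": top_path,
                "top_path_share": round(share, 2),
            })
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real data): a minute of ordinary browsing from five
    clients, then a 10-second burst of 300 requests from 30 addresses against /search."""
    base = datetime(2025, 4, 10, 8, 40, 0, tzinfo=timezone.utc)
    normal_paths = ["/", "/news", "/contact", "/services/transport", "/static/app.js"]
    lines = []
    for i in range(30):
        t = base + timedelta(seconds=2 * i)
        lines.append(f'192.0.2.{i % 5 + 1} - - [{t.strftime(TS_FMT)}] '
                     f'"GET {normal_paths[i % 5]} HTTP/1.1" 200 1024')
    burst_start = base + timedelta(seconds=60)
    for i in range(300):
        t = burst_start + timedelta(seconds=i // 30)
        lines.append(f'198.51.100.{i % 30 + 1} - - [{t.strftime(TS_FMT)}] '
                     f'"GET /search?q=kotka{i} HTTP/1.1" 200 8192')
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(build_sample_log()):
        print(alert)
```

Running the script prints one alert for the 08:41:00 window (30 requests per second from 30 sources, all on /search) and none for the ordinary traffic before it.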

Profile: INC RANSOM (aka GOLD IONIC, Water Anito)

  • Overview: INC Ransom (also tracked as GOLD IONIC or Water Anito) is a ransomware and data extortion group active since at least July 2023 [20]. They employ a double extortion model, threatening to leak stolen data on their Tor-based blog if ransom demands aren’t met [20]. They operate two leak sites: one private for victim communication and one public for data leaks [20]. INC positions its extortion as a service to “save the victim’s reputation” [20].
  • TTPs:
  • Initial Access: INC gains initial access through various methods, including spear-phishing emails [20], exploiting public-facing application vulnerabilities like CVE-2023-3519 in Citrix NetScaler (Citrix ADC/Gateway) [20], and potentially exploiting other vulnerabilities like CVE-2023-48788 (SQL injection) [25]. They also use valid credentials purchased from Initial Access Brokers [20].
  • Execution & Persistence: Payloads can be executed via compromised accounts. Persistence is maintained using valid accounts and potentially disabling security features like Windows Defender via tools like SystemSettingsAdminFlows.exe [22].
  • Defense Evasion: INC uses tools like HackTool.ProcTerminator and ProcessHacker [20]. They have been observed specifically terminating Trend Micro-related processes [20]. The ransomware attempts to delete Volume Shadow Copies (VSS) to inhibit recovery [21]. They utilize legitimate tools (LOLBINs and COTS software) like net.exe, wevtutil, PowerShell, AnyDesk, netscan.exe, and esentutl.exe to blend in with normal network activity [21]. Booting into safe mode has also been observed [20].
  • Credential Access: The group compromises legitimate accounts, including service accounts (e.g., for SQL backups), potentially via exploited firewalls [24]. They use tools like Impacket’s secretsdump.py to gather credentials and employ pass-the-hash techniques for lateral movement [24].
  • Discovery & Lateral Movement: After access, they perform network reconnaissance using tools like netscan.exe, Advanced IP Scanner, and standard commands (e.g., dir) [21]. Lateral movement is achieved using compromised credentials, RDP, and pass-the-hash [23]. They may install file encryption executables across multiple endpoints via rapid copy commands [22].
  • Collection & Exfiltration: Data is staged on compromised hosts [22]. Legitimate tools like 7-Zip or WinRAR are used for archiving [22]. Exfiltration occurs using tools like Rclone, Tor, and cloud services like MEGAsync [21].
  • Impact (Encryption): INC ransomware uses the AES algorithm [20]. It employs partial encryption (fast and medium modes) and multi-threading to speed up the process [20]. It encrypts local drives (including hidden/recovery volumes, potentially making systems unbootable) and network shares [21]. Ransom notes (.txt and .html) are dropped in folders and sent to network printers [20]. Encrypted files typically have a .inc extension [20]. A Linux variant exists [20]. The group also performs internal defacement by changing desktop wallpapers [20].
  • Targeting: INC targets a wide range of industries globally with little discrimination, including healthcare, education, government, technology/IT, manufacturing, professional services, aerospace, automotive, energy, pharmaceuticals, telecommunications, and more [20]. Targeted countries span North America, Europe, Asia, and South America, with the US being the most frequent target (approx. 58%) [22]. A notable victim was Yamaha Motor’s Philippines subsidiary [20].
  • Relationships: Trend Micro suggests Lynx Ransomware may be a successor to INC Ransomware [20].
  • Sources: 20
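The INC Ransom tool chain listed above maps directly onto process-creation telemetry. The following Python example is added for this report (it is not code from any cited source): it scores constructed Sysmon-style command lines against the tools named in the TTPs and flags a host that shows several stages of the chain inside one time window. The argument patterns it looks for and the sample events are assumptions, not details from the report.

```python
"""Added example for this report (not code from any cited source): map the
INC Ransom tool chain above onto Windows process-creation telemetry and flag
hosts that show several stages of the chain inside one time window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Technique patterns matched against the full command line. Tool names come
# from the profile above; the argument shapes (vssadmin delete shadows,
# wevtutil cl, esentutl /y, 7z a, rclone copy/sync) are assumptions about
# typical invocations, not details taken from the report. net.exe, dir and
# PowerShell are deliberately not matched: on their own they are far too noisy.
RULES = {
    "inhibit_recovery_vss": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "clear_event_logs":     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "tamper_defender":      re.compile(r"\bSystemSettingsAdminFlows(\.exe)?\b", re.I),
    "process_termination":  re.compile(r"\b(ProcessHacker|ProcTerminator)(\.exe)?\b", re.I),
    "network_discovery":    re.compile(r"\b(netscan|advanced_ip_scanner)(\.exe)?\b", re.I),
    "credential_dump":      re.compile(r"\bsecretsdump(\.py)?\b|\besentutl(\.exe)?\b.*\s/y\b", re.I),
    "remote_access_tool":   re.compile(r"\banydesk(\.exe)?\b", re.I),
    "staging_archive":      re.compile(r"\b(7z|7za|rar|winrar)(\.exe)?\s+a\b", re.I),
    "exfil_tool":           re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync)\b|\bmegasync(\.exe)?\b|\btor(\.exe)?\b", re.I),
}

# Which stage of the chain each technique evidences, so the verdict rests on
# breadth across the intrusion rather than on any single noisy tool.
STAGE = {
    "inhibit_recovery_vss": "impact",
    "clear_event_logs": "defense_evasion",
    "tamper_defender": "defense_evasion",
    "process_termination": "defense_evasion",
    "network_discovery": "discovery",
    "credential_dump": "credential_access",
    "remote_access_tool": "persistence",
    "staging_archive": "collection",
    "exfil_tool": "exfiltration",
}

# Constructed sample events (timestamp, host, user, command line); these are
# not real telemetry. FS01 shows an INC-style chain run under a backup service
# account; WS22 shows routine admin activity that uses some of the same tools.
SAMPLE_EVENTS = [
    ("2025-04-10T02:14:05Z", "FS01", r"corp\svc_sqlbackup", r"C:\Tools\netscan.exe /range:10.10.0.0/16"),
    ("2025-04-10T02:31:40Z", "FS01", r"corp\svc_sqlbackup", r"python3 secretsdump.py corp/svc_sqlbackup@dc01.corp.local"),
    ("2025-04-10T03:02:11Z", "FS01", r"corp\svc_sqlbackup", r"C:\Program Files\7-Zip\7z.exe a -pX staging.7z D:\Finance"),
    ("2025-04-10T03:20:55Z", "FS01", r"corp\svc_sqlbackup", r"C:\Users\Public\rclone.exe copy D:\staging remote:bucket"),
    ("2025-04-10T03:45:00Z", "FS01", r"corp\svc_sqlbackup", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2025-04-10T03:45:02Z", "FS01", r"corp\svc_sqlbackup", r"C:\Windows\System32\wevtutil.exe cl Security"),
    ("2025-04-10T09:00:00Z", "WS22", r"corp\jdoe", r"C:\Windows\System32\net.exe use Z: \\fs01\share"),
    ("2025-04-10T09:05:00Z", "WS22", r"corp\jdoe", r"C:\Program Files\7-Zip\7z.exe x report.7z"),
]


def match_event(cmdline):
    """Return the technique labels whose pattern matches one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def correlate(events, window=timedelta(hours=4)):
    """Per host, find the largest set of chain stages evidenced inside one
    window. A host hitting the impact stage, or three or more distinct
    stages, is reported as a likely intrusion chain; isolated hits are only
    'suspicious' because admins legitimately use several of these tools."""
    hits = defaultdict(list)
    hosts = set()
    for ts, host, user, cmdline in events:
        hosts.add(host)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        for tech in match_event(cmdline):
            hits[host].append((when, user, tech))
    report = {}
    for host in sorted(hosts):
        host_hits = sorted(hits[host])
        best_stages, best_techs = set(), set()
        for i, (t0, _, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - t0 <= window]
            stages = {STAGE[h[2]] for h in in_window}
            if len(stages) > len(best_stages):
                best_stages = stages
                best_techs = {h[2] for h in in_window}
        if "impact" in best_stages or len(best_stages) >= 3:
            verdict = "likely-intrusion-chain"
        elif best_techs:
            verdict = "suspicious"
        else:
            verdict = "clean"
        report[host] = {
            "verdict": verdict,
            "stages": sorted(best_stages),
            "techniques": sorted(best_techs),
            "users": sorted({h[1] for h in host_hits}),
        }
    return report


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {summary['verdict']} stages={summary['stages']} users={summary['users']}")
```

Tuning note: the service-account user on the flagged host is worth surfacing alongside the verdict, since the profile notes INC abuses backup service accounts; a real deployment would also whitelist the backup software's own scheduled archive jobs.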

Profile: DragonForce

  • Overview: DragonForce ransomware emerged around November/December 2023 [28]. While its exact origins are unverified, the name links it to the Malaysian hacktivist group DragonForceMalaysia, though this connection is unproven and could be misdirection [30]. The group operates a RaaS model, recruiting affiliates via the RAMP underground forum and offering high commission rates (up to 80%) [28]. They employ double extortion tactics, encrypting data and threatening to leak stolen information on their “DragonLeaks” DLS if demands aren’t met [28]. Their DLS features advanced CAPTCHA mechanisms to hinder tracking [28]. DragonForce exhibits a high degree of operational professionalism, running like a business [30].
  • TTPs:
    • Initial Access: Known methods include phishing attacks and exploiting vulnerabilities in RDP and VPN services [28]. They are known to use specific CVEs like CVE-2021-44228, CVE-2023-46805, CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893 [29].
    • Encryption & Tools: DragonForce ransomware reportedly utilizes the leaked builder code from the LockBit 3.0 ransomware, allowing for customized variant creation [30]. While the original DragonForce strain was written in Visual C++, related strains like BlackLock use Go [33]. They provide affiliates with a flexible ransomware builder and support services like NTLM/Kerberos hash decryption and ‘call services’ for victim intimidation [28].
    • Exfiltration: Significant data exfiltration occurs before encryption as part of their double extortion strategy. Volumes can be substantial, with claims of over 6TB stolen in one KSA incident [28] and 600GB from the Ohio Lottery [30]. Data can be uploaded to DragonForce servers via WebDAV or an affiliate’s server [29].
    • Communication & Extortion: Victims are assigned an ID and a dedicated TOR-based URL for communication, often using TOX IM [28]. The group has been known to release audio recordings of ransom negotiations and even make phone calls to pressure victims [28]. Deadlines are set, sometimes strategically timed (e.g., before Ramadan) [29].
  • Targeting: DragonForce targets organizations globally, including prominent attacks in Saudi Arabia (KSA) [28], the United States (Ohio Lottery) [30], Australia (Yakult Australia) [30], New Zealand (Elite Fitness) [30], Ireland (Malone & Co) [30], and Singapore (Coca-Cola) [31]. They have also hit government entities, such as Palau (though LockBit notes were also present) [32]. Targeted industries include real estate, construction, government/lottery, food & beverage, fitness, and accounting [28]. The targeting of the Middle East, particularly KSA, may be driven by factors like large attack surfaces in major projects, valuable data, perceived cybersecurity gaps, and geopolitical tensions [28].
  • Relationships: DragonForce utilizes the leaked LockBit 3.0 builder [30]. They have also been linked to the defacement of the BlackLock ransomware DLS, potentially indicating cooperation or a takeover [33].
  • Sources: 28

Profile: NightSpire

  • Overview: NightSpire is a relatively new extortion group, active since early March 2025 [6]. Individuals associated with the group (‘xdragon128’, ‘cuteliyuan’) appear inexperienced and potentially new to extortion, exhibiting low operational security [6]. The group initially focused on data extortion but has evolved to include data encryption, adopting a double extortion model [6]. Whether they operate a RaaS model is unclear, though recent forum activity suggests recruitment efforts [6].
  • TTPs:
    • Initial Access: Known initial access involves exploiting vulnerable external services like firewalls and VPNs. Specifically, exploitation of CVE-2024-55591 (a FortiOS vulnerability allowing unauthorized admin access) has been observed [6].
    • Defense Evasion: NightSpire uses legitimate tools (“living off the land binaries” – LOLBins) like network scanners and FTP clients to evade detection [6].
    • Data Exfiltration: Legitimate file transfer tools such as WinSCP and MEGACmd are used for data exfiltration [6].
    • Impact (Encryption & Extortion): After exfiltrating data, the group now also encrypts victim systems [6]. They employ aggressive extortion tactics, posting victim data quickly on their leak site and offering it for sale. Ransom deadlines can be very short (e.g., two days) [6]. They use pressure tactics like publishing negotiation excerpts and emailing employees, maintaining a ‘name and shame’ page [6].
  • Targeting: NightSpire appears to be financially motivated and targets opportunistically across sectors [6]. While the manufacturing sector has seen the most attacks (36% of ~11 victims as of March 2025), the majority of victims (73%) are small to medium-sized businesses (SMBs) with fewer than 1,000 employees [6].
  • Relationships: The affiliated usernames ‘xdragon128’ and ‘cuteliyuan’ were previously associated with promoting Rbfs ransomware [6].
  • Sources: 6

Profile: Space Bears

  • Overview: Space Bears is a ransomware group that emerged in early 2024 (first seen around April 2024) [40]. It is reportedly aligned with the Phobos RaaS group [41]. Space Bears gained notoriety for its distinctive, corporate-style presentation on its data leak site, using stock images and language mimicking legitimate security services, offering “guarantees” upon ransom payment [41]. They employ double extortion tactics [41]. The group is believed to operate from Moscow, Russia [41].
  • TTPs:
    • Initial Access: Exploiting RDP vulnerabilities and using phishing emails are suspected initial access vectors [40].
    • Impact (Encryption & Extortion): The group encrypts victim systems and exfiltrates data, demanding ransom in cryptocurrency to provide decryption tools and prevent data publication on their leak site [40]. They have also reportedly used DDoS attacks against non-compliant victims [40].
  • Targeting: Space Bears primarily targets large enterprises and critical infrastructure [40]. Known victims span various sectors including healthcare (CORTEX Chiropractic), telecommunications (Hytera US), finance, government, agriculture, food & beverage, manufacturing, construction, and IT [40]. Targets are located globally, including the US, Ecuador, Singapore, Morocco, Norway, Germany, South Africa, Canada (Haylem, JRT Automatisation), and India (Aptus) [42]. They made claims against Atos Group, which Atos denied, stating the compromised data mentioning Atos was on external third-party infrastructure [43].
  • Relationships: Aligned with the Phobos RaaS operation [41].
  • Sources: 40

Profile: Red Wolf Ceyber (aka Red Wolf Cyber)

  • Overview: Red Wolf Cyber (later rebranded as Red Wolf Ceyber) is a hacktivist group observed launching DDoS attacks in March 2025 [18].
  • TTPs: The group primarily conducts DDoS attacks [18]. Their Telegram channel was shut down after an attack on March 7, but they re-emerged under the new name “Red Wolf Ceyber” on March 12 via a new channel [18].
  • Targeting: The group initially targeted South Korea without a specified reason [18]. After rebranding, their focus shifted primarily to Ukraine, but they later resumed attacks against South Korean targets, specifically hitting an English legal information domain [18].
  • Relationships: No specific relationships mentioned in the provided materials.
  • Sources: 18

Profile: Al Ahad

  • Overview: Al Ahad is identified as a pro-Palestinian hacktivist group active in 2024 [19].
  • TTPs: The group participates in DDoS attack campaigns, often coordinated through alliances and announced/claimed via Telegram [19].
  • Targeting: Al Ahad primarily targets Israel, driven by political and ideological motivations related to the Israeli-Palestinian conflict [19].
  • Relationships: Al Ahad is listed as a member of the “Holy League” hacktivist alliance, which unites pro-Russian and pro-Palestinian groups targeting Western nations, NATO, India, and Israel [49].
  • Sources: 19

Profile: watchdogs

  • Overview: The term “watchdogs” appears in multiple contexts within the provided materials, often referring to cybersecurity professionals [54], monitoring tools, or legitimate software components, rather than a specific malicious threat actor group. For example, it’s used metaphorically for cybersecurity professionals [54], to describe persistence mechanisms in malware [56], in relation to employee monitoring for productivity [57], and as part of a legitimate executable name (watchdogs.exe) for a video game flagged by AV software [58]. One instance mentions a PowerShell script watchdogs.ps1 used to download Cobalt Strike in an attack on ColdFusion servers by an actor self-identifying as “BlackDogs 2023” [59]. Another refers to agencies acting as “watchdogs” against cyber threats [60].
  • Conclusion: Based on the provided information, “watchdogs” does not consistently refer to a single, identifiable malicious threat actor group responsible for data breaches or specific campaigns in the same way as groups like Qilin or INC Ransom. Its use appears varied and context-dependent. The specific incident associating “watchdogs” with the Origin PC data sale likely refers to the actor’s chosen moniker in that specific context, possibly inspired by the video game or the general term, but it doesn’t map to a widely tracked group with this name based on the available external research.
  • Sources: 54

Profile: 247

  • Overview: The term “247” appears primarily as a numerical reference or part of other identifiers within the provided materials (e.g., report numbers [76], case numbers [78], vendor names like Smarttech247 [46], operational times like 24/7 SOCs [46]). There is no specific description linking “247” to a distinct threat actor group, its TTPs, motivations, or origins in the context of cyberattacks like the Russian Standard Bank or Abdul Rahman Fakieh Schools incidents mentioned in the source data.
  • Conclusion: Based on the provided information, “247” does not appear to represent a known, profiled threat actor group. Its association with specific incidents likely stems from the actor’s chosen moniker on platforms like BreachForums for those specific posts, rather than representing an established group identity tracked in external threat intelligence.
  • Sources: 46

Profile: Electronic Army Special Forces

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of Electronic Army Special Forces was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (DDoS attacks on Ho Chi Minh City, Bến Tre Power Company, VNPT) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: CASH NETWORK C2

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of CASH NETWORK C2 was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Defacement of CapCut) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: Seacoat

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of Seacoat was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data leak of DLH.net) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: pirates_gold

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of pirates_gold was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged sale database of BWSSB) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: Dbhandler

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of Dbhandler was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged leak of Facebook) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: mr_jack311

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of mr_jack311 was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged database sale of Mitsubishi Motors Vietnam) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: 0giv

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of 0giv was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data breach of Circle) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: mentalpositive

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of mentalpositive was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged sale of loader.c) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: shadowscript

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of shadowscript was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged Sale of Gmail Prompt Automation Tool Source Code) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: BanyuwangiXploit

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of BanyuwangiXploit was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged leak of ISRAEL DATABASES) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: rootkik

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of rootkik was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data breach of Bolivarian National Police) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: betway

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of betway was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged Sale of Data from Kirkendall Dwyer LLP, Alleged Sale of Data from Wolters Kluwer) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: redblueapple2

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of redblueapple2 was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged Domain admin access sale to an unidentified organization in Italy) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: T0r

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of T0r was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data sale of BuyAntiVirusKey.com) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: M4ster

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of M4ster was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data breach of CITROSOL) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: PhantomAtlas

  • Overview: No specific information regarding the activities, TTPs, motivations, or origins of PhantomAtlas was found within the provided research materials [1]. Any details regarding this actor’s involvement in specific incidents (Alleged data breach of MGPTT + Ministry of Labor ALGERIA) are solely based on the associated incident report derived from the source data.
  • Sources: None applicable from provided materials.

Profile: Night Sky

  • Overview: Night Sky is identified as a China-based ransomware actor that emerged in late 2021 (first seen December 2021) [85]. They target corporate networks and practice multi-extortion, demanding payment for decryption and non-release of stolen data [85]. A blog lists non-paying victims and leaked data [85].
  • TTPs:
    • Initial Access: Typically spread via malicious emails (attachments, links, JavaScript) or malicious websites [85]. Affiliates handle delivery, so methods can vary [85].
    • Encryption: Uses a combination of AES-128 (CBC) and RSA-2048 for encryption [85]. Files are appended

Works cited

  1. qilin-threat-profile-tlpclear.pdf – HHS.gov, accessed April 10, 2025, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
  2. Qilin Ransomware – Blackpoint Cyber, accessed April 10, 2025, https://blackpointcyber.com/wp-content/uploads/2025/01/Qilin-3.pdf
  3. Qilin Ransomware | Loginsoft Blog, accessed April 10, 2025, https://www.loginsoft.com/post/qilin-ransomware
  4. Qilin Ransomware: Detection and Analysis – Darktrace, accessed April 10, 2025, https://darktrace.com/blog/a-busy-agenda-darktraces-detection-of-qilin-ransomware-as-a-service-operator
  5. Qilin group observed using custom tool for widespread credentials theft | SC Media, accessed April 10, 2025, https://www.scworld.com/brief/qilin-group-observed-using-custom-tool-for-widespread-credentials-theft
  6. Ransomware in focus: Meet NightSpire – S-RM, accessed April 10, 2025, https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-nightspire
  7. Advisories – Qilin Ransomware – MyCERT, accessed April 10, 2025, https://www.mycert.org.my/portal/advisory?id=MA-1300.032025
  8. 2025 Ransomware: Business as Usual, Business is Booming | Rapid7 Blog, accessed April 10, 2025, https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/
  9. CISA reaffirms to safeguard US critical infrastructure against escalating threats from Qilin ransomware group – Industrial Cyber, accessed April 10, 2025, https://industrialcyber.co/cisa/cisa-reaffirms-to-safeguard-us-critical-infrastructure-against-escalating-threats-from-qilin-ransomware-group/
  10. Analysis of the Russian-Speaking Threat Actor NoName 057(16 …, accessed April 10, 2025, https://labs.yarix.com/2022/10/analysis-of-the-russian-speaking-threat-actor-noname-05716/
  11. NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 10, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
  12. Pro-Russian Hacktivists Targeting Canadian Organizations – Radware, accessed April 10, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-hacktivists-targeting-canadian-organizations/
  13. www.quorumcyber.com, accessed April 10, 2025, https://www.quorumcyber.com/wp-content/uploads/2024/04/TI-NoName057-Threat-Actor-Profile-1.pdf
  14. NoName057 targets Italy again after Zelensky’s visit to the country – Security Affairs, accessed April 10, 2025, https://securityaffairs.com/172982/hacktivism/noname057-targets-italy.html
  15. Pro-Russia collective NoName057(16) launched a new wave of DDoS attacks on Italian sites – Security Affairs, accessed April 10, 2025, https://securityaffairs.com/174294/hacktivism/noname05716-launched-ddos-attacks-on-italian-sites.html
  16. NoName057(16) – NetScout Systems, accessed April 10, 2025, https://www.netscout.com/blog/asert/noname057-16
  17. Cybersecurity threats: NoName057 targets Italy’s financial sector | White Blue Ocean, accessed April 10, 2025, https://www.whiteblueocean.com/newsroom/ddos-attacks-rock-the-italian-financial-sector/
  18. Quick Overview of Recent DDoS Attacks Targeting South Korea – S2W, accessed April 10, 2025, https://www.s2w.inc/en/resource/detail/798
  19. Israel ranks second in list of countries targeted by cyberattacks in 2024 — report, accessed April 10, 2025, https://www.timesofisrael.com/israel-ranks-second-in-list-of-countries-targeted-by-cyberattacks-in-2024-report/
  20. Ransomware Spotlight: INC | Trend Micro (US), accessed April 10, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-inc
  21. Inc. Ransom | SentinelOne, accessed April 10, 2025, https://www.sentinelone.com/anthology/inc-ransom/
  22. INC Ransom: A Sophisticated Ransomware & Data Extortion Group – Cyble, accessed April 10, 2025, https://cyble.com/threat-actor-profiles/inc-ransom/
  23. Dark Web Profile: INC Ransom – SOCRadar® Cyber Intelligence Inc., accessed April 10, 2025, https://socradar.io/dark-web-profile-inc-ransom/
  24. Inc Ransom Attack Analysis: Extortion Methodologies – ReliaQuest, accessed April 10, 2025, https://www.reliaquest.com/blog/inc-ransom-attack-analysis-extortion-methodologies/
  25. Inc Ransom Attack Analysis – ReliaQuest, accessed April 10, 2025, https://www.reliaquest.com/blog/inc-ransom-attack-analysis/
  26. What Is a Ransomware Attack? – CrowdStrike.com, accessed April 10, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/ransomware/
  27. Ransomware Defense Assessment – CrowdStrike, accessed April 10, 2025, https://www.crowdstrike.com/wp-content/uploads/2023/10/23-SRV-052-Ransomware-Defense-Assessment-DataSheet.pdf
  28. DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen – Infosecurity Magazine, accessed April 10, 2025, https://www.infosecurity-magazine.com/news/6tb-data-stolen-saudi-cyber-attack/
  29. DragonForce Ransomware Group is Targeting Saudi … – Resecurity, accessed April 10, 2025, https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia
  30. Threat Report: DragonForce Ransomware’s Professional Approach …, accessed April 10, 2025, https://www.armscyber.com/insights/dragonforce-ransomware-a-professional-approach-to-chaos/
  31. DragonForce Ransomware Recovery – Solace Cyber, accessed April 10, 2025, https://solacecyber.co.uk/dragonforce-ransomware/
  32. DragonForce Ransomware – What You Need To Know – Tripwire, accessed April 10, 2025, https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-need-know
  33. BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability, accessed April 10, 2025, https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
  34. Resecurity turns the table on BlackLock ransomware – The Register, accessed April 10, 2025, https://www.theregister.com/2025/03/27/security_shop_pwns_ransomware_gang/
  35. THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More, accessed April 10, 2025, https://thehackernews.com/2025/03/thn-weekly-recap-github-supply-chain.html
  36. Ransomware Protection: Calculating Risk & Savings – Zscaler, accessed April 10, 2025, https://www.zscaler.com/resources/ransomware-roi
  37. Technical Analysis of Industrial Spy Ransomware – Zscaler, accessed April 10, 2025, https://www.zscaler.com/blogs/security-research/technical-analysis-industrial-spy-ransomware
  38. Analyzing BlackByte Ransomware’s Go-Based Variants | Zscaler, accessed April 10, 2025, https://www.zscaler.com/blogs/security-research/analysis-blackbyte-ransomware-s-go-based-variants
  39. CryptNet Ransomware | ThreatLabz – Zscaler, accessed April 10, 2025, https://www.zscaler.com/blogs/security-research/technical-analysis-cryptnet-ransomware
  40. Space Bears Ransomware Recovery – Solace Cyber, accessed April 10, 2025, https://solacecyber.co.uk/space-bears-ransomware/
  41. Space Bears Ransomware: What You Need To Know – Tripwire, accessed April 10, 2025, https://www.tripwire.com/state-of-security/space-bears-ransomware-what-you-need-know
  42. Space Bears Ransomware | WatchGuard Technologies, accessed April 10, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/space-bears
  43. Ransomware attack exposes database of one of France’s biggest IT companies with over … – Times of India, accessed April 10, 2025, https://timesofindia.indiatimes.com/technology/tech-news/ransomware-attack-exposes-database-of-one-of-frances-biggest-it-companies-with-over-100000-employees/articleshow/116806359.cms
  44. BlackBerry Quarterly Global Threat Report — September 2024, accessed April 10, 2025, https://www.blackberry.com/us/en/solutions/threat-intelligence/2024/threat-report-september
  45. Atos Group Denies Space Bears’ Ransomware Attack Claims – Infosecurity Magazine, accessed April 10, 2025, https://www.infosecurity-magazine.com/news/atos-denies-space-bears-ransomware/
  46. Atos confirms not being compromised by the ransomware group Space Bears, accessed April 10, 2025, https://live.euronext.com/en/products/equities/company-news/2025-01-03-atos-confirms-not-being-compromised-ransomware-group
  47. The New Face of Ransomware: Key Players and Emerging Tactics of 2024 – Trustwave, accessed April 10, 2025, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-new-face-of-ransomware-key-players-and-emerging-tactics-of-2024/
  48. Ransomware Report: Latest Attacks And News – Cybercrime Magazine, accessed April 10, 2025, https://cybersecurityventures.com/ransomware-report/
  49. December 16, 2024 Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 10, 2025, https://www.radware.com/getattachment/2a2da1ff-d41e-468a-a263-3b48851ca629/Advisory-Holy-League-Dec-2024.pdf.aspx
  50. Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 10, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
  51. Ben Kapon – content writer at kelacyber, accessed April 10, 2025, https://www.kelacyber.com/academy/editorial/team/ben-kapon-3568003/
  52. CYBERDEFENSE REPORT Hacking the Cosmos: Cyber operations against the space sector A case study from the war in Ukraine – ETH Zürich, accessed April 10, 2025, https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/cyber-reports-2024-10-hacking-the-cosmos.pdf
  53. Risky Bulletin: The growing influencer problem to national security – Risky Business Media, accessed April 10, 2025, https://risky.biz/risky-bulletin-the-growing-influencer-problem-to-national-security/
  54. Game of Threats: Winning Strategies for Proactive Cyber Defense | HackerNoon, accessed April 10, 2025, https://hackernoon.com/game-of-threats-winning-strategies-for-proactive-cyber-defense
  55. Beware Of The Latest Online Scams – Cybercrime Magazine, accessed April 10, 2025, https://cybersecurityventures.com/security-awareness-training-blog/
  56. McAfee Labs Threats Report – SCADAhacker, accessed April 10, 2025, https://scadahacker.com/library/Documents/Threat_Intelligence/McAfee%20-%20Threat%20Report%202015-3Q.pdf
  57. Emerging Technology Trends and Cyber Security Related Issues – AITP-LA, accessed April 10, 2025, https://aitp-la.org/wp-content/uploads/2014/07/Big-ITMTG0612-Cyber-Information-Energy-BYOD-Trends-vcl.pdf
  58. Avast marked watchdogs.exe as a malware. : r/watch_dogs – Reddit, accessed April 10, 2025, https://www.reddit.com/r/watch_dogs/comments/26pn78/avast_marked_watchdogsexe_as_a_malware/
  59. Ransomware actor exploits unsupported ColdFusion servers—but comes away empty-handed – Sophos News, accessed April 10, 2025, https://news.sophos.com/en-us/2023/10/19/ransomware-actor-exploits-coldfusion-servers-but-comes-away-empty-handed/
  60. Hackers and Hostilities: The Role of Cyber Espionage in Global Conflicts – Indic, accessed April 10, 2025, https://indicrf.org/article/cyber-security-ai-and-defense/hackers-and-hostilities-the-role-of-cyber-espionage-in-global-conflicts
  61. Watchdogs or guard dogs: Do anti-corruption agencies need strong teeth? | Policy and Society | Oxford Academic, accessed April 10, 2025, https://academic.oup.com/policyandsociety/article/34/2/125/6401367
  62. Cyber Security Report 2021, accessed April 10, 2025, https://securitydelta.nl/media/com_hsd/report/426/document/cyber-security-report-2021.pdf
  63. Cyber-physical systems security: Limitations, issues and future trends – PMC, accessed April 10, 2025, https://pmc.ncbi.nlm.nih.gov/articles/PMC7340599/
  64. 3 New Risks That CISOs Will Face in 2024 Steps To Implement Cyber Controls and Processes Closing the Gap: Safeguarding Critical – Cyber Defense Magazine, accessed April 10, 2025, https://www.cyberdefensemagazine.com/newsletters/january-2024/files/downloads/CDM-CYBER-DEFENSE-eMAGAZINE-January-2024.pdf
  65. Overcoming inevitable risks of electronic communication – CCDCOE, accessed April 10, 2025, https://ccdcoe.org/uploads/2018/10/I-accidentally-malware.pdf
  66. Official statement by CD Project RED on the cyberbreach of its internal network and ransomware : r/Games – Reddit, accessed April 10, 2025, https://www.reddit.com/r/Games/comments/lfxosp/official_statement_by_cd_project_red_on_the/
  67. Watch Dogs is “dead and buried” : r/GamingLeaksAndRumours – Reddit, accessed April 10, 2025, https://www.reddit.com/r/GamingLeaksAndRumours/comments/1callme/watch_dogs_is_dead_and_buried/
  68. Weekly Intelligence Report – 07 June 2024 – CYFIRMA, accessed April 10, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-07-june-2024/
  69. Egregor: The New Ransomware Variant to Watch – ReliaQuest, accessed April 10, 2025, https://www.reliaquest.com/blog/egregor-the-new-ransomware-variant-to-watch/
  70. Rocke Evolves Its Arsenal With a New Malware Family Written in Golang | Anomali Labs, accessed April 10, 2025, https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
  71. Cyber Attacks on Data Center Organizations – Resecurity, accessed April 10, 2025, https://www.resecurity.com/blog/article/cyber-attacks-on-data-center-organizations
  72. Nation State Actors and Cyber Attacks in the Emerging 5G Ecosystem – Betacom, accessed April 10, 2025, https://www.betacom.com/news/nation-state-actors-and-cyber-attacks-in-the-emerging-5g-ecosystem/
  73. CySecurity News – Latest Information Security and Hacking Incidents, accessed April 10, 2025, https://www.cysecurity.news/
  74. Healthcare Cybersecurity: Taking a Proactive Route – CySecurity News – Latest Information Security and Hacking Incidents, accessed April 10, 2025, https://www.hcinnovationgroup.com/55236264
  75. Fourth Timeline: current events – SurveillanceCapitalism, accessed April 10, 2025, https://www.surveillancecapitalism.com/?page_id=1128
  76. 2024 National Money Laundering Risk Assessment (NMLRA) – Treasury Department, accessed April 10, 2025, https://home.treasury.gov/system/files/136/2024-National-Money-Laundering-Risk-Assessment.pdf
  77. 2024 National Money Laundering Risk Assessment – Bubble, accessed April 10, 2025, https://002fc127267a1d4437a42f4110ac7dbb.cdn.bubble.io/f1709410611348x346997688226772500/1707373818460.pdf
  78. Case 3:24-md-03098-EMC Document 78 Filed 06/26/24 Page 1 of 186, accessed April 10, 2025, https://files.lbr.cloud/public/2024-09/complaint.pdf?VersionId=SCf2vj1TPKDDTNzq3Oo_WtxUmkx4m4k4
  79. Weekly Security Articles 31-January-2024 – IFATCA, accessed April 10, 2025, https://www.ifatca.org/wp-content/uploads/weekly-security-items-31-january-2024.pdf
  80. Weekly Security Articles 29-December-2022 – ATC GUILD INDIA, accessed April 10, 2025, https://www.atcguild.in/iwen/iwen0223/General/weekly%20security%20items%2029-December-2022.pdf
  81. Cybersecurity Week in Review (20/10/2023) – Smarttech247, accessed April 10, 2025, https://www.smarttech247.com/news/cybersecurity-week-in-review-20-10-2023/
  82. ENISA THREAT LANDSCAPE 2023, accessed April 10, 2025, https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Threat%20Landscape%202023.pdf
  83. Cyber Threat Intelligence: Cybercrime in the Clear, accessed April 10, 2025, https://projekter.aau.dk/projekter/files/532661531/Master_Thesis_Main.pdf
  84. List of data breaches – Wikipedia, accessed April 10, 2025, https://en.wikipedia.org/wiki/List_of_data_breaches
  85. Night Sky – SentinelOne, accessed April 10, 2025, https://www.sentinelone.com/anthology/night-sky/
  86. SentinelOne Vs. Night Sky Ransomware – Quarantine and Kill – SentinelOne, accessed April 10, 2025, https://www.sentinelone.com/resources/sentinelone-vs-night-sky-ransomware-quarantine-and-kill/