[December-22-2025] Daily Cybersecurity Threat Report

This report provides a comprehensive analysis of the cyber threat landscape for the period centering on December 22, 2025. The analysis is based on 79 distinct intelligence alerts detailing ransomware campaigns, critical infrastructure compromises, and large-scale data breaches.

Executive Summary

The reporting period is characterized by a high volume of ransomware activity and critical infrastructure targeting. Two primary ransomware groups, Qilin and Dire Wolf, are responsible for a significant portion of the attacks, with Qilin targeting Western and Middle Eastern sectors, and Dire Wolf focusing heavily on Southeast Asia.

Simultaneously, there is a concerning trend of Operational Technology (OT) and SCADA system compromises involving heating, gas, and telecommunications infrastructure in Europe and North Africa. In the realm of data breaches, the aviation and government sectors in Indonesia and Thailand are experiencing a concentrated wave of data leaks.

1. Critical Infrastructure & OT/ICS Threats

A distinct and alarming trend in this dataset is the unauthorized access to industrial control systems (ICS) and SCADA networks. These incidents pose physical safety risks beyond standard data theft.

  • Egypt (Telecommunications & SCADA): Threat actor “pryx” claims access to Telecom Egypt’s SCADA network. This access allegedly includes control over Hyper-V hosts and gas-regulated systems. The actor links this breach to a fire at the Ramses Central Exchange that resulted in casualties, alleging the fire coincided with network manipulation.
  • Latvia (Heating Systems): The “Infrastructure Destruction Squad” claims access to the electronic management system of GRANDEG, a manufacturer of pellet stoves. The compromised system reportedly controls combustion processes, fans, and internal temperature stability.
  • Ukraine (Gas Control): The “Z-PENTEST ALLIANCE” claims access to a gas control system in Yurkivka, Ukraine, which monitors oxygen and CO2 levels in control chambers.
  • Czech Republic (Water/Industrial): The same group, “Z-PENTEST ALLIANCE,” claims access to industrial equipment controlling pumps, valves, and water treatment processes in the Czech Republic.

2. Ransomware Landscape

Ransomware remains the dominant threat vector, with multiple groups conducting “double extortion” attacks (stealing data before encryption).

A. Qilin Ransomware Campaign

The Qilin group is currently the most active threat actor in this dataset, targeting a wide range of industries globally, from food production to healthcare.

Victim Organization            Industry        Country     Details
Callipo Group                  Food & Bev      Italy       Previously hit by Medusa in Dec ’25
National Biscuit Industries    Food & Bev      Oman        Data obtained
Besco Electrical               Construction    USA         Data obtained
Scenic Solutions LLC           Entertainment   USA         Data obtained
Lasercomb GmbH                 Manufacturing   Germany     Data obtained
Hongfa America, Inc.           Electronics     USA         Data obtained
Grupo Amanus                   Healthcare      Argentina   Data obtained

Note: Qilin also targeted the Estuary Community of Municipalities in France and Lugiano Medical in the USA.

B. Dire Wolf Ransomware (Asia-Pacific Focus)

The Dire Wolf group is executing a coordinated campaign specifically targeting organizations in Thailand, Malaysia, and Taiwan. They typically threaten to publish data within 11 to 29 days.

  • Government: The Office of Public Sector Anti-Corruption Commission (PACC) in Thailand (200 GB of data stolen).
  • Automotive: Sanyang Motor Co., Ltd. in Taiwan (10 GB of data).
  • Manufacturing: Guan Chong Berhad in Malaysia (1.1 TB of data).
  • Legal: Adnan Sundra & Low in Malaysia (488 GB of data).
  • Security: Ranger Investigation Guard Co., Ltd. in Thailand (80 GB of data).

C. Emerging & Other Strains

  • DEVMAN 2.0: Targeted Clinica Davila (Chile), stealing 250 GB of patient medical records and IDs. They also hit the British Holiday & Home Parks Association.
  • SECUROTROP: Claimed an attack on Spartan Carbide, Inc. (USA), stealing 149 GB of sensitive employee and tax data.
  • BBQLL RaaS: A new Ransomware-as-a-Service (RaaS) program is being promoted, boasting features like BYOVD-based EDR evasion and Linux support.

3. Major Data Breaches & Leaks

Large-scale data dumps are being sold or leaked on forums like BreachForums and Telegram channels.

A. The Aviation Sector (Indonesia & Thailand)

A threat actor known as TEAM MR PLAX has launched a focused campaign against airport infrastructure, leaking operational data such as flight schedules, terminal maps, and passenger services.

  • Hasanuddin Airport (Indonesia)
  • Kualanamu Airport (Indonesia)
  • Juanda International Airport (Indonesia)
  • I Gusti Ngurah Rai International Airport (Thailand/Bali)
  • Soekarno-Hatta International Airport (Thailand/Indonesia context)

B. Government & Citizen Data

  • Indonesia: A massive breach allegation involves 80 million citizen records leaked by actor “motifxf8”. Additionally, 6 million population records and government email accounts are being sold.
  • Venezuela: Threat actor “malconguerra2” claims to have leaked 207.5 GB of data from the Bolivarian National Police (PNB).
  • France: A 20 GB database containing records from multiple French services is being leaked.
  • Thailand: Login credentials for the Department of National Parks (DNP) portal were leaked.

C. Logistics & Commercial

  • Colis Privé (France): A leak of 21 million records including customer addresses and phone numbers.
  • Facebook (India): Alleged sale of 5 million user leads including emails and mobile numbers.

4. Initial Access Markets & Defacement

Cybercriminal marketplaces are active with the sale of entry points into networks, facilitating future attacks.

  • Bulk Access Sales: Actor “SantaAd” is selling unauthorized network access to 1,500 compromised systems, primarily Linux environments.
  • Government Registries: Access to the Honduras National Registry of Persons is up for sale.
  • Education Sector: A specific actor, Digit_4, is aggressively leaking login access to Thai educational institutions, including Mahachulalongkornrajavidyalaya University, ThaiMOOC, and Chiang Rai Rajabhat University.
  • Defacement: Political or nuisance defacements continue, with groups like “Cyb3r Drag0nz” targeting Syrian government servers and “7 Proxies” targeting educational sites in Bangladesh.

5. Threat Actor Profiles

Based on the frequency and severity of incidents in this report, the following actors are high-priority threats:

  1. Qilin: Highly capable, financially motivated, and sector-agnostic. They are currently managing a high volume of victims concurrently.
  2. Dire Wolf: Distinct geographic focus (Southeast Asia). Their ability to exfiltrate massive datasets (up to 1.1 TB from Guan Chong Berhad) indicates robust infrastructure.
  3. Infrastructure Destruction Squad / Z-PENTEST ALLIANCE: These groups are dangerous due to their focus on Operational Technology (OT). Their claims of controlling physical systems (heating, gas, water) represent a kinetic threat.
  4. TEAM MR PLAX: Focused heavily on the disruption of transport/aviation data in Indonesia and Thailand.

6. Conclusion

The current threat landscape is defined by an aggressive convergence of financially motivated ransomware campaigns and ideologically driven sabotage of critical infrastructure. While Qilin demonstrates a “scattershot” approach affecting diverse industries globally, Dire Wolf exhibits a sophisticated, regionally targeted strategy in Southeast Asia. Most critically, the emergence of actors like Z-PENTEST ALLIANCE and Infrastructure Destruction Squad, who claim access to physical control systems (SCADA/OT) in Europe and North Africa, represents a significant escalation from data theft to potential kinetic disruption. Organizations—particularly in manufacturing, aviation, and public utilities—must prioritize the segregation of IT and OT networks and accelerate patch management to mitigate these evolving risks.