1. Executive Summary
The cyber threat landscape over the past 24 hours has been characterized by significant hacktivist activity, persistent ransomware operations employing double extortion tactics, and continued illicit trading on underground forums. Hacktivist groups, notably Anonymous Italia, Dark Storm Team, Al Ahad, and Ghilan Legion, leveraged Distributed Denial of Service (DDoS) and website defacement techniques, primarily targeting entities in Russia, Bulgaria, and Israel. These actions appear strongly correlated with ongoing geopolitical tensions, with platforms like Telegram serving as key channels for communication and claims of responsibility. Anonymous Italia conducted a widespread defacement campaign against Russian organizations across various sectors, while Dark Storm Team and Al Ahad focused DDoS attacks on Bulgarian and Israeli government infrastructure, respectively.
Ransomware groups LYNX and TERMITE were observed targeting organizations in Australia and Norway. Both groups employed double extortion strategies, involving data theft alongside encryption, posting claims on their respective Tor-based leak sites. LYNX, linked to the INC ransomware family, targeted an Australian law firm, while TERMITE, associated with the Babuk ransomware lineage, claimed a significant data breach against a Norwegian retail company.
Underground forums such as BreachForums and Exploit.in, alongside platforms like Telegram, remained active hubs for cybercriminal activity. Incidents included the alleged leak or sale of databases from organizations in Taiwan, Iran, Peru, India, and Algeria, perpetrated by actors including W1ndStre4m, ShadowBits, Gatito_FBI_NZ, Machine1337, and itachi0xff. Additionally, actors like Servicedaily offered bundles of compromised financial and identity data, while Initial Access Brokers (IABs) like samy01 advertised unauthorized network access (e.g., RDWeb for an Austrian manufacturer) on specialized forums. The actor Vortex claimed access to a Tunisian engineering firm via Telegram.
Targeted sectors were diverse, including Government Administration, Manufacturing, Financial Services, Legal, Retail, Telecommunications, Transportation, and Healthcare, indicating a broad threat surface across multiple geographic regions.
2. Hacktivist Activity Analysis
Hacktivism, the use of computer hacking capabilities to promote political or social agendas, remains a prominent feature of the cyber threat landscape.[1] These actors, often operating under group banners or as part of decentralized collectives, employ various Tactics, Techniques, and Procedures (TTPs) to achieve their objectives. Common methods include Distributed Denial of Service (DDoS) attacks to disrupt online services, website defacements to broadcast messages or embarrass targets, and data leaks to expose sensitive information or alleged wrongdoing.[2] Motivations are typically ideological, driven by perceived injustices, political opposition, or support for specific causes, often linked to geopolitical events or social movements.[2] Communication and coordination frequently occur on accessible platforms like Telegram, which are used to announce campaigns, claim responsibility for attacks, and disseminate propaganda.[2] The incidents recorded over the past 24 hours demonstrate these characteristics, with campaigns clearly linked to ongoing international conflicts and tensions.
2.1 Anonymous Italia Campaign (Defacements)
Overview: A significant defacement campaign was conducted by actors identifying as “Anonymous Italia.” This group likely operates as a regional contingent adhering to the principles and decentralized structure of the global Anonymous collective.[8] The broader Anonymous movement, originating in the early 2000s, is characterized by its anti-establishment, anti-censorship, and anti-corruption stance, advocating for freedom of speech, privacy rights, and social justice.[4] Historically, Anonymous has targeted governments, corporations, and other institutions perceived as oppressive, corrupt, or unethical, using cyberattacks as a form of online protest or “hacktivism”.[1] Their operations often coincide with major geopolitical events or social movements.[10]
Targets & Tactics: This specific campaign involved numerous website defacements primarily targeting Russian entities across a wide array of industries, including Leisure & Travel, Manufacturing, Industrial Products, Furniture, Fine Art, Hospitality, Medical Practice, and Building/Construction. A single Bulgarian entity in the Hospitality sector was also targeted. Website defacement is a classic hacktivist TTP aimed at disrupting the target’s online presence, spreading a message, and causing public embarrassment.[2] The claims and associated screenshots for these defacements were disseminated via Telegram, a platform commonly utilized by hacktivist groups for communication and publicizing their actions.[5]
Specific Incidents (2025-04-12):
- BG Sunny (Russia, Leisure & Travel): Claimed defacement of bgsunny.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/620?single
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/418e6d42-8f49-401a-ab72-747913ab6376.png
- Hettich (Russia, Manufacturing): Claimed defacement of sensys-shop.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/618
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/e9903581-d770-40ec-91d5-4ab390a56cd7.png
- AVANTGARDE+ (Russia, Manufacturing & Industrial Products): Claimed defacement of avangard-plus.com.
  - Published URL: https://t.me/AnonSecIta_Ops/616
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/612f7ef4-ed45-4fc3-9afe-f7948c39d10f.png
- Sunny View South (Bulgaria, Hospitality & Tourism): Claimed defacement of svsbg.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/614
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/77990547-a6a9-42fa-a434-5741aa333d0c.png
- Hettich Shop (Russia, Furniture): Claimed defacement of atira-shop.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/612
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/f90eb49b-981f-4d9f-a8c6-63ca8312d461.png
- Russian Academy of Arts (Russia, Fine Art): Claimed defacement of art-history.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/608
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/7a948e14-4c92-463e-a891-cefd2023b892.png
- Restora (Russia, Hospitality & Tourism): Claimed defacement of trialcafe.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/610
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/9c0b5dee-a66c-46d0-b283-2ec188286593.png
- ADEL (Russia, Manufacturing & Industrial Products): Claimed defacement of adellock-shop.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/605
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/f226a00e-924c-4b38-96fe-a0f2b4afce3c.png
- GT Eyecare (Russia, Medical Practice): Claimed defacement of wingline-shop.ru.
  - Published URL: https://t.me/AnonSecIta_Ops/604?single
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/35f684f2-a54c-4965-859e-9c3ecd72376e.png
- private-designers.rf (Russia, Building and Construction): Claimed defacement of частные-дизайнеры.рф.
  - Published URL: https://t.me/AnonSecIta_Ops/601
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/b9b71ab2-9db8-47d4-b198-44221a37241b.png
Analysis: The concentration of attacks against Russian targets across diverse sectors suggests a coordinated campaign. This pattern is consistent with historical Anonymous operations responding to geopolitical events, such as the conflict in Ukraine, or protesting specific government actions.[11] The use of defacement aligns with typical hacktivist methods for expressing dissent and achieving visibility.[3] Given Anonymous Italia’s affiliation with the broader Anonymous movement known for political motivations [8], it is highly probable that this campaign represents a form of digital protest against the Russian state or its perceived policies. The inclusion of a single Bulgarian target could be opportunistic, based on vulnerability, or potentially linked to perceived Russian affiliations or influence within the targeted entity, although the primary focus remains clearly on Russia.
2.2 Dark Storm Team Campaign (DDoS)
Overview: Dark Storm Team emerged in late 2023, identifying as a pro-Palestinian hacktivist collective.[12] The group gained notoriety for targeting governments and organizations perceived as supporters of Israel.[12] Their primary TTP involves launching large-scale DDoS attacks, a methodology noted to resemble that of pro-Russian hacktivist groups like Killnet.[12] While professing ideological motivations, Dark Storm Team has also marketed itself as a provider of hacker-for-hire services, including DDoS attacks and database breaches, indicating a potential blend of political activism and financial opportunism.[12] High-profile targets claimed by the group include major US airports (JFK, LAX) and the social media platform X (formerly Twitter).[12]
Targets & Tactics: In the reporting period, Dark Storm Team targeted Bulgarian government websites, specifically the Municipalities of Varna and Plovdiv, using DDoS attacks. Evidence of the attacks, in the form of check-host.net reports showing downtime, was provided alongside the claims made via their Telegram channel. This method of operation (using DDoS, targeting government entities, and publicizing claims with proof links on Telegram) is consistent with their established practices.[17]
Specific Incidents (2025-04-12):
- Municipality of Varna (Bulgaria, Government Administration): DDoS attack targeting varna.bg. Proof link: https://check-host.net/check-report/24e44bebkebd.
  - Published URL: https://t.me/DarkStormTeam3/233
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/26284559-0972-4889-a662-84e06c54d9af.png
- Municipality of Plovdiv (Bulgaria, Government Administration): DDoS attack targeting plovdiv.bg. Proof link: https://check-host.net/check-report/24e448c5kcaa.
  - Published URL: https://t.me/DarkStormTeam3/233 (same Telegram post as Varna)
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/5a0d0420-c6f2-46ba-8574-707c43a51ee5.png
Analysis: The targeting of Bulgarian government entities represents a potential broadening of Dark Storm Team’s typical target scope, which historically focuses on Israel and its direct supporters.[12] As Bulgaria is a member of NATO and the EU, these attacks might signify an adoption of tactics similar to those used by pro-Russian groups like Killnet, which frequently target NATO members perceived as adversaries.[12] By attacking a NATO/EU country, Dark Storm Team could be aiming to exert indirect pressure related to the Israeli-Palestinian conflict or signal alignment with broader anti-Western hacktivist coalitions.[16]
Furthermore, the group’s operational model appears complex. Their simultaneous engagement in politically framed attacks and commercial hacker-for-hire services, coupled with activities like promoting their own cryptocurrency (DARKSTORM/SOL) during the high-profile attack on X [20], suggests that their hacktivist identity may serve, at least partially, as a facade or marketing tool for financially motivated cybercrime. This aligns with an observed trend where threat actors adopt hacktivist causes to enhance notoriety, recruit members, or directly profit through associated schemes like cryptocurrency pump-and-dumps.[2] The attacks on Bulgarian municipalities could fit within either a broadened political scope or an opportunistic targeting strategy driven by their DDoS-for-hire operations.
2.3 Al Ahad Campaign (DDoS)
Overview: Al Ahad has surfaced as a hacktivist entity conducting DDoS attacks against Israeli government targets. While specific intelligence on this group’s origins or structure is limited in available sources beyond its name appearing in a list [22], its observed actions (targeting Israeli state institutions with disruptive attacks claimed via Telegram) are characteristic of hacktivist operations within the context of the Israeli-Palestinian conflict.[2] Numerous pro-Palestinian and anti-Israel hacktivist groups utilize DDoS as a primary tactic and leverage platforms like Telegram for communication and claims.[7]
Targets & Tactics: The group executed DDoS attacks targeting the websites of four distinct Israeli government ministries: Transport and Road Safety, Education, Justice, and Finance. Proof-of-downtime links from check-host.net were provided for each attack. All claims were consolidated within a single post on the Telegram channel qayzerowns.
Specific Incidents (2025-04-12):
- Israel Ministry of Transport and Road Safety: DDoS attack on mot.gov.il. Proof: https://check-host.net/check-report/24e33968k4e4.
  - Published URL: https://t.me/qayzerowns/41
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/bb78e0ad-8547-48c3-ab7c-19687b38c17d.png
- Ministry of Education (Israel): DDoS attack on education.gov.il. Proof: https://check-host.net/check-report/24e337f0k2a7.
  - Published URL: https://t.me/qayzerowns/41
  - Screenshots: https://d34iuop8pidsy8.cloudfront.net/aa4e63fc-ecf6-4f2c-ba35-c354300a0990.png, https://d34iuop8pidsy8.cloudfront.net/a2866756-033e-4656-a008-d25de3152fc4.png
- Ministry of Justice (Israel): DDoS attack on justice.gov.il. Proof: https://check-host.net/check-report/24e3349fk531.
  - Published URL: https://t.me/qayzerowns/41
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/e5aa2f83-15af-4e3b-b391-a266d4bb91e2.png
- Israel Ministry of Finance: DDoS attack on finance.gov.il. Proof: https://check-host.net/check-report/24e3363ekc98.
  - Published URL: https://t.me/qayzerowns/41
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/5a609353-b2d0-4688-afa2-8842e5024ad7.png
Analysis: The simultaneous targeting of multiple high-profile Israeli government ministries strongly suggests a coordinated campaign driven by anti-Israel sentiment, likely linked to the ongoing Israeli-Palestinian conflict.[2] DDoS attacks serve as a common tool for hacktivists in this arena to disrupt government services, generate media attention, and express political protest.[3] The consolidation of claims for all four attacks into a single Telegram message points towards either a centrally managed operation or the actions of a single individual or small cell operating under the “Al Ahad” banner. This activity underscores the continued use of cyber means as a vector for conflict expression in the region.
2.4 Ghilan Legion Campaign (DDoS)
Overview: “Ghilan Legion” emerged in this reporting period as a hacktivist group employing DDoS attacks and using Telegram to publicize its claims. The name evokes a hacktivist persona, although it appears distinct from the “Legion” group previously associated with attacks in India and Russia.[23] Their observed TTPs (DDoS attacks against public-facing websites coupled with claims on Telegram containing proof-of-downtime links) are standard practice within the hacktivist landscape.[2] The group’s specific motivations remain unclear based on the available information, but the nature of their targets suggests potential ideological or geopolitical drivers.
Targets & Tactics: Ghilan Legion conducted DDoS attacks against two disparate targets: the General Control of Public Services in Mali and the Siena mobility transportation service in Italy. Proof-of-downtime links from check-host.net were provided for both incidents. The claims for both attacks were posted together in a single message on the group’s Telegram channel.
Specific Incidents (2025-04-12):
- General Control of Public Services (Mali, Government Administration): DDoS attack targeting cgsp.ml. Proof link: https://check-host.net/check-http?host=https://cgsp.ml/.
  - Published URL: https://t.me/GhilanLegion/250
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/f03ee83a-9fc4-4761-9e21-8f73586cdbaa.png
- Siena mobility (Italy, Transportation & Logistics): DDoS attack targeting sienamobilita.it. Proof link: https://check-host.net/check-http?host=https://www.sienamobilita.it/.
  - Published URL: https://t.me/GhilanLegion/250 (same Telegram post as Mali)
  - Screenshot: https://d34iuop8pidsy8.cloudfront.net/15357a4c-e2ae-4987-84be-754bba9272ab.png
Analysis: The selection of targets in Mali and Italy by Ghilan Legion presents an ambiguous picture. The lack of an obvious thematic link between a Malian government service and an Italian transportation entity could indicate several possibilities. The attacks might be opportunistic, targeting organizations based on identified vulnerabilities rather than a specific political agenda. Alternatively, the group may harbor diverse geopolitical motivations spanning different regions. Another plausible explanation is that Ghilan Legion operates as part of a larger hacktivist coalition, such as the ‘Holy League’ [7], which coordinates attacks across numerous member groups against a broad list of perceived adversaries, often including Western nations or their allies. Such alliances allow groups with different primary focuses to contribute to larger campaigns. Without further intelligence on Ghilan Legion’s specific ideology or affiliations, determining the precise driver behind this target selection remains speculative. However, the use of DDoS and Telegram aligns them firmly within the contemporary hacktivist ecosystem.
3. Ransomware Incidents
Ransomware continues to be a significant threat to organizations worldwide. The Ransomware-as-a-Service (RaaS) model dominates the landscape, enabling affiliates to launch attacks using toolkits provided by core operators.[24] A prevalent tactic is “double extortion,” where attackers not only encrypt the victim’s data but also exfiltrate sensitive information, threatening to leak it publicly unless a ransom is paid.[24] Threat actors employ a variety of TTPs, including phishing, exploitation of vulnerabilities, and compromised credentials for initial access, followed by techniques for lateral movement, privilege escalation, disabling security controls, deleting backups, and data exfiltration prior to encryption.[24]
3.1 LYNX Ransomware Attack
Incident: The Australian law practice, Bilbie Faraday Harrison, Solicitors, was listed as a victim on the LYNX ransomware group’s Tor-based data leak site. The group claims to have obtained organizational data.
Actor Profile: LYNX emerged as a RaaS operation in mid-2024.[27] Technical analysis indicates a strong connection to the INC ransomware family, with significant source code overlap suggesting LYNX may be a rebranded or evolved version, potentially built upon purchased INC source code.[25] LYNX operates a sophisticated affiliate program, providing cross-platform ransomware binaries (Windows, Linux, ESXi) and various encryption modes.[27] Affiliates reportedly receive an 80% share of ransom payments and handle victim negotiations, with the core LYNX group offering support services like call centers to harass victims.[27]
Key TTPs associated with LYNX include:
- Initial Access: Phishing emails, malicious downloads, compromised credentials.[24]
- Execution & Encryption: Uses robust encryption (Curve25519, AES-128) [24], appends the .LYNX extension [29], uses the Windows Restart Manager API to terminate processes holding files open [27], and attempts privilege escalation if needed.[29]
- Defense Evasion: Terminates processes/services (including backup/database services) [25], deletes shadow copies/backups.[25]
- Extortion: Employs double extortion, exfiltrating data before encryption and threatening leaks via their dedicated Tor site.[24] They may also “drip” data gradually to increase pressure.[29]
LYNX targets a diverse range of industries globally, including finance, manufacturing, energy, retail, and legal services, primarily focusing on SMBs but capable of hitting larger organizations.[24] While claiming to avoid critical sectors like healthcare and government [25], attacks on entities like Romanian energy supplier Electrica [28] demonstrate impact on critical infrastructure. The US and UK are frequent targets [25], but victims span over 20 countries.[24]
Links:
- Published URL (Tor): http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/67f9dfdbce8dcc3b0d52bfe5
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/6f330b6a-47df-4624-9632-5595647f855c.png
Analysis: The targeting of Bilbie Faraday Harrison, Solicitors aligns closely with LYNX’s operational patterns. Law firms possess highly sensitive and confidential client information, making them attractive targets for double extortion schemes where the threat of data leakage carries significant weight.[28] LYNX has previously demonstrated its willingness to attack legal sector organizations.[28] The victim’s location in Australia falls within the group’s documented global operational reach.[24] As a RaaS operation, the attack was likely carried out by an affiliate using the tools and infrastructure provided by the LYNX operators.[24] This incident reinforces LYNX’s position as an active and capable ransomware threat leveraging data exfiltration for maximum impact.
3.2 TERMITE Ransomware Attack
Incident: Bjorklund Norge AS, a retail company based in Norway, has been listed on the TERMITE ransomware group’s Tor leak site. The group claims to have exfiltrated 340 GB of organizational data and has provided sample screenshots on their portal.
Actor Profile: TERMITE is a relatively new ransomware group that emerged in late 2024.[31] Security researchers assess that TERMITE is likely a variant or rebranding of the Babuk ransomware.[31] Babuk gained notoriety before its source code was leaked in 2021, enabling other actors to adapt its capabilities.[31] TERMITE employs data theft and extortion tactics, consistent with the double extortion model commonly associated with Babuk variants.[32]
Key TTPs associated with TERMITE (partially inferred from Babuk lineage and observed behavior) include:
- Initial Access: Likely uses common vectors such as phishing, exploitation of software vulnerabilities (potentially including zero-days), or purchased credentials.[31]
- Execution & Encryption: Deploys a modified Babuk ransomware strain that encrypts files and appends the .termite extension.[33] It may use techniques like delaying termination during shutdown to maximize encryption time.[34]
- Defense Evasion: Likely disables security software and deletes backups/shadow copies to hinder recovery, common TTPs for Babuk-derived ransomware.[33] It may enumerate and terminate specific services (e.g., VMMS, Veeam).[34]
- Exfiltration & Extortion: Exfiltrates significant volumes of sensitive data before or during encryption and uses the threat of leaking this data on their Tor-based leak site to pressure victims into payment.[32] Communication with victims occurs via a dedicated portal on their Tor site.[31]
TERMITE targets a wide range of sectors globally, including manufacturing, healthcare, government, energy, transportation, retail, legal, and finance.[31] A high-profile attack attributed to TERMITE involved the supply chain management provider Blue Yonder in November 2024, causing significant disruption to its customers.[31] Victims have been identified in North America, Europe, the Middle East, and Australia.[31]
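Both TTP lists above (the LYNX Defense Evasion entry in 3.1 and the TERMITE Defense Evasion entry in 3.2) describe the same pre-encryption stage: shadow copies and backups are deleted and backup or hypervisor services (VMMS, Veeam) are stopped before files are encrypted. The following detection helper is an added example, not code from the report or from any of the groups discussed. It scans constructed process-creation events (a simplified Sysmon Event ID 1 shape; the field names, host names and timestamps are assumptions) for the usual Windows shadow-copy deletion commands and for stops of watched services, then escalates a host on which several distinct rules fire inside a short window, since isolated hits are common in legitimate administration while the cluster is not. The specific command-line patterns and the watched service list beyond VMMS and Veeam are my assumptions, not identifiers taken from the report.

```python
"""Detect the backup-destruction stage that precedes encryption in LYNX- and
TERMITE-style intrusions. Added example; not the report's own tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    ts: datetime
    cmdline: str


# Shadow-copy and backup-catalog deletion commands (assumed patterns; the
# report says "deletes shadow copies/backups" without naming a command).
SHADOW_COPY_RULES = {
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_catalog_delete": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

# VMMS (Hyper-V) and Veeam come from the TERMITE TTP list; MSSQLSERVER is an
# added assumption standing in for the database services LYNX is said to stop.
WATCHED_SERVICES = {"vmms", "veeambackupsvc", "mssqlserver"}
SERVICE_STOP = re.compile(
    r"\b(?:net1?(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+\"?([\w.$-]+)\"?", re.I
)


def classify(cmdline: str):
    """Return the rule name a single command line trips, or None.
    Listing shadow copies or stopping an unrelated service is not flagged."""
    for name, pattern in SHADOW_COPY_RULES.items():
        if pattern.search(cmdline):
            return name
    match = SERVICE_STOP.search(cmdline)
    if match and match.group(1).lower() in WATCHED_SERVICES:
        return "backup_service_stop"
    return None


def analyze(events, window=timedelta(minutes=10), min_rules=2):
    """Return (per-event findings, per-host escalations).

    A host is escalated when at least `min_rules` distinct rules fire within
    `window` of each other: that combination is the pre-encryption pattern
    described for LYNX and TERMITE, while a lone hit is often routine admin."""
    findings = []
    per_host = defaultdict(list)
    for ev in events:
        rule = classify(ev["cmdline"])
        if rule is None:
            continue
        finding = Finding(rule, ev["host"], ev["ts"], ev["cmdline"])
        findings.append(finding)
        per_host[ev["host"]].append(finding)

    escalations = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda f: f.ts)
        for i, first in enumerate(hits):
            in_window = [h for h in hits[i:] if h.ts - first.ts <= window]
            rules = {h.rule for h in in_window}
            if len(rules) >= min_rules:
                escalations[host] = sorted(rules)
                break
    return findings, escalations


# Constructed sample events, not telemetry from any real incident.
SAMPLE_EVENTS = [
    {"ts": datetime(2025, 4, 12, 2, 14, 5), "host": "FS01", "cmdline": "vssadmin list shadows"},
    {"ts": datetime(2025, 4, 12, 2, 15, 1), "host": "FS01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": datetime(2025, 4, 12, 2, 15, 3), "host": "FS01", "cmdline": "wbadmin delete catalog -quiet"},
    {"ts": datetime(2025, 4, 12, 2, 15, 9), "host": "FS01", "cmdline": "net stop VeeamBackupSvc"},
    {"ts": datetime(2025, 4, 12, 2, 16, 0), "host": "HV02", "cmdline": "sc stop vmms"},
    {"ts": datetime(2025, 4, 12, 9, 0, 0), "host": "WS17", "cmdline": "net stop spooler"},
]

if __name__ == "__main__":
    hits, escalated = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.ts:%H:%M:%S} {h.host:<5} {h.rule:<24} {h.cmdline}")
    for host, rules in escalated.items():
        print(f"ESCALATE {host}: {', '.join(rules)}")
```

On the constructed sample, FS01 trips three different rules within seconds and is escalated, HV02 produces a single service-stop finding that stays at its base severity, and the benign `vssadmin list shadows` and `net stop spooler` lines produce nothing. In a real deployment the event source would be the EDR or Sysmon process-creation feed and the window and threshold would be tuned against the environment's normal backup maintenance.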
Links:
- Published URL (Tor): http://termiteuslbumdge2zmfmfcsrvmvsfe4gvyudc5j6cdnisnhtftvokid.onion/post/67f9834d9b91b4933324ef12
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/decc5777-c62f-468f-8dfe-b2a57001b20f.png
Analysis: The attack against Bjorklund Norge AS demonstrates TERMITE’s continued operational tempo and its broad targeting strategy, hitting diverse industries across different geographic regions.[31] The claim of exfiltrating a substantial amount of data (340 GB) aligns with the double extortion model inherited from Babuk, where data theft is central to the extortion process.[32] This incident serves as a reminder of the threat posed by ransomware groups leveraging leaked source code to quickly establish operations and target organizations globally. The retail sector, often holding customer data and processing financial transactions, remains an attractive target for such financially motivated attacks.
4. Data Breach & Leak Events
The landscape of data breaches and leaks continues to be active, fueled by various threat actors and motivations. Underground forums like BreachForums and Exploit.in serve as critical marketplaces and dissemination platforms for stolen data.[40] Actors leak or offer for sale a wide array of compromised information, including entire databases, user credentials, personally identifiable information (PII), financial records, and intellectual property.[50] Motivations driving these incidents range from direct financial gain through data sales or fraud, to espionage conducted by state-sponsored actors, or politically motivated hacktivism aimed at embarrassing or damaging a target organization or government.[54]
4.1 W1ndStre4m – Lian Yong Property Co. Leak
Incident: An actor using the handle “W1ndStre4m” posted on BreachForums claiming to have leaked a database belonging to Lian Yong Property Co., Ltd, a Taiwanese organization. The allegedly compromised data consists of 96 tables across 3 databases, totaling 27 MB in size.
Actor Profile: Specific intelligence regarding the threat actor “W1ndStre4m” is not available in the provided materials. However, the choice of platform, BreachForums, is significant. BreachForums is a well-established English-language illicit forum known for hosting the trade and leakage of stolen datasets.[40] Actors operating on such forums are predominantly financially motivated, seeking to profit from selling compromised data or access.[57] The methods used to acquire such data can vary greatly, commonly including the exploitation of web application vulnerabilities (e.g., SQL injection) or the use of stolen credentials.[54]
Links:
- Published URL: https://breachforums.st/Thread-DATABASE-www-lianyoug-com-tw-DATABASE-Leak
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/2b307b15-5428-4952-8443-1e4e5651f7c4.png
Analysis: This incident exemplifies the routine nature of data trading within the cybercriminal underground. Forums like BreachForums act as central marketplaces where compromised data, regardless of the scale or the notoriety of the actor, is advertised and exchanged.[42] The fact that even a relatively small dataset (27 MB) is offered for leak suggests a broad market exists for various types of compromised information. The posting serves to either distribute the data freely for reputational gain or implicitly offer it for sale, leveraging the forum’s user base of potential buyers or interested parties.
4.2 Servicedaily – Financial/Identity Data Sale
Incident: The threat actor “Servicedaily” advertised on BreachForums a collection of compromised financial and identity data purportedly originating from U.S. sources. The offered data includes sensitive items such as U.S. Social Security Number (SSN) “fullz” (complete PII packages) with high credit scores, Credit Privacy Numbers (CPNs), background reports, driver’s licenses (front and back), high-balance credit cards, bank statements, company checks, as well as paid VPN logins, Remote Desktop Protocol (RDP) access, and logs from U.S., Canadian, and European banks. No specific breached organization is named, implying the data may be aggregated from multiple breaches or collected directly from individual victims.
Actor Profile: While specific details about “Servicedaily” are absent from the provided intelligence, their activity on BreachForums and the nature of the goods offered strongly indicate a financially motivated cybercriminal specializing in resources for identity theft and financial fraud.[57] Offerings of “fullz,” stolen financial credentials, and remote access are staples of underground marketplaces catering to fraudsters and other criminals.[42]
Links:
- Published URL: https://breachforums.st/Thread-USA-Bank-SSN-Fullz-DL-Dumps-High-Balance-Cc-Cash-App-PayPal-Logs-Available
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/ceb920cf-71b9-4794-9f13-7bbf8505a726.png
Analysis: This posting highlights the maturity and specialization within the cybercrime economy, particularly the market for stolen identity and financial data. The term “fullz” refers to comprehensive packages of PII that enable identity theft and various forms of fraud.[51] By bundling diverse data types, including PII, financial account details, payment card information, and remote access credentials (VPNs, RDPs), Servicedaily caters to a wide range of illicit activities, from direct financial theft and account takeovers to facilitating further network intrusions. The availability of such data significantly lowers the barrier to entry for various forms of cybercrime.
4.3 ShadowBits – Mobile Communication Company of Iran Breach Claim
Incident: A threat actor identified as “ShadowBits” posted on the Russian-language forum Exploit.in, claiming to have breached the Mobile Communication Company of Iran (MCI), also known as Hamrahe Avval. The actor alleges that the compromised data includes sensitive subscriber details such as full names, national IDs, birth dates, SIM card information, and service plans.
Actor Profile: Specific information profiling “ShadowBits” is not available. However, the context is notable: the target is a major Iranian telecommunications provider, and the claim is posted on Exploit.in, a prominent Russian-language underground forum known for high-level cybercrime discussions and trading.[49] Iranian cyber actors, some potentially state-sponsored, are known to conduct operations involving espionage, data theft targeting critical infrastructure and specific populations, and influence campaigns.[61] Their motivations can vary, including intelligence gathering for the Iranian government, disruption, or financial gain through selling data or access.[61] Common TTPs include exploiting known vulnerabilities, brute-force attacks (like password spraying), and credential theft.[61]
Links:
- Published URL: https://forum.exploit.in/topic/257268/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/624b2083-a013-4997-bb37-985f8505f98e.png
Analysis: A claimed breach of Iran’s largest mobile operator is highly significant. If legitimate, the exfiltration of detailed subscriber data could have severe implications. Such data is valuable for state-sponsored espionage activities, enabling surveillance, tracking, and social engineering campaigns against Iranian citizens, dissidents, or foreign nationals within Iran.[61] Alternatively, financially motivated actors could sell this data on the underground market. The choice of Exploit.in as the platform for the claim suggests the actor is targeting a specific audience within the Russian-speaking cybercrime community, potentially seeking buyers for the data or aiming to establish credibility within that sphere. Given the strategic importance of the target, this incident warrants close monitoring to ascertain the validity of the claim and the potential motivations (state-sponsored vs. criminal) of ShadowBits.[66]
4.4 Gatito_FBI_NZ – Banco Ripley Perú S.A. Breach Claim
Incident: The threat actor “Gatito_FBI_NZ” claimed on BreachForums to have breached Banco Ripley Perú S.A. The actor alleges that the compromised data includes all transactions made using the Ripley Card.
Actor Profile: No specific profile information is available for “Gatito_FBI_NZ.” The actor operates on BreachForums, a platform heavily associated with the sale and leak of stolen data, suggesting a likely financial motivation.[42] Targeting a bank and specifically claiming access to transaction data strongly aligns with financially motivated cybercrime aimed at enabling fraud or selling the valuable data to other criminals.[51]
Links:
- Published URL: https://breachforums.st/Thread-DOCUMENTS-BANCO-RIPLEY-PERU-2025-DETAILS-TRANSACTIONS
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/d6b01ae4-c758-4fb6-a78e-ef961c023ff2.png
Analysis: This incident represents another example of threat actors utilizing underground forums like BreachForums to advertise alleged breaches targeting the financial sector. The specific claim of accessing transaction data associated with the bank’s Ripley Card is particularly concerning, as such data is highly sensitive and directly usable for fraudulent activities or understanding customer financial behavior.[51] The posting likely aims to attract buyers interested in exploiting this information for financial gain.
4.5 Machine1337 – Federal Bank (India) Leak Claim
Incident: An actor using the handle “Machine1337” posted on DarkForums.st claiming a data leak allegedly sourced from Federal Bank Limited (India) Personal Banking Services. The compromised dataset reportedly contains over 10 million lines, including text messages, destination phone numbers, sender details, and dates.
Actor Profile: Specific intelligence on “Machine1337” is unavailable. The actor posted the claim on DarkForums.st, an underground forum likely serving a similar purpose to BreachForums for trading illicit data.42 The nature of the claimed data—a large volume of communication metadata potentially related to banking services—suggests potential value for social engineering, reconnaissance for targeted attacks, or possibly fraud, depending on the exact content of the messages (which is not explicitly stated beyond metadata).53
Links:
- Published URL: https://darkforums.st/Thread-Document-DataBase-of%C2%A0Federal-Bank-Personal-Banking-Services
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/dc5a6ad2-2e94-43c6-8020-20f8a453e983.png
Analysis: The alleged leak of over 10 million records related to SMS communications from a bank’s personal banking services raises significant concerns.53 While the description focuses on metadata (phone numbers, sender details, dates), the sheer volume and the context of banking communications make this data potentially valuable for malicious actors. It could be used to map communication patterns, identify customers, craft highly targeted phishing attacks (smishing), or potentially intercept sensitive information like one-time passwords if message content was also compromised. This type of breach poses a direct risk to the security and privacy of the bank’s customers.
4.6 itachi0xff – Algerian Ministry Leak Claim
Incident: Threat actor “itachi0xff” claimed on BreachForums to have leaked a substantial amount of data (17,810 folders, 52,266 files, totaling 34.4 GB) allegedly originating from the Ministry of Pharmaceutical Industry in Algeria. The claimed data includes monthly records, company files, personal data, information on psychotropic drug discrepancies, and inventory declarations.
Actor Profile: Details on “itachi0xff” are not provided in the available intelligence. The actor utilized BreachForums for the claim. The target is a sensitive government ministry in Algeria. The nature of the claimed data—operational records, company information, personal data, and highly sensitive details regarding psychotropic drugs and inventory—makes this potentially very impactful. Motivations could be varied: financial gain from selling the data, hacktivism aimed at embarrassing the Algerian government or protesting its policies, or state-sponsored espionage.54 Recent cyber incidents involving Moroccan and Algerian entities, potentially linked to geopolitical tensions over Western Sahara 56, provide relevant context, although any direct connection between itachi0xff and these events is purely speculative.
Links:
- Published URL: https://breachforums.st/Thread-Algeria-Massive-Government-Data-Leak-Ministry-of-Pharmaceutical-Industry
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/cc0774e6-1362-40b3-bdc7-65396e476dbe.png
Analysis: This alleged data leak from the Algerian Ministry of Pharmaceutical Industry represents a potentially severe security incident. The claimed volume and types of data, especially concerning psychotropic drug management and personal information, are highly sensitive. Exposure of such data could compromise government operations, endanger individuals whose personal data is included, reveal confidential pharmaceutical industry information, and potentially fuel political instability or be exploited for intelligence purposes.56 The posting on BreachForums ensures high visibility within the cybercrime community, suggesting the actor seeks either notoriety or monetization of the allegedly stolen data. Given the sensitivity of the target and data, and the regional geopolitical climate, this incident warrants significant attention.
5. Initial Access Broker (IAB) Activity
Initial Access Brokers (IABs) represent a specialized segment within the cybercrime ecosystem. These actors focus on gaining unauthorized access to organizational networks and then selling that access to other threat actors.49 Common methods for gaining access include exploiting vulnerabilities in internet-facing systems (like VPNs, RDP, web applications), phishing, or using stolen credentials obtained from infostealer malware logs.49 The access is typically sold on underground forums such as Exploit.in or BreachForums.49 Buyers, often ransomware affiliates, purchase this access to bypass the initial intrusion phase and proceed directly with their own malicious objectives, such as data exfiltration and ransomware deployment.49 Communication and brokering may also occur via platforms like Telegram.72
5.1 samy01 – Austrian RDWeb Access Sale
Incident: A threat actor using the handle “samy01” advertised the sale of unauthorized Remote Desktop Web Access (RDWeb) to an unspecified organization within the manufacturing sector located in Austria. The advertisement was posted on the Exploit.in forum.
Actor Profile: Specific details about “samy01” are not available, but their actions clearly identify them as an IAB.49 They are operating on Exploit.in, a well-known Russian-language forum frequented by sophisticated cybercriminals, including IABs and their customers.49 Selling RDWeb access is a common offering for IABs, as it provides buyers with a direct method for remote interaction with the compromised network.60 The primary motivation for IABs is financial profit from the sale of access.49
Links:
- Published URL: https://forum.exploit.in/topic/257266/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/10c1b53a-2a9b-4e01-82d4-651602ebf2c2.png
Analysis: This incident illustrates the routine commoditization of network access within the cybercriminal underground. IABs continuously scan for and exploit vulnerabilities or compromised credentials to gain footholds into organizations, which are then offered for sale on specialized forums.49 The manufacturing sector is a frequent target for various cyber threats, including ransomware, which is often deployed after initial access is purchased from an IAB.28 Therefore, this offering by samy01 represents a latent but significant threat to the targeted Austrian manufacturing company, potentially enabling follow-on attacks by the eventual buyer.
5.2 Vortex – Oasis Technical Corp Access Claim
Incident: An actor or group named “Vortex” claimed via Telegram to have gained access to the website of Oasis Technical Corporation, an engineering company in Tunisia. The claim states they deleted the site’s original content and uploaded their own message. While this action resembles a website defacement, it was categorized as “Initial Access” in the source data, potentially indicating a deeper level of compromise or an implicit offer of access beyond mere surface alteration.
Actor Profile: Information about “Vortex” is not provided in the available intelligence. The use of Telegram for making claims is common across various types of threat actors, including hacktivists publicizing attacks and IABs or data leak actors communicating discreetly or advertising.5 The described actions—gaining access, deleting content, and replacing it with a message—overlap significantly with website defacement, a common hacktivist tactic.2 However, the “Initial Access” categorization suggests the possibility that Vortex gained more substantial control over the web server or associated infrastructure, which could potentially be leveraged for further exploitation or sold to other actors.69
Links:
- Published URL: https://t.me/Vortexmrc/627
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/c5498a56-9223-4c49-a7cf-6c670bb0df2d.png
Analysis: This incident highlights the sometimes ambiguous nature of claims made on platforms like Telegram. The actions performed by Vortex could be interpreted as a straightforward hacktivist defacement aimed at disruption or sending a message. However, the “Initial Access” label implies a level of system control that goes beyond simple website vandalism. It suggests that Vortex may possess persistent access or credentials that could facilitate more damaging follow-on activities, such as data theft, malware deployment, or selling the access itself. Regardless of the precise intent or level of compromise, the claim signifies a successful intrusion against Oasis Technical Corporation.
6. Observed Trends & Insights
Analysis of the cybersecurity incidents reported over the past 24 hours reveals several key trends and noteworthy observations:
- Prevalence of Geopolitically Motivated Hacktivism: A significant portion of the observed activity involved DDoS attacks and website defacements conducted by hacktivist groups. These campaigns showed strong correlation with ongoing geopolitical conflicts, particularly targeting entities associated with Russia (by Anonymous Italia), Israel (by Al Ahad), and perceived allies or adversaries in related contexts (e.g., Bulgaria by Dark Storm Team, potentially Mali/Italy by Ghilan Legion). This underscores the continued use of cyber means as a tool for political protest and disruption in international disputes.2 Telegram remains the dominant platform for these groups to coordinate, claim attacks, and disseminate propaganda.2
- Convergence of Hacktivism and Cybercrime: Evidence suggests a blurring of lines between purely ideological hacktivism and financially motivated cybercrime. Groups like Dark Storm Team, while operating under a pro-Palestinian banner, also offer DDoS-for-hire services and have been linked to cryptocurrency promotion schemes timed with major attacks.16 This reflects a broader trend where actors may adopt hacktivist personas to gain notoriety, recruit, mask criminal intentions, or directly monetize their activities through illicit services or scams.2
- Enduring Ransomware Threat & Evolution: Ransomware, particularly through the RaaS model, remains a persistent and evolving threat. Groups like LYNX and TERMITE demonstrate continued operations, utilizing double extortion tactics (data encryption combined with data theft and leak threats).24 The observed links between these newer groups and older, established ransomware families (INC Ransomware for LYNX, Babuk for TERMITE) highlight the prevalence of source code leaks, reuse, and adaptation within the ransomware ecosystem, allowing new groups to emerge rapidly with sophisticated capabilities.25
- Central Role of Underground Marketplaces: Forums such as BreachForums, Exploit.in, and DarkForums.st continue to function as vital infrastructure for the cybercrime economy.40 These platforms facilitate the widespread sale and leakage of various types of compromised data (databases, credentials, PII, financial details) and network access (RDP, VPN, web shells). This marketplace dynamic enables specialization among threat actors, with IABs supplying access and data brokers providing compromised information to fuel a wide range of subsequent attacks, including ransomware and fraud.
- Broad Spectrum of Targets: While hacktivist activity was heavily focused on government entities in specific conflict zones (Israel, Russia, Bulgaria, Mali, Algeria), ransomware and data breach incidents affected a much wider array of sectors and geographies. Victims included organizations in Law, Retail, Manufacturing, Finance, Telecommunications, Technology, Hospitality, Healthcare, and Transportation across North America, Europe, Asia, Australia, and Africa. This highlights the global nature of cyber threats and the diverse motivations driving attacks against different industries.
7. Actionable Intelligence & Recommendations
Based on the threats and TTPs observed in the past 24 hours, organizations should consider the following actions to enhance their cybersecurity posture:
- Strengthen DDoS Defenses: Given the high volume of hacktivist-driven DDoS attacks targeting government and potentially associated private sector entities, organizations should review and bolster their DDoS mitigation capabilities. This includes working with ISPs or specialized mitigation services and having incident response plans specifically for DDoS events.5
- Prioritize Vulnerability Management: IABs and ransomware actors frequently exploit known vulnerabilities in internet-facing systems. Implement a robust patch management program, prioritizing critical vulnerabilities in VPN gateways, RDP services, web servers, email servers (like Microsoft Exchange), middleware (like Oracle Fusion), and other externally accessible assets.61 Regularly conduct vulnerability scanning and penetration testing.
- Enhance Credential Security and MFA: Defend against brute-force, password spraying, and credential stuffing attacks by enforcing strong, unique passwords and implementing phishing-resistant Multi-Factor Authentication (MFA) across all critical services, especially for remote access (VPN, RDWeb, Citrix) and cloud platforms.27 Monitor for signs of MFA fatigue attacks (repeated push notifications) and educate users on denying unsolicited MFA prompts.61 Regularly audit MFA configurations.61
- Monitor the Cybercriminal Underground: Utilize threat intelligence services or internal capabilities to monitor relevant underground forums (e.g., BreachForums, Exploit.in) and Telegram channels for mentions of the organization’s name, domains, IP addresses, employee credentials, or specific technologies in use. Early detection of leaked data or offered access can enable proactive defense.40
- Implement Robust Backup and Recovery Strategy: Ensure comprehensive, regularly tested backup procedures are in place. Critically, backups should be segmented from the primary network and stored offline or in immutable storage to protect them from ransomware that actively targets and deletes backups.24 Test recovery processes frequently.
- Maintain Threat Actor Awareness: Security teams should stay informed about the specific TTPs, motivations, and targets of threat actors relevant to their industry and geographic location. Understanding how groups like Anonymous Italia, Dark Storm Team, LYNX, TERMITE, and potentially state-sponsored actors (e.g., Iranian groups) operate allows for more tailored defensive measures.54
- Assess Third-Party and Supply Chain Risk: Recognize that compromises at third-party service providers can impact organizational security or operations, as seen with the TERMITE attack on Blue Yonder affecting its customers.31 Implement processes to assess the security posture of critical vendors and partners.
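The MFA recommendation above asks for monitoring of "repeated push notifications". The following Python script, added here as an example and not part of the original report, shows what that check looks like over authentication log lines: it keeps a sliding window of denied or timed-out push prompts per user, raises an alert once the count crosses a threshold, and records whether an approval arrived while the burst was still inside the window. The log format, field names and sample lines are constructed for this example; `parse_line()` is the only part that needs changing to match an identity provider's export.

```python
"""MFA push-fatigue detection over authentication log lines.

Added example (not from the original report). Log format, field names and
sample lines are constructed; adapt parse_line() to your IdP's export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: j.doe receives four unsuccessful pushes in about two
# minutes and then approves one; a.smith has two isolated denials 30 min apart.
SAMPLE_LOG = """\
2025-04-12T03:01:02Z user=j.doe event=mfa_push result=denied src=203.0.113.10
2025-04-12T03:01:40Z user=j.doe event=mfa_push result=timeout src=203.0.113.10
2025-04-12T03:02:15Z user=j.doe event=mfa_push result=denied src=203.0.113.10
2025-04-12T03:02:50Z user=j.doe event=mfa_push result=denied src=203.0.113.10
2025-04-12T03:03:30Z user=j.doe event=mfa_push result=approved src=203.0.113.10
2025-04-12T03:05:00Z user=a.smith event=mfa_push result=approved src=198.51.100.7
2025-04-12T03:40:00Z user=a.smith event=mfa_push result=denied src=198.51.100.7
2025-04-12T04:10:00Z user=a.smith event=mfa_push result=denied src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)

FAILED_OUTCOMES = ("denied", "timeout")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag users with >= threshold failed pushes inside a sliding window.

    Returns one alert per user: the failed-push count at its peak, first and
    last timestamps, source addresses, and whether an approval arrived while
    the burst was still inside the window (the case to investigate first).
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failed pushes
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "mfa_push":
            continue
        user, ts, result = rec["user"], rec["ts"], rec["result"]
        q = recent[user]
        while q and ts - q[0] > window:       # expire failures outside the window
            q.popleft()
        if result in FAILED_OUTCOMES:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "count": 0, "first": q[0], "last": ts,
                    "src": set(), "approved_after": False,
                })
                alert["count"] = max(alert["count"], len(q))
                alert["last"] = ts
                alert["src"].add(rec["src"])
        elif result == "approved" and user in alerts and q:
            # Approval while the failed-push burst is still in the window: the
            # user may have accepted a prompt they did not initiate.
            alerts[user]["approved_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a['user']}: {a['count']} failed pushes between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} from "
              f"{sorted(a['src'])}; approved afterwards: {a['approved_after']}")
```

On the constructed sample only j.doe is flagged; a.smith's two denials fall outside the five-minute window and are left alone, which is the trade-off the `threshold` and `window` parameters are there to tune. An alert with `approved_after` set is the one to act on first (session review and credential reset), since the prompts came from a source that already held a valid password.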
8. Appendix: Incident Summary Table
Date/Time (UTC) | Category | Threat Actor | Victim Organization | Victim Country | Victim Industry | Victim Site | Claim/Content Summary | Published URL | Screenshot URL(s) | Platform |
2025-04-12T06:21:10Z | Defacement | Anonymous Italia | bg sunny | Russia | Leisure & Travel | bgsunny.ru | Claims defacement of BG Sunny website | https://t.me/AnonSecIta_Ops/620?single | https://d34iuop8pidsy8.cloudfront.net/418e6d42-8f49-401a-ab72-747913ab6376.png | Telegram |
2025-04-12T06:19:56Z | DDoS Attack | Dark Storm Team | municipality of varna | Bulgaria | Government Administration | varna.bg | Claims DDoS attack on Municipality of Varna website; provides downtime proof | https://t.me/DarkStormTeam3/233 | https://d34iuop8pidsy8.cloudfront.net/26284559-0972-4889-a662-84e06c54d9af.png | Telegram |
2025-04-12T06:15:06Z | DDoS Attack | Dark Storm Team | municipality of plovdiv | Bulgaria | Government Administration | plovdiv.bg | Claims DDoS attack on Municipality of Plovdiv website; provides downtime proof | https://t.me/DarkStormTeam3/233 | https://d34iuop8pidsy8.cloudfront.net/5a0d0420-c6f2-46ba-8574-707c43a51ee5.png | Telegram |
2025-04-12T06:08:49Z | Defacement | Anonymous Italia | hettich | Russia | Manufacturing | sensys-shop.ru | Claims defacement of Hettich website | https://t.me/AnonSecIta_Ops/618 | https://d34iuop8pidsy8.cloudfront.net/e9903581-d770-40ec-91d5-4ab390a56cd7.png | Telegram |
2025-04-12T05:59:23Z | Defacement | Anonymous Italia | avantgarde+ | Russia | Manufacturing & Industrial Products | avangard-plus.com | Claims defacement of AVANTGARDE+ website | https://t.me/AnonSecIta_Ops/616 | https://d34iuop8pidsy8.cloudfront.net/612f7ef4-ed45-4fc3-9afe-f7948c39d10f.png | Telegram |
2025-04-12T05:45:35Z | Defacement | Anonymous Italia | sunny view south | Bulgaria | Hospitality & Tourism | svsbg.ru | Claims defacement of Sunny View South website | https://t.me/AnonSecIta_Ops/614 | https://d34iuop8pidsy8.cloudfront.net/77990547-a6a9-42fa-a434-5741aa333d0c.png | Telegram |
2025-04-12T05:43:13Z | Defacement | Anonymous Italia | hettich shop | Russia | Furniture | atira-shop.ru | Claims defacement of Hettich Shop website | https://t.me/AnonSecIta_Ops/612 | https://d34iuop8pidsy8.cloudfront.net/f90eb49b-981f-4d9f-a8c6-63ca8312d461.png | Telegram |
2025-04-12T05:29:38Z | Defacement | Anonymous Italia | russian academy of arts | Russia | Fine Art | art-history.ru | Claims defacement of Russian Academy of Arts website | https://t.me/AnonSecIta_Ops/608 | https://d34iuop8pidsy8.cloudfront.net/7a948e14-4c92-463e-a891-cefd2023b892.png | Telegram |
2025-04-12T05:22:22Z | Defacement | Anonymous Italia | restora | Russia | Hospitality & Tourism | trialcafe.ru | Claims defacement of Restora website | https://t.me/AnonSecIta_Ops/610 | https://d34iuop8pidsy8.cloudfront.net/9c0b5dee-a66c-46d0-b283-2ec188286593.png | Telegram |
2025-04-12T04:57:51Z | Data Leak | W1ndStre4m | lian yong property co., ltd | Taiwan | Other Industry | lianyoug.com.tw | Alleged database leak (96 tables, 3 DBs, 27MB) from Lian Yong Property Co., Ltd | https://breachforums.st/Thread-DATABASE-www-lianyoug-com-tw-DATABASE-Leak | https://d34iuop8pidsy8.cloudfront.net/2b307b15-5428-4952-8443-1e4e5651f7c4.png | BreachForums |
2025-04-12T04:36:20Z | Ransomware | LYNX | bilbie faraday harrison, solicitors | Australia | Law Practice & Law Firms | bilbie.com.au | Claims data theft by LYNX Ransomware | http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/67f9dfdbce8dcc3b0d52bfe5 | https://d34iuop8pidsy8.cloudfront.net/6f330b6a-47df-4624-9632-5595647f855c.png | Tor |
2025-04-12T04:21:23Z | DDoS Attack | Al Ahad | israel ministry of transport and road safety | Israel | Government Administration | mot.gov.il | Claims DDoS attack on Israel Ministry of Transport website; provides downtime proof | https://t.me/qayzerowns/41 | https://d34iuop8pidsy8.cloudfront.net/bb78e0ad-8547-48c3-ab7c-19687b38c17d.png | Telegram |
2025-04-12T04:20:51Z | DDoS Attack | Al Ahad | ministry of education | Israel | Government Administration | education.gov.il | Claims DDoS attack on Israel Ministry of Education website; provides downtime proof | https://t.me/qayzerowns/41 | https://d34iuop8pidsy8.cloudfront.net/aa4e63fc-ecf6-4f2c-ba35-c354300a0990.png, https://d34iuop8pidsy8.cloudfront.net/a2866756-033e-4656-a008-d25de3152fc4.png | Telegram |
2025-04-12T04:13:23Z | Data Leak | Servicedaily | | USA | Financial Services | | Alleged sale of financial/identity data (SSN fullz, CPNs, DLs, CCs, bank logs, RDPs, VPNs) from US/Intl sources | https://breachforums.st/Thread-USA-Bank-SSN-Fullz-DL-Dumps-High-Balance-Cc-Cash-App-PayPal-Logs-Available | https://d34iuop8pidsy8.cloudfront.net/ceb920cf-71b9-4794-9f13-7bbf8505a726.png | BreachForums |
2025-04-12T03:59:19Z | DDoS Attack | Al Ahad | ministry of justice | Israel | Legislative Office | justice.gov.il | Claims DDoS attack on Israel Ministry of Justice website; provides downtime proof | https://t.me/qayzerowns/41 | https://d34iuop8pidsy8.cloudfront.net/e5aa2f83-15af-4e3b-b391-a266d4bb91e2.png | Telegram |
2025-04-12T03:59:17Z | DDoS Attack | Al Ahad | israel ministry of finance | Israel | Government Administration | finance.gov.il | Claims DDoS attack on Israel Ministry of Finance website; provides downtime proof | https://t.me/qayzerowns/41 | https://d34iuop8pidsy8.cloudfront.net/5a609353-b2d0-4688-afa2-8842e5024ad7.png | Telegram |
2025-04-12T03:58:06Z | Data Breach | ShadowBits | mobile communication company of iran | Iran | Network & Telecommunications | mci.ir | Alleged data breach of Mobile Communication Company of Iran (MCI); claims subscriber details compromised | https://forum.exploit.in/topic/257268/ | https://d34iuop8pidsy8.cloudfront.net/624b2083-a013-4997-bb37-985f8505f98e.png | Exploit.in |
2025-04-12T03:45:29Z | Initial Access | samy01 | | Austria | Manufacturing | | Alleged sale of unauthorized RDWeb access to an unidentified Austrian manufacturing organization | https://forum.exploit.in/topic/257266/ | https://d34iuop8pidsy8.cloudfront.net/10c1b53a-2a9b-4e01-82d4-651602ebf2c2.png | Exploit.in |
2025-04-12T03:34:02Z | Data Breach | Gatito_FBI_NZ | banco ripley perú s.a. | Peru | Banking & Mortgage | bancoripley.com.pe | Alleged data breach of Banco Ripley Perú S.A.; claims compromise of Ripley Card transaction data | https://breachforums.st/Thread-DOCUMENTS-BANCO-RIPLEY-PERU-2025-DETAILS-TRANSACTIONS | https://d34iuop8pidsy8.cloudfront.net/d6b01ae4-c758-4fb6-a78e-ef961c023ff2.png | BreachForums |
2025-04-12T03:00:53Z | Defacement | Anonymous Italia | adel | Russia | Manufacturing & Industrial Products | adellock-shop.ru | Claims defacement of ADEL website | https://t.me/AnonSecIta_Ops/605 | https://d34iuop8pidsy8.cloudfront.net/f226a00e-924c-4b38-96fe-a0f2b4afce3c.png | Telegram |
2025-04-12T02:50:34Z | Defacement | Anonymous Italia | gt eyecare | Russia | Medical Practice | wingline-shop.ru | Claims defacement of GT Eyecare website | https://t.me/AnonSecIta_Ops/604?single | https://d34iuop8pidsy8.cloudfront.net/35f684f2-a54c-4965-859e-9c3ecd72376e.png | Telegram |
2025-04-12T02:41:36Z | Ransomware | TERMITE | bjorklund norge as | Norway | Retail Industry | bjorklund.no | Claims 340 GB data theft by TERMITE Ransomware; samples available | http://termiteuslbumdge2zmfmfcsrvmvsfe4gvyudc5j6cdnisnhtftvokid.onion/post/67f9834d9b91b4933324ef12 | https://d34iuop8pidsy8.cloudfront.net/decc5777-c62f-468f-8dfe-b2a57001b20f.png | Tor |
2025-04-12T02:18:29Z | Defacement | Anonymous Italia | private-designers.rf | Russia | Building and construction | частные-дизайнеры.рф | Claims defacement of private-designers.rf website | https://t.me/AnonSecIta_Ops/601 | https://d34iuop8pidsy8.cloudfront.net/b9b71ab2-9db8-47d4-b198-44221a37241b.png | Telegram |
2025-04-12T02:13:20Z | Initial Access | Vortex | oasis technical corporation | Tunisia | Mechanical or Industrial Engineering | otc-jbg.com | Claims gained access, deleted content, uploaded message on Oasis Technical Corp site | https://t.me/Vortexmrc/627 | https://d34iuop8pidsy8.cloudfront.net/c5498a56-9223-4c49-a7cf-6c670bb0df2d.png | Telegram |
2025-04-12T00:41:30Z | Data Breach | Machine1337 | federal bank limited | India | Banking & Mortgage | federalbank.co.in | Alleged data leak from Federal Bank Personal Banking Services; claims >10M lines (SMS metadata) | https://darkforums.st/Thread-Document-DataBase-of%C2%A0Federal-Bank-Personal-Banking-Services | https://d34iuop8pidsy8.cloudfront.net/dc5a6ad2-2e94-43c6-8020-20f8a453e983.png | DarkForums.st |
2025-04-12T00:25:23Z | DDoS Attack | Ghilan Legion | general control of public services | Mali | Government Administration | cgsp.ml | Claims DDoS attack on General Control of Public Services (Mali) website; provides downtime proof | https://t.me/GhilanLegion/250 | https://d34iuop8pidsy8.cloudfront.net/f03ee83a-9fc4-4761-9e21-8f73586cdbaa.png | Telegram |
2025-04-12T00:25:10Z | DDoS Attack | Ghilan Legion | siena mobility | Italy | Transportation & Logistics | sienamobilita.it | Claims DDoS attack on Siena mobility website; provides downtime proof | https://t.me/GhilanLegion/250 | https://d34iuop8pidsy8.cloudfront.net/15357a4c-e2ae-4987-84be-754bba9272ab.png | Telegram |
2025-04-12T00:10:39Z | Data Breach | itachi0xff | ministry of pharmaceutical industry | Algeria | Government Administration | miph.gov.dz | Alleged data leak from Ministry of Pharmaceutical Industry (Algeria); claims 34.4 GB (records, files, personal data) | https://breachforums.st/Thread-Algeria-Massive-Government-Data-Leak-Ministry-of-Pharmaceutical-Industry | https://d34iuop8pidsy8.cloudfront.net/cc0774e6-1362-40b3-bdc7-65396e476dbe.png | BreachForums |
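The table above is the kind of feed that the "Monitor the Cybercriminal Underground" recommendation in section 7 can be checked against automatically. The following Python example, added here and not part of the original report, parses rows in the appendix's pipe-delimited layout, including rows where the Victim Organization and Victim Site cells are empty and the remaining cells have shifted left (the form in which the Servicedaily and samy01 rows arrive from the source feed), and then matches the records against an organisation's own watchlist of domains and names. Domains are matched on the Victim Site column and, because forum thread slugs tend to carry the domain with dots replaced by hyphens, also in slug form against the Published URL. The three sample rows are copied from the table; the watchlist entries are constructed.

```python
"""Parse the appendix's pipe-delimited incident table and match it against an
organisation's own watchlist of domains and names.

Added example, not part of the original report. Sample rows are copied from
the table (one in the shifted form of the source feed); the watchlist is
constructed.
"""
import re

COLUMNS = ["timestamp", "category", "actor", "victim_org", "victim_country",
           "victim_industry", "victim_site", "summary", "published_url",
           "screenshot_url", "platform"]

SAMPLE_TABLE = """\
Date/Time (UTC) | Category | Threat Actor | Victim Organization | Victim Country | Victim Industry | Victim Site | Claim/Content Summary | Published URL | Screenshot URL(s) | Platform |
2025-04-12T04:57:51Z | Data Leak | W1ndStre4m | lian yong property co., ltd | Taiwan | Other Industry | lianyoug.com.tw | Alleged database leak (96 tables, 3 DBs, 27MB) from Lian Yong Property Co., Ltd | https://breachforums.st/Thread-DATABASE-www-lianyoug-com-tw-DATABASE-Leak | https://d34iuop8pidsy8.cloudfront.net/2b307b15-5428-4952-8443-1e4e5651f7c4.png | BreachForums |
2025-04-12T03:45:29Z | Initial Access | samy01 | Austria | Manufacturing | Alleged sale of unauthorized RDWeb access to an unidentified Austrian manufacturing organization | https://forum.exploit.in/topic/257266/ | https://d34iuop8pidsy8.cloudfront.net/10c1b53a-2a9b-4e01-82d4-651602ebf2c2.png | Exploit.in | ||
2025-04-12T03:34:02Z | Data Breach | Gatito_FBI_NZ | banco ripley perú s.a. | Peru | Banking & Mortgage | bancoripley.com.pe | Alleged data breach of Banco Ripley Perú S.A.; claims compromise of Ripley Card transaction data | https://breachforums.st/Thread-DOCUMENTS-BANCO-RIPLEY-PERU-2025-DETAILS-TRANSACTIONS | https://d34iuop8pidsy8.cloudfront.net/d6b01ae4-c758-4fb6-a78e-ef961c023ff2.png | BreachForums |
"""


def _split_row(line):
    """Split one table line on '|' and drop the empty trailing cells."""
    cells = [c.strip() for c in line.strip().split("|")]
    while cells and cells[-1] == "":
        cells.pop()
    return cells


def parse_row(line):
    """Map one row to COLUMNS, tolerating the shifted rows of the source feed.

    The two URL cells are used as anchors: the claim summary is the cell just
    before the published URL, the platform the cell just after the screenshot
    URL, and whatever sits between the actor and the summary is the victim
    block (4 cells normally, 2 when organisation and site are blank).
    """
    cells = _split_row(line)
    url_idx = [i for i, c in enumerate(cells) if c.startswith("http")]
    if len(url_idx) < 2 or url_idx[0] < 6:
        raise ValueError("unrecognised row: %r" % line[:60])
    pub, shot = url_idx[0], url_idx[1]
    middle = cells[3:pub - 1]
    if len(middle) == 4:
        org, country, industry, site = middle
    elif len(middle) == 2:
        # Shifted row: Victim Organization and Victim Site were empty and the
        # remaining cells moved left by one column each.
        org, site = "", ""
        country, industry = middle
    else:
        raise ValueError("unexpected victim columns in row: %r" % line[:60])
    platform = cells[shot + 1] if len(cells) > shot + 1 else ""
    values = cells[:3] + [org, country, industry, site, cells[pub - 1],
                          cells[pub], cells[shot], platform]
    return dict(zip(COLUMNS, values))


def parse_incident_table(text):
    """Parse every data row of a table in the appendix layout."""
    return [parse_row(line) for line in text.splitlines()
            if line.strip() and not line.startswith("Date/Time")]


def _slug(domain):
    """Domain as it usually appears inside a forum thread slug."""
    return re.sub(r"[^a-z0-9]+", "-", domain.lower())


def find_watchlist_hits(records, watch_domains, watch_names):
    """Return one hit per (indicator, record) pair that matches the watchlist."""
    hits = []
    for rec in records:
        site = rec["victim_site"].lower()
        url = rec["published_url"].lower()
        text = (rec["victim_org"] + " " + rec["summary"]).lower()
        for d in watch_domains:
            dl = d.lower()
            if site == dl or site.endswith("." + dl) or _slug(dl) in url:
                hits.append({"indicator": d, "actor": rec["actor"],
                             "category": rec["category"], "url": rec["published_url"]})
        for n in watch_names:
            if n.lower() in text:
                hits.append({"indicator": n, "actor": rec["actor"],
                             "category": rec["category"], "url": rec["published_url"]})
    return hits


if __name__ == "__main__":
    # Constructed watchlist: one domain from the table, one that never appears.
    records = parse_incident_table(SAMPLE_TABLE)
    for hit in find_watchlist_hits(records, {"lianyoug.com.tw", "example-corp.example"},
                                   {"Banco Ripley"}):
        print(f"{hit['indicator']}: {hit['category']} claim by {hit['actor']} at {hit['url']}")
```

The parser deliberately anchors on the two URL columns rather than on cell position, so it survives the shifted rows without silently assigning "USA" or "Austria" to the Victim Organization column, which is the kind of misattribution that makes a watchlist miss a real hit. Name matching is a plain case-insensitive substring test; in production, trade this for a list of the organisation's registered names and brands to keep false positives down.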
Works cited
1. What is Hacktivism | Types, Ethics, History & Examples – Imperva, accessed April 12, 2025, https://www.imperva.com/learn/application-security/hacktivism/
2. Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 12, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
3. Understanding Hacktivism: Definition and Examples – StealthMole Intelligence, accessed April 12, 2025, https://www.stealthmole.com/blog/understanding-hacktivism-definition-and-examples
4. What is Hacktivism? – Check Point Software, accessed April 12, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/
5. The Growing Threat Posed by Hacktivist Groups – Searchlight Cyber, accessed April 12, 2025, https://slcyber.io/blog/the-growing-threat-posed-by-hacktivist-groups/
6. (PDF) Becoming a hacktivist. Examining the motivations and the processes that prompt an individual to engage in hacktivism – ResearchGate, accessed April 12, 2025, https://www.researchgate.net/publication/371138711_Becoming_a_hacktivist_Examining_the_motivations_and_the_processes_that_prompt_an_individual_to_engage_in_hacktivism
7. Exploring Telegram DDoS Groups: Threats, Tools, and Evolving Strategies – SOCRadar, accessed April 12, 2025, https://socradar.io/exploring-telegram-ddos-groups-threats-tools/
8. Anonymous (hacker group) – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
9. What is the motive of Anonymous group?, accessed April 12, 2025, https://www.anonymoushackers.net/anonymous-news/what-is-the-motive-of-anonymous-group/
10. Hacktivism 101: A Brief History and Timeline of Notable Incidents | Trend Micro (US), accessed April 12, 2025, https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hacktivism-101-a-brief-history-of-notable-incidents
11. Timeline of events associated with Anonymous – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Timeline_of_events_associated_with_Anonymous
12. Dark Storm Team – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Dark_Storm_Team
13. What Is Dark Storm, Pro-Palestine Group Allegedly Behind X Cyberattack – NDTV, accessed April 12, 2025, https://www.ndtv.com/world-news/twitter-cyberattack-elon-musk-what-is-dark-storm-pro-palestine-group-allegedly-behind-x-cyberattack-7897600
14. X outage: Who are hackers ‘behind massive cyber attack’ on Elon Musk’s social media platform? – Sky News, accessed April 12, 2025, https://news.sky.com/story/x-outage-who-are-hackers-claiming-to-have-caused-massive-cyber-attack-on-elon-musks-social-media-platform-13326288
15. Who is Dark Storm Team, the pro-Palestinian hacktivist group that took down X to protest ‘Musk and Trump’s blatant fascism’? – Business Today, accessed April 12, 2025, https://www.businesstoday.in/technology/news/story/who-is-dark-storm-team-the-pro-palestinian-hacktivist-group-that-took-down-x-to-protest-musk-and-trumps-blatant-fascism-467502-2025-03-11
16. Cyber Insight DarkStorm Team – Orange Cyberdefense, accessed April 12, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/DARKSTORMTEAM/DarkStormTeam-EN.pdf
17. Dark Storm Team Claims Responsibility for Cyber Attack on X Platform – What It Means for the Future of Digital Security – Check Point Blog, accessed April 12, 2025, https://blog.checkpoint.com/security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/
18. Dark Web Profile: Killnet – Russian Hacktivist Group – SOCRadar® Cyber Intelligence Inc., accessed April 12, 2025, https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/
19. Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 12, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
20. Dark Storm Team: The Hacker Group Behind the DDoS Attack on X (Twitter) – Foresiet, accessed April 12, 2025, https://foresiet.com/blog/dark-storm-team-the-hacker-group-behind-the-ddos-attack-on-x-twitter
21. Understanding NullBulge, the New AI-Fighting ‘Hacktivist’ Group – Infosecurity Magazine, accessed April 12, 2025, https://www.infosecurity-magazine.com/news/nullbulge-anti-ai-hacktivist-group/
22. واژه نامه مترجمان (Translators’ Glossary) – The Washington Institute, accessed April 12, 2025, https://www.washingtoninstitute.org/sites/default/files/pdf/94d6825055d825db4c94eb032af96063.pdf
23. Legion Hacktivist Group – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/Legion_Hacktivist_Group
24. Lynx Ransomware Group: Tactics, Targets, And Defense Strategies – Cyble, accessed April 12, 2025, https://cyble.com/threat-actor-profiles/lynx-ransomware/
25. Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself – Picus Security, accessed April 12, 2025, https://www.picussecurity.com/resource/blog/lynx-ransomware
26. CTI Roundup: New TorNet Backdoor, Lynx Ransomware, and Q4 Trends | Tanium, accessed April 12, 2025, https://www.tanium.com/blog/cti-roundup-new-tornet-backdoor-lynx-ransomware-q4-trends/
27. Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB Blog, accessed April 12, 2025, https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
28. Defending Against Lynx Ransomware (Strategies for 2025), accessed April 12, 2025, https://cybelangel.com/lynx-ransomware-double-extortion/
29. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 12, 2025, https://darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
30. Lynx Ransomware – Blackpoint Cyber, accessed April 12, 2025, https://blackpointcyber.com/wp-content/uploads/2024/11/Lynx.pdf
31. Dark Web Profile: Termite Ransomware – SOCRadar® Cyber Intelligence Inc., accessed April 12, 2025, https://socradar.io/dark-web-profile-termite-ransomware/
32. ‘Termite’ Gang Leaks Australian Fertility Clinic Records – BankInfoSecurity, accessed April 12, 2025, https://www.bankinfosecurity.com/termite-gang-leaks-australian-fertility-clinic-records-a-27628
33. Termite Ransomware – Broadcom Inc., accessed April 12, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/termite-ransomware
34. Unmasking Termite, the Ransomware Gang Claiming the Blue Yonder Attack, accessed April 12, 2025, https://www.infosecurity-magazine.com/news/termite-ransomware-blue-yonder/
35. Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program, accessed April 12, 2025, https://www.infosecurity-magazine.com/news/lynx-ransomware-sophisticated/
36. Meet the Termite Gang: The New Ransomware Threat Behind Starbucks and Blue Yonder Chaos – 63SATS, accessed April 12, 2025, https://63sats.com/blog/meet-the-termite-gang-the-new-ransomware-threat-behind-starbucks-and-blue-yonder-chaos/
37. New ‘Termite’ ransomware group claims responsibility for Blue Yonder cyberattack, accessed April 12, 2025, https://cyberscoop.com/termite-ransomware-blue-yonder-disruption/
38. Termite Ransomware | WatchGuard Technologies, accessed April 12, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/termite
39. Termite Ransomware Attack on Blue Yonder: What You Need to Know – SOCRadar, accessed April 12, 2025, https://socradar.io/termite-ransomware-attack-on-blue-yonder/
40. Alleged Oracle Cloud Supply Chain Attack | Arctic Wolf, accessed April 12, 2025, https://arcticwolf.com/resources/blog/alleged-oracle-cloud-supply-chain-attack/
41. BreachForums Data Leak Exposes Extensive Member Information – Bitdefender, accessed April 12, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/breachforums-data-leak-exposes-extensive-member-information
42. BreachForums – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/BreachForums
43. BreachForums v1 Data Leak Exposes Members’ Info – CertPro, accessed April 12, 2025, https://certpro.com/breachforums-data-leak/
44. BreachForums v1 Data Leak Exposes Personal Information of Over 200,000 Members, accessed April 12, 2025, https://foresiet.com/blog/breachforums-v1-data-leak-exposes-personal-information-of-over-200000-members
45. Notorious data leak site BreachForums seized by law enforcement | Malwarebytes, accessed April 12, 2025, https://www.malwarebytes.com/blog/news/2024/05/notorious-data-leak-site-breachforums-seized-by-law-enforcement
46. X leaks data on 2.8 billion profiles in alleged insider job – Computing UK, accessed April 12, 2025, https://www.computing.co.uk/news/2025/security/x-leaks-data-on-2-8-billion-profiles
47. BreachForums Data Leak Exposes Extensive Member Information – Bitdefender, accessed April 12, 2025, https://www.bitdefender.com/en-gb/blog/hotforsecurity/breachforums-data-leak-exposes-extensive-member-information
48. Breach Forums | Flashpoint, accessed April 12, 2025, https://flashpoint.io/intelligence-101/breach-forums/
49. The use of Initial Access Brokers (IABs) by ransomware groups – Outpost24, accessed April 12, 2025, https://outpost24.com/blog/use-of-initial-access-brokers-by-ransomware-groups/
50. Hacker leaks records of 20 million users of AI visual creation platform online – Bitdefender, accessed April 12, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/hacker-leaks-records-of-20-million-users-of-ai-visual-creation-platform-online
51. Hot Topic Data Breach Allegedly Exposes Over 56 Million Customer Accounts – Bitdefender, accessed April 12, 2025, https://www.bitdefender.com/en-au/blog/hotforsecurity/hot-topic-data-breach-allegedly-exposes-over-56-million-customer-accounts
- List of data breaches – Wikipedia, accessed April 12, 2025, https://en.wikipedia.org/wiki/List_of_data_breaches
- Alleged Data Breach at Federal Bank: 637k+ Records claimed to be Exposed on Dark Web, accessed April 12, 2025, https://www.cyberpeace.org/resources/blogs/alleged-data-breach-at-federal-bank-637k-records-claimed-to-be-exposed-on-dark-web
- Why Threat Actors Matter | Analyst1, accessed April 12, 2025, https://analyst1.com/why-threat-actors-matter/
- What is a Threat Actor? Motivations, Targeting and Staying Ahead – Critical Start, accessed April 12, 2025, https://www.criticalstart.com/what-is-a-threat-actor-motivations-targeting-and-staying-ahead/
- Morocco investigates major data breach allegedly by Algerian hackers, accessed April 12, 2025, https://therecord.media/morocco-investigates-breach-hackers-algeria
- How Microsoft names threat actors – Microsoft’s unified security operations platform, accessed April 12, 2025, https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
- 2023 in Review: Threat Actors and Motivations – Searchlight Cyber, accessed April 12, 2025, https://slcyber.io/blog/2023-in-review-threat-actors-and-motivations/
- What Are TTPs and How Understanding Them Can Help Prevent the Next Incident, accessed April 12, 2025, https://www.exabeam.com/explainers/what-are-ttps/what-are-ttps-and-how-understanding-them-can-help-prevent-the-next-incident/
- Initial Access Brokers Are Key to Rise in Ransomware Attacks – Recorded Future, accessed April 12, 2025, https://go.recordedfuture.com/hubfs/reports/cta-2022-0802.pdf
- Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | CISA, accessed April 12, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
- New Tradecraft of Iranian Cyber Group Aria Sepehr Ayandehsazan aka Emennet Pasargad, accessed April 12, 2025, https://www.ic3.gov/CSA/2024/241030.pdf
- Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A, accessed April 12, 2025, https://www.picussecurity.com/resource/blog/cisa-alert-aa24-290a-iranian-cyber-actors-brute-force-and-credential-access-attacks
- Iranian Cyber Actors Exploit Known Vulnerabilities to Extort US Critical Infrastructure Organizations, Other Victims – National Security Agency, accessed April 12, 2025, https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3157562/iranian-cyber-actors-exploit-known-vulnerabilities-to-extort-us-critical-infras/
- Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations – CISA, accessed April 12, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- U.S. Agencies Warn of Iranian Hacking Group’s Ongoing Ransomware Attacks, accessed April 12, 2025, https://thehackernews.com/2024/08/us-agencies-warn-of-iranian-hacking.html
- Iranian Threat Actors & Healthcare | HHS.gov, accessed April 12, 2025, https://www.hhs.gov/sites/default/files/iranian-threat-actors-and-healthcare.pdf
- Our Investigation of the CNSS Data Leak [Flash Report] – CybelAngel, accessed April 12, 2025, https://cybelangel.com/our-investigation-of-the-cnss-data-leak-flash-report/
- Initial Access Brokers Shift Tactics, Selling More for Less – The Hacker News, accessed April 12, 2025, https://thehackernews.com/2025/04/initial-access-brokers-shift-tactics.html
- How Initial Access Brokers Lead to Ransomware | Proofpoint US, accessed April 12, 2025, https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
- Initial Access Brokers How They’re Changing Cybercrime – CIS Center for Internet Security, accessed April 12, 2025, https://www.cisecurity.org/insights/blog/initial-access-brokers-how-theyre-changing-cybercrime
- Threat Intelligence Report – January 2025 | Bitsight, accessed April 12, 2025, https://www.bitsight.com/data/threat-intelligence-reports/january-2025
- Exfiltration over Telegram Bots: Skidding Infostealer Logs – BitSight Technologies, accessed April 12, 2025, https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-infostealer-logs
- Beyond Donations: How Hacktivist Groups Fund Their Operations – KELA Cyber Threat Intelligence, accessed April 12, 2025, https://www.kelacyber.com/wp-content/uploads/2023/08/Research-by-KELA_How-Hacktivist-Groups-Fund-Their-Operations.pdf
- Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect | Google Cloud Blog, accessed April 12, 2025, https://cloud.google.com/blog/topics/threat-intelligence/initial-access-brokers-exploit-f5-screenconnect
- GOLD MELODY: Profile of an Initial Access Broker – Secureworks, accessed April 12, 2025, https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker
- The New Face of Ransomware: Key Players and Emerging Tactics of 2024 – Trustwave, accessed April 12, 2025, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-new-face-of-ransomware-key-players-and-emerging-tactics-of-2024/