[April-13-2025] Daily Cybersecurity Threat Report – Part 1

Introduction

This report details significant cybersecurity incidents reported over the past 24 hours, ending April 13, 2025. The threat landscape continues to be characterized by high levels of hacktivist activity, particularly Distributed Denial-of-Service (DDoS) attacks driven by geopolitical tensions. Pro-Russian groups like NoName057(16) remain highly active, alongside pro-Palestinian actors and regional groups engaged in cyber conflict. Data breaches and leaks persist as major threats, with underground forums facilitating the sale and distribution of sensitive information, including credentials, personally identifiable information (PII), and financial data. Furthermore, the cybercrime-as-a-service market demonstrates ongoing sophistication, with offerings ranging from advanced malware and evasion tools to potentially high-impact zero-day exploits.

Incident Breakdown

A. Distributed Denial-of-Service (DDoS) Attack Campaigns

DDoS attacks remained a prominent feature of the threat landscape, primarily driven by hacktivist groups leveraging these disruptions for political messaging and demonstrating capability.

1. NoName057(16) Campaign Against Finnish Targets

  • Threat Actor Profile: NoName057(16)
  • Background & Motivation: NoName057(16) is a well-established pro-Russian hacktivist collective that emerged in March 2022, shortly after the start of the Russo-Ukrainian conflict.[1] Their declared mission is to retaliate against nations perceived as hostile to Russia, with a particular focus on NATO members and countries supporting Ukraine.[1] Their operations are ideologically driven, aiming to destabilize adversaries and promote pro-Kremlin narratives.[1] The group operates primarily through Telegram channels, where they announce attacks, mock victims, and recruit volunteers.[1]
  • Tactics, Techniques, and Procedures (TTPs): NoName057(16) specializes in DDoS attacks, primarily utilizing HTTP/HTTPS application-layer floods.[3] They developed and maintain the “DDoSia” tool, written in Golang, which volunteers use to participate in attacks.[2] This tool is distributed via Telegram, and participation is often incentivized through cryptocurrency payments, effectively gamifying DDoS activity and crowdsourcing their attack infrastructure.[3] They frequently post “proof” of downtime using third-party checking services like check-host.net.[6] A key characteristic is their heavy reliance on public cloud services and CDNs as launch platforms, making mitigation challenging as blocking large IP ranges can impact legitimate traffic.[3] They are known to conduct reconnaissance to target specific, resource-intensive parts of websites, such as search forms, to maximize disruption with moderate attack volume.[7] They often collaborate with other pro-Russian groups like People’s Cyber Army (PCA) and HackNeT.[4]
  • Observed Campaign Context: The concentrated attacks against Finland align directly with NoName057(16)’s anti-NATO agenda, as Finland is a NATO member and has provided support to Ukraine.[9] Targeting diverse sectors like government, transportation, information services, and political organizations aims to cause widespread disruption and project influence.[1] This high tempo is sustained through their effective volunteer recruitment and coordination model.[3]
  • Incidents (Finland):
  • Victim: Traficom (Information Services)
  • Site: extidpevaluointi.traficom.fi
  • Evidence/Links: Proof: https://check-host.net/check-report/24ecf7efka5c, Published: https://t.me/nnm05716rus/530, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/11e3b6d2-90df-4a07-952e-bf9f72c0c1c0.png, https://d34iuop8pidsy8.cloudfront.net/ea98c07b-6573-4fc0-b5f5-7058272b2b38.png]
  • Date: 2025-04-13T08:57:28Z
  • Victim: Association of Finnish Local and Regional Authorities (AFLRA) (Government Relations)
  • Site: kuntaliitto.fi
  • Evidence/Links: Proof: https://check-host.net/check-report/24ecf2d4k7e, Published: https://t.me/nnm05716rus/530, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/5214a391-14b9-4cef-8df4-f8406c7b6ec0.png, https://d34iuop8pidsy8.cloudfront.net/8821062f-9076-4f6f-b40f-d19107af2290.png]
  • Date: 2025-04-13T08:50:03Z
  • Victim: City of Kotka (Government Administration)
  • Site: kotka.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24ecf2a1kd07, Published: https://t.me/nnm05716rus/530, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/792a02b2-27c1-494f-a404-7adccbb07482.png, https://d34iuop8pidsy8.cloudfront.net/4ff28f31-82eb-43dd-b839-4936c8f3c490.png]
  • Date: 2025-04-13T08:48:49Z
  • Victim: Population Union (Individual & Family Services)
  • Site: vaestoliitto.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24ecf272kdcb, Published: https://t.me/nnm05716rus/530, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/cd783b93-43f5-419b-899b-82b664335305.png, https://d34iuop8pidsy8.cloudfront.net/d8ebfd9d-e9cc-4222-803c-8e4335cf395d.png]
  • Date: 2025-04-13T08:41:42Z
  • Victim: City of Helsinki (Government & Public Sector)
  • Site: hel.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24ecf7bbkef5, Published: https://t.me/nnm05716rus/530, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/46561b3c-f715-4e36-8578-a93020ea0ee6.png, https://d34iuop8pidsy8.cloudfront.net/bfacdc40-a766-4f00-9990-9f547b2cbb63.png]
  • Date: 2025-04-13T08:32:57Z
  • Victim: Helsinki Region Transport (HSL) (Transportation & Logistics)
  • Site: hsl.fi
  • Evidence/Links: Proof: https://check-host.net/check-report/24ecf10fk33, Published: https://t.me/nnm05716rus/529, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/60d3b38d-eaf2-4684-829d-a6a9c545cccc.png, https://d34iuop8pidsy8.cloudfront.net/213bc850-aa3d-4f24-8733-76df430e1dc6.png]
  • Date: 2025-04-13T08:11:55Z
  • Victim: Janne Hakkarainen (Business and Economic Development)
  • Site: jannehakkarainen.fi
  • Evidence/Links: Proof: https://check-host.net/check-report/24ecf0fek274, Published: https://t.me/nnm05716rus/529, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/59bef7c8-96de-426a-a97e-e8cf6f5defe8.png, https://d34iuop8pidsy8.cloudfront.net/c72f7d25-1907-4005-9044-d0a4ccf8d195.png]
  • Date: 2025-04-13T08:04:09Z
  • Victim: Arto Lampila (Government & Public Sector)
  • Site: alampila.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24eceeaak15f, Published: https://t.me/nnm05716rus/529, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/25f50880-608a-43b2-8f83-88c695793ccf.png, https://d34iuop8pidsy8.cloudfront.net/9b0c3040-a4c1-49d4-8db5-2290e86c04eb.png]
  • Date: 2025-04-13T07:49:49Z
  • Victim: The Communist Workers Party (Political Organization)
  • Site: ktpkom.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24ecee99kd95, Published: https://t.me/nnm05716rus/529, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/b80b3cf6-1823-4378-97bd-75289e534424.png, https://d34iuop8pidsy8.cloudfront.net/82f98a74-3e4c-4638-af9a-4d1e9f460d0f.png]
  • Date: 2025-04-13T07:45:15Z
  • Victim: Perussuomalaiset (Political Organization)
  • Site: oma.perussuomalaiset.fi
  • Evidence/Links: Proof: http://check-host.net/check-report/24ecee76kec9, Published: https://t.me/nnm05716rus/529, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/5d4aa66f-d539-476b-9ebc-fb821d06439e.png, https://d34iuop8pidsy8.cloudfront.net/f37e2844-0758-426e-8a35-06f6fa5229d1.png]
  • Date: 2025-04-13T07:36:39Z
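The TTPs above describe a crowdsourced flood in which many volunteer nodes each send moderate volume at one resource-intensive endpoint such as a search form, so per-IP rate limiting tends to miss it. The following Python is an added defender-side illustration, not code from this report or from any tool it names; it keys detection on the target path instead of the source, and the access-log lines, IP ranges and thresholds are all constructed for the example.

```python
"""
Added example: flag an HTTP application-layer flood that concentrates many
distinct sources on a single expensive endpoint (e.g. /search).  Alerts are
per path, so mitigation can be applied to the endpoint (caching, challenge,
path-specific rate limit) rather than by blocking cloud/CDN address ranges.
All log data below is constructed; nothing here is from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (Apache/nginx default).  The query string is stripped so
# that /search?q=a and /search?q=b are counted as the same endpoint.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_endpoint_flood(lines, window=timedelta(seconds=60),
                          min_requests=50, min_sources=10, min_share=0.6):
    """
    Bucket requests into fixed windows and return one alert per (window, path)
    where the path received at least `min_requests` hits from at least
    `min_sources` distinct IPs and made up at least `min_share` of all traffic
    in that window.  The distinct-source condition is what separates a
    crowdsourced flood from a single misbehaving client (thresholds are
    illustrative; tune them to the site's baseline).
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    if not events:
        return []
    events.sort(key=lambda e: e["ts"])
    t0 = events[0]["ts"]
    hits = defaultdict(lambda: defaultdict(int))    # bucket -> path -> count
    srcs = defaultdict(lambda: defaultdict(set))    # bucket -> path -> {ip}
    totals = defaultdict(int)                       # bucket -> all requests
    for e in events:
        b = int((e["ts"] - t0) / window)
        hits[b][e["path"]] += 1
        srcs[b][e["path"]].add(e["ip"])
        totals[b] += 1

    alerts = []
    for b in sorted(hits):
        for path, count in hits[b].items():
            sources = len(srcs[b][path])
            share = count / totals[b]
            if count >= min_requests and sources >= min_sources and share >= min_share:
                alerts.append({"window": b, "path": path, "count": count,
                               "sources": sources, "share": round(share, 2)})
    return alerts


def build_sample_log():
    """Constructed sample: 20 volunteer-style sources sending 3 search requests
    each inside 40 s, mixed with 10 ordinary requests to other pages."""
    base = datetime(2025, 4, 13, 8, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(20):
        ip = f"203.0.113.{i + 1}"          # TEST-NET-3 documentation range
        for k in range(3):
            ts = (base + timedelta(seconds=i + 10 * k)).strftime(TS_FMT)
            lines.append(f'{ip} - - [{ts}] "GET /search?q=term{i}{k} HTTP/1.1" 200 5120')
    for j in range(10):
        ts = (base + timedelta(seconds=j * 5)).strftime(TS_FMT)
        lines.append(f'198.51.100.{j + 1} - - [{ts}] "GET /page{j} HTTP/1.1" 200 800')
    return lines


if __name__ == "__main__":
    for alert in detect_endpoint_flood(build_sample_log()):
        print(alert)
```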

2. Dark Storm Team Attack on Kosovo Ministry of Defense

  • Incident: Dark Storm Team claimed a DDoS attack targeting the website of the Ministry of Defense of the Republic of Kosovo.
  • Victim: Ministry of Defense of the Republic of Kosovo (Government Administration, Kosovo), Site: mod-rks–gov-net
  • Threat Actor Profile: Dark Storm Team
  • Background & Motivation: Dark Storm Team is a hacktivist collective first observed in mid-2023.[10] The group exhibits dual motivations: primarily political and ideological, with strong pro-Palestinian and anti-Israel stances, often extending to anti-Western and anti-NATO sentiments.[6] They are also considered potentially pro-Russian.[10] Alongside hacktivism, they operate commercially, offering DDoS-for-hire services and potentially monetizing data breaches, using high-profile attacks as advertisements.[6]
  • TTPs: Their primary TTP is conducting DDoS attacks.[6] They operate via Telegram channels to claim responsibility, make threats, and market their services.[10] Like NoName057(16), they use third-party “proof links” (e.g., check-host.net) to substantiate their claims.[6] They employ obfuscation techniques like using botnets, proxies, and VPNs to mask origins.[6] There is a history of the group potentially exaggerating the impact of their attacks or falsely claiming responsibility for notoriety.[10] They have previously cooperated with pro-Russian hacktivist groups.[16]
  • Observed Campaign Context: Targeting Kosovo’s Ministry of Defense aligns with a potential anti-NATO or pro-Russian stance, given Kosovo’s geopolitical alignment and NATO’s presence. This attack fits their pattern of targeting government and defense entities in nations perceived as adversaries.[6]
  • Evidence/Links:
  • Proof of Downtime: https://check-host.net/check-report/24ed9bb6k3e7
  • Published URL: https://t.me/DarkStormTeam3/251
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/335091c6-79c8-4458-8290-1c9a52eeb4e1.png
  • https://d34iuop8pidsy8.cloudfront.net/c2fc6dff-6a9a-438f-9b38-7eac8f2c5f36.png
  • Date: 2025-04-13T09:53:56Z

3. Websec Attack on Municipality of Petah Tikva, Israel

  • Incident: The group “Websec” claimed a DDoS attack taking down the website of the Municipality of Petah Tikva.
  • Victim: Municipality of Petah Tikva (Government & Public Sector, Israel), Site: petah-tikva.munil.il
  • Threat Actor Profile: Websec
  • Background & Motivation: Limited direct information is available on “Websec” as a specific hacktivist group from the provided materials. The name itself relates broadly to web security. However, attacks targeting Israeli government entities are common tactics for pro-Palestinian hacktivist groups, often operating under various banners or as part of larger coalitions like the “Holy League” (a union of pro-Russian and pro-Palestinian groups) [17] or campaigns like #OpIsrael.[19] Motivations are typically political, protesting Israeli policies or showing solidarity with Palestine.[18]
  • TTPs: The claimed attack method is DDoS. Broader hacktivist coalitions involved in similar campaigns also employ website defacement and data leaks.[17] General web security concepts [20] provide background on potential vulnerabilities exploited but are not actor-specific.
  • Observed Campaign Context: This attack fits the established pattern of hacktivist operations targeting Israeli websites, particularly government and municipal sites, as part of ongoing cyber conflict related to the Israeli-Palestinian situation.[19] Such attacks often increase during periods of heightened tension or coordinated campaigns like #OpIsrael.
  • Evidence/Links:
  • Proof of Downtime: Not provided (Claim only).
  • Published URL: https://t.me/Websechacktivists/591
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/6765b39e-04c9-4964-8de6-7ab057dd4b0f.png
  • Date: 2025-04-13T08:22:24Z

B. Website Defacement Incidents

Website defacement remains a common tactic for hacktivist groups seeking public visibility and to convey political messages. These attacks often target easily accessible websites, particularly in regions experiencing geopolitical conflict. South Asian groups targeting Indian entities were notably active during this period.

1. SYLHET GANG-SG Campaign Against Indian Targets

  • Threat Actor Profile: SYLHET GANG-SG
  • Background & Motivation: SYLHET GANG-SG is identified as a pro-Palestinian hacktivist group originating from Bangladesh.[26] Their motivations are primarily political and ideological, frequently targeting entities in India [27], Israel [26], Saudi Arabia [26], China (citing policies against Muslims) [28], and Western nations perceived as allies of Israel, such as France, the UK, and Canada.[27] They operate under banners like #OpIndia [28] and participate in broader pro-Palestinian campaigns. They are known to collaborate with other hacktivist groups.[29]
  • TTPs: The group employs both DDoS attacks [26] and website defacements [28] as primary tactics. They utilize Telegram for communication and attack claims.
  • Observed Campaign Context: The defacements of Indian educational and telecommunications websites align with their documented anti-India stance and participation in #OpIndia campaigns.[27] Educational institutions are frequent targets for defacement due to potentially weaker security postures, offering high visibility for the group’s messaging.
  • Incidents (India):
  • Victim: Versatile Telecom (Network & Telecommunications)
  • Site: versatileindia.co.in
  • Evidence/Links: Published: https://t.me/SylhetGangSG1/6209, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/4bf55a14-5645-4a55-9be0-fab3ab20e225.png, https://d34iuop8pidsy8.cloudfront.net/42c98a5f-32e7-4973-91a9-52c8122674c0.png]
  • Date: 2025-04-13T08:04:14Z
  • Victim: Kamarpukur Ramakrishna Vivekananda Academy (Education)
  • Site: krvacademy.in
  • Evidence/Links: Published: https://t.me/SylhetGangSG1/6209, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/b3ccc09d-bb8b-424e-9387-ee869720975a.png, https://d34iuop8pidsy8.cloudfront.net/6cad597a-6a9a-471b-9e02-856068d8ab03.png]
  • Date: 2025-04-13T07:16:54Z
  • Victim: CSJM Innovation Foundation (Education)
  • Site: innovation.csjmu.ac.in
  • Evidence/Links: Published: https://t.me/SylhetGangSG1/6209, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/b55c44db-6555-4ee2-bcfd-e49f072b5af8.png, https://d34iuop8pidsy8.cloudfront.net/63fdbac2-4458-44b9-9f4f-6a5a58e6ba48.png]
  • Date: 2025-04-13T07:09:17Z

2. RABBIT CYBER TEAM Campaign Against Indian Targets

  • Threat Actor Profile: RABBIT CYBER TEAM
  • Background & Motivation: Information on RABBIT CYBER TEAM is limited. They appear to be a hacktivist group active in the South Asian region, targeting Indian entities. They are known to form alliances with other regional hacktivist groups, such as HIME666.[32] Their motivations likely stem from regional political or ideological conflicts, similar to other groups operating in the India-Pakistan-Bangladesh cyber conflict arena.
  • TTPs: Website defacement is the observed TTP in this reporting period.
  • Observed Campaign Context: The targeting of Indian professional training academies fits the pattern of opportunistic defacements against accessible websites within a country of political interest for the hacktivist group.
  • Incidents (India):
  • Victim: Rastriya Youth Skill Development Academy (Professional Training)
  • Site: rysda.in
  • Evidence/Links: Published: https://t.me/c/2532077945/254, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/c40ecac5-b7f6-4d35-b932-6a45cdc8a71a.jpg]
  • Date: 2025-04-13T06:22:16Z
  • Victim: Radiant Glow Beauty Academy (Professional Training)
  • Site: rgba.in
  • Evidence/Links: Published: https://t.me/c/2532077945/254, Screenshots: [https://d34iuop8pidsy8.cloudfront.net/94257f08-8103-40ac-bb08-c0222bdf1e22.jpg]
  • Date: 2025-04-13T06:09:07Z

3. Cryptaris Attack on HD Elec, Morocco

  • Incident: The group “Cryptaris” claimed to have defaced the website of HD Elec, an electrical manufacturing company in Morocco.
  • Victim: HD Elec (Electrical & Electronic Manufacturing, Morocco), Site: hdelec.ma
  • Threat Actor Profile: Cryptaris
  • Background & Motivation: Very limited information is available regarding the threat actor “Cryptaris.” The name might suggest an interest in cryptocurrency or cryptography, but this remains speculative. Available context on general cyber threats [33] does not provide specific details on this actor. Motivations are unclear and could range from political statements, financial gain, skill demonstration, or simple vandalism.
  • TTPs: Website defacement is the observed TTP.
  • Observed Campaign Context: Without further information on the actor’s motives or affiliations, this appears as an isolated defacement incident targeting a commercial entity in Morocco.
  • Evidence/Links:
  • Published URL: https://t.me/c/2450476788/122
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/543b0589-1f5a-449f-a8a2-36b1fbbd0930.jpg
  • Date: 2025-04-13T05:55:41Z

C. Malware and Exploit Activity

Activity on underground forums highlighted the ongoing trade in malicious tools and exploits, catering to various cybercriminal needs. Offerings ranged from Remote Access Trojans (RATs) and specialized bots to evasion tools (crypters) and high-impact zero-day exploits.

1. Alleged Sale of GYware RAT by Rsavvalt

  • Offering: A web-based Remote Access Trojan (RAT) named “GYware,” advertised as Fully Undetectable (FUD).
  • Features: Includes a web control panel, file execution, credential harvesting (cookies, passwords, tokens), clipboard hijacking (clipper functionality, often used to steal cryptocurrency addresses), payment card data theft, and automated actions. A notable feature is its claimed self-spreading mechanism, infecting source code files on a victim’s desktop, potentially targeting developers and propagating through shared code.
  • Threat Actor: Rsavvalt (Seller/Developer Alias). Primarily financially motivated.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Provides attackers with comprehensive remote control over infected systems, enabling data theft, financial fraud, and further network compromise. The source code infection vector poses a specific risk to software development environments.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-GYware-web-Rat-panel-self-spreading-Best-in-2025
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/869238b2-42f6-406a-867d-b2aa18bbc767.png
  • Date: 2025-04-13T04:02:12Z

2. Alleged Sale of Crypto APK Bot by Arings

  • Offering: A tool described as a “Crypto APK Bot” for creating malicious Android applications.
  • Features: Includes an APK builder, FUD encryption, dropper capabilities, methods to bypass Google Play Protect, auto-granting of permissions, customizable accessibility service templates (often used for overlay attacks to steal credentials), and SMS spamming features.
  • Threat Actor: Arings (Seller/Developer Alias). Financially motivated.
  • Platform: Exploit.in (forum.exploit.in)
  • Potential Impact: Facilitates the creation and distribution of Android malware targeting cryptocurrency users and potentially enabling broader credential theft and SMS fraud. Claims of bypassing Google Play Protect, if accurate, represent a significant threat to the Android ecosystem.
  • Evidence/Links:
  • Published URL: https://forum.exploit.in/topic/257307/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/bb1a0803-d054-446c-8ed1-f9a1c37a32a0.png
  • Date: 2025-04-13T03:50:13Z

3. Alleged Sale of GhostCrypt Crypter Service

  • Offering: A crypter service named “GhostCrypt,” designed to obfuscate malware and evade detection by security software.
  • Features: Advertises advanced obfuscation techniques, evasion of Windows Defender, SmartScreen, and browser protections. Supports common malware delivery methods like EXE and DLL sideloading. Utilizes polymorphic encryption to change the malware’s signature. Claims compatibility with popular stealer and RAT families like LummaC2, Rhadamanthys, and XWorm. Offers features like custom stub sizes, icon spoofing, and a guarantee with free re-encryption if the malware becomes detected.
  • Threat Actor: GhostCrypt (Service/Developer Alias). Financially motivated. It is important to distinguish this crypter service offering from the similarly named ransomware family “GhostCrypt,” which emerged years prior based on open-source code.[35] The service advertised here focuses on evasion, not encryption for ransom, suggesting name reuse or an unrelated entity capitalizing on the name.
  • Platform: Exploit.in (forum.exploit.in)
  • Potential Impact: Lowers the effectiveness of signature-based and some heuristic security solutions, enabling less sophisticated actors to deploy known malware strains with a higher chance of success. Increases the overall threat level by making malware harder to detect.
  • Evidence/Links:
  • Published URL: https://forum.exploit.in/topic/257306/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/57abdcc5-1f52-467e-8528-25b980667c3b.png
  • Date: 2025-04-13T03:29:23Z

4. Alleged Sale of Synology NAS Zero-Day Exploit by 0x1

  • Offering: An exclusive zero-day exploit targeting Synology Network Attached Storage (NAS) devices.
  • Features: Claims to completely bypass Synology’s 2-Step Authentication (2FA), allowing full administrative access without needing the secondary authentication factor.
  • Threat Actor: 0x1 (Seller/Developer Alias). Financially motivated. General technical documentation [39] provides context on vulnerabilities but not this specific actor or exploit.
  • Target: Synology Inc. (Information Technology (IT) Services, Taiwan), Site: synology.com
  • Platform: Exploit.in (forum.exploit.in)
  • Potential Impact: Extremely high. A verified zero-day exploit bypassing 2FA on widely used NAS devices would grant attackers privileged access to potentially vast amounts of stored data. This could lead to catastrophic data breaches, ransomware deployment across networks, or the co-option of NAS devices into botnets for further attacks. This requires urgent attention and verification by the vendor and users.
  • Evidence/Links:
  • Published URL: https://forum.exploit.in/topic/257304/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/c026d147-f903-4c3b-8370-92ef9cf037fe.png
  • Date: 2025-04-13T00:15:55Z

D. Data Breach and Data Leak Incidents

The trade in stolen data continued unabated on underground forums, with various actors offering datasets from diverse victims across multiple sectors and geographies.

1. Alleged OCU Ediciones, S.A. Breach by Profanatica

  • Incident: Threat actor “Profanatica” claimed to have breached OCU Ediciones, S.A., a Spanish consumer organization, and threatened to publish the data.
  • Victim: OCU Ediciones, S.A. (Consumer Goods, Spain), Site: ocu.org
  • Data Claimed: Over 500 email credentials and more than 50 confidential documents, including ID numbers, addresses, signatures, and PDF files. The alleged breach date was November 22, 2024.
  • Threat Actor: Profanatica (Alias). Motivations are likely financial (selling data) or potentially disruptive/hacktivist.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Compromise of employee or member accounts via stolen credentials, exposure of sensitive personal information leading to identity theft risk, potential for targeted phishing attacks, and reputational damage to the organization.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-DATABASE-OCU-org-Internal-Documents-Credentials-Exposed-%E2%80%93-500-email-credentials-and-confiden–179151
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/96063357-07f7-43fb-988b-048385bc5b77.png
  • Date: 2025-04-13T03:32:51Z

2. Alleged Karaoke World Leak by AhmerAI

  • Incident: Threat actor “AhmerAI” claimed to leak data allegedly sourced from Karaoke World, a Czech company.
  • Victim: Karaoke World (Music, Czech Republic), Site: svetkaraoke.cz
  • Data Claimed: 14,000 records containing names, email addresses, IDs, and telephone numbers.
  • Threat Actor: AhmerAI (Alias). Likely motivated by financial gain or notoriety.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Exposure of customer PII increases the risk of spam, phishing campaigns, and potential identity theft for affected individuals.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-DATABASE-svetkaraoke-cz-12-April-2025
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/f6611fb6-fee3-4319-84fd-c30187fffbb7.png
  • Date: 2025-04-13T03:20:40Z

3. Alleged Sale of Arbitrary File Access on Multiple VPNs by mspaint

  • Incident: Threat actor “mspaint” offered for sale the ability to read arbitrary files on the infrastructure of multiple VPN providers across Mexico, Ecuador, and Colombia.
  • Victim: Specific mention of X3 Uninet S.A. (Network & Telecommunications, Mexico), Site: uninet.com.mx. Others unnamed.
  • Data Claimed: Arbitrary file read vulnerability/access on VPN servers.
  • Threat Actor: mspaint (Alias). Financially motivated. Snippet [46] is unrelated.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Significant risk to VPN providers and their users. Access could expose sensitive configuration files, potentially VPN user logs or credentials (depending on file system access), or serve as an entry point for deeper network compromise. Targeting core infrastructure like VPNs is a serious threat.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-VPN-Arbitrary-file-read-on-multiple-VPN-South-and-Central-America
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/109f4d9b-a639-41c9-8f07-0627143adcb2.png
  • Date: 2025-04-13T02:32:11Z

4. Alleged Spain Instagram Data Leak by AltaMar

  • Incident: Threat actor “AltaMar” claimed to possess and leak a database of Instagram user data specific to Spain.
  • Victim: Instagram Users (Social Media & Online Social Networking, Spain)
  • Data Claimed: Unspecified Instagram user data.
  • Threat Actor: AltaMar (Alias). Notably, this actor is also linked to the Iberdrola breach (Incident D6), suggesting a focus on Spanish targets or data sources. Likely financially motivated.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Depending on the data specifics (e.g., emails, phone numbers associated with accounts), this could facilitate targeted phishing, spam, credential stuffing attacks, or social engineering against Spanish Instagram users.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-SPAIN-INSTAGRAM-DATABASE
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/9c119a1d-e439-4fae-adb7-9859f0e2ccec.png
  • Date: 2025-04-13T02:18:10Z

5. Alleged National School of Commerce (Morocco) Leak by PaniToo

  • Incident: Threat actor “PaniToo” claimed a data leak from the National School of Commerce and Management of Fez (ENCG Fes) in Morocco. The post explicitly notes that the authenticity of this claim has not yet been verified.
  • Victim: National School of Commerce and Management of Fez (ENCG Fes) (Education, Morocco), Site: encg.usmba.ac.ma
  • Data Claimed: Includes names, email addresses, and allegedly full access to the institution’s phpMyAdmin interface.
  • Threat Actor: PaniToo (Alias). Motivation unclear.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: If verified, the leak exposes student/staff PII. The claimed phpMyAdmin access is particularly concerning, as it could allow direct manipulation of the website’s database, leading to further data compromise, website defacement, or malware injection. Verification is crucial.
  • Evidence/Links:
  • Published URL: http://breachforums.st/Thread-DATABASE-Data-of-Moroccan-University-encg-usmba-ac-ma
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/604fbbc3-4d5c-42dd-b30e-fc5bae16bf64.png
  • Date: 2025-04-13T02:13:39Z

6. Alleged Iberdrola Breach by AltaMar

  • Incident: Threat actor “AltaMar” claimed a major data breach affecting Iberdrola, a large Spanish multinational electric utility company.
  • Victim: Iberdrola (Renewables & Environment, Spain), Site: iberdrola.com
  • Data Claimed: A substantial dataset described as “1.1M IBAN LEADS,” suggesting the exposure of International Bank Account Numbers potentially linked with other customer information.
  • Threat Actor: AltaMar (Alias). Also linked to the Spain Instagram leak (Incident D4), reinforcing a focus on Spanish targets. Financially motivated.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: Extremely severe. The exposure of 1.1 million IBANs, especially if linked to other PII, creates a massive risk of direct financial fraud, sophisticated phishing attacks targeting customers, and widespread identity theft. Represents a major security incident for Iberdrola and its customers if confirmed.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-IBERDROLA-SPAIN-1-1M-IBAN-LEADS
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/132d3bf6-3da6-4220-b0a5-c75396ef1227.png
  • Date: 2025-04-13T00:15:27Z

7. Alleged Sale of Forex & Crypto Leads by Cleopetra

  • Incident: Threat actor “Cleopetra” advertised the sale of “hot” leads related to Forex and Cryptocurrency trading, specifically targeting individuals in Australia.
  • Victim: Unspecified individuals in Australia involved in Forex/Crypto markets.
  • Data Claimed: Detailed lead information including account name, phone number, email address, account status, trading brand, billing country, associated agent name, first-time depositor status and amount, and total deposited amount in USD.
  • Threat Actor: Cleopetra (Alias). Financially motivated.
  • Platform: BreachForums (breachforums.st)
  • Potential Impact: This type of data is highly valuable for scammers targeting individuals with a demonstrated interest and capacity for financial investment. It enables highly personalized and convincing phishing, investment scams, and social engineering attacks, potentially leading to significant financial losses for the individuals targeted.
  • Evidence/Links:
  • Published URL: https://breachforums.st/Thread-SELLING-Australia-HOT-FX-Crypto-2024
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/20f1552e-f244-4a52-a713-7b2b4b4c409c.png
  • Date: 2025-04-13T00:12:13Z

E. Other Notable Alerts

1. KAL EGY 319 Claim Regarding Cisco Academy Scholarship Site

  • Incident: The group “KAL EGY 319” posted a claim on Telegram asserting they had hacked the control panel of the official website for the Cisco Academy scholarship program, which is affiliated with the Egyptian National Council for Training and Education.
  • Victim: Egyptian National Council for Training and Education (Education, Egypt), specifically the Cisco Academy portal associated with egyptiancouncil.com.
  • Threat Actor Profile: KAL EGY 319
  • Background & Motivation: Appears to be an Egyptian threat actor group. The name was listed alongside other actors in a previous report, but without context.[43] Their motivation for this specific claim is unclear; it could be hacktivism targeting national institutions, an attempt to gain notoriety, or an effort to access sensitive student or administrative data.
  • TTPs: The claim implies compromising the website’s control panel, likely through exploiting a web application vulnerability or using stolen administrative credentials.
  • Observed Campaign Context: Targeting an educational platform’s administrative interface suggests an intent to gain privileged access. This could potentially allow the actor to modify website content, steal user data (students, administrators), disrupt scholarship processes, or use the compromised site for further malicious activities.
  • Evidence/Links:
  • Published URL: https://t.me/KALE3G1Y9/374
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/65bde596-3d1b-49ed-9d1e-56af3df461b1.png
  • https://d34iuop8pidsy8.cloudfront.net/f6a05cec-388e-4fa5-bed8-21c4ca3231b1.png
  • Date: 2025-04-13T09:19:43Z

Threat Actor Focus

Several threat actors were particularly active or notable during this reporting period:

  • NoName057(16): This pro-Russian group dominated the DDoS landscape with its extensive and coordinated campaign against numerous Finnish targets across government, transport, services, and political sectors. Their continued use of the DDoSia tool, facilitated by a gamified volunteer system and abuse of public cloud infrastructure [3], allows them to sustain a high operational tempo. Their targeting aligns precisely with their anti-NATO/pro-Kremlin ideology [1], demonstrating a persistent and capable threat actor focused on geopolitical disruption. Their potential focus on specific backend website components suggests an evolution towards more efficient disruption tactics.[7]
  • Dark Storm Team: Claiming a DDoS attack against Kosovo’s Ministry of Defense, this group continues to operate at the intersection of politically motivated hacktivism (pro-Palestine, pro-Russia/anti-NATO) and financially driven cybercrime (offering DDoS-for-hire services).[6] While their claims should be treated with some caution due to potential past exaggerations [16], they remain a relevant actor targeting entities aligned against their stated interests.
  • SYLHET GANG-SG / RABBIT CYBER TEAM: These groups exemplify ongoing hacktivist activity stemming from South Asian geopolitical tensions. Their multiple website defacements targeting Indian educational and training institutions highlight the use of low-sophistication, high-visibility attacks for political messaging.[27] SYLHET GANG-SG’s broader TTPs also include DDoS.[26]
  • Underground Market Actors (Various Aliases): The activity across BreachForums and Exploit.in underscores the vibrancy and danger of the cybercrime-as-a-service ecosystem. Actors specialize in different niches:
    • Malware/Tool Development & Sales: Rsavvalt (RAT), Arings (Android Bot), GhostCrypt (Crypter), 0x1 (Exploit). These actors provide the means for others to conduct attacks.
    • Data Brokerage: Profanatica, AhmerAI, mspaint, AltaMar, PaniToo, Cleopetra. These actors monetize stolen data. The alleged Synology NAS zero-day offered by “0x1” and the massive Iberdrola IBAN leak claimed by “AltaMar” represent particularly critical threats emerging from this underground economy, highlighting the potential for severe impact from both sophisticated exploits and large-scale data compromises. AltaMar’s focus on Spanish targets across multiple incidents is also noteworthy.

Analysis and Recommendations

Analysis:

The incidents reported on April 13, 2025, reveal several persistent and evolving cyber threats. Geopolitically motivated hacktivism remains a significant driver of disruptive activity, particularly DDoS attacks. Actors like NoName057(16) demonstrate sustained operational capacity, leveraging crowdsourced infrastructure and evolving tactics to target nations opposing their political alignments. Their ability to maintain high attack volumes against diverse sectors underscores the challenge of defending against dedicated hacktivist campaigns fueled by ongoing conflicts.

The reliance of DDoS actors on legitimate cloud infrastructure 3 and their focus on application-layer weaknesses 7 complicate traditional mitigation strategies. Simple IP blocking is often insufficient and can cause collateral damage, necessitating more sophisticated, behavior-based detection and mitigation at the application layer.

The cybercrime-as-a-service market continues to flourish, providing tools and data that lower the barrier to entry for attackers and increase the overall risk landscape. The advertisement of advanced malware with FUD capabilities (GYware), specialized evasion tools (GhostCrypt crypter), and particularly the alleged Synology NAS zero-day exploit, highlights the availability of potent offensive capabilities on underground forums. If legitimate, such exploits pose an immediate and severe threat to users of the affected products.

Data breaches remain a critical concern, with actors targeting a wide spectrum of data across various industries and geographies. The scale and sensitivity of the data claimed in incidents like the Iberdrola breach (1.1 million IBANs) emphasize the potential for catastrophic financial fraud and identity theft following such compromises. The activity of actors like AltaMar, apparently specializing in data from a specific region (Spain), indicates targeted data acquisition efforts. Underground forums like BreachForums continue to serve as central marketplaces, facilitating the monetization of stolen data and perpetuating the breach cycle.

Recommendations:

Based on the observed threats, organizations should prioritize the following security measures:

  1. Enhanced DDoS Mitigation: Implement comprehensive, multi-layered DDoS protection strategies that go beyond volumetric mitigation. Focus on Layer 7 defenses capable of behavioral analysis to identify and block sophisticated application-layer attacks, including those originating from legitimate cloud providers.3 Employ Web Application Firewalls (WAFs) with robust Layer 7 rule sets, rate limiting, and CAPTCHA challenges for sensitive or resource-intensive application functions.1 Develop and maintain a specific DDoS incident response plan.
  2. Advanced Endpoint and Network Security: Deploy Endpoint Detection and Response (EDR) solutions with behavioral detection capabilities to identify malware even when obfuscated by crypters. Monitor for indicators associated with known malware families (e.g., LummaC2, Rhadamanthys, XWorm) mentioned in tool advertisements. Implement network segmentation to contain threats and limit lateral movement. Maintain rigorous vulnerability management and patching processes, prioritizing critical vulnerabilities, especially in widely deployed systems like NAS devices.
  3. Web Application Security: Conduct regular security audits and penetration testing of web applications to identify and remediate vulnerabilities (following frameworks like OWASP Top 10) that could be exploited for defacement or unauthorized access.17 Secure administrative interfaces with strong authentication (MFA) and least-privilege access controls.
  4. Credential Security and Data Protection: Mandate the use of strong, unique passwords and enforce phishing-resistant Multi-Factor Authentication (MFA) wherever possible.10 Actively monitor for compromised organizational credentials appearing in breach datasets. Encrypt sensitive data at rest and in transit. Implement data minimization principles and Data Loss Prevention (DLP) technologies to control sensitive information flow.
  5. Proactive Threat Intelligence: Monitor relevant threat intelligence feeds, dark web forums (like BreachForums, Exploit.in), and hacktivist communication channels (like Telegram) for threats targeting your organization, sector, or region.4 Stay informed about hacktivist campaigns tied to geopolitical events. Critically evaluate the authenticity of claims made on underground forums before reacting.
  6. Third-Party Risk Management: Assess the security posture of critical third-party vendors, particularly those providing network infrastructure (e.g., VPNs) or widely used hardware/software components.
  7. Security Awareness Training: Continuously educate employees to recognize and report phishing attempts, malicious links/attachments, and social engineering tactics, which remain common initial infection vectors.28
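The analysis above and Recommendation 1 both call for behavior-based Layer 7 detection on resource-intensive functions (such as search forms) instead of blunt IP-range blocking that would also hit legitimate cloud and CDN traffic. The following is an added illustration, not code from this report or from any cited vendor: a sliding-window detector run over constructed access-log lines, whose log format, paths, sample addresses and thresholds are all assumptions.

```python
"""Sliding-window detector for Layer 7 floods aimed at resource-intensive
endpoints, run over constructed sample access-log lines (not real traffic).
Added illustration only: log format, paths and thresholds are assumptions."""
import re
from collections import defaultdict, deque

# Paths the report describes as prime flood targets (search forms and similar).
EXPENSIVE_PATHS = ("/search",)
# Assumed log format: <client-ip> [<epoch-seconds>] "<METHOD> <path> HTTP/x" <status>
LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def detect_l7_flood(log_lines, window=10, max_hits=20):
    """Return {client: peak_hits} for clients exceeding `max_hits` requests to
    expensive paths inside any `window`-second span. Cheap static requests are
    ignored, so a busy but legitimate client is not penalised. Keyed on the
    client IP for demonstration; behind a CDN, key on the forwarded client
    identity rather than blocking whole provider ranges."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(EXPENSIVE_PATHS):
            continue
        ip, ts = m.group("ip"), int(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()  # drop hits that fell out of the sliding window
        if len(q) > max_hits:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed lines: one flood, one ordinary searcher, one static-asset hog."""
    lines = [f'203.0.113.5 [{1000 + i // 3}] "GET /search?q=t{i} HTTP/1.1" 200'
             for i in range(30)]          # 30 searches in 10 s -> flood
    lines += [f'198.51.100.7 [{1000 + i * 12}] "GET /search?q=report HTTP/1.1" 200'
              for i in range(5)]          # 5 searches over a minute -> normal
    lines += [f'192.0.2.9 [{1000 + i // 4}] "GET /static/logo.png HTTP/1.1" 200'
              for i in range(40)]         # fast but cheap -> ignored
    return lines


if __name__ == "__main__":
    print(detect_l7_flood(sample_log()))  # {'203.0.113.5': 30}
```

The flagged client can then be fed to a WAF rate-limit or CAPTCHA rule scoped to the expensive path, leaving the rest of the site and other clients from the same provider range untouched.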

Works cited

  1. Unmasking NoName057(16) – CybelAngel, accessed April 13, 2025, https://cybelangel.com/unmasking-noname05716/
  2. Noname057(16) – Wikipedia, accessed April 13, 2025, https://en.wikipedia.org/wiki/Noname057(16)
  3. NoName057(16) | NETSCOUT – NetScout Systems, accessed April 13, 2025, https://www.netscout.com/blog/asert/noname057-16
  4. The NoName057(16) collective and DDoS offensives in support of the Russian narrative, accessed April 13, 2025, https://www.telsy.com/en/the-noname05716-collective-and-ddos-offensives-in-support-of-the-russian-narrative/
  5. Dark Web Profile: NoName057(16) – SOCRadar® Cyber Intelligence Inc., accessed April 13, 2025, https://socradar.io/dark-web-profile-noname05716/
  6. Dark Storm Team Claims Responsibility for Cyber Attack on X …, accessed April 13, 2025, https://blog.checkpoint.com/security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/
  7. Pro-Russian and Pro-Palestinian Hacktivists Targeting Australian Organizations – Radware, accessed April 13, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-and-pro-palestinian-hacktivists-targeting-australian-organizations/
  8. Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 13, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  9. Hacktivist Collective NoName057(16) Strikes European Targets – Infosecurity Magazine, accessed April 13, 2025, https://www.infosecurity-magazine.com/news/hacktivist-collective-noname057/
  10. Cyberattack Suspected in Worldwide X Outage | ZeroFox, accessed April 13, 2025, https://www.zerofox.com/intelligence-feed/cyberattack-suspected-in-worldwide-x-outage/
  11. X suffered a DDoS attack. Its CEO and security researchers can’t agree on who did it., accessed April 13, 2025, https://cyberscoop.com/x-ddos-attack-researchers-elon-musk-dark-storm/
  12. Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed April 13, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
  13. X Faces Cyberattack: Dark Storm Team Takes Credit, Musk Blames Ukraine – SOCRadar, accessed April 13, 2025, https://socradar.io/x-faces-cyberattack-dark-storm-team-takes-credit-musk-blames-ukraine/
  14. X Hit with DDoS Attack | Data Privacy + Cybersecurity Insider, accessed April 13, 2025, https://www.dataprivacyandsecurityinsider.com/2025/03/x-hit-with-ddos-attack/
  15. Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed April 13, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
  16. Global Hacktivist Threats – Graphika, accessed April 13, 2025, https://graphika.com/reports/global-hacktivist-threats
  17. December 16, 2024 Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 13, 2025, https://www.radware.com/getattachment/2a2da1ff-d41e-468a-a263-3b48851ca629/Advisory-Holy-League-Dec-2024.pdf.aspx
  18. Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 13, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
  19. OpIsrael 2025: Hacktivist Coordination Intensifies Ahead of April 7 – Radware, accessed April 13, 2025, https://radware.com/security/threat-advisories-and-attack-reports/opisrael-2025-hacktivist-coordination-intensifies-ahead-of-april-7/
  20. Strategic Cyber Security: Evaluating Nation-State Cyber Attack Mitigation Strategies with DEMATEL – Digikogu, accessed April 13, 2025, https://digikogu.taltech.ee/et/Download/2e332803-30c6-4508-bbb8-87991a8512b3/StrategicCyberSecurityEvaluatingNationState.pdf
  21. An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks – IOActive, accessed April 13, 2025, https://ioactive.com/pdfs/IOActive_HackingCitiesPaper_CesarCerrudo.pdf
  22. 2014 6th International Conference on Cyber Conflict (CYCON 2014) – CCDCOE, accessed April 13, 2025, https://ccdcoe.org/uploads/2018/10/CyCon_2014.pdf
  23. Sim-Cyberpunk: Serious Play, Hackers and Capture the Flag Competitions, accessed April 13, 2025, https://utoronto.scholaris.ca/bitstreams/a45e77eb-b0c5-43f5-b11e-44ca7dd82748/download
  24. 63RD ACM 26.09.2020 SEMESTER I 20XC11 CALCULUS AND ITS APPLICATIONS 3 2 0 4 20XC12 ENGLISH FOR PROFESSIONAL SKILLS 3 0 0 3 – PSG College of Technology, accessed April 13, 2025, https://www.psgtech.edu/placements/regs/MSc-2020regulations/7_M.Sc%20Cyber%20Security%20Syllabus.pdf
  25. Applying Software Security Assessments in Realistic Contexts, accessed April 13, 2025, https://repository.lib.ncsu.edu/server/api/core/bitstreams/194151c7-1313-42e8-a560-c92977ae5244/content
  26. An Overview of Cyber Attacks in the Middle East 2024[Threat Note] – CybelAngel, accessed April 13, 2025, https://cybelangel.com/cyber-attacks-middle-east-2024/
  27. Evolving Cyber Dynamics Amidst the Israel-Hamas Conflict – Check Point Blog, accessed April 13, 2025, https://blog.checkpoint.com/security/evolving-cyber-dynamics-amidst-the-israel-hamas-conflict/
  28. Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 13, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
  29. Misinformation and Hacktivist Campaigns Target the Philippines Amidst Rising Tensions with China – Resecurity, accessed April 13, 2025, https://www.resecurity.com/blog/article/misinformation-and-hacktivist-campaigns-target-the-philippines-amidst-rising-tensions-with-china
  30. State of the UAE – Cybersecurity Report 2024, accessed April 13, 2025, https://www.cpx.net/media/hocl331j/state-of-the-uae-cybersecurity-report.pdf
  31. Reflections of the Israel-Palestine Conflict on the Cyber World – SOCRadar, accessed April 13, 2025, https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/
  32. Ransomware Spike Highlights Urgent Need for Real-Time Dark, accessed April 13, 2025, https://cyberpress.org/real-time-dark-web-monitoring/
  33. The growing influencer problem to national security – Risky Biz News, accessed April 13, 2025, https://news.risky.biz/risky-bulletin-the-growing-influencer-problem-to-national-security/
  34. CYBERDEFENSE REPORT Hacking the Cosmos: Cyber operations against the space sector A case study from the war in Ukraine – ETH Zürich, accessed April 13, 2025, https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/cyber-reports-2024-10-hacking-the-cosmos.pdf
  35. 2017 Ransomware Recap – Datarecovery.com, accessed April 13, 2025, https://datarecovery.com/rd/2017-ransomware-recap/
  36. Prepare against Ransomware – Isaca Roma, accessed April 13, 2025, http://www.isacaroma.it/wp-content/uploads/2019/06/Prepare-against-ramsonware.pdf
  37. Cryptolocker Anatomia di un attacco Strategie di difesa e ripristino, accessed April 13, 2025, https://www.italdata.com/download/7126.pdf
  38. CyberSecurity – res publica – Es geht uns ALLE an ! www.cybersecurityaustria.at, accessed April 13, 2025, http://arge-ahs.ph-noe.ac.at/fileadmin/inf/AG_2018/CyberSecurity_Baden_2018.pdf
  39. Search Results – CVE, accessed April 13, 2025, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=usb
  40. Search Results – CVE, accessed April 13, 2025, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=directory
  41. BIG-IP 17.1.2.1 Fixes and Known Issues – MyF5, accessed April 13, 2025, https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-17-1-2-1.html
  42. BIG-IP 17.1.1.1 Fixes and Known Issues – MyF5, accessed April 13, 2025, https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/releasenotes/related/relnote-supplement-bigip-17-1-1-1.html
  43. HACK TUESDAY WEEK 19 – 25 MARCH 2025 – Hackmanac, accessed April 13, 2025, https://hackmanac.com/news/hack-tuesday-week-19-25-march-2025
  44. State of the UAE Cybersecurity Report 2025, accessed April 13, 2025, https://cpx.net/media/thbeuxk5/cpx-state-of-the-uae-report-2025.pdf
  45. Ransomware Decryption – Ransomware Recovery, Data Recovery | CyberSecOp Consulting Services, accessed April 13, 2025, https://cybersecop.com/decrypt-ransomware