1. Executive Summary
This report details significant cybersecurity incidents observed within the last 24 hours, covering ransomware, Distributed Denial-of-Service (DDoS) attacks, initial access brokerage, and website defacement.

Key events include a ransomware attack by the Qilin group against an Italian machinery manufacturer and another by INC RANSOM against a German architecture and planning firm, both employing double extortion. A coordinated DDoS campaign by the pro-Russian hacktivist group NoName057(16) hit multiple Polish organizations across critical sectors (energy, telecommunications, IT, and transportation), most likely motivated by Poland’s support for Ukraine. Further hacktivist DDoS activity came from AnonSec against Indian banks (potentially part of the #OpIndia campaign), RuskiNet against an Israeli banking association, and Al Ahad against non-profits in the UK and USA. BHZ defaced the website of a UK entity, and the initial access broker Jasobeam was observed selling AnyDesk access to an Argentinian media company on an underground forum.

Together these incidents highlight three persistent threats: financially motivated ransomware operators exploiting vulnerabilities and legitimate tools, politically motivated DDoS attacks by hacktivist groups reacting to geopolitical events, and specialized actors such as Initial Access Brokers operating within the cybercrime ecosystem.
Summary of Notable Incidents (16 April 2025)
| Time (UTC) | Threat Actor | Category | Victim Organization | Victim Country | Victim Industry | Key Details |
|---|---|---|---|---|---|---|
| 2025-04-16 09:29 | Qilin | Ransomware | Govoni Giuseppe e Daniele sas p | Italy | Machinery Manufacturing | Data exfiltration claimed, double extortion. |
| 2025-04-16 08:57 | NoName057(16) | DDoS Attack | beyond.pl | Poland | IT Services | Part of coordinated campaign against Polish entities. |
| 2025-04-16 08:51 | NoName057(16) | DDoS Attack | netia s.a. | Poland | Network & Telecommunications | Part of coordinated campaign against Polish entities. |
| 2025-04-16 08:46 | NoName057(16) | DDoS Attack | orlen railway | Poland | Transportation & Logistics | Part of coordinated campaign against Polish entities. |
| 2025-04-16 08:42 | NoName057(16) | DDoS Attack | pgnig bioevolution | Poland | Renewables & Environment | Part of coordinated campaign against Polish entities. |
| 2025-04-16 07:46 | NoName057(16) | DDoS Attack | baltic power sp. z o.o. | Poland | Renewables & Environment | Part of coordinated campaign against Polish entities. |
| 2025-04-16 07:40 | NoName057(16) | DDoS Attack | orlen s.a. | Poland | Oil & Gas | Part of coordinated campaign against Polish entities. |
| 2025-04-16 06:28 | AnonSec | DDoS Attack | THE KALYAN JANATA SAHAKARI BANK LTD | India | Banking & Mortgage | Part of coordinated campaign against Indian banks (#OpIndia likely). |
| 2025-04-16 06:23 | AnonSec | DDoS Attack | The Khamgaon Urban Co-operative Bank Ltd | India | Banking & Mortgage | Part of coordinated campaign against Indian banks (#OpIndia likely). |
| 2025-04-16 06:13 | AnonSec | DDoS Attack | Pravara Sahakari Bank Ltd. | India | Banking & Mortgage | Part of coordinated campaign against Indian banks (#OpIndia likely). |
| 2025-04-16 06:10 | AnonSec | DDoS Attack | Reserve Bank of India | India | Banking & Mortgage | Part of coordinated campaign against Indian banks (#OpIndia likely). |
| 2025-04-16 05:40 | INC RANSOM | Ransomware | ibL – Ingenieurbüro für Landentwicklung GmbH | Germany | Architecture & Planning | Claimed exfiltration of 56 GB data, double extortion. |
| 2025-04-16 04:09 | Jasobeam | Initial Access | Unidentified Media Company | Argentina | Broadcast Media | Sale of AnyDesk access advertised on XSS forum. |
| 2025-04-16 03:23 | BHZ | Defacement | Cloud Twelve Club | UK | Government & Public Sector | Website defacement claimed. |
| 2025-04-16 01:21 | RuskiNet | DDoS Attack | Association of Banks in Israel | Israel | Banking & Mortgage | DDoS attack claimed by pro-Russian affiliated group. |
| 2025-04-16 00:58 | Al Ahad | DDoS Attack | World Association of Nuclear Operators (WANO) | UK | Non-profit & Social Organizations | DDoS attack claimed against nuclear safety organization. |
| 2025-04-16 00:58 | Al Ahad | DDoS Attack | Nationwide Police Scorecard | USA | Non-profit & Social Organizations | DDoS attack claimed against police accountability organization. |
2. Detailed Incident Analysis
This section provides detailed analysis of the incidents recorded, organized by the responsible threat actor. Each subsection includes a profile of the threat actor based on available intelligence and specifics of the incident(s).
2.1 Qilin
Threat Actor Profile: Qilin
- Background: Qilin (also known as Agenda) is a Ransomware-as-a-Service (RaaS) operation active since at least July 2022.1 Initially based on the Go-based Agenda ransomware, it evolved into a more sophisticated Rust-based variant.3 The group operates a double extortion model, exfiltrating sensitive data before encryption and threatening to publish it on their darknet leak site if the ransom (often millions of dollars in cryptocurrency) is not paid.1
- Motivations: Primarily financial gain through ransom payments.1 They have shown a focus on sectors perceived as likely to pay, such as healthcare.4
- Tactics, Techniques, and Procedures (TTPs):
- Initial Access: Exploiting vulnerabilities in public-facing applications (e.g., Fortinet SSL VPN devices, Veeam Backup & Replication CVE-2023-27532) 3, targeting external remote services 3, spear-phishing links 1, and potentially using valid accounts obtained via leaks or underground purchases.1
- Execution & Persistence: Uses command-line interfaces and scripting interpreters.1 Establishes persistence via scheduled tasks.1 Can accept command-line arguments for customization.3
- Privilege Escalation & Credential Access: Employs process injection.1 Uses embedded Mimikatz module to target LSASS, winlogon, wininit for token manipulation and SYSTEM-level access.3 Extracts credentials from files and Group Policy Preferences.1
- Defense Evasion: Modifies group policies or registry keys.1 Injects code into legitimate processes.1 Employs multi-phase indicator removal, including clearing system event logs (PowerShell, System).3 May impair security tools.3
- Discovery & Lateral Movement: Spreads via removable media.1 Enumerates domain accounts and hosts.3 Uses remote services like SMB/Admin Shares for lateral movement.3
- Impact: Encrypts data (Data Encrypted for Impact – T1486).3 Inhibits system recovery (T1490).3 May trigger system shutdown/reboot (T1529).3
- Targets: Global reach, targeting diverse industries including healthcare, manufacturing, education, energy, aerospace, government, telecommunications, finance, media/publishing, and architecture/planning.1 Notable victim countries include the US, UK, Germany, France, Canada, Japan, and Italy.1
Incident Details:
- Title: Govoni Giuseppe e Daniele sas falls victim to Qilin Ransomware
- Timestamp: 2025-04-16T09:29:54Z
- Victim: govoni giuseppe e daniele sas p (govonisabbiatrici.it)
- Victim Country: Italy
- Victim Industry: Machinery Manufacturing
- Category: Ransomware
- Details: The Qilin group claims to have compromised the organization and obtained unspecified data. This aligns with their standard double extortion strategy, where data exfiltration precedes encryption.1 The publication on their Tor-based leak site serves to pressure the victim into payment.
- Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=9f6489a4-4568-38a9-9859-97f5fc911963
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/671befb9-0fb8-4ce9-b0d2-7ae3f1b51144.png
The targeting of a manufacturing entity in Italy is consistent with Qilin’s broad industry focus and known operations in European countries.1 Manufacturing, particularly involving machinery, can be sensitive to operational disruptions caused by ransomware, potentially increasing the perceived pressure to pay the ransom.
2.2 NoName057(16)
Threat Actor Profile: NoName057(16)
- Background: A pro-Russian hacktivist group (also known as NoName05716, 05716nnm, Nnm05716) active since March 2022, emerging shortly after Russia’s invasion of Ukraine.6 Operates alongside other pro-Russian groups like Killnet.7 Known for leveraging crowdsourcing for its attacks, similar initially to the IT Army of Ukraine.8
- Motivations: Primarily political and ideological, aiming to disrupt and destabilize Ukraine and NATO member states or countries critical of Russia’s actions.6 They often justify attacks based on specific geopolitical events, such as Poland recognizing Russia as a state sponsor of terrorism or perceived anti-Russian actions by target nations.7 The group values recognition and publicizes its attacks via Telegram.7
- TTPs:
- Primary Method: Distributed Denial-of-Service (DDoS) attacks.6
- Attack Tool: Utilizes a custom tool named “DDOSIA,” written in Go (earlier versions in Python). It is a multi-threaded client that floods targets with HTTP and HTTP/2 GET/POST requests and TCP SYN traffic according to instructions received from its C2 infrastructure.7 DDOSIA is distributed via a crowdsourced model, incentivizing participation with financial rewards for top contributors.11 Earlier versions involved spreading the Bobik bot via RedLine Stealer.6
- Attack Characteristics: Primarily HTTPS application-layer DDoS attacks, often short bursts (e.g., 10 minutes) but sometimes prolonged.10 Attacks are direct-path and typically do not use spoofed source IPs.10 They often target specific website functionalities like search bars, which are resource-intensive for servers.9
- Communication & Coordination: Uses Telegram channels extensively to announce targets, claim responsibility, post proof of downtime (check-host.net links), share pro-Russian propaganda, and recruit volunteers.7
- Targets: Focuses on Ukraine and NATO member states, particularly Eastern European countries like Poland, Lithuania, Czech Republic, Latvia, and Estonia, as well as Denmark, Italy, Spain, Slovenia, Canada, and others.6 Targeted sectors include government, financial institutions, transportation (including railways, cargo, shipping), energy, IT services, telecommunications, media/news websites, and critical infrastructure.6 Target selection often aligns with current political events, such as elections or specific government decisions.7
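The attack characteristics above (direct-path HTTPS floods from real source IPs, many crowdsourced participants, concentration on resource-intensive functions such as search) translate directly into two log-based checks. The script below is an added example written for this report, not tooling from NoName057(16) or any vendor: it parses combined-format web server access logs and flags both individual sources hammering expensive endpoints and windows in which many distinct sources hit those endpoints at once. The log format, the endpoint patterns, the thresholds and the log lines themselves are assumptions constructed for the example and should be tuned per site.

```python
"""Flag an HTTP(S) application-layer flood in web-server access logs.

Constructed example for this report, not tooling from NoName057(16) or any
vendor.  Assumes combined log format and that search/login style paths are
the expensive endpoints; the sample log lines, thresholds and endpoint
patterns are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format (CLF plus referer and user-agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths that do real work per request (search, login, filtered listings): the
# functionality the profile above says these floods concentrate on.
EXPENSIVE = re.compile(r"^/(search|szukaj|login)\b|[?&](q|s|query)=", re.I)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def _bucket(ts, window_s):
    epoch = int(ts.timestamp())
    return epoch - epoch % window_s

def detect_l7_flood(lines, window_s=10, per_ip_threshold=20, distinct_ip_threshold=5):
    """Two complementary checks over fixed time windows.

    noisy_ips: sources sending >= per_ip_threshold requests to EXPENSIVE paths in
      one window.  Direct-path floods expose real source IPs, so these are
      immediately actionable (rate-limit or block).
    surges: (window_start, distinct_ips, requests) where >= distinct_ip_threshold
      distinct sources hit EXPENSIVE paths in one window.  This is the
      crowdsourced pattern: each participant is modest, the aggregate is not,
      so the endpoint itself needs protecting (caching, challenge, WAF rule).
    """
    counts = defaultdict(lambda: defaultdict(int))  # window -> ip -> requests
    for ev in map(parse_line, lines):
        if ev is None or not EXPENSIVE.search(ev["path"]):
            continue
        counts[_bucket(ev["ts"], window_s)][ev["ip"]] += 1

    noisy_ips, surges = set(), []
    for start, per_ip in sorted(counts.items()):
        noisy_ips.update(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
        if len(per_ip) >= distinct_ip_threshold:
            surges.append((datetime.fromtimestamp(start, tz=timezone.utc),
                           len(per_ip), sum(per_ip.values())))
    return noisy_ips, surges

def make_sample_log():
    """Synthetic combined-format log: one heavy participant, six light ones,
    plus ordinary traffic.  RFC 5737 documentation addresses throughout."""
    base = datetime(2025, 4, 16, 8, 40, 0, tzinfo=timezone.utc)
    def line(ip, offset_s, path, status=200, ua="Go-http-client/2.0"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    # 25 requests in 8 seconds from one source, server starting to return 503s
    lines = [line("203.0.113.7", i * 8 / 25, f"/search?q=x{i}", status=503 if i > 15 else 200)
             for i in range(25)]
    # six more participants, three requests each, in the same window
    for k in range(6):
        lines += [line(f"198.51.100.{k + 1}", off, "/search?q=test") for off in (1, 4, 7)]
    # ordinary visitors later on
    lines.append(line("192.0.2.10", 30, "/index.html", ua="Mozilla/5.0"))
    lines.append(line("192.0.2.11", 45, "/search?q=annual+report", ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    noisy, surges = detect_l7_flood(make_sample_log())
    print("noisy sources:", sorted(noisy))
    for start, ips, reqs in surges:
        print(f"surge at {start:%H:%M:%S}Z: {ips} sources, {reqs} requests to expensive paths")
```

On the constructed log the per-source check isolates 203.0.113.7, while the surge check shows seven distinct sources producing 43 requests to the search endpoint inside one ten-second window. The second number is the one that matters against a crowdsourced tool: blocking the loudest participant leaves the endpoint under load, so the fix is on the endpoint side (caching search results, a challenge or rate limit keyed on the path rather than the client).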
Incident Details (Coordinated Campaign against Poland):
The series of DDoS attacks against Polish organizations on April 16, 2025, represents a concentrated campaign typical of NoName057(16)’s operations against countries perceived as opposing Russian interests.7 Poland has been a frequent target due to its strong support for Ukraine.7 This coordinated effort across multiple critical sectors (IT, Telecom, Transport, Energy) aims to cause maximum disruption and send a political message.6 The use of check-host.net links as proof is a standard practice for the group.7
- Title: NoName targets the website of Beyond.pl
- Timestamp: 2025-04-16T08:57:30Z
- Victim: beyond.pl (beyond.pl)
- Victim Country: Poland
- Victim Industry: Information Technology (IT) Services
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets IT services infrastructure.
- Published URL: https://t.me/nnm05716eng/218
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/7b8f184c-8b86-4954-8636-2e3fceadbe4f.png
- https://d34iuop8pidsy8.cloudfront.net/72f9a826-a9fa-45d2-94ba-48f6822e22c9.png
- Title: NoName targets the website of Netia
- Timestamp: 2025-04-16T08:51:43Z
- Victim: netia s.a. (netia.pl)
- Victim Country: Poland
- Victim Industry: Network & Telecommunications
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets a major telecommunications provider.
- Published URL: https://t.me/nnm05716eng/218
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/a96b3b5e-35e8-424e-bd90-3c108d80dd3c.png
- https://d34iuop8pidsy8.cloudfront.net/84ade14d-8e86-4e8b-9949-6e41ca1b6604.png
- Title: NoName targets the website of ORLEN Railway
- Timestamp: 2025-04-16T08:46:52Z
- Victim: orlen railway (kolej.orlen.pl)
- Victim Country: Poland
- Victim Industry: Transportation & Logistics
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets railway transport linked to a major energy company (Orlen).
- Published URL: https://t.me/nnm05716eng/218
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/d56523c5-18b0-4dd2-bfe4-4677fec89914.png
- https://d34iuop8pidsy8.cloudfront.net/9fc37eb6-015a-4abd-9de1-1e69d88cd4fe.png
- Title: NoName targets the website of PGNiG Bioevolution
- Timestamp: 2025-04-16T08:42:56Z
- Victim: pgnig bioevolution (bioevolution.orlen.pl)
- Victim Country: Poland
- Victim Industry: Renewables & Environment
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets renewable energy subsidiary of Orlen.
- Published URL: https://t.me/nnm05716eng/218
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/09460d5c-b97a-4d51-ab41-6c2c138ba8f9.png
- https://d34iuop8pidsy8.cloudfront.net/019751cd-10c0-4462-a516-98fc383d4a7e.png
- Title: NoName targets the website of Baltic Power
- Timestamp: 2025-04-16T07:46:21Z
- Victim: baltic power sp. z o.o. (balticpower.pl)
- Victim Country: Poland
- Victim Industry: Renewables & Environment
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets offshore wind farm project.
- Published URL: https://t.me/nnm05716eng/217
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/654d94cc-9f24-47f4-ac1f-291821aeefa6.png
- https://d34iuop8pidsy8.cloudfront.net/c7593dc0-375b-41be-a82c-11790b78f7f0.png
- Title: NoName targets the website of ORLEN S.A.
- Timestamp: 2025-04-16T07:40:14Z
- Victim: orlen s.a. (orlen.pl)
- Victim Country: Poland
- Victim Industry: Oil & Gas
- Category: DDoS Attack
- Details: Claimed DDoS attack with multiple proofs of downtime provided. Targets the main website of the major Polish energy company.
- Published URL: https://t.me/nnm05716rus/574
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/dbc98993-48ab-4f20-85c4-7577437d3cb3.png
- https://d34iuop8pidsy8.cloudfront.net/074cf4d4-dd64-488a-ae12-d0936c336826.png
The concentrated nature of these attacks within a two-hour window against prominent Polish entities across diverse but critical sectors underscores the group’s capability to orchestrate disruptive campaigns intended to signal political displeasure.6
2.3 AnonSec
Threat Actor Profile: AnonSec
- Background: The name “AnonSec” leverages the notoriety of the decentralized hacktivist collective “Anonymous”.12 Anonymous originated in the early 2000s and is known for cyberattacks against governments, corporations, and other institutions, often motivated by anti-censorship, free speech, and social justice issues.12 However, Anonymous is not a formal group, and many different actors or cells operate under its banner, with varying motivations and capabilities.12 Some groups using the “Anonymous” name, like Anonymous Sudan, have shown complex or potentially misleading affiliations and motivations.15 Therefore, AnonSec is likely a specific cell or group adopting the Anonymous persona.
- Motivations: Hacktivist motivations are broad, including political protest, social commentary, ideology, revenge, or seeking notoriety.12 The targeting of Indian banks suggests participation in campaigns like #OpIndia, which often involve hacktivists from neighboring countries or those with specific grievances targeting Indian government, financial, or educational institutions, frequently linked to political or religious tensions.14
- TTPs:
- Primary Method: DDoS attacks are a common and characteristic tactic for Anonymous-affiliated groups and hacktivists in general.12
- Infrastructure: May use publicly available tools, botnets of compromised devices, or potentially rented server infrastructure for higher traffic output, similar to tactics observed with Anonymous Sudan.15
- Communication: Claims and coordination often occur via platforms like Telegram, as indicated by the Published URL field in the incidents below.
- Targets: Anonymous targets are diverse, including governments, corporations, and specific organizations they oppose.12 #OpIndia campaigns specifically target Indian entities.14 This specific AnonSec activity focuses on the Indian Banking & Mortgage sector.
Incident Details (Coordinated Campaign against Indian Banks):
The simultaneous DDoS attacks claimed by AnonSec against multiple Indian financial institutions, including the Reserve Bank of India, strongly suggest participation in a coordinated campaign, likely under the #OpIndia banner.14 Such campaigns often see various hacktivist groups uniting to target Indian websites in response to perceived grievances or geopolitical events.14 While the “AnonSec” name invokes the broader Anonymous collective, this specific activity points to a focused operation targeting India’s financial sector. The use of the Anonymous brand provides visibility but doesn’t necessarily indicate affiliation with other Anonymous operations or a specific level of sophistication.12
- Title: AnonSec targets the website of THE KALYAN JANATA SAHAKARI BANK LTD
- Timestamp: 2025-04-16T06:28:58Z
- Victim: the kalyan janata sahakari bank ltd (kalyanjanata.co.in)
- Victim Country: India
- Victim Industry: Banking & Mortgage
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets a cooperative bank.
- Published URL: https://t.me/c/2389372004/235
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/26867a49-0943-4101-89d1-a1d4e9d9b367.jpg
- Title: AnonSec targets the website of The Khamgaon Urban Co-operative Bank Ltd
- Timestamp: 2025-04-16T06:23:26Z
- Victim: the khamgaon urban co-operative bank ltd (khamgaonbank.com)
- Victim Country: India
- Victim Industry: Banking & Mortgage
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets another cooperative bank.
- Published URL: https://t.me/c/2389372004/235
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/1aa26b90-f936-4ae3-b2ab-8d8058d466e0.jpg
- Title: AnonSec targets the website of Pravara Sahakari Bank Ltd.
- Timestamp: 2025-04-16T06:13:52Z
- Victim: pravara sahakari bank ltd. (pravarabank.com)
- Victim Country: India
- Victim Industry: Banking & Mortgage
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets a third cooperative bank.
- Published URL: https://t.me/c/2389372004/235
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/7509bfb1-fb17-454b-9f99-d4467f2e22c7.png
- Title: AnonSec targets the website of Reserve Bank of India
- Timestamp: 2025-04-16T06:10:45Z
- Victim: reserve bank of india (rbi.org.in)
- Victim Country: India
- Victim Industry: Banking & Mortgage
- Category: DDoS Attack
- Details: Claimed DDoS attack with proof of downtime provided. Targets India’s central bank.
- Published URL: https://t.me/c/2389372004/235
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/2280f0da-203c-43fb-a3a3-24c7a0769996.png
The targeting pattern suggests a deliberate effort to disrupt India’s financial sector, fitting the profile of hacktivist campaigns aimed at causing disruption and gaining attention for a cause.14
2.4 INC RANSOM
Threat Actor Profile: INC RANSOM
- Background: A ransomware operation observed since August 2023.18 Operates a RaaS model and employs double extortion (data exfiltration + encryption).18 Believed to have Russian origins.18 Notably, they sometimes position their actions misleadingly as a “service” to victims, claiming to reveal security weaknesses.20
- Motivations: Primarily financial gain.19 They target organizations across various sectors, particularly those with critical operations or low tolerance for downtime, to maximize pressure for ransom payment.19
- TTPs:
- Initial Access: Known to use spear-phishing emails 18 and exploit vulnerabilities in public-facing applications, such as CVE-2023-3519 (Citrix NetScaler) 18 and potentially CVE-2023-48788 (Fortinet EMS).19 Valid accounts are also a potential vector.18
- Execution & Persistence: Uses command and scripting interpreters.18 Leverages legitimate tools like PsExec (often renamed to disguise it, e.g., as “winupd”) and Remote Monitoring and Management (RMM) software like AnyDesk for execution and persistence.18
- Privilege Escalation & Credential Access: Uses tools like Lsassy.py to dump credentials from memory 18 and techniques like pass-the-hash.19
- Defense Evasion: Employs obfuscated files.18 Attempts to delete Volume Shadow Copies (VSS) to hinder recovery; ESENTUTL.EXE has also been observed in their toolset (that utility is typically abused to copy files locked while in use, such as credential databases, via a shadow copy, rather than to delete shadow copies).19
- Discovery & Lateral Movement: Deploys network scanning tools like NETSCAN.EXE and Advanced IP Scanner.18 Uses RDP and remote access tools like AnyDesk for lateral movement.18
- Collection & Exfiltration: Stages data using tools like 7-Zip.18 Exfiltrates data using cloud sync tools like MEGASync (MEGAsyncSetup64.EXE).18
- Impact: Encrypts critical files.18 Delivers ransom notes, sometimes via connected printers, demanding payment via their Tor portal.19 Threatens to leak exfiltrated data.19
- Targets: Exhibits broad, opportunistic targeting across multiple industries globally, including healthcare, education, government, manufacturing, retail, energy, finance, and architecture/planning.18 Victims have been reported in North America, Europe, and Asia.18 They maintain a Tor-based leak site listing victims, with over 120 entities named since mid-2023 19 and an estimated total victim count exceeding 214.18
Incident Details:
- Title: ibL – Ingenieurbüro für Landentwicklung GmbH falls victim to INC RANSOM Ransomware
- Timestamp: 2025-04-16T05:40:07Z
- Victim: ibl – ingenieurbüro für landentwicklung gmbh (iblinfo.de)
- Victim Country: Germany
- Victim Industry: Architecture & Planning
- Category: Ransomware
- Details: The group claims to have exfiltrated 56 GB of data from the German architecture and planning firm. This significant data volume claim aligns with their double extortion model, increasing pressure on the victim to pay to prevent a data leak.18 The use of a dedicated leak site (.onion address) is standard for INC RANSOM.20
- Published URL: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/67f8dedc516e69ca61924455
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/3f8a62d3-cc6b-4938-b874-bf6ac70b3dbe.png
INC RANSOM’s initial access relies heavily on exploiting known vulnerabilities in internet-facing systems.18 Their documented use of CVE-2023-3519 in Citrix NetScaler and potential use of CVE-2023-48788 in Fortinet EMS highlights the need for rigorous patch management, especially for internet-facing infrastructure.19 Furthermore, the group’s reliance on legitimate tools like AnyDesk, PsExec, NetScan, and MEGAsync for post-compromise activity is a textbook “Living Off The Land” (LOTL) approach.18 This complicates detection, since the activity blends with normal administrative work; it calls for behavioral monitoring (for example, flagging renamed administrative binaries and unexpected use of cloud-sync or remote-access tools), egress traffic analysis, and strict controls over dual-use tools.19
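The LOTL tradecraft in this profile (PsExec renamed to “winupd”, AnyDesk, MEGAsync, esentutl, shadow copy deletion) is detectable from process-creation telemetry if you compare what a binary calls itself internally with what it is called on disk. The script below is an added example written for this report, not tooling from INC RANSOM or any vendor; it triages Sysmon Event ID 1 style records (Image, OriginalFileName, CommandLine) and also covers the inhibit-recovery step (T1490) listed in the Qilin profile in section 2.1. “psexec.c” is PsExec’s well-known OriginalFileName; the remaining watchlist entries and all sample events are assumptions constructed for the example and should be confirmed against the PE version information of the binaries in your own estate.

```python
"""Triage process-creation telemetry (Sysmon Event ID 1 style fields) for the
Living-Off-The-Land tooling described in the INC RANSOM profile above.

Constructed example for this report, not tooling from any vendor or group.
Field names follow Sysmon (Image, OriginalFileName, CommandLine); the sample
events are synthetic.  "psexec.c" is PsExec's well-known OriginalFileName; the
other watchlist entries are assumptions to confirm against the PE version info
of the binaries in your own estate.
"""
import re
from pathlib import PureWindowsPath

DUAL_USE_ORIGINAL_NAMES = {
    "psexec.c": "PsExec",
    "netscan.exe": "SoftPerfect Network Scanner",       # assumption
    "advanced_ip_scanner.exe": "Advanced IP Scanner",   # assumption
    "anydesk.exe": "AnyDesk",                           # assumption
    "megasync.exe": "MEGAsync",                         # assumption
    "megasyncsetup64.exe": "MEGAsync installer",        # assumption
}

def _stem(name_or_path):
    """Lower-case file name without extension, with a trailing '64' dropped so
    PsExec64.exe still lines up with PsExec's OriginalFileName 'psexec.c'."""
    return re.sub(r"64$", "", PureWindowsPath(name_or_path).stem.lower())

def triage_event(idx, ev):
    """Return a list of findings for one process-creation event."""
    findings = []
    image = ev.get("Image", "")
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    img_stem = _stem(image)

    def hit(severity, rule, detail):
        findings.append({"event": idx, "severity": severity, "rule": rule, "detail": detail})

    # 1. Dual-use tool present at all, and renamed on disk (the "winupd" trick):
    #    the PE version resource still names the real tool.
    tool = DUAL_USE_ORIGINAL_NAMES.get(orig)
    if tool and img_stem != _stem(orig):
        hit("high", "renamed dual-use tool", f"{tool} running as {PureWindowsPath(image).name}")
    elif tool:
        hit("medium", "dual-use tool executed", tool)

    # 2. esentutl /vss copies files that are locked while in use (SAM hive,
    #    ntds.dit) via a shadow copy: a credential-theft staple.
    if img_stem == "esentutl" and "/vss" in cmd:
        hit("high", "locked-file copy via esentutl", ev.get("CommandLine", ""))

    # 3. Shadow copy deletion: the usual inhibit-recovery step (T1490) before
    #    encryption, whichever utility performs it.
    if (img_stem == "vssadmin" and "delete" in cmd and "shadows" in cmd) or \
       (img_stem == "wmic" and "shadowcopy" in cmd and "delete" in cmd):
        hit("high", "shadow copy deletion", ev.get("CommandLine", ""))
    return findings

def triage(events):
    """Run triage_event over a sequence of events and return all findings."""
    return [f for i, ev in enumerate(events) for f in triage_event(i, ev)]

# Synthetic events modelled on the tradecraft in the profile above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\winupd.exe", "OriginalFileName": "psexec.c",
     "CommandLine": r"winupd.exe \\FILESRV01 -accepteula -s -d cmd /c whoami"},
    {"Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"Image": r"C:\Windows\System32\esentutl.exe", "OriginalFileName": "esentutl.exe",
     "CommandLine": r"esentutl.exe /y C:\Windows\NTDS\ntds.dit /vss /d C:\Temp\ntds.dit"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\jdoe\Downloads\MEGAsyncSetup64.exe",
     "OriginalFileName": "MEGAsyncSetup64.exe", "CommandLine": "MEGAsyncSetup64.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] event {f['event']}: {f['rule']} :: {f['detail']}")
```

Against the constructed events the renamed PsExec, the esentutl copy of ntds.dit and the vssadmin deletion come out as high-severity findings, AnyDesk and the MEGAsync installer as medium (legitimate in some estates, so they should be checked against an allow-list of approved software rather than blocked outright), and svchost produces nothing. The name mismatch check is the robust part: a renamed binary keeps its OriginalFileName unless the attacker also patches the version resource, which is rarer than a simple rename.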
2.5 Jasobeam (Initial Access Broker)
Threat Actor Profile: Jasobeam
- Background: Jasobeam operates as an Initial Access Broker (IAB). IABs are specialized cybercriminals who gain unauthorized access to corporate networks and then sell that access to other threat actors, typically on underground forums.22 These forums, such as XSS.is (where this incident was posted) and Exploit, serve as marketplaces connecting IABs with buyers like ransomware groups.22
- Motivations: Purely financial; IABs profit by monetizing the access they obtain.22 They act as a critical supplier in the cybercrime supply chain.
- TTPs: The core TTP involves gaining initial access through various means (e.g., exploiting vulnerabilities, phishing, credential theft/stuffing) and then advertising the access for sale. The types of access sold vary widely and can include RDP, VPN credentials, web shells, compromised accounts for remote access software (like AnyDesk in this case), or even details on exploitable vulnerabilities like SQL injection or RCE.22 Pricing depends on the perceived value of the target and the level of access obtained.22
- Targets: IABs are generally opportunistic, targeting organizations across various sectors and geographies where they can find and sell access.22 This specific listing targets an Argentinian media company.
Incident Details:
- Title: Alleged access sale to an unidentified media company in Argentina
- Timestamp: 2025-04-16T04:09:42Z
- Victim: Unidentified Media Company
- Victim Country: Argentina
- Victim Industry: Broadcast Media
- Category: Initial Access
- Details: The threat actor Jasobeam claims to be selling AnyDesk access to the network of an Argentinian media company. The sale is advertised on the XSS.is underground forum, a prominent Russian-language platform frequented by sophisticated cybercriminals.23 The availability of AnyDesk access suggests potential for remote control, data exfiltration, or deployment of further malware like ransomware.
- Published URL: https://xss.is/threads/136267/
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/8e615794-0552-4ef5-9987-7afc1da66bbc.png
This incident highlights the critical role IABs play in facilitating larger cyberattacks.22 By specializing in gaining initial access, they lower the barrier for entry for other malicious actors, such as ransomware gangs, who can purchase confirmed access rather than expending resources on breaching defenses themselves.22 The advertisement on a major forum like XSS.is increases the likelihood that this access will be purchased and utilized for malicious purposes.23 The specific mention of AnyDesk access underscores the risks associated with poorly secured remote administration tools.
2.6 BHZ
Threat Actor Profile: BHZ
- Background: Based on the incident type (website defacement), BHZ appears to be a hacktivist group or individual actor. Specific information about BHZ’s origins or history is not available in the provided context, but defacement is a common tactic for groups seeking to make political or social statements, or simply gain notoriety.24
- Motivations: Hacktivist motivations for defacement can include promoting political or social causes, protesting against the target organization or its perceived values, revenge, ideology, embarrassing the victim, or thrill-seeking.13 Targeting a specific entity like the Cloud Twelve Club could be symbolic, perhaps related to perceived elitism or specific policies/affiliations of the club.
- TTPs: The primary TTP is website defacement, which involves altering the visual content of a target website to display the attacker’s message.24 This is typically achieved by exploiting vulnerabilities in the web application (e.g., SQL injection, cross-site scripting) or the underlying server, or by compromising administrative credentials for the website.14 Defacers often use known, relatively unsophisticated techniques and publicly available tools, though some create their own.24 Claims are often posted on platforms like Telegram.
- Targets: Defacement targets are often chosen based on their symbolic value, the potential attention the defacement might receive, or simply the ease of compromise.24 This incident targets a UK-based entity, potentially a private members’ club, listed under “Government & Public Sector” perhaps erroneously or due to some public function.
Incident Details:
- Title: BHZ targets the website of Cloud Twelve Club
- Timestamp: 2025-04-16T03:23:30Z
- Victim: cloud twelve club (cloudtwelve.co.uk)
- Victim Country: UK
- Victim Industry: Government & Public Sector (Note: Likely a private club/wellness center)
- Category: Defacement
- Details: The group BHZ claims responsibility for defacing the website of the Cloud Twelve Club. The claim was published on Telegram, a common platform for hacktivist announcements.
- Published URL: https://t.me/c/2328912113/41
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/ee217f70-e3c6-4559-9352-0836383986c7.png
Website defacement serves as a visible form of digital protest or vandalism.13 While often less impactful in terms of direct data loss compared to ransomware, it successfully achieves the goal of drawing attention, broadcasting a message (even if just “hacked by BHZ”), and causing reputational damage to the targeted organization by highlighting security weaknesses.14 Such incidents indicate underlying vulnerabilities that allowed the unauthorized modification of the website content.24
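Because a defacement is by definition a change to served content, the control that turns it into an alert rather than a Telegram post is baseline-and-compare integrity monitoring. The script below is an added example written for this report, not tooling from BHZ, the victim or any vendor: it normalizes a fetched page by blanking attributes that legitimately change on every response (CSP nonces, anti-CSRF tokens), fingerprints the result, and distinguishes an ordinary content update from a page carrying typical defacement phrases. Fetching is left to the caller (for example urllib.request); the sample pages, the volatile-attribute patterns and the marker phrases are assumptions constructed for the example.

```python
"""Baseline-and-compare integrity check for a public web page.

Constructed example for this report, not tooling from any vendor or group.
Operates on HTML you have already fetched; the pages below are synthetic, and
the volatile-attribute and defacement-phrase lists are assumptions to tune.
"""
import hashlib
import re

# Attributes that legitimately change on every response and must not count as
# a modification: CSP nonces and anti-CSRF tokens in inputs or meta tags.
VOLATILE = [
    (re.compile(r'\snonce="[^"]*"'), ' nonce=""'),
    (re.compile(r'(name="(?:csrf[^"]*|_token|authenticity_token)"\s+value=")[^"]*"', re.I), r'\1"'),
    (re.compile(r'(<meta\s+name="csrf-token"\s+content=")[^"]*"', re.I), r'\1"'),
]

# Phrases that appear in the overwhelming majority of defacement pages.
DEFACEMENT_MARKERS = re.compile(
    r"hacked by|owned by|pwned by|defaced by|we are anonymous|security is just an illusion",
    re.I,
)

def normalize(html):
    """Blank volatile attributes and collapse whitespace so that only real
    content changes alter the fingerprint."""
    for pattern, repl in VOLATILE:
        html = pattern.sub(repl, html)
    return re.sub(r"\s+", " ", html).strip()

def fingerprint(html):
    """SHA-256 of the normalized page; store this as the baseline."""
    return hashlib.sha256(normalize(html).encode("utf-8")).hexdigest()

def assess(baseline_fp, html):
    """Compare a freshly fetched page with the stored baseline fingerprint.

    Returns {'status': 'unchanged' | 'changed' | 'defaced', 'markers': [...]}.
    'changed' is a content update to review; 'defaced' is a change that also
    carries known defacement phrases and warrants an immediate response.
    """
    markers = sorted({m.lower() for m in DEFACEMENT_MARKERS.findall(html)})
    if fingerprint(html) == baseline_fp:
        return {"status": "unchanged", "markers": markers}
    return {"status": "defaced" if markers else "changed", "markers": markers}

# Synthetic pages: the approved baseline, the same page re-rendered with fresh
# tokens, a legitimate content update, and a defaced page.
BASELINE_HTML = """<html><head><meta name="csrf-token" content="tok-001">
<script nonce="n1">init()</script></head>
<body><h1>Example Members' Club</h1>
<form><input type="hidden" name="csrf_token" value="abc"></form></body></html>"""
LEGIT_RERENDER = BASELINE_HTML.replace("tok-001", "tok-002").replace('"n1"', '"n2"').replace('"abc"', '"def"')
CONTENT_UPDATE = BASELINE_HTML.replace("</form>", "</form><p>New opening hours</p>")
DEFACED_HTML = "<html><body><h1>Hacked by BHZ</h1></body></html>"

if __name__ == "__main__":
    baseline = fingerprint(BASELINE_HTML)
    for label, page in [("re-render", LEGIT_RERENDER), ("update", CONTENT_UPDATE), ("defaced", DEFACED_HTML)]:
        print(label, assess(baseline, page))
```

Run on a schedule against the live site, the baseline is re-recorded only after a human approves a “changed” result; a “defaced” result should also trigger a look at the web server and CMS logs for the write path (uploaded file, plugin, stolen administrator credentials) that made the modification possible.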
2.7 RuskiNet
Threat Actor Profile: RuskiNet
- Background: The name “RuskiNet” strongly suggests affiliation with the wave of pro-Russian hacktivist groups that emerged or became more active following the 2022 invasion of Ukraine, similar to groups like KillNet and NoName057(16).26 These groups often operate loosely, sharing similar goals and tactics.
- Motivations: Primarily geopolitical and ideological, supporting Russian state interests and targeting nations or organizations perceived as adversaries or supporters of Ukraine.26 The targeting of an Israeli banking association could stem from various complex geopolitical factors involving Russia-Israel relations, be part of a broader anti-Western/anti-ally campaign, or potentially align with wider hacktivist operations like #OpIsrael where collaborations between pro-Russian and other groups have been observed.16
- TTPs:
- Primary Method: DDoS attacks are the hallmark of these pro-Russian groups.11
- Tools & Infrastructure: Likely utilizes publicly available DDoS scripts, IP stresser services, or participates in larger botnet infrastructures, potentially including crowdsourced platforms like DDOSIA used by NoName057(16).11
- Communication: Coordination and claims are typically made via Telegram channels.11
- Targets: While core targets for pro-Russian groups are Ukraine and NATO supporters 26, the scope can sometimes broaden. This incident targets the Israeli banking sector.
Incident Details:
- Title: RuskiNet targets the website of Association of Banks in Israel
- Timestamp: 2025-04-16T01:21:51Z
- Victim: association of banks in israel (ibank.org.il)
- Victim Country: Israel
- Victim Industry: Banking & Mortgage
- Category: DDoS Attack
- Details: RuskiNet claims responsibility for a DDoS attack against the Association of Banks in Israel, providing proof of downtime via a check-host.net link.
- Published URL: https://t.me/c/2577273080/195
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/c8d42838-899f-422e-9fd8-43cb39a365fb.png
This incident contributes to the understanding that the pro-Russian hacktivist landscape is composed of numerous distinct, though ideologically aligned, groups.26 While major players like KillNet and NoName057(16) garner significant attention, smaller or newer entities like RuskiNet also contribute to the overall DDoS threat environment. The targeting of an Israeli entity suggests either an expansion of typical pro-Russian targets based on evolving geopolitical alignments or participation in broader hacktivist campaigns that transcend the immediate Russia-Ukraine conflict context.16
2.8 Al Ahad
Threat Actor Profile: Al Ahad
- Background: Appears to be a hacktivist group primarily using DDoS attacks. The name “Al Ahad” (Arabic for “The One” or “Sunday”) could suggest Middle Eastern or Islamic affiliations. Hacktivism in recent years has seen the rise of large alliances, such as the “Holy League,” which reportedly unites numerous pro-Palestinian, pro-Russian, and anti-Western/anti-India groups (potentially over 80) to conduct coordinated campaigns.29 Al Ahad could potentially be one such member group or operate with similar motivations.
- Motivations: Likely political or ideological.31 The specific motivations behind targeting the World Association of Nuclear Operators (WANO) and the Nationwide Police Scorecard are unclear but fit general hacktivist patterns of targeting organizations related to controversial issues (nuclear power, policing) or symbols of Western establishment/governance.13 Such attacks align with the anti-Western stance often seen in hacktivist alliances.29 Motivations could range from specific anti-nuclear or anti-police sentiment to broader geopolitical protest.
- TTPs:
- Primary Method: DDoS attacks, as demonstrated by the reported incidents.17 Hacktivist groups and alliances also employ website defacement and data leaks.30
- Communication: Claims are made via Telegram, a common platform for hacktivist coordination and propaganda dissemination.16
- Tools: Likely uses common DDoS tools or participates in shared botnet infrastructure potentially available to allied groups.
- Targets: This activity targets non-profit organizations in the UK and USA focused on nuclear safety and police accountability. Broader hacktivist targets vary widely based on ideology and the agendas of coordinating alliances, often including government, critical infrastructure, financial institutions, and symbols of opposing ideologies.13
Incident Details:
- Title: Al Ahad targets the website of World Association of Nuclear Operators (WANO)
- Timestamp: 2025-04-16T00:58:56Z
- Victim: world association of nuclear operators (wano) (wano.info)
- Victim Country: UK
- Victim Industry: Non-profit & Social Organizations
- Category: DDoS Attack
- Details: Claimed DDoS attack against the international nuclear safety organization, with proof of downtime.
- Published URL: https://t.me/qayzerowns/99
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/393ffb2c-9301-47d7-8b87-2d121efbd7ba.png
- Title: Al Ahad targets the website of Nationwide Police Scorecard
- Timestamp: 2025-04-16T00:58:50Z
- Victim: nationwide police scorecard (policescorecard.org)
- Victim Country: USA
- Victim Industry: Non-profit & Social Organizations
- Category: DDoS Attack
- Details: Claimed DDoS attack against a US-based police accountability project website, with proof of downtime.
- Published URL: https://t.me/qayzerowns/100
- Screenshot(s):
- https://d34iuop8pidsy8.cloudfront.net/bac6407a-1308-4c58-953b-3f35efba8e9e.png
The targeting of these specific non-profits, rather than broad government or corporate entities, suggests potentially focused ideological motivations related to nuclear power and policing.13 However, these attacks also fit within the broader context of hacktivist alliances like the Holy League conducting campaigns against Western nations (UK, USA).29 Such alliances allow disparate groups with overlapping anti-Western or specific issue-based agendas to pool resources and conduct coordinated attacks, making the threat landscape more complex.30 Even organizations focused on niche issues can become targets if they fall within the ideological scope of active hacktivist groups or alliances.
3. Emerging Trends & Observations
Analysis of the incidents reported over the past 24 hours reveals several key trends and observations:
- Concentrated Hacktivist DDoS Campaigns: The flurry of attacks by NoName057(16) against Polish entities in rapid succession demonstrates the capability of organized hacktivist groups to execute targeted, high-tempo DDoS campaigns against multiple critical sectors within a single nation.6 This tactic appears directly linked to geopolitical events and serves as a disruptive form of political signaling, highlighting the vulnerability of nations perceived as adversaries by these groups. The simultaneous attacks by AnonSec against Indian banks further underscore this trend of coordinated DDoS activity, likely part of the recurring #OpIndia campaign.14
- Persistent and Adaptive Ransomware Threat: Financially motivated ransomware remains a significant threat, exemplified by the Qilin and INC RANSOM incidents. Both groups operate established RaaS platforms and utilize double extortion tactics, exfiltrating data before encryption to maximize leverage.1 Their TTPs demonstrate adaptation, including the exploitation of recently disclosed vulnerabilities in common enterprise software (e.g., Citrix, Fortinet) for initial access 3 and the continued abuse of legitimate administrative and file-sharing tools (LOTL techniques) for post-compromise activities, complicating detection efforts.18
- Prevalence and Motivations of Hacktivism: A substantial portion of the observed malicious activity originated from hacktivist groups employing DDoS attacks and website defacement. The motivations driving these groups (NoName057(16), AnonSec, BHZ, RuskiNet, Al Ahad) are diverse, spanning pro-Russian geopolitical aims,26 region-specific campaigns (#OpIndia),14 potential anti-Western sentiment,29 and issue-specific activism (targeting nuclear safety and police accountability organizations).13 This highlights the global, multifaceted nature of hacktivism fueled by ongoing conflicts and social tensions, with DDoS remaining a primary tool for disruption.17
- Cybercrime Ecosystem Specialization: The Jasobeam incident, involving the sale of initial access on a prominent underground forum (XSS.is), underscores the specialization within the cybercrime ecosystem.22 IABs focus on breaching networks, providing a crucial service to other actors, particularly ransomware groups, who can then focus on monetization. This division of labor enhances the overall efficiency and accessibility of cybercrime.22
- Attribution Challenges and Potential State Links: While direct state sponsorship was not confirmed for the specific incidents observed today, the pro-Russian alignment of groups like NoName057(16) and RuskiNet fits a pattern where hacktivist activities align with nation-state interests.7 The broader cyber landscape includes instances where state actors may masquerade as independent hacktivists or where groups collaborate, blurring lines and complicating definitive attribution.31 Groups like Anonymous Sudan initially fueled speculation about state backing before being linked to individuals seeking notoriety.16
4. Recommendations & Outlook
Based on the analysis of threats observed during this reporting period, the following recommendations are advised:
- Enhance DDoS Mitigation Capabilities: Organizations, particularly those in sectors frequently targeted by hacktivists (government, finance, critical infrastructure, energy, transport), should implement and regularly test robust, multi-layered DDoS mitigation strategies. These should include capacity to absorb large volumetric attacks and sophisticated techniques to filter application-layer (Layer 7) attacks, such as those employed by NoName057(16) and other groups.10 Utilize traffic filtering, rate limiting based on source IP and request patterns, and Content Delivery Networks (CDNs) for caching and traffic absorption.15
- Prioritize Vulnerability and Patch Management: Aggressively identify and remediate known exploited vulnerabilities, especially on internet-facing systems like VPN gateways, firewalls, RMM platforms, and web applications. Maintain a comprehensive and up-to-date asset inventory to facilitate rapid patching when critical vulnerabilities, like those exploited by INC RANSOM and Qilin, are disclosed.3
- Strengthen Identity and Access Management: Enforce strong password policies and universal Multi-Factor Authentication (MFA) to mitigate credential theft and abuse. Monitor for signs of credential dumping (e.g., Mimikatz, Lsassy.py usage) 3 and unauthorized use of remote access tools like RDP and AnyDesk.19 Be aware of the threat from IABs selling compromised credentials.22
- Monitor and Control Legitimate Tool Usage: Implement application control and behavioral monitoring (e.g., via EDR solutions) to detect and potentially block the malicious use of legitimate tools often abused by ransomware groups (e.g., PSExec, network scanners like NetScan, file synchronization tools like MEGASync).18 Scrutinize egress network traffic for unusual patterns indicative of data exfiltration.18
- Bolster Security Awareness Training: Continuously educate employees to recognize and report phishing attempts, a common initial access vector for ransomware.1 Emphasize caution regarding unsolicited communications and attachments.
- Maintain Robust Backup and Recovery: Ensure regular, tested backups of critical data, including offline or immutable copies, to enable recovery from ransomware attacks. Verify that backup systems are segmented and protected from attacks targeting recovery capabilities, such as the deletion of Volume Shadow Copies (VSS).19
- Leverage Threat Intelligence: Monitor threat intelligence feeds, security news, and relevant communication channels (including public hacktivist Telegram channels and underground forums where accessible) for early warnings of targeted campaigns, new TTPs, and activity by IABs.8
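One way to operationalise the source-IP and request-pattern rate limiting recommended above, as an added Python example that is not part of this report: it parses access-log lines in the common log format and flags sources that exceed a sliding-window request threshold or that hit one path with many distinct query strings (a cache-busting pattern that defeats CDN caching). The thresholds, addresses and log lines are constructed assumptions, not values from the report.

```python
"""Sliding-window Layer 7 flood check over web access-log lines.

Added example, not code from the report. It flags source IPs that exceed a
request-rate threshold within a sliding window and, separately, IPs hitting one
path with many distinct query strings (cache-busting). Thresholds and sample
log lines are constructed assumptions, not values from the report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Common/combined log format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str]]:
    """Return (ip, timestamp, path, query), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, target, _status = m.groups()
    path, _, query = target.partition("?")
    return ip, datetime.strptime(ts, TIME_FMT), path, query

def detect_floods(lines: Iterable[str], window_s: int = 10, max_requests: int = 20,
                  min_distinct_queries: int = 10) -> Dict[str, List[str]]:
    """Return {source_ip: sorted reasons} for sources whose traffic looks like an L7 flood."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # in-window timestamps per IP
    queries: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # distinct queries per (ip, path)
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:  # assumed chronological per source IP
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, query = rec
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:  # expire requests outside the window
            window.popleft()
        if len(window) > max_requests:
            flagged[ip].add("rate")
        if query:
            queries[(ip, path)].add(query)
            if len(queries[(ip, path)]) >= min_distinct_queries:
                flagged[ip].add("cache-busting")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}

def constructed_sample() -> List[str]:
    """Constructed log lines using RFC 5737 documentation addresses, not real traffic."""
    fmt = '{ip} - - [16/Apr/2025:09:00:{sec:02d} +0000] "GET {target} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="203.0.113.7", sec=i // 5, target=f"/login?cb={i}") for i in range(25)]
    lines += [fmt.format(ip="198.51.100.4", sec=s, target="/news") for s in (0, 3, 7)]
    return lines
```

In the constructed sample, one source sends 25 requests to /login with a changing query string within five seconds and is flagged for both reasons, while the three-request source is not; the flagged set is what a rate limiter or CDN rule would act on.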
Outlook:
The threat landscape is expected to remain dynamic. Politically motivated DDoS attacks by hacktivist groups, particularly those aligned with pro-Russian or other geopolitical factions, are likely to continue targeting nations and organizations involved in ongoing conflicts or perceived as adversaries. Expect continued activity from groups like NoName057(16) and emergent cells operating under various banners. Ransomware will persist as a dominant threat, with RaaS groups like Qilin and INC RANSOM continuing operations, refining TTPs, and rapidly weaponizing new vulnerabilities. The cybercrime supply chain, including IABs like Jasobeam, will continue to facilitate these attacks. Organizations must maintain vigilance and adapt their defenses to counter these evolving threats.
Works cited
- Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 16, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
- Weekly Intelligence Report – 11 Apr 2025 – cyfirma, accessed April 16, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-11-apr-2025/
- Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024 – Picus Security, accessed April 16, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
- Cybercrime: A Multifaceted National Security Threat | Google Cloud Blog, accessed April 16, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat
- FBI Confirms North Korean Lazarus Group Behind $1.5 Billion Bybit Crypto Heist, accessed April 16, 2025, https://www.picussecurity.com/resource/blog/fbi-north-korean-lazarus-group-bybit-crypto-heist
- Unmasking NoName057(16): Botnets, DDoSia, and NATO – CybelAngel, accessed April 16, 2025, https://cybelangel.com/unmasking-noname05716/
- NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne, accessed April 16, 2025, https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
- NoName057 Threat Actor Profile – Quorum Cyber, accessed April 16, 2025, https://www.quorumcyber.com/wp-content/uploads/2024/04/TI-NoName057-Threat-Actor-Profile-1.pdf
- Cybersecurity threats: NoName057 targets Italy’s financial sector | White Blue Ocean, accessed April 16, 2025, https://www.whiteblueocean.com/newsroom/ddos-attacks-rock-the-italian-financial-sector/
- NoName057(16) – NetScout Systems, accessed April 16, 2025, https://www.netscout.com/blog/asert/noname057-16
- Pro-Russian Hacktivists Target Organizations in Austria With DDoS Attack Campaign, accessed April 16, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-hacktivists-target-organizations-in-austria-with-ddos-attack-campaign/
- Anonymous (hacker group) – Wikipedia, accessed April 16, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
- What is Hacktivism? – Check Point Software, accessed April 16, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/
- Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 16, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
- What is Anonymous Sudan? | Anonymous Sudan origins and attacks – Cloudflare, accessed April 16, 2025, https://www.cloudflare.com/learning/ddos/glossary/anonymous-sudan/
- U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024 – CrowdStrike, accessed April 16, 2025, https://www.crowdstrike.com/en-us/blog/anonymous-sudan-hacktivist-group-ddos-indictment/
- Defending against distributed denial of service (DDoS) attacks – ITSM.80.110, accessed April 16, 2025, https://www.cyber.gc.ca/en/guidance/defending-against-distributed-denial-service-ddos-attacks-itsm80110
- Is Your Organization Safe From INC Ransom? – Vectra AI, accessed April 16, 2025, https://www.vectra.ai/threat-actors/inc-ransom
- Inc Ransom Attack Analysis – ReliaQuest, accessed April 16, 2025, https://reliaquest.com/blog/inc-ransom-attack-analysis/
- Inc. Ransom | SentinelOne, accessed April 16, 2025, https://www.sentinelone.com/anthology/inc-ransom/
- Dragos Industrial Ransomware Analysis: Q3 2024, accessed April 16, 2025, https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q3-2024/
- The use of Initial Access Brokers (IABs) by ransomware groups – Outpost24, accessed April 16, 2025, https://outpost24.com/blog/use-of-initial-access-brokers-by-ransomware-groups/
- LockBit’s Conversation on XSS Forum with an Initial Access Broker – Security Boulevard, accessed April 16, 2025, https://securityboulevard.com/2024/03/lockbits-conversation-on-xss-forum-with-an-initial-access-broker/
- (PDF) Hacktivism and Website Defacement: Motivations, Capabilities and Potential Threats, accessed April 16, 2025, https://www.researchgate.net/publication/320330579_Hacktivism_and_Website_Defacement_Motivations_Capabilities_and_Potential_Threats
- Website defacement and routine activities: considering the importance of hackers’ valuations of potential targets | Request PDF – ResearchGate, accessed April 16, 2025, https://www.researchgate.net/publication/337233852_Website_defacement_and_routine_activities_considering_the_importance_of_hackers’_valuations_of_potential_targets
- Under attack: Exposing upscale hacktivist DDoS tactics – SecurityBrief Australia, accessed April 16, 2025, https://securitybrief.com.au/story/under-attack-exposing-upscale-hacktivist-ddos-tactics
- killnet-analyst-note.pdf – HHS.gov, accessed April 16, 2025, https://www.hhs.gov/sites/default/files/killnet-analyst-note.pdf
- Killnet: Russian Hacktivists DDoS US Airports, Government Websites – Cyber, accessed April 16, 2025, https://westoahu.hawaii.edu/cyber/uncategorized/killnet-russian-hacktivists-ddos-us-airports-government-websites/
- Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 16, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
- December 16, 2024 Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 16, 2025, https://www.radware.com/getattachment/2a2da1ff-d41e-468a-a263-3b48851ca629/Advisory-Holy-League-Dec-2024.pdf.aspx
- Modern Approach to Attributing Hacktivist Groups – Check Point Research, accessed April 16, 2025, https://research.checkpoint.com/2025/modern-approach-to-attributing-hacktivist-groups/
- Evolution of DDoS: Return of the Hacktivists | Akamai, accessed April 16, 2025, https://www.akamai.com/site/en/documents/research-paper/the-evolution-of-ddos-return-of-the-hacktivists.pdf