[April-29-2025] Daily Cybersecurity Threat Report

1. Executive Summary

This report provides an analysis of significant cybersecurity incidents observed and reported within the last 24 hours. The threat landscape continues to be dynamic, featuring a mix of financially motivated cybercrime and politically driven operations. Key activities documented include the attempted sale of initial network access, multiple data leak incidents impacting various sectors, ongoing ransomware campaigns leveraging the Ransomware-as-a-Service (RaaS) model, and targeted actions by hacktivist groups.

Data leakage and the brokerage of initial access credentials were particularly prominent categories during this reporting period. This underscores the existence of active underground markets where compromised data and network access are traded, fueling subsequent attacks. Ransomware remains a persistent and impactful threat, with established RaaS operations like LYNX and Nova actively compromising organizations and employing double extortion tactics.

Several threat actors were observed, reflecting the diverse motivations present in the cyber domain. Actors associated with RaaS operations (LYNX, Nova) demonstrated continued activity against commercial entities. Threat actors specializing in data breaches and sales (enolajames851, goldshark11, kazu, labyrinth) were involved in significant data compromise events. Initial Access Brokers (IABs) such as LongNight, nightcity, and get_com were active in marketing unauthorized access to corporate systems. Additionally, hacktivist groups, including GHOST’S OF GAZA and Golden Falcon, conducted operations apparently driven by political agendas.

Analysis of the observed incidents reveals several key trends. The persistent focus on credential compromise stands out; multiple incidents involved the direct sale or leakage of user credentials, API keys, or administrative access derived from stolen credentials [1]. This pattern highlights that compromising valid accounts remains a primary pathway for threat actors to achieve their objectives, making credential security a critical defense area for organizations.

Furthermore, the activity of RaaS groups like LYNX and Nova exemplifies the ongoing industrialization of cybercrime [7]. The RaaS model significantly lowers the barrier to entry for sophisticated attacks, enabling a wider range of actors to deploy ransomware by providing ready-made tools and infrastructure [8]. This scalability suggests ransomware will continue to be a pervasive threat across industries.

Finally, the simultaneous occurrence of financially motivated cybercrime (data theft, ransomware, access sales) and geopolitically motivated actions (hacktivism, targeted alerts) demonstrates the complex and multifaceted threat landscape organizations currently navigate [1]. Defenders must prepare for adversaries with diverse goals, ranging from profit generation to political disruption or espionage.

2. Incident Summary Table

The following table provides a high-level overview of the cybersecurity incidents reported in the last 24 hours.

Incident Title | Category | Threat Actor(s) | Victim Organization | Victim Country | Network | Date Reported (UTC)
--- | --- | --- | --- | --- | --- | ---
Alleged sale of Fortinet admin access… | Initial Access | LongNight | Unidentified (Saudi Arabian Org) / Fortinet | Saudi Arabia (implied) / USA | openweb | 2025-04-29T13:06:14Z
Alleged Sale of Together AI API Keys | Initial Access | nightcity | Together AI | USA | openweb | 2025-04-29T12:15:26Z
Alleged database leak of PinkBlueIndia.com | Data Leak | enolajames851 | PinkBlueIndia.com | India | openweb | 2025-04-29T12:14:39Z
Alleged data Leak of U.S. Driving Licenses and Metadata | Data Leak | CannibalCorpse | Unidentified (Minnesota Citizens) | USA | openweb | 2025-04-29T12:05:15Z
Allegedly leaked an Admission Navigator database | Data Leak | enolajames851 | Admission Navigator (propostuplenie.ru) | Russia | openweb | 2025-04-29T11:46:24Z
GHOST’S OF GAZA targets the website of Senior Finance Controller | Defacement | GHOST’S OF GAZA | Senior Finance Controller (Bangladesh Navy) | Bangladesh | telegram | 2025-04-29T11:14:45Z
Alleged sale of Binance and Coinbase User Credentials | Data Leak | labyrinth | Binance / Coinbase Users | Global | openweb | 2025-04-29T10:47:34Z
Alleged Data Leak of U.S. Bank | Data Leak | goldshark11 | U.S. Bank | USA | openweb | 2025-04-29T09:23:00Z
David Mills, CPA, LLC falls victim to Lynx Ransomware | Ransomware | LYNX | David Mills, CPA, LLC | USA | tor | 2025-04-29T08:56:38Z
Alleged sale of WordPress access to an unidentified Magento-based store | Initial Access | get_com | Unidentified Magento Store | Unknown | openweb | 2025-04-29T05:43:57Z
SJ ERP falls victim to Nova Ransomware | Ransomware | Nova | SJ ERP | Dominican Republic | tor | 2025-04-29T04:37:49Z
Golden Falcon claims to be targeting the USA and Israel | Alert | Golden Falcon | USA / Israel | USA / Israel | telegram | 2025-04-29T03:27:54Z
Alleged data leak of Nepal Tuberculosis Patient Registry Portal | Data Breach | kazu | Nepal Tuberculosis Patient Registry Portal | Nepal | openweb | 2025-04-29T01:54:32Z

3. Detailed Incident Analysis

This section provides a detailed analysis of each incident identified in the reporting period.

3.1 Incident: Alleged sale of Fortinet admin access to an unidentified Saudi Arabian company

  • Date Reported: 2025-04-29T13:06:14Z
  • Category: Initial Access
  • Network: openweb (xss.is forum)
  • Victim: An unidentified organization in Saudi Arabia is the primary target, utilizing technology from Fortinet, Inc. (USA, Computer & Network Security, fortinet.com).
  • Incident Summary: The threat actor identified as “LongNight” is advertising administrative access to a Fortinet FortiAuthenticator instance on the xss.is cybercrime forum. This access purportedly grants full control over user management and authentication for 500 users within the targeted, unnamed Saudi Arabian organization.
  • Threat Actor Profile: LongNight
  • Background & Motivation: Specific intelligence regarding the threat actor “LongNight” is not available in the reviewed materials. However, the nature of their activity—selling administrative access on a known underground forum—strongly aligns with the profile of an Initial Access Broker (IAB). IABs are typically financially motivated cybercriminals who specialize in breaching networks or systems and then selling that access to other malicious actors [1]. The buyers may then use this access for various nefarious purposes, such as deploying ransomware, exfiltrating sensitive data, or conducting espionage. LongNight’s primary motivation appears to be profiting from the sale of this high-privilege access.
  • TTPs: The specific Tactics, Techniques, and Procedures (TTPs) employed by LongNight to gain the initial administrative access remain unknown based on the available information. Common methods utilized by IABs include exploiting unpatched software vulnerabilities [17], executing successful phishing campaigns to steal credentials [1], or brute-forcing weak authentication mechanisms [6]. The actor leverages the xss.is forum, a well-established marketplace within the cybercrime ecosystem, to advertise and sell the compromised access.
  • Targeting: This incident demonstrates specific targeting of critical security infrastructure, namely the Fortinet FortiAuthenticator. Compromising such authentication systems offers significant leverage over a victim’s network, potentially enabling widespread unauthorized access and control. The targeting of an organization in Saudi Arabia reflects the global reach of cybercriminal operations. The sale of administrative access to a core security component like FortiAuthenticator represents a severe threat. Gaining control over this system allows an attacker to bypass established security measures, potentially compromise all user accounts managed by the device, manipulate authentication policies, and gain deeper network intrusion capabilities. This highlights the substantial risk posed by IABs who focus on compromising security solutions themselves.
  • Supporting Evidence:
  • Published URL: http://xss.is/threads/136878/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a2306e04-1c1d-4713-acd4-4dc651e0c0a0.png

3.2 Incident: Alleged Sale of Together AI API Keys

  • Date Reported: 2025-04-29T12:15:26Z
  • Category: Initial Access (API Key Compromise)
  • Network: openweb (xss.is forum)
  • Victim: Together AI (USA, Software Development, together.ai)
  • Incident Summary: A threat actor using the handle “nightcity” claims on the xss.is forum to be selling an API key associated with the Together AI Neural Network platform.
  • Threat Actor Profile: nightcity
  • Background & Motivation: Direct intelligence on the threat actor “nightcity” is not present in the analyzed data. Similar to the previous incident involving “LongNight,” the act of selling an API key on a cybercrime forum strongly suggests financial motivation [1]. Compromised API keys provide unauthorized access to services, which can be abused in various ways, including consuming computational resources (leading to financial costs for the legitimate owner), accessing or stealing proprietary data, or manipulating the service itself. The actor’s likely goal is to profit from this sale.
  • TTPs: The method used to obtain the Together AI API key is not specified. Common vectors for API key theft include discovering keys mistakenly hardcoded in publicly accessible code repositories (e.g., GitHub), stealing them from compromised developer workstations or cloud environments via malware, or tricking developers into revealing them through phishing attacks. The sale is advertised on the xss.is forum, indicating participation in the underground economy for stolen digital assets.
  • Targeting: The specific target is Together AI, a platform operating in the Artificial Intelligence sector. Compromised API keys for AI platforms are becoming increasingly attractive to threat actors. Such keys can grant unauthorized access to potentially expensive computational resources needed for model training or inference, or allow access to proprietary AI models and sensitive datasets. This incident reflects the expanding attack surface associated with AI and Machine Learning platforms. As AI becomes more integrated into business operations, securing associated access mechanisms like API keys is crucial. A compromised key can lead directly to financial losses through unauthorized resource consumption or result in the theft of valuable intellectual property. The appearance of such keys for sale indicates a developing market within the cybercrime ecosystem for access to AI resources.
  • Supporting Evidence:
  • Published URL: https://xss.is/threads/136874/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a7ca4b36-b081-40e8-b496-c3ebeea3c2e4.png
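
The hardcoded-key exposure path described above (keys committed to repositories or scripts) is the one defenders can check for most cheaply. The following Python scanner is an added example written for this report; it is not code from the report, from Together AI, or from any scanning product. It walks a set of constructed file contents, flags credential-looking literals by two rules (a credential-named variable assigned a long quoted literal, and a literal HTTP bearer token), and drops obvious placeholders and low-entropy fillers. The file names, variable names, key values, and the placeholder word list are all assumptions made for the example; no real Together AI key format is implied.

```python
import math
import re
from collections import Counter

# Constructed sample repository contents (file names and key values are made up).
SAMPLE_FILES = {
    "config.py": 'TOGETHER_API_KEY = "a3f9c1e2b7d84e5f9a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7"\n',
    "README.md": "Set TOGETHER_API_KEY in your environment before running.\n",
    "client.py": "client = Client(api_key=os.environ['TOGETHER_API_KEY'])\n",
    "old_script.sh": "curl -H 'Authorization: Bearer tok_7Hq2mX9vLp4sWd8eRn1cYb' https://api.example.invalid/v1\n",
    "settings.example": 'SECRET_TOKEN = "replace-me-with-your-real-token"\n',
    "test_fixtures.py": 'API_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"\n',
}

# Rule 1: a credential-named variable assigned a quoted literal of 16+ token characters.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b[a-z0-9_]*(api[_-]?key|secret|token|password)[a-z0-9_]*\s*[:=]\s*['"]([A-Za-z0-9_\-./+=]{16,})['"]"""
)
# Rule 2: an HTTP bearer token literal.
BEARER_RE = re.compile(r"Bearer\s+([A-Za-z0-9_\-.=]{16,})")

# Words that mark a placeholder rather than a live credential (assumed list).
PLACEHOLDER_WORDS = ("replace", "example", "your", "changeme", "placeholder", "dummy", "sample")
MIN_ENTROPY_BITS = 3.0  # rejects repeated-character fillers such as "xxxx..."


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex sits near 4, random base64 near 6."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(candidate: str) -> bool:
    lowered = candidate.lower()
    return any(word in lowered for word in PLACEHOLDER_WORDS)


def scan_text(path: str, text: str) -> list:
    """Return findings for one file; the secret itself is never stored in full."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, regex, group in (("assignment", ASSIGNMENT_RE, 2), ("bearer", BEARER_RE, 1)):
            for match in regex.finditer(line):
                candidate = match.group(group)
                if looks_like_placeholder(candidate) or shannon_entropy(candidate) < MIN_ENTROPY_BITS:
                    continue
                findings.append({
                    "file": path, "line": lineno, "rule": rule,
                    "redacted": f"{candidate[:4]}...({len(candidate)} chars)",
                })
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> contents, as a pre-commit hook or CI job would."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for finding in scan_files(SAMPLE_FILES):
        print(finding)
```

On the constructed input only config.py (the hex key) and old_script.sh (the bearer token) are reported; the README mention, the environment-variable lookup, the "replace-me" placeholder and the all-x fixture are not. The entropy floor is deliberately low (3.0 bits) because ordinary English also scores high per character, so the placeholder word list, not entropy, is what suppresses human-readable dummies.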

3.3 Incident: Alleged database leak of PinkBlueIndia.com

  • Date Reported: 2025-04-29T12:14:39Z
  • Category: Data Leak
  • Network: openweb (darkforums.st)
  • Victim: PinkBlueIndia.com (India, Retail Industry, pinkblueindia.com)
  • Incident Summary: The threat actor “enolajames851” has posted on the dark web forum “darkforums.st,” claiming to possess the database of the Indian online retail site PinkBlueIndia.com. The actor implies intent to leak or sell this database. While the specific contents are not detailed in the summary, retail databases typically contain sensitive customer information, including Personally Identifiable Information (PII), order history, and potentially credentials or payment details.
  • Threat Actor Profile: enolajames851
  • Background & Motivation: No specific profile for “enolajames851” exists in the provided research materials. However, the action of advertising a stolen database on a dark web forum is characteristic of financially motivated cybercriminals [1]. Their objective is typically to monetize the compromised data by selling it to other criminals who can use it for fraud, identity theft, or spam campaigns. Alternatively, some actors leak data to gain notoriety within the underground community. Notably, this same actor is linked to another alleged data leak (Incident 3.5) reported on the same day, suggesting a pattern of ongoing data theft and monetization activity.
  • TTPs: The method used to acquire the PinkBlueIndia.com database is unknown. Common techniques include exploiting vulnerabilities in web applications such as SQL injection, compromising misconfigured servers or cloud storage instances, or utilizing stolen administrator credentials to access database backups or live systems. The actor chose the “darkforums.st” platform, a known venue for trading illicit data, to publicize their claim.
  • Targeting: The target in this instance is an e-commerce website operating in India. Retail businesses are frequent targets for data breaches due to the large volumes of customer data they collect and process, making them attractive to data thieves [1]. This incident, combined with the subsequent report involving the same actor targeting a Russian educational platform (Incident 3.5), suggests that “enolajames851” may be engaged in opportunistic attacks across different geographies and sectors, rather than focusing on a specific type of victim. This pattern indicates an actor likely scanning for and exploiting available vulnerabilities to acquire data for sale.
  • Supporting Evidence:
  • Published URL: https://darkforums.st/Thread-Database-Pinkblueindia-db
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a9f59a62-dac0-4a20-a5cc-7e72be9928c8.png

3.4 Incident: Alleged data Leak of U.S. Driving Licenses and Metadata

  • Date Reported: 2025-04-29T12:05:15Z
  • Category: Data Leak
  • Network: openweb (bhf.pro forum)
  • Victim: Unidentified citizens residing in Minnesota, USA. The specific organization or entity from which the data was compromised is not specified; possibilities include state government agencies (such as the DMV), third-party service providers handling citizen data, or data aggregated from multiple smaller breaches.
  • Incident Summary: A threat actor using the handle “CannibalCorpse” claims on the “bhf.pro” forum to have leaked a collection of driving license data belonging to Minnesota residents. The leaked data reportedly includes sensitive elements such as photographs, hologram images, and associated metadata.
  • Threat Actor Profile: CannibalCorpse
  • Background & Motivation: Specific intelligence regarding the threat actor “CannibalCorpse” is absent from the reviewed materials. The chosen moniker might suggest a desire for notoriety or shock value often seen with less sophisticated actors or certain types of hacktivists. However, the act of leaking highly sensitive PII like driver’s license details, especially including photos and security features, is commonly associated with financially motivated cybercriminals [1]. Such data is valuable on dark web markets for facilitating identity theft, financial fraud, and creating counterfeit documents. Hacktivism aiming to embarrass a government entity or cause disruption is another possibility [2], but financial gain appears plausible given the nature of the data.
  • TTPs: The origin of the leaked data and the method of acquisition are unclear from the available information. Potential sources include a direct breach of a government database (e.g., Department of Motor Vehicles), compromise of a third-party organization processing this data, or possibly aggregation from phishing campaigns or malware infections targeting individuals. The actor is utilizing the “bhf.pro” forum, another platform known for hosting discussions and sales related to cybercrime activities.
  • Targeting: The direct targets are individuals – citizens of Minnesota. The compromised data type, driver’s licenses, represents foundational PII critical for identity verification in numerous contexts. The leak of driver’s license data, particularly with visual elements like photos and holograms, presents a significant threat. This information can enable highly convincing identity theft schemes and the creation of sophisticated fraudulent documents, posing substantial risks to the affected individuals [4]. The lack of a clearly identified breached organization complicates attribution efforts and hinders remediation actions, highlighting the challenge of tracing data breaches when the initial point of compromise remains unknown.
  • Supporting Evidence:
  • Published URL: https://bhf.pro/threads/706577/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/5b6263e3-4de7-4c8f-8042-76eef00c113f.png

3.5 Incident: Allegedly leaked an Admission Navigator database

  • Date Reported: 2025-04-29T11:46:24Z
  • Category: Data Leak
  • Network: openweb (darkforums.st)
  • Victim: Admission Navigator (propostuplenie.ru) (Russia, Education)
  • Incident Summary: The threat actor “enolajames851,” previously noted in Incident 3.3, claims on “darkforums.st” to have obtained and leaked a database belonging to “propostuplenie.ru,” identified as an admission navigator service based in Russia. The compromised data allegedly includes User Identification Numbers, Email Addresses, hashed Passwords, User Names, Phone Numbers, User Roles, and Class Numbers.
  • Threat Actor Profile: enolajames851
  • Background & Motivation: As established in the analysis of Incident 3.3, “enolajames851” appears to be a financially motivated cybercriminal actively involved in acquiring and leaking/selling stolen databases [1]. This second alleged leak within the same 24-hour period reinforces the assessment of their ongoing operational activity.
  • TTPs: The method used to compromise the Admission Navigator database is unknown but likely involves common web application attack vectors (e.g., SQL injection), exploitation of server vulnerabilities, or the use of stolen administrative credentials. The actor consistently utilizes the “darkforums.st” platform for disseminating their claims and potentially distributing the data. The types of data reportedly leaked (emails, hashed passwords, phone numbers) are highly sought after for follow-on attacks, such as credential stuffing [1], phishing, and spam campaigns.
  • Targeting: The target is an educational service platform operating in Russia. Educational institutions, while perhaps not always perceived as high-value financial targets, often possess significant amounts of personal data about students (including minors) and staff, and may sometimes have less robust security postures compared to financial institutions, making them attractive targets for opportunistic attackers. This incident further supports the observation that “enolajames851” engages in opportunistic data theft across various sectors and geographies. The leaked data, especially the combination of emails and password hashes, poses a significant downstream risk; attackers frequently use such combinations in credential stuffing attacks against other online services, exploiting common user behavior of password reuse [17]. This highlights the cascading effect a single data breach can have across a user’s online footprint.
  • Supporting Evidence:
  • Published URL: https://darkforums.st/Thread-Database-ProPostuplenie-ru
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fa6c3644-a0f4-4a86-8f4e-8b3c22e2e81b.png
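
The credential-stuffing risk noted above, and the Mail:Pass lists traded in Incident 3.7 below, share one observable signature on the defending side: a single source failing logins against many different accounts in a short time, quite unlike a legitimate user mistyping one password. The following Python detector is an added example written for this report, not code from the report or from any product. It reads constructed authentication log lines (the IP addresses come from the RFC 5737 documentation ranges; usernames, timestamps and the simple log format are made up), raises one alert per source that fails for at least five distinct accounts within five minutes, and records any successful login from that source after the burst, since those are the accounts that need review and a forced credential reset.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication events: "<ISO timestamp> <source IP> <username> <FAIL|OK>".
# Addresses are from the RFC 5737 documentation ranges; users and timing are made up.
SAMPLE_AUTH_LOG = """\
2025-04-29T10:00:01Z 203.0.113.5 alice FAIL
2025-04-29T10:00:03Z 203.0.113.5 bob FAIL
2025-04-29T10:00:04Z 198.51.100.7 bob FAIL
2025-04-29T10:00:06Z 203.0.113.5 carol FAIL
2025-04-29T10:00:09Z 203.0.113.5 dave FAIL
2025-04-29T10:00:11Z 198.51.100.7 bob FAIL
2025-04-29T10:00:12Z 203.0.113.5 erin FAIL
2025-04-29T10:00:15Z 192.0.2.9 frank OK
2025-04-29T10:00:18Z 203.0.113.5 grace OK
2025-04-29T10:00:20Z 198.51.100.7 bob OK
"""

WINDOW = timedelta(minutes=5)        # look-back per source address
DISTINCT_USER_THRESHOLD = 5          # failed logins for this many different accounts


def parse_event(line: str):
    """Split one log line into (timestamp, source ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text: str, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD) -> list:
    """One alert per source IP that fails logins for >= threshold distinct users within the window.

    A user mistyping their own password (one account, a few failures) never trips it;
    a replayed Mail:Pass list (many accounts, one source) does. Successful logins from an
    alerted source after the burst are kept on the alert because those accounts need review.
    """
    recent_failures = defaultdict(deque)   # ip -> deque[(timestamp, username)]
    alerts = {}                            # ip -> alert record
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, ok = parse_event(line)
        if ok:
            if ip in alerts:
                alerts[ip]["successes_after_burst"].append(user)
            continue
        window_failures = recent_failures[ip]
        window_failures.append((ts, user))
        while ts - window_failures[0][0] > window:      # drop failures older than the window
            window_failures.popleft()
        distinct_users = {u for _, u in window_failures}
        if len(distinct_users) >= threshold and ip not in alerts:
            alerts[ip] = {
                "ip": ip,
                "first_failure": window_failures[0][0].isoformat(),
                "alert_at": ts.isoformat(),
                "distinct_failed_users": len(distinct_users),
                "successes_after_burst": [],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample, 203.0.113.5 is alerted at the fifth distinct failed account (10:00:12) and its later success for "grace" is attached to the alert; 198.51.100.7, which fails twice for the same user and then succeeds, produces nothing. The per-source counter is only one angle: a distributed campaign spreads attempts across many sources, so the same deque logic is worth running keyed on the target account as well (many sources, one account), and the threshold should be tuned to the service's real failure rate.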

3.6 Incident: GHOST’S OF GAZA targets the website of Senior Finance Controller

  • Date Reported: 2025-04-29T11:14:45Z
  • Category: Defacement
  • Network: telegram
  • Victim: Senior Finance Controller (associated with the Bangladesh Navy, based on the .gov.bd domain), Government Administration sector, Bangladesh. Website: sfcnavy.gov.bd.
  • Incident Summary: The hacktivist group identifying itself as “GHOST’S OF GAZA” has claimed responsibility via Telegram for defacing the official website of the Senior Finance Controller (Navy) of Bangladesh. A link to a mirror site allegedly archiving the defacement was also provided.
  • Threat Actor Profile: GHOST’S OF GAZA
  • Background & Motivation: Available intelligence suggests a connection between “GHOST’S OF GAZA” and the established pro-Palestinian hacktivist collective known as AnonGhost [16]. Hacktivist groups are typically driven by political, ideological, or social agendas, employing cyberattacks as a means of protest, disruption, or public messaging against entities they perceive as adversaries or symbols of opposing viewpoints [1]. Their activities often surge in response to real-world geopolitical events, such as the Israeli-Palestinian conflict [14]. Targeting a government website aligns well with common hacktivist objectives. While some groups with similar names (e.g., GhostSec) have evolved towards RaaS [14], AnonGhost and its affiliates like GHOST’S OF GAZA are primarily recognized for activities like Distributed Denial-of-Service (DDoS) attacks and website defacements [16].
  • TTPs: Website defacement, the tactic used here, typically involves exploiting vulnerabilities in the target website’s software, such as outdated Content Management Systems (CMS), vulnerable plugins, SQL injection flaws, or insecure file upload mechanisms. Once access is gained, the attackers replace or modify the website’s content with their own message. The use of Telegram as a platform for announcing claims and coordinating activities is a common practice among hacktivist groups and other threat actors due to its accessibility and features supporting anonymity.
  • Targeting: The specific target is a government financial entity within the Bangladesh Navy. The direct connection between this target and the group’s stated focus (Gaza/Palestine) is not immediately apparent. However, hacktivist targeting can sometimes extend beyond the primary conflict parties to include nations perceived as allies of their opponents, or attacks may be opportunistic, leveraging discovered vulnerabilities regardless of direct political relevance [15]. It’s also possible the group name is used broadly by actors with varying agendas. This incident serves as a clear example of typical hacktivist methodology – website defacement intended as a public statement – carried out by a group associated with a specific geopolitical conflict. It underscores that hacktivist campaigns are not always strictly confined to the immediate belligerents but can expand based on perceived political alignments, target availability, or the desire to amplify their message globally. The reliance on platforms like Telegram for disseminating claims remains a standard operational procedure for such groups.
  • Supporting Evidence:
  • Published URL: https://t.me/ghostsofGAZAofficial/57 (Claim/Announcement) & https://ownzyou.com/zone/261781 (Mirror – Corrected from ‘ttps’ in original data)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/99da8023-2c6d-4a8a-b814-650fe6cad1ac.png

3.7 Incident: Alleged sale of Binance and Coinbase User Credentials

  • Date Reported: 2025-04-29T10:47:34Z
  • Category: Data Leak (Credentials)
  • Network: openweb (bhf.pro forum)
  • Victim: Users of the global cryptocurrency exchanges Binance and Coinbase (Financial Services).
  • Incident Summary: An actor using the handle “labyrinth” is advertising on the “bhf.pro” forum what they describe as a “private crypto base.” This dataset allegedly contains email address and password combinations (Mail:Pass format) for users of cryptocurrency platforms, specifically claiming 1700 Binance accounts and 1300 Coinbase accounts.
  • Threat Actor Profile: labyrinth
  • Background & Motivation: The name “Labyrinth Chollima” is strongly associated in threat intelligence reporting with North Korean state-sponsored cyber operations, specifically the Lazarus Group (also tracked under numerous aliases including APT38, Hidden Cobra, Bluenoroff) [19]. This group represents a highly sophisticated and persistent threat, active since at least 2009 [19]. Their motivations are multifaceted, including generating revenue for the DPRK regime to bypass international sanctions, conducting espionage, carrying out disruptive attacks, and engaging in destructive cyber warfare [20]. Lazarus has been attributed to some of the most significant cyber incidents globally, including the 2014 Sony Pictures hack, the 2016 Bangladesh Bank heist, the 2017 WannaCry ransomware outbreak, and numerous large-scale thefts from cryptocurrency exchanges [20]. The Bluenoroff subgroup is specifically linked to their financially motivated campaigns, often targeting banks and crypto platforms [20].
  • TTPs: Lazarus/Labyrinth Chollima utilizes a broad and sophisticated arsenal of TTPs. These include advanced social engineering and spear-phishing campaigns, development and deployment of custom malware families, exploitation of zero-day vulnerabilities, intricate supply chain attacks, and direct targeting of financial infrastructure like the SWIFT network and cryptocurrency exchanges [2]. While the act of selling individual user credentials in Mail:Pass format on a public forum might seem less sophisticated than their major heists, it aligns perfectly with their known objective of stealing cryptocurrency [20]. This activity could represent the monetization of data gathered through broader campaigns, such as large-scale phishing operations or distribution of infostealer malware targeting cryptocurrency users.
  • Targeting: The explicit targets are users of two of the world’s largest cryptocurrency exchanges, Binance and Coinbase. This aligns directly with Lazarus/Labyrinth Chollima’s documented history of targeting the cryptocurrency sector for financial gain [20]. Even if this specific sale is conducted by a lower-level affiliate or involves data deemed less valuable than that obtained in major exchange breaches, the association of the name “labyrinth” with this activity is highly significant. It underscores the persistent threat that sophisticated state-sponsored actors pose not only to large financial institutions but also to individual users within the financial ecosystem, particularly in the cryptocurrency space. The potential link to Lazarus Group warrants heightened vigilance regarding credential security among cryptocurrency users.
  • Supporting Evidence:
  • Published URL: https://bhf.pro/threads/706573/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/323cc8fd-cdf1-491a-b499-bc2276bb761a.png

3.8 Incident: Alleged Data Leak of U.S. Bank

  • Date Reported: 2025-04-29T09:23:00Z
  • Category: Data Leak
  • Network: openweb (darkforums.st)
  • Victim: U.S. Bank (USA, Banking & Mortgage, usbank.com)
  • Incident Summary: A threat actor identified as “goldshark11” claims on the “darkforums.st” platform to have leaked a substantial database allegedly originating from U.S. Bank. The actor asserts the compromised data is exceptionally comprehensive, including sensitive PII (names, addresses, dates of birth, email addresses, Social Security Numbers, driver’s license numbers), financial details (income, employer info, bank names, account numbers, ABA codes), and other personal information like military status. The post also references a purported previous breach involving the same victim dated October 12, 2024.
  • Threat Actor Profile: goldshark11
  • Background & Motivation: Specific threat intelligence on “goldshark11” is not available in the reviewed sources. However, the nature of the claimed data—highly sensitive personal and financial information—combined with the use of a dark web forum (“darkforums.st”) for the announcement, strongly points towards a financially motivated cybercriminal operation [1]. The primary goal is almost certainly to profit by selling this extensive dataset to other malicious actors who can exploit it for identity theft, financial fraud, account takeovers, targeted phishing, and other illicit activities. The mention of a prior breach could be an attempt by the actor to lend credibility to their claim or suggest persistent targeting or access. General threat actor activities observed elsewhere, such as brute-forcing attacks and exploitation of critical flaws [6], represent potential methods such an actor might use, although no direct link is established.
  • TTPs: The method through which such a comprehensive dataset might have been acquired is unknown. Possibilities range from a direct breach of U.S. Bank’s internal systems, compromise of a key third-party vendor handling sensitive customer data, sophisticated malware campaigns targeting bank employees or customers, or large-scale phishing operations. The actor is utilizing a dark web forum known for trading stolen data to advertise the alleged leak.
  • Targeting: The target is a major financial institution in the United States. Banks and other financial services firms remain prime targets for cybercriminals due to the immense value of the financial and personal data they possess [1]. The alleged scope of this data leak, if accurate, is extremely alarming. The combination of PII (including SSNs and driver’s license numbers) with detailed financial information (account numbers, income, employer) provides nearly everything required for comprehensive identity theft and sophisticated financial fraud schemes [4]. Such a breach would represent a major security incident with potentially devastating and long-lasting consequences for the affected customers. The reference to a previous breach, while unverified in this context, raises concerns about potential persistent vulnerabilities or sustained adversarial focus on the institution.
  • Supporting Evidence:
  • Published URL: https://darkforums.st/Thread-USA-BANK-2025-DB
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/edde969f-6ff2-4354-8982-284a1f9b51f5.png

3.9 Incident: David Mills, CPA, LLC falls victim to Lynx Ransomware

  • Date Reported: 2025-04-29T08:56:38Z
  • Category: Ransomware
  • Network: tor (Lynx ransomware leak site)
  • Victim: David Mills, CPA, LLC (USA, Accounting, dmillscpa.com)
  • Incident Summary: The Lynx ransomware group has listed David Mills, CPA, LLC, a US-based accounting firm, on its dedicated leak site hosted on the TOR network. The group claims to have successfully breached the firm, exfiltrated sensitive data—including earning reports, payment details, slips, and account details—and encrypted the victim’s files. This represents a typical double extortion attack.
  • Threat Actor Profile: LYNX
  • Background & Motivation: Lynx emerged as a Ransomware-as-a-Service (RaaS) operation in mid-2024 and is widely believed to be a successor or rebrand of the INC ransomware group [7]. Operating primarily for financial gain, Lynx employs a double extortion strategy: encrypting victim data to disrupt operations and exfiltrating sensitive information, threatening public release or sale if the ransom is not paid [7]. As a RaaS provider, Lynx supplies affiliates with the necessary malware and infrastructure, significantly lowering the technical barrier for conducting ransomware attacks and thus increasing the threat’s reach [8]. While the group has made public statements claiming to avoid certain sectors like healthcare and non-profits [7], their actual targeting history includes critical infrastructure (e.g., energy providers in Romania [7]), legal firms [7], and now accounting firms, indicating a broad appetite for victims holding valuable data.
  • TTPs: Being a RaaS operation, the initial access vector can vary depending on the affiliate conducting the attack, but phishing is a commonly reported method [24]. Once inside a network, the Lynx ransomware payload utilizes robust encryption algorithms (Curve25519 for key exchange, AES-128 for file encryption) [8]. It primarily targets Microsoft Windows systems but also possesses variants for Linux and VMware ESXi environments, broadening its potential impact [8]. Key functionalities include attempts at privilege escalation to gain higher system access [23], termination of security software and critical processes (especially backup and database services) to hinder defenses and recovery [7], clearing Windows event logs to cover tracks [8], and leveraging Windows APIs like Restart Manager (to unlock files) and I/O Completion Ports (for efficient encryption) [7]. Encrypted files are typically appended with the .LYNX extension [24]. The extortion phase relies on TOR-based leak sites where victim data is threatened or partially published [7].
  • Targeting: Lynx ransomware attacks have been observed targeting small to medium-sized businesses (SMBs) as well as larger enterprises across a variety of sectors, including finance, architecture, manufacturing, energy, retail, and legal services.7 Their operations have primarily impacted organizations in North America and Europe.7 This attack on a US-based accounting firm fits squarely within their established targeting pattern, as CPA firms typically hold highly sensitive financial data pertaining to their clients, making them attractive targets for extortion. This incident confirms Lynx’s ongoing operations and its focus on organizations possessing valuable financial information. The use of a dedicated leak site and the double extortion tactic are standard operating procedures for organized RaaS groups like Lynx.8 The RaaS model itself implies that numerous independent affiliates could be leveraging Lynx tooling, broadening the overall threat posed by this operation.
  • Supporting Evidence:
  • Published URL: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/680fb93fd5daa03fd3c82485 (TOR Link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/d01f9c59-a712-4de7-90e3-a2d5f890d165.png
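
The pre-encryption behaviours in the Lynx profile above (backup and database services stopped, event logs cleared, files renamed with .LYNX) can be turned into a simple per-host triage rule. The block below is an added example written for this report; it is not Lynx code and not any vendor's detection content. It uses the standard Windows event IDs (System 7036 service state change, Security 1102 audit log cleared, Security 4663 object access); the sample records, service-name hints, weights and threshold are assumptions for illustration.

```python
"""Triage Windows event records for the pre-encryption behaviours in the Lynx profile.

Added example for this report; it is not Lynx code and not any vendor's detection
content. It scores, per host, three signals the profile describes: backup or
database services being stopped, the Security event log being cleared, and files
appearing with the .LYNX extension. Event IDs are the standard Windows ones
(System 7036 service state change, Security 1102 audit log cleared, Security 4663
object access). The records, service-name hints, weights and threshold are
assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Backup and database services named in the profile; matched as lowercase substrings.
BACKUP_DB_SERVICE_HINTS = ("veeam", "backup", "sql", "postgres", "oracle", "vss")

# Illustrative weights: a .LYNX rename alone is enough to alert; a single service
# stop is not, because administrators stop these services legitimately.
WEIGHTS = {"service_stop": 2, "log_cleared": 3, "lynx_extension": 5}
ALERT_THRESHOLD = 5


def classify(record: dict) -> Optional[str]:
    """Name the signal a record carries, or None if it is not one we score."""
    eid = record.get("event_id")
    if eid == 7036 and record.get("state", "").lower() == "stopped":
        service = record.get("service", "").lower()
        if any(hint in service for hint in BACKUP_DB_SERVICE_HINTS):
            return "service_stop"
    elif eid == 1102:
        return "log_cleared"
    elif eid == 4663 and record.get("object", "").lower().endswith(".lynx"):
        return "lynx_extension"
    return None


def score_hosts(records: Iterable[dict]) -> Dict[str, dict]:
    """Aggregate signals per host; flag a host once its score reaches ALERT_THRESHOLD."""
    hosts: Dict[str, dict] = defaultdict(lambda: {"score": 0, "signals": []})
    for rec in records:
        signal = classify(rec)
        if signal is None:
            continue
        entry = hosts[rec["host"]]
        entry["score"] += WEIGHTS[signal]
        entry["signals"].append(signal)
    for entry in hosts.values():
        entry["flagged"] = entry["score"] >= ALERT_THRESHOLD
    return dict(hosts)


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS: List[dict] = [
    {"host": "FS01", "event_id": 7036, "service": "MSSQLSERVER", "state": "stopped"},
    {"host": "FS01", "event_id": 7036, "service": "Veeam Backup Service", "state": "stopped"},
    {"host": "FS01", "event_id": 1102},
    {"host": "FS01", "event_id": 4663, "object": r"C:\Shares\Finance\Q1-ledger.xlsx.LYNX"},
    {"host": "WS22", "event_id": 7036, "service": "Print Spooler", "state": "stopped"},
    {"host": "WS22", "event_id": 4663, "object": r"C:\Users\jdoe\notes.txt"},
    {"host": "WS22", "event_id": 7036, "service": "SQLWriter", "state": "stopped"},
]

if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_RECORDS).items():
        print(host, info)
```

On the constructed records, FS01 accumulates two service stops, a log clear and a .LYNX rename and is flagged; WS22 only has one stopped SQL-related service and is not, which is the intended behaviour for routine maintenance. In production the same logic belongs in the SIEM with a short time window around each host's events, and the service-name list should be replaced by the names actually used in the estate.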

3.10 Incident: Alleged sale of WordPress access to an unidentified Magento-based store

  • Date Reported: 2025-04-29T05:43:57Z
  • Category: Initial Access
  • Network: openweb (xss.is forum)
  • Victim: An unidentified e-commerce store. The store reportedly uses the Magento platform for its core operations, while the access being sold is for its associated WordPress installation (potentially used for a blog, content marketing, or parts of the frontend). The victim’s country and specific industry are unknown.
  • Incident Summary: A threat actor using the handle “get_com” is offering administrative access to a WordPress website on the xss.is forum. The advertisement specifies that the WordPress site is associated with an e-commerce store built on the Magento platform.
  • Threat Actor Profile: get_com
  • Background & Motivation: No specific details about the threat actor “get_com” are available in the reviewed materials. Their activity fits the profile of an Initial Access Broker (IAB), like “LongNight” and “nightcity” discussed earlier: a financially motivated criminal 1 who compromises websites and systems in order to sell the access to other criminals. E-commerce platforms are frequent IAB targets because the buyer can use the access for payment card skimming, theft of customer databases, or other fraud. Direct engagement with such actors carries risk and is generally discouraged; where contact is attempted at all it is normally handled by specialised negotiators with the aim of learning about the breach, and paying for the access should be avoided.25
  • TTPs: The method used to compromise the WordPress site is unknown. Common WordPress compromise paths include vulnerable or outdated plugins and themes, weak administrator passwords that fall to password guessing (against wp-login.php or the XML-RPC interface, which allows many guesses per request), and phishing of site administrators. The mention of Magento matters: if the WordPress instance shares a host, database credentials, file system, or administrator accounts with the Magento deployment, access to the content site can become a pathway into the more critical store backend, including transaction data and customer accounts. The actor is selling on the xss.is forum, a common marketplace for such access.
  • Targeting: The target is an e-commerce store, a perennially popular target category for cybercriminals due to the potential for direct financial gain and access to valuable customer data. This incident highlights the security risks associated with using common web platforms like WordPress, especially when they are integrated with sensitive backend systems like Magento. Vulnerabilities in one component (e.g., a WordPress plugin) can potentially expose the entire e-commerce operation. IABs play a crucial role in the cybercrime ecosystem by identifying and selling these initial footholds, enabling other actors to launch more damaging attacks. The interconnectedness of web components (WordPress frontend, Magento backend) can amplify the potential impact of a compromise originating in what might seem like a less critical part of the infrastructure.
  • Supporting Evidence:
  • Published URL: https://xss.is/threads/136858/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/cde963bf-8554-4154-a5b8-4e316c8b42e0.png
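
Password guessing against a WordPress login, the compromise path named in the TTPs above, leaves an obvious trace in the web server's access log. The block below is an added example written for this report, not code from the forum post or from WordPress: it counts POST requests to wp-login.php and xmlrpc.php per source address inside a sliding time window and reports addresses that exceed a threshold. The log lines are constructed in the Apache/nginx combined format and the thresholds are assumptions.

```python
"""Flag password guessing against WordPress login endpoints from access logs.

Added example for this report, not code from the forum post or from WordPress.
Counts POSTs to wp-login.php and xmlrpc.php per source IP inside a sliding
window and reports any IP exceeding MAX_ATTEMPTS within WINDOW_SECONDS. Log
lines are constructed in the Apache/nginx combined format; thresholds are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # xmlrpc allows batched guesses
MAX_ATTEMPTS = 5
WINDOW_SECONDS = 60


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string before matching
        "status": int(m["status"]),
    }


def detect_bruteforce(lines: List[str]) -> Dict[str, dict]:
    """Return {ip: {"attempts": peak in-window count, "first": ts, "last": ts}}.

    Lines are assumed to be in chronological order, as they are in a log file.
    """
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    hits: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()                       # expire attempts outside the window
        if len(q) > MAX_ATTEMPTS:
            hit = hits.setdefault(rec["ip"], {"attempts": 0, "first": q[0], "last": rec["ts"]})
            hit["attempts"] = max(hit["attempts"], len(q))
            hit["last"] = rec["ts"]
    return hits


# Constructed sample: eight guesses in 35 seconds from one address, one stray
# guess two minutes later (outside the window), and normal traffic from another.
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/Apr/2025:05:40:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412'
    for s in range(0, 40, 5)
] + [
    '203.0.113.7 - - [29/Apr/2025:05:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.4 - - [29/Apr/2025:05:42:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3412',
    '198.51.100.4 - - [29/Apr/2025:05:42:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0',
    '198.51.100.4 - - [29/Apr/2025:05:42:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 8123',
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single legitimate login (one POST followed by a 302 to wp-admin) never reaches the threshold, while the guessing address is reported with the peak number of in-window attempts. Two caveats: the status code is parsed but deliberately not used, because WordPress returns 200 for a failed login and 302 for a successful one, so a burst ending in a 302 is the case most worth escalating; and a distributed attack from many addresses needs a per-username view as well, which requires application-level logging rather than the access log alone.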

3.11 Incident: SJ ERP falls victim to Nova Ransomware

  • Date Reported: 2025-04-29T04:37:49Z
  • Category: Ransomware
  • Network: tor (Nova/RALord leak site)
  • Victim: SJ ERP (Dominican Republic, Information Technology (IT) Services, sj.com.do)
  • Incident Summary: The Nova ransomware group has claimed responsibility for an attack against SJ ERP, an IT services company based in the Dominican Republic that appears to provide Enterprise Resource Planning (ERP) solutions. Posted on their TOR leak site, the group alleges they exfiltrated 7GB of “critical business data” and encrypted a significant volume (70-80GB) of the company’s software assets. This includes SJERP management systems, source code, and DLL setups. The group has threatened to publish the exfiltrated data within 5-6 days if their demands are not met.
  • Threat Actor Profile: Nova
  • Background & Motivation: Nova is identified in recent reporting as a Ransomware-as-a-Service (RaaS) platform, closely associated with, or potentially the parent operation for, the RALord ransomware variant.9 This operation appears to have become active around March 2025.10 Like most RaaS groups, Nova is financially motivated, employing double extortion tactics. They operate an affiliate-based model, reportedly offering affiliates a favorable 85% share of ransom payments, incentivizing participation.10 While the group has publicly stated an intention to avoid targeting schools and non-profits 9, their documented victimology spans various industries, including IT services, healthcare, education, construction, and agriculture.10 Some research also associates the name “Nova” with an information-stealing malware (a fork of SnakeLogger) targeting Russian entities 26; it is currently unclear if this represents the same group, a separate group using the same name, or perhaps an additional tool used by the ransomware operators or their affiliates. The primary ransomware payload associated with this group is reportedly written in the Rust programming language.9
  • TTPs: As a RaaS operation, the initial intrusion method varies by affiliate but reportedly includes exploitation of known vulnerabilities (CVEs), network penetration and phishing campaigns.10 Consistent with double extortion, data is exfiltrated before encryption begins.10 Encrypted files are appended with the .ralord extension 9; the .nova extension has also been reported for the same operation.10 The group maintains a TOR-based leak site where it publishes victim details, often with commentary on the perceived security weaknesses of the victim organisation.9 The payload is written in Rust, which gives the operators portable, fast code that is also harder for many analysis tools to handle than older C/C++ ransomware families.9 The group actively recruits affiliates with skills in Rust or Python programming, CVE exploitation and network penetration.10
  • Targeting: This incident targets an IT service provider, specifically an ERP vendor, located in the Dominican Republic. Compromising such a vendor is particularly concerning due to the potential for supply chain attacks; access to ERP source code or internal systems could potentially enable the threat actors to compromise the vendor’s customers who use the ERP software.10 This targeting aligns with the diverse industry focus attributed to the Nova/RALord group.10 This attack highlights the ongoing threat posed by the Nova/RALord RaaS operation, demonstrating their capability to compromise organizations and leverage double extortion, with specific threats directed at valuable intellectual property like source code and software assets. The potential ambiguity surrounding the “Nova” name warrants careful monitoring and attribution efforts by threat intelligence analysts.
  • Supporting Evidence:
  • Published URL: http://novavdivko2zvtrvtllnq45lxhba2rfzp76qigb4nrliklem5au7czqd.onion/SJERP/ (TOR Link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/46ff4b04-9e84-46f2-8beb-bb51ab4ce421.png

3.12 Incident: Golden Falcon claims to be targeting the USA and Israel

  • Date Reported: 2025-04-29T03:27:54Z
  • Category: Alert / Hacktivism / Potential Espionage
  • Network: telegram
  • Victim: Broad claim targeting organizations or entities within the United States and Israel.
  • Incident Summary: A Telegram channel associated with the group “Golden Falcon” posted a message indicating that the group is actively targeting the USA and Israel. No specific victims or actions were detailed in this alert.
  • Threat Actor Profile: Golden Falcon
  • Background & Motivation: Threat intelligence sources identify “Golden Falcon” as an alias for DustSquad (also known as APT-C-34 or Nomadic Octopus).28 This group is described as Russian-speaking and has been active since at least 2014, with a historical focus primarily on cyber espionage operations.29 Their traditional targets have been concentrated in Central Asia, including government officials, diplomatic entities, private individuals, and dissidents in countries like Kazakhstan and Afghanistan.29 They have also been observed targeting foreign nationals (e.g., Chinese diplomats and students) within Kazakhstan.30 Their primary motivation appears to be information theft and espionage, potentially operating under state sponsorship (suspicions point towards Russia or Kazakhstan, or potentially a mercenary group acting for the Kazakh government).28
  • TTPs: Golden Falcon/DustSquad has demonstrated capabilities beyond basic malware deployment. The group is known to use custom-developed malware for both Windows and Android (e.g., Octopus, Paperbug).29 More significantly, it has been linked to commercial surveillance tooling, including a version of HackingTeam’s Remote Control System (RCS) reportedly acquired after that company’s source code leak, and has shown interest in acquiring NSO Group’s Pegasus spyware.30 Reporting also describes the purchase of specialised radio-interception hardware from a Moscow-based defence contractor.30 The use of Telegram for public communication is confirmed by this incident’s source. Note that the group’s name has no connection to Kerberos “Golden Ticket” attacks 31; no such technique is attributed to Golden Falcon in the reviewed sources, although domain-level persistence of that kind is within the reach of a well-resourced espionage actor that has compromised a domain controller.
  • Targeting: The group’s established operational history is heavily focused on Central Asia.29 Therefore, this public declaration of intent to target the USA and Israel marks a significant departure from their known targeting patterns. This shift could potentially signal several things: a change in strategic direction or tasking (if state-sponsored), an attempt to align opportunistically with broader geopolitical tensions and anti-US/Israel sentiment prevalent among some hacktivist groups, a disinformation tactic, or perhaps even misattribution where another entity is using the Golden Falcon name. Given the group’s suspected espionage background and demonstrated use of advanced tools and techniques 30, any claim of targeting US or Israeli interests, even if currently vague, warrants serious attention and monitoring by the intelligence community. The discrepancy between their historical focus and this current claim is a key point of analysis.
  • Supporting Evidence:
  • Published URL: https://t.me/Golden_falcon_team/340
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2c2e86ac-4867-43c0-a6c8-7dda5f336b03.png

3.13 Incident: Alleged data leak of Nepal Tuberculosis Patient Registry Portal

  • Date Reported: 2025-04-29T01:54:32Z
  • Category: Data Breach (Highly Sensitive Health Data)
  • Network: openweb (darkforums.st)
  • Victim: Nepal Tuberculosis Patient Registry Portal (etbregister.ntpmis.gov.np), operated under the Government Administration / Healthcare sector in Nepal.
  • Incident Summary: A threat actor using the handle “kazu” has posted on darkforums.st, a clearnet forum used to trade stolen data, claiming to have breached the Nepal Tuberculosis Patient Registry Portal. The actor is offering for sale a database allegedly containing over 159,000 patient records. The claimed data is extremely sensitive Protected Health Information (PHI), reportedly including patient names, caste classifications, gender, age, contact numbers, details of health facilities visited, specific tuberculosis type, drug resistance status, HIV status, treatment regimens, smoking history, and other sensitive medical details.
  • Threat Actor Profile: kazu
  • Background & Motivation: There is no specific information available on the threat actor “kazu” in the reviewed materials.3 However, the act of stealing and attempting to sell a large volume of highly sensitive medical data on a dark web forum strongly indicates a financial motivation.1 PHI, especially detailed clinical information, is considered highly valuable on underground markets. It can be exploited for various illicit purposes, including targeted extortion of individuals, identity theft, insurance fraud, or potentially sold to foreign intelligence services interested in population health data, although direct financial gain through sale to other criminals is the most probable motive in this context.
  • TTPs: The specific method used to breach the Nepal Tuberculosis Patient Registry Portal is unknown. Potential attack vectors could include exploiting vulnerabilities in the web application software powering the portal 17, successful SQL injection attacks targeting the underlying database, compromising the credentials of authorized personnel (e.g., healthcare workers, administrators) through phishing or malware, or exploiting misconfigurations in the server infrastructure. The actor is leveraging the “darkforums.st” platform, a known marketplace for illicit data, to advertise the stolen database.
  • Targeting: The target is a critical public health database managed by the government of Nepal. This database contains extremely sensitive and personal health information related to tuberculosis patients, including co-infection status like HIV. Breaches involving PHI are particularly severe due to the potential for significant harm to the individuals affected, including social stigma, discrimination, and emotional distress, in addition to financial risks. This incident represents a major data breach with potentially devastating privacy implications for over 159,000 individuals in Nepal. The willingness of financially motivated actors to target such vulnerable datasets underscores the critical importance of implementing robust cybersecurity measures for government and healthcare IT systems worldwide, especially those handling sensitive patient information. The scale of the breach makes it a significant national-level security event for Nepal.
  • Supporting Evidence:
  • Published URL: https://darkforums.st/Thread-Selling-Nepal-Health-System-Breach-%E2%80%94-159-000-Patients-Records-etbregister-ntpmis-gov-np
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/7a8bdcbf-1df0-447f-aa6a-7bf63b100de7.png
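
SQL injection, one of the vectors the TTPs above list for a registry portal of this kind, is easiest to understand with the vulnerable query next to its fix. The block below is an added example written for this report; it is not code from the Nepal portal or from the actor. It builds an in-memory SQLite table of synthetic rows (no real patient data; the column names are invented) and runs the same inputs through a string-built query and a parameterized one.

```python
"""SQL injection in a registry lookup: string-built query beside the parameterized fix.

Added example for this report; it is not code from the Nepal portal or from the
actor. Builds an in-memory SQLite table of synthetic rows (no real patient data;
column names are invented) and shows, on the same inputs, how a concatenated
query can be turned into a full-table dump and a schema read, while the
parameterized version treats the input as a literal string.
"""
import sqlite3
from typing import List, Tuple

SYNTHETIC_ROWS = [
    ("P-0001", "Facility A", "DS-TB", "negative"),
    ("P-0002", "Facility A", "MDR-TB", "positive"),
    ("P-0003", "Facility B", "DS-TB", "negative"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registry (patient_id TEXT, facility TEXT, tb_type TEXT, hiv_status TEXT)"
    )
    conn.executemany("INSERT INTO registry VALUES (?, ?, ?, ?)", SYNTHETIC_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, facility: str) -> List[Tuple]:
    # Input is spliced into the statement text, so quotes and keywords in it
    # become part of the SQL grammar.
    sql = (
        "SELECT patient_id, tb_type, hiv_status FROM registry "
        f"WHERE facility = '{facility}'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, facility: str) -> List[Tuple]:
    # The value is bound separately from the statement; it cannot alter its structure.
    sql = "SELECT patient_id, tb_type, hiv_status FROM registry WHERE facility = ?"
    return conn.execute(sql, (facility,)).fetchall()


# Two classic payloads. The first widens the WHERE clause to every row; the
# second appends a UNION that reads table definitions from sqlite_master and
# comments out the trailing quote the application adds.
DUMP_ALL = "Facility B' OR '1'='1"
READ_SCHEMA = "x' UNION SELECT name, sql, '' FROM sqlite_master--"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, honest input :", lookup_vulnerable(conn, "Facility B"))
    print("vulnerable, DUMP_ALL     :", lookup_vulnerable(conn, DUMP_ALL))
    print("vulnerable, READ_SCHEMA  :", lookup_vulnerable(conn, READ_SCHEMA))
    print("parameterized, DUMP_ALL  :", lookup_parameterized(conn, DUMP_ALL))
```

The honest input returns one row from both functions; the DUMP_ALL payload returns every row from the vulnerable function and nothing from the parameterized one, and READ_SCHEMA returns the CREATE TABLE statement, which is how an attacker learns column names such as the HIV status field before dumping it. Parameter binding fixes the value-injection case completely, but it does not cover identifiers (table or column names supplied by the user need an allowlist), and the database account used by the portal should still be limited to the rows and statements the application actually needs so that a residual bug yields less.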

4. Concluding Observations

  • Summary of Landscape: The cybersecurity threat landscape observed over the past 24 hours was characterized by a high volume of financially motivated criminal activity, particularly data theft for sale on underground markets and the brokerage of initial network access. Ransomware groups leveraging scalable RaaS models continue to pose a significant threat to organizations across various sectors. Concurrently, politically motivated activities, including hacktivist defacements and potentially state-linked espionage group signaling, demonstrate the diverse range of threats organizations face.
  • Prevalent Tactics: Credential compromise emerged as a central theme, manifesting as stolen account credentials, compromised API keys, and the sale of administrative access. This highlights the critical role of identity and access management security. Exploitation of vulnerabilities in web applications remains a common vector for defacements and likely contributed to some of the data breaches. Threat actors consistently utilized specific dark web forums (darkforums.st, xss.is, bhf.pro) and communication platforms (Telegram, TOR leak sites) to advertise illicit goods, communicate, and exert pressure on victims.
  • Targeting: The scope of targeting was broad, affecting individuals through PII and health data leaks, specific industry verticals (Finance, Retail, IT Services, Accounting, AI, Healthcare), and government entities. Victims were located across multiple continents (North America, Asia, Europe, Latin America), illustrating the global nature of cyber threats and the opportunistic approach of many actors who exploit vulnerabilities wherever they are found.
  • Emerging Concerns: The targeting of infrastructure related to Artificial Intelligence (Together AI API keys) and core enterprise systems (Fortinet FortiAuthenticator, SJ ERP software) suggests threat actors are adapting their focus to newly valuable or impactful targets. The potential shift in targeting declared by the historically Central Asia-focused espionage group Golden Falcon towards the US and Israel, if genuine, represents a concerning development that requires close monitoring. The breach of highly sensitive public health data in Nepal underscores the ongoing risk to critical, yet potentially under-resourced, systems holding vulnerable population data.

Works cited

  1. What Is A Cyber Threat Actor? Types Of Threat Actors – Cyble, accessed April 29, 2025, https://cyble.com/knowledge-hub/cyber-threat-actor-and-types/
  2. Cybersecurity Threat Actors – Digital Hands, accessed April 29, 2025, https://www.digitalhands.com/resources/guides/cybersecurity-threat-actors
  3. What is a Cyber Threat Actor? | CrowdStrike, accessed April 29, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
  4. Threat actors – SpyCloud, accessed April 29, 2025, https://spycloud.com/glossary/threat-actors/
  5. Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA, accessed April 29, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a
  6. Over 4,000 ISP IPs Targeted in Brute-Force Attacks to Deploy Info Stealers and Cryptominers – The Hacker News, accessed April 29, 2025, https://thehackernews.com/2025/03/over-4000-isp-networks-targeted-in.html
  7. Defending Against Lynx Ransomware (Strategies for 2025) – CybelAngel, accessed April 29, 2025, https://cybelangel.com/lynx-ransomware-double-extortion/
  8. Lynx Ransomware Group: Tactics, Targets, And Defense Strategies – Cyble, accessed April 29, 2025, https://cyble.com/threat-actor-profiles/lynx-ransomware/
  9. Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now – SonicWall, accessed April 29, 2025, https://www.sonicwall.com/blog/nova-raas-the-ransomware-that-spares-schools-and-nonprofits-for-now
  10. RALord Ransomware Group: Threat Profile & Attack Tactics – Cyble, accessed April 29, 2025, https://cyble.com/threat-actor-profiles/ralord-ransomware-group/
  11. What Is a Threat Actor? – Definition, Types & More | Proofpoint US, accessed April 29, 2025, https://www.proofpoint.com/us/threat-reference/threat-actor
  12. What are the Types of Cyber Threat Actors? – Sophos, accessed April 29, 2025, https://www.sophos.com/en-us/cybersecurity-explained/threat-actors
  13. What is a Threat Actor? | IBM, accessed April 29, 2025, https://www.ibm.com/think/topics/threat-actor
  14. Cyber Security Reports, accessed April 29, 2025, https://www.security.ntt/reports/Cyber-Security-Reports-10_v001.pdf
  15. Gaza-Linked Cyber Threat Actor Targets Israeli Energy and Defense Sectors, accessed April 29, 2025, https://thehackernews.com/2023/10/gaza-linked-cyber-threat-actor-targets.html
  16. Ghost Jackal – crowdstrike.com, accessed April 29, 2025, https://www.crowdstrike.com/adversaries/ghost-jackal/
  17. Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA, accessed April 29, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
  18. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed April 29, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
  19. Labyrinth Chollima – crowdstrike.com, accessed April 29, 2025, https://www.crowdstrike.com/adversaries/labyrinth-chollima/
  20. Threat actor profile: Lazarus | Hunt & Hackett, accessed April 29, 2025, https://www.huntandhackett.com/members/actors/apt38
  21. Lazarus Group, Hidden Cobra, Labyrinth Chollima – Threat Group Cards: A Threat Actor Encyclopedia, accessed April 29, 2025, https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Lazarus%20Group%2C%20Hidden%20Cobra%2C%20Labyrinth%20Chollima
  22. Researchers warn of critical flaw found in Erlang OTP SSH | Cybersecurity Dive, accessed April 29, 2025, https://www.cybersecuritydive.com/news/researchers-warn-of-critical-flaw-found-in-erlang-otp-ssh/745900/
  23. Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself – Picus Security, accessed April 29, 2025, https://www.picussecurity.com/resource/blog/lynx-ransomware
  24. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 29, 2025, https://www.darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  25. The Value of Engaging a Threat Actor: Leveraging Strategic Communications for Ransomware Response | GuidePoint Security, accessed April 29, 2025, https://www.guidepointsecurity.com/blog/the-value-of-engaging-a-threat-actor-leveraging-strategic-communications-for-ransomware-response/
  26. Emerging cyber threats in Russia: Nova malware’s impact and the escalating cyber landscape | Digital Watch Observatory, accessed April 29, 2025, https://dig.watch/updates/emerging-cyber-threats-in-russia-nova-malwares-impact-and-the-escalating-cyber-landscape
  27. Russian cyber research companies post alerts about infostealer, industrial threats, accessed April 29, 2025, https://therecord.media/russia-cybersecurity-research-bizone-nova-infostealer
  28. Golden Falcon | CFR Interactives, accessed April 29, 2025, https://www.cfr.org/cyber-operations/golden-falcon
  29. DustSquad, Golden Falcon – Threat Group Cards: A Threat Actor Encyclopedia, accessed April 29, 2025, https://apt.etda.or.th/cgi-bin/showcard.cgi?g=DustSquad%2C%20Golden%20Falcon
  30. Extensive hacking operation discovered in Kazakhstan – ZDNET, accessed April 29, 2025, https://www.zdnet.com/article/extensive-hacking-operation-discovered-in-kazakhstan/
  31. What is a Golden Ticket Attack? – CrowdStrike, accessed April 29, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/golden-ticket-attack/
  32. Know Your Enemy: Types of cybersecurity threat actors – Prey, accessed April 29, 2025, https://preyproject.com/blog/cybersecurity-threat-actors
  33. Breaking Cyber News From Cyberint, accessed April 29, 2025, https://cyberint.com/news-feed/