1. Daily Cybersecurity Threat Briefing: May 11, 2025
- 1.1. Executive Summary
This report details significant cybersecurity incidents and threat actor activities observed over the past 24 hours, based on available intelligence. The threat landscape continues to be characterized by a diverse range of malicious activities, from the sale of unauthorized access to sensitive systems and large-scale data breaches to politically motivated website defacements and concerning alerts regarding critical infrastructure. Targeted industries span healthcare, political organizations, telecommunications, luxury goods, law enforcement, information technology, and government sectors across multiple geographic regions.
A prominent feature of the current environment is the persistent operation of financially motivated cybercriminals, evidenced by multiple offerings of compromised data and access credentials on underground forums. Concurrently, hacktivist groups remain active, leveraging cyber operations to broadcast political messages or protest perceived grievances, often targeting government and politically affiliated entities. The challenge of definitively attributing activities to specific actors persists, particularly when individuals or groups operate under monikers specific to certain online platforms without extensive, publicly corroborated profiles. The incidents documented herein collectively illustrate a complex and dynamic threat environment. This environment demands robust and adaptable security postures from organizations, as threat actors exploit a wide array of digital vulnerabilities to achieve varied objectives, ranging from direct financial extortion to broader geopolitical signaling. The coexistence of sophisticated attacks targeting critical systems with more opportunistic or ideologically driven campaigns underscores the multifaceted nature of contemporary cyber threats.
- 1.2. Table: Summary of Reported Incidents (May 11, 2025)
The following table provides a consolidated overview of the incidents analyzed in this report, enabling rapid identification of events pertinent to specific interests or organizational relevance. This summary serves as an immediate reference to the scope of cyber activities reported within the last 24 hours.
| Internal Incident ID | Incident Title | Threat Actor(s) | Category | Victim Organization | Victim Country | Victim Industry |
|---|---|---|---|---|---|---|
| DCR-20250511-001 | Alleged sale of unauthorized access to a U.S. Private Clinic’s ERM System | jaba1234 | Initial Access | Private Clinic (Unidentified) | USA | Hospital & Health Care |
| DCR-20250511-002 | HexaForce Alliance targets the website of Pakistan Muslim League (N) | HexaForce Alliance | Defacement | Pakistan Muslim League (N) | Pakistan | Political Organization |
| DCR-20250511-003 | Arabian Ghosts targets the ICS functional tower operated by West Texas Rural Telephone Cooperative (WTRT) | Arabian Ghosts | Alert | West Texas Rural Telephone Cooperative (WTRT) | USA | Network & Telecommunications |
| DCR-20250511-004 | Alleged database leak of A. Sirkar & Co. Jewellers | LulzSec Black | Data Breach | A. Sirkar & Co. Jewellers | India | Luxury Goods & Jewelry |
| DCR-20250511-005 | Alleged data sale of Frisco Police Department | Shinchan | Data Breach | Frisco Police Department | USA | Law Enforcement |
| DCR-20250511-006 | Alleged data breach of Dooble Digital Solutions | EL_FEDAYEEN | Data Breach | Dooble Digital Solutions | Israel | Information Technology (IT) Services |
| DCR-20250511-007 | Alleged leak of admin access to AryaGO | Black Ember | Initial Access | AryaGO | India | Transportation & Logistics |
| DCR-20250511-008 | Alleged sale of Win Stealer | D0gger | Malware | Not Applicable | Not Applicable | Not Applicable |
| DCR-20250511-009 | GHOST’S OF GAZA targets the website of Directorate of Power and Energy Audit (PEAD) | GHOST’S OF GAZA | Defacement | Directorate of Power and Energy Audit (PEAD) | Bangladesh | Government & Public Sector |
| DCR-20250511-010 | Alleged sale of admin access to an unidentified organization in Spain | Reve | Initial Access | Unidentified Organization | Spain | Not Specified |
| DCR-20250511-011 | Alleged data leak of an unidentified Background Verification Company in Pakistan | k4rm_yogi | Data Leak | Unidentified Background Verification Company | Pakistan | Not Specified |
| DCR-20250511-012 | TEAM R70 targets the website of Alaska Batteries | TEAM R70 | Defacement | Alaska Batteries | Pakistan | Manufacturing |
| DCR-20250511-013 | TEAM R70 targets the website of Al-Waei News | TEAM R70 | Defacement | Al-Waei News | Egypt | Newspapers & Journalism |
| DCR-20250511-014 | TEAM R70 targets the website of Banjaluka.net | TEAM R70 | Defacement | Banjaluka.net | Bosnia and Herzegovina | Newspapers & Journalism |
2. Detailed Incident Analysis
Incident DCR-20250511-001: Alleged sale of unauthorized access to a U.S. Private Clinic’s ERM System
- 2.1.1. Incident Overview
- Date Reported: 2025-05-11T10:33:27Z
- Category: Initial Access
- Network: openweb
- Victim Details:
- Organization: Unidentified Private Clinic
- Industry: Hospital & Health Care
- Country: USA
- Site: Not Specified
- Incident Description: A threat actor, identified by the moniker “jaba1234,” has advertised the sale of unauthorized access to the Electronic Records Management (ERM) system of a private clinic located in the United States. The advertised access purportedly includes “fullz” data, a term commonly used in cybercriminal circles to denote complete sets of personally identifiable information. This allegedly includes Social Security Numbers (SSNs), driver’s license details, confidential internal documents, and other forms of sensitive information.
- 2.1.2. Threat Actor Profile: jaba1234
- The threat actor “jaba1234” is known in this context through their post on the XSS.is forum, a platform frequently utilized by cybercriminals for trading illicit goods and services, including compromised access and data. At present, there is no extensive public threat intelligence profile available that definitively links “jaba1234” to previously known campaigns or larger threat groups.
- The actor’s primary motivation appears to be financial, seeking to monetize the alleged unauthorized access. Their TTPs involve gaining unauthorized access to the clinic’s ERM system (method unspecified in the claim) and subsequently advertising this access for sale on a cybercrime forum.
- The operation of such actors on forums like XSS.is is indicative of a broader trend within the cybercrime ecosystem where individuals or small, agile groups can offer specialized services, such as initial access brokering. These brokers play a crucial role by providing entry points into victim networks for other malicious actors, who may then deploy ransomware, exfiltrate further data, or conduct espionage.
- 2.1.3. Supporting Evidence & Sources
- Published URL: https://xss.is/threads/137460/
- This URL directs to the forum post where “jaba1234” made the claim and advertised the sale.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/6658c3c2-5bd9-4a47-b9ad-4314fef0f531.png
- The screenshot likely provides visual evidence of the forum post or the data being offered.
- 2.1.4. Potential Implications & Risk Assessment
- The sale of unauthorized access to an ERM system represents a severe security breach with potentially devastating consequences. Such access is a critical precursor to more damaging attacks, including ransomware deployment which could cripple the clinic’s operations, and comprehensive data exfiltration for identity theft, fraud, or public shaming.
- The types of data allegedly compromised – SSNs, driver’s licenses, and confidential internal documents – are highly sensitive. Fullz data containing SSNs and driver’s licenses commands a significant price on dark web markets due to its utility in committing identity theft, financial fraud, and other malicious activities. The exposure of confidential internal documents could also lead to reputational damage, regulatory penalties (e.g., under HIPAA in the U.S.), and loss of patient trust.
- This incident underscores the critical importance for healthcare organizations to secure their ERM systems through robust authentication mechanisms, continuous monitoring for anomalous access patterns, and regular security audits. The activities of initial access brokers highlight the need for proactive threat intelligence to identify and mitigate compromised credentials before they can be leveraged for broader attacks.
Incident DCR-20250511-002: HexaForce Alliance targets the website of Pakistan Muslim League (N)
- 2.2.1. Incident Overview
- Date Reported: 2025-05-11T09:47:03Z
- Category: Defacement
- Network: telegram
- Victim Details:
- Organization: Pakistan Muslim League (N)
- Industry: Political Organization
- Country: Pakistan
- Site: pmln.org
- Incident Description: A group identifying itself as “HexaForce Alliance” has claimed responsibility for defacing the official website of the Pakistan Muslim League (N), a prominent political party in Pakistan. Website defacement involves unauthorized alteration of a website’s appearance, typically to display the attacker’s message.
- 2.2.2. Threat Actor Profile: HexaForce Alliance
- “HexaForce Alliance” appears to be a hacktivist group, with their actions targeting a political organization suggesting a politically motivated agenda. The claim was disseminated via a Telegram channel, a common platform for hacktivist groups to announce their activities and communicate with supporters.
- Available research materials [1] do not contain specific intelligence directly pertaining to a group named “HexaForce Alliance.” One source describes a threat actor impersonating the Electronic Frontier Foundation (EFF) to target online gamers with malware, attributing this to Russian-speaking, financially motivated cybercriminals [1]. Another details activities of Russian state-sponsored groups like Sandworm and Gamaredon targeting Ukraine and NATO allies [2]. These profiles do not align with the claimed activity or the name “HexaForce Alliance.”
- Therefore, the profile of “HexaForce Alliance” is primarily based on their current claim of defacing the Pakistan Muslim League (N) website. Without further corroborated information linking them to broader campaigns or known TTPs beyond website defacement, their capabilities and long-term objectives remain largely unconfirmed. Their choice of target strongly indicates a motivation rooted in political activism or protest related to Pakistani politics.
- 2.2.3. Supporting Evidence & Sources
- Published URL: https://t.me/c/2391918007/186
- This URL points to the Telegram message where HexaForce Alliance made their claim.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4a3a168c-9947-4de9-8efa-74aff3f67e0f.png
- The screenshot likely displays the defaced webpage of the Pakistan Muslim League (N) website.
- 2.2.4. Potential Implications & Risk Assessment
- Website defacements, while often not causing direct financial loss or data theft, can lead to reputational damage for the targeted organization. For a political party, such an attack can be perceived as a sign of weakness or an inability to secure its digital assets, potentially impacting public perception.
- The incident may also cause temporary disruption to the party’s online communication channels. Depending on the sophistication of the attackers and the vulnerabilities exploited, a defacement could potentially be a precursor to or a diversion for more intrusive attacks aimed at accessing sensitive internal data.
- This event highlights the ongoing use of cyber means for political expression and activism, particularly in regions with active political discourse and tensions.
Incident DCR-20250511-003: Arabian Ghosts targets the ICS functional tower operated by West Texas Rural Telephone Cooperative (WTRT)
- 2.3.1. Incident Overview
- Date Reported: 2025-05-11T09:24:46Z
- Category: Alert
- Network: telegram
- Victim Details:
- Organization: West Texas Rural Telephone Cooperative (WTRT)
- Industry: Network & Telecommunications
- Country: USA
- Site: wtrt.net
- Incident Description: A group calling itself “Arabian Ghosts” claims to have successfully hacked into an Industrial Control System (ICS) functional tower associated with the West Texas Rural Telephone Cooperative (WTRT). ICS are critical components of infrastructure, managing and controlling industrial processes.
- 2.3.2. Threat Actor Profile: Arabian Ghosts
- The name “Arabian Ghosts” has appeared in threat intelligence contexts, though with potentially differing attributions. One set of reports identifies “Arabian Ghosts” as a prominent hacktivist group involved in targeting Indian organizations, particularly active during periods of India-Pakistan geopolitical tensions. Their activities in that context primarily involved Distributed Denial of Service (DDoS) attacks and were politically motivated, focusing on South Asian targets [3].
- Separately, intelligence describes “Ghost actors” (using aliases such as Cring, Crypt3r, Phantom, but not explicitly “Arabian Ghosts”) as a China-based, financially motivated group conducting ransomware attacks and data exfiltration across various sectors globally, including critical infrastructure. These actors are known to exploit vulnerabilities in internet-facing services and have used tools like Cobalt Strike [4].
- The current claim by an entity named “Arabian Ghosts” to have compromised a U.S. telecommunications provider’s ICS presents a notable deviation from the India-focused hacktivist profile. It is plausible that:
- The “Arabian Ghosts” claiming this U.S. ICS attack is a distinct entity from the group targeting India.
- The original group has expanded its targeting scope and capabilities.
- The name is being used opportunistically by an unrelated actor.
- Given the critical nature of ICS and the U.S. target, this claim, if substantiated, would be of significant concern. The motivation behind such an attack could range from disruption and espionage to a demonstration of capability. The TTPs involved in compromising an ICS tower would typically require a higher level of sophistication than simple website defacement or DDoS attacks. Analysis of the content on their Telegram channel is crucial to better understand their purported capabilities and intentions regarding this specific claim.
- 2.3.3. Supporting Evidence & Sources
- Published URL: https://t.me/ARABIAN_GHOSTS/843
- This URL links to the Telegram message where “Arabian Ghosts” announced the alleged ICS hack.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/911f4449-1832-436b-bcef-d76c0b37939a.png
- https://d34iuop8pidsy8.cloudfront.net/fd571074-b092-4f78-8ad4-e94eb9649492.png
- These screenshots presumably offer some form of evidence supporting their claim, potentially showing interfaces or data related to the ICS.
- 2.3.4. Potential Implications & Risk Assessment
- A successful compromise of an ICS functional tower within a telecommunications cooperative could have severe consequences. It could lead to disruption of telecommunication services for rural customers, potentially impacting emergency communications, business operations, and daily life.
- Beyond service disruption, unauthorized access to ICS environments can pose risks of physical damage, enable espionage on critical infrastructure operations, or allow attackers to establish persistent footholds for future malicious activities.
- The targeting of critical infrastructure, especially ICS, by any group is a serious development. Verification of this claim is paramount. If true, it would indicate a capable adversary targeting U.S. infrastructure, requiring immediate investigation and response from relevant authorities and the affected organization. The ambiguity surrounding the “Arabian Ghosts” identity in this context makes it difficult to ascertain specific motivations without further intelligence.
Incident DCR-20250511-004: Alleged database leak of A. Sirkar & Co. Jewellers
- 2.4.1. Incident Overview
- Date Reported: 2025-05-11T08:58:37Z
- Category: Data Breach
- Network: telegram
- Victim Details:
- Organization: A. Sirkar & Co. Jewellers
- Industry: Luxury Goods & Jewelry
- Country: India
- Site: asirkar.in
- Incident Description: The threat actor group “LulzSec Black” claims to have leaked the database of A. Sirkar & Co. Jewellers, an Indian company specializing in luxury goods and jewelry.
- 2.4.2. Threat Actor Profile: LulzSec Black
- “LulzSec Black” is a name that evokes the original Lulz Security (LulzSec) group, which was active around 2011 and known for high-profile attacks motivated by “the lulz” (entertainment) rather than direct financial gain [5]. The original LulzSec consisted of several core members, including Hector Monsegur (“Sabu”), and targeted governments and companies, often making private information public [6].
- More recently, a group operating as “LulzSec Black” has been associated with politically motivated hacktivism, particularly with a pro-Palestine stance. This iteration of LulzSec Black was reportedly involved in coordinated cyberattacks against Cyprus’ critical infrastructure and government websites in early 2025, citing Cyprus’s support for Israel as the motive. Their tactics in that campaign included DDoS attacks and claimed data exfiltration, and they issued political demands [7].
- The current claim of leaking an Indian jeweler’s database by “LulzSec Black” presents a potential divergence from their more explicitly documented anti-Israel campaigns. While hacktivist groups can have broad or shifting targets, the direct motivation for targeting an Indian luxury goods company is not immediately apparent from their established pro-Palestine narrative. It could be an opportunistic attack, an attempt to gain notoriety, or there might be a perceived (by the group) indirect link that is not publicly known. The content of their Telegram channel, where this claim was made, may offer more context on their specific reasoning for this target. The “LulzSec” branding itself often implies a desire for disruption and public attention, which a data leak can achieve.
- 2.4.3. Supporting Evidence & Sources
- Published URL: https://t.me/c/2218423825/6850
- This URL directs to the Telegram message containing the claim by LulzSec Black.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/1e701b5e-ef74-464a-b0af-19991d696bd5.png
- The screenshot likely provides a sample or proof of the leaked database.
- 2.4.4. Potential Implications & Risk Assessment
- A database leak from a luxury jeweler could expose sensitive customer information, including names, contact details, purchase histories, and potentially financial information. Such data can be exploited for identity theft, targeted phishing attacks, or social engineering.
- For A. Sirkar & Co. Jewellers, the breach can lead to significant reputational damage, loss of customer trust, and potential regulatory scrutiny under India’s data protection laws. The luxury goods sector often caters to high-net-worth individuals, making their data particularly attractive to criminals.
- This incident, attributed to a group with known hacktivist leanings, also underscores how commercial entities can become targets in broader ideological campaigns, even if the direct link is not immediately obvious.
Incident DCR-20250511-005: Alleged data sale of Frisco Police Department
- 2.5.1. Incident Overview
- Date Reported: 2025-05-11T06:35:14Z
- Category: Data Breach
- Network: openweb
- Victim Details:
- Organization: Frisco Police Department
- Industry: Law Enforcement
- Country: USA
- Site: friscopd.com
- Incident Description: A threat actor using the alias “Shinchan” claims to be selling a database purportedly containing the personal and professional details of approximately 90,000 law enforcement personnel linked to the Frisco Police Department in Texas, USA. The extensive list of allegedly compromised data includes full names, email addresses, phone numbers, agency affiliations, job titles, supervisor contact information, IP addresses, training details, and registration metadata.
- 2.5.2. Threat Actor Profile: Shinchan
- The threat actor “Shinchan” is identified in this context solely through their advertisement on the “darkforums.st” website, a platform known to host illicit marketplaces for stolen data and cybercrime tools.
- Extensive searches for a threat actor named “Shinchan” involved in data breaches yield no specific, credible intelligence linking this moniker to established hacking groups or prior campaigns. The name is predominantly associated with a popular Japanese anime series [8] and various online user profiles unrelated to cybercrime [10]. Other search results are generic or irrelevant to this specific type of malicious activity [12].
- Therefore, “Shinchan” should be considered the persona adopted by an individual or group for this specific transaction on the dark web forum. Their motivation is clearly financial, aiming to profit from the sale of highly sensitive law enforcement data. The TTPs involve the acquisition (through unspecified means) of this data and its subsequent advertisement and sale on an underground market.
- The emergence of actors like “Shinchan” on such forums highlights the accessibility of platforms for monetizing stolen data. The credibility of their claim would typically depend on samples or proofs offered within the forum post.
- 2.5.3. Supporting Evidence & Sources
- Published URL: https://darkforums.st/Thread-Selling-90K-FRISCO-TEXAS-USA-POLICE-PERSONNEL-DATA
- This URL links to the dark web forum thread where “Shinchan” is advertising the data sale.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/50d64028-d464-474d-b32d-45f60fefdd87.png
- The screenshot likely shows the advertisement or a sample of the data being offered.
- 2.5.4. Potential Implications & Risk Assessment
- The alleged breach and sale of data pertaining to 90,000 law enforcement personnel is an extremely serious incident with profound security implications. Such data, if authentic, could be used to:
- Target officers and their families for harassment, intimidation, or violence.
- Compromise ongoing investigations or undercover operations.
- Facilitate identity theft and financial fraud against the affected personnel.
- Undermine the operational security of the Frisco Police Department and potentially other interconnected agencies.
- Erode public trust in the ability of law enforcement agencies to protect their own sensitive information.
- The detailed nature of the allegedly compromised data, including training details and supervisor contacts, further exacerbates the risk. This incident underscores the critical need for robust cybersecurity measures within law enforcement agencies to protect personnel data and maintain operational integrity. The ease with which such sensitive information can be advertised for sale, assuming the claim is legitimate, is a cause for significant alarm and necessitates thorough investigation by relevant authorities.
Incident DCR-20250511-006: Alleged data breach of Dooble Digital Solutions
- 2.6.1. Incident Overview
- Date Reported: 2025-05-11T05:48:21Z
- Category: Data Breach
- Network: telegram
- Victim Details:
- Organization: Dooble Digital Solutions
- Industry: Information Technology (IT) Services
- Country: Israel
- Site: dooble.co.il
- Incident Description: A threat actor or group identifying as “EL_FEDAYEEN” claims to have breached Dooble Digital Solutions, an Israeli technology provider that supports critical sectors, including infrastructure and electricity. According to the attackers, they exfiltrated the complete source code for the company’s website and multiple applications, along with sensitive data on over 915 clients. Allegedly impacted high-profile organizations include Toyota, Elbit Systems, HPE, Cognyte, the Israel Electric Corporation, and Technion. The leaked data reportedly includes login credentials, internal emails, project settings, confidential documents, and source code for several platforms. The attackers also claim to have obtained control panel access and proprietary Chrome extension code.
- 2.6.2. Threat Actor Profile: EL_FEDAYEEN
- “EL_FEDAYEEN” appears as the entity claiming responsibility for this significant data breach via a Telegram channel. The name “El Fedayeen” (Arabic for “those who sacrifice themselves”) often carries connotations of militant or resistance groups, suggesting a potential political or ideological motivation behind the attack, particularly given the Israeli target and its high-profile, critical sector clients (including defense contractor Elbit Systems).
- Available research materials reviewed [18] do not contain specific intelligence on a threat actor group named “EL_FEDAYEEN.” One source discusses the BADBOX 2.0 operation targeting CTV devices, attributed to threat actors like MoYu Group and Lemon Group [18]. Another details the activities of Seashell Blizzard, a Russian GRU-linked actor, focusing on targets related to the conflict in Ukraine [19]. These profiles are not related to “EL_FEDAYEEN” or the described attack on Dooble Digital Solutions.
- Thus, “EL_FEDAYEEN” is primarily known through this claim on Telegram. Their TTPs, as described, involve sophisticated network intrusion, large-scale data exfiltration (including source code and client data), and public disclosure of the breach. The targeting of an IT solutions provider represents a potential supply chain attack vector, aiming to impact a multitude of its clients.
- 2.6.3. Supporting Evidence & Sources
- Published URL: https://t.me/el_fedayeen/109
- This URL links to the Telegram message where “EL_FEDAYEEN” announced the alleged breach.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/331bced3-60bb-464e-89bb-7c82639957f8.png
- https://d34iuop8pidsy8.cloudfront.net/e939f7cb-6a08-44ef-8fff-730b1c0f3c2e.png
- These screenshots likely offer purported evidence of the breach, such as samples of exfiltrated data or access to internal systems.
- 2.6.4. Potential Implications & Risk Assessment
- A breach of this magnitude at an IT provider like Dooble Digital Solutions could have cascading and severe consequences for its clients. The exfiltration of source code for websites and applications can expose vulnerabilities that other threat actors could exploit.
- The compromise of sensitive data for over 915 clients, including major international corporations and critical infrastructure entities like the Israel Electric Corporation and defense company Elbit Systems, poses significant risks:
- Espionage and Intellectual Property Theft: Competitors or state-sponsored actors could leverage the stolen data.
- Further Attacks: Exposed login credentials, internal emails, and project settings can be used to launch targeted attacks against Dooble’s clients.
- Operational Disruption: Access to control panels could allow attackers to disrupt client services or manipulate data.
- Reputational Damage: Both Dooble and its affected clients could suffer significant reputational harm and loss of trust.
- This incident highlights the critical vulnerability posed by supply chain attacks, where compromising a single service provider can grant attackers access to a multitude of downstream targets. The claim, if verified, represents a major cybersecurity event with potential national security implications for Israel.
Incident DCR-20250511-007: Alleged leak of admin access to AryaGO
- 2.7.1. Incident Overview
- Date Reported: 2025-05-11T05:22:25Z
- Category: Initial Access
- Network: telegram
- Victim Details:
- Organization: AryaGO
- Industry: Transportation & Logistics
- Country: India
- Site: aryago.co.in
- Incident Description: A group identifying as “Black Ember” claims to have leaked administrative credentials belonging to AryaGO, an Indian company in the transportation and logistics sector.
- 2.7.2. Threat Actor Profile: Black Ember
- “Black Ember” is the name used by the entity claiming this credential leak via Telegram.
- Research into threat actors provides information on “Black Basta” and “Ember Bear,” but not specifically “Black Ember.” “Black Basta” is a Russian-speaking ransomware-as-a-service (RaaS) group known for double extortion attacks, first spotted in early 2022 and having targeted healthcare among other sectors [20]. “Ember Bear” (also known as UNC2589, DEV-0586, Cadet Blizzard) is identified as a Russian state-sponsored cyber espionage group linked to the GRU, primarily targeting Ukrainian government and telecommunication entities, as well as critical infrastructure in Europe and the Americas [21].
- Neither of these profiles directly matches a group named “Black Ember” leaking admin credentials for an Indian logistics company. It is possible that “Black Ember” is a new or lesser-known group, or a moniker adopted for this specific activity. Their motivation, based on leaking admin credentials, could be to cause disruption, enable further attacks by others, or gain notoriety. The chosen platform (Telegram) is common for such disclosures.
- 2.7.3. Supporting Evidence & Sources
- Published URL: https://t.me/BlackEmber/25
- This URL points to the Telegram message where “Black Ember” made their claim.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/63397437-a457-49e7-9176-249f5403dc5d.png
- The screenshot likely displays the leaked administrative credentials or proof of access.
- 2.7.4. Potential Implications & Risk Assessment
- The leak of administrative credentials for a transportation and logistics company like AryaGO can have serious operational and security consequences. Admin access could allow malicious actors to:
- Disrupt logistics operations by altering schedules, rerouting shipments, or manipulating inventory data.
- Access sensitive customer and cargo information, potentially leading to theft or further targeted attacks.
- Deploy malware, including ransomware, within AryaGO’s network.
- Use AryaGO’s systems as a pivot point to attack partners or customers.
- This incident underscores the importance of strong credential management, multi-factor authentication, and regular monitoring for unauthorized access, especially for accounts with administrative privileges.
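Both this assessment and the one for DCR-20250511-001 (section 2.1.4) recommend continuous monitoring of administrative access. As an added illustration that is not part of the original briefing, the following script applies four defender-side checks to authentication log lines: an admin login without MFA, an admin login from an IP not in the account's baseline, an admin login outside business hours, and a success that follows a burst of failures. The log format, the business-hours window (08:00 to 17:59 UTC), the thresholds and the sample lines are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample auth log (key=value format assumed for this example;
# addresses are from documentation ranges, not real infrastructure).
SAMPLE_LOG = """\
2025-05-11T09:02:11Z user=alice ip=198.51.100.10 role=admin result=SUCCESS mfa=true
2025-05-11T09:05:43Z user=bob ip=198.51.100.22 role=user result=SUCCESS mfa=true
2025-05-11T22:10:02Z user=carol ip=203.0.113.7 role=admin result=FAILURE mfa=false
2025-05-11T22:10:20Z user=carol ip=203.0.113.7 role=admin result=FAILURE mfa=false
2025-05-11T22:10:41Z user=carol ip=203.0.113.7 role=admin result=FAILURE mfa=false
2025-05-11T22:11:05Z user=carol ip=203.0.113.7 role=admin result=SUCCESS mfa=false
2025-05-11T13:30:00Z user=bob ip=198.51.100.22 role=user result=SUCCESS mfa=false
"""

# Assumed baseline: source IPs previously seen for each admin account.
KNOWN_ADMIN_IPS = {"alice": {"198.51.100.10"}, "carol": {"198.51.100.31"}}

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 UTC
FAIL_THRESHOLD = 3              # failures before a success is suspicious
FAIL_WINDOW_SEC = 300           # look-back window for those failures

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) role=(?P<role>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) mfa=(?P<mfa>true|false)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["mfa"] = ev["mfa"] == "true"
    return ev


def _finding(ev, rule):
    return {"rule": rule, "user": ev["user"], "ip": ev["ip"], "ts": ev["ts"].isoformat()}


def analyze(lines, known_ips):
    """Run the detection rules over log lines (in time order) and return findings."""
    findings = []
    recent_failures = defaultdict(list)   # user -> timestamps of failed logins
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "FAILURE":
            recent_failures[user].append(ts)
            continue
        # Success: was it preceded by a burst of failures inside the window?
        in_window = [t for t in recent_failures[user]
                     if (ts - t).total_seconds() <= FAIL_WINDOW_SEC]
        if len(in_window) >= FAIL_THRESHOLD:
            findings.append(_finding(ev, "brute_force_success"))
        recent_failures[user] = []
        if ev["role"] != "admin":
            continue
        if not ev["mfa"]:
            findings.append(_finding(ev, "admin_no_mfa"))
        if ev["ip"] not in known_ips.get(user, set()):
            findings.append(_finding(ev, "admin_new_ip"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(_finding(ev, "admin_off_hours"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines(), KNOWN_ADMIN_IPS):
        print(f)
```

Against the sample, only the `carol` success at 22:11:05Z is reported, once per rule, while the non-admin user without MFA is left alone; in practice the baseline of known IPs would be built from a trailing window of historical successes rather than hard-coded.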
Incident DCR-20250511-008: Alleged sale of Win Stealer
(This incident is detailed in Section 3: Emerging Malware & Tools Spotlight)
Incident DCR-20250511-009: GHOST’S OF GAZA targets the website of Directorate of Power and Energy Audit (PEAD)
- 2.9.1. Incident Overview
- Date Reported: 2025-05-11T03:48:27Z
- Category: Defacement
- Network: telegram
- Victim Details:
- Organization: Directorate of Power and Energy Audit (PEAD)
- Industry: Government & Public Sector
- Country: Bangladesh
- Site: pead.org.bd
- Incident Description: A group calling itself “GHOST’S OF GAZA” has claimed responsibility for defacing the website of the Directorate of Power and Energy Audit (PEAD) in Bangladesh. A mirror of the defacement is reportedly available at https://ownzyou.com/zone/264707.
- 2.9.2. Threat Actor Profile: GHOST’S OF GAZA
- The name “GHOST’S OF GAZA” strongly suggests a hacktivist group with a pro-Palestine political motivation. Their choice of name explicitly references the Gaza Strip, a focal point of the Israeli-Palestinian conflict.
- This profile aligns ideologically with “GhostSec,” another hacktivist group that reportedly emerged from Anonymous. GhostSec initially focused on countering ISIS but later declared support for Palestine, engaging in activities like DDoS attacks, defacements, data breaches, and even developing ransomware (GhostLocker) [22]. GhostSec is also noted as being part of “The Five Families” hacktivist collective and has collaborated with other groups like Stormous [22].
- It is important to distinguish these ideologically motivated “Ghost” groups from “Ghost actors” described in other intelligence, which are identified as China-based, financially motivated ransomware operators using names like Cring or Phantom [4]. These appear to be entirely separate entities.
- “GHOST’S OF GAZA,” based on their name and the act of defacement (a common hacktivist TTP), likely operates to promote their political agenda. Targeting a government entity in Bangladesh is somewhat unusual if their sole focus is the Israeli-Palestinian conflict. The motivation for this specific target might be symbolic, opportunistic, or based on a perceived stance or action by Bangladesh that the group opposes. Their Telegram channel would be the primary source for understanding their specific messaging regarding this attack.
- 2.9.3. Supporting Evidence & Sources
- Published URL: https://t.me/ghostsofGAZAofficial/65
- This URL links to the Telegram announcement by “GHOST’S OF GAZA.”
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/d831cee3-1f25-48fa-baba-73d5643e70b8.png
- The screenshot likely shows the defaced PEAD website.
- Mirror URL: https://ownzyou.com/zone/264707 (as provided in the incident content)
- 2.9.4. Potential Implications & Risk Assessment
- The defacement of a government agency’s website, such as the Directorate of Power and Energy Audit, can cause reputational damage and may be perceived as an embarrassment for the targeted government. It can temporarily disrupt the agency’s ability to disseminate information via its official website.
- While defacements are often superficial, they indicate that attackers were able to exploit a vulnerability in the website or its hosting environment. This could potentially be leveraged for more severe attacks if the underlying vulnerabilities are not addressed.
- The action by “GHOST’S OF GAZA” highlights how hacktivist groups can target entities seemingly unrelated to their core ideological focus, possibly to gain attention, make a broader statement, or due to perceived, less obvious connections.
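A defacement is usually noticed first by visitors, so an operator can close that gap by comparing its own pages against a known-good snapshot. The monitor below is an added example, not code from this report or from any organisation named in it; it assumes the current page has already been fetched, and the HTML samples, expected strings and marker phrases are constructed. The check a defender actually wants is the one shown here: volatile fragments such as generator comments, server clocks and CSRF tokens are stripped before hashing so that ordinary re-renders do not raise alerts, while a genuine content change is escalated when defacement phrases appear or content that should always be present disappears.

```python
"""Integrity check for a public web page against a known-good snapshot.

Added example for the defacement incidents in this report; not code from the
report or from any organisation named in it. Assumes the current page has
already been fetched; the HTML samples, expected strings and marker phrases
are constructed.
"""
import hashlib
import re

# Fragments that change on every legitimate render and must not count as a
# content change: generator comments, server clocks, CSRF tokens, whitespace.
VOLATILE = [
    (re.compile(r"<!--.*?-->", re.S), ""),
    (re.compile(r"<time[^>]*>.*?</time>", re.S), "<time/>"),
    (re.compile(r'name="csrf_token" value="[^"]*"'), 'name="csrf_token" value=""'),
    (re.compile(r"\s+"), " "),
]

# Phrases that almost never appear on a legitimate agency page (constructed list).
DEFACEMENT_MARKERS = ["hacked by", "owned by", "defaced by", "pwned by"]


def normalise(html):
    for pattern, replacement in VOLATILE:
        html = pattern.sub(replacement, html)
    return html.strip()


def fingerprint(html):
    """SHA-256 of the normalised page; stable across volatile re-renders."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def title_of(html):
    m = re.search(r"<title>(.*?)</title>", html, re.S | re.I)
    return m.group(1).strip() if m else ""


def assess(baseline_html, current_html, expected_strings):
    """Compare a fetched page with its baseline and grade the difference."""
    changed = fingerprint(baseline_html) != fingerprint(current_html)
    text = current_html.lower()
    markers = [m for m in DEFACEMENT_MARKERS if m in text]
    missing = [s for s in expected_strings if s.lower() not in text]
    if not changed:
        verdict = "unchanged"
    elif markers or missing:
        verdict = "probable_defacement"   # page swapped out: page an analyst
    else:
        verdict = "changed_review"        # real edit, no defacement signs
    return {"changed": changed, "markers": markers, "missing": missing,
            "title": title_of(current_html), "verdict": verdict}


# Constructed samples for a fictitious agency site.
EXPECTED = ["Example Agency", "Annual audit reports"]


def page(title, body, clock="2025-05-11T03:00:00Z", token="a1b2"):
    return f"""<!-- generated {clock} -->
<html><head><title>{title}</title></head>
<body><time datetime="{clock}">{clock}</time>
<form><input type="hidden" name="csrf_token" value="{token}"></form>
{body}</body></html>"""


BASELINE = page("Example Agency",
                "<h1>Example Agency</h1><ul><li>Annual audit reports</li></ul>")
# Same content, new clock and token: must not alert.
RERENDER = page("Example Agency",
                "<h1>Example Agency</h1><ul><li>Annual audit reports</li></ul>",
                clock="2025-05-11T04:00:00Z", token="c3d4")
# A normal editorial change: flag for review, not as a defacement.
LEGIT_UPDATE = page("Example Agency",
                    "<h1>Example Agency</h1><ul><li>Annual audit reports</li>"
                    "<li>Tariff audit 2025</li></ul>")
# Whole page replaced by a constructed defacement.
DEFACED = page("Hacked By Example Crew",
               "<h1>HACKED BY EXAMPLE CREW</h1><p>Placeholder defacement message.</p>")

if __name__ == "__main__":
    for name, current in [("rerender", RERENDER), ("update", LEGIT_UPDATE),
                          ("defaced", DEFACED)]:
        print(name, assess(BASELINE, current, EXPECTED)["verdict"])
```

In production the baseline hash would be refreshed on every approved deployment and the check run from outside the hosting environment, so that an attacker who controls the web server cannot also silence the monitor.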
Incident DCR-20250511-010: Alleged sale of admin access to an unidentified organization in Spain
- 2.10.1. Incident Overview
- Date Reported: 2025-05-11T03:41:22Z
- Category: Initial Access
- Network: openweb
- Victim Details:
- Organization: Unidentified
- Industry: Not Specified
- Country: Spain
- Site: Not Specified
- Incident Description: A threat actor using the handle “Reve” is claiming to sell unauthorized administrative access to an unspecified organization located in Spain. The claim was made on the Exploit.in forum.
- 2.10.2. Threat Actor Profile: Reve
- The threat actor “Reve” is known in this instance through their post on Exploit.in, a well-known Russian-language cybercrime forum where illicit goods, services, exploits, and compromised access are frequently traded.
- Available search results for a threat actor specifically named “Reve” operating as an initial access broker are not definitive or directly linked to this activity on Exploit.in [23]. The name itself is generic, and public threat intelligence does not provide a clear, established profile for an actor “Reve” specializing in selling access to Spanish organizations via this forum.
- Therefore, “Reve” should be considered the moniker used by an individual or group on the Exploit.in forum for this particular transaction. Their motivation is undoubtedly financial, aiming to profit from the sale of administrative access. The TTPs involve gaining unauthorized administrative-level access to the target organization (method unknown) and then advertising this access for sale.
- Actors like “Reve” on platforms such as Exploit.in form a critical part of the cybercrime supply chain, providing initial footholds that can be purchased by other criminals for deploying ransomware, exfiltrating data, or conducting other malicious operations.
- 2.10.3. Supporting Evidence & Sources
- Published URL: https://forum.exploit.in/topic/258905/
- This URL directs to the Exploit.in forum post where “Reve” is advertising the sale.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/d5a8e277-9f17-4051-b457-023ad07918d3.png
- The screenshot likely shows the forum post advertising the admin access.
- 2.10.4. Potential Implications & Risk Assessment
- The sale of administrative access to any organization poses a severe threat. Admin-level credentials provide extensive control over systems and data, potentially allowing a buyer to:
- Deploy ransomware across the network.
- Exfiltrate sensitive corporate or customer data.
- Install persistent backdoors for long-term espionage.
- Disrupt operations or cause significant damage to IT infrastructure.
- Use the compromised organization’s resources to attack other entities.
- For the unidentified Spanish organization, this represents an immediate and critical risk. The fact that such access is being openly sold on a major cybercrime forum increases the likelihood of it being purchased and exploited. This highlights the continuous threat posed by initial access brokers and the importance of robust security measures to prevent unauthorized access and detect compromised credentials.
Incident DCR-20250511-011: Alleged data leak of an unidentified Background Verification Company in Pakistan
- 2.11.1. Incident Overview
- Date Reported: 2025-05-11T03:35:56Z
- Category: Data Leak
- Network: openweb
- Victim Details:
- Organization: Unidentified Background Verification Company
- Industry: Not Specified (likely Professional Services or HR Services)
- Country: Pakistan
- Site: Not Specified
- Incident Description: A threat actor using the moniker “k4rm_yogi” claims to be selling data from an unidentified Pakistani background verification company. The compromised dataset allegedly exposes over 300,000 records, including sensitive personal information such as names, emails, phone numbers, home addresses, CNIC (Computerized National Identity Card) documents, photos, and invoices.
- 2.11.2. Threat Actor Profile: k4rm_yogi
- “k4rm_yogi” is the alias used by the individual or group advertising this data leak on the “darkforums.st” platform, a known marketplace for illicitly obtained data and cybercrime tools.
- There is no readily available public threat intelligence profile that specifically details the activities or affiliations of a threat actor named “k4rm_yogi.” As such, their identity and broader operational scope are primarily defined by this current claim.
- The motivation of “k4rm_yogi” is clearly financial, seeking to monetize the allegedly stolen data. Their TTPs involve the exfiltration of a significant volume of sensitive data from the Pakistani background verification company and its subsequent advertisement for sale on a dark web forum. The method of data acquisition is not specified in the claim.
- 2.11.3. Supporting Evidence & Sources
- Published URL: https://darkforums.st/Thread-Pakistan-s-Background-Verification-Company-s-Data-Leaked
- This URL links to the dark web forum thread where “k4rm_yogi” is advertising the data.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4a865024-2bd1-4be0-8b79-39b2c6cfb03e.png
- The screenshot likely displays the advertisement or a sample of the leaked data.
- 2.11.4. Potential Implications & Risk Assessment
- A data leak from a background verification company is exceptionally serious due to the highly sensitive and comprehensive nature of the information typically handled by such entities. The exposure of over 300,000 records containing names, contact details, home addresses, official CNIC documents, photos, and invoices can lead to severe consequences for the individuals whose data has been compromised:
- Identity Theft and Fraud: CNIC documents and other PII are prime targets for identity thieves.
- Targeted Scams and Extortion: Detailed personal information can be used for sophisticated phishing, social engineering, or extortion attempts.
- Reputational Damage and Privacy Violations: The public exposure of such personal details is a gross violation of privacy.
- For the background verification company, this breach (if confirmed) would result in catastrophic reputational damage, loss of client trust, and significant legal and regulatory repercussions under Pakistan’s data protection laws. It also raises questions about the security practices within an industry entrusted with safeguarding vast amounts of personal data.
Incident DCR-20250511-012: TEAM R70 targets the website of Alaska Batteries
- 2.12.1. Incident Overview
- Date Reported: 2025-05-11T02:59:29Z
- Category: Defacement
- Network: telegram
- Victim Details:
- Organization: Alaska Batteries
- Industry: Manufacturing
- Country: Pakistan
- Site: alaskabatteries.com
- Incident Description: The group “TEAM R70” claims to have defaced the website of Alaska Batteries, a manufacturing company based in Pakistan.
- 2.12.2. Threat Actor Profile: TEAM R70
- “TEAM R70” has been identified in previous intelligence as a politically driven hacktivist group. Notably, they were reported as being highly active in targeting Brazilian government websites, accounting for a significant percentage (19.70%) of cyberattacks in Brazil during a three-month period leading up to September 2024. Their primary TTP in those campaigns was website defacement aimed at promoting their political agenda [31].
- The current claim of defacing a Pakistani manufacturing company’s website, along with other claims on the same day targeting entities in Egypt and Bosnia and Herzegovina (see incidents DCR-20250511-013 and DCR-20250511-014), indicates a broader geographical scope of activity than previously documented (Brazil-focused).
- This raises questions as to whether this is the same “TEAM R70” expanding its operations globally, or if other unrelated groups are using the same name. Hacktivist groups can indeed operate internationally, or their targeting can be opportunistic. The group’s Telegram channel (t.me/T3am_R70/), where these claims are published, would be the most direct source for understanding their current ideology, motivations, and the rationale behind this diverse set of targets. Their consistent use of defacement aligns with the TTPs observed in the Brazilian context. Microsoft’s threat actor naming conventions describe various categories but do not offer specific details on TEAM R70 [32].
- 2.12.3. Supporting Evidence & Sources
- Published URL: https://t.me/T3am_R70/936 (This URL is common for incidents DCR-20250511-012, -013, and -014, suggesting a batch announcement)
- This URL links to the Telegram message from TEAM R70 claiming the defacement.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/848cf76d-dcf0-44c2-a32d-df10c6e0539e.png
- https://d34iuop8pidsy8.cloudfront.net/5cbffe64-7057-4416-a3be-1176f57eb04b.png
- These screenshots likely show the defaced Alaska Batteries website.
- 2.12.4. Potential Implications & Risk Assessment
- For Alaska Batteries, a website defacement can cause reputational damage and a temporary loss of their online presence. It may raise concerns among customers and partners about the company’s overall security posture.
- While often less directly damaging than data breaches or ransomware, defacements signal that vulnerabilities exist. If the attackers gained deeper access than just what was needed to alter the website, there could be further unstated risks.
- The broader pattern of TEAM R70’s activity on this day suggests a coordinated campaign of defacements across multiple countries, likely aimed at maximizing their visibility and disseminating their message, whatever it may be.
Incident DCR-20250511-013: TEAM R70 targets the website of Al-Waei News
- 2.13.1. Incident Overview
- Date Reported: 2025-05-11T02:51:10Z
- Category: Defacement
- Network: telegram
- Victim Details:
- Organization: Al-Waei News
- Industry: Newspapers & Journalism
- Country: Egypt
- Site: elwaai.net
- Incident Description: The group “TEAM R70” claims to have defaced the website of Al-Waei News, a news organization based in Egypt.
- 2.13.2. Threat Actor Profile: TEAM R70
- As detailed in the preceding incident (DCR-20250511-012), “TEAM R70” is known as a politically motivated hacktivist group, previously documented for extensive defacement campaigns targeting Brazilian government entities [31].
- This attack on an Egyptian news website, alongside claimed attacks in Pakistan and Bosnia and Herzegovina on the same day, further supports the observation that TEAM R70 is currently engaged in a geographically diverse campaign. Targeting a news organization often aligns with hacktivist goals of influencing public discourse, protesting media narratives, or simply gaining high visibility for their cause.
- The motivations for targeting Al-Waei News specifically would likely be articulated in TEAM R70’s communications on their Telegram channel.
- 2.13.3. Supporting Evidence & Sources
- Published URL: https://t.me/T3am_R70/936 (Shared with other TEAM R70 claims from the same day)
- This URL links to TEAM R70’s Telegram announcement.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/46cd669d-fda3-4b30-aa4c-a62fdc90a342.png
- https://d34iuop8pidsy8.cloudfront.net/e712cd75-e940-4c70-ba2e-c1f252fbc106.png
- These screenshots likely display the defaced Al-Waei News website.
- 2.13.4. Potential Implications & Risk Assessment
- Defacement of a news website can disrupt the timely dissemination of news and information to the public. It can also damage the credibility and reputation of the news organization.
- Depending on the message displayed during the defacement, it could be used to spread propaganda, disinformation, or messages aligned with TEAM R70’s agenda.
- For media organizations, maintaining the integrity and availability of their online platforms is crucial. Such attacks highlight their vulnerability to ideologically motivated cyberattacks.
Incident DCR-20250511-014: TEAM R70 targets the website of Banjaluka.net
- 2.14.1. Incident Overview
- Date Reported: 2025-05-11T02:42:02Z
- Category: Defacement
- Network: telegram
- Victim Details:
- Organization: Banjaluka.net
- Industry: Newspapers & Journalism
- Country: Bosnia and Herzegovina
- Site: banjaluka.net
- Incident Description: The group “TEAM R70” claims to have defaced the website of Banjaluka.net, a news portal based in Bosnia and Herzegovina.
- 2.14.2. Threat Actor Profile: TEAM R70
- Consistent with the profiles in incidents DCR-20250511-012 and DCR-20250511-013, “TEAM R70” is a hacktivist group known for politically motivated website defacements [31].
- This attack against a news website in Bosnia and Herzegovina is part of the same series of geographically diverse defacements claimed by the group on May 11, 2025. The targeting of another media outlet reinforces the likelihood that TEAM R70 aims to influence or protest media narratives or gain visibility for their political messages across different regions.
- The specific reasons for targeting Banjaluka.net would likely be found in the group’s communications on their Telegram channel.
- 2.14.3. Supporting Evidence & Sources
- Published URL: https://t.me/T3am_R70/936 (Shared with other TEAM R70 claims from the same day)
- This URL links to TEAM R70’s Telegram announcement.
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/81906a70-fb59-4659-b266-793cbf1a68d9.png
- https://d34iuop8pidsy8.cloudfront.net/c7b8235a-8ac2-4485-86b2-d927b1719c9a.png
- These screenshots likely show the defaced Banjaluka.net website.
- 2.14.4. Potential Implications & Risk Assessment
- Similar to the attack on Al-Waei News, the defacement of Banjaluka.net can disrupt news delivery, damage the outlet’s reputation, and potentially be used to spread specific messages or propaganda.
- The series of attacks by TEAM R70 on this day demonstrates a coordinated effort to target multiple entities across different countries, suggesting a level of organization and a clear intent to make a widespread impact with their defacement campaign.
3. Emerging Malware & Tools Spotlight
- 3.1. “Win Stealer” Malware
- Incident Title: Alleged sale of Win Stealer
- Date Reported: 2025-05-11T05:10:10Z
- Threat Actor/Seller: D0gger
- Platform: openweb (XSS.is forum)
- Advertised Capabilities: The threat actor “D0gger,” operating on the XSS.is forum, is advertising a malware tool named “Win Stealer.” The malware is described as a sophisticated information stealer with a range of capabilities designed to bypass common security measures and exfiltrate a wide variety of sensitive data. Key advertised features include:
- Evasion of Windows Defender and Chrome browser security.
- Theft of passwords, browser cookies, credit card details, and authentication tokens from Chromium-based (e.g., Chrome, Edge) and Gecko-based (e.g., Firefox) browsers.
- A self-written loader, potentially to improve evasion or deployment flexibility.
- Screen capture functionality.
- Targeted theft of Telegram session data, KeePass password manager databases, and Binance desktop application data (likely targeting cryptocurrency assets).
- Runtime obfuscation techniques to hinder detection and analysis.
- Threat Actor Profile: D0gger
- “D0gger” is the moniker used by the seller of “Win Stealer” on the XSS.is hacking forum. This platform is a known hub for the sale and exchange of cybercrime tools, exploits, and services.
- Available general threat intelligence on threat actor types and malware [33] discusses motivations and the complexity of modern malware but does not contain specific information about an actor named “D0gger” or a tool explicitly called “Win Stealer.” The actor “UNK_CraftyCamel,” for instance, was noted for using polyglot files and developing the Sosano backdoor, indicating sophisticated development capabilities aimed at evading detection [34]. While not directly related to “D0gger,” this illustrates the continuous evolution of malware by various actors.
- The primary motivation for “D0gger” is financial, derived from the sale of this malware. By developing and distributing such tools, this actor directly contributes to the proliferation of capabilities used in cybercrime.
- Potential Impact and Significance:
- The availability of a feature-rich stealer like “Win Stealer” on a relatively public forum significantly lowers the barrier to entry for other cybercriminals. Less sophisticated actors can purchase such tools to conduct large-scale credential theft, financial fraud, identity theft, and cryptocurrency theft.
- The claims of bypassing Windows Defender and Chrome security, if accurate, are particularly concerning. These are widely used security components, and their effective bypass would render many users and organizations vulnerable. This highlights the ongoing arms race where malware authors continuously adapt their techniques to circumvent existing defenses.
- The diverse range of targeted data – from browser credentials and financial information to specific application data like KeePass, Telegram, and Binance – makes “Win Stealer” a versatile and dangerous tool for comprehensive victim exploitation. The theft of authentication tokens, for example, can allow attackers to bypass multi-factor authentication in some scenarios.
- Supporting Evidence:
- Published URL: https://xss.is/threads/137441/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/79cda916-ea6c-4d88-93d4-b6119639dec3.png
- The continuous development, advertisement, and sale of sophisticated stealers like “Win Stealer” underscore the dynamic nature of the cyber threat landscape. The claims of advanced evasion capabilities emphasize the necessity for organizations and individuals to adopt defense-in-depth security strategies. These should include not only traditional antivirus and endpoint protection but also behavioral detection systems (EDR/XDR), regular security awareness training, robust patch management, and proactive monitoring for indicators of compromise. The proliferation of such tools necessitates a shift towards assuming compromise and focusing on rapid detection and response.
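The capability list above (browser credential stores, KeePass databases, Telegram session data, Binance application data) describes what a stealer must read from disk, and that file access is the behaviour an EDR can watch for regardless of how well the binary itself is obfuscated. The following is an added example, not code from the forum post or from any vendor product; it assumes endpoint file-read telemetry has already been normalised into JSON lines with the fields used here (host, ts, pid, image, target_path), and the process names, paths and sample events are constructed. It flags any process other than the owning application that opens one of these stores, and raises severity when a single process sweeps several store types within a short window, which is the pattern a stealer produces and a legitimate application does not.

```python
"""Flag processes that read credential stores the way an infostealer would.

Added example for the "Win Stealer" capability list; not code from the forum
post or from any vendor product. Assumes file-read telemetry normalised into
JSON lines with the fields host, ts (epoch seconds), event, pid, image and
target_path. All names, paths and sample events below are constructed.
"""
import json
import re
from collections import defaultdict

# Store types the advertised stealer targets -> path patterns (matched against
# the lower-cased path) and the only processes expected to open them.
CREDENTIAL_STORES = {
    "chromium_browser": {
        "patterns": [r"\\(login data|cookies|web data)$"],
        "allowed": {"chrome.exe", "msedge.exe", "brave.exe"},
    },
    "gecko_browser": {
        "patterns": [r"\\(logins\.json|key4\.db|cookies\.sqlite)$"],
        "allowed": {"firefox.exe"},
    },
    "keepass": {"patterns": [r"\.kdbx$"], "allowed": {"keepass.exe"}},
    "telegram_session": {
        "patterns": [r"\\telegram desktop\\tdata\\"],
        "allowed": {"telegram.exe"},
    },
    "binance_app": {
        "patterns": [r"\\appdata\\roaming\\binance\\"],
        "allowed": {"binance.exe"},
    },
}

# Constructed telemetry: a normal Chrome session, KeePass opening its own
# vault, one suspicious binary sweeping four store types in 20 seconds, and
# a backup tool touching a vault file once.
SAMPLE_EVENTS = [
    r'{"host":"ws-01","ts":1000,"event":"file_read","pid":412,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"host":"ws-01","ts":1001,"event":"file_read","pid":980,"image":"C:\\Program Files\\KeePass\\KeePass.exe","target_path":"C:\\Users\\alice\\Documents\\vault.kdbx"}',
    r'{"host":"ws-01","ts":1002,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\Documents\\notes.txt"}',
    r'{"host":"ws-01","ts":1005,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}',
    r'{"host":"ws-01","ts":1006,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}',
    r'{"host":"ws-01","ts":1010,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\key4.db"}',
    r'{"host":"ws-01","ts":1014,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\Documents\\vault.kdbx"}',
    r'{"host":"ws-01","ts":1022,"event":"file_read","pid":5120,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe","target_path":"C:\\Users\\alice\\AppData\\Roaming\\Telegram Desktop\\tdata\\D877F783D5D3EF8C\\map0"}',
    r'{"host":"ws-02","ts":2000,"event":"file_read","pid":880,"image":"C:\\Tools\\backup.exe","target_path":"D:\\Shares\\finance\\vault.kdbx"}',
]


def load_events(lines):
    return [json.loads(line) for line in lines]


def classify(path):
    """Return the store type a path belongs to, or None for ordinary files."""
    p = path.lower()
    for name, spec in CREDENTIAL_STORES.items():
        if any(re.search(pat, p) for pat in spec["patterns"]):
            return name
    return None


def analyse(events, window_seconds=60, sweep_threshold=3):
    """One alert per (host, pid, image) that reads stores it does not own.

    Severity is "high" when the process touches sweep_threshold or more
    store types inside window_seconds, the bulk-harvest pattern of a stealer.
    """
    touched = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev.get("event") != "file_read":
            continue
        store = classify(ev["target_path"])
        if store is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in CREDENTIAL_STORES[store]["allowed"]:
            continue  # the owning application opening its own data
        touched[(ev["host"], ev["pid"], image)][store].append(ev["ts"])

    alerts = []
    for (host, pid, image), stores in touched.items():
        times = sorted(t for ts in stores.values() for t in ts)
        sweep = (len(stores) >= sweep_threshold
                 and times[-1] - times[0] <= window_seconds)
        alerts.append({
            "host": host, "pid": pid, "image": image,
            "stores": sorted(stores),
            "severity": "high" if sweep else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in analyse(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The allow-list is deliberately keyed on the store type rather than on a global list of trusted binaries: a backup agent reading a KeePass vault is worth a medium-severity look, but the same agent would never legitimately open browser cookie databases, Firefox key stores and a Telegram session directory within one minute, and that combination is what lifts the unsigned binary in a temp directory to high severity.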
4. Concluding Remarks & Key Observations
- 4.1. Overall Threat Landscape Assessment:
The cybersecurity incidents reported on May 11, 2025, paint a picture of a persistently active and multifaceted threat landscape. Activities ranged from financially motivated crimes, such as the sale of unauthorized access to critical systems (healthcare ERM, Spanish organization admin access) and sensitive datasets (Frisco Police Department, Pakistani background verification company, Dooble Digital Solutions), to politically charged hacktivism, predominantly manifesting as website defacements (Pakistan Muslim League (N), Directorate of Power and Energy Audit in Bangladesh, and multiple entities by TEAM R70). An alert concerning an alleged compromise of U.S. telecommunications ICS and the advertisement of sophisticated malware like “Win Stealer” further highlight the diverse threats organizations and individuals face. The digital environment clearly remains a contested domain, with a wide spectrum of threat actors employing various tactics to achieve their disparate objectives.
- 4.2. Prominent Threat Actor Activities & TTPs:
Several threat actors, or at least their monikers, were notably active. Groups like “LulzSec Black” and “TEAM R70” continued their hacktivist campaigns, while individual sellers on forums like XSS.is and darkforums.st (e.g., “jaba1234,” “Shinchan,” “D0gger,” “Reve,” “k4rm_yogi,” “EL_FEDAYEEN,” “Black Ember”) facilitated the cybercrime economy by offering data, access, or tools.
Common Tactics, Techniques, and Procedures (TTPs) observed included:
- Website Defacement: A primary tool for hacktivist groups to broadcast messages and claim presence.
- Data Exfiltration and Sale/Leak: A core activity for both financially motivated criminals and some hacktivist groups seeking to cause damage or embarrassment.
- Initial Access Brokering: Selling unauthorized access to networks remains a key enabler for subsequent attacks like ransomware.
- Malware Development and Sale: The advertisement of tools like “Win Stealer” demonstrates an active market for malicious software.
- Claims of ICS Targeting: While requiring further verification, such claims are always of high concern.
A persistent operational characteristic is the significant reliance on platforms like Telegram and specialized web forums (e.g., XSS.is, darkforums.st). These platforms serve as crucial nexuses for threat actors to announce their exploits, advertise illicit goods and services, coordinate activities, and disseminate leaked data. They offer a degree of anonymity and a broad reach within the cybercriminal and hacktivist communities, making them indispensable for many malicious operations. Effective monitoring and intelligence gathering from these sources are therefore vital for understanding and anticipating emerging threats.
- 4.3. Emerging Trends & Patterns:
- The “Branding” and Evolution of Hacktivism: Groups such as “LulzSec Black” and “GHOST’S OF GAZA” strategically use names that either leverage the notoriety of past collectives (LulzSec) or clearly signal their ideological alignment (Gaza). This “branding” can help attract sympathizers, amplify their message, and create a distinct persona. However, it can also lead to confusion, as the TTPs or motivations of a newer group using an established name may differ significantly from the original. For instance, “LulzSec Black” exhibits a more overt political motivation compared to the original LulzSec’s “lulz”-driven agenda. Understanding these nuances is critical for accurate threat attribution and analysis.
- Persistent Targeting of Highly Sensitive Data: The incidents involving the alleged sale of Frisco Police Department personnel data by “Shinchan” and the unauthorized access to a U.S. private clinic’s ERM system by “jaba1234” underscore the continued and escalating focus of threat actors on acquiring and monetizing high-value, deeply sensitive information. Data from law enforcement and healthcare sectors is particularly prized due to its potential for misuse in identity theft, extortion, or causing significant personal and operational harm.
- Geopolitical Tensions as Cyber Conflict Drivers: A number of the defacement incidents and some claimed data breaches appear to be linked, either directly or indirectly, to ongoing regional or international political tensions. The activities of groups like “LulzSec Black” (pro-Palestine), “GHOST’S OF GAZA” (pro-Palestine), and the targeting of entities in Pakistan and India reflect how cyber operations are increasingly used as a tool in broader geopolitical contests.
- Democratization of Cybercrime via Online Platforms: The prevalence of individual actors or small groups advertising potent tools (like “Win Stealer” by “D0gger”) or sensitive data/access on easily accessible (though often illicit) online forums points to a lowering of barriers to entry into cybercrime. These platforms effectively democratize access to malicious capabilities, enabling a wider range of actors to conduct attacks without needing to develop their own sophisticated tools or exploits from scratch. This creates a more diffuse and unpredictable threat landscape, challenging traditional defense and attribution efforts that may focus primarily on large, well-known threat groups.
- 4.4. Table: Threat Actor TTP and Motivation Matrix (May 11, 2025)
The following matrix synthesizes the primary characteristics of the threat actors observed in this reporting period, facilitating a comparative understanding of their motivations, methods, and operational platforms.
| Threat Actor | Suspected Origin/Affiliation | Primary Motivation | Key TTPs Observed | Primary Communication Platform |
| --- | --- | --- | --- | --- |
| jaba1234 | Forum-Based Seller | Financial | Initial Access Sale (ERM System) | XSS.is |
| HexaForce Alliance | Hacktivist Group | Political Hacktivism | Defacement | Telegram |
| Arabian Ghosts | Ambiguous (Claim vs. Known Profile: Hacktivist/Other) | Unclear for ICS claim (Potentially Disruption/Political) | Claimed ICS Compromise (Historically DDoS by similarly named group) | Telegram |
| LulzSec Black | Hacktivist Collective (Leveraging LulzSec Name) | Political Hacktivism (Pro-Palestine) | Data Breach/Leak, Defacement (historically DDoS) | Telegram |
| Shinchan | Forum-Based Seller | Financial | Data Breach & Sale (Law Enforcement Data) | darkforums.st |
| EL_FEDAYEEN | Telegram-Based Group/Persona | Political/Ideological (Anti-Israel implied) | Data Breach & Leak (IT Provider, Source Code, Client Data) | Telegram |
| Black Ember | Telegram-Based Group/Persona | Notoriety/Disruption/Enabling Attacks | Initial Access Leak (Admin Credentials) | Telegram |
| D0gger | Forum-Based Seller | Financial | Malware Sale (Win Stealer) | XSS.is |
| GHOST’S OF GAZA | Hacktivist Group | Political Hacktivism (Pro-Palestine) | Defacement | Telegram |
| Reve | Forum-Based Seller | Financial | Initial Access Sale (Admin Access) | Exploit.in |
| k4rm_yogi | Forum-Based Seller | Financial | Data Leak & Sale (Background Verification Data) | darkforums.st |
| TEAM R70 | Hacktivist Group | Political Hacktivism | Defacement (Multiple international targets; historically Brazil-focused) | Telegram |
Works cited
1. Exposing the Deception: Russian EFF Impersonators Behind Stealc & Pyramid C2 – “a threat actor impersonating the Electronic Frontier Foundation (EFF) to target the online gaming community” – Osint Advisory IBM X-Force Report, accessed May 11, 2025, https://exchange.xforce.ibmcloud.com/osint/guid:701be159c64e421992384147a2b30aa3
2. Security Service of Ukraine and NATO Allies Potentially Targeted by Russian State-Sponsored Threat Actor – EclecticIQ Blog, accessed May 11, 2025, https://blog.eclecticiq.com/security-service-of-ukraine-and-nato-allies-potential-targeting-by-russian-state-sponsored-threat-actor
3. Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Radware, accessed May 11, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
4. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed May 11, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
5. LulzSec – Radware, accessed May 11, 2025, https://www.radware.com/security/ddos-knowledge-center/ddospedia/lulzsec/
6. Hunter and hunted: Ex-FBI agent and LulzSec leader dish on …, accessed May 11, 2025, https://www.rdworldonline.com/hunter-and-hunted-ex-fbi-agent-and-lulzsec-leader-dish-on-adversarial-innovation-and-ais-dark-turn/
7. Cyprus’ critical infrastructure targeted by coordinated cyberattacks …, accessed May 11, 2025, https://therecord.media/cyprus-critical-infrastructure-cyberattack-israel-palestine
8. Kureyon Shin-chan (TV Series 2006–2011) – IMDb, accessed May 11, 2025, https://www.imdb.com/title/tt0245612/
9. Shin Jigen! Crayon Shin-chan the Movie (2023) – IMDb, accessed May 11, 2025, https://www.imdb.com/title/tt26862791/
10. Shinchan | Profile – HackerOne, accessed May 11, 2025, https://hackerone.com/shinchanpyaara
11. It’s QP broooooooo – Page 5 – General Discussion – Overwatch Forums, accessed May 11, 2025, https://us.forums.blizzard.com/en/overwatch/t/its-qp-broooooooo/910814?page=5
12. EVEN MORE ADDED!! 23/09. 2000 Retro Games, H/WARE! – Bordersdown, accessed May 11, 2025, https://bordersdown.net/forum/trading/whaddya-sellin-sell-and-swap-gaming-only/65879-even-more-added-23-09-2000-retro-games-h-ware
13. Millions Sold : 5 Year Breakdown – Kaggle, accessed May 11, 2025, https://www.kaggle.com/code/samanfatima7/millions-sold-5-year-breakdown
14. (Unsaved Publication) – Atari FTP, accessed May 11, 2025, http://ftp.pigwa.net/stuff/collections/Atari%20newsletters/Digital%20Press/dp_psychopedia.pdf
15. display/node_modules/zxcvbn/src/frequency_lists.coffee · v1.8.1 · eabx-public / Transect · GitLab – forgeMIA, accessed May 11, 2025, https://forgemia.inra.fr/eabx-public/transect/-/blob/v1.8.1/display/node_modules/zxcvbn/src/frequency_lists.coffee?ref_type=tags
16. How can I fix, my comments not showing up on reddit? Nor my posts… : r/TOR, accessed May 11, 2025, https://www.reddit.com/r/TOR/comments/18bh00f/how_can_i_fix_my_comments_not_showing_up_on/
17. Assignment 4: Features Engineering – Text Dataال – Kaggle, accessed May 11, 2025, https://www.kaggle.com/code/ibrahimmurad/assignment-4-features-engineering-text-data
18. Satori Threat Intelligence Disruption: BADBOX 2.0 Targets Consumer Devices with Multiple Fraud Schemes – HUMAN Security, accessed May 11, 2025, https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/
19. The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation | Microsoft Security Blog, accessed May 11, 2025, https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
20. black-basta-threat-profile.pdf – HHS.gov, accessed May 11, 2025, https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
21. Ember Bear, UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056, Group G1003 | MITRE ATT&CK®, accessed May 11, 2025, https://attack.mitre.org/groups/G1003/
22. Dark Web Profile: GhostSec – SOCRadar® Cyber Intelligence Inc., accessed May 11, 2025, https://socradar.io/dark-web-profile-ghostsec/
23. cybersecurity — Latest News, Reports & Analysis | The Hacker News, accessed May 11, 2025, https://thehackernews.com/search/label/cybersecurity?updated-max=2024-01-14T14:37:00%2B05:30&max-results=20&start=1496&by-date=false&m=1
24. Search results for malicious — Latest News, Reports & Analysis | The Hacker News, accessed May 11, 2025, https://thehackernews.com/search?q=malicious&updated-max=2014-09-23T14:38:00%2B05:30&max-results=20&start=438&by-date=false&m=1
25. hacking news | News & Insights – The Hacker News, accessed May 11, 2025, https://thehackernews.com/search/label/hacking%20news?updated-max=2017-11-17T21:38:00%2B05:30&max-results=20&start=748&by-date=false&m=1
26. hacking news — Latest News, Reports & Analysis | The Hacker News, accessed May 11, 2025, https://thehackernews.com/search/label/hacking%20news?updated-max=2017-11-03T02:38:00-07:00&max-results=20&start=1983&by-date=false
27. hacking news — Latest News, Reports & Analysis | The Hacker News, accessed May 11, 2025, https://thehackernews.com/search/label/hacking%20news?updated-max=2017-11-17T21:38:00%2B05:30&max-results=20&start=1483&by-date=false&m=1
28. Zero-day Vulnerability Database, accessed May 11, 2025, https://www.zero-day.cz/database/
29. Vulnerability Summary for the Week of April 7, 2025 | CISA, accessed May 11, 2025, https://www.cisa.gov/news-events/bulletins/sb25-104
30. European Cybersecurity Journal, accessed May 11, 2025, https://cybersecforum.eu/wp-content/uploads/2025/04/ECJ_vol9_issue1.pdf
31. Guarding the Green and Yellow: Cyber Threats and Insights for …, accessed May 11, 2025, https://www.cloudsek.com/blog/guarding-the-green-and-yellow-cyber-threats-and-insights-for-brazils-independence-day
32. How Microsoft names threat actors – Microsoft’s unified security operations platform, accessed May 11, 2025, https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
33. What is a Cyber Threat Actor? | CrowdStrike, accessed May 11, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
34. Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware, accessed May 11, 2025, https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot