[May-13-2025] Daily Cybersecurity Threat Report

I. Introduction

This report provides an analysis of cyber threat incidents reported on May 13, 2025, focusing on data breaches, website defacements, and ransomware attacks. It examines the involved threat actors, their tactics, techniques, and procedures (TTPs), motivations, and the broader trends emerging from these activities. The analysis integrates data from the reported incidents with extensive external research to offer a comprehensive overview of the evolving threat landscape. The objective is to identify key patterns, understand actor methodologies, and derive strategic implications for organizations to enhance their defensive postures against prevalent and emerging cyber threats. The increasing interconnectedness of global systems and the persistent activities of diverse threat actors necessitate continuous vigilance and adaptive security strategies.

II. Overview of Reported Incidents (May 13, 2025)

On May 13, 2025, a total of 20 distinct cyber incidents were reported. These incidents primarily fall into the categories of data breaches and website defacements, with a smaller number of ransomware deployment claims.

A. Incident Categorization and Volume

The reported incidents can be broken down as follows:

  • Data Breach: 11 incidents
  • Defacement: 8 incidents
  • Ransomware: 1 incident

This distribution highlights a significant volume of data exfiltration and disruptive website attacks. Data breaches remain a prevalent threat, indicating actors’ continued success in accessing and stealing sensitive information. Website defacements, often politically or ideologically motivated, serve as a public platform for threat actors to broadcast messages or claims.

B. Geographic Distribution of Victims

The victim organizations are located across various countries, with a notable concentration in specific regions:

  • India: 6 incidents (primarily data breaches and defacements)
  • Peru: 2 incidents (data breaches)
  • Indonesia: 2 incidents (defacements)
  • United Kingdom (UK): 2 incidents (data breaches)
  • Other countries with single incidents include: Algeria, Cyprus, Hong Kong, Nepal, Turkey, United States (US), and one unspecified.

This geographical spread suggests that while some threat actors may focus on specific regions due to geopolitical motivations or perceived vulnerabilities, others operate opportunistically across a wider range of targets. The concentration of attacks in India aligns with ongoing observations of hacktivist activity related to regional tensions.1

C. Attack Vectors and Platforms Used for Claims

The primary attack categories observed are data breaches and defacements.

  • Data Breaches: These incidents involved the unauthorized access and exfiltration of sensitive information, including personally identifiable information (PII), student records, and financial data. The threat actors involved often claimed the breaches on dark web forums or Telegram channels. For example, the alleged leak from Universidad Nacional de Educación Enrique Guzmán y Valle by Gatito_FBI_Nz was published on a dark web forum (darkforums.st).
  • Defacements: These attacks involved altering the visual appearance of victims’ websites, typically to display a message from the attacking group. Telegram was a common platform for claiming responsibility for these defacements, as seen with NKRI EROR SYSTEM’s claim regarding Dekorapet. INDOHAXSEC’s claim against Everest Bank Limited, although categorized as a data leak rather than a defacement, follows the same pattern of hacktivist claims made via Telegram.
  • Ransomware: One ransomware incident was claimed by Islamic Hacker Army against an entity in Algeria, also announced via Telegram.

The use of Telegram by numerous actors (NKRI EROR SYSTEM, Islamic Hacker Army, INDOHAXSEC, Mr.RootVerse, Tunisian Maskers Cyber Force, GHOST OF GAZA TEAM, JAKARTA CYBER WHITE, DCG (Dark Cyber Gang)) for disseminating claims, propaganda, and sometimes data samples is a significant trend. Telegram’s features, such as minimal moderation and large group capabilities, make it an ideal platform for these activities.3 Dark web forums (e.g., darkforums.st used by Gatito_FBI_Nz) continue to be venues for advertising data leaks and selling compromised information.

The education sector appears to be a particularly frequent target. Of the 20 incidents, at least five directly impacted educational institutions or entities related to education (Universidad Nacional de Educación Enrique Guzmán y Valle, STIE YKPN Yogyakarta, the Indian Railway Employee Co-operative Credit Society Ltd if its members are drawn from the education sector, the Indian education institution targeted by GHOST OF GAZA TEAM, and potentially others whose industry was only broadly categorized). This aligns with observations that educational institutions are often targeted because they hold valuable PII, may have softer security postures, and play a visible role in society.5 The financial sector also remains a high-value target, as evidenced by the alleged breach of Everest Bank Limited.

The prevalence of data breaches underscores the persistent challenge organizations face in protecting sensitive information. The types of data reportedly exposed (full names, ID numbers, financial details) can lead to severe consequences, including identity theft, financial fraud, and reputational damage.7 Defacements, while often less directly damaging in terms of data loss, can significantly impact an organization’s reputation and signal underlying security weaknesses.9

III. Threat Actor Spotlight

This section profiles key threat actors involved in the May 13, 2025 incidents, based on the provided data and supporting research.

| Date | Threat Actor(s) | Victim Organization(s) | Victim Country | Victim Industry | Category | Published URL |
|---|---|---|---|---|---|---|
| 2025-05-13 | Gatito_FBI_Nz | Universidad Nacional de Educación Enrique Guzmán y Valle | Peru | Education | Data Breach | https://darkforums.st/Thread-UNIVERSIDAD-NACIONAL-DE-EDUCACION-PERU-2025-LEAK-FRESH |
| 2025-05-13 | NKRI EROR SYSTEM | Dekorapet | Turkey | Furniture | Defacement | https://t.me/nkrierorsystem/4 |
| 2025-05-13 | Islamic Hacker Army | Algeria | Algeria | Unknown | Ransomware | https://t.me/Islamichackerarmy/141 |
| 2025-05-13 | INDOHAXSEC | Everest Bank Limited | Nepal | Education (Bank) | Data Breach | https://t.me/INDOHAXSEC/1164 |
| 2025-05-13 | GARUDA ERROR SYSTEM | Indian Railway Employee Co-operative Credit Society Ltd | India | Finance | Data Breach | https://t.me/GARUDAERRORSYSTEM/6 |
| 2025-05-13 | Mr.RootVerse | indianot | India | Unknown | Defacement | https://t.me/MrRootVerse/12 |
| 2025-05-13 | Tunisian Maskers Cyber Force | cyprus7s | Cyprus | Sports | Defacement | https://t.me/tunisianmaskerscyberforce/132 |
| 2025-05-13 | GHOST OF GAZA TEAM | siddharthnagar | India | Education | Defacement | https://t.me/GHOSTOFGAZATEAM/211 |
| 2025-05-13 | Err0r404X | Chocolates Helena | Peru | Food & Beverage | Data Breach | https://darkforums.st/Thread-CHOCOLATES-HELENA-PERU-DATA-BREACH-FRESH-2025 |
| 2025-05-13 | heiwukoong | Hong Kong China Travel Document Services Co. Ltd. | Hong Kong | Government | Data Breach | https://darkforums.st/Thread-HONG-KONG-CHINA-TRAVEL-DOCUMENT-SERVICES-CO-LTD-DATABASE-LEAK |
| 2025-05-13 | imlit217 | Zed-Pay | India | Finance | Data Breach | https://darkforums.st/Thread-ZED-PAY-INDIA-DATABASE-LEAK-FRESH-2025 |
| 2025-05-13 | wearerootsec | STIE YKPN Yogyakarta | Indonesia | Education | Data Breach | https://t.me/wearerootsec/32 |
| 2025-05-13 | JAKARTA CYBER WHITE | pln group | Indonesia | Energy | Defacement | https://t.me/JAKARTACYBERWHITE/5 |
| 2025-05-13 | DCG (Dark Cyber Gang) | indianic | India | IT | Defacement | https://t.me/DarkCyberGang/17 |
| 2025-05-13 | Hens | royal mail | UK | Logistics | Data Breach | https://darkforums.st/Thread-ROYAL-MAIL-UK-DATABASE-LEAK-FRESH-2025 |
| 2025-05-13 | Hens | pearson | UK | Education | Data Breach | https://darkforums.st/Thread-PEARSON-UK-DATABASE-LEAK-FRESH-2025 |
| 2025-05-13 | Pain | Zedxion Crypto Exchange | US | Finance | Data Breach | https://darkforums.st/Thread-ZEDXION-CRYPTO-EXCHANGE-USA-DATABASE-LEAK-FRESH-2025 |
| 2025-05-13 | ChillCapybara | University of Indonesia | Indonesia | Education | Data Breach | https://darkforums.st/Thread-UNIVERSITY-OF-INDONESIA-DATABASE-LEAK-FRESH-2025 |

(Note: Some victim industries in the table are based on the query data and may require further verification, e.g., “Education” for Everest Bank Limited).

A. Gatito_FBI_Nz

  • Activity: Claimed data leak from Universidad Nacional de Educación Enrique Guzmán y Valle (Peru), exposing student and faculty information.
  • Profile: Gatito_FBI_Nz has a history of targeting entities in Latin America. In May 2025, this actor claimed to have breached the Ministry of Agriculture in Paraguay, exfiltrating 1,414 records, including supplier usernames and passwords. They also claimed a breach of DINAC (National Directory of Civil Aeronautics of Paraguay).10 Their modus operandi focuses on data exfiltration and publicizing these breaches on dark web forums.
  • Motivation: Likely financial gain through the sale of stolen data and achieving notoriety within cybercrime communities. The targeting of educational and governmental databases suggests a focus on PII and sensitive credentials.

B. NKRI EROR SYSTEM

  • Activity: Claimed defacement of the website of Dekorapet (Turkey).
  • Profile: The acronym “NKRI” (Negara Kesatuan Republik Indonesia) strongly suggests an Indonesian nationalist affiliation.11 Defacement groups like NKRI EROR SYSTEM typically aim for public visibility, using website compromises to display their messages or symbols. Their TTPs often involve exploiting common web vulnerabilities in Content Management Systems (CMS) or poorly secured web servers.9 While specific research on “NKRI EROR SYSTEM” is limited in the provided materials, their name and choice of attack (defacement) are characteristic of nationalist hacktivist groups.
  • Motivation: Primarily hacktivism, driven by nationalist sentiments. The defacement serves as a public statement and a demonstration of capability. The choice of a Turkish company could be opportunistic or tied to broader geopolitical narratives if any exist that align with the group’s ideology.

C. INDOHAXSEC

  • Activity: Claimed data leak from Everest Bank Limited (Nepal).
  • Profile: INDOHAXSEC is an Indonesian hacktivist collective active since at least October 2024.3 Their motivations are diverse, including pro-Palestine sentiments, religious ideology, and Indonesian nationalistic agendas. The group is known for DDoS attacks, ransomware deployments, website defacements, and hack-and-leak operations. They maintain a presence on Telegram for communication and propaganda, and have a GitHub repository for custom tools.3 INDOHAXSEC has also announced alliances with other groups, including the pro-Russian NoName057(16) and Pakistani group Team Azrael – Angel of Death, explicitly stating intent to target Indian cyberspace in retaliation for geopolitical events.1 Cyble has also observed INDOHAXSEC promoting data leaks on their Telegram channels.12
  • Motivation: Geopolitically and ideologically driven hacktivism, data exfiltration for propaganda or potential sale, and disruption. Their targeting of a Nepalese bank could be an extension of their anti-India campaigns, given Nepal’s proximity and relationship with India, or an opportunistic attack.

D. GARUDA ERROR SYSTEM

  • Activity: Claimed data leak from Indian Railway Employee Co-operative Credit Society Ltd.
  • Profile: GARUDA ERROR SYSTEM was part of a coalition of hacktivist groups (including Lực Lượng Đặc Biệt Quân Đội Điện Tử and Vulture) that announced Distributed Denial of Service (DDoS) attacks against high-profile Indian government websites on May 7 and 8, 2025.2 However, the actual impact of these DDoS attacks was reportedly negligible, with the targeted websites remaining largely operational.2 The name “Garuda” (a mythical bird that is the national emblem of Indonesia) and the “ERROR SYSTEM” suffix (common in hacktivist group names) suggest an Indonesian origin. This distinguishes them from the Iranian APT group “Yellow Garuda” (also linked to APT35) 13, unless further evidence indicates a connection.
  • Motivation: Likely hacktivism with an anti-India focus, aligning with the broader trend of Indonesian and other regional hacktivist groups targeting Indian entities.

E. Mr.RootVerse

  • Activity: Claimed defacement of “indianot” (India).
  • Profile: Specific intelligence on “Mr.RootVerse” is not available in the provided materials. However, the targeting of an Indian entity with a defacement attack is consistent with the activities of numerous hacktivist groups involved in ongoing cyber conflicts related to India-Pakistan tensions or other ideological motivations.14 These attacks often aim to make a political statement or cause reputational damage.
  • Motivation: Hacktivism, likely with an anti-India sentiment.

F. Tunisian Maskers Cyber Force

  • Activity: Claimed defacement of “cyprus7s” (Cyprus, Sports industry).
  • Profile: The name suggests a Tunisian origin. The targeting of a Cypriot entity aligns with recent campaigns by pro-Palestine hacktivist groups against Cyprus due to its perceived support for Israel.16 Groups like LulzSec Black, Moroccan Soldiers, and Black Maskers Army (which could share members or ideology with “Tunisian Maskers Cyber Force”) have been involved in such operations against Cypriot critical infrastructure and government websites. While older reports mention Tunisian hackers involved in various activities, including those affiliated with Anonymous 18, the current context points towards politically motivated hacktivism.
  • Motivation: Likely pro-Palestine hacktivism, using defacement to protest Cyprus’s geopolitical stance.

G. GHOST OF GAZA TEAM

  • Activity: Claimed defacement of “siddharthnagar” (India, likely a local government or educational entity).
  • Profile: The name “GHOST OF GAZA TEAM” strongly implies a pro-Palestinian affiliation. This aligns with groups like “GHOST JACKAL” (also known as AnonGhost), a pro-Palestinian hacktivist adversary active in #OpIsrael campaigns.19 Furthermore, reports from October 2023 indicated that a Palestinian group named “Ghosts of Palestine” invited hackers to attack Israeli infrastructure and its allies, explicitly including India due to its perceived support for Israel.20 The TTPs of such groups often involve defacements and DDoS attacks to spread their message. Some groups like GhostSec (aliases GhostSecMafia, GSM), which has ties to Anonymous, are highly organized and use Telegram for coordination 21, potentially sharing operational characteristics.
  • Motivation: Pro-Palestinian hacktivism, targeting Indian entities as a form of protest against India’s perceived alignment with Israel.

H. Other Noteworthy Actors

  • Islamic Hacker Army: Claimed a ransomware attack against an Algerian entity. The name suggests Islamist motivations. While many groups with similar names focus on defacement or DDoS 4, a ransomware claim is notable. Iranian threat groups have been observed deploying destructive malware, including ransomware.23 This could indicate an evolution in tactics for this type of group or a mislabeled claim.
  • Err0r404X: Claimed a data breach against Chocolates Helena (Peru). With no specific profile available 25, this appears to be opportunistic data theft targeting a commercial entity.
  • heiwukoong: Claimed a data breach against Hong Kong China Travel Document Services Co. Ltd. No specific profile for this actor was found. The target, a travel document service, holds valuable PII. Past incidents in Hong Kong have involved breaches of travel agencies and highlight issues like weak IT security frameworks and lack of MFA.26
  • imlit217: Claimed a data breach against Zed-Pay (India). No specific profile for this actor was found. General TTPs for such breaches often involve exploiting vulnerabilities or using compromised credentials obtained from other sources.28
  • JAKARTA CYBER WHITE: Claimed defacement of “pln group” (Indonesia, Energy sector). The name indicates an Indonesian origin. Targeting PLN, Indonesia’s state electricity company, is significant and aligns with concerns about cyber threats to critical infrastructure in Indonesia.30
  • DCG (Dark Cyber Gang): Claimed defacement of “indianic” (India, IT). “indianic” could refer to India’s National Informatics Centre (NIC), a critical government IT organization. A successful defacement here would be a significant symbolic victory for an anti-India hacktivist group.

The activities of these diverse actors reveal a complex interplay of motivations. While some, like Gatito_FBI_Nz, appear primarily driven by the potential for illicit profit from stolen data, many others, such as INDOHAXSEC, GHOST OF GAZA TEAM, and NKRI EROR SYSTEM, are clearly motivated by ideology, geopolitics, or nationalism. This underscores the multifaceted nature of the cyber threat landscape.

A notable pattern is the potential blurring of lines between traditionally distinct cyber activities. For instance, INDOHAXSEC, a group with clear hacktivist leanings and ideological motivations 3, also engages in ransomware deployment and hack-and-leak operations—TTPs typically associated with financially motivated cybercrime. This group’s stated motivations include pro-Palestine sentiments, religious ideology, and nationalistic agendas, yet their operational playbook includes methods that can yield financial returns.3 Similarly, the “Islamic Hacker Army,” a name suggestive of ideological motivation, made a ransomware claim. While many Islamist hacktivist groups have historically focused on defacements or DDoS attacks 4, the adoption of ransomware could signal a tactical shift. This fluidity suggests that groups may not rigidly adhere to a single operational model but rather adapt their methods based on opportunity, desired impact, or even the need to fund their activities. The availability of Ransomware-as-a-Service (RaaS) models further lowers the barrier to entry for groups wishing to incorporate such attacks into their arsenal. Consequently, profiling threat actors based solely on their stated ideology may become increasingly insufficient for predicting their full range of potential behaviors.

Furthermore, the formation of alliances and collaborative efforts among hacktivist groups is an important dynamic. INDOHAXSEC’s alliances with pro-Russian entities like NoName057(16) and Pakistani hacktivist groups 1, or GARUDA ERROR SYSTEM operating as part of a coalition for DDoS attacks 2, exemplify this trend. Such collaborations allow smaller or regionally focused groups to amplify their reach, share TTPs, tools, or target lists, and participate in broader campaigns. For example, groups like NoName057(16) and RipperSec have been observed forming alliances to expand their influence and operational scope.4 This network effect means that the threat posed by an individual group can be magnified by its connections, complicating attribution and requiring defenders to consider a wider ecosystem of potential adversaries. An attack seemingly from one group might, in reality, involve resources or coordination from others.

The very names chosen by many of these groups—such as NKRI EROR SYSTEM, GARUDA ERROR SYSTEM, JAKARTA CYBER WHITE, GHOST OF GAZA TEAM, and Tunisian Maskers Cyber Force—are a form of psychological operation. These names clearly signal national origin, allegiance, or ideological stance. This deliberate branding strategy serves to amplify their message, rally support from like-minded individuals or groups, and intimidate their targets. In the context of hacktivism, where public messaging and psychological impact are key objectives 7, the choice of name is itself a tactic designed to create a stronger association between the cyber act and the espoused cause.

IV. Key Trends in the Threat Landscape

Analysis of the May 13 incidents, supported by broader research, reveals several key trends in the current cyber threat landscape.

A. Dominance of Data Leaks and Defacements

The incident data clearly shows that data leaks (11 incidents) and defacements (8 incidents) were the most common forms of attack. Defacements are often used by hacktivists for immediate public visibility, allowing them to convey political or ideological messages directly on the victim’s platform.9 Data leaks, on the other hand, serve multiple purposes: they can cause significant reputational and financial harm to the victim organization, the stolen data (especially PII and financial information) can be sold on dark web markets for profit, and the act of leaking data itself can be a powerful statement of capability or a means of extortion.7 The emergence of dedicated data leak markets, as observed in regions like Indonesia, further incentivizes such activities.30

B. Hacktivism as a Primary Motivator

A significant portion of the identified threat actors, including NKRI EROR SYSTEM, INDOHAXSEC, GARUDA ERROR SYSTEM, Mr.RootVerse, Tunisian Maskers Cyber Force, GHOST OF GAZA TEAM, and JAKARTA CYBER WHITE, exhibit strong hacktivist characteristics. Their actions are frequently linked to ongoing geopolitical tensions and ideological conflicts. Examples include:

  • India-Pakistan cyber conflict: Groups like INDOHAXSEC and GARUDA ERROR SYSTEM targeting Indian entities, often in retaliation for perceived aggressions or in solidarity with allied groups.1
  • Pro-Palestine sentiment: Actors like INDOHAXSEC 3, GHOST OF GAZA TEAM 20, and Tunisian Maskers Cyber Force (inferred from targeting Cyprus 16) align their attacks with pro-Palestinian causes, often targeting nations perceived as supporting Israel.
  • Indonesian nationalism/regional issues: Groups like INDOHAXSEC 3 and JAKARTA CYBER WHITE focus on targets relevant to Indonesian national interests or regional dynamics.6

These hacktivist campaigns leverage cyber operations as a tool for protest, propaganda, and disruption.7

C. Exploitation of Publicly Known Vulnerabilities and Basic Misconfigurations

While specific CVEs were not detailed for the May 13 incidents, the prevalence of defacements often points to the exploitation of common web application vulnerabilities such as SQL injection (SQLi), Cross-Site Scripting (XSS), or vulnerabilities in outdated CMS platforms and plugins.9 Compromised credentials, often obtained through phishing or previous data breaches, are another common vector for gaining initial access for defacements and data theft.

Recent examples from wider reporting illustrate this trend: the 360XSS campaign exploited a known XSS flaw (CVE-2020-24901) in the Krpano VR library 34, and the Pearson data breach reportedly originated from an exposed GitLab Personal Access Token and subsequently discovered hard-coded credentials.5 The FBI has also warned about end-of-life routers being hijacked due to unpatched vulnerabilities or default credentials.5 This suggests that many actors, particularly those involved in less sophisticated attacks like defacements, continue to rely on “low-hanging fruit” in terms of security weaknesses.
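As an added defensive example (not code from this report or from any source it cites), the following Python scanner flags the credential classes named above, namely GitLab personal access tokens, hard-coded passwords or keys, and credentials embedded in URLs, across a source tree and reports each hit with the secret redacted. It assumes GitLab's documented "glpat-" token prefix; the sample repository contents are constructed and contain no real credentials.

```python
"""Scan source and config files for exposed credentials: GitLab personal
access tokens, hard-coded passwords/keys, and user:password pairs in URLs.
Findings are reported with the secret value redacted."""
import re
from pathlib import Path
from typing import Dict, Iterator, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int      # 1-based line number
    kind: str      # which pattern fired
    preview: str   # the line with the secret replaced by [REDACTED]


# Each pattern carries a named group "secret" so the report can redact it.
PATTERNS = {
    # GitLab personal access tokens carry the "glpat-" prefix (assumption
    # based on GitLab's documented token format, not on this report).
    "gitlab_pat": re.compile(r"(?P<secret>glpat-[A-Za-z0-9_-]{20,})\b"),
    # key = "value" / key: "value" where the key name looks like a credential.
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\w*\s*[:=]\s*"
        r"['\"](?P<secret>[^'\"]{4,})['\"]"
    ),
    # scheme://user:password@host embedded in a URL.
    "basic_auth_url": re.compile(
        r"\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^/\s:@]+)@"
    ),
}

SKIP_DIRS = {".git", "node_modules", "venv", "__pycache__"}
MAX_BYTES = 2_000_000  # ignore very large files (build artifacts, dumps)


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over each line of one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                preview = line.replace(m.group("secret"), "[REDACTED]").strip()
                findings.append(Finding(path, lineno, kind, preview))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def iter_source_files(root: Path) -> Iterator[Path]:
    """Yield regular files under root, skipping VCS metadata and dependency dirs."""
    for p in root.rglob("*"):
        if any(part in SKIP_DIRS for part in p.parts):
            continue
        if p.is_file() and p.stat().st_size <= MAX_BYTES:
            yield p


def scan_tree(root: Path) -> List[Finding]:
    """Scan a real directory tree; binary files are skipped on decode errors."""
    findings: List[Finding] = []
    for p in iter_source_files(root):
        try:
            text = p.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue
        findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "ci/deploy.sh": 'curl -H "PRIVATE-TOKEN: glpat-AbCdEfGhIjKlMnOpQrSt" '
                    "https://gitlab.example.com/api/v4/projects\n",
    "app/settings.py": 'DB_PASSWORD = "hunter2-sample"\n'
                       'DB_PASSWORD_FROM_ENV = os.environ["DB_PASSWORD"]\n',
    "README.md": "Clone with: git clone https://deploy:s3cret@git.example.com/repo.git\n",
    "app/clean.py": "timeout = 30\n",
}


if __name__ == "__main__":
    import sys
    # Pass a directory to scan a real tree; with no argument, scan the sample.
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line} [{f.kind}] {f.preview}")
```

Running it with no argument reports three findings from the sample (one per credential class) and nothing for the clean file or for the value read from the environment.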

D. Prominent Use of Telegram and Dark Web Forums for Claims and Data Dumps

As noted in Section II.C, Telegram and dark web forums are crucial platforms for many of the threat actors involved in the May 13 incidents. Telegram channels are used by groups like INDOHAXSEC 3, GhostSec (a group with similar TTPs to some observed actors) 21, and the People’s Cyber Army of Russia (PCA) 36 for recruitment, coordination, disseminating propaganda, and claiming attacks. The platform’s features facilitate rapid communication to a wide audience with minimal censorship.3 Dark web forums remain the primary marketplaces for advertising and selling stolen data, as seen with Gatito_FBI_Nz’s post concerning the Peruvian university leak.

The data leaked in these incidents often embarks on a prolonged illicit journey. Information exfiltrated by one actor can be subsequently acquired by others, repackaged, and reused for various malicious purposes, such as spear-phishing campaigns, credential stuffing attacks, or identity theft. This “lifecycle” of leaked data means the impact of a breach can extend far beyond the initial compromise. A notable tactic observed among hacktivists is the repackaging of previously disclosed data to create the illusion of a new, high-impact breach, thereby generating undue alarm and publicity.2 For example, credentials stolen years prior through an infostealer infection impacting an employee of a third-party supplier were later exploited by a different threat actor to claim significant breaches against major companies.37 This illustrates the long-term risk associated with any data compromise, as the exposed information can circulate within the cybercriminal underground and be weaponized repeatedly.

Hacktivism, particularly in the form of website defacements and low-impact DDoS attacks, remains a persistent threat partly because it offers a high degree of visibility for a relatively low investment of resources or technical sophistication. Defacers often exploit common vulnerabilities or use readily available tools to achieve their aims, which primarily revolve around publicity and messaging.7 Even if the technical impact of such attacks is minimal and quickly remediated, as noted in several analyses of hacktivist campaigns against India 2, they succeed in generating media attention and conveying the actors’ narratives. The widespread availability of DDoS tools and even DDoS-for-hire services further lowers the barrier to entry.4 This makes hacktivism an attractive tactic for ideologically motivated groups, allowing them to make a statement and achieve a degree of notoriety without needing the advanced capabilities of state-sponsored actors or organized cybercrime syndicates.

The increasing alignment of hacktivist operations with nation-state geopolitical agendas signifies that cyber activities are becoming a normalized and integral component of modern conflicts and international relations. The incidents involving INDOHAXSEC’s retaliation against India 1, GHOST OF GAZA TEAM’s targeting of Indian entities due to perceived support for Israel 20, and pro-Palestine groups attacking Cyprus 16 all exemplify this trend. Furthermore, alliances like INDOHAXSEC’s with the pro-Russian NoName057(16) 3 demonstrate how these non-state actors can become entangled in, or act as proxies for, larger state-level confrontations, such as the conflict in Ukraine. This integration of cyber operations by hacktivists into geopolitical landscapes means that risk assessments for nations and international organizations must now routinely include a substantial cyber dimension, anticipating that political and military tensions will almost invariably spill over into the digital realm.

V. In-Depth Event Case Studies

This section provides a more detailed examination of three specific incidents from May 13, 2025, integrating actor profiles and contextual information.

A. Case Study 1: Universidad Nacional de Educación Enrique Guzmán y Valle Data Leak (Gatito_FBI_Nz)

  • Incident Details: On May 13, 2025, the threat actor Gatito_FBI_Nz claimed to have leaked a significant volume of data from the Universidad Nacional de Educación Enrique Guzmán y Valle, a public university in Peru. The exposed information reportedly included sensitive details such as full names, student ID numbers, faculty codes, student codes, record numbers, and issue dates. The claim was posted on the dark web forum darkforums.st.
  • Threat Actor Context: Gatito_FBI_Nz has demonstrated a pattern of targeting Latin American governmental and educational institutions. Prior activities in May 2025 include claims of breaching Paraguay’s Ministry of Agriculture, allegedly exfiltrating supplier data including credentials, and compromising DINAC, Paraguay’s civil aviation authority.10 This actor’s modus operandi consistently involves data exfiltration followed by public disclosure or sale on underground forums.
  • Victim Context: The education sector in Peru, like in many countries, holds substantial amounts of PII for students, faculty, and staff, making it an attractive target. The provided research also describes a separate incident in which the Rhysida ransomware gang targeted Peruvian government entities (the government denied a breach of its main portal, but an attack on a regional tax administration website was confirmed 38); this underscores that Peru is actively targeted by cyber threat actors.
  • Potential Impact: The exposure of detailed personal and academic records poses a severe risk of identity theft, financial fraud, and targeted phishing attacks against the affected individuals. For the university, the breach can lead to significant reputational damage, loss of trust from students and faculty, and potential regulatory scrutiny. The leaked credentials or personal information could also be leveraged for further intrusions into the university’s network or related systems.
  • Likely Motivation: The primary motivations for Gatito_FBI_Nz appear to be financial gain, likely through the sale of the exfiltrated database on dark web markets, and the notoriety achieved by successfully breaching and exposing data from prominent institutions.

The selection of a national university in Peru by Gatito_FBI_Nz is indicative of a strategy often employed by “mid-tier” threat actors. While not possessing the resources of a state-sponsored APT, such actors can still inflict considerable damage by targeting organizations that hold valuable data but may possess less mature cybersecurity defenses compared to major financial institutions or critical infrastructure in more developed economies. The successful exfiltration of comprehensive student and faculty data from a national university provides the actor with a valuable commodity for the cybercriminal underground.

B. Case Study 2: Dekorapet Defacement (NKRI EROR SYSTEM)

  • Incident Details: The Turkish furniture company Dekorapet had its website defaced on May 13, 2025. The hacktivist group NKRI EROR SYSTEM claimed responsibility for the attack via their Telegram channel.
  • Threat Actor Context: The name “NKRI EROR SYSTEM” strongly suggests an Indonesian nationalist affiliation, as “NKRI” stands for “Negara Kesatuan Republik Indonesia” (Unitary State of the Republic of Indonesia), a term of significant national importance.11 Hacktivist groups with nationalist leanings often use defacements as a quick and visible way to make a statement, demonstrate their presence, and promote their ideology.9 Their TTPs typically involve exploiting known vulnerabilities in web servers or content management systems.
  • Victim Context: Dekorapet is a commercial entity in Turkey’s furniture sector. The choice of this specific target by an Indonesian nationalist group may appear random but could be opportunistic (i.e., the website was found to be vulnerable) or symbolic if there is an underlying, less obvious geopolitical or ideological narrative connecting Indonesian interests to Turkey or the specific company. However, often such defacements are about finding any vulnerable platform to spread a message.
  • Potential Impact: The primary impact of a defacement is reputational damage to the targeted company. It can erode customer trust, create an impression of poor security, and lead to temporary disruption of online services if the website is a key channel for business.
  • Likely Motivation: The motivation for NKRI EROR SYSTEM is almost certainly hacktivism, driven by Indonesian nationalist sentiments. The defacement serves as a digital flag-planting, a display of capability, and a means of broadcasting their presence or a specific message to an international audience.

A website defacement, such as the one perpetrated against Dekorapet, should not be dismissed as mere digital vandalism. While the immediate impact might seem limited to a temporary alteration of the website’s appearance, it signifies a confirmed security breach. The unauthorized access gained to deface the website, if the underlying vulnerability is not promptly and thoroughly remediated, could potentially be exploited for more malicious activities.9 This could include deeper network penetration, data exfiltration, or the deployment of malware, either by the original defacers or by other threat actors who might discover or purchase access to the same compromised system. Thus, any defacement serves as a critical indicator of a security flaw that requires immediate attention.

C. Case Study 3: Everest Bank Limited Data Leak (INDOHAXSEC)

  • Incident Details: On May 13, 2025, the Indonesian hacktivist group INDOHAXSEC claimed on their Telegram channel to have breached Everest Bank Limited, a financial institution in Nepal, and leaked its data. (The query initially listed the victim industry as “Education,” which appears to be a data entry error given the victim’s name).
  • Threat Actor Context: INDOHAXSEC is a known Indonesian hacktivist collective established in late 2024. Their activities are driven by a mix of pro-Palestine sentiments, religious ideology, and Indonesian nationalism.3 Their TTPs are diverse, including DDoS attacks, ransomware deployment, website defacements, and hack-and-leak operations. They actively use Telegram for communication and have formed alliances with other international hacktivist groups, including pro-Russian NoName057(16) and Pakistani groups like Team Azrael, with a stated intent to target Indian cyberspace.1 Their promotion of data leaks on Telegram has been noted previously.12
  • Victim Context: Everest Bank Limited is a commercial bank in Nepal. Financial institutions are perennially high-value targets for cybercriminals due to the sensitive customer data and financial assets they manage.40 Nepal’s geographical proximity to India and its complex regional dynamics might make its institutions targets for groups like INDOHAXSEC, whose campaigns often have an anti-India nexus. Alternatively, the attack could be opportunistic, driven by the value of banking data. It is important to distinguish this incident from activities related to the “Everest ransomware group,” which is a separate entity.41
  • Potential Impact: A data breach at a bank can have severe consequences, including financial losses for customers through fraud, identity theft, a significant loss of customer trust in the bank, and potential regulatory penalties and legal action against the institution.
  • Likely Motivation: Given INDOHAXSEC’s multifaceted profile, their motivation for targeting Everest Bank could be complex. It might be an opportunistic attack aimed at acquiring valuable financial data for sale or propaganda. Alternatively, it could be ideologically driven if the group perceives the bank or Nepal as being aligned with entities they oppose (e.g., related to their anti-India stance or broader geopolitical views). The public claim on Telegram suggests a desire for notoriety and to project influence.

The targeting of a Nepalese bank by an Indonesian hacktivist group like INDOHAXSEC, known for its anti-India campaigns, highlights the expanding geographical scope and target diversification of such groups. While their core motivations might be rooted in specific regional conflicts (e.g., India-Pakistan, Israel-Palestine), their operational reach can extend to neighboring countries or entities perceived as associated with their primary adversaries, or simply to targets of opportunity that offer valuable data or a platform for their messaging.

VI. Strategic Implications and Recommendations

The analyzed incidents and threat actor activities from May 13, 2025, alongside broader cybersecurity research, present several strategic implications for organizations and inform recommendations for enhancing defensive postures.

A. Assessed Threat Level and Evolving Landscape

The current cyber threat landscape is characterized by a high tempo of operations from a diverse array of threat actors. These actors exhibit a spectrum of motivations, ranging from financial gain to hacktivism and potentially state-influenced activities. The incidents of May 13, dominated by data breaches and defacements, underscore the persistent threats to data integrity and organizational reputation.

A key characteristic of this landscape is the asymmetric nature of cyber threats. Small, loosely organized hacktivist groups can cause disproportionate disruption or reputational damage relative to their size and resources. This is facilitated by the widespread availability of attack tools, the ease of communication and coordination via platforms like Telegram 3, and the global connectivity that amplifies their message. This means that organizations cannot solely focus their defenses on sophisticated state-sponsored actors but must also prepare for a high volume of attacks from less complex but highly motivated entities.

Furthermore, the attribution of cyberattacks remains a significant challenge. The use of common TTPs, shared platforms, and alliances among threat actors (e.g., INDOHAXSEC’s collaborations 1) often obscures the true origin and full scope of an attack campaign. This difficulty in precise attribution can hinder strategic responses, as understanding the “who” and “why” is crucial for predicting future actions and tailoring long-term defenses. While tactical defense against specific TTPs is essential, the ambiguity surrounding many incidents, especially those involving hacktivist groups, means organizations should prioritize building resilience and implementing TTP-based detection mechanisms rather than relying solely on actor-specific indicators.

The concept of the Pyramid of Pain 42 is relevant here. While many of the observed hacktivist attacks might operate at the lower, easier-to-change levels of the pyramid (e.g., using specific IP addresses, domain names, or easily modified tools for defacement), disrupting their core TTPs and operational methodologies (higher up the pyramid) is more challenging but ultimately more impactful for defenders.

Geopolitical tensions continue to be a major driver of ideologically motivated cyberattacks. Organizations perceived to be aligned with certain nations or involved in contentious regional issues are increasingly likely to become targets.1

B. Recommendations for Enhanced Defensive Posture

To effectively counter the observed threats, organizations should adopt a multi-layered, defense-in-depth strategy:

  1. Strengthen Foundational Security Hygiene:
  • Patch Management: Regularly update systems and software to address known vulnerabilities. Many attacks exploit unpatched software.5
  • Credential Security: Enforce strong, unique passwords and implement multi-factor authentication (MFA) across all critical systems and user accounts. The lack of MFA has been cited as a factor in significant breaches.27 Disable or reset default credentials immediately upon system deployment.24
  • Secure Configurations: Harden systems, disable unnecessary services, and avoid default URLs for administrative panels.9 Secure development environments, including version control systems like GitLab, by ensuring access tokens and API keys are not publicly exposed.35
  2. Enhance Web Application Security:
  • Conduct regular vulnerability scanning and penetration testing of web applications, particularly those based on CMS platforms, to identify and remediate flaws like SQLi, XSS, and insecure configurations that lead to defacements and initial access.9
  3. Implement Robust Network and Endpoint Security:
  • Network Segmentation: Isolate critical systems and data to limit the blast radius of a successful intrusion and hinder lateral movement by attackers.
  • Endpoint Detection and Response (EDR): Deploy EDR solutions for advanced threat detection, investigation, and response capabilities at the endpoint, crucial for identifying malware like TerrastealerV2 10, Crimson RAT 14, or DslogdRAT.45
  • Advanced Malware Protection: Utilize solutions capable of detecting and blocking sophisticated malware, including ransomware variants like Brain Cipher.45
  4. Protect Sensitive Data:
  • Data Leak Prevention (DLP): Implement DLP strategies and tools to identify, monitor, and protect sensitive data (PII, financial records, intellectual property) from unauthorized exfiltration.
  • Data Minimization and Encryption: Store only necessary data and encrypt sensitive data at rest and in transit.
  5. Develop and Test Incident Response Capabilities:
  • Maintain a comprehensive and regularly updated incident response plan. Conduct drills and tabletop exercises to ensure readiness.32
  6. Bolster the Human Firewall:
  • Security Awareness Training: Educate employees on recognizing and reporting phishing attempts, social engineering tactics, and the importance of secure credential handling.32 Training should address emerging threats like AI-driven voice phishing.47
  • Secure Helpdesk Procedures: Implement strong authentication and verification processes for IT helpdesks, especially for password resets or changes to payment instructions, to counter social engineering attempts.46
  7. Manage Third-Party and Supply Chain Risk:
  • Thoroughly vet the security practices of all third-party vendors and suppliers with access to organizational systems or data. Implement continuous monitoring and contractual security requirements.27 The breach of Royal Mail via its supplier Spectos 37 and issues in Hong Kong due to poor third-party oversight 27 highlight this critical risk area.

C. Importance of Proactive Threat Intelligence and Monitoring

A proactive approach to security is essential in the current threat environment:

  1. Active Monitoring: Monitor public channels, including specific Telegram groups and dark web forums identified as being used by relevant threat actors, for mentions of the organization, its industry peers, or emerging TTPs.3
  2. Threat Intelligence Consumption: Subscribe to reputable threat intelligence feeds and services to stay informed about new vulnerabilities, active threat actors, and evolving attack campaigns.10
  3. Understanding Initial Access Brokers (IABs): Familiarize security teams with the TTPs of IABs, as their activities often precede major attacks like ransomware. IABs specialize in gaining and selling access to corporate networks.50

Proactive defense extends beyond purely technical measures. The significant role of social engineering 46, the exploitation of exposed or weak credentials 5, and other human-element vulnerabilities in many breaches means that a holistic security strategy must heavily emphasize security awareness across the organization. Vigilance regarding third-party risks and the implementation of robust internal processes, such as multi-person authentication for critical changes like payment instructions 46, are paramount. Technical defenses are indispensable, but a substantial portion of cyber risk originates from human factors and procedural gaps, necessitating a balanced approach that fortifies both technological and human aspects of security.

VII. Conclusion

The cyber threat landscape as of mid-May 2025 remains dynamic and fraught with risk. The prevalence of data breaches and website defacements, driven by a combination of financially motivated cybercriminals and ideologically driven hacktivists, poses a continuous challenge to organizations globally. Actors like Gatito_FBI_Nz, INDOHAXSEC, and various nationalist or cause-driven groups demonstrate a persistent capability to exploit vulnerabilities and achieve their objectives, whether for profit, propaganda, or disruption.

Key takeaways include the critical role of platforms like Telegram and dark web forums in the threat actor ecosystem, the increasing blurriness between hacktivist and cybercriminal TTPs, and the continued exploitation of basic security weaknesses alongside more sophisticated attack vectors. Geopolitical tensions persistently fuel hacktivist campaigns, making organizations in affected regions or those perceived to be aligned with certain geopolitical interests prime targets.

To navigate this complex environment, organizations must prioritize robust foundational security measures, including diligent patch management, strong authentication protocols, and comprehensive web application security. Proactive threat intelligence, continuous monitoring, and a well-rehearsed incident response plan are no longer optional but essential components of a resilient cybersecurity posture. Crucially, the human element of security—encompassing employee awareness, secure operational procedures, and stringent third-party risk management—must be given co-equal importance with technical defenses. By adopting such a holistic and adaptive approach, organizations can better mitigate the risks posed by the ever-evolving tactics of cyber adversaries.

Works cited

  1. Reflections of the India–Pakistan Kashmir Escalation on the Cyber World – SOCRadar, accessed May 13, 2025, https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/
  2. Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge | CloudSEK, accessed May 13, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
  3. INDOHAXSEC Indonesian Hacking Collective | Arctic Wolf – Arctic Wolf, accessed May 13, 2025, https://arcticwolf.com/resources/blog-uk/indohaxsec-indonesian-hacking-collective/
  4. Exploring Telegram DDoS Groups: Threats, Tools, and Evolving Strategies – SOCRadar, accessed May 13, 2025, https://socradar.io/exploring-telegram-ddos-groups-threats-tools/
  5. Top 5 Cybersecurity News Stories May 9, 2025 – DIESEC, accessed May 13, 2025, https://diesec.com/2025/05/top-5-cybersecurity-news-stories-may-9-2025/
  6. Indonesia Under Sophisticated Cyberattacks: A Deep-dive Analysis of Threat Actors Targeting the Indonesian Ecosystem – Cyble, accessed May 13, 2025, https://cyble.com/blog/indonesia-under-sophisticated-cyberattacks-a-deep-dive-analysis-of-threat-actors-targeting-the-indonesian-ecosystem/
  7. Know Your Enemy: Types of cybersecurity threat actors – Prey Project, accessed May 13, 2025, https://preyproject.com/blog/cybersecurity-threat-actors
  8. Cyber Security Threats – All you need to know about Types and Sources – DataGuard, accessed May 13, 2025, https://www.dataguard.com/cyber-security/threats/
  9. Website Defacement Attacks | Group-IB Knowledge Hub, accessed May 13, 2025, https://www.group-ib.com/resources/knowledge-hub/website-defacement-attacks/
  10. Breaking Cyber News From Cyberint, accessed May 13, 2025, https://cyberint.com/news-feed/
  11. (Colour online) Posing in front of the seventeenth-century painter…. | Download Scientific Diagram – ResearchGate, accessed May 13, 2025, https://www.researchgate.net/figure/Colour-online-Posing-in-front-of-the-seventeenth-century-painter-Stadsarchief_fig3_331108460
  12. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 13, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
  13. cybersecurity — Latest News, Reports & Analysis | The Hacker News, accessed May 13, 2025, https://thehackernews.com/search/label/cybersecurity?updated-max=2022-09-14T23:49:00-07:00&max-results=20&start=1345&by-date=false
  14. Hacktivist Attacks on India Overstated Amid APT36 Espionage Threat, accessed May 13, 2025, https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/
  15. Cyble’s Insights on Independence Day Hacktivist Attacks, accessed May 13, 2025, https://cyble.com/blog/from-celebrations-to-cyber-strikes-hacktivism-incidents-spark-amidst-independence-day-celebrations/
  16. Cyprus critical infrastructure targeted in series of cyberattacks, as authorities stress on readiness – Industrial Cyber, accessed May 13, 2025, https://industrialcyber.co/critical-infrastructure/cyprus-critical-infrastructure-targeted-in-series-of-cyberattacks-as-authorities-stress-on-readiness/
  17. Pro-Palestine cyberattacks against Cyprus mostly thwarted – SC Media, accessed May 13, 2025, https://www.scworld.com/brief/pro-palestine-cyberattacks-against-cyprus-mostly-thwarted
  18. Tunisian Hacker — Latest News, Reports & Analysis, accessed May 13, 2025, https://thehackernews.com/search/label/Tunisian%20Hacker
  19. Ghost Jackal – crowdstrike.com, accessed May 13, 2025, https://www.crowdstrike.com/adversaries/ghost-jackal/
  20. Pro-Palestine hackers target India, pro-India groups strike back | India News – Times of India, accessed May 13, 2025, https://timesofindia.indiatimes.com/india/pro-palestine-hackers-target-india-pro-india-groups-strike-back/articleshow/104297059.cms
  21. Threat Actor Profile – GhostSec – Outpost24, accessed May 13, 2025, https://outpost24.com/blog/threat-actor-profile-ghostsec/
  22. Hacktivists Call for Release of Telegram Founder with #FreeDurov DDoS Campaign, accessed May 13, 2025, https://blog.checkpoint.com/security/hacktivists-call-for-release-of-telegram-founder-with-freedurov-ddos-campaign/
  23. The Iranian Cyber Capability – Trellix, accessed May 13, 2025, https://www.trellix.com/blogs/research/the-iranian-cyber-capability/
  24. IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including US Water and Wastewater Systems Facilities | CISA, accessed May 13, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a
  25. Threat Actor Profiles – SOCRadar® Cyber Intelligence Inc., accessed May 13, 2025, https://socradar.io/category/threat-actor-profiles/
  26. Customer data compromised in Hong Kong travel agency hack – TravelMole, accessed May 13, 2025, https://www.travelmole.com/news/customer-data-compromised-in-hong-kong-travel-agency-hack/?region
  27. Clyde & Co highlights lessons from Hong Kong’s 2024 data breaches – Insurance Business, accessed May 13, 2025, https://www.insurancebusinessmag.com/asia/news/cyber/clyde-and-co-highlights-lessons-from-hong-kongs-2024-data-breaches-519963.aspx
  28. What happened in the Exploit.In data breach? – Twingate, accessed May 13, 2025, https://www.twingate.com/blog/tips/exploit-in-data-breach
  29. Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA, accessed May 13, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a
  30. EXECUTIVE THREAT LANDSCAPE REPORT INDONESIA – cyfirma, accessed May 13, 2025, https://www.cyfirma.com/research/executive-threat-landscape-report-indonesia/
  31. The Impact of Cyberattacks on Jakarta’s Electric Energy Sector: An Evaluation of Risk, Security, and Economic Implications – ResearchGate, accessed May 13, 2025, https://www.researchgate.net/publication/386275216_The_Impact_of_Cyberattacks_on_Jakarta’s_Electric_Energy_Sector_An_Evaluation_of_Risk_Security_and_Economic_Implications/download
  32. What is a Cyber Threat Actor? | CrowdStrike, accessed May 13, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
  33. Understanding Threat Actors: Know Your Adversaries – Neumetric, accessed May 13, 2025, https://www.neumetric.com/journal/understanding-threat-actors-know-adversaries/
  34. Over 350 High-Profile Websites Hit by 360XSS Attack – Hackread, accessed May 13, 2025, https://hackread.com/over-350-high-profile-websites-hit-by-360xss-attack/
  35. Major cyberattack hits UK’s Pearson and steals customer data – iZOOlogic, accessed May 13, 2025, https://izoologic.com/region/uk/major-cyberattack-hits-uks-pearson-and-steals-customer-data/
  36. Threat Actor Profile: Peoples Cyber Army of Russia – Cyble, accessed May 13, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  37. Royal Mail Investigates Data Breach Affecting Supplier – Infosecurity Magazine, accessed May 13, 2025, https://www.infosecurity-magazine.com/news/royal-mail-investigates-data/
  38. Peru denies it was hit by ransomware attack following Rhysida claims, accessed May 13, 2025, https://therecord.media/peru-rhysida-ransomware-claims-denied
  39. Peru government denies ransomware attack, despite hacker claims – TechRadar, accessed May 13, 2025, https://www.techradar.com/pro/security/peru-government-denies-ransomware-attack-despite-hacker-claims
  40. List of Recent Data Breaches in 2025–2024 – Bright Defense, accessed May 13, 2025, https://www.brightdefense.com/resources/recent-data-breaches/
  41. Everest ransomware group’s darknet site offline following defacement, accessed May 13, 2025, https://therecord.media/everest-ransomware-site-offline-following-defacement
  42. What Is Pyramid of Pain in Cybersecurity? – Picus Security, accessed May 13, 2025, https://www.picussecurity.com/resource/glossary/what-is-pyramid-of-pain
  43. What is the Pyramid of Pain? – Cymulate, accessed May 13, 2025, https://cymulate.com/cybersecurity-glossary/pyramid-of-pain/
  44. DragonForce Ransomware Group: Tactics, Targets & Mitigation – Cyble, accessed May 13, 2025, https://cyble.com/threat-actor-profiles/dragonforce-ransomware-group/
  45. Weekly Intelligence Report – 02 May 2025 – CYFIRMA, accessed May 13, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-02-may-2025/
  46. FBI, HHS issue advisory on cyberthreat actors targeting health care to divert payments | AHA News, accessed May 13, 2025, https://www.aha.org/news/headline/2024-06-25-fbi-hhs-issue-advisory-cyber-threat-actors-targeting-health-care-divert-payments
  47. Deepfake Defense in the Age of AI – The Hacker News, accessed May 13, 2025, https://thehackernews.com/2025/05/deepfake-defense-in-age-of-ai.html
  48. Threat Actor Profile List – Cybergeist, accessed May 13, 2025, https://cybergeist.io/threat-actor
  49. Threat Actor Profiles – Cyble, accessed May 13, 2025, https://cyble.com/threat-actor-profiles/
  50. 2023 in Review: Threat Actors and Motivations – Searchlight Cyber, accessed May 13, 2025, http://slcyber.io/2023-in-review-threat-actors-and-motivations/
  51. The use of Initial Access Brokers (IABs) by ransomware groups – Outpost24, accessed May 13, 2025, https://outpost24.com/blog/use-of-initial-access-brokers-by-ransomware-groups/
  52. Initial Access Brokers – Arctic Wolf, accessed May 13, 2025, https://arcticwolf.com/resources/glossary/what-are-initial-access-brokers/