[May-19-2025] Daily Cybersecurity Threat Report

This report provides an analysis of recent cybersecurity incidents occurring within the last 24 hours. The information presented herein is based on an examination of newly reported breaches and leverages available threat intelligence to offer insights into the involved threat actors, their motivations, tactics, and potential implications.

1. Executive Summary

Recent cybersecurity events highlight a diverse range of threats, from ideologically motivated hacktivism to sophisticated cyber espionage and ransomware attacks. This report details several incidents, attributing them where possible to known threat actors and examining the patterns and potential connections between these events. Understanding the nature of these threats, the actors behind them, and their methods is crucial for developing effective defense strategies and mitigating future risks. The analysis reveals ongoing activity from various threat groups, each with distinct objectives and techniques, underscoring the dynamic and persistent nature of the cybersecurity landscape.

2. Incident Analysis

This section provides a detailed breakdown of each reported cybersecurity incident, including information about the likely threat actors involved, their known characteristics based on available intelligence, and direct links to published reports and any associated screenshots.

2.1. Incident INC001: Alleged data leak of Sightvision

  • Description: The group claims to have leaked data from Sightvision.
  • Threat Actor Analysis:
      • Hacktivist Indonesia: Initial analysis suggests the involvement of the hacktivist group Hacktivist Indonesia. This collective, originating from Indonesia and established in early October 2024, is known for politically motivated cyberattacks, often expressing pro-Palestinian sentiments and religious ideology. They have been observed conducting DDoS attacks, website defacements, ransomware deployments, and hack-and-leak operations against entities perceived as supporting Israel or acting against Indonesian interests. Hacktivist Indonesia has also formed an alliance with the pro-Russian hacktivist group NoName057(16). Members of this collective have been previously associated with other regional hacktivist groups such as AnonBlackFlag, PaluAnonCyber, and KUNINGAN EXPLOITER. Their toolkit includes rudimentary scripts and tools designed for DDoS attacks and website defacements, often shared on their GitHub repository.
      • Motivations: The primary motivation for Hacktivist Indonesia appears to be political and ideological, driven by pro-Palestinian sentiments, religious beliefs, and a nationalistic agenda focused on perceived Indonesian interests.
      • Tactics, Techniques, and Procedures (TTPs): Hacktivist Indonesia employs DDoS attacks, website defacements, ransomware deployments, and hack-and-leak operations.
      • Known Affiliations: Hacktivist Indonesia is known to have an alliance with the pro-Russian hacktivist group NoName057(16). Members have also been associated with other Indonesian hacktivist groups.
      • Target Sectors and Geographies: The group primarily targets entities perceived as supporting Israel or acting against Indonesian interests. Their activity has been observed within Southeast Asia.

2.2. Incident INC002: Alleged leak of login access to Jayoti Vidyapeeth Women’s University

  • Description: The threat group claims to have leaked unauthorized login access to Jayoti Vidyapeeth Women’s University.
  • Threat Actor Analysis:
      • KEDIRISECTEAM: This threat actor is currently uncategorized based on the provided information. Further research is needed to determine their motivations, typical targets, and known tactics.
      • Motivations: The motivation behind this alleged leak of login access is currently unknown. It could range from financial gain to hacktivism or even a display of technical capabilities.
      • Tactics, Techniques, and Procedures (TTPs): The tactic employed in this incident is the alleged leak of unauthorized login credentials. The specific techniques used to gain this access are not detailed in the provided information.
      • Known Affiliations: No known affiliations for KEDIRISECTEAM are mentioned in the provided snippets.
      • Target Sectors and Geographies: In this instance, the target is an educational institution in India. This single incident does not provide enough information to determine if this is a pattern for this threat actor.

2.3. Incident INC003: Alleged leak of admin access to Enalo Technologies Private Limited

  • Description: The threat group claims to have leaked unauthorized admin access to Enalo Technologies Private Limited.
  • Threat Actor Analysis:
      • KEDIRISECTEAM: This threat actor is currently uncategorized based on the provided information. Further research is needed to determine their motivations, typical targets, and known tactics.
      • Motivations: The motivation behind this alleged leak of admin access is currently unknown. Similar to the previous incident involving Jayoti Vidyapeeth Women’s University, the reasons could vary.
      • Tactics, Techniques, and Procedures (TTPs): The tactic employed is the alleged leak of unauthorized administrative access. The methods used to achieve this access are not specified.
      • Known Affiliations: No known affiliations for KEDIRISECTEAM are mentioned in the provided snippets.
      • Target Sectors and Geographies: The victim in this case is a financial services company in India. Combined with the previous incident targeting an Indian university, it might suggest a focus on Indian organizations, but more data is needed to confirm this.

2.4. Incident INC004: Alleged Unauthorized access to Bright Way Technologies (Pvt) Ltd

  • Description: The threat actor claims to have gained unauthorized access to Bright Way Technologies (Pvt) Ltd.
  • Threat Actor Analysis:
      • KINGSMAN INDIA: The threat actor behind this claim is likely KINGSMAN INDIA. This uncategorized threat actor was identified in March 2024 targeting Indian government entities and the energy sector through a cyber espionage campaign known as “Operation FlightNight”. The group utilized a modified version of the open-source information stealer HackBrowserData, delivered via phishing emails disguised as invitations from the Indian Air Force. After the malware’s execution, the attackers used Slack channels as exfiltration points to upload confidential internal documents, private email messages, and cached web browser data. The targeted government entities included agencies responsible for electronic communications, IT governance, and national defense. Additionally, private Indian energy companies were targeted, with financial documents, employee personal details, and information about drilling activities being exfiltrated. The exfiltrated data, totaling 8.81 GB, is assessed to potentially aid further intrusions into the Indian government’s infrastructure. The techniques and malware used show strong similarities to an attack reported in January 2024, suggesting a consistent actor. The primary motive behind these actions is assessed as cyber espionage.
      • Motivations: The primary motivation for KINGSMAN INDIA is cyber espionage, focused on gathering intelligence from Indian government entities and the energy sector.
      • Tactics, Techniques, and Procedures (TTPs): KINGSMAN INDIA uses phishing emails to deliver a modified version of the HackBrowserData information stealer. They utilize ISO files containing executables and LNK shortcut files with misleading icons to trick victims into activating the malware. Data is then exfiltrated via Slack channels.
      • Known Affiliations: No specific affiliations are mentioned in the provided snippet for KINGSMAN INDIA, although the targeting of Indian government entities suggests a potential nation-state nexus or a group acting in alignment with certain national interests. The name “KINGSMAN INDIA” might be inspired by the movie “Kingsman,” which features a secret spy organization.
      • Target Sectors and Geographies: KINGSMAN INDIA primarily targets government entities in India, including those responsible for electronic communications, IT governance, and national defense, as well as private Indian energy companies. This incident suggests an expansion of their target scope to include organizations in Pakistan.
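The two observable stages of the delivery chain described for INC004 (a payload launched from a mounted ISO, followed by Slack traffic from a process that is neither the Slack client nor a browser) can be correlated in endpoint telemetry. The following is an added example written for this report, not code from the report or from the actor's tooling: it runs a small correlation over constructed Sysmon-like process and network events. The field names, the drive letter E: for the mounted image (Windows exposes a mounted ISO as its own drive letter), and the allowlist of Slack-capable clients are assumptions.

```python
"""Correlate two weak signals into one detection: execution from a non-system
drive (such as a mounted ISO) and Slack traffic from an unexpected process.
Telemetry field names are hypothetical; all events below are constructed."""
from collections import defaultdict

SLACK_DOMAIN = "slack.com"
# Binaries expected to talk to Slack on a workstation (assumption: illustrative list).
EXPECTED_SLACK_CLIENTS = {"slack.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SYSTEM_DRIVE = "c:"

RULE_NON_SYSTEM_DRIVE = "exec_from_non_system_drive"
RULE_SLACK_UNEXPECTED = "slack_from_unexpected_process"

# Constructed Sysmon-like events (hypothetical field names).
EVENTS = [
    # Benign: the real Slack client, installed on the system drive.
    {"type": "process_create", "pid": 3001,
     "image": r"C:\Users\ana\AppData\Local\slack\slack.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 3001, "dest_host": "api.slack.com", "dest_port": 443},
    # Suspicious: an "invitation" executable launched from a mounted ISO (drive E:)
    # by a double-click in Explorer, then connecting to Slack's file endpoint.
    {"type": "process_create", "pid": 4120,
     "image": r"E:\Invitation\Invitation.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 4120, "dest_host": "files.slack.com", "dest_port": 443},
    # Benign: Slack used in a browser tab.
    {"type": "process_create", "pid": 5000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 5000, "dest_host": "slack.com", "dest_port": 443},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def drive(path):
    """Lower-cased drive letter such as 'e:', or '' for UNC and relative paths."""
    return path[:2].lower() if len(path) >= 2 and path[1] == ":" else ""


def is_slack_host(host):
    """True for slack.com and any of its subdomains."""
    host = host.lower()
    return host == SLACK_DOMAIN or host.endswith("." + SLACK_DOMAIN)


def analyse(events):
    """Return (pid, rule, image) findings in event order."""
    procs = {}          # pid -> process_create event, so connections can be tied to an image
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            procs[ev["pid"]] = ev
            launched_by_shell = basename(ev["parent_image"]) == "explorer.exe"
            d = drive(ev["image"])
            if launched_by_shell and d and d != SYSTEM_DRIVE:
                findings.append((ev["pid"], RULE_NON_SYSTEM_DRIVE, ev["image"]))
        elif ev["type"] == "network_connect":
            proc = procs.get(ev["pid"])
            if proc is None:
                continue    # no process context for this pid in the window
            if is_slack_host(ev["dest_host"]) and basename(proc["image"]) not in EXPECTED_SLACK_CLIENTS:
                findings.append((ev["pid"], RULE_SLACK_UNEXPECTED, proc["image"]))
    return findings


def correlate(findings):
    """PIDs that tripped both rules: the full chain, not a single weak signal."""
    rules_by_pid = defaultdict(set)
    for pid, rule, _ in findings:
        rules_by_pid[pid].add(rule)
    wanted = {RULE_NON_SYSTEM_DRIVE, RULE_SLACK_UNEXPECTED}
    return sorted(pid for pid, rules in rules_by_pid.items() if wanted <= rules)


if __name__ == "__main__":
    hits = analyse(EVENTS)
    for pid, rule, image in hits:
        print(f"pid={pid} rule={rule} image={image}")
    print("correlated chain pids:", correlate(hits))
```

Either rule alone is noisy (software installers run from ISOs, and many tools use Slack webhooks legitimately); requiring both on the same process is what makes the alert actionable, and the same two-stage structure applies to any other collaboration-platform exfiltration channel by swapping the domain and client allowlist.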

2.5. Incident INC005: Alleged data leak of Institute Of Skill Development Education (ISDE)

  • Description: The group claims to have leaked data from Institute Of Skill Development Education (ISDE).
  • Threat Actor Analysis:
      • GARUDA ERROR SYSTEM: This group is part of a coalition of hacktivist groups that announced DDoS attacks targeting Indian government websites between May 7-8, 2025. While their DDoS attacks caused minimal disruption, the group has been associated with data leaks, including the exposure of publicly accessible case metadata and some password hashes from an Indian court system. This suggests a potential motivation of disrupting or protesting against Indian entities.
      • Motivations: Based on their previous activities, the motivation for GARUDA ERROR SYSTEM appears to be hacktivism, possibly targeting Indian educational institutions as part of a broader campaign against Indian entities.
      • Tactics, Techniques, and Procedures (TTPs): GARUDA ERROR SYSTEM is known to conduct DDoS attacks and has been involved in data leak operations.
      • Known Affiliations: GARUDA ERROR SYSTEM is part of a coalition that includes Lực Lượng Đặc Biệt Quân Đội Điện Tử and Vulture.
      • Target Sectors and Geographies: Their known targets include Indian government websites and, in this case, an Indian educational institution.

2.6. Incident INC006: KINGSMAN INDIA targets the website of My Bark Bistro

  • Description: The group claims to have defaced the website of My Bark Bistro.
  • Threat Actor Analysis:
      • KINGSMAN INDIA: As analyzed in Incident INC004, this group is known for targeting Indian entities for cyber espionage. This incident indicates a potential expansion of their activities to include website defacements, and a shift in targeting to organizations in Pakistan. The motivation behind this defacement is not explicitly stated but could be related to broader geopolitical tensions between India and Pakistan or simply an opportunistic act.
      • Motivations: The motivation behind this website defacement is not clear. It could be related to geopolitical tensions, a form of protest, or simply an attempt to gain notoriety.
      • Tactics, Techniques, and Procedures (TTPs): In addition to phishing and information stealing, KINGSMAN INDIA has now demonstrated the capability of website defacement.
      • Known Affiliations: Same as Incident INC004.
      • Target Sectors and Geographies: While primarily focused on Indian government and energy sectors, this incident shows targeting of a food production company in Pakistan.

2.7. Incident INC007: Alleged sale of 4,500+ UK document kits

  • Description: The threat actor claims to be selling 4,500+ UK document kits, including driver’s licenses (both sides) and passports paired with video selfies.
  • Threat Actor Analysis:
      • EMIRE_TEAM: This threat actor is currently uncategorized based on the provided information. The name “EMIRE_TEAM” does not readily link to any known threat groups in the available snippets. Further investigation would be needed to understand their history, motivations, and typical operations.
      • Motivations: The primary motivation appears to be financial gain through the sale of stolen identity documents.
      • Tactics, Techniques, and Procedures (TTPs): The main tactic is the collection and sale of compromised personal identification documents, likely obtained through various means such as data breaches, phishing, or other illicit activities.
      • Known Affiliations: No known affiliations for EMIRE_TEAM are mentioned in the provided snippets.
      • Target Sectors and Geographies: The focus in this incident is on obtaining and selling UK identification documents, suggesting a target demographic of individuals seeking to fraudulently acquire or use these documents.

2.8. Incident INC008: Alleged sale of access to an unidentified Brazilian business services firm

  • Description: The threat actor claims to be selling domain admin VPN access to a Brazilian business services firm ($7M revenue), compromising 7 PCs protected by TrendMicro.
  • Threat Actor Analysis:
      • FPS: This threat actor is currently uncategorized based on the provided information. The acronym “FPS” could potentially refer to various entities, including the Federal Protective Service in the US, but without further context, a definitive attribution cannot be made.
      • Motivations: The primary motivation appears to be financial gain through the sale of unauthorized access to compromised systems.
      • Tactics, Techniques, and Procedures (TTPs): The tactic involves gaining domain administrator-level access, likely through exploiting vulnerabilities, social engineering, or obtaining stolen credentials, and then selling this access to other malicious actors.
      • Known Affiliations: No known affiliations for FPS are mentioned in the provided snippets.
      • Target Sectors and Geographies: The target in this incident is a business services firm in Brazil. This single instance does not establish a clear pattern for this threat actor’s targeting preferences.

2.9. Incident INC009: GARUDA ERROR SYSTEM claims to target India and Vietnam

  • Description: A recent post by the group claims that they are targeting India and Vietnam.
  • Threat Actor Analysis:
      • GARUDA ERROR SYSTEM: As analyzed in Incident INC005, this group is known for hacktivist activities, primarily targeting Indian entities. This claim suggests an expansion of their focus to include Vietnam.
      • Motivations: The motivation remains likely hacktivism, potentially related to geopolitical issues or specific grievances against entities in India and Vietnam.
      • Tactics, Techniques, and Procedures (TTPs): Based on previous incidents, their tactics likely include DDoS attacks and data leaks.
      • Known Affiliations: Same as Incident INC005.
      • Target Sectors and Geographies: While previously focused on India, this claim indicates an intent to target organizations in Vietnam as well.

2.10. Incident INC010: Alleged sale of access to an unidentified Brazilian real estate firm

  • Description: The threat actor claims to be selling domain admin VPN access to a Brazilian real estate firm ($88M revenue), compromising 60 PCs protected by Kaspersky.
  • Threat Actor Analysis:
      • FPS: As analyzed in Incident INC008, this threat actor is currently uncategorized. This second incident involving the sale of access to a Brazilian entity might suggest a regional focus, but more information is needed for confirmation.
      • Motivations: Similar to the previous incident, the motivation is likely financial gain through the monetization of compromised access.
      • Tactics, Techniques, and Procedures (TTPs): The tactic remains gaining and selling domain administrator-level access, highlighting a potential capability in compromising networks and escalating privileges.
      • Known Affiliations: Same as Incident INC008.
      • Target Sectors and Geographies: This incident targets a real estate firm in Brazil, further suggesting a potential interest in Brazilian organizations.

2.11. Incident INC011: Anonymous_SVN targets the website of Roosta Battery

  • Description: The group claims to have defaced the website of Roosta Battery.
  • Threat Actor Analysis:
      • Anonymous_SVN: This appears to be a hacktivist group, possibly associated with the broader Anonymous movement. The “SVN” suffix might indicate a regional affiliation, but this requires further investigation. Hacktivist groups often conduct website defacements as a form of protest or to raise awareness about specific issues.
      • Motivations: The motivation is likely hacktivism, aiming to disrupt the website and potentially convey a message. The specific reasons for targeting Roosta Battery are not stated.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement is the primary tactic used in this incident.
      • Known Affiliations: Anonymous_SVN is likely part of the broader Anonymous hacktivist movement.
      • Target Sectors and Geographies: Roosta Battery is based in Iran, suggesting a focus on Iranian targets for this group.

2.12. Incident INC012: Anonymous_SVN targets the website of Endocrine and Metabolism Research Institute (EMRI)

  • Description: The group claims to have defaced the website of Endocrine and Metabolism Research Institute.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. This incident further supports the idea that Anonymous_SVN is targeting Iranian organizations.
      • Motivations: Likely hacktivism, with the specific reasons for targeting this research institute unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: This target, an Iranian research institute, aligns with the previous incident involving Roosta Battery, indicating a focus on Iran.

2.13. Incident INC013: Anonymous_SVN targets the website of Dr Bahariyeh Beauty Clinic

  • Description: The group claims to have defaced the website of Dr Bahariyeh Beauty Clinic.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. The continued targeting of Iranian websites reinforces the potential regional focus of this group.
      • Motivations: Likely hacktivism, with the specific reasons for targeting a beauty clinic unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: Another Iranian target, a beauty clinic, further confirms the focus on Iran.

2.14. Incident INC014: Anonymous_SVN targets the website of Dicardo

  • Description: The group claims to have defaced the website of Dicardo.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. The pattern of targeting Iranian websites continues.
      • Motivations: Likely hacktivism, with the specific reasons for targeting an e-commerce site unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: The target, an Iranian e-commerce store, fits the established pattern.

2.15. Incident INC015: Hacktivist Indonesia targets the website of India Live News 24×7

  • Description: The group claims to have defaced the website of India Live News 24×7.
  • Threat Actor Analysis:
      • Hacktivist Indonesia: As analyzed in Incident INC001, this group is known for politically motivated cyberattacks. This incident shows a website defacement targeting an Indian news outlet.
      • Motivations: The motivation is likely political, potentially related to news coverage or broader geopolitical issues between Indonesia and India.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement is the tactic used in this incident, adding to their known capabilities of DDoS and hack-and-leak operations.
      • Known Affiliations: Same as Incident INC001.
      • Target Sectors and Geographies: This incident targets an Indian news organization, aligning with their known interest in entities perceived to be against their core interests.

2.16. Incident INC016: Anonymous_SVN targets the website of PARK TAKHFIF

  • Description: The group claims to have defaced the website of PARK TAKHFIF.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. The consistent targeting of Iranian websites continues.
      • Motivations: Likely hacktivism, with the specific reasons for targeting this retail website unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: Another Iranian target, a retail website, fits the established pattern.

2.17. Incident INC017: Alleged Unauthorized Access to Milan Water SCADA System

  • Description: The group claims to have successfully accessed the SCADA dispatch control system managing water filtration in Milan, Italy. They manipulated pump operations and filter settings—activating manual flushing unnecessarily and altering pump schedules—causing temporary disruption and ineffectiveness of the water filtration process, and changed the VNC connection password.
  • Threat Actor Analysis:
      • SECT0R16: This group is known for targeting critical infrastructure, particularly in the oil and gas sector, with a geopolitical motivation. They collaborate with other groups like Z-Pentest and OverFlame. Their tactics include exploiting vulnerabilities, social engineering, and manipulating control interfaces. This incident indicates a potential expansion of their targets to include water treatment facilities.
      • Motivations: The motivation appears to be geopolitical, aiming to disrupt critical infrastructure in Western countries, potentially to weaken them or demonstrate vulnerabilities.
      • Tactics, Techniques, and Procedures (TTPs): SECT0R16 is known for infiltrating and manipulating industrial control systems (ICS/SCADA), exploiting vulnerabilities, and using social engineering. This incident demonstrates their capability to disrupt water filtration processes.
      • Known Affiliations: SECT0R16 collaborates with Z-Pentest and OverFlame.
      • Target Sectors and Geographies: Primarily targets oil and gas infrastructure in the US, with a claimed target in the Netherlands. This incident shows targeting of a water treatment facility in Italy, suggesting a broader interest in European critical infrastructure.

2.18. Incident INC018: Anonymous_SVN targets the website of Andisheeh Sajjad Educational Complex

  • Description: The group claims to have defaced the website of Andisheeh Sajjad Educational Complex.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. The pattern of targeting Iranian websites, including educational institutions, continues.
      • Motivations: Likely hacktivism, with the specific reasons for targeting this educational complex unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: Another Iranian educational institution, fitting the established pattern.

2.19. Incident INC019: Alleged database leak of NATO

  • Description: A threat actor claims to have leaked a 9 GB database belonging to NATO. The data reportedly includes sensitive information such as training details, types of military exercises, unit classifications, and other confidential NATO military data.
  • Threat Actor Analysis:
      • Ogsgd: This threat actor is currently uncategorized based on the provided information. The claim of leaking sensitive NATO data suggests a potentially significant breach with possible implications for national security and international affairs. Further investigation is needed to understand the actor’s motivations and capabilities.
      • Motivations: The motivation could range from cyber espionage to making a political statement or seeking financial gain through the sale of the data. The high-profile nature of the alleged victim suggests a sophisticated actor.
      • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and leaking. The methods used to gain access to the database are not specified.
      • Known Affiliations: No known affiliations for Ogsgd are mentioned in the provided snippets.
      • Target Sectors and Geographies: The alleged victim is NATO, an international organization with member states primarily in North America and Europe. This suggests a focus on high-profile international political and military targets.

2.20. Incident INC020: Anonymous_SVN targets the website of Iran Brand

  • Description: The group claims to have defaced the website of Iran Brand.
  • Threat Actor Analysis:
      • Anonymous_SVN: Same as Incident INC011. The consistent targeting of Iranian websites continues.
      • Motivations: Likely hacktivism, with the specific reasons for targeting this online publishing platform unknown.
      • Tactics, Techniques, and Procedures (TTPs): Website defacement.
      • Known Affiliations: Same as Incident INC011.
      • Target Sectors and Geographies: Another Iranian target, an online publishing platform, fits the established pattern.

2.21. Incident INC021: Alleged unauthorized access to Pizza Sprint S.r.l

  • Description: The group claims to have gained unauthorized access to Pizza Sprint.
  • Threat Actor Analysis:
      • Z-PENTEST ALLIANCE: This group is known for targeting critical infrastructure, particularly in the energy and water sectors, with a geopolitical motivation aligned with pro-Russian interests. They often work in collaboration with groups like SECTOR16 and OverFlame. This incident suggests a potential broadening of their target scope to include other types of businesses in Western countries.
      • Motivations: While their primary focus is geopolitical disruption of critical infrastructure, this incident might indicate a more opportunistic approach or a desire to demonstrate their capabilities across different sectors.
      • Tactics, Techniques, and Procedures (TTPs): Z-PENTEST ALLIANCE is known for penetrating operational technology (OT) and industrial control systems (ICS/SCADA), exploiting zero-day vulnerabilities, and using social engineering. The specific techniques used to gain access to Pizza Sprint are not detailed.
      • Known Affiliations: Z-PENTEST ALLIANCE collaborates with SECTOR16, OverFlame, and possibly the People’s Cyber Army (PCA).
      • Target Sectors and Geographies: Primarily targets energy and water sectors in Western countries. This incident shows targeting of a food and beverage company in Italy, indicating a potential expansion beyond critical infrastructure.

2.22. Incident INC022: Alleged Unauthorized Access to Gdansk Water SCADA System

  • Description: The group claims to have successfully accessed the SCADA dispatch control system managing water filtration in Gdańsk, Poland. They manipulated pump operations and filter settings—activating manual flushing unnecessarily and altering pump schedules—causing temporary disruption and ineffectiveness in the water filtration process.
  • Threat Actor Analysis:
      • SECT0R 16: This is likely a variation in the naming of the SECT0R16 group, analyzed in Incident INC017. This incident further reinforces their focus on disrupting water treatment facilities in Europe.
      • Motivations: Same as Incident INC017 – geopolitical disruption of critical infrastructure in Western countries.
      • Tactics, Techniques, and Procedures (TTPs): Same as Incident INC017 – infiltrating and manipulating ICS/SCADA systems to disrupt water filtration processes.
      • Known Affiliations: Same as Incident INC017.
      • Target Sectors and Geographies: This incident confirms their interest in targeting water treatment facilities in Europe, specifically in Poland.

2.23. Incident INC023: Alleged data leak of Leadergame

  • Description: The group claims to have leaked 200 MB of data from Leadergame.
  • Threat Actor Analysis:
      • Arabian Ghosts: This group, also known as Ghost (Cring) ransomware, has been active since early 2021 and has targeted organizations across more than 70 countries, including various industries. They are known for indiscriminate targeting, exploiting outdated security measures, and using double extortion tactics. While primarily known for ransomware, this claim suggests they might also engage in data leaks without encryption in some cases.
      • Motivations: The primary motivation for Arabian Ghosts is financial gain. This data leak could be a precursor to a ransomware attack or an attempt to extort the victim organization.
      • Tactics, Techniques, and Procedures (TTPs): Arabian Ghosts typically exploits vulnerabilities, escalates privileges, deploys ransomware, exfiltrates data, and disables security tools. This incident indicates a potential for data leaks as a standalone tactic.
      • Known Affiliations: No specific affiliations are mentioned in the provided snippets for Arabian Ghosts.
      • Target Sectors and Geographies: Arabian Ghosts targets organizations across various industries globally. Leadergame is based in France, indicating their global reach.

2.24. Incident INC024: Alleged database leak of an unidentified Indonesian bank

  • Description: The threat actor claims to have leaked the database of an unidentified Indonesian bank. The compromised data includes details such as merchant type, merchant id, merchant code, merchant group, merchant email, merchant name, merchant status and more.
  • Threat Actor Analysis:
      • NodeSillent: This threat actor is currently uncategorized based on the provided information. The claim of leaking sensitive data from an Indonesian bank suggests a focus on financial institutions in Indonesia. More research is needed to understand their broader activities and motivations.
      • Motivations: The primary motivation is likely financial gain through the sale or exploitation of the leaked database.
      • Tactics, Techniques, and Procedures (TTPs): The main tactic is data exfiltration and leaking. The methods used to compromise the bank’s database are not specified.
      • Known Affiliations: No known affiliations for NodeSillent are mentioned in the provided snippets.
      • Target Sectors and Geographies: The target is an Indonesian bank, suggesting a focus on the financial sector in Indonesia.

2.25. Incident INC025: Alleged database leak of KENDAL KARIER

  • Description: The threat actor claims to have leaked the database from KENDAL KARIER. The compromised data includes details such as national identification number, name, gender, mobile number, WhatsApp number and more.
  • Threat Actor Analysis:
      • VirXploit24: This threat actor is currently uncategorized based on the provided information. The claim of leaking a database containing sensitive personal information from an Indonesian government administration website suggests a focus on Indonesian government entities and potentially politically motivated actions.
      • Motivations: The motivation could be politically driven, aiming to expose government data or disrupt services, or it could be for financial gain through the sale of the leaked information.
      • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and leaking. The methods used to compromise the database are not specified.
      • Known Affiliations: No known affiliations for VirXploit24 are mentioned in the provided snippets.
      • Target Sectors and Geographies: The target is an Indonesian government administration website, suggesting a focus on government entities in Indonesia.

2.26. Incident INC026: Alleged data leak of IntuView

  • Description: The threat actor claims to have leaked the data of IntuView.
  • Threat Actor Analysis:
      • Black Ember: This threat actor is currently uncategorized based on the provided information. The claim of a data leak from an Israeli software development company suggests a potential focus on technology companies in Israel. More research is needed to understand their motivations and typical activities.
      • Motivations: The motivation could be financial gain through the sale of the data or hacktivism targeting Israeli organizations.
      • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and leaking. The methods used to compromise IntuView’s data are not specified.
      • Known Affiliations: No known affiliations for Black Ember are mentioned in the provided snippets.
      • Target Sectors and Geographies: The target is an Israeli software development company, suggesting a focus on the technology sector in Israel.

2.27. Incident INC027: Alleged database leak of Lamma Fisherfolk’s Village

  • Description: The threat actor claims to have leaked the database of Lamma Fisherfolk’s Village. The compromised data reportedly includes records of 720,000 individuals such as name, gender, birth year, mobile number, order date, order contents, and order total.
  • Threat Actor Analysis:
  • heiwukoong: This threat actor is currently uncategorized based on the provided information. The claim of a significant data leak from a Hong Kong hospitality and tourism business suggests a focus on organizations in this region. The large volume of personal data involved indicates a potentially serious breach.
  • Motivations: The motivation is likely financial gain through the sale of the large database containing personal information.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and leaking. The methods used to compromise the database are not specified.
  • Known Affiliations: No known affiliations for heiwukoong are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is a hospitality and tourism business in Hong Kong, suggesting a focus on organizations in this region.
  • 2.27.4. Direct Links:

2.28. Incident INC028: Alleged data sale of multiple Malaysian telecom companies

  • Description: A threat actor claims to be selling data from multiple Malaysian telecom companies. The compromised data reportedly includes 41 million records containing call details, full names, phone numbers, email addresses, IC numbers, and other sensitive customer information.
  • Threat Actor Analysis:
  • Malaysia_leaks: This threat actor is currently uncategorized based on the provided information. The claim of selling a massive dataset from multiple Malaysian telecom companies indicates a significant breach with potentially severe consequences for the affected individuals. The scale of the alleged leak suggests a sophisticated operation.
  • Motivations: The primary motivation is likely financial gain through the sale of the highly sensitive personal and communication data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and selling. The methods used to compromise the telecom companies are not specified but likely involved sophisticated techniques to access and extract such a large volume of data.
  • Known Affiliations: No known affiliations for Malaysia_leaks are mentioned in the provided snippets.
  • Target Sectors and Geographies: The targets are Malaysian telecom companies, indicating a focus on the telecommunications sector in Malaysia.
  • 2.28.4. Direct Links:

2.29. Incident INC029: WOLF CYBER ARMY targets the website of Kingway Technical Institute

  • Description: Group claims to have defaced the website of Kingway Technical Institute.
  • Threat Actor Analysis:
  • WOLF CYBER ARMY: This threat actor is currently uncategorized based on the provided information. The name suggests a potential focus on cyber warfare or hacktivism. The targeting of an Indian educational institute might indicate a regional focus or a specific motivation related to the education sector.
  • Motivations: The motivation is likely hacktivism, aiming to disrupt the website and potentially convey a message. The specific reasons for targeting Kingway Technical Institute are not stated.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement is the primary tactic used in this incident.
  • Known Affiliations: No known affiliations for WOLF CYBER ARMY are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is an Indian educational institute, suggesting a focus on the education sector in India.
  • 2.29.4. Direct Links:

2.30. Incident INC030: Anonymous_SVN targets the website of Paya Bio

  • Description: The group claims to have defaced the website of Paya Bio.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The consistent targeting of Iranian websites continues.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this agriculture and farming company unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Iranian target, an agriculture and farming company, fits the established pattern.
  • 2.30.4. Direct Links:

2.31. Incident INC031: Alleged leak of admin credentials to Fay Marketing

  • Description: The threat actor claims to have compromised the admin panel of Fay Marketing, leaking administrator login credentials including the username and password for full access to the control panel.
  • Threat Actor Analysis:
  • KINGSMAN INDIA: As analyzed in Incident INC004, this group is known for targeting Indian entities for cyber espionage. This incident shows a targeting of a Pakistani manufacturing company and a leak of administrative credentials.
  • Motivations: The motivation could be cyber espionage, aiming to gain access to the company’s systems for intelligence gathering, or it could be a disruptive attack.
  • Tactics, Techniques, and Procedures (TTPs): In addition to phishing and information stealing, KINGSMAN INDIA has now demonstrated the capability of compromising admin panels and leaking credentials.
  • Known Affiliations: Same as Incident INC004.
  • Target Sectors and Geographies: While primarily focused on Indian government and energy sectors, this incident shows targeting of a manufacturing company in Pakistan.
  • 2.31.4. Direct Links:

2.32. Incident INC032: Anonymous_SVN targets the website of porosbali

  • Description: The group claims to have defaced the website of porosbali.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. This incident marks a shift in targeting from Iranian websites to Indonesian ones.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this Indonesian news website unknown. The change in target geography suggests a broader scope or a shift in focus.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: This target, an Indonesian news website, deviates from the previous pattern of targeting Iranian entities.
  • 2.32.4. Direct Links:

2.33. Incident INC033: Anonymous_SVN targets the website of Great Mind

  • Description: The group claims to have defaced the website of Great Mind.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The targeting of Indonesian websites continues.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this Indonesian online publishing platform unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Indonesian target, an online publishing platform, fits the recent shift in focus.
  • 2.33.4. Direct Links:

2.34. Incident INC034: Anonymous_SVN targets the website of Redaksi

  • Description: The group claims to have defaced the website of Redaksi.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The targeting of Indonesian websites continues.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this Indonesian news website unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Indonesian target, a news website, fits the recent shift in focus.
  • 2.34.4. Direct Links:

2.35. Incident INC035: Alleged data breach of Peerform

  • Description: The threat actor claims to be selling a database containing 625,000 U.S.-based loan applicant records from Peerform. The leaked data allegedly includes highly sensitive personal and financial information.
  • Threat Actor Analysis:
  • info_usa: This threat actor is currently uncategorized based on the provided information. The name suggests a focus on obtaining and potentially selling data related to individuals or entities in the USA. The type of data allegedly compromised (loan applicant records with sensitive financial information) indicates a high-value target for cybercriminals.
  • Motivations: The primary motivation is likely financial gain through the sale of the sensitive personal and financial data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and selling. The methods used to compromise Peerform’s database are not specified but likely involved exploiting vulnerabilities or obtaining unauthorized access to their systems.
  • Known Affiliations: No known affiliations for info_usa are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is a financial services company in the USA, suggesting a focus on this sector and region.
  • 2.35.4. Direct Links:

2.36. Incident INC036: Anonymous_SVN targets the website of signcompany.ir

  • Description: The group claims to have defaced the organization’s website.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The targeting of Iranian websites resumes.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this graphic and web design company unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Iranian target, a graphic and web design company, fits the initial pattern.
  • 2.36.4. Direct Links:

2.37. Incident INC037: Anonymous_SVN targets the website of Rsu Negara Jembrana

  • Description: The group claims to have defaced the organization’s website.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The targeting of Indonesian websites continues.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this Indonesian hospital unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Indonesian target, a hospital, fits the recent shift in focus.
  • 2.37.4. Direct Links:

2.38. Incident INC038: Alleged Sale of Turnkey Email Spam Services

  • Description: Threat actor claims to offer turnkey bulk email spam services using their own SMTP/PMTA infrastructure. The service promises quick setup (1–3 days) and is customized per client, requiring only a mailing list and message content from the buyer.
  • Threat Actor Analysis:
  • Wanderer_Traffic: This threat actor is currently uncategorized based on the provided information. The offering of bulk email spam services indicates a financially motivated actor involved in facilitating malicious email campaigns.
  • Motivations: The primary motivation is financial gain through providing services that enable spam and potentially phishing or malware distribution.
  • Tactics, Techniques, and Procedures (TTPs): The tactic involves setting up and offering infrastructure for sending bulk emails, a common technique used in spam campaigns.
  • Known Affiliations: No known affiliations for Wanderer_Traffic are mentioned in the provided snippets.
  • Target Sectors and Geographies: The service is offered to anyone willing to pay, suggesting a broad target market for malicious actors needing spam infrastructure. The origin of the threat actor is not specified.
  • 2.38.4. Direct Links:

2.39. Incident INC039: Alleged sale of multiple sensitive databases

  • Description: The threat actor claims to be selling large volumes of sensitive data, including citizen data, insurance records, shopping information, and more from countries such as India, Vietnam, Taiwan, Cambodia, the Philippines, Tajikistan, and Uzbekistan.
  • Threat Actor Analysis:
  • kubogc: This threat actor is currently uncategorized based on the provided information. The claim of selling a wide range of sensitive data from multiple Asian countries suggests a financially motivated actor with access to significant data breaches.
  • Motivations: The primary motivation is financial gain through the sale of the stolen data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and selling. The methods used to obtain these databases are not specified.
  • Known Affiliations: No known affiliations for kubogc are mentioned in the provided snippets.
  • Target Sectors and Geographies: The data originates from various sectors (citizen data, insurance, shopping) across multiple countries in Asia, indicating a broad scope of compromised information.
  • 2.39.4. Direct Links:

2.40. Incident INC040: Alleged sale of data from Vietnam’s online shopping platforms

  • Description: The threat actor claims to be selling fresh daily data from Vietnam’s online shopping platforms. The leaked data includes full names, phone numbers, addresses, purchased product names, prices, and more.
  • Threat Actor Analysis:
  • namolesa: This threat actor is currently uncategorized based on the provided information. The claim of selling daily updated data from Vietnamese online shopping platforms suggests a consistent and potentially automated data harvesting operation.
  • Motivations: The primary motivation is financial gain through the sale of the consumer data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and selling. The methods used to obtain this data are not specified but could involve exploiting vulnerabilities in the shopping platforms or intercepting data streams.
  • Known Affiliations: No known affiliations for namolesa are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is online shopping platforms in Vietnam, indicating a focus on e-commerce data in this region.
  • 2.40.4. Direct Links:

2.41. Incident INC041: Alleged data breach of India Steel Expo 2025

  • Description: The threat actor claims to be selling a database containing over 6,000 leaked records from the India Steel Expo website. The data is said to contain extensive personal and professional information of event registrants.
  • Threat Actor Analysis:
  • ClayOxtymus1337: This threat actor is currently uncategorized based on the provided information. The claim of a data breach from an Indian industry event website suggests a focus on obtaining and selling information related to businesses and professionals in India’s steel industry.
  • Motivations: The primary motivation is likely financial gain through the sale of the event registrant data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and selling. The methods used to compromise the India Steel Expo website are not specified.
  • Known Affiliations: No known affiliations for ClayOxtymus1337 are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is an event related to the steel industry in India, suggesting a focus on this sector and region.
  • 2.41.4. Direct Links:

2.42. Incident INC042: Alleged data breach of Marathon Realty

  • Description: The threat actor claims to have leaked a database from the Indian real estate company Marathon Realty, containing detailed records of approximately 3,300 users. The data includes sensitive information such as customer names, phone numbers, email addresses, physical addresses, project names, flat numbers, bank names, receipt details, and financial transactions.
  • Threat Actor Analysis:
  • wht: This threat actor is currently uncategorized based on the provided information. The claim of a data breach from an Indian real estate company suggests a focus on obtaining and potentially selling data from organizations in India’s real estate sector.
  • Motivations: The primary motivation is likely financial gain through the sale of the sensitive customer data.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is data exfiltration and leaking. The methods used to compromise Marathon Realty’s database are not specified.
  • Known Affiliations: No known affiliations for wht are mentioned in the provided snippets.
  • Target Sectors and Geographies: The target is a real estate company in India, suggesting a focus on this sector and region.
  • 2.42.4. Direct Links:

2.43. Incident INC043: Anonymous_SVN targets the website of Stikom Yogyakarta

  • Description: The group claims to have defaced the organization’s website.
  • Threat Actor Analysis:
  • Anonymous_SVN: Same as Incident INC011. The targeting of Indonesian websites continues, including higher education institutions.
  • Motivations: Likely hacktivism, with the specific reasons for targeting this Indonesian college unknown.
  • Tactics, Techniques, and Procedures (TTPs): Website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: Another Indonesian target, a higher education institution, fits the recent pattern.
  • 2.43.4. Direct Links:

2.44. Incident INC044: Alleged sale of login credentials to multiple domains

  • Description: The threat actor claims to be selling over 700,000 lines of login credentials (usernames and passwords) from both government and private organizations, including domains such as .gov, .edu, .org, .com, and more from various countries.
  • Threat Actor Analysis:
  • Skivon: This threat actor is currently uncategorized based on the provided information. The claim of selling a large volume of login credentials from diverse organizations and countries suggests a broad data collection operation, potentially through large-scale data breaches or the aggregation of multiple smaller breaches.
  • Motivations: The primary motivation is likely financial gain through the sale of the compromised credentials, which can be used for various malicious purposes, including account takeover and further cyberattacks.
  • Tactics, Techniques, and Procedures (TTPs): The primary tactic is the acquisition and sale of stolen login credentials. The methods used to obtain these credentials are not specified.
  • Known Affiliations: No known affiliations for Skivon are mentioned in the provided snippets.
  • Target Sectors and Geographies: The compromised data spans across government and private organizations in numerous countries, indicating a wide and indiscriminate scope of data collection.
  • 2.44.4. Direct Links:

2.45. Incident INC045: Anonymous_SVN claims to target Iran and Indonesia

  • Description: A recent post by the group claims that they are targeting Iran and Indonesia.
  • Threat Actor Analysis:
  • Anonymous_SVN: As analyzed in Incident INC011, this group appears to be a hacktivist collective. This claim aligns with the observed targeting patterns in the previous incidents, showing a focus on both Iranian and Indonesian organizations.
  • Motivations: The motivation is likely hacktivism, with the specific reasons for targeting these two countries potentially related to political or social issues.
  • Tactics, Techniques, and Procedures (TTPs): Based on previous incidents, their primary tactic is website defacement.
  • Known Affiliations: Same as Incident INC011.
  • Target Sectors and Geographies: This claim confirms their focus on targeting organizations in both Iran and Indonesia.
  • 2.45.4. Direct Links:

2.46. Incident INC046: Alleged sale of unauthorized RDP access to unidentified Architecture & Engineering firm in Switzerland

  • Description: The threat actor claims to be selling RDP access with Domain Admin privileges to an unidentified company in Switzerland operating in the architecture, engineering, and design sector.
  • Threat Actor Analysis:
  • rawmeat: This threat actor is currently uncategorized based on the provided information. The offering of RDP access with domain admin privileges suggests a financially motivated actor who has likely compromised the target network through exploiting vulnerabilities or obtaining stolen credentials.
  • Motivations: The primary motivation is financial gain through the sale of unauthorized access to the compromised network.
  • Tactics, Techniques, and Procedures (TTPs): The tactic involves gaining remote access with high-level privileges and then selling this access to other malicious actors.
  • Known Affiliations: No known affiliations for rawmeat are mentioned in the provided snippets. The name “rawmeat” is also used in the context of food safety regulations, but there is no indication of a connection.
  • Target Sectors and Geographies: The target is a company in the architecture, engineering, and design sector in Switzerland, indicating a potential interest in organizations in this industry or region.
  • 2.46.4. Direct Links:

2.47. Incident INC047: Alleged sale of RCE Access to an unidentified government entity in California

  • Description: The threat actor claims to have Remote Code Execution (RCE) access to a U.S. municipal government entity in California. The access is achieved via a script on a Linux system.
  • Threat Actor Analysis:
  • shine: This threat actor is currently uncategorized based on the provided information. The claim of RCE access to a US government entity suggests a potentially sophisticated actor with the ability to exploit vulnerabilities in Linux systems. The motivation could range from espionage to disruption or financial gain.
  • Motivations: The motivation is not explicitly stated but could include espionage, disruption of government services, or potentially selling the access to other malicious actors.
  • Tactics, Techniques, and Procedures (TTPs): The tactic involves gaining Remote Code Execution on a Linux system of a government entity, indicating advanced technical skills.
  • Known Affiliations: No known affiliations for shine are mentioned in the provided snippets. The term “Typhoon cyber groups” is mentioned in the context of Chinese APTs, but there is no direct link to the “shine” actor.
  • Target Sectors and Geographies: The target is a municipal government entity in California, USA, indicating a focus on government organizations in the United States.
  • 2.47.4. Direct Links:

2.48. Incident INC048: Alleged sale of RCE Access to an unidentified Executive Government Entity in Hong Kong

  • Description: The threat actor claims to be selling Remote Code Execution (RCE) access to a Hong Kong executive government entity with a *.gov.hk domain. The system runs on Linux.
  • Threat Actor Analysis:
  • shine: Same as Incident INC047. This second incident involving the sale of RCE access, this time targeting a government entity in Hong Kong, further suggests a focus on government targets and the ability to compromise Linux systems.
  • Motivations: Similar to the previous incident, the motivation is not explicitly stated but could include espionage, disruption, or selling access.
  • Tactics, Techniques, and Procedures (TTPs): The tactic remains gaining Remote Code Execution on Linux systems, indicating a consistent skillset.
  • Known Affiliations: Same as Incident INC047.
  • Target Sectors and Geographies: The target is an executive government entity in Hong Kong, indicating a focus on government organizations in Asia.
  • 2.48.4. Direct Links:

2.49. Incident INC049: Alleged sale of RCE Access to an unidentified USA local bank

  • Description: The threat actor claims to be selling Remote Code Execution (RCE) access to an unidentified USA-based local bank’s Linux system.
  • Threat Actor Analysis:
  • shine: Same as Incident INC047 and INC048. This third incident involving the sale of RCE access, this time targeting a bank in the USA, indicates a broader targeting scope that includes financial institutions in addition to government entities. The consistent targeting of Linux systems remains a notable characteristic.
  • Motivations: The primary motivation is likely financial gain through selling access that could be used for further malicious activities like data theft or ransomware deployment.
  • Tactics, Techniques, and Procedures (TTPs): The tactic remains gaining Remote Code Execution on Linux systems.
  • Known Affiliations: Same as Incident INC047.
  • Target Sectors and Geographies: The target is a local bank in the USA, indicating an interest in the financial sector in the United States.
  • 2.49.4. Direct Links:

3. Cross-Incident Analysis and Emerging Trends

Analysis of the reported incidents reveals several noteworthy trends. Firstly, there is a significant amount of activity from hacktivist groups like Anonymous_SVN and Hacktivist Indonesia, with the former showing a strong focus on Iranian and Indonesian targets, and the latter primarily targeting entities perceived to be against their political and religious beliefs. Secondly, the continued targeting of critical infrastructure by groups like SECT0R16 and Z-PENTEST ALLIANCE, with a focus on geopolitical disruption, remains a concern. The alleged breach of NATO, if confirmed, would represent a significant escalation in cyber espionage activities. Thirdly, there is a notable trend of threat actors selling various forms of unauthorized access, including domain admin VPN access and Remote Code Execution, indicating a thriving underground market for compromised systems. Finally, the prevalence of data leaks and alleged sales of sensitive personal and financial information highlights the ongoing risk to individuals and organizations across various sectors and geographies.

The geographical distribution of targets is wide, spanning across Asia (India, Indonesia, Pakistan, Malaysia, Vietnam, Hong Kong), the Middle East (Israel, Iran), Europe (Italy, Poland, France, Switzerland), and North America (USA). The targeted sectors are also diverse, including government, education, financial services, healthcare, manufacturing, retail, and critical infrastructure. This underscores the global and multi-faceted nature of the current cyber threat landscape.

Key Table: Summary of Threat Actor Activity Across Incidents

Threat Actor Name | List of Incident Identifiers | Primary Motivation | Common Attack Types Observed in Today’s Incidents
Hacktivist Indonesia | INC001, INC015 | Political, Ideological | Data Leak, Website Defacement
KEDIRISECTEAM | INC002, INC003 | Unknown | Data Leak (Alleged)
KINGSMAN INDIA | INC004, INC006, INC031 | Cyber Espionage | Unauthorized Access, Website Defacement, Credential Leak
GARUDA ERROR SYSTEM | INC005, INC009 | Hacktivism | Data Leak (Alleged), Claimed Targeting
Anonymous_SVN | INC011, INC012, INC013, INC014, INC016, INC018, INC020, INC030, INC032, INC033, INC034, INC036, INC037, INC043, INC045 | Hacktivism | Website Defacement
EMIRE_TEAM | INC007 | Financial | Sale of Stolen Documents
FPS | INC008, INC010 | Financial | Sale of Unauthorized Access
SECT0R16 / SECT0R 16 | INC017, INC022 | Geopolitical Disruption | Unauthorized Access, Manipulation of SCADA Systems
Ogsgd | INC019 | Unknown | Data Leak (Alleged)
Z-PENTEST ALLIANCE | INC021 | Geopolitical Disruption | Unauthorized Access
Arabian Ghosts | INC023 | Financial | Data Leak (Alleged)
NodeSillent | INC024 | Financial | Data Leak (Alleged)
VirXploit24 | INC025 | Unknown | Data Leak (Alleged)
Black Ember | INC026 | Unknown | Data Leak (Alleged)
heiwukoong | INC027 | Financial | Data Leak (Alleged)
Malaysia_leaks | INC028 | Financial | Sale of Stolen Data
WOLF CYBER ARMY | INC029 | Unknown | Website Defacement
info_usa | INC035 | Financial | Sale of Stolen Data
wht | INC042 | Financial | Data Leak (Alleged)
Skivon | INC044 | Financial | Sale of Stolen Credentials
rawmeat | INC046 | Financial | Sale of Unauthorized Access
shine | INC047, INC048, INC049 | Unknown | Sale of Unauthorized Access (RCE)
Wanderer_Traffic | INC038 | Financial | Offering Spam Services
kubogc | INC039 | Financial | Sale of Stolen Data
namolesa | INC040 | Financial | Sale of Stolen Data
ClayOxtymus1337 | INC041 | Financial | Sale of Stolen Data

4. Conclusion

The cybersecurity incidents reported within the last 24 hours paint a picture of a highly active and diverse threat landscape. Hacktivism remains a significant force, with groups like Anonymous_SVN and Hacktivist Indonesia demonstrating persistent activity. The targeting of critical infrastructure by groups with geopolitical motivations continues to pose a serious risk. The increasing trend of selling unauthorized access highlights the monetization of compromised systems. Finally, the numerous data leaks underscore the vulnerability of organizations across various sectors to data breaches. Organizations must remain vigilant, implement robust security measures, and stay informed about the evolving tactics and motivations of threat actors to effectively mitigate these risks.

Works cited

Ghost (Cring) Ransomware: Understanding The Threat & How Enterprises Can Defend Themselves, accessed May 19, 2025, https://www.alstonprivacy.com/ghost-cring-ransomware-understanding-the-threat-how-enterprises-can-defend-themselves/