[May-28-2025] Daily Cybersecurity Threat Report

I. Executive Summary

This daily cybersecurity threat report provides a high-level overview of the most critical cybersecurity incidents and trends observed in the recent period, offering essential intelligence for security leadership and operational teams. The current threat landscape is characterized by a dynamic interplay of financially motivated cybercriminal groups and politically driven hacktivist collectives.

A significant observation is the blurring of traditional motivational boundaries among threat actors. Groups are increasingly demonstrating a readiness to pivot between purely financially driven operations and those with hacktivist or geopolitical objectives. For instance, entities like Pryx, initially identified as a malware developer and access broker, are actively forming new ransomware groups [1]. Similarly, the FunkSec group, while seemingly less experienced, engages in both hacktivism and ransomware/extortion activities [2]. This fluidity in objectives implies that organizations must adopt a more flexible and comprehensive threat modeling approach, preparing for a wider array of potential impacts (data theft, system disruption, and reputational damage) regardless of an adversary’s initially perceived primary motivation.

Another critical aspect of the current environment is the persistent evolution and resilience of threat actors in the face of disruption. Despite law enforcement efforts, sophisticated groups often demonstrate remarkable adaptability. For example, the alleged leader of the Qakbot malware operation continued cyberattacks even after a significant botnet takedown [3]. Similarly, Advanced Persistent Threat (APT) groups like APT29, active since at least 2008, consistently evolve their tactics, techniques, and procedures (TTPs), including sophisticated supply chain attacks [4]. This continuous adaptation means that organizations cannot rely solely on reactive measures or the expectation that adversaries will be fully neutralized. Instead, a proactive, intelligence-led defense strategy focused on anticipating adversary evolution and building adaptive resilience is paramount.

The following table summarizes key incidents that exemplify these trends, providing a quick reference for immediate situational awareness.

Table 1: Daily Incident Summary

Incident Name | Affected Entity | Type of Incident | Brief Impact/Summary | Associated Threat Actor(s)
KINGSMAN INDIA targets the website of Anadolu University | Anadolu University | Defacement | Website defaced by the group. | KINGSMAN INDIA
Alleged sale of CoinMarketCap credentials | CoinMarketCap | Combo List | Sale of 580,000 email and password combinations. | pridexp
Alleged sale of databases from Spain | N/A | Data Leak | Sale/exchange of databases from Spain. | killbill
Alleged sale of admin access to a Spanish WordPress store using Redsys | N/A (Spanish e-commerce site) | Initial Access | WordPress admin access to e-commerce site with Redsys payments. | TreeWater
Alleged sale of admin access to a WordPress-based site in Spain | N/A (WordPress-based site in Spain) | Initial Access | Sale of admin access to a WordPress site with plugin support. | Reve
Alleged data leak of the City Council of Vila Lângaro | City Council of Vila Lângaro | Data Leak | Leaked private documents, admin login credentials in CSV/BIN formats. | wh6ami
Alleged data breach of VIP.org.il | VIP.org.il | Data Breach | Data leaked from VIP.org.il. | GARUDA ERROR SYSTEM
Alleged data breach of Dr. Michael Rudnitsky’s Dental Clinic | Dr. Michael Rudnitsky’s Dental Clinic | Data Breach | Data leaked from dental clinic. | GARUDA ERROR SYSTEM
Alleged sale of unauthorized access to a Magento 1-based online store in USA | N/A (Magento 1 online store) | Initial Access | Sale of admin access to a Magento 1 e-commerce site. | Fordnox
Alleged sale of RDWeb access to an unidentified Australian government organization | N/A (Australian government organization) | Initial Access | Sale of RDWeb user access. | gadji
INDOHAXSEC targets the website of Utkarsh Research Network Private Limited | Utkarsh Research Network Private Limited | Defacement | Website defaced by the group. | INDOHAXSEC
Alleged access sale of Superloop | Superloop | Initial Access | Access to internal portal, including domain admin tools. | w_tchdogs
Alleged data breach of Universidad Pedagógica Experimental Libertador (UPEL) | Universidad Pedagógica Experimental Libertador (UPEL) | Data Breach | Database leak (41k students, 10k professors, 11k users). | el_farado
Alleged access sale of Telkomsel Center Panel | Telkomsel | Initial Access | Sale of access to Telkomsel Center Panel (SIM management, telecom data). | Captainfen
HANZ TZYY targets the website of Federal Radio Corporation of Nigeria (FRCN) | Federal Radio Corporation of Nigeria (FRCN) | Defacement | Website defaced by the group. | HANZ TZYY
ErrOr_HB targets the website of The Santa Cruz Police | The Santa Cruz Police | Defacement | Website defaced by the group. | ErrOr_HB
Alleged sale of phone number Database from Portugal | N/A | Data Leak | Sale of 7 million Portugal phone numbers. | hagilo2748
Alleged sale of Phone Number Database from Poland | N/A | Data Leak | Sale of Poland Citizen Phone Number Database. | decojo4605
Alleged sale of unauthorized access to an unidentified company in Dubai | N/A (Unidentified company in Dubai) | Initial Access | Sale of admin access to various corporate services. | LongNight
Alleged data leak of Russian Documents | N/A | Data Leak | Leaked data of 4,000 Russian documents. | DelitosPenales
Alleged leak of USA Driver Licenses database | N/A | Data Leak | Sale of 10,000 U.S. driver’s licenses (F&B images, selfies). | wndyn1337
Alleged data leak of BKPSDM | BKPSDM Lebak | Data Leak | Leaked personal and employment data of civil servants. | KEDIRISECTEAM
Alleged data breach of santalucía seguros | santalucía seguros | Data Breach | Customer database (3 million records) leaked. | vaquilla
Alleged data breach of Amazon | Amazon Spain | Data Breach | Customer database (5.1 million records) leaked. | vaquilla
Alleged data breach of SANTIAGO DE CALI UNIVERSITY | SANTIAGO DE CALI UNIVERSITY | Data Breach | Over 127 CSV/XLSX files from SNIES database leaked. | aero

II. Daily Incident Briefs

This section provides a detailed analysis of recent cybersecurity incidents, offering context beyond simple descriptions to elucidate their significance and broader implications.

Incident: KINGSMAN INDIA targets the website of Anadolu University

  • Overview: On May 28, 2025, the group claims to have defaced the website of Anadolu University, an educational institution in Turkey [6].
  • Nature of Compromise & Impact: Defacement attacks typically involve unauthorized alteration of a website’s visual content, often to convey a political message or demonstrate hacking capabilities. While the immediate impact might be reputational damage and temporary disruption, such incidents can also be a precursor to more severe attacks or indicate underlying vulnerabilities.
  • Observed Attack Vectors and TTPs: Specific attack vectors are not detailed. Defacement often involves exploiting web application vulnerabilities (e.g., SQL injection, cross-site scripting), weak administrative credentials, or compromised content management systems.
  • Associated Threat Actor(s): KINGSMAN INDIA. While specific TTPs for KINGSMAN INDIA are not detailed in the provided research, India’s extensive digital infrastructure is noted to face numerous cyberattacks, with a majority originating from Chinese or Pakistani actors [8].
  • Published URL: https://t.me/PKMKB5/364
  • Screenshots:

Incident: Alleged sale of CoinMarketCap credentials

  • Overview: On May 28, 2025, the threat actor pridexp is selling a database containing 580,000 email and password combinations allegedly registered on CoinMarketCap. The data is reportedly sourced from 2025 dumps. CoinMarketCap is an information services company based in the USA [9].
  • Nature of Compromise & Impact: The sale of a combo list containing email and password combinations poses a significant risk of credential stuffing attacks, where attackers use these leaked credentials to gain unauthorized access to other online services where users might have reused their passwords. This can lead to account takeovers and further data breaches.
  • Observed Attack Vectors and TTPs: The data is reportedly sourced from “2025 dumps,” suggesting it was obtained through previous breaches or infostealer malware. Infostealer malware extracts sensitive information from compromised systems [11].
  • Associated Threat Actor(s): pridexp. No specific threat actor profile for pridexp is available in the provided research. However, the incident aligns with activities of financially motivated cybercriminals who monetize stolen credentials.
  • Published URL: https://xss.is/threads/138670/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/e53dfd67-070f-4db2-8bff-7a772b2828be.png
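As an added example (not part of the original report), the following Python script shows how a defender can recognise a leaked combo list being replayed against a login endpoint: one source address tries many distinct accounts inside a short window with a high failure ratio, and any account that succeeds from that address is a candidate for a forced password reset. The log format, thresholds and every sample line are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not captured from any real system).
# Assumed format: "<ISO-8601 timestamp> <client_ip> LOGIN <username> <OK|FAIL>"
SAMPLE_LOG = """\
2025-05-28T10:00:01Z 198.51.100.7 LOGIN alice@example.com FAIL
2025-05-28T10:00:02Z 198.51.100.7 LOGIN bob@example.com FAIL
2025-05-28T10:00:02Z 198.51.100.7 LOGIN carol@example.com FAIL
2025-05-28T10:00:03Z 198.51.100.7 LOGIN dave@example.com OK
2025-05-28T10:00:03Z 198.51.100.7 LOGIN erin@example.com FAIL
2025-05-28T10:00:04Z 198.51.100.7 LOGIN frank@example.com FAIL
2025-05-28T10:00:05Z 198.51.100.7 LOGIN grace@example.com FAIL
2025-05-28T10:00:05Z 198.51.100.7 LOGIN heidi@example.com FAIL
2025-05-28T10:00:06Z 198.51.100.7 LOGIN ivan@example.com FAIL
2025-05-28T10:00:07Z 198.51.100.7 LOGIN judy@example.com FAIL
2025-05-28T10:01:00Z 203.0.113.5 LOGIN alice@example.com FAIL
2025-05-28T10:01:10Z 203.0.113.5 LOGIN alice@example.com FAIL
2025-05-28T10:01:20Z 203.0.113.5 LOGIN alice@example.com OK
2025-05-28T10:02:00Z 192.0.2.9 LOGIN bob@example.com OK
"""

# Assumed thresholds; tune them to the login volume of the site being protected.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 8
MIN_FAIL_RATIO = 0.75


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, _, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=WINDOW,
                               min_users=MIN_DISTINCT_USERS,
                               min_fail_ratio=MIN_FAIL_RATIO):
    """Return {ip: finding} for every source IP that, inside some window of
    length `window`, attempted at least `min_users` distinct accounts with a
    failure ratio of `min_fail_ratio` or more. A single account hammered from
    one IP (classic brute force) is deliberately NOT matched; that is a
    different pattern with a different response.

    Each finding records the widest spread seen, the failure ratio in that
    window, and the accounts that logged in successfully (likely reused
    passwords that now need a reset).
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            fails = sum(1 for _, _, ok in span if not ok)
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                compromised = sorted({u for _, u, ok in span if ok})
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    findings[ip] = {"distinct_users": len(users),
                                    "fail_ratio": round(ratio, 2),
                                    "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {f['distinct_users']} accounts, "
              f"fail ratio {f['fail_ratio']}, successes: {f['compromised']}")
```

On the constructed log only 198.51.100.7 is flagged (ten accounts, 90% failures, one success for dave@example.com); the repeated attempts against alice@example.com from 203.0.113.5 are left to a separate brute-force rule.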

Incident: Alleged sale of databases from Spain

  • Overview: On May 28, 2025, the threat actor killbill claims to be selling or exchanging databases from Spain.
  • Nature of Compromise & Impact: The sale of databases from a specific country, even without identified victims, indicates a potential large-scale data leak affecting individuals or organizations within that region. This can lead to various forms of cybercrime, including identity theft, targeted phishing, and further exploitation.
  • Observed Attack Vectors and TTPs: The method of obtaining these databases is not specified, but such data is often acquired through breaches of various organizations, supply chain compromises, or exploitation of vulnerabilities.
  • Associated Threat Actor(s): killbill. No specific threat actor profile for killbill is available in the provided research. This activity is typical of financially motivated data brokers.
  • Published URL: https://forum.exploit.in/topic/259901/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/39345fc6-80fb-4ff7-8e41-c585dd60b38f.png

Incident: Alleged sale of admin access to a Spanish WordPress store using Redsys

  • Overview: On May 28, 2025, the threat actor TreeWater claims to have WordPress admin access to a Spanish e-commerce site with Redsys payments. The victim is an E-commerce & Online Stores entity in Spain.
  • Nature of Compromise & Impact: Selling admin access to an e-commerce site, especially one integrated with a payment gateway like Redsys, poses a severe risk. Attackers could potentially steal customer data (including payment information), inject malicious code, deface the site, or disrupt business operations.
  • Observed Attack Vectors and TTPs: Gaining WordPress admin access often involves exploiting vulnerabilities in WordPress core, plugins, or themes, or through brute-force attacks and credential compromise.
  • Associated Threat Actor(s): TreeWater. No specific threat actor profile for TreeWater is available in the provided research. This activity is characteristic of initial access brokers.
  • Published URL: https://forum.exploit.in/topic/259899/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/90fc6e0b-af86-4220-884c-6d03d6f7cd23.png

Incident: Alleged sale of admin access to a WordPress-based site in Spain

  • Overview: On May 28, 2025, the threat actor Reve claims to be selling admin access to a WordPress-based site in Spain, with plugin support.
  • Nature of Compromise & Impact: Similar to the previous incident, the sale of admin access to a WordPress site allows for full control over the website. This can lead to data theft, defacement, malware injection, or using the site for malicious purposes like phishing or hosting illicit content.
  • Observed Attack Vectors and TTPs: Access to WordPress sites is frequently gained through exploiting vulnerabilities in outdated plugins or themes, weak credentials, or brute-force attacks.
  • Associated Threat Actor(s): Reve. No specific threat actor profile for Reve is available in the provided research. This is consistent with the activities of initial access brokers.
  • Published URL: https://forum.exploit.in/topic/259893/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/af8b59ec-a616-4d13-9cbf-24119ccecc82.png

Incident: Alleged data leak of the City Council of Vila Lângaro

  • Overview: On May 28, 2025, the threat actor wh6ami claims to have leaked data from the City Council of Vila Lângaro, Brazil. The compromised data includes information about private documents, admin login credentials, and other sensitive details, stored in CSV and BIN formats. The victim is a Government Administration entity.
  • Nature of Compromise & Impact: A data leak from a government administration entity, especially one containing private documents and admin credentials, poses a severe risk to citizen privacy and government operations. This can lead to identity theft, unauthorized access to government systems, and potential disruption of public services.
  • Observed Attack Vectors and TTPs: The method of compromise is not specified, but data leaks from government entities can result from various attack vectors, including phishing, exploitation of software vulnerabilities, or insider threats.
  • Associated Threat Actor(s): wh6ami. No specific threat actor profile for wh6ami is available in the provided research. This activity aligns with financially motivated data leaks or hacktivism.
  • Published URL: https://xss.is/threads/138658/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/a89aaed7-cfa2-4ce9-9eab-ad84f3c06314.png

Incident: Alleged data breach of VIP.org.il

  • Overview: On May 28, 2025, the group GARUDA ERROR SYSTEM claims to have leaked data from VIP.org.il, a Marketing, Advertising & Sales organization in Israel.
  • Nature of Compromise & Impact: Data breaches of marketing and advertising firms can expose sensitive customer information, leading to privacy violations, targeted phishing campaigns, and reputational damage for both the victim organization and its clients.
  • Observed Attack Vectors and TTPs: The specific method of data leakage is not detailed. GARUDA ERROR SYSTEM is known to participate in Distributed Denial of Service (DDoS) attacks, often motivated by geopolitical tensions [12]. While DDoS is a different attack type, it indicates the group’s capability for cyber operations.
  • Associated Threat Actor(s): GARUDA ERROR SYSTEM. This group is part of a coalition of hacktivist groups, including Lực Lượng Đặc Biệt Quân Đội Điện Tử and Vulture, and has been involved in coordinated DDoS claims against Indian government sites [12]. Their motivation is often geopolitical [12].
  • Published URL: https://t.me/c/2641677587/165
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/4f1a3dd5-abe8-4882-a9bd-8ed0c2999e66.png

Incident: Alleged data breach of Dr. Michael Rudnitsky’s Dental Clinic

  • Overview: On May 28, 2025, the group GARUDA ERROR SYSTEM claims to have leaked data from Dr. Michael Rudnitsky’s Dental Clinic, a Hospital & Health Care entity in Israel.
  • Nature of Compromise & Impact: Data breaches in the healthcare sector are particularly sensitive due to the nature of protected health information (PHI). Such leaks can lead to identity theft, medical fraud, and significant privacy violations for patients.
  • Observed Attack Vectors and TTPs: The specific method of data leakage is not detailed. GARUDA ERROR SYSTEM is known for its involvement in hacktivist activities, including DDoS attacks, often driven by geopolitical motivations [12].
  • Associated Threat Actor(s): GARUDA ERROR SYSTEM. This group is part of a coalition of hacktivist groups, including Lực Lượng Đặc Biệt Quân Đội Điện Tử and Vulture, and has been involved in coordinated DDoS claims against Indian government sites [12].
  • Published URL: https://t.me/c/2641677587/164
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/49f1f255-9872-42c2-9101-cb655d8d2f13.png

Incident: Alleged sale of unauthorized access to a Magento 1-based online store in USA

  • Overview: On May 28, 2025, the threat actor Fordnox claims to be selling unauthorized access to a Magento 1-based online store in the USA. The victim is an E-commerce & Online Stores entity.
  • Nature of Compromise & Impact: Selling unauthorized access to an e-commerce store, especially one running on an older platform like Magento 1 (which is End-of-Life and no longer receives official security updates), presents a high risk. This access can be used for data theft (customer, payment), website defacement, or injecting malware.
  • Observed Attack Vectors and TTPs: Access to older, unsupported platforms like Magento 1 is often gained by exploiting known vulnerabilities that remain unpatched, or through brute-force attacks and credential compromise.
  • Associated Threat Actor(s): Fordnox. No specific threat actor profile for Fordnox is available in the provided research. This activity is typical of initial access brokers who monetize vulnerabilities.
  • Published URL: https://forum.exploit.in/topic/259885/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/bf2ba125-0383-4bd1-a434-579f51fe7351.png

Incident: Alleged sale of RDWeb access to an unidentified Australian government organization

  • Overview: On May 28, 2025, the threat actor gadji claims to be selling RDWeb user access to an unidentified Australian government organization. The victim is a Government Administration entity.
  • Nature of Compromise & Impact: Gaining RDWeb (Remote Desktop Web Access) user access to a government organization is a critical initial access point. This can allow attackers to move laterally within the network, access sensitive internal systems, exfiltrate data, or deploy further malware like ransomware.
  • Observed Attack Vectors and TTPs: RDWeb access is often compromised through phishing, brute-force attacks against weak credentials, or exploitation of vulnerabilities in the RDWeb gateway or underlying infrastructure.
  • Associated Threat Actor(s): gadji. No specific threat actor profile for gadji is available in the provided research [13]. This activity is consistent with initial access brokers.
  • Published URL: https://forum.exploit.in/topic/259884/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2d0c4dac-3476-44d0-b9ea-bd446399fa10.png

Incident: INDOHAXSEC targets the website of Utkarsh Research Network Private Limited

  • Overview: On May 28, 2025, the group INDOHAXSEC claims to have defaced the website of Utkarsh Research Network Private Limited, a Research Industry entity in India [14].
  • Nature of Compromise & Impact: Website defacement, while often symbolic, can cause reputational damage and disrupt online services. For a research network, it could also imply a broader compromise of their web infrastructure.
  • Observed Attack Vectors and TTPs: INDOHAXSEC is an Indonesian hacker collective known for geopolitical motivations and hacktivism, explicitly targeting Indian cyberspace in retaliation for geopolitical events [15]. Their TTPs include defacement and coordinated campaigns [15].
  • Associated Threat Actor(s): INDOHAXSEC. This group has announced collaboration with Pakistani groups like Team Azrael – Angel of Death, and frames its cyber-attacks as direct retaliation against specific geopolitical events [15].
  • Published URL: https://t.me/IndoHaxSec2/9
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/707065cd-bd8e-4abb-8d0a-96fd0811e586.png

Incident: Alleged access sale of Superloop

  • Overview: On May 28, 2025, a threat actor identified as w_tchdogs is offering access to the internal portal of Superloop, a major Australian telecommunications provider. The access reportedly includes domain administration tools and other sensitive operational resources [16].
  • Nature of Compromise & Impact: The sale of internal portal access, especially with domain administration tools, to a telecommunications provider is a critical threat. This level of access could enable widespread network disruption, data exfiltration, surveillance, or further attacks on Superloop’s customers.
  • Observed Attack Vectors and TTPs: The method of gaining access is not specified, but such high-level access often results from sophisticated social engineering, exploitation of critical vulnerabilities, or insider threats.
  • Associated Threat Actor(s): w_tchdogs. No specific threat actor profile for w_tchdogs is available in the provided research [3]. This activity is consistent with initial access brokers who target high-value corporate networks.
  • Published URL: https://darkforums.st/Thread-Selling-Superloop-Telecommunications-Portal-Access
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/ff5b2be5-301d-46e8-a474-2d6c015cf2f4.png

Incident: Alleged data breach of Universidad Pedagógica Experimental Libertador (UPEL)

  • Overview: On May 28, 2025, the threat actor el_farado claims to have leaked data from Extensión Académica Maracaibo under UPEL (Universidad Pedagógica Experimental Libertador) in Venezuela. The compromised database reportedly contains records of approximately 41k students, 10k professors, and 11k users, including IDs, names, emails, phone numbers, addresses, and passwords. The victim is an Education entity.
  • Nature of Compromise & Impact: A data breach of this scale from a university, exposing personal and academic information of tens of thousands of individuals, poses a significant privacy risk. This data can be used for identity theft, targeted phishing, and other malicious activities. Educational institutions are known to be vulnerable to security breaches [17].
  • Observed Attack Vectors and TTPs: The method of compromise is not specified. el_farado is associated with the FunkSec ransomware group and is described as an inexperienced threat actor who promotes FunkSec [2]. FunkSec is involved in both hacktivism and ransomware/extortion [2].
  • Associated Threat Actor(s): el_farado. This actor is linked to the FunkSec ransomware group and is noted for inconsistency and inexperience, suggesting a lack of technical depth [2].
  • Published URL: https://forum.exploit.in/topic/259878/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/fbf412db-4ca5-4a3a-bd6b-dfb5a7f2d73b.png

Incident: Alleged access sale of Telkomsel Center Panel

  • Overview: On May 28, 2025, a threat actor identified as Captainfen claims to be selling access to the Telkomsel Center Panel, offering real-time SIM management and detailed telecom data. The data reportedly includes ICCID, IMSI, MSISDN, billing details, usage stats, and more. Telkomsel is a Network & Telecommunications provider in Indonesia [18].
  • Nature of Compromise & Impact: The sale of access to a telecommunications provider’s central panel, especially one offering SIM management and detailed customer data, is extremely high-risk. This could enable SIM swapping attacks, surveillance, fraud, and widespread privacy violations for millions of subscribers.
  • Observed Attack Vectors and TTPs: The method of gaining access is not specified, but such critical access often results from sophisticated attacks targeting internal systems or privileged accounts.
  • Associated Threat Actor(s): Captainfen. No specific threat actor profile for Captainfen is available in the provided research. This activity is consistent with initial access brokers targeting critical infrastructure.
  • Published URL: https://darkforums.st/Thread-TELKOMSEL-CENTER-PANEL-telkomsel-com?highlight=telkomsel
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/65a06500-6159-4b51-9733-5054131fe939.png

Incident: HANZ TZYY targets the website of Federal Radio Corporation of Nigeria (FRCN)

  • Overview: On May 28, 2025, the group HANZ TZYY claims to have defaced the website of Federal Radio Corporation of Nigeria (FRCN), a Broadcast Media entity in Nigeria [19].
  • Nature of Compromise & Impact: Website defacement for a national broadcast media organization can lead to significant reputational damage, disruption of public information services, and potentially spread misinformation if the defaced content is malicious.
  • Observed Attack Vectors and TTPs: The specific attack vectors are not detailed. Defacement typically involves exploiting web application vulnerabilities or weak credentials.
  • Associated Threat Actor(s): HANZ TZYY. No specific threat actor profile for HANZ TZYY is available in the provided research.
  • Published URL: https://t.me/bekasierorsystemm/166
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/158877ef-4df6-4750-baaf-de1cb34cc9ed.png

Incident: ErrOr_HB targets the website of The Santa Cruz Police

  • Overview: On May 28, 2025, the group ErrOr_HB claims to have defaced the website of The Santa Cruz Police, a Law Enforcement entity in Argentina [20].
  • Nature of Compromise & Impact: Defacement of a law enforcement website is a serious incident, potentially undermining public trust, disrupting official communications, and demonstrating a security lapse in a critical public service.
  • Observed Attack Vectors and TTPs: ErrOr_HB’s TTPs, as described in broader threat actor toolkits, include extensive defense evasion (disabling antivirus, clearing event logs, modifying the registry to disable UAC), persistence (registry run keys), impact (stopping services, inhibiting system recovery by deleting backups and shadow copies), and command and control (using Sliver, PoshC2, SystemBC, and Ngrok for proxying) [21]. These TTPs suggest a sophisticated approach to system compromise, often associated with ransomware intrusion activity [21].
  • Associated Threat Actor(s): ErrOr_HB. This group employs a comprehensive toolkit for system compromise, persistence, defense evasion, and data destruction [21].
  • Published URL: https://t.me/defacer1337/209
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2cb207b9-be14-4191-abe9-5b9d33e40696.png
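As an added example (not part of the original report and not any vendor's rule set), the following Python script turns the defense evasion, persistence and impact behaviours listed for this toolkit into detection rules over Windows process command lines, then ranks hosts by how many of those tactics co-occur, since recovery inhibition plus log clearing plus a run key on one machine is the signature of a ransomware-style intrusion rather than routine administration. The events, hostnames, user names and rule patterns are constructed assumptions for illustration.

```python
import re

# Constructed sample process-creation events (e.g. Sysmon Event ID 1 style),
# not real telemetry. WS02's backup job is a benign decoy for the shadow-copy rule.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmd": "wevtutil.exe cl Security"},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmd": 'reg add "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"'
            ' /v EnableLUA /t REG_DWORD /d 0 /f'},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmd": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'
            ' /v Updater /t REG_SZ /d "C:\\Users\\Public\\svc.exe" /f'},
    {"host": "WS02", "user": "CORP\\backupsvc",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C:"},
    {"host": "WS02", "user": "CORP\\admin",
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "WS03", "user": "CORP\\alice",
     "cmd": "notepad.exe C:\\notes.txt"},
]

# (rule name, tactic named in the report, regex over the command line).
# Patterns are deliberately tolerant of the optional ".exe" suffix and case.
RULES = [
    ("shadow_copy_deletion", "impact",
     re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)),
    ("recovery_disabled", "impact",
     re.compile(r"bcdedit(\.exe)?.*\s+recoveryenabled\s+no", re.I)),
    ("event_log_cleared", "defense_evasion",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+\w+", re.I)),
    ("uac_disabled", "defense_evasion",
     re.compile(r"reg(\.exe)?\s+add\s+.*Policies\\System.*EnableLUA.*/d\s+0", re.I)),
    ("run_key_persistence", "persistence",
     re.compile(r"reg(\.exe)?\s+add\s+.*CurrentVersion\\(Run|RunOnce)\b", re.I)),
]


def evaluate(events, rules=RULES):
    """Return one alert dict per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, tactic, rx in rules:
            if rx.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "user": ev["user"],
                               "rule": name, "tactic": tactic, "cmd": ev["cmd"]})
    return alerts


def hosts_by_tactic_coverage(alerts):
    """Map host -> sorted list of tactics observed, hosts with the broadest
    coverage first. Three tactics on one host deserves an incident, not a ticket."""
    coverage = {}
    for a in alerts:
        coverage.setdefault(a["host"], set()).add(a["tactic"])
    ordered = sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {host: sorted(tactics) for host, tactics in ordered}


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a['tactic']}] {a['host']} {a['user']}: {a['rule']}")
    for host, tactics in hosts_by_tactic_coverage(found).items():
        print(f"{host}: {len(tactics)} tactic(s) -> {tactics}")
```

On the constructed events WS01 trips four rules across all three tactics, WS02 trips only the recovery-inhibition rule (its backup job is not matched), and WS03 is clean.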

Incident: Alleged sale of phone number Database from Portugal

  • Overview: On May 28, 2025, the threat actor hagilo2748 claims to be selling a Portugal Phone Number Database containing 7 million records.
  • Nature of Compromise & Impact: The sale of a large phone number database poses a significant privacy risk to millions of individuals. This data can be used for targeted SMS phishing (smishing) campaigns, telemarketing fraud, and other social engineering attacks.
  • Observed Attack Vectors and TTPs: The method of obtaining this database is not specified, but such large datasets are often compiled from multiple breaches, web scraping, or compromised telecommunication systems.
  • Associated Threat Actor(s): hagilo2748. No specific threat actor profile for hagilo2748 is available in the provided research. This activity is typical of data brokers in the cybercriminal underground.
  • Published URL: https://leakbase.la/threads/portugal-phone-number-database-7m.38855/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/0e5cc1a3-bc77-4dfd-8b5f-43ef1b026e4f.png

Incident: Alleged sale of Phone Number Database from Poland

  • Overview: On May 28, 2025, the threat actor decojo4605 claims to be selling a Poland Citizen Phone Number Database, allegedly containing personal contact information of individuals in Poland.
  • Nature of Compromise & Impact: Similar to the Portugal database, the sale of a large phone number database for Polish citizens creates a substantial risk for targeted attacks like smishing, vishing, and other forms of social engineering, leading to potential fraud or identity theft.
  • Observed Attack Vectors and TTPs: The method of obtaining this database is not specified.
  • Associated Threat Actor(s): decojo4605. No specific threat actor profile for decojo4605 is available in the provided research. This activity is consistent with data brokering.
  • Published URL: https://leakbase.la/threads/poland-citizen-phone-number-database.38854/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/7d661499-d19b-4c5b-9e2d-47436c476072.png

Incident: Alleged sale of unauthorized access to an unidentified company in Dubai

  • Overview: On May 28, 2025, the threat actor LongNight claims to be selling admin access to an unidentified company in Dubai, United Arab Emirates, offering access to various corporate services and infrastructure. The victim is an Information Technology (IT) Services entity.
  • Nature of Compromise & Impact: The sale of admin access to an IT services company is highly critical, as it could provide a gateway to numerous downstream clients and their data. This could lead to widespread data breaches, service disruptions, or supply chain attacks.
  • Observed Attack Vectors and TTPs: LongNight is a financially motivated cybercriminal known for exploiting vulnerabilities to gain remote code execution (RCE) access, such as in backup systems [22]. This actor then sells this access, enabling other malicious actors to compromise critical systems [22].
  • Associated Threat Actor(s): LongNight. This actor specializes in exploiting critical infrastructure components for illicit gain and operates as an initial access broker [22].
  • Published URL: https://xss.is/threads/138631/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/bf52aca6-d5d6-45b9-8cc0-0a088cb3fddc.png

Incident: Alleged data leak of Russian Documents

  • Overview: On May 28, 2025, the threat actor DelitosPenales claims to have leaked the data of 4,000 Russian documents, sharing a sample via a screenshot link.
  • Nature of Compromise & Impact: The leak of government or official documents, even a limited number, can expose sensitive information, operational details, or personal data, leading to intelligence gathering by adversaries or public embarrassment.
  • Observed Attack Vectors and TTPs: The method of obtaining these documents is not specified.
  • Associated Threat Actor(s): DelitosPenales. No specific threat actor profile for DelitosPenales is available in the provided research. This activity could be financially motivated or politically motivated (hacktivism).
  • Published URL: https://darkforums.st/Thread-Document-Free-4k-Russian-Documents
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/767f0d42-36fa-481c-90e0-4a6c3dcc9d78.png

Incident: Alleged leak of USA Driver Licenses database

  • Overview: On May 28, 2025, the threat actor wndyn1337 claims to be selling a database containing 10,000 U.S. driver’s licenses, including front and back images (F&B) along with selfies of the license holders.
  • Nature of Compromise & Impact: The sale of driver’s licenses with images and selfies is extremely high-risk for identity theft, fraud (e.g., opening accounts, passing KYC checks), and targeted social engineering. This is a direct threat to the personal security of affected individuals.
  • Observed Attack Vectors and TTPs: The method of obtaining this data is not specified, but it likely involves a significant breach of a government agency or a third-party service provider that processes driver’s license information.
  • Associated Threat Actor(s): wndyn1337. No specific threat actor profile for wndyn1337 is available in the provided research. This activity is typical of financially motivated data brokers.
  • Published URL: https://leakbase.la/threads/x10-000-usa-driver-licences-f-b-selfies-available-contact-me-on-telegram-kynw1337.38842/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/120a5fdd-c3d5-4727-9eab-570f6db56bc8.png

Incident: Alleged data leak of BKPSDM

  • Overview: On May 28, 2025, the threat actor KEDIRISECTEAM claims to have obtained the database of BKPSDM Lebak, Indonesia. It contains detailed personal and employment data of civil servants, including names, ID numbers, job and education history, contact information, and other sensitive records, posing a significant data privacy risk. The victim is a Government Administration entity [23].
  • Nature of Compromise & Impact: A data leak from a government human resources agency, exposing detailed civil servant data, is a severe privacy breach. This information can be used for targeted phishing, blackmail, or even espionage, impacting national security and individual privacy.
  • Observed Attack Vectors and TTPs: The method of obtaining this data is not specified.
  • Associated Threat Actor(s): KEDIRISECTEAM. No specific threat actor profile for KEDIRISECTEAM is available in the provided research. This activity aligns with financially motivated data leaks or hacktivism.
  • Published URL: https://darkforums.st/Thread-Document-DATABASE-BKPSDM-LEBAKKAB
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2171fd82-dfa4-404f-b84e-b445a307ed0.png

Incident: Alleged data breach of santalucía seguros

  • Overview: On May 28, 2025, the threat actor vaquilla claims to have exploited a critical vulnerability in the Spanish insurance company santalucía seguros, gaining unrestricted access to its systems. As a result, they assert to have extracted a customer database containing 3 million records. The leaked information reportedly includes emails, password hashes, full names, dates of birth, phone numbers, street addresses, zip codes, cities, and usernames. The victim is an Insurance entity in Spain.
  • Nature of Compromise & Impact: A data breach of an insurance company, exposing 3 million customer records with extensive PII and password hashes, is a major incident. This data can be used for identity theft, financial fraud, and targeted phishing. Hashed passwords are better than plaintext, but the protection depends entirely on the algorithm: unsalted fast hashes (MD5, SHA-1, plain SHA-256) are recovered at scale from wordlists within minutes, while a slow, salted KDF (bcrypt, scrypt, Argon2) resists bulk cracking. Because the post does not state the hash format, affected users should be treated as credential-compromised and forced to rotate passwords, with credential-stuffing monitoring on any other service where those emails are registered.
  • Observed Attack Vectors and TTPs: The threat actor claims to have exploited a "critical vulnerability" to gain "unrestricted access." These are the actor's own words; the post does not identify the flaw, so whether it was a zero-day, an unpatched N-day, or a misconfiguration cannot be determined from the claim, and the claim itself is unverified.
  • Associated Threat Actor(s): vaquilla. No specific threat actor profile for vaquilla is available in the provided research.24 This activity is typical of financially motivated cybercriminals.
  • Published URL: https://leakbase.la/threads/spain-santalucia-es-customers-3m-2025.38846/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/dd261b4a-5a0a-43f4-a603-67170ea759c3.png

Incident: Alleged data breach of Amazon

  • Overview: On May 28, 2025, the threat actor vaquilla claims to be selling a database containing 5.1 million records allegedly extracted from Amazon Spain. The leaked data reportedly includes sensitive customer information such as full names, email addresses, phone numbers, DNI (national ID numbers), street addresses, zip codes, and cities. The breach appears to affect individuals across various regions of Spain and is said to have occurred between 2024 and 2025. The victim is an E-commerce & Online Stores entity in Spain.
  • Nature of Compromise & Impact: A data breach affecting 5.1 million Amazon Spain customers, exposing extensive PII, is a massive incident. This data is highly valuable for identity theft, targeted phishing, and various forms of fraud. This incident highlights the significant impact of data breaches on large e-commerce platforms.25
  • Observed Attack Vectors and TTPs: The method of extraction is not specified. Large-scale retail data sets of this kind typically come from exploitation of a web-application or API flaw, from a compromised third party that holds customer data (the MOVEit incident that exposed Amazon employee data through a vendor 25 is an example of the supply-chain path, though it involved a different data set), or from social engineering of staff with data access. The presence of DNI numbers suggests a source that performs identity checks, such as a delivery, returns, or marketplace-seller process, rather than a plain account database.
  • Associated Threat Actor(s): vaquilla. No specific threat actor profile for vaquilla is available in the provided research.24 This activity is typical of financially motivated cybercriminals.
  • Published URL: https://leakbase.la/threads/spain-amazon-es-es-amazon-espana-5-1m.38852/
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2e64c0f3-244a-4f29-bfa9-1033cd3c1d37.png

Incident: Alleged data breach of SANTIAGO DE CALI UNIVERSITY

  • Overview: On May 28, 2025, a threat actor identified as aero claims to have obtained over 127 CSV/XLSX files from the SNIES database (Colombia's national higher-education information system, operated by the Ministry of Education) related to Universidad Santiago de Cali in Colombia. The files reportedly contain information on study levels, enrollment, national entities, document types, expenses, and institutional data, including files like Colegio.csv and IES.csv. The victim is a Higher Education/Academia entity.
  • Nature of Compromise & Impact: A data breach involving a university's SNIES reporting data poses a risk to student and faculty privacy and to the integrity of academic records if individual-level records are included. The contents listed in the claim (enrollment figures, institution and school reference tables, expense data) read as institutional and statistical rather than per-person, so the privacy impact should be confirmed against the actual files before notification decisions are made; if personal records are present, the data can support identity theft, academic fraud, and targeted social engineering. Educational institutions remain frequent targets for data breaches.17
  • Observed Attack Vectors and TTPs: The method of obtaining this data is not specified. aero is not a known alias of APT29,5 and nothing in the post links this activity to state-sponsored actors; the only overlap is the target sector, since APT29, a Russian state-sponsored cyberespionage group, is known to target education, telecommunications, and government entities using spearphishing, supply chain attacks, and vulnerability exploitation for initial access.5 The claim should be treated as criminal data theft of unknown method.
  • Associated Threat Actor(s): aero. No specific threat actor profile for aero is available in the provided research. This activity could be financially motivated or for intelligence gathering.
  • Published URL: https://darkforums.st/Thread-SNIES-SANTIAGO-DE-CALI-UNIVERSITY
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/44944690-ae7f-483a-9679-31a3acd23f77.png

This section provides in-depth intelligence on key threat actors, detailing their aliases, motivations, typical targets, and operational TTPs. Understanding these profiles is crucial for developing effective defensive strategies.

Threat Actor: Scattered Spider

  • Aliases and Known Affiliations: Scattered Spider operates under various aliases, including UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Storm-0875, Octo Tempest, LUCR-3, and Star Fraud.13 The group has operated as an affiliate of the ALPHV ransomware operation, also known as BlackCat.13
  • Country of Origin and Motivations: While a specific country of origin is not explicitly stated, Scattered Spider is a cybercriminal group primarily motivated by data theft for extortion.13 They are also known to deploy BlackCat/ALPHV ransomware as part of their operations.13
  • Target Industries and Geographies: Scattered Spider targets a wide array of sectors, including customer relationship management (CRM), business process outsourcing (BPO), telecommunications, technology, hospitality, retail, media and entertainment, and financial services.13 Their operations have been observed globally, with notable compromises in the United States, including major casino and gambling companies.13
  • Typical Tactics, Techniques, and Procedures (TTPs):
  • Initial Access: Scattered Spider’s attacks frequently begin with social engineering. This includes SMS phishing campaigns, phone calls to victim help desks to obtain password reset links or MFA bypass codes, and SIM swapping attacks.13
  • Persistence: Once credentials are compromised, they utilize legitimate software such as AnyDesk and ScreenConnect to maintain a foothold.13 They are also known to install multiple Remote Monitoring and Management (RMM) tools (e.g., Zoho Assist, Splashtop, TeamViewer) to ensure persistent backdoor access.13
  • Privilege Escalation: The group escalates privileges by dumping credentials with tools such as Mimikatz and Impacket's secretsdump, then reusing the recovered domain and service-account credentials.13
  • Defense Evasion: Scattered Spider employs various techniques to evade detection. They disable antivirus and host-based firewalls, create defender exclusions, deactivate or uninstall Endpoint Detection and Response (EDR) and other monitoring products, and set up unmanaged cloud virtual machines.13 For operational security, they consistently use commercial VPN services (e.g., Mullvad VPN, ExpressVPN, NordVPN) to obscure their geographic location.13 They also manipulate scheduled tasks and clear alerts within EDR administrative consoles.13
  • Lateral Movement: They move laterally through the network using Remote Desktop Protocol (RDP), SSH, and other services.13
  • Command & Control (C2): They have sought to establish reverse proxy shells or SSH tunnels for command and control and for data exfiltration, using tunneling software such as RSocx.13
  • Impact: In the final stages of their attacks, they disable security and recovery services, exfiltrate data, and conduct ransomware operations.13 They commonly use file transfer sites like put.io, transfer.sh, and gofile.io for data exfiltration and to retrieve attack tools.13
  • Known Tools and Malware: The group has used a phishing kit known as EIGHTBAIT and later adopted new kits copied from targeted organizations’ webpages.13 They also leverage various RMM tools and common file transfer agents like Cyberduck.13
  • Notable Historical Activities/Campaigns: Scattered Spider initially gained notoriety by obtaining Okta identity credentials and multi-factor authentication (MFA) codes to execute supply chain attacks against Okta’s clients.13 They are well-known for hacking Caesars Entertainment and MGM Resorts International.13 Their capabilities have expanded to include bring-your-own-vulnerable-driver (BYOVD) attacks.13
  • Relevant Incidents: Scattered Spider’s TTPs are highly relevant to incidents involving credential theft, data leaks, and initial access, such as the “Alleged sale of CoinMarketCap credentials” or “Alleged sale of unauthorized access to a Magento 1-based online store in USA.”
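The Persistence, Privilege Escalation, Defense Evasion and Impact entries above describe behaviours that are individually noisy but, on one host within a short window, are a strong signal. The script below is an added example (not from the report or from any vendor product) of turning that profile into a hunt: it reads constructed, pipe-delimited stand-ins for EDR/Sysmon process-creation and network events, tallies per host the distinct RMM products installed, Defender exclusion or disable commands, credential-dumping tools, and contact with the named file-transfer sites, and alerts when two or more of those findings coincide. The field layout, executable paths and product keywords are assumptions; map them to your own telemetry.

```python
"""Hunt for Scattered Spider style post-compromise behaviour on endpoints.

Added example for illustration. SAMPLE_LOGS are constructed events in
the format  timestamp|host|kind|subject|commandline  where subject is
the process image for ProcessCreate events and the destination host
for NetworkConnect events. Product names, paths and the RMM list are
assumptions standing in for real telemetry and your own allow-list.
"""
import re
from collections import defaultdict

# Multiple RMM agents on one host is the "redundant backdoor" pattern.
RMM_PRODUCTS = ("anydesk", "screenconnect", "splashtop", "teamviewer", "zoho assist")
# File-transfer sites the profile names for exfiltration and tool staging.
EXFIL_DOMAINS = ("put.io", "transfer.sh", "gofile.io")
CRED_TOOLS = ("mimikatz", "secretsdump")
# Defender exclusions or real-time-protection disablement via PowerShell.
DEFENDER_TAMPER = re.compile(
    r"(Add-MpPreference\s+-Exclusion|Set-MpPreference\s+-Disable\w*Monitoring)", re.I)

SAMPLE_LOGS = [
    r"2025-05-28T10:02:11Z|WS-042|ProcessCreate|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|AnyDesk.exe --install",
    r"2025-05-28T10:04:03Z|WS-042|ProcessCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -c Add-MpPreference -ExclusionPath C:\Users\Public",
    r"2025-05-28T10:09:27Z|WS-042|ProcessCreate|C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe|ScreenConnect.ClientService.exe",
    r"2025-05-28T10:15:52Z|WS-042|ProcessCreate|C:\Users\Public\mimikatz.exe|mimikatz.exe privilege::debug sekurlsa::logonpasswords",
    r"2025-05-28T10:31:08Z|WS-042|NetworkConnect|store1.gofile.io|C:\Windows\System32\curl.exe",
    r"2025-05-28T09:12:45Z|WS-007|ProcessCreate|C:\Program Files\TeamViewer\TeamViewer.exe|TeamViewer.exe",
    r"2025-05-28T09:13:01Z|WS-007|NetworkConnect|www.example.com|C:\Program Files\Google\Chrome\Application\chrome.exe",
]


def parse(line: str) -> dict:
    ts, host, kind, subject, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "kind": kind, "subject": subject, "cmd": cmd}


def _new_host_stats():
    return {"rmm": set(), "tamper": [], "cred": [], "exfil": set()}


def hunt(lines):
    """Aggregate indicator hits per host."""
    per_host = defaultdict(_new_host_stats)
    for line in lines:
        ev = parse(line)
        stats = per_host[ev["host"]]
        blob = (ev["subject"] + " " + ev["cmd"]).lower()
        if ev["kind"] == "ProcessCreate":
            for product in RMM_PRODUCTS:
                if product in blob:
                    stats["rmm"].add(product)
            if DEFENDER_TAMPER.search(ev["cmd"]):
                stats["tamper"].append(ev["cmd"])
            for tool in CRED_TOOLS:
                if tool in blob:
                    stats["cred"].append(tool)
        elif ev["kind"] == "NetworkConnect":
            dest = ev["subject"].lower()
            for domain in EXFIL_DOMAINS:
                if dest == domain or dest.endswith("." + domain):
                    stats["exfil"].add(domain)
    return per_host


def score(stats) -> list:
    """Turn raw hits into findings; one RMM tool alone is not a finding."""
    findings = []
    if len(stats["rmm"]) >= 2:
        findings.append(f"multiple RMM tools installed: {sorted(stats['rmm'])}")
    if stats["tamper"]:
        findings.append("Defender exclusion or real-time protection disabled")
    if stats["cred"]:
        findings.append(f"credential dumping tool executed: {sorted(set(stats['cred']))}")
    if stats["exfil"]:
        findings.append(f"contact with file-transfer site: {sorted(stats['exfil'])}")
    return findings


def alerts(lines, min_findings: int = 2) -> dict:
    """Hosts with at least min_findings coinciding findings."""
    out = {}
    for host, stats in hunt(lines).items():
        findings = score(stats)
        if len(findings) >= min_findings:
            out[host] = findings
    return out


if __name__ == "__main__":
    for host, findings in alerts(SAMPLE_LOGS).items():
        print(host)
        for f in findings:
            print("  -", f)
```

The threshold of two coinciding findings is what keeps a help-desk-sanctioned TeamViewer install from paging anyone; in a real deployment the RMM list should be the complement of the tools your organisation actually licenses, and the window should be bounded (the profile's activity here fits inside half an hour).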

Threat Actor: APT29 (Cozy Bear / Midnight Blizzard)

  • Aliases and Known Affiliations: APT29 is known by numerous aliases, including ATK 7, Blue Dev 5, Blue Kitsune, BlueBravo, Cloaked Ursa, CloudLook, Cozy Bear, CozyDuke, Cranefly

Works cited

  1. Threat Actor Spotlight: Pryx – Morado Intelligence, accessed May 28, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
  2. Dark Web Profile: FunkSec – SOCRadar® Cyber Intelligence Inc., accessed May 28, 2025, https://socradar.io/dark-web-profile-funksec/
  3. Breach Roundup: US Indicts Qakbot Malware Leader – Bank Info Security, accessed May 28, 2025, https://www.bankinfosecurity.com/breach-roundup-us-indicts-qakbot-malware-leader-a-28464
  4. THREAT PROFILE: APT29 – Blackpoint Cyber, accessed May 28, 2025, https://blackpointcyber.com/wp-content/uploads/2024/06/Threat-Profile-APT29_Blackpoint-Adversary-Pursuit-Group-APG_2024.pdf?utm_campaign=Image%20Editing%20/%20Aviary%20Launch/
  5. Threat Actor Profile: APT29 – Cyble, accessed May 28, 2025, https://cyble.com/threat-actor-profiles/apt-29/
  6. 2017-03-08 Anadolu University | Scholars at Risk, accessed May 28, 2025, https://www.scholarsatrisk.org/report/2017-03-08-anadolu-university/
  7. Learning Outcomes | Anadolu University, accessed May 28, 2025, https://www.anadolu.edu.tr/en/academics/faculties/course/150996/acil-durum-ve-afetlerde-ulastirma-yonetimi-ve-uygulamalari/learning-outcomes
  8. Cybersecurity Profile 2025: India – The Henry M. Jackson School of …, accessed May 28, 2025, https://jsis.washington.edu/news/cybersecurity-profile-2025-india/
  9. Crypto Hacks Soar to $1.63 Billion in Q1 2025, Bybit and Phemex Among Biggest Targets, accessed May 28, 2025, https://coinmarketcap.com/academy/article/crypto-hacks-soar-to-dollar163-billion-in-q1-2025-bybit-and-phemex-among-biggest-targets
  10. Crypto Hack Surge in January 2025, Users Losses Top $73.9M: ImmuneFi | CoinMarketCap, accessed May 28, 2025, https://coinmarketcap.com/academy/article/6a9dac48-09d1-4a53-ace8-d87853ed8f94
  11. Over 180m users’ passwords, login credentials stolen in massive data breach, says national cyber security body – Pakistan – Dawn, accessed May 28, 2025, https://www.dawn.com/news/1913465/over-180m-users-passwords-login-credentials-stolen-in-massive-data-breach-says-national-cyber-security-body
  12. Brief Disruptions, Bold Claims: The Tactical Reality Behind the India …, accessed May 28, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
  13. Scattered Spider: Threat Actor Profile – Cyble, accessed May 28, 2025, https://cyble.com/threat-actor-profiles/scattered-spider/
  14. Utkarsh, accessed May 28, 2025, https://utkarshresearchnetwork.in/systematicreview.php
  15. Reflections of the India–Pakistan Kashmir Escalation on the Cyber …, accessed May 28, 2025, https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/
  16. Fast fibre internet plans with unlimited data – Superloop, accessed May 28, 2025, https://www.superloop.com/internet/fibre/
  17. Data Breach – Protecting Student Privacy – Department of Education, accessed May 28, 2025, https://studentprivacy.ed.gov/topic/data-breach
  18. Dentons HPRP Secures Thrilling Success in Telkomsel’s Sale and Lease Back of IBS Assets, accessed May 28, 2025, https://dentons.hprplawyers.com/en/about-dentons-hprp/news/2024/july/dentons-hprp-secures-thrilling-success-in-telkomsels-sale-and-lease-back-of-ibs-assets
  19. Fire at Radio Nigeria’s Broadcasting House put out – FRCN HQ, accessed May 28, 2025, https://radionigeria.gov.ng/2024/11/28/fire-at-radio-nigerias-broadcasting-house-lagos-put-out/
  20. Black Lives Matter mural coverage Archives – Lookout Santa Cruz, accessed May 28, 2025, https://lookout.co/tag/black-lives-matter-mural-coverage
  21. Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts …, accessed May 28, 2025, https://thedfirreport.com/2024/08/12/threat-actors-toolkit-leveraging-sliver-poshc2-batch-scripts/
  22. Threat Actor Sells Burger King Backup System RCE Vulnerability for …, accessed May 28, 2025, https://gbhackers.com/threat-actor-sells-burger-king-backup-system/
  23. BKPSDM Kabupaten Lebak: Home, accessed May 28, 2025, https://bkpsdm.lebakkab.go.id/
  24. Full article: Latino gangs in Spain: from the Latin Kings & Queens to the Dominican don’t play, accessed May 28, 2025, https://www.tandfonline.com/doi/full/10.1080/13691457.2024.2352001
  25. Amazon Data Breach: What Happened and How To Prevent It – StrongDM, accessed May 28, 2025, https://www.strongdm.com/what-is/amazon-data-breach