[June-26-2025] Daily Cybersecurity Threat Report

Executive Summary

The past 24 hours reveal a dynamic and increasingly complex cybersecurity landscape, characterized by a convergence of motivations among threat actors and a notable escalation in sophisticated attack methodologies. Key incidents highlight the persistent threat from financially motivated cybercriminals leveraging “as-a-service” models, the strategic targeting of critical infrastructure and network edge devices by highly capable actors, and the continued evolution of evasion techniques designed to bypass traditional defenses. Geopolitical tensions are observed to directly fuel diverse cyber operations, often with hacktivist facades masking state-sponsored or financially driven objectives.

Organizations face adversaries who are adaptable, professionalized, and capable of operating with a high degree of stealth. Effective defense necessitates a multi-layered approach, prioritizing robust patching of internet-facing systems, implementing strong multi-factor authentication (MFA), deploying advanced endpoint detection and response (EDR) solutions, and conducting continuous employee training against evolving social engineering tactics. A critical focus must also be placed on monitoring for “Living off the Land” (LOTL) techniques and anomalous network behavior that signals sophisticated, camouflaged operations.

Daily Incident Analysis

This section provides a detailed analysis of recent cybersecurity incidents, profiling the associated threat actors, their methodologies, and the broader implications of their activities.

Incident 1: Alleged data sale of Indian citizen database

Incident Overview:

The threat actor claims to be selling a private API that contains an Indian citizen database. The compromised data includes full name, father’s or spouse’s name, email address, phone number, alternate number, full address, Aadhaar number, and circle or region information.

Attack Vector & Methodology:

This incident is categorized as a Data Leak, where the threat actor is selling access to a private API containing sensitive personal information. The methodology involves the exfiltration and offering for sale of a large dataset, indicating a prior breach or unauthorized access to the database.

Associated Threat Actor(s) Profile: Dbproviderin

Dbproviderin is identified as a cybercriminal group primarily driven by financial gain, focusing on the exfiltration of sensitive data from targeted systems. This actor distinguishes its operations by leveraging legitimate database client tools, such as DBeaver (version 25.0.4), Navicat Premium (version 17.2.5), and sqlcmd. The use of these tools, particularly sqlcmd, a default Microsoft SQL Server utility, aligns with “Living off the Land” (LOTL) tactics.[1] This approach allows Dbproviderin to blend malicious activity into normal system operations, making detection exceptionally challenging for traditional security measures.[1]

The modus operandi of Dbproviderin indicates that the actors have already progressed to advanced stages of information gathering. Their ability to use these database client tools suggests they have acquired critical database access details, including IP addresses, port numbers, and credentials.[1] Attack scenarios frequently involve initial access via Remote Desktop Protocol (RDP) or reverse tunneling, followed by the installation of these legitimate tools for data extraction.[1] Exfiltrated data is typically formatted as CSV or .bak files for external transfer.[1] Traces of their activities are often buried within system logs, local records of the client tools, and SQL Server execution logs, demanding meticulous forensic analysis to uncover the full scope of a breach.[1] The reliance on legitimate tools for malicious purposes underscores a significant challenge for organizations, as it shifts the detection burden from identifying known malware signatures to discerning anomalous behavior of authorized tools. This necessitates a heightened focus on behavioral analytics and comprehensive log monitoring.
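As an added illustration of the behavioral monitoring this profile calls for (it is not part of the report or its sources), the following Python triage logic flags the database client tools named above when they run under an account outside a DBA allow-list, inside an RDP session, or with a command line that writes a CSV or .bak export. The process events, hostnames, account names and the allow-list are constructed for the example, and the field layout assumes process-creation telemetry (for instance Sysmon event 1 or Windows event 4688) that has already been parsed into records.

```python
"""Triage process-creation events for anomalous use of database client tools.

Added example for this report; the events, hostnames and account names below
are constructed, and the record layout assumes process-creation telemetry
(e.g. Sysmon event 1 / Windows 4688) already parsed into fields.
"""
import re
from dataclasses import dataclass

# Client tools named in the Dbproviderin profile. sqlcmd ships with SQL Server,
# so its mere presence is not an indicator; the context it runs in is.
DB_CLIENT_IMAGES = {"dbeaver.exe", "navicat.exe", "sqlcmd.exe"}

# Hypothetical allow-list of accounts expected to run these tools.
APPROVED_DBA_ACCOUNTS = {"CORP\\dba_svc", "CORP\\alice.dba"}

# Windows logon type 10 = RemoteInteractive (RDP), the initial-access path
# the profile describes.
RDP_LOGON_TYPE = 10

# Command lines that write a CSV or .bak file, the export formats the profile
# reports being staged for exfiltration.
EXPORT_PATTERN = re.compile(r"\.(?:csv|bak)\b|\bBACKUP\s+DATABASE\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str          # full image path
    command_line: str
    logon_type: int     # logon type of the session that spawned the process


def image_name(ev):
    """Lower-cased file name of the executed image."""
    return ev.image.rsplit("\\", 1)[-1].lower()


def suspicious_reasons(ev):
    """Return the reasons an event looks anomalous; an empty list means benign."""
    if image_name(ev) not in DB_CLIENT_IMAGES:
        return []
    reasons = []
    if ev.user not in APPROVED_DBA_ACCOUNTS:
        reasons.append("database client run by a non-DBA account")
    if ev.logon_type == RDP_LOGON_TYPE:
        reasons.append("database client launched inside an RDP session")
    if EXPORT_PATTERN.search(ev.command_line):
        reasons.append("command line writes a CSV/.bak export")
    return reasons


def triage(events):
    """Return (host, user, image, reasons) for every event with at least one reason."""
    findings = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            findings.append((ev.host, ev.user, image_name(ev), reasons))
    return findings


# Constructed sample telemetry: one approved DBA session, one RDP-borne
# backup-to-disk by a non-DBA, one benign service query, one unrelated
# process, and an RDP-borne Navicat launch by a helpdesk account.
SAMPLE_EVENTS = [
    ProcessEvent("SQL01", "CORP\\alice.dba", r"C:\Program Files\DBeaver\dbeaver.exe",
                 "dbeaver.exe", 2),
    ProcessEvent("SQL01", "CORP\\jsmith",
                 r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
                 'sqlcmd.exe -S SQL01 -Q "BACKUP DATABASE Customers TO DISK=\'C:\\Users\\Public\\cust.bak\'"', 10),
    ProcessEvent("SQL01", "CORP\\dba_svc",
                 r"C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe",
                 'sqlcmd.exe -S SQL01 -Q "SELECT 1"', 5),
    ProcessEvent("WS07", "CORP\\jsmith", r"C:\Windows\System32\notepad.exe", "notepad.exe", 2),
    ProcessEvent("SQL02", "CORP\\helpdesk", r"C:\Program Files\PremiumSoft\Navicat Premium\navicat.exe",
                 "navicat.exe", 10),
]

if __name__ == "__main__":
    for host, user, image, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} {user} {image}: {'; '.join(reasons)}")
```

Running the block reports the sqlcmd backup and the Navicat launch and stays silent on the approved DBA activity. In production the allow-list would come from an identity source rather than a constant, and the same three conditions map directly onto a SIEM rule keyed on image name, account and logon type.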

References:

Incident 2: Alleged Sale of Data from Vietnam Airlines Flight Training Center

Incident Overview:

A threat actor claims to be selling 70GB of data from the Vietnam Airlines Flight Training Centre. The compromised data reportedly includes student information, teacher identities, exam materials, training documents, and other internal storage files.

Attack Vector & Methodology:

This is a Data Leak incident, where a significant volume of internal data (70GB) from an aviation training center is being offered for sale. The attack vector likely involved unauthorized access to the organization’s internal storage systems, followed by data exfiltration.

Associated Threat Actor(s) Profile: HelluvaHack

“HelluvaHack” serves as an umbrella term encompassing a broad range of hacktivist activities that have seen a significant resurgence and intensification since early 2022, particularly in response to the Russian invasion of Ukraine and the Israel-Hamas conflict.[2] These groups are primarily motivated by political or social activism, seeking to increase their prestige and publicize their campaigns.[2]

The operational methods of these hacktivists often involve layering multiple tactics in hybrid operations to amplify their impact.[2] A notable characteristic is their tendency to target organizations that may not be directly involved in the triggering geopolitical event, selecting high-profile targets such as critical infrastructure or major businesses to maximize publicity.[2] Messaging is typically promoted through direct claims, social media channels, or actor-owned websites.[2] While some hacktivist activities may be of relatively low sophistication, involving distributed denial-of-service (DDoS) attacks, data theft, leaks, or website defacement, there is an observable trend towards more dexterous operations.[3] A critical development is the increasing evidence of geopolitically and financially motivated groups adopting hacktivist facades to obscure their true intentions.[2] This includes instances where nation-state actors cultivate hacktivist personas to claim responsibility for disruptive operations, thereby gaining plausible deniability for their cyber activities.[2] For example, the pro-Iranian CyberAv3ngers, linked to the Islamic Revolutionary Guard Corps (IRGC), and the pro-Israel “Gonjeshke Darande” are groups where nation-state sponsorship is indicated.[2] Some groups, despite their declared ideological sympathies, also engage in commercial activities like offering DDoS-as-a-service or selling malware, further blurring the lines between hacktivism and cybercrime.[3] The use of fabricated images or outdated data to support claims, as observed with the 1915 Team, also highlights a deceptive element in their operations.[3] This evolving landscape necessitates a nuanced understanding of hacktivist claims, as they may conceal more sophisticated, state-backed, or financially driven agendas.

References:

Incident 3: WOLF CYBER ARMY targets the website of Cafe Little Karachi

Incident Overview:

The group claims to have defaced the website of Cafe Little Karachi.

Attack Vector & Methodology:

This incident is a website Defacement, indicating that the threat group gained unauthorized access to the web server or content management system of Cafe Little Karachi and altered its public-facing content.

Associated Threat Actor(s) Profile: WOLF CYBER ARMY

The provided research notes do not contain specific details about the “WOLF CYBER ARMY” group beyond their involvement in defacement activities.[12] Their actions align with hacktivist motivations, aiming to promote an ideology or cause through public disruption and defacement of websites. Such groups often employ relatively low-sophistication methods to achieve their objectives, focusing on visibility and public messaging.

References:

Incident 4: Alleged sale of access to an unidentified Italian company

Incident Overview:

The threat actor claims to be selling access to an unidentified Italian company through a WebShell.

Attack Vector & Methodology:

This is an Initial Access incident, where the threat actor has gained unauthorized entry to a system, likely a web server, and established a WebShell. A WebShell provides remote control over the compromised server, which can then be sold for further malicious activities such as data exfiltration or lateral movement.

Associated Threat Actor(s) Profile: hackutron

The provided research notes do not contain specific details about the “hackutron” threat actor. However, their activity of selling access via a WebShell is consistent with Initial Access Brokers (IABs) or financially motivated cybercriminals who monetize unauthorized access to networks. This type of access is often a precursor to more significant attacks, including ransomware deployment or data theft.

References:

Incident 5: Alleged data leak of CitraLand Cibubur

Incident Overview:

The threat actor claims to be selling data from CitraLand Cibubur. The compromised data contains names and telephone numbers.

Attack Vector & Methodology:

This is a Data Breach incident, involving the unauthorized acquisition and subsequent offering for sale of personal identifiable information (names and telephone numbers) from CitraLand Cibubur. The specific method of breach is not detailed, but it indicates a compromise of customer databases.

Associated Threat Actor(s) Profile: HIME666

HIME666 is a financially motivated cybercriminal actor engaged in diverse and sophisticated operations, including malware distribution and direct financial fraud. This actor has been linked to a “distribution-as-a-service” operation that has been active since August 2022.[4] A primary method involves publishing over 67 trojanized GitHub repositories that falsely claim to offer Python-based hacking tools but instead deliver malicious payloads.[4] These payloads are designed to siphon sensitive information such as credentials, browser data, and session tokens, while also establishing persistent remote access to compromised systems.[4]

Beyond malware distribution, HIME666 has also been observed executing highly deceptive search engine optimization (SEO) poisoning attacks to facilitate payroll fraud.[5] In these attacks, the actor creates fake authentication portals that mimic legitimate organizations, manipulating search results to rank these malicious sites highly.[5] This tactic tricks employees, particularly those using mobile devices, into unknowingly entering their credentials on the fraudulent pages.[5] Once credentials are stolen, the actor gains access to payroll portals, such as SAP SuccessFactors, to modify direct deposit information and redirect employee paychecks to their own accounts.[5] To mask their traffic and evade detection, HIME666 utilizes compromised home office routers (including brands like ASUS and Pakedge) and mobile networks.[5] The actor also leverages legitimate messaging services like Pusher to receive instant notifications of stolen credentials, enabling rapid reuse before victims can change them.[5] This dual approach of broad malware distribution and targeted financial fraud demonstrates a highly organized and professionalized approach to cybercrime, emphasizing the need for comprehensive security measures that extend beyond traditional malware detection to address supply chain risks, advanced phishing, and network anomalies.

References:

Incident 6: Alleged data leak of Taman Anggrek Residences

Incident Overview:

The threat actor claims to be selling data from Taman Anggrek Residences. The compromised data contains names and telephone numbers.

Attack Vector & Methodology:

This is a Data Breach incident, similar to the previous one, involving the unauthorized acquisition and sale of personal identifiable information (names and telephone numbers) from Taman Anggrek Residences. The specific method of breach is not detailed, but it indicates a compromise of customer databases.

Associated Threat Actor(s) Profile: HIME666

HIME666 is profiled under Incident 5 above; the same profile applies to this incident.

References:

Incident 7: Alleged sale of Royal Thai Police data

Incident Overview:

The threat actor claims to be selling 130 GB of data from the Royal Thai Police. The compromised data reportedly includes sensitive law enforcement records such as vehicle stop data, offender reports, arrest and checkpoint operation details, internal officer communications, and document archives totaling over 2.5 million files.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and sale of a massive 130 GB dataset from a law enforcement agency. The nature of the data suggests a deep compromise of internal systems, potentially through network intrusion or insider access, leading to the theft of highly sensitive operational and personal information.

Associated Threat Actor(s) Profile: sazz

The provided research notes do not contain specific details about the “sazz” threat actor.[13] However, their activity of selling a large volume of sensitive data from a government entity aligns with financially motivated cybercriminals or potentially state-sponsored actors seeking to monetize or disrupt. The targeting of law enforcement data indicates a high-value target for various malicious purposes.

References:

Incident 8: Alleged data leak of Golf Island Pantai Indah Kapuk (PIK)

Incident Overview:

The threat actor claims to be selling data from Golf Island Pantai Indah Kapuk. The compromised data contains names and telephone numbers.

Attack Vector & Methodology:

This is a Data Breach incident, involving the unauthorized acquisition and sale of personal identifiable information (names and telephone numbers) from Golf Island Pantai Indah Kapuk. The specific method of breach is not detailed, but it indicates a compromise of customer databases.

Associated Threat Actor(s) Profile: HIME666

HIME666 is profiled under Incident 5 above; the same profile applies to this incident.

References:

Incident 9: Alleged data breach of PIK2

Incident Overview:

The threat actor claims to have breached the organization’s data, leaking sensitive information such as names, phone numbers, and more.

Attack Vector & Methodology:

This is a Data Breach incident, involving the unauthorized acquisition and leaking of sensitive personal information. The broad description “much more” suggests a significant compromise of organizational data beyond just names and phone numbers. The specific breach method is not detailed.

Associated Threat Actor(s) Profile: HIME666

HIME666 is profiled under Incident 5 above; the same profile applies to this incident.

References:

Incident 10: Alleged data breach of Mi Argentina

Incident Overview:

The threat actor claims to have breached the organization’s data, leaking over 12,000 records containing personal information. The exposed data includes names, emails, addresses, dates of birth, and more.

Attack Vector & Methodology:

This is a Data Breach incident, involving the unauthorized acquisition and leaking of over 12,000 records of personal information from a government administration platform. The broad scope of data suggests a compromise of a central database or system.

Associated Threat Actor(s) Profile: aero

The provided research notes do not contain specific details about the “aero” threat actor.[14] However, their activity of breaching and leaking personal data from a government entity aligns with financially motivated cybercriminals or potentially hacktivist groups seeking to expose information. The nature of the victim (government administration) makes this a high-impact incident.

References:

Incident 11: Alleged sale of unauthorized admin access to an unidentified e-commerce site in France

Incident Overview:

The threat actor claims to be selling unauthorized full admin access to an unidentified PrestaShop store based in France, including card payment details and order data from January to June 26.

Attack Vector & Methodology:

This is an Initial Access incident, where the threat actor has gained full administrative access to an e-commerce platform. This level of access allows for the theft of sensitive customer data, including payment information, and potentially manipulation of the store’s operations. The sale of such access indicates a financially motivated objective.

Associated Threat Actor(s) Profile: Reve

Reve is a cybercriminal actor specializing in financial gain through sophisticated account takeover and resale. Their operations heavily rely on the exploitation of infostealer logs, which they acquire from both public and private Telegram channels.[6]

A key capability of Reve is their ability to test the validity of stolen session cookies without invalidating them, a technique that allows them to maintain access to compromised accounts.[6] They then employ anti-detect browsers to mimic the victim’s unique browser footprint, facilitating seamless session hijacking attacks to gain direct access to web application accounts.[6] The actor meticulously sifts through stealer logs to identify high-value credentials or cryptocurrency wallets.[6] Their process involves performing session replay attacks, where valid session data, such as authentication tokens, are captured and replayed to servers to fraudulently gain access, effectively mimicking the original user’s actions.[6] To evade attribution, Reve often leverages virtual machines (VMs) combined with VPNs, hacked remote desktop protocol (RDP) hosts, and proxies when accessing and sifting through these logs and compromised accounts.[6] Once successful, they typically save the compromised credentials and session cookies to their own browser’s password management system.[6] The final stages of their attack involve changing key profile information (e.g., email, password, two-factor authentication) to mechanisms they control, followed by transferring funds or reselling the compromised accounts.[6] This highly specialized and illicit monetization of stolen data highlights a thriving underground market and the critical need for organizations to implement strong multi-factor authentication and continuous session monitoring to detect and prevent such sophisticated account takeovers.
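The continuous session monitoring this profile recommends can be made concrete. The following Python is an added example, not code from the report or its sources: it binds each session ID to the client network and user agent observed at login and raises an alert when the same cookie is later presented from a different fingerprint, escalating to high severity when the request targets the profile fields (email, password, two-factor settings) that the profile lists as the takeover's final step. The log lines, their key=value format, the session IDs and the sensitive paths are all constructed for the example.

```python
"""Detect session-cookie replay from a client fingerprint other than the login's.

Added example for this report, not from the report or its sources. The log
lines below are constructed, and the key=value log format is assumed.
"""
import re
from ipaddress import ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+)$'
)

# Profile changes the Reve profile lists as the takeover's final step.
SENSITIVE_PATHS = {"/account/email", "/account/password", "/account/2fa"}


def fingerprint(ip, ua):
    """Bind a session to its client /24 network and user agent string.

    Anti-detect browsers can copy the user agent, so the network component
    is what usually catches a replay from the attacker's own infrastructure.
    """
    return (str(ip_network(f"{ip}/24", strict=False)), ua)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def detect_session_anomalies(lines):
    """Return alerts for requests whose fingerprint differs from the one seen at login."""
    bound = {}   # sid -> fingerprint recorded on the /login request
    alerts = []
    for line in lines:
        rec = parse(line)
        sid, fp = rec["sid"], fingerprint(rec["ip"], rec["ua"])
        if rec["path"] == "/login":
            bound[sid] = fp
            continue
        if sid not in bound:
            # Cookie presented without a login in this window: also suspicious.
            alerts.append({"ts": rec["ts"], "sid": sid, "user": rec["user"], "path": rec["path"],
                           "severity": "medium", "reason": "session used without an observed login"})
            continue
        if fp != bound[sid]:
            severity = "high" if rec["path"] in SENSITIVE_PATHS else "medium"
            alerts.append({"ts": rec["ts"], "sid": sid, "user": rec["user"], "path": rec["path"],
                           "severity": severity,
                           "reason": f"session bound to {bound[sid]} presented from {fp}"})
    return alerts


# Constructed sample log: bob's cookie reappears from another network with the
# user agent copied exactly; carol's address moves within her /24 (benign).
SAMPLE_LOG = """\
2025-06-26T08:00:01Z sid=abc123 user=bob ip=203.0.113.10 ua="Firefox/127" path=/login
2025-06-26T08:05:12Z sid=abc123 user=bob ip=203.0.113.10 ua="Firefox/127" path=/orders
2025-06-26T08:10:00Z sid=def456 user=carol ip=192.0.2.5 ua="Safari/17" path=/login
2025-06-26T08:30:00Z sid=def456 user=carol ip=192.0.2.9 ua="Safari/17" path=/orders
2025-06-26T09:41:03Z sid=abc123 user=bob ip=198.51.100.77 ua="Firefox/127" path=/orders
2025-06-26T09:42:30Z sid=abc123 user=bob ip=198.51.100.77 ua="Firefox/127" path=/account/email
2025-06-26T09:43:10Z sid=abc123 user=bob ip=198.51.100.77 ua="Firefox/127" path=/account/2fa
""".splitlines()

if __name__ == "__main__":
    for alert in detect_session_anomalies(SAMPLE_LOG):
        print(f"{alert['ts']} [{alert['severity']}] {alert['user']} {alert['path']}: {alert['reason']}")
```

On the sample the detector produces one medium alert for the first replayed request and two high alerts for the profile changes, while carol's in-network address change passes. A /24 check is deliberately coarse (mobile carriers and VPN egress will trip it), so the usual deployment pairs it with step-up authentication on the sensitive paths rather than blocking outright.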

References:

Incident 12: Alleged sale of Call Center surveillance dataset

Incident Overview:

The threat actor is offering for sale a high-fidelity surveillance dataset capturing inbound communications from specific call center numbers. The leak reportedly includes sensitive fields such as caller IP addresses (logged during calls), real-time geolocation data, device type and OS, network provider, voice pattern analytics, call frequency, and behavioral footprints.

Attack Vector & Methodology:

This is a Data Leak incident, involving the sale of a highly detailed surveillance dataset from call center communications. The nature of the data suggests a sophisticated compromise of telecommunications infrastructure or call center recording systems, allowing for the collection of extensive metadata and behavioral insights.

Associated Threat Actor(s) Profile: GoldRabbitMaghreb (GOLD DRAKE and GOLD CABIN)

“GoldRabbitMaghreb” serves as a collective term encompassing multiple financially motivated cybercrime groups, notably GOLD DRAKE (also known as Evil Corp) and GOLD CABIN. These groups exemplify the professionalization and “as-a-service” economy within the cybercriminal landscape.

GOLD DRAKE (Evil Corp)

GOLD DRAKE is a well-established, financially motivated cybercriminal group that began operating the Dridex botnet in 2014.[7] Initially, they distributed Dridex in high-volume campaigns, but later shifted to more targeted attacks.[7] From 2017 to early 2020, GOLD DRAKE developed and distributed the BitPaymer ransomware, often in post-intrusion attacks facilitated by Dridex.[7] Following sanctions by the U.S. Treasury Department in 2019, the group adapted by shifting to other ransomware variants such as WastedLocker, Hades, Phoenix CryptoLocker, and Payload.bin, and modified their intrusion techniques to avoid attribution.[7]

Their initial access often involves SocGholish for drive-by downloads, though stolen credentials have also been observed as an initial vector.[7] For post-exploitation activities, GOLD DRAKE heavily relies on PowerShell scripts, Cobalt Strike, Mimikatz, PsExec, and Metasploit.[7] Data exfiltration is often performed using tools like MEGASync, and they utilize RDP and reverse SOCKS proxies for command and control.[7] In 2024, a member of Evil Corp was identified as an affiliate of the LockBit ransomware-as-a-service (RaaS) scheme, demonstrating their continued adaptability and participation in the broader cybercriminal ecosystem.[7] The group’s evolution from botnet operations to diverse ransomware strains, and their ability to adapt to law enforcement pressure, highlights the resilience and dynamic nature of financially motivated cybercrime.

GOLD CABIN (ATK236, G0127, Monster Libra, Shakthak, TA551)

GOLD CABIN is a distinct financially motivated cybercriminal group that has operated a malware distribution service for various customers since 2018.[8] Their primary method involves delivering malicious documents, often contained within password-protected archives, via email.[8] The second-stage payloads frequently include prominent malware such as Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes employing intermediary malware like Valak.[8]

The group’s infrastructure relies on artificial and frequently changing URLs generated through a domain generation algorithm (DGA).[8] These URLs host PHP objects designed to return malware as DLL files.[8] GOLD CABIN’s role as a malware distribution service provider illustrates the specialization within the cybercrime underground, where different actors provide specific components of an attack chain. This “as-a-service” model lowers the barrier to entry for other criminals, increasing the overall volume and diversity of cyberattacks.
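Because DGA infrastructure changes faster than any blocklist, defenders typically score hostnames from DNS or proxy logs for the statistical signature of machine-generated labels. The Python below is an added example for this report, not the report's or the source's code and not a description of GOLD CABIN's actual algorithm: it combines label entropy, digit ratio, vowel ratio and consonant-run length into a score and flags a hostname when two or more indicators fire. The hostnames are constructed; the registrable label is approximated as the label before the final one, a simplification that misreads multi-part suffixes such as co.uk (a public suffix list would correct that).

```python
"""Heuristic scoring of DGA-like hostnames from DNS/proxy logs.

Added example for this report, not from the report or its sources, and not
GOLD CABIN's actual algorithm. Hostnames below are constructed. The
registrable label is approximated as the label before the final one
(a public suffix list would handle suffixes such as co.uk properly).
"""
import math
from collections import Counter

VOWELS = set("aeiou")


def registrable_label(hostname):
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits per character; random alphanumeric labels sit well above English words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Longest run of consonant letters; digits and vowels break the run."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_indicators(hostname):
    label = registrable_label(hostname)
    n = max(len(label), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "consonant_run": longest_consonant_run(label),
    }


def dga_score(hostname):
    """Count of indicators that fire; thresholds are tuning assumptions."""
    ind = dga_indicators(hostname)
    score = 0
    if ind["length"] >= 10 and ind["entropy"] >= 3.3:
        score += 1
    if ind["digit_ratio"] >= 0.25:
        score += 1
    if ind["vowel_ratio"] < 0.2:
        score += 1
    if ind["consonant_run"] >= 5:
        score += 1
    return score


def is_dga_like(hostname):
    return dga_score(hostname) >= 2


def flag_hostnames(hostnames):
    """Return the hostnames from a log extract that score as DGA-like, in order."""
    return [h for h in hostnames if is_dga_like(h)]


# Constructed sample: four ordinary hostnames and two random-looking labels.
SAMPLE_HOSTNAMES = [
    "www.microsoft.com",
    "cdn.cloudflare.com",
    "xk3q9vz2lw7.com",
    "newsletter.com",
    "qzjxvkwplmnb.net",
    "mail.google.com",
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        ind = dga_indicators(host)
        print(f"{host:22} entropy={ind['entropy']:.2f} score={dga_score(host)} "
              f"{'DGA-like' if is_dga_like(host) else 'ok'}")
```

Requiring two indicators keeps single-feature outliers from firing on their own, but pronounceable-yet-vowel-poor English words (e.g. long words with a consonant cluster) can still score two, so production detectors add a dictionary check and rank by newly-seen domains rather than alerting on the score alone.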

References:

Incident 13: Alleged unauthorized access to TRC Automation

Incident Overview:

The group claims to have gained access to TRC Automation in Italy.

Attack Vector & Methodology:

This is an Initial Access incident, where the threat group claims to have gained unauthorized entry to TRC Automation. Given the victim’s industry (Industrial Automation), this could imply access to operational technology (OT) systems, posing a significant risk of disruption or sabotage.

Associated Threat Actor(s) Profile: Z-PENTEST ALLIANCE

The Z-PENTEST ALLIANCE is a cybercrime group that first emerged in October 2023, with probable origins in Serbia and close ties to pro-Russian actors.[9] This group is characterized by its capability to penetrate operational technology (OT) control systems in critical infrastructure.[9] Their primary motivation is geopolitical: to weaken industrial and control systems (ICS/SCADA) in Western countries, thereby strengthening Russia’s geopolitical influence and creating divisions within NATO.[9] Financial gain, potentially from selling access to industrial systems and zero-day vulnerabilities on the dark web, also plays a role.[9]

Z-PENTEST ALLIANCE primarily targets the energy (oil and gas) and water sectors, demonstrating the ability to manipulate critical functions such as water pumping, gas flaring, and oil collection.[9] The group operates in a decentralized manner, with anonymous members and a fluid organization, complicating identification and tracking.[9] They coordinate their attacks on Telegram and private forums and use platforms like X (Twitter) for propaganda and to amplify the impact of their operations.[9] Their tactics include exploiting zero-day vulnerabilities, often acquired from the dark web or through collaborations with other groups.[9] They also employ social engineering techniques to obtain sensitive information or system access and leverage information from data leaks for more targeted attacks.[9] A particularly alarming tactic is the release of videos showcasing their access to critical systems, intended to instill fear and uncertainty in victims.[9] The group’s collaboration with other entities like SECTOR16, OverFlame, and People’s Cyber Army (PCA) further enhances their effectiveness.[9] The focus on critical infrastructure and the explicit geopolitical objectives signify a direct threat to national security and physical assets, necessitating specialized and robust defense strategies for OT/ICS environments.

References:

Incident 14: Alleged Data Breach of Zomato

Incident Overview:

The threat actor claims to have breached the Indian food delivery platform Zomato.com, offering access to all user login emails and passwords for $100. The leaked data allegedly includes user credentials such as email addresses and plaintext passwords.

Attack Vector & Methodology:

This is a Data Breach incident, involving the compromise of user login credentials from a major food delivery platform. The claim of plaintext passwords suggests either a lack of proper hashing practices or a deeper compromise allowing access to unencrypted data. The offering for sale indicates a financially motivated attack.

Associated Threat Actor(s) Profile: Team_CRO

The provided research notes do not contain specific details about the “Team_CRO” threat actor.[15] However, their activity of breaching and selling user credentials from an online service aligns with financially motivated cybercriminals. The targeting of a food delivery platform suggests a focus on consumer data that can be monetized through various illicit means.

References:

Incident 15: Alleged sale of access to an unidentified e-commerce shop in Greece

Incident Overview:

The threat actor claims to be selling admin access and a “drenched shell” on an unidentified e-commerce platform in Greece, including payment information from card and bank transactions and receipts from May to June 25.

Attack Vector & Methodology:

This is an Initial Access incident, where the threat actor has gained administrative access and established a “drenched shell” (likely a persistent backdoor or web shell) on an e-commerce platform. The inclusion of payment information and receipts indicates a compromise of sensitive financial data, making this a high-value target for financially motivated actors.

Associated Threat Actor(s) Profile: Valag

The provided research notes do not contain specific details about the “Valag” threat actor.16 However, their activity of selling administrative access and sensitive financial data from an e-commerce platform aligns with financially motivated cybercriminals or Initial Access Brokers (IABs). The detailed nature of the compromised data suggests a thorough compromise of the e-commerce system.

References:

Incident 16: WOLF CYBER ARMY targets the website of La Calebasse

Incident Overview:

The group claims to have defaced the website of La Calebasse.

Attack Vector & Methodology:

This incident is a website Defacement, indicating that the threat group gained unauthorized access to the web server or content management system of La Calebasse and altered its public-facing content.

Associated Threat Actor(s) Profile: WOLF CYBER ARMY

The provided research notes do not contain specific details about the “WOLF CYBER ARMY” group beyond their involvement in defacement activities.12 Their actions align with hacktivist motivations, aiming to promote an ideology or cause through public disruption and defacement of websites. Such groups often employ relatively low-sophistication methods to achieve their objectives, focusing on visibility and public messaging.

References:

Incident 17: Alleged data breach of Federal Bureau of Prisons

Incident Overview:

The threat actor claims to have breached the organization and leaked over 320 GB of data. The exposed data reportedly includes names, registration numbers, incident reports and more.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and leaking of a massive 320 GB dataset from a federal law enforcement agency. The nature of the data (names, registration numbers, incident reports) suggests a deep compromise of internal systems, potentially through network intrusion or insider access, leading to the theft of highly sensitive operational and personal information.

Associated Threat Actor(s) Profile: Iboogeyman

The provided research notes do not contain specific details about the “Iboogeyman” handle. The material below on Initial Access Brokers (IABs) and the Iran-nexus APT33 is drawn from the cited financial-sector threat overview.10 It is included as background on the actor types that trade in this kind of access, and as an illustration of the convergence of financial and state motivations in the current landscape; it is not an attribution of this incident to any of them.

Initial Access Brokers (IABs)

IABs such as TA577, TA569, TA570, Hive0145, and Prophet Spider (UNC961/Gold Melody) are financially motivated cybercriminals whose primary objective is to gain and sell initial access to compromised networks.10 This access often serves as the precursor to ransomware deployment.10 Their typical methods are phishing in several forms (smishing, voice phishing, and Adversary-in-the-Middle (AiTM) phishing pages), exploitation of vulnerabilities, password spraying, and SIM swapping to obtain or leverage valid accounts.10 IABs are associated with a wide array of tools and malware, including EvilProxy, DarkGate, IcedID, Latrodectus, PikaBot, SquirrelWaffle, and SystemBC (associated with TA577).10 They also facilitate the deployment of ransomware strains such as RansomHub, BlackCat, and Qilin/Agenda, and use tools such as PuTTY, Rclone, WinSCP, and cloud storage services for data exfiltration.10 The increasing evidence of state-sponsored actors cooperating with or even acting as IABs signifies a critical shift, where nation-states leverage the cybercriminal ecosystem to achieve strategic objectives or to fund operations.

APT33 (Iran-nexus)

APT33 is an Iran-nexus state-sponsored actor that exemplifies the dual motive observed in some advanced persistent threats: intelligence gathering combined with financial gain.10 This group targets a wide range of sectors, including financial institutions, aviation, energy, education, government, and healthcare, across countries such as the USA, Israel, Azerbaijan, Saudi Arabia, and South Korea.10 A concerning aspect of their operations is the observation that they exploit accesses initially used for strategic operations for their own financial benefit.10 Their toolkit includes wiper malware like Shamoon, custom backdoors such as Tickler and FalseFont, and Remote Access Trojans like QuasarRAT.10 This convergence of state-sponsored objectives with cybercriminal methodologies complicates attribution and defense, as the lines between espionage and financially motivated attacks become increasingly blurred.

References:

Incident 18: Alleged data breach of API Consulta Brasil

Incident Overview:

The threat actor claims to offer access to databases containing highly sensitive Brazilian citizen data. The leaked information reportedly includes vehicle ownership records, personal identification details with photos, phone data, credit score analysis, emergency aid records, and more.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and offering for sale of highly sensitive and comprehensive Brazilian citizen data. The breadth of information suggests a compromise of a large-scale government or public service database, enabling extensive identity theft and fraud.

Associated Threat Actor(s) Profile: marok

The provided research notes do not contain specific details about the “marok” handle, and the name alone does not establish any link to Morocco. The material below on groups targeting Morocco is drawn from the cited CYFIRMA research.11 It is included as regional context on how geopolitical tensions shape the threat landscape and is not an attribution of this Brazilian data sale to any of the groups described.

Pro-Algeria Hacktivist Groups: Groups such as Anonymous Algeria, EvilBbyte, and Abdelmomen Astra are hacktivists primarily motivated by ideological support for Palestine and Arab Nations, tensions surrounding the Western Sahara region, and opposition to perceived Israeli influences.11 Their attack methods typically include Distributed Denial of Service (DDoS) attacks, data theft and leaks, and website defacement.11

Stormous Ransomware: This financially motivated ransomware group has claimed to sell unauthorized VPN access to telecommunications companies in Morocco, such as Inwi.11 This access allegedly bypasses security measures like firewalls and intrusion detection systems, providing entry to the entire network.11 The group also employs advanced encryption methods for communications to ensure access remains resilient against detection.11

Starry Addax: Active since January 2024, Starry Addax is an actor focused on espionage and data harvesting, specifically targeting human rights activists in Morocco and Western Sahara.11 They use phishing attacks to install malicious Android applications, such as ‘FlexStarling’ (a versatile Android Trojan), and to harvest credentials from Windows users.11 Their focus on activists linked to the Sahrawi Arab Democratic Republic (SADR) underscores a specific intelligence objective.11

Moroccan Retaliatory Groups: In response to attacks, groups like the Moroccan Black Army, Moroccan Cyber Forces, Moroccan Soldiers, Moroccan CyberAliens, and Moroccan Dragons have escalated their operations, launching retaliatory attacks against Algeria and other pro-Israel nations.11

The diverse range of actors and motivations targeting Morocco exemplifies how regional geopolitical conflicts directly translate into a complex and fragmented cyber threat landscape. This requires a nuanced understanding of local conflicts and their potential cyber manifestations for effective defense.

References:

Incident 19: WOLF CYBER ARMY targets the website of Evinizi Yenileyin

Incident Overview:

The group claims to have defaced the website of Evinizi Yenileyin.

Attack Vector & Methodology:

This incident is a website Defacement, indicating that the threat group gained unauthorized access to the web server or content management system of Evinizi Yenileyin and altered its public-facing content.

Associated Threat Actor(s) Profile: WOLF CYBER ARMY

The provided research notes do not contain specific details about the “WOLF CYBER ARMY” group beyond their involvement in defacement activities.12 Their actions align with hacktivist motivations, aiming to promote an ideology or cause through public disruption and defacement of websites. Such groups often employ relatively low-sophistication methods to achieve their objectives, focusing on visibility and public messaging.

References:

Incident 20: Alleged Data Breach of Asemas Spanish insurance company

Incident Overview:

The threat actor claims to have breached the Spanish insurance company Asemas, leaking a database of over 11 million records. The data includes names, birthdates, national IDs, addresses, phone numbers, IBANs, emails, and payment details.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and leaking of a massive database (over 11 million records) from an insurance company. The comprehensive nature of the compromised data, including financial details like IBANs, suggests a significant and deep compromise of the company’s customer information systems.

Associated Threat Actor(s) Profile: 003

The provided research notes do not contain specific details about the “003” threat actor.17 However, their activity of breaching and leaking a large volume of sensitive customer data from an insurance company aligns with financially motivated cybercriminals. The scale and type of data indicate a high-impact breach with potential for widespread fraud and identity theft.

References:

Incident 21: Alleged data leak of BITHUMB Crypto Platform User Database

Incident Overview:

A threat actor claims to be selling a database allegedly sourced from the BITHUMB Crypto Platform.

Attack Vector & Methodology:

This is a Data Leak incident, involving the alleged sale of a user database from a cryptocurrency platform. The specific details of the compromised data are not provided, but any breach of a crypto platform’s user data is significant due to the potential for financial fraud and account takeovers.

Associated Threat Actor(s) Profile: cryptodata01

The provided research notes do not contain specific details about the “cryptodata01” threat actor.19 However, their activity of selling a database from a crypto platform aligns with financially motivated cybercriminals specializing in the cryptocurrency sector. Such breaches can lead to direct financial losses for users and reputational damage for the platform.

References:

Incident 22: Alleged sale of credit card data from US

Incident Overview:

Threat actor claims to be selling 1,207 US credit card records. The data format includes card number, expiration date, CVV, full name, country, city, zip code, address, phone, and email.

Attack Vector & Methodology:

This is a Data Leak incident, involving the sale of 1,207 US credit card records complete with the CVV. Because PCI DSS prohibits storing the CVV after authorization, its presence points to capture at the point of entry, for example a web skimmer on a checkout page, a phishing site, or a compromised point-of-sale terminal, rather than to a dump of a merchant’s stored card database. Either way, the records enable direct card-not-present fraud against the affected individuals.

Associated Threat Actor(s) Profile: Valag

The provided research notes do not contain specific details about the “Valag” threat actor.16 However, their activity of selling credit card data aligns with financially motivated cybercriminals specializing in carding and financial fraud. The comprehensive nature of the leaked card data makes it highly valuable on underground markets.

References:

Incident 23: Alleged data sale from an unidentified university in Malaysia

Incident Overview:

A threat actor claims to be offering data from an unidentified Malaysian university. The leaked database reportedly contains detailed information for each record, including a unique identifier, serial number, honorific title, first and last names, department affiliation, email address, phone number, classification category, participation status, area of expertise, payment-related information, and other related details.

Attack Vector & Methodology:

This is a Data Leak incident, involving the sale of a database from a Malaysian university. The record layout (honorific title, department, area of expertise, participation status and payment-related fields) is more consistent with a conference or event registration system than with core student records, but either way it exposes staff and affiliates to identity theft, phishing, and targeted social engineering.

Associated Threat Actor(s) Profile: Rau6

The provided research notes do not contain specific details about the “Rau6” threat actor.20 However, their activity of selling university data aligns with financially motivated cybercriminals. Educational institutions are often targeted for their rich datasets of personal information, which can be monetized on illicit markets.

References:

Incident 24: Alleged sale of xcz toolkit

Incident Overview:

The threat actor is advertising a Windows-based tool called xcz, a secure file wiper designed to irreversibly delete files and folders using the DoD 3-pass overwrite method. It features recursive directory scanning, empty folder cleanup, a simple GUI with progress updates, and randomized window titles for stealth. Stub functions for log and memory clearing are included for potential anti-forensic use. Compatible with Windows 10/11 and requiring compilation via Visual Studio or MinGW, the tool is run from an elevated command prompt and performs automatic cleanup upon completion. Its irreversible deletion process poses significant forensic challenges.

Attack Vector & Methodology:

This incident involves the advertisement and sale of a Malware toolkit, specifically a secure file wiper intended for anti-forensic use: irreversibly deleting data and hindering analysis, which is valuable to actors covering their tracks or seeking to inflict maximum damage. Two caveats matter for responders. First, a multi-pass overwrite performed through the filesystem is only reliable on media that write in place; on SSDs with wear levelling, on copy-on-write or journaling filesystems, and wherever snapshots, Volume Shadow Copies or backups exist, earlier copies of the data may survive the wipe. Second, by the seller’s own description the log and memory clearing functions are stubs, so event logs and memory artefacts of the wiper’s execution are likely to remain.

Associated Threat Actor(s) Profile: darwin

The provided research notes do not contain specific details about the “darwin” threat actor.21 However, their activity of selling a file wiper toolkit aligns with cybercriminals or state-sponsored actors who require tools for data destruction, anti-forensics, or to support ransomware operations. The tool’s features indicate a focus on stealth and irreversible impact.

References:

Incident 25: Alleged data breach of Badan Pusat Statistik

Incident Overview:

The threat actor claims to be selling a database allegedly containing 500,000 records from BPS Indonesia (Statistics Indonesia). The leaked data includes names, email addresses, phone numbers, gender, and detailed addresses.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and sale of a database containing 500,000 records from a national statistics agency. The nature of the data suggests a compromise of a significant government database, posing risks of identity theft, phishing, and targeted social engineering for a large population.

Associated Threat Actor(s) Profile: DigitalGhost

The provided research notes do not contain specific details about the “DigitalGhost” threat actor.22 However, their activity of selling a large database from a government statistics agency aligns with financially motivated cybercriminals or potentially state-sponsored actors seeking to monetize or disrupt. The scale and sensitivity of the data make this a high-impact breach.

References:

Incident 26: Alleged Data Leak of Telecom Records from Multiple Countries

Incident Overview:

The threat actor claims to have leaked telecom datasets from multiple countries, including subscriber data reportedly suitable for marketing or research. The data leak includes records from: Algeria, Argentina, Australia, Austria, Bahrain, Bangladesh, Belgium, Bolivia, Brazil, Cameroon, Canada, Chile, China, Colombia, Costa Rica, Croatia, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Guatemala, Hong Kong, Hungary, India, Indonesia, Iran, Iraq, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kuwait, Lebanon, Libya, Malaysia, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Oman, Pakistan, Palestine, Panama, Peru, Philippines, Poland, Portugal, Qatar, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sudan, Sweden, Switzerland, Syria, Taiwan, Thailand, Tunisia, Turkey, United Arab Emirates, United Kingdom, Uruguay, USA, Vietnam, Yemen.

Attack Vector & Methodology:

This is a Data Leak incident, involving the alleged leaking of telecom subscriber datasets from dozens of countries. The seller’s own framing of the data as “suitable for marketing or research” is more consistent with aggregated or scraped marketing lists than with a compromise of carrier core systems, and the claim should be treated as unverified until samples are checked against genuine subscriber records. Even as marketing data, the records are usable for targeted phishing and smishing.

Associated Threat Actor(s) Profile: scribebabylon

The provided research notes do not contain specific details about the “scribebabylon” threat actor. However, their activity of leaking telecom datasets from multiple countries aligns with financially motivated cybercriminals or potentially state-sponsored actors engaged in mass data collection. The global scale of the alleged leak indicates a highly capable adversary.

References:

Incident 27: Alleged data breach of free

Incident Overview:

A threat actor claims to have leaked customer data from a telecom provider, exposing names, contact info, birth details, addresses, account credentials, and banking data (IBAN/BIC), along with identity and loan status indicators.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and leaking of comprehensive customer data from a telecom provider. The inclusion of banking data and account credentials makes this a high-impact breach with significant financial fraud and identity theft risks.

Associated Threat Actor(s) Profile: sunrixes

The provided research notes do not contain specific details about the “sunrixes” threat actor.24 However, their activity of leaking extensive customer data from a telecom provider aligns with financially motivated cybercriminals. The detailed nature of the compromised information suggests a deep compromise of the telecom’s customer management systems.

References:

Incident 28: Alleged data breach of International Foundation for Art Research

Incident Overview:

The threat actor claims to be selling a database from the International Foundation for Art Research (IFAR), containing personal and contact information such as names, addresses, phone numbers, and email addresses.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged sale of a database from a research organization. The compromised data includes personal and contact information, indicating a compromise of membership or donor databases, which could lead to targeted phishing or social engineering.

Associated Threat Actor(s) Profile: wlo

The provided research notes do not contain specific details about the “wlo” threat actor.25 However, their activity of selling a database from a research foundation aligns with financially motivated cybercriminals. Organizations holding personal data are frequent targets for such breaches.

References:

Incident 29: Alleged data breach of Logistic one

Incident Overview:

The threat actor claims to have breached Logistic one and is offering the data for $1,000. The compromised data reportedly includes customer details and codes.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged compromise and sale of customer details and codes from a logistics company. The sale for a specific price ($1000) indicates a financially motivated attack. The nature of “codes” could imply access codes, tracking codes, or other operational data.

Associated Threat Actor(s) Profile: Chap

The provided research notes do not contain specific details about the “Chap” threat actor.26 However, their activity of breaching and selling data from a logistics company aligns with financially motivated cybercriminals. Logistics companies are attractive targets due to the sensitive operational and customer data they handle.

References:

Incident 30: Alleged sale of access to Cloudflare

Incident Overview:

The threat actor claims to have access to Cloudflare, stating that the WAF was bypassed by hiding the payload deep in a large POST body. No victim origin or scope of access is given.

Attack Vector & Methodology:

This is an Initial Access incident, where the threat actor claims to have gained access to Cloudflare, a major internet infrastructure provider. The technique described, placing the payload beyond the portion of the request body that an edge WAF inspects, is a known evasion of WAF body-inspection limits rather than evidence of a compromise of Cloudflare’s own infrastructure; as described, the claim is more consistent with bypassing the Cloudflare WAF in front of a customer’s origin. Since the page gives no victim origin, the real scope of the access is unverified. The defensive point stands regardless: an edge WAF only sees what it inspects, so origins must enforce their own body-size limits and input validation.
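The following Python is an added example, not code from the page, from Cloudflare or from the seller. It models why the described evasion works and what the origin can do about it: an edge WAF that scans only the first part of a request body, a form body that pushes the payload past that window, and an origin-side check that first caps the body at what the endpoint actually needs and then scans everything it accepts. The inspection limit, the signatures and the request are all constructed assumptions; real limits are product- and plan-dependent.

```python
import re

# Size of the request body the edge WAF scans before it stops looking. Real
# limits are product- and plan-dependent; 64 KiB is an assumed value for this
# demonstration, not a vendor figure.
ASSUMED_INSPECT_LIMIT = 64 * 1024

# Constructed, deliberately simple signatures standing in for the WAF ruleset.
SIGNATURES = [
    re.compile(rb"(?i)union\s+select"),
    re.compile(rb"(?i)<script[\s>]"),
]


def edge_waf_allows(body, inspect_limit=ASSUMED_INSPECT_LIMIT):
    """Model of an edge WAF: only the first `inspect_limit` bytes are scanned."""
    window = body[:inspect_limit]
    return not any(sig.search(window) for sig in SIGNATURES)


def origin_accepts(body, max_body):
    """Origin-side policy that does not rely on the edge having seen everything:
    cap the body at what the endpoint actually needs, then scan all of it."""
    if len(body) > max_body:
        return False, "413 body larger than endpoint limit"
    for sig in SIGNATURES:
        match = sig.search(body)
        if match:
            return False, "400 signature at offset %d" % match.start()
    return True, "200 accepted"


def build_padded_request(payload, padding):
    """Form-encoded body: a large benign field first, the payload after it."""
    return b"comment=" + b"A" * padding + b"&q=" + payload


def demo(inspect_limit=ASSUMED_INSPECT_LIMIT):
    """Same payload twice: inside the inspection window, then just past it."""
    payload = b"' UNION SELECT username, password FROM users--"
    small = build_padded_request(payload, 1024)
    large = build_padded_request(payload, inspect_limit)   # payload lands past the window
    return {
        "small_edge_allows": edge_waf_allows(small, inspect_limit),
        "large_edge_allows": edge_waf_allows(large, inspect_limit),
        "large_origin_capped": origin_accepts(large, max_body=16 * 1024),
        "large_origin_full_scan": origin_accepts(large, max_body=1 << 20),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The practical takeaway is the order of the origin checks: a body-size cap per endpoint (a search form does not need a megabyte) rejects the oversized request before any parsing happens, and only endpoints that legitimately take large uploads need the full-body scan and the parameterised queries that make the payload harmless anyway.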

Associated Threat Actor(s) Profile: d3xNorth

The provided research notes do not contain specific details about the “d3xNorth” threat actor.28 The technique claimed, pushing a payload past a WAF’s body-inspection window, is publicly documented and low cost, so on its own it does not indicate a nation-state or top-tier actor; the seller’s capability should be treated as unknown until the access itself is verified. The listing is nonetheless worth attention for any organization that relies on an edge WAF alone to protect a vulnerable origin.

References:

Incident 31: Alleged sale of unauthorized access to banks in Chile

Incident Overview:

A threat actor claims to be selling logs with access to unidentified Bank of Chile accounts.

Attack Vector & Methodology:

This is an Initial Access incident, involving the sale of “logs”, which in this market typically means infostealer logs: credentials, cookies and session tokens harvested by malware from infected endpoints, here filtered for banking sites. This points to credential theft through infostealer infections or phishing rather than a compromise of the banks themselves. Because stealer logs often include live session cookies, a buyer may be able to reuse authenticated sessions without triggering MFA, so affected institutions should invalidate sessions as well as force password resets.
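When a seller’s sample of stealer logs is obtained, the first triage step is to find which entries belong to the institution’s own domains and which accounts need a forced reset and session invalidation. The Python below is an added example, not code from the page or from any vendor: it parses a constructed log in a layout loosely resembling the per-victim text files infostealers drop, matches hosts by domain suffix so that look-alike phishing hosts are not counted, and returns the exposed usernames per host. Every host, user and secret in the sample is invented, and the bank domain is a placeholder.

```python
from collections import defaultdict
from urllib.parse import urlsplit


def parse_stealer_log(text):
    """Split the log into records of 'Key: value' lines; a blank line ends a record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        records.append(current)
    return records


def host_matches(host, domain):
    """True if host is the domain or a subdomain of it. Suffix matching on the
    hostname avoids false hits such as 'bank.example.evil.test'."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def triage(text, monitored_domains):
    """Return {hostname: [usernames]} for entries that belong to monitored domains.
    Passwords are deliberately not returned; the reset list is what the
    institution needs, not the secrets themselves."""
    exposed = defaultdict(set)
    for rec in parse_stealer_log(text):
        url, user = rec.get("url", ""), rec.get("username", "")
        host = urlsplit(url).hostname or ""
        if not host or not user:
            continue
        if any(host_matches(host, d) for d in monitored_domains):
            exposed[host].add(user)
    return {host: sorted(users) for host, users in exposed.items()}


# Constructed sample in a layout loosely resembling the text files infostealers
# drop per victim; every host, user and secret here is invented.
STEALER_LOG = """\
URL: https://login.bancoexample.cl/auth
Username: m.soto
Password: Verano2024!
Application: Chrome

URL: https://mail.example.com/
Username: m.soto@example.com
Password: hunter2
Application: Chrome

URL: https://app.bancoexample.cl/login
Username: c.rojas
Password: Clave123
Application: Edge

URL: https://bancoexample.cl.evil-login.example/
Username: victim
Password: phished
Application: Chrome
"""

if __name__ == "__main__":
    print(triage(STEALER_LOG, {"bancoexample.cl"}))
```

The last record in the sample is the edge case worth keeping in mind: a naive substring match on the bank’s name would count a phishing host as the bank’s own, inflating the reset list and hiding the fact that the victim never had a session on the real site.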

Associated Threat Actor(s) Profile: ciriusking

The provided research notes do not contain specific details about the “ciriusking” threat actor.31 However, their activity of selling access logs to bank accounts aligns with financially motivated cybercriminals specializing in account takeovers and financial fraud. The sale of such logs indicates a thriving underground market for compromised banking credentials.

References:

Incident 32: Alleged data breach of Fit India Movement

Incident Overview:

A threat actor claims to have leaked data from the Fit India Movement, compromising a user list of 158K individuals.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged exfiltration and leaking of a user list containing 158,000 individuals from a national health and fitness initiative. The nature of the victim (government-backed movement) could suggest either financially motivated data theft or hacktivist activity aimed at public exposure.

Associated Threat Actor(s) Profile: wlo

The provided research notes do not contain specific details about the “wlo” threat actor.25 However, their activity of leaking user data from a government-backed movement aligns with financially motivated cybercriminals or potentially hacktivist groups seeking to expose information. The scale of the leak (158K individuals) makes this a significant incident.

References:

Incident 33: Alleged data sale of USA car owners information

Incident Overview:

The threat actor claims to be selling a 2025 database containing information on 18 million U.S. car owners. The data is offered in CSV format and reportedly includes extensive personal details.

Attack Vector & Methodology:

This is a Data Leak incident, involving the alleged sale of a massive database (18 million records) of U.S. car owners. The extensive personal details and the sheer volume of data suggest a large-scale compromise of a vehicle registration database, automotive service provider, or data aggregator, posing significant risks for identity theft and targeted scams.

Associated Threat Actor(s) Profile: info_usa

The provided research notes do not contain specific details about the “info_usa” threat actor.32 However, their activity of selling a massive database of U.S. car owners aligns with financially motivated cybercriminals specializing in large-scale data breaches. The scale of the data indicates a highly capable adversary.

References:

Incident 34: Alleged data breach of BTS Group Holdings Public Company Limited

Incident Overview:

The threat actor claims to be selling the full database of BTS Group Holdings (Thailand) for $350, including super admin website access and a PHP reverse shell.

Attack Vector & Methodology:

This is a Data Breach incident, involving the alleged sale of a full database, super admin access, and a PHP reverse shell from a major transportation and logistics conglomerate. The comprehensive nature of the compromise, including administrative access and a backdoor, indicates a deep and persistent breach, likely for financial gain.

Associated Threat Actor(s) Profile: ByteToBreach

The provided research notes do not contain specific details about the “ByteToBreach” threat actor. However, their activity of selling a full database and administrative access to a major company aligns with financially motivated cybercriminals or Initial Access Brokers (IABs). The inclusion of a PHP reverse shell suggests a web server compromise.

References:

Works cited

  1. Threat Actors Deploy Database Client Tools on Targeted Systems to Exfiltrate Sensitive Data – GBHackers, accessed June 26, 2025, https://gbhackers.com/threat-actors-deploy-database-client-tools/
  2. Global Revival of Hacktivism Requires Increased Vigilance from Defenders – Google Cloud, accessed June 26, 2025, https://cloud.google.com/blog/topics/threat-intelligence/global-revival-of-hacktivism
  3. Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed June 26, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
  4. 200+ Trojanized GitHub Repositories Found in Campaign Targeting …, accessed June 26, 2025, https://thehackernews.com/2025/06/67-trojanized-github-repositories-found.html
  5. Threat Spotlight: Hijacked Routers and Fake Searches Fueling …, accessed June 26, 2025, https://reliaquest.com/blog/threat-spotlight-payroll-fraud-attackers-stealing-paychecks-seo-poisoning/
  6. Criminal Hijacking: Profiling Threat Actors and Criminals Using Infostealer Logs, accessed June 26, 2025, https://www.channele2e.com/native/criminal-hijacking-profiling-threat-actors-and-criminals-using-infostealer-logs
  7. GOLD DRAKE | Threat Profile Detail – Secureworks, accessed June 26, 2025, https://www.secureworks.com/research/threat-profiles/gold-drake
  8. GOLD CABIN (Threat Actor) – Malpedia, accessed June 26, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/gold_cabin
  9. Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange …, accessed June 26, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
  10. Cyber threats impacting the financial sector in 2024 – focus on the main actors, accessed June 26, 2025, https://blog.sekoia.io/cyber-threats-impacting-the-financial-sector-in-2024-focus-on-the-main-actors/
  11. Decoding Cyberattacks on Morocco – CYFIRMA, accessed June 26, 2025, https://www.cyfirma.com/research/decoding-cyberattacks-on-morocco/
  12. U.S. Army Cyber Command: Operate, Defend, Attack, Influence, Inform, accessed June 26, 2025, https://www.arcyber.army.mil/
  13. What is a Cyber Threat Actor? | CrowdStrike, accessed June 26, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
  14. AeroBlade (Threat Actor) – Malpedia, accessed June 26, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/aeroblade
  15. Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy, accessed June 26, 2025, https://www.cybersecuritydive.com/news/microsoft-crowdstrike-other-cyber-firms-collaborate-on-threat-actor-taxon/749614/
  16. ValleyRAT Malware and the Evolving Landscape of Ransomware …, accessed June 26, 2025, https://www.morphisec.com/blog/valleyrat-malware-and-the-evolving-landscape-of-ransomware-threats/
  17. APT3 (Threat Actor) – Malpedia, accessed June 26, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/apt3
  18. Threat actor – Wikipedia, accessed June 26, 2025, https://en.wikipedia.org/wiki/Threat_actor
  19. Threat Actor Intelligence – SOCRadar LABS, accessed June 26, 2025, https://socradar.io/labs/threat-actor/
  20. RedCurl’s Ransomware Debut: A Technical Deep Dive – Bitdefender, accessed June 26, 2025, https://www.bitdefender.com/en-us/blog/businessinsights/redcurl-qwcrypt-ransomware-technical-deep-dive
  21. Darwin (character) – Wikipedia, accessed June 26, 2025, https://en.wikipedia.org/wiki/Darwin_(character)
  22. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed June 26, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
  23. FBI’s Ghost Cyber Warning: All You Need to Know | Cyber Magazine, accessed June 26, 2025, https://cybermagazine.com/articles/what-are-ghost-attacks-and-what-should-your-business-know
  24. Analyzing DEEP#DRIVE: North Korean Threat Actors Observed Exploiting Trusted Platforms for Targeted Attacks – Securonix, accessed June 26, 2025, https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
  25. WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a …, accessed June 26, 2025, https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
  26. Chapter 2: Explaining Threat Actors and Threat Intelligence Flashcards | Quizlet, accessed June 26, 2025, https://quizlet.com/581934679/chapter-2-explaining-threat-actors-and-threat-intelligence-flash-cards/
  27. Chap 2 Flashcards – Quizlet, accessed June 26, 2025, https://quizlet.com/913120238/chap-2-flash-cards/
  28. Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant, accessed June 26, 2025, https://cloud.google.com/blog/topics/threat-intelligence/citrix-zero-day-espionage/
  29. Unmasking The Hackers: A Complete Guide To Threat Actors – Kraven Security, accessed June 26, 2025, https://kravensecurity.com/threat-actors/
  30. 202404051700_HC3’s Top 10 Most Active Ransomware Groups Analyst Note_TLPCLEAR – HHS.gov, accessed June 26, 2025, https://www.hhs.gov/sites/default/files/hc3-top-10-most-active-ransomware-groups-analyst-note-tlpclear-r.pdf
  31. Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets …, accessed June 26, 2025, https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/
  32. Nation-State Cyber Actors | Cybersecurity and Infrastructure Security Agency CISA, accessed June 26, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors