I. Introduction
This report provides a comprehensive overview of recent cybersecurity incidents observed within the last 24 hours, alongside detailed profiles of the threat actors involved. The analysis aims to offer a deeper understanding of current attack methodologies, motivations, and the evolving tactics employed by malicious entities in the digital realm. By examining these incidents and the groups behind them, the report highlights critical vulnerabilities and strategic implications for organizations worldwide, fostering a more informed and proactive defense posture.
II. Incident Overview
Recent Incidents: June 27, 2025
1. RageStealer Malware Promotion
- Category: Malware
- Description: The LulzSec Black group claims to have launched “RageStealer,” a new info-stealer malware designed to evade detection by security systems while extracting data from infected devices. This incident highlights the ongoing development and promotion of sophisticated tools within the cybercriminal underground.
- Threat Actor(s) Involved: LulzSec Black
- Published Report: https://t.me/c/2218423825/7889
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/ab6e545e-0284-4d0e-b361-47906098e045.png
2. Alleged Sale of Unauthorized Web Shell Access to Swift Pace Shipping
- Category: Initial Access
- Description: The CyberVolk Group claims to be selling unauthorized web shell access to Swift Pace Shipping, a transportation and logistics company based in the USA. This type of access can be a precursor to further malicious activities, such as data exfiltration or ransomware deployment. Swift Pace Logistics LLC is an active interstate freight carrier based out of Knoxville, Tennessee.[1]
- Threat Actor(s) Involved: CyberVolk Group
- Victim Organization: Swift Pace Shipping
- Victim Industry: Transportation & Logistics
- Victim Country: USA
- Victim Site: swiftpaceshipping.com
- Published Report: https://t.me/CyberVolk_Eye/66
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/9bfe13f2-33ce-4275-8abc-e7a8fa303912.png
3. Alleged Data Leak of Ramkhamhaeng University
- Category: Data Breach
- Description: A threat actor identified as “sazz” claims to have leaked 5GB of data from the database of Ramkhamhaeng University in Thailand. Ramkhamhaeng University is a public university established in 1971, known for its “market of subjects” model and offering various degree programs, including international ones.[2]
- Threat Actor(s) Involved: sazz
- Victim Organization: Ramkhamhaeng University
- Victim Industry: Education
- Victim Country: Thailand
- Victim Site: ru.ac.th
- Published Report: https://darkforums.st/Thread-Document-Thailand-s-Ramkhamhaeng-University-DATA-DOC
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/32bb905a-5c56-4a13-b270-829d4dc6bef6.png
4. Alleged Leak of MetaMask Dump Tool
- Category: Malware
- Description: A threat actor named “C2YP70” claims to have leaked a lightweight command-line tool designed to extract and decrypt MetaMask data from Mozilla Firefox. The tool reportedly features JSON key/value dumps, password-based wallet decryption, support for mnemonics and private keys, full account derivation (including hardware wallets), and cross-operating system compatibility.
- Threat Actor(s) Involved: C2YP70
- Published Report: https://forum.exploit.in/topic/261531/
- Screenshots/Evidence:
  - https://d34iuop8pidsy8.cloudfront.net/51067ed1-92eb-445c-905f-677902d924b1.png
  - https://d34iuop8pidsy8.cloudfront.net/071fd92a-4ee7-4b68-a348-03677a7b53b5.png
5. Alleged Data Leak of Lessoons
- Category: Data Breach
- Description: The threat actor “ZeroEcho” claims to have leaked 45 million rows of data from the database of Lessoons, an Israeli tutoring marketplace. The compromised data allegedly includes emails, phone numbers, full names, passwords, payment details, IP addresses, and Facebook profile IDs, provided in SQL dump and CSV formats. Lessons.com (Lessoons) is a platform that provides teachers with tools to market their services online and accept payments.[3]
- Threat Actor(s) Involved: ZeroEcho
- Victim Organization: Lessoons
- Victim Industry: Education
- Victim Country: Israel
- Victim Site: lessoons.co.il
- Published Report: https://darkforums.st/Thread-Source-Code-lessoons-co-il-Israeli-tutoring-marketplace-official-leak
- Screenshots/Evidence:
  - https://d34iuop8pidsy8.cloudfront.net/7efedca6-09dc-4d43-8c04-1b0fa06f0876.png
  - https://d34iuop8pidsy8.cloudfront.net/08fcade1-956f-41fa-a057-3861290959f6.png
6. Alleged Sale of Access to Unidentified PrestaShop-based Shop in France
- Category: Initial Access
- Description: A threat actor named “Pisoletik” claims to be selling unauthorized access to a PrestaShop platform in France. The listing indicates a total of 50,462 orders, with 472 from the previous cycle and 534 currently active.
- Threat Actor(s) Involved: Pisoletik
- Victim Country: France
- Published Report: https://forum.exploit.in/topic/261536/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/a4aa0935-25b0-4b0d-944f-743b51b2ff81.png
7. Alleged Data Sale of Express Ltd
- Category: Data Breach
- Description: The threat actor “CD” claims to be selling a database from Express Ltd., a Ukrainian network and telecommunications company. The compromised dataset reportedly contains 380,000 lines of sensitive information. Ukraine Express Limited is an exporter based in the United States, with primary export markets in Ukraine.[4]
- Threat Actor(s) Involved: CD
- Victim Organization: Express Ltd
- Victim Industry: Network & Telecommunications
- Victim Country: Ukraine
- Victim Site: express.net.ua
- Published Report: https://xss.is/threads/140701/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/e0ef7453-984e-4d5e-b18a-a82753b83ffd.png
8. Alleged Data Sale of Dtunes
- Category: Data Breach
- Description: The threat actor “0xBlade” claims to be selling the database of Dtunes, a Nigerian crypto gift card exchange and financial services company. Dtunes is described as Nigeria’s leading platform for converting crypto to cash, which recently launched an upgraded app (Dtunes 2.0) with new crypto wallet features.[5]
- Threat Actor(s) Involved: 0xBlade
- Victim Organization: Dtunes
- Victim Industry: Financial Services
- Victim Country: Nigeria
- Victim Site: dtunes.ng
- Published Report: https://darkforums.st/Thread-SELLING-Dtunes-ng-Full-DB-%E2%80%94-Nigerian-Crypto-Gift-Card-Exchange
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/1f21e9cd-9347-455e-99f7-010593d94801.png
9. Alleged Sale of Access to Unidentified PrestaShop Platform in Spain (Multiple Incidents)
- Category: Initial Access
- Description: The threat actor “Pisoletik” is involved in multiple alleged sales of unauthorized access to PrestaShop platforms in Spain.
  - One listing mentions transactions processed via RedSys (448) and credit cards (300), with PayPal and Bizum as additional payment methods.
    - Published Report: https://forum.exploit.in/topic/261537/
    - Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/9e2568ab-56c9-4357-907e-e11d396f52ef.png
  - Another listing mentions a total of 233 currently active records.
    - Published Report: https://forum.exploit.in/topic/261535/
    - Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/a91d0aa4-50e7-4d72-b406-a0ce65f46ee1.png
  - A third listing mentions a total of 13,166 records, with 865 currently active.
    - Published Report: https://forum.exploit.in/topic/261534/
    - Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/69d91dc7-76d0-40db-949e-17dc13102766.png
  - A fourth listing offers admin access to a PrestaShop-based store in Spain, supporting Redsys (redirect) and PayPal, with transactional data from June and May.
    - Published Report: https://forum.exploit.in/topic/261539/
    - Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/61fa0fae-a9a5-4cbc-8308-ca955bba863c.png
  - A fifth listing mentions a total of 6,812 records, with 438 currently active.
    - Published Report: https://forum.exploit.in/topic/261539/
    - Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/4f200013-24c1-4001-ba99-1b59ba6ffded.png
- Threat Actor(s) Involved: Pisoletik
- Victim Country: Spain
10. Alleged Sale of Access to PrestaShop in France
- Category: Initial Access
- Description: The threat actor “Pisoletik” claims to be selling access to an unidentified PrestaShop store in France. PrestaShop is a popular e-commerce platform.
- Threat Actor(s) Involved: Pisoletik
- Victim Organization: PrestaShop
- Victim Industry: Software Development
- Victim Country: France
- Victim Site: prestashop.com
- Published Report: https://forum.exploit.in/topic/261532/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/8c6de44c-1cd0-461e-a310-71c744a99cd7.png
11. Alleged Sale of Access to Unidentified WordPress-based Shop in UK
- Category: Initial Access
- Description: The threat actor “Pisoletik” claims to be selling unauthorized admin access to an unidentified WordPress store in the UK.
- Threat Actor(s) Involved: Pisoletik
- Victim Country: UK
- Published Report: https://forum.exploit.in/topic/261540/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/02b7a28b-5624-44ac-a6c3-466695477c48.png
12. Alleged Sale of Access to Unidentified WordPress-based Shop in Canada
- Category: Initial Access
- Description: The threat actor “Pisoletik” claims to be selling unauthorized admin access to an unidentified WordPress store in Australia, although the source JSON record lists the victim country as Canada.
- Threat Actor(s) Involved: Pisoletik
- Victim Country: Canada
- Published Report: https://forum.exploit.in/topic/261542/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/91305e46-08dc-4b6c-b8a2-975e243cf5b6.png
13. Alleged Data Leak of Study in Romania
- Category: Data Leak
- Description: The threat actor “fuckoverflow” claims to be selling 20.2k logs from the database of Study in Romania, a Romanian Government Scholarship Programme managed by the Ministry of Foreign Affairs. The leaked data reportedly contains sensitive documents such as curricula vitae, passports or national IDs, birth certificates, name-change proofs, high school diplomas, certificates, and high school transcripts. Study in Romania offers fully-funded scholarships for non-EU citizens across various academic levels.[6]
- Threat Actor(s) Involved: fuckoverflow
- Victim Organization: Study in Romania
- Victim Industry: Government Administration
- Victim Country: Romania
- Victim Site: scholarships.studyinromania.gov.ro
- Published Report: https://darkforums.st/Thread-Selling-scholarships-studyinromania-gov-ro-20-2k-logs-students
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/9e57dc31-362e-410c-8543-0b650b81f158.png
14. Alleged Leak of Elbit Systems Data
- Category: Data Leak
- Description: The threat actor “USTINT” claims to have leaked a list of individuals associated with Israeli defense and aerospace sectors, specifically mentioning Elbit Systems Ltd. The compromised data allegedly includes full names, home addresses, email addresses, phone numbers, and detailed employment history. Elbit Systems is an international high-technology company primarily engaged in defense and homeland security.[7]
- Threat Actor(s) Involved: USTINT
- Victim Organization: Elbit Systems Ltd
- Victim Industry: Defense & Space
- Victim Country: Israel
- Victim Site: elbitsystems.com
- Published Report: https://t.me/WeAreUst/325
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/1bc51790-9955-4d85-a105-51dd30a85c3d.png
15. Alleged Sale of Access to Airline’s Ticket Booking System
- Category: Initial Access
- Description: A threat actor named “powder12” claims to be selling access to an airline’s ticket booking system in the USA.
- Threat Actor(s) Involved: powder12
- Victim Country: USA
- Published Report: https://forum.exploit.in/topic/261543/?tab=comments#comment-1577588
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/78392e1d-77f6-41be-bdcf-e3fc10e3e6b3.png
16. Alleged Leak of Admin Access to Newgrounds
- Category: Initial Access
- Description: The threat actor “reimugang” claims to have leaked admin access to Newgrounds. Newgrounds is an American entertainment website founded in 1995, known for hosting user-generated content like games, films, audio, and artwork.[8]
- Threat Actor(s) Involved: reimugang
- Victim Organization: Newgrounds
- Victim Site: newgrounds.com
- Published Report: https://darkforums.st/Thread-NEWGROUNDS-LOGINS-LEAKED-BY-REIMUGANG
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/06fd43fa-2daa-4735-a872-a5d839aa223f.png
17. Alleged Sale of Credit Card Details from USA
- Category: Data Leak
- Description: Threat actor “Robot17” claims to be selling credit card details from the USA, including credit card numbers, expiry dates, names, addresses, cities, states, and postal codes.
- Threat Actor(s) Involved: Robot17
- Victim Country: USA
- Published Report: http://forum.exploit.in/topic/261527/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/112e06fd-911a-4495-9ef1-e13e1c0ceff6.png
18. Alleged Unauthorized Access to Unidentified Person’s Phone in Italy
- Category: Initial Access
- Description: The “Z-PENTEST ALLIANCE” group claims to have unauthorized access to an unidentified person’s phone in Italy.
- Threat Actor(s) Involved: Z-PENTEST ALLIANCE
- Victim Country: Italy
- Published Report: https://t.me/Z_alliance_ru/290
- Screenshots/Evidence:
  - https://d34iuop8pidsy8.cloudfront.net/09ec3a88-d818-4acb-a0f3-0ec787d162df.png
  - https://d34iuop8pidsy8.cloudfront.net/fe8a504c-3f4f-42c7-947a-00dc30f8642f.png
19. Alleged Sale of Admin Access to Unidentified cPanel
- Category: Initial Access
- Description: The threat actor “Team_CRO” is offering to sell unauthorized admin access to an unidentified cPanel.
- Threat Actor(s) Involved: Team_CRO
- Victim Organization: cPanel
- Published Report: https://darkforums.st/Thread-Selling-CPANEL-access-is-for-sell
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/350fc48e-45ee-41de-b59b-48b143a77e10.png
20. Alleged Leak of Israeli President’s Profile
- Category: Data Leak
- Description: The threat actor “TnCrow” claims to have leaked the full internal intelligence profile of Israeli President Isaac Herzog, covering the years 2003 to 2025. The compromised data allegedly includes personal details, family background, medical and psychological records, political and military history, intelligence affiliations, banking information, and contact details.
- Threat Actor(s) Involved: TnCrow
- Victim Country: Israel
- Published Report: https://darkforums.st/Thread-Document-LEAK-Full-Intel-Dump-%E2%80%93-Israeli-President-Isaac-Herzog-2003%E2%80%932025-Internal-Profil
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/552ae8f4-ea42-403e-822d-28c9e0282c64.png
21. Alleged Threat Warning to Bangladesh Meteorological Department
- Category: Alert
- Description: A threat actor named “BatCrypt” has posted a public warning on a hacking forum, alleging vulnerabilities and negligence in the Bangladesh Meteorological Department (BMD). The message states this is not an attack but a signal, urging authorities to secure their systems before others exploit them. A video message was also shared as part of the warning. The Bangladesh Meteorological Department is the national meteorological organization of Bangladesh, operating under the Ministry of Defense.[9]
- Threat Actor(s) Involved: BatCrypt
- Victim Organization: Bangladesh Meteorological Department
- Victim Industry: Government Administration
- Victim Country: Bangladesh
- Victim Site: bmd.gov.bd
- Published Report: https://darkforums.st/Thread-Warning-to-the-Bangladesh-Meteorological-Department-from-BatCrypt
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/7998cb24-46b7-4ee1-ba05-6a6ca3245acf.png
22. Alleged Sale of RDWEB Access
- Category: Initial Access
- Description: The threat actor “ProfessorKliq” claims to be selling RDWEB access to a U.S.-based company. The alleged access includes domain user rights, Zoom library integration, and a Microsoft Defender-protected environment.
- Threat Actor(s) Involved: ProfessorKliq
- Victim Country: USA
- Published Report: https://forum.exploit.in/topic/261521/?tab=comments#comment-1577518
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/9fada97b-8090-43d5-90ee-a5bbc2648549.png
23. HIME666 Targets the Website of Stie Satya Dharma
- Category: Defacement
- Description: The “HIME666” group claims to have defaced the website of Stie Satya Dharma, a private economics college in Bali, Indonesia.[10]
- Threat Actor(s) Involved: HIME666
- Victim Organization: Stie Satya Dharma
- Victim Industry: Education
- Victim Country: Indonesia
- Victim Site: stie-satyadharma.ac.id
- Published Report: https://t.me/c/2448264156/841
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/73db9129-8d35-41bc-9f3a-a37fa9284ecf.png
24. Alleged Data Breach of Consubanco
- Category: Data Breach
- Description: Threat actor “Kaught” claims to be selling personal data from Consubanco, a commercial bank in Mexico. The compromised data reportedly consists of 2,745,145 records and includes emails, names, phones, and IDs. Consubanco was founded in 2001 and offers various banking services.[11]
- Threat Actor(s) Involved: Kaught
- Victim Organization: Consubanco
- Victim Industry: Banking & Mortgage
- Victim Country: Mexico
- Victim Site: consubanco.com
- Published Report: https://xss.is/threads/140604/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/0220de3f-d3f8-4519-b2a2-97980c3443de.png
25. Alleged Data Breach of 190K Student Credentials from Türkiye Scholarships
- Category: Data Breach
- Description: The threat actor “fuckoverflow” claims to have breached Türkiye Scholarships and is selling 190,345 unique student credentials, allegedly including email-password combinations. Türkiye Scholarships is a government-funded higher education scholarship program for international students, offering comprehensive support.[12]
- Threat Actor(s) Involved: fuckoverflow
- Victim Organization: Türkiye Scholarships
- Victim Industry: Government Administration
- Victim Country: Turkey
- Victim Site: turkiyeburslari.gov.tr
- Published Report: https://darkforums.st/Thread-Selling-turkiyeburslari-gov-tr-190k-logs-students
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/e709912f-d2d3-49e3-b60a-95ca05a707dc.jpg
26. Alleged Data Leak of Multiple Countries (CVV Data)
- Category: Data Leak
- Description: The threat actor “cusoeud” claims to be selling CVV data from multiple countries, including the USA, UK, Europe, and Asia.
- Threat Actor(s) Involved: cusoeud
- Published Report: https://demonforums.net/Thread-Hello–164746
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/a14f0886-9f81-4dcc-ab5d-f55f2e16b560.png
27. Alleged Data Leak of Telegram Database from Iran
- Category: Data Leak
- Description: A threat actor named “ecstasy125” claims to have leaked a Telegram user database from Iran, allegedly containing user IDs, usernames, and phone numbers. Telegram Messenger is a popular instant messaging application founded in 2013, with its operational center in Dubai.[13]
- Threat Actor(s) Involved: ecstasy125
- Victim Organization: Telegram Messenger
- Victim Industry: Information Technology (IT) Services
- Victim Country: Iran
- Victim Site: telegram.org
- Published Report: https://kittyforums.to/thread/318
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/3c78e58a-1cb3-4272-bd69-9d38ec6a12e0.png
28. Alleged Data Breach of PPKMI
- Category: Data Breach
- Description: The threat actor “TnCrow” claims to have breached data involving a verified and clean-format dump of personally identifiable information (PII) related to staff members of PPKMI, an Indonesian health organization. The leak allegedly includes names, email addresses, phone numbers, ID numbers, and regional data such as city and province. PPKMI (Perkumpulan Promotor dan Pendidik Kesehatan Masyarakat Indonesia) is a professional organization for public health promotion and education specialists in Indonesia.[14]
- Threat Actor(s) Involved: TnCrow
- Victim Organization: PPKMI
- Victim Industry: Hospital & Health Care
- Victim Country: Indonesia
- Victim Site: pppkmi.com
- Published Report: https://darkforums.st/Thread-%E2%9A%A0%EF%B8%8F-Indo-DeepField-Leak-PPKMI-Staff-Index-Clean-Format-Verified-Dump
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/177b4a8a-94ae-4316-9234-7619ecc252fa.png
29. Alleged Sale of Unauthorized Access to Perplexity
- Category: Initial Access
- Description: A threat actor named “Redbull93” claims to be selling 1-year unauthorized access to Perplexity Pro AI, including premium models and image tools, with no VPN or credit card required. Perplexity AI is a web search engine that uses a large language model to synthesize responses based on web search results.[15]
- Threat Actor(s) Involved: Redbull93
- Victim Organization: Perplexity
- Victim Industry: Software Development
- Victim Country: USA
- Victim Site: perplexity.ai
- Published Report: https://sinister.ly/Thread-Perplexity-Pro-AI-1-Year-Private-No-VPN-No-CC-auto
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/850c0299-419e-4368-8dad-66b378246c12.png
30. Alleged Sale of Unauthorized Cursor.com Pro Access
- Category: Initial Access
- Description: The threat actor “Redbull93” claims to be selling 1-year Cursor.com Pro access, which includes GPT-4 and full email control. Cursor.com is an AI-powered code editor that has seen rapid adoption among developers.[16]
- Threat Actor(s) Involved: Redbull93
- Victim Organization: Cursor
- Victim Industry: Information Technology (IT) Services
- Victim Site: cursor.com
- Published Report: https://sinister.ly/Thread-Official-Cursor-com-Pro-%E2%80%93-1-Year-Premium-49-99
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/dd6cad24-a954-4b3d-82b1-05c435abb86b.jpg
31. Alleged Data Leak of Paytm Users India
- Category: Data Leak
- Description: The threat actor “Team_CRO” claims to have 1 million data records of Paytm users in India. The compromised data allegedly consists of names, mobile numbers, emails, and cities. Paytm is an Indian multinational financial technology company specializing in digital payments and financial services.[17]
- Threat Actor(s) Involved: Team_CRO
- Victim Organization: Paytm
- Victim Industry: Financial Services
- Victim Country: India
- Victim Site: paytm.com
- Published Report: https://darkforums.st/Thread-1-million-indian-paytm-users-data
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/c5cc55ac-c02c-46b9-9335-7d46fa6242f4.png
32. Alleged Data Breach of Sothema
- Category: Data Breach
- Description: The threat actor “darkMods” claims to have leaked a potential internal document from SOTHEMA, a Moroccan pharmaceutical company. The leak reportedly includes forged documents, sensitive banking files, and confidential salary records, suggesting possible financial and administrative manipulation involving company officials. SOTHEMA was formed in 1976 and operates globally.[18]
- Threat Actor(s) Involved: darkMods
- Victim Organization: Sothema
- Victim Industry: Healthcare & Pharmaceuticals
- Victim Country: Morocco
- Victim Site: sothema.com
- Published Report: https://darkforums.st/Thread-%E2%9A%A0%EF%B8%8F-Potential-Internal-Document-Leak-%E2%80%93-SOTHEMA
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/e048ee0a-1a59-47b0-9766-de2937845040.png
33. Alleged Data Leak of USA Consumer Database
- Category: Data Leak
- Description: The threat actor “Jack_back” is claiming to be selling a USA consumer database containing 67 million U.S. records from 2025. The dataset allegedly includes full names, addresses, emails, SSNs, driver’s license numbers, and bank details.
- Threat Actor(s) Involved: Jack_back
- Victim Country: USA
- Published Report: https://darkforums.st/Thread-USA-LEADS-CONSUMER
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/e7970a67-b59f-461d-9880-1368ae2d4def.png
34. Alleged Data Breach of Tiendapp and COMERCIALIZADORA CAMDUN
- Category: Data Breach
- Description: The threat actor “Rui_Deidad” claims to have breached data involving the Colombian e-commerce platform TIENDAPP and its client Comercializadora Camdun. The attacker claims to have exploited an Insecure Direct Object Reference (IDOR) vulnerability, resulting in the exfiltration of over 20,700 records containing personally identifiable information (PII), including national identification numbers, full names, addresses, phone numbers, and payment details. TIENDAPP Technologies A.I. is an operator of an e-commerce platform founded in 2015.[19]
- Threat Actor(s) Involved: Rui_Deidad
- Victim Organization: Tiendapp Technologies A.I.
- Victim Industry: Information Technology (IT) Services
- Victim Country: Colombia
- Victim Site: tiendapp.co
- Published Report: https://darkforums.st/Thread-TIENDAPP-E-COMMERCE-CAMDUN-20-7K-PII-RECORDS-Colombia
- Screenshots/Evidence:
  - https://d34iuop8pidsy8.cloudfront.net/a8dca852-ba97-4e5f-b2f7-ac5d279ebf3c.png
  - https://d34iuop8pidsy8.cloudfront.net/4ffc192a-f3ef-47ea-be20-9c19b166afda.png
  - https://d34iuop8pidsy8.cloudfront.net/edfb8449-4417-45c3-9169-251f79272477.png
35. Alleged Data Leak of 1 Million U.S. Crypto User Records
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to have leaked 1 million U.S. crypto user records, including emails, names, addresses, phone numbers, IP addresses, financial transaction details, and income data.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Published Report: https://darkforums.st/Thread-Selling-10-Million-USA-Crypto-database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/af1d3851-169c-4b64-854f-185e65a0c9fa.jpg
36. Alleged Data Leak of Crypto Leads China
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to have 1 million data records of Crypto leads in China. The compromised data allegedly consists of names, phone numbers, accounts, and amounts.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: China
- Victim Industry: Financial Services
- Published Report: https://darkforums.st/Thread-Selling-1-Million-China-Crypto-leads
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/c886b9e3-c3fd-40b5-b723-9a2e327a6ffd.png
37. Alleged Data Leak of USA B2C Gamblers Database
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to be selling a U.S. gambling database containing 7.8 million records from 2023. The data allegedly includes personal and contact information such as names, addresses, phone numbers, email addresses, gender, and websites.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Victim Industry: Gambling & Casinos
- Published Report: https://darkforums.st/Thread-Selling-7-8-Million-USA-B2C-Gamblers-2023
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/0c1be820-24ed-4464-8752-b31dcfb8f74b.png
38. Alleged Data Breach of USA Doctors
- Category: Data Breach
- Description: The threat actor “XQLGhost” claims to have breached a USA doctors database. The compromised data allegedly consists of names, genders, addresses, and cities.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Victim Industry: Hospital & Health Care
- Published Report: https://darkforums.st/Thread-Selling-1M-USA-Doctor-Doctor-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/4a319601-2bd9-4f72-ae6a-336e6b02e90d.png
39. Tunisian Maskers Cyber Force Claims to Target Czech Republic
- Category: Alert
- Description: A recent post by the “Tunisian Maskers Cyber Force” group claims they are targeting the Czech Republic. The research indicates that “Tunisian Armed Forces cyber teams” are legitimate military entities involved in academic exchanges with U.S. Cyber Command Soldiers.[20] However, the specific group “Tunisian Maskers Cyber Force” is not identified as a legitimate military/government entity or a hacktivist group in the provided research.[20]
- Threat Actor(s) Involved: Tunisian Maskers Cyber Force
- Victim Country: Czech Republic
- Published Report: https://t.me/CyberforceTn/260
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/75137312-a4e8-4856-91e4-00b033ba24aa.png
40. Alleged Leak of U.S. Consumer Database
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to be selling a 155 million-line U.S. consumer database containing sensitive information such as email addresses, names, physical addresses, phone numbers, IPs, gender, and dates of birth.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Published Report: https://darkforums.st/Thread-Selling-155-Millions-USA-Consumer-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/79aec474-60f7-4a33-bc1d-22dcf95ec7bb.png
41. Alleged Data Leak of USA Gambling Database
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to be selling a USA gambling database containing 5 million records with personal and contact information, including names, addresses, phone numbers, email addresses, IP addresses, gender, and source URLs.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Victim Industry: Gambling & Casinos
- Published Report: https://darkforums.st/Thread-Selling-5-Million-USA-Gambling-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/ea392f30-340d-4c02-ab90-b6507d916515.png
42. Alleged Data Leak of 6 Million Spain Consumer Records
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to be selling a dataset of 6 million Spanish consumer records, which includes emails, multiple phone numbers, full names, birthdates, addresses, and nationality data.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: Spain
- Published Report: https://darkforums.st/Thread-Selling-6-Million-Spain-Consumer-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/d98afa0a-aab7-4b2a-82ab-a370087e32b6.jpg
43. Alleged Data Leak of USA Healthcare Database
- Category: Data Leak
- Description: The threat actor “XQLGhost” claims to be selling a USA healthcare database containing 1.2 million records with sensitive patient information, including names, contact details, date of birth, gender, and healthcare facility data. The full database reportedly includes 12 million entries.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Victim Industry: Hospital & Health Care
- Published Report: https://darkforums.st/Thread-Selling-12-Millions-USA-Healthcare-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/3f05156e-380c-48ca-a686-cf4b176d8bff.png
44. Alleged Sale of Email Database from USA (70+ Ages)
- Category: Data Leak
- Description: Threat actor “XQLGhost” claims to be selling a database of 1.8 million email records from the USA, targeting individuals aged 70 and above. The data allegedly includes emails, full names, addresses, phone numbers, IPs, birth dates, gender, and source information.
- Threat Actor(s) Involved: XQLGhost
- Victim Country: USA
- Published Report: https://darkforums.st/Thread-Selling-1-8-Million-USA-70-Ages-Email-Database
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/8ddb5cf9-32d6-4c57-a7fc-3465b990e042.png
45. Alleged Sale of Falcon Tools AIO
- Category: Malware
- Description: A threat actor named “Starip” claims to be selling Falcon Tools AIO, an all-in-one suite for web, file, and network operations. The toolkit reportedly includes functions such as server flooders, shell checkers, file binders, data stealers, encryption tools, file obfuscation, and IP tracking.
- Threat Actor(s) Involved: Starip
- Published Report: https://demonforums.net/Thread-Falcon-Tools-AIO–164747
- Screenshots/Evidence:
  - https://d34iuop8pidsy8.cloudfront.net/fddcc29a-ae72-444d-a1da-b5803d2ce00d.png
  - https://d34iuop8pidsy8.cloudfront.net/f61af4f8-dfd1-4d1a-af94-5bbb11ec1427.png
46. Alleged Data Breach of Oide Ireland’s Portal
- Category: Data Breach
- Description: The threat actor “OpMoya” claims to have leaked 49,000 records in an alleged data breach of Oide’s portal, including 43.8k unique entries from a dataset labeled Zelenka AP. Oide provides high-quality professional learning supports and services to teachers and school leaders in Ireland.22
- Threat Actor(s) Involved: OpMoya
- Victim Organization: Oide
- Victim Industry: Higher Education/Academia
- Victim Country: Ireland
- Victim Site: dms.oide.ie
- Published Report: https://bhf.pro/threads/709500/
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/972c8a24-4239-4585-98db-3bec2c4ce07d.jpg
47. Alleged Sale of Email List from Brazil
- Category: Data Leak
- Description: Threat actor “L34NDR0” claims to be selling 15.5 million verified email addresses from Brazil.
- Threat Actor(s) Involved: L34NDR0
- Victim Country: Brazil
- Published Report: https://darkforums.st/Thread-Selling-Selling-Verified-Email-List-from-Brazil
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/528dd90b-8e3f-42e8-83fd-a386d80d3983.png
48. Alleged Data Breach of BMW
- Category: Data Breach
- Description: The threat actor “wlo” claims to be selling a vehicle registration database, allegedly containing personal and ownership details such as make, chassis number, registration number and date, model series, manufacturer description, and vehicle owner information (names, contact numbers, corporate status, salutations, and opt-out preferences for calls and SMS). BMW Group is a leading manufacturer of premium automobiles and motorcycles.23
- Threat Actor(s) Involved: wlo
- Victim Organization: BMW
- Victim Industry: Manufacturing
- Victim Country: Germany
- Victim Site: bmwgroup.com
- Published Report: https://kittyforums.to/thread/310
- Screenshots/Evidence: https://d34iuop8pidsy8.cloudfront.net/c83c77a2-adf1-477c-b8d3-08c5589440ed.png
III. Threat Actor Profiles
Understanding the adversaries is paramount to effective cybersecurity. This section details the profiles of various threat actors, groups, and related concepts identified through recent intelligence, providing context on their origins, motivations, and operational methods.
Prominent Threat Actors and Groups
LulzSec Black
LulzSec Black is identified as an Iran-linked threat actor group with strong pro-Hezbollah ideological affiliations, particularly active in Lebanon. This group has been observed engaging in anti-Israeli and anti-Saudi propaganda, often disseminating misleading information to amplify geopolitical events.24 Beyond ideological motivations, LulzSec Black is also involved in monetizing stolen data, as evidenced by attempts to sell information from the Saudi Games.24
A common tactic employed by these actors is the use of “burner profiles” like ‘ZeroDayX’ to promote and distribute stolen data across the Dark Web. Such profiles are typically newly created with minimal activity, serving solely as a front for major data leaks.24 LulzSec Black has a history of collaboration with other groups, including the 313 Team (@xX313XxTeam) and Cyber Islamic Resistance (@Mhwear98), further expanding their reach and capabilities.24 Their activities have impacted various regions, with attacks reported against Israel and Jordan, alongside other groups such as Arabian Ghosts and Moroccan Black Cyber Army.25
CyberVolk. Group.
The CyberVolk Group is a financially motivated threat actor group originating from India, despite some of their ransom notes claiming Russian allegiance and their use of Russian naming conventions (Volk means wolf in Russian).26 They are a member of the “Holy League” organization, which was established by APT 44 and other Russian or Russian-aligned hackers to conduct attacks against NATO, Ukraine, and states opposing Russia.26
CyberVolk operates as a Ransomware-as-a-Service (RaaS) provider, having released their ransomware for sale on July 1, 2024.26 The group is known for various malicious activities, including data breaches, website defacement, and Distributed Denial-of-Service (DDoS) attacks.27 Their ransomware employs robust encryption algorithms such as ChaCha20-Poly1305, AES, RSA, and even quantum-resistant algorithms, making decryption challenging.26 A notable technical characteristic of their ransomware is its ability to block Task Manager, preventing users from terminating the encryption process.26
CyberVolk has been active since December 2023, previously operating under aliases such as GLORIAMIST and Solntsevskaya Bratva.27 Their ransomware encryptor’s lineage can be traced back to the AzzaSec group, which derived its encryptor from the leaked Babuk ransomware.27 The group’s targets have included organizations in Japan, the U.S., Armenia, Venezuela, Albania, and Italy, with extortion demands varying widely from a few thousand to several million dollars.27 They also engage in “data broker” activities, exfiltrating data in conjunction with ransomware deployment.27
Z-PENTEST ALLIANCE
The Z-Pentest group first appeared in October 2023 and is believed to originate from Serbia, maintaining close ties to pro-Russian actors.28 This group is distinguished by its ability to penetrate Operational Technology (OT) and Industrial Control Systems (ICS/SCADA) in critical infrastructures.28
Z-Pentest’s attacks are driven by geopolitical motivations, aiming to weaken industrial and control systems in Western countries to bolster Russia’s geopolitical influence by exploiting technological vulnerabilities.28 They primarily target the energy (oil and gas) and water sectors, disrupting critical functions such as water pumping and gas/oil distribution management.28 The group operates in a decentralized and anonymous manner, making identification and tracking difficult for authorities. They coordinate attacks on Telegram and private forums, and use platforms like X (Twitter) for propaganda and amplifying the impact of their operations.28 Z-Pentest develops tools to penetrate OT systems, exploits zero-day vulnerabilities, and sells access to industrial systems and zero-day exploits on the dark web. They are known to collaborate with groups like SECTOR16, OverFlame, and People’s Cyber Army (PCA).28
HIME666
HIME666 has formally united with the Rabbit Cyber Team to form a formidable alliance, marking a pivotal shift in cyber warfare capabilities.29 This collaboration merges two previously independent threat actors known for their sophisticated methodologies and cross-border operations.29 The alliance has already targeted critical infrastructure and governmental networks in Bangladesh, India, Indonesia, Russia, Australia, Brazil, the United Kingdom, and South Africa.29
The partnership between Rabbit Cyber Team and HIME666 represents a convergence of complementary skill sets. While Rabbit Cyber Team historically focused on advanced persistent threat (APT) campaigns and exploiting zero-day vulnerabilities, HIME666 specializes in financial system intrusions and ransomware deployment.29 Together, their operational scope now spans espionage, data exfiltration, and disruptive attacks on industrial control systems (ICS).29 Analysts suggest this merger enables multi-vector attack strategies, combining automated exploitation frameworks with manual, human-operated intrusions to bypass traditional signature-based defenses.29 Their tactics include the use of fileless malware, living-off-the-land binaries (LOLBins) like Windows Management Instrumentation (WMI), and encrypted command-and-control (C2) channels to evade detection.29
Jack_back
Jack_back is identified as a forum user on “DarkForums” who has been involved in selling sensitive data, including employee information and nuclear equipment design files.30 Historically, this individual has also been associated with hacking online video games for recreational purposes.31 This suggests a profile of an individual actor engaged in financially motivated data exfiltration, potentially leveraging past technical skills from less malicious hacking activities.
Other Relevant Entities and Concepts
sazz
The provided research does not contain specific information about “sazz” as a profiled threat actor.33 However, the incident involving Ramkhamhaeng University suggests an individual or group engaged in data breaches.
C2YP70 (China-nexus Espionage Group)
While “C2YP70” is not a specific threat actor name, it appears in the context of a China-nexus espionage group actively exploiting vulnerabilities.34 This group has been observed exploiting an unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) deployments since at least May 15, 2025.34 The targeted organizations span critical sectors, including healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.34
The group utilizes Java-based commands embedded in HTTP GET requests to execute malicious processes and establish reliable command-and-control (C2) mechanisms.34 They deploy KrustyLoader malware for persistence and remote access, often delivering payloads via publicly accessible Amazon AWS S3 buckets.34 The mifs database within Ivanti EPMM is a primary target for their espionage and data exfiltration operations. They leverage hardcoded MySQL database credentials to dump sensitive data, including Office 365 integration tokens, credentials, and metadata from managed mobile devices, supporting their cyber espionage objectives against high-value individuals and public institutions.34 They also use reverse proxy tools like FRP for network reconnaissance and lateral movement within compromised environments.34
ZeroEcho (XE Group Context)
The term “ZeroEcho” is not identified as a distinct threat actor in the provided research.35 However, the incident involving Lessoons is attributed to “ZeroEcho.” The research does provide a profile for the XE Group, a sophisticated cybercriminal organization active since at least 2013.35 Initially, their focus was on credit card skimming and password theft, primarily executed through supply chain attacks and webshells.35 In 2024, the XE Group transitioned to targeted information theft, focusing on supply chains within the manufacturing and distribution sectors.35 They are known for maintaining long-term access to compromised systems and have notably exploited zero-day vulnerabilities in VeraCore software (CVE-2024-57968 and CVE-2025-25181) to perform SQL injection attacks and deploy webshells.35 The group uses email addresses such as xecloud@icloud[.]com, xethanh@gmail[.]com, and joyn.nguyen@gmail[.]com, and pseudonyms like “XeThanh” and “Joe Nguyen”.35
Pisoletik
“Pisoletik” is not identified as a specific threat actor group in the provided research. However, the queries related to this term lead to information about hacktivism and the exploitation of WordPress plugin vulnerabilities.36 Hacktivism involves intentional unauthorized access to systems, websites, or data, and/or intentional interference with their functioning or accessibility.36 Hacktivists commit cybercrimes such as website defacements, redirects, Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks, malware distribution, data theft and disclosure, and sabotage.36
CD (HelloKitty Ransomware Group Context)
The term “CD” is not an alias for the HelloKitty ransomware group.39 CD Projekt RED is the Polish video game company that was attacked by the HelloKitty ransomware group.39
The HelloKitty ransomware group was first observed in early November 2020.39 This group gained significant attention for its attack on CD Projekt RED, where they breached the company’s internal network, encrypted devices, and stole sensitive data, including source code for games and documents related to accounting, administration, legal, and HR.39 HelloKitty is known for conducting targeted attacks and often leaves custom ransom notes, such as “read_me_unlock.txt,” a naming convention uniquely associated with this group.39 The group has also targeted other large companies, including the Brazilian power company CEMIG.39
0xBlade
The provided research does not contain specific information about “0xBlade” as a profiled threat actor.41 However, queries related to this term lead to information about DarkForums, a significant deep and dark web (DDW) hacking forum that facilitates the trade of various types of leaked data, including databases, combo lists, cracked accounts, and stealer logs.41 DarkForums gained popularity after the shutdown of BreachForums and serves as an active platform for cybercrime discussions.41
powder12 (Water Gamayun Context)
The term “powder12” is not identified as a threat actor in the provided research.43 However, queries related to this term lead to information about “impromptu cybercrime euphemisms” 43 and the Water Gamayun threat actor.44 Water Gamayun, also known as EncryptHub and Larva-208, is a suspected Russian threat actor that exploits zero-day vulnerabilities in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code and exfiltrate data.44
reimugang
The provided research does not contain specific information about “reimugang” as a profiled threat actor.41 However, queries related to this term lead to information about DarkForums, a deep and dark web hacking forum that facilitates the trade of leaked data.41
Robot17
“Robot17” is not identified as a cyber threat actor in the provided research. It is mentioned in contexts related to a “Fire Fighting Robot” used in rescue operations 46 and a “humanoid robot” in a research context.47 While one reference tangentially mentions “cybercrime and state surveill…” alongside “Robot17” 47, there is no direct evidence to suggest it is a threat actor or involved in cyber operations.
TnCrow (APT41 Context)
The term “TnCrow” is not identified as a distinct threat actor in the provided research.48 However, queries related to this term lead to information about APT41, which is a highly sophisticated and active Chinese state-sponsored Advanced Persistent Threat (APT) group.48 APT41 is known by numerous aliases, including Barium, Wicked Panda, Wicked Spider, Double Dragon, Blackfly, and Bronze Atlas.48 The group’s motivations are multifaceted, involving information theft and espionage for state interests, financial gain through cybercriminal activities, and potentially sabotage.48
BatCrypt (OBSCURE#BAT Context)
The research indicates that “BatCrypt” is associated with the “OBSCURE#BAT” malicious campaign, but it does not explicitly state whether “BatCrypt” is the name of the malware or the threat actor.50 The OBSCURE#BAT campaign relies on batch script execution to deploy a user-mode rootkit (r77 rootkit) that manipulates system processes and registry entries to evade detection and maintain persistence.50 This malware can hide files, registry entries, and running processes using API hooking, making them invisible to standard Windows tools.50 It often targets users by masquerading as legitimate software downloads or via fake captcha social engineering scams.50
ProfessorKliq (China-nexus Espionage Group Context)
The term “ProfessorKliq” is not identified as a distinct threat actor in the provided research.34 However, queries related to this term lead to information about the China-nexus espionage group that actively exploits vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) deployments.34 This is the same group associated with “C2YP70” and is known for cyber espionage objectives against high-value individuals and public institutions.34
Kaught (IntelBroker and ShinyHunters Context)
The name “Kaught” is not mentioned in the context of IntelBroker or ShinyHunters arrests or BreachForums in the provided research.33 However, the incident involving Consubanco is attributed to “Kaught.” The research does provide profiles for IntelBroker and ShinyHunters, who are prominent threat actors closely associated with BreachForums, a significant deep web hacking forum.33 Both actors were reportedly arrested in June 2025, with IntelBroker’s arrest occurring in France in February 2025.33
IntelBroker is primarily known as a data broker, responsible for high-profile cyberattacks against well-known entities globally, including alleged breaches of Home Depot and Hewlett Packard Enterprise (HPE).33 ShinyHunters is an English-speaking threat actor or collective active since approximately 2020, responsible for numerous data breaches, and widely considered the owner of BreachForums after a previous moderator’s arrest.33
fuckoverflow
The provided research does not contain specific information about “fuckoverflow” as a profiled threat actor.42 However, queries related to this term lead to information about Nation-State Cyber Actors and Advanced Persistent Threat (APT) groups.42 Nation-state adversaries are well-resourced and engage in sophisticated malicious cyber activity aimed at prolonged network/system intrusion, with objectives including espionage, data theft, and network/system disruption or destruction.42
cusoeud
The term “cusoeud” is not identified as a profiled threat actor in the provided research.51 Its appearance in research relates to general definitions of cybercrime and a data breach on Demon Forums from February 2019, which affected approximately 52.6 thousand accounts.53 This indicates “cusoeud” might be a term associated with a specific data breach event or a user handle on that forum.
ecstasy125 (Scattered Spider Context)
The provided research does not mention “ecstasy125” or any relationship between it and Scattered Spider.54 However, the incident involving Telegram is attributed to “ecstasy125.” The research does provide a profile for Scattered Spider, also known by aliases such as UNC3944, Starfraud, Muddled Libra, Octo Tempest, and Storm-0875.54 This is a financially motivated cybercriminal group that emerged in May 2022, believed to consist primarily of young individuals from the United States and the United Kingdom.54 Scattered Spider targets high-value organizations across various sectors, including telecommunications, finance, retail, gaming, food services, and healthcare.54 They are known for sophisticated social engineering tactics like phishing and SIM swapping, and their use of legitimate tools to evade detection.54 The group operates as an affiliate of major ransomware operations, notably AlphV (BlackCat/ALPHV), and has shifted to RansomHub in 2024.54
Redbull93
“Redbull93” is not identified as a cyber threat actor in the provided research. Queries related to this term lead to a Reddit user’s personal post discussing game resources.55 Its appearance in cyber incident queries is likely a misattribution.
Team_CRO (Cobalt Group and Operation Cronos Context)
“Team_CRO” is not a directly profiled threat actor group in the provided research. However, queries related to this term point to the Cobalt cybercrime group and Operation Cronos.56 The Cobalt group has been active since 2016, primarily targeting financial organizations to steal money via ATM, card processing, and payment system breaches (e.g., SWIFT, AWS-CBR).56 They use tools like Cobalt Strike, TeamViewer, and Ammyy Admin.56 “Operation Cronos” refers to an international law enforcement effort that successfully seized control of LockBit, a major ransomware organization.57
XQLGhost (DarkCloud Stealer Context)
The term “XQLGhost” is not identified as a profiled threat actor in the provided research.58 However, queries related to this term lead to information about DarkCloud Stealer malware.58 DarkCloud Stealer is information-stealing malware designed to capture sensitive browser data, credit card information, and login credentials.58 It is primarily distributed through email phishing campaigns and has been observed targeting various sectors, including government organizations.58 The malware employs multi-stage payloads and obfuscated AutoIt scripting to evade detection.58
Tunisian Maskers Cyber Force
The provided research does not identify “Tunisian Maskers Cyber Force” as a hacktivist group. Instead, it mentions that during African Lion 2025, U.S. Cyber Command Soldiers joined Wyoming National Guardsmen and Tunisian Armed Forces cyber teams for an academic exchange.20 This suggests that the Tunisian cyber force involved is a legitimate military entity.20
Starip
“Starip” is not identified as a profiled threat actor in the provided research.59 Instead, it is associated with “malware developers”.59 Malware developers create tools that threat actors then utilize in their campaigns, such as information-stealing malware like Redline, Raccoon, and Vidar.52 These malware types are used to acquire login credentials, which are then sold or used for further attacks like ransomware.52
OpMoya (APT32 and OnePercent Ransomware Context)
“OpMoya” is not a directly profiled threat actor in the provided research.42 However, queries related to this term lead to information about APT32 (OceanLotus Group) and the OnePercent ransomware group.60 APT32 is a cyber espionage actor aligned with Vietnamese state interests, known for exploiting ActiveMime files and deploying backdoors for data exfiltration and system control.60 The OnePercent group is a ransomware affiliate, active since November 2020, with ties to REvil, Maze, and Egregor, using tools like IcedID, Cobalt Strike, and PowerShell.61
L34NDR0
The provided research does not contain specific information about “L34NDR0” as a profiled threat actor.62 However, queries related to this term lead to information about Latrodectus malware, which was targeted by Operation Endgame in May 2024 but quickly rebuilt its infrastructure.62 Latrodectus has been observed being dropped by Brute Ratel and delivered via tax/IRS-themed phishing emails and fake Windows 11 Pro download sites.62
wlo (Dire Wolf Ransomware Group Context)
The term “wlo” is not mentioned in relation to the Dire Wolf ransomware group in the provided research.63 However, the incident involving BMW is attributed to “wlo.” The research does provide a profile for the Dire Wolf ransomware group, which is a newly emerged group first observed in May 2025.63 Dire Wolf quickly launched a series of targeted attacks across multiple sectors and regions, with a particular emphasis on manufacturing and technology.63 Dire Wolf employs a double extortion tactic, encrypting victims’ files and threatening to publish stolen sensitive data.63 The ransomware is written in Golang and attempts to disable Windows event logging and terminate processes that might hinder its execution.63
IV. Emerging Trends and Strategic Analysis
The analysis of recent cybersecurity incidents and threat actor behaviors reveals several critical trends that shape the current threat landscape. These trends highlight the evolving sophistication of adversaries and the systemic challenges faced by organizations in maintaining robust defenses.
Proliferation and Commoditization of Cybercrime Services
A significant observation in the current cybersecurity environment is the increasing proliferation and commoditization of cybercrime services. Groups like CyberVolk operate as Ransomware-as-a-Service (RaaS) providers, offering their malicious tools and infrastructure to other actors.26 Similarly, HIME666 and Rabbit Cyber Team, in their new alliance, are expanding their capabilities to include financial system intrusions and ransomware deployment.29 Beyond these, prominent actors such as Jack_back are involved in data brokering, selling exfiltrated sensitive information on underground forums.30
This service-based model for cybercrime signifies a mature and specialized illicit economy. It allows for the modularization and sale of malicious capabilities, which inherently lowers the barrier to entry for individuals and groups with less technical expertise. This means that even unsophisticated actors can now leverage highly effective tools, such as advanced ransomware or large-scale DDoS attacks, simply by acquiring these services. The consequence is a broader and less predictable threat landscape, as the pool of potential attackers expands significantly. Furthermore, this commoditization creates a continuous market for vulnerabilities and stolen data, providing a persistent economic incentive that drives ongoing innovation and exploitation by cybercriminals. The ability to monetize breaches through multiple avenues—be it ransomware payments, direct data sales, or subscription-based hacking services—makes cybercrime a highly resilient and profitable enterprise. If one revenue stream is disrupted, actors can readily pivot to alternative methods of financial gain. This economic viability ensures that these groups will continue to operate and evolve, underscoring the need for organizations to adopt comprehensive risk management approaches that account for diverse forms of financial and reputational damage, not just data encryption but also data exfiltration.
Blurring Lines Between Motivations
A complex and challenging aspect of the contemporary threat landscape is the increasing convergence of motivations among cyber adversaries. For instance, CyberVolk, while operating a Ransomware-as-a-Service, is also identified as a hacktivist group with pro-Russian allegiances.26 Similarly, LulzSec Black combines geopolitical propaganda with the monetization of stolen data.24 Advanced Persistent Threat (APT) groups, traditionally associated with state-sponsored espionage, are also observed engaging in financially motivated cybercrime, as seen with APT41.48 Even hacktivist groups like HIME666 are now offering commercial services or engaging in financially motivated activities.29
This intermingling of financial gain, geopolitical objectives, and ideological hacktivism complicates threat intelligence and attribution efforts. An attack that initially appears to be financially motivated might, in reality, serve broader geopolitical goals, or state-sponsored actors might utilize cybercriminal proxies to achieve plausible deniability. This inherent ambiguity makes it significantly more difficult for defenders to accurately determine the true intent and potential for escalation of an attack. When the underlying purpose of an attack is unclear, it can hinder strategic decision-making for both governments and private organizations. Is the act a criminal offense to be addressed by law enforcement, or does it constitute state-sponsored aggression requiring a different national security response? Such uncertainty can delay effective countermeasures and foster a climate of pervasive risk. Addressing this requires more sophisticated threat intelligence capabilities that can analyze not only tactics, techniques, and procedures (TTPs) but also contextual clues, geopolitical developments, and historical actor behaviors to infer intent. Enhanced collaboration between public and private sectors, as well as across international borders, becomes indispensable for sharing intelligence and overcoming these complex attribution challenges.
Exploitation of Supply Chain and Zero-Day Vulnerabilities
The current threat landscape demonstrates a distinct shift towards more sophisticated initial access methods, particularly through the exploitation of supply chain and zero-day vulnerabilities. The XE Group, for example, actively exploits previously undocumented vulnerabilities (zero-days) in widely used supply chain software such as VeraCore.35 The HIME666 and Rabbit Cyber Team alliance also focuses on zero-day exploits and weaponizes supply chain vulnerabilities.29 Similarly, the Z-Pentest group leverages zero-day vulnerabilities to gain access to critical infrastructure systems.28
This trend highlights that attackers are moving beyond easily detectable methods, opting for techniques that bypass traditional signature-based defenses. Compromising a single point within a widely used supply chain can grant access to numerous downstream targets, significantly amplifying the potential impact of an attack. This creates systemic risk across various industries, as attackers exploit the inherent trust within supply chain relationships. A breach at one software vendor or a key component supplier can trigger a cascading effect, impacting multiple organizations that rely on that vendor’s products or services. This is a highly efficient method for adversaries to scale their operations, turning a single successful exploit into widespread compromise. Organizations must therefore implement robust supply chain risk management programs, which include rigorous vetting of third-party vendors, regular security audits, and contractual obligations for stringent security standards. This extends beyond basic vendor assessments to continuous monitoring of third-party security postures and the adoption of “zero-trust” principles for all external integrations.
Persistent Threat Actor Presence and Evolving Tactics
Cyber adversaries are not static entities; they continuously learn, adapt, and demonstrate remarkable persistence. The XE Group, for instance, is known for maintaining long-term access to compromised systems, even reactivating webshells that were initially deployed years earlier.35 Similarly, Scattered Spider remains an active threat despite reported arrests of some of its members.54 This persistence is complemented by their evolving tactics, which include the increasing use of fileless malware, living-off-the-land binaries (LOLBins), and encrypted command-and-control (C2) channels.29
This sustained presence and adaptability mean that detection and eradication of these threats are becoming increasingly challenging. The ability of threat actors to maintain access for extended periods, sometimes reactivating dormant access points, provides them with significant strategic advantages for intelligence gathering, planning future attacks, or even selling access to other malicious entities. This “sleeper cell” approach allows adversaries to conduct extensive reconnaissance, meticulously map target networks, identify high-value assets, and exfiltrate data incrementally without triggering immediate alerts. It also implies that even if an initial breach is believed to be contained, residual or dormant access points might persist, leading to re-infection or future exploitation. This strategic patience is aimed at maximizing intelligence gain or the eventual impact of an attack. Consequently, organizations need to transition from purely reactive incident response to proactive threat hunting, actively searching for subtle signs of compromise. Regular, deep forensic analyses and compromise assessments are crucial for identifying and eradicating persistent threats. Implementing robust logging and log analysis, combined with stringent network segmentation, can help limit the scope and impact of such long-term compromises.
Critical Infrastructure and High-Value Sectors as Primary Targets
There is a clear and concerning trend indicating a strategic shift towards targeting critical infrastructure and high-value sectors. The Z-Pentest group specifically targets energy and water systems.28 The XE Group focuses on manufacturing and distribution supply chains.35 Multiple groups, including hacktivist entities like HIME666, are actively targeting critical infrastructure and governmental networks.29 Scattered Spider’s targets include telecommunications, finance, retail, gaming, food services, and healthcare 54, while Dire Wolf focuses on manufacturing and technology.63
This concentrated targeting signifies a move from opportunistic attacks to those designed for maximum disruption, significant financial gain, or profound geopolitical impact. Attacks on critical infrastructure and essential services elevate the risk of widespread societal disruption beyond mere data loss or financial fraud. Such incidents can directly impact national security, economic stability, and public welfare, potentially leading to power outages, water contamination, healthcare service disruptions, or financial system instability. The consequences extend far beyond individual company losses to potential societal-level repercussions. This necessitates a heightened focus from governments on protecting critical infrastructure through robust regulatory frameworks, enhanced intelligence sharing, and direct assistance to private sector entities. Organizations within these critical sectors must prioritize operational resilience, implement redundant systems, and develop comprehensive incident response plans that consider not just data recovery but also the continuity of essential services. Cross-sector collaboration and information sharing are paramount to collectively address these high-impact threats.
V. Recommendations and Outlook
The evolving cybersecurity landscape, characterized by sophisticated threat actors, blurred motivations, and targeted attacks on critical sectors, demands a proactive and multi-layered defense strategy. To bolster defenses against these persistent and adaptive threats, the following recommendations are put forth:
Recommendations for Bolstering Defenses
- Comprehensive Threat Intelligence Integration: Organizations should actively monitor dark web forums and encrypted messaging platforms such as Telegram for early warnings of data leaks, discussion of new tactics, techniques, and procedures (TTPs), and the emergence of new threats [24]. Subscribing to and integrating feeds from reputable threat intelligence providers is crucial to track RaaS affiliates, hacktivist groups, and state-sponsored actors with blended motivations. A working understanding of the economic models of cybercrime, including RaaS and data brokering, helps anticipate shifts in attack patterns and monetization strategies.
- Enhanced Vulnerability Management and Patching: Prioritizing the patching of known exploited vulnerabilities (KEVs) on internet-facing systems is critical, especially where the vulnerable component is embedded in supply chain software [35]. Maintaining vulnerability scanning and penetration testing programs that simulate sophisticated threat actor TTPs, including the rapid exploitation of newly disclosed vulnerabilities that these actors favour, is also vital [35]. Organizations must also develop a strong software supply chain security program, including thorough vetting of third-party software and components.
- Robust Identity and Access Management (IAM): Enforcing strong, unique passwords and multi-factor authentication (MFA) across all systems is paramount, with a preference for phishing-resistant MFA methods (e.g., FIDO2 hardware tokens) to counter SIM swapping and credential theft [54]. Implementing least privilege principles and conducting regular access reviews will minimize the potential impact of compromised accounts.
- Advanced Endpoint Detection and Response (EDR) & Network Segmentation: Deploying EDR solutions capable of detecting fileless malware, living-off-the-land binaries (LOLBins), and behavioral anomalies is necessary to identify sophisticated lateral movement and persistence [29]. Implementing network segmentation and micro-segmentation can effectively limit the blast radius of a successful breach, particularly for critical Operational Technology (OT) and Industrial Control Systems (ICS) environments [28]. Regular offline backups of critical data and frequent testing of recovery procedures are essential to mitigate the impact of ransomware attacks.
- Employee Security Awareness Training: Conducting continuous, tailored training programs that educate employees on the latest social engineering tactics, including phishing and pretexting, is crucial, as the human element remains a critical defense layer [54]. Fostering a security-conscious culture where suspicious activities are reported without fear of reprisal is also important.
- Incident Response and Resilience Planning: Organizations must develop and regularly test comprehensive incident response plans that account for various scenarios, including data exfiltration, service disruption (DDoS), and ransomware attacks. A strong focus on business continuity and operational resilience is particularly important for organizations in critical sectors. Establishing clear communication protocols for both internal and external stakeholders during a breach is also vital for effective response.
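One way to act on the vulnerability management recommendation above, as an added example that is not code from the original report or from CISA: a Python prioritizer that cross-references a scanner's open CVEs per asset against a KEV-style catalog and ranks them by exploitation evidence and exposure. The catalog is a constructed sample that only follows the field names of CISA's public KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`); its CVE identifiers use an impossible year (`0000`) so they cannot be mistaken for real entries, and the asset inventory, the scoring weights and the assessment date are assumptions for the example.

```python
"""Rank open vulnerabilities by exploitation evidence and exposure.

Added example, not code from the original report.  KEV_JSON is a
constructed sample that follows the field names of CISA's public KEV JSON
feed (cveID, dueDate, knownRansomwareCampaignUse); the CVE identifiers use
an impossible year (0000) so they cannot be mistaken for real entries, and
the asset inventory, weights and assessment date are invented.
"""
from __future__ import annotations

import json
from datetime import date

KEV_JSON = json.dumps({
    "title": "constructed sample in KEV feed layout",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2025-06-10", "dueDate": "2025-07-01",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCMS", "product": "Plugin",
         "dateAdded": "2025-05-20", "dueDate": "2025-06-10",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: hostname, exposure, and open CVEs from a scanner.
ASSETS = [
    {"host": "vpn-edge-1", "internet_facing": True,  "cves": ["CVE-0000-1001", "CVE-0000-1003"]},
    {"host": "www-1",      "internet_facing": True,  "cves": ["CVE-0000-1002"]},
    {"host": "build-srv",  "internet_facing": False, "cves": ["CVE-0000-1001"]},
    {"host": "hr-db",      "internet_facing": False, "cves": ["CVE-0000-1003"]},
]

ASSESSMENT_DATE = date(2025, 6, 27)   # fixed for the example


def load_kev(kev_json: str) -> dict[str, dict]:
    """Index KEV entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def score_finding(asset: dict, cve: str, kev: dict[str, dict], today: date) -> dict:
    """Score one (asset, CVE) pair; a higher score means patch sooner.

    Weights are an assumption for the example: KEV membership dominates,
    then a missed remediation due date, ransomware use, and exposure.
    """
    entry = kev.get(cve)
    score, reasons, due = 0, [], None
    if entry:
        score += 10
        reasons.append("listed in KEV")
        due = entry["dueDate"]
        if today > date.fromisoformat(due):
            score += 4
            reasons.append(f"past remediation due date {due}")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            score += 3
            reasons.append("used in ransomware campaigns")
    if asset["internet_facing"]:
        score += 5
        reasons.append("internet-facing")
    return {"host": asset["host"], "cve": cve, "score": score,
            "due": due, "reasons": reasons}


def prioritize(assets: list[dict], kev: dict[str, dict], today: date) -> list[dict]:
    """Return every finding sorted by score, then earliest due date, then host."""
    findings = [score_finding(a, c, kev, today) for a in assets for c in a["cves"]]
    findings.sort(key=lambda f: (-f["score"], f["due"] or "9999-12-31", f["host"]))
    return findings


def example_ranking() -> list[dict]:
    """Run the prioritizer over the constructed inventory and catalog."""
    return prioritize(ASSETS, load_kev(KEV_JSON), ASSESSMENT_DATE)


if __name__ == "__main__":
    for f in example_ranking():
        print(f"{f['score']:>3}  {f['host']:<11} {f['cve']:<14} {'; '.join(f['reasons'])}")
```

The ordering that falls out is the one a patch team wants: the internet-facing host carrying an already-overdue KEV entry comes first, the internet-facing host with a KEV entry tied to ransomware use second, and the internal host with a non-KEV finding last. With a real feed, replace `KEV_JSON` with the downloaded catalog and `ASSETS` with scanner output; the scoring does not need to change.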
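To show why the IAM recommendation above prefers FIDO2 over one-time codes, here is an added example (not code from the original report and not from any WebAuthn library) of the relying-party checks that make a WebAuthn assertion unusable from a phishing site: the browser writes the origin it is actually on into `clientDataJSON`, the authenticator hashes the relying-party ID into `authenticatorData`, and the relying party rejects anything that does not match its own origin and RP ID, then also rejects a replayed assertion through the signature counter. The domain names, keys and challenges are made up, and an HMAC under a shared key stands in for the authenticator's asymmetric signature so the exchange runs offline; everything else follows the WebAuthn assertion-verification steps.

```python
"""Why FIDO2/WebAuthn resists phishing: assertions are bound to the origin.

Added example, not code from the original report or from any WebAuthn
library.  It implements the relying-party checks on clientDataJSON and
authenticatorData (type, challenge, origin, rpIdHash, user-presence flag,
signature counter) and uses an HMAC under a shared key as a stand-in for
the authenticator's asymmetric signature so the whole exchange runs
offline.  Domain names, keys and challenges are made up for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

RP_ID = "example.com"                        # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed login origin
FLAG_UP = 0x01                               # "user present" bit in authData flags


def register() -> tuple[dict, dict]:
    """Create one credential; returns (authenticator-side, RP-side) records.

    A real authenticator keeps a private key and the RP stores the public
    key; the shared HMAC key here is only a stand-in for that pair.
    """
    key = os.urandom(32)
    return {"key": key, "sign_count": 0}, {"key": key, "last_count": 0}


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """The browser, not the page's script, writes the origin it is on."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                       "origin": origin}).encode()


def authenticator_get_assertion(auth: dict, rp_id: str, client_data: bytes) -> dict:
    """Simulated authenticator: authData = rpIdHash || flags || counter, then sign."""
    auth["sign_count"] += 1
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_UP])
                 + struct.pack(">I", auth["sign_count"]))
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(auth["key"], to_sign, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


def verify_assertion(rp: dict, assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong clientData type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge.hex()):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["auth_data"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & FLAG_UP:
        return False, "user presence not asserted"
    count = struct.unpack(">I", ad[33:37])[0]
    if count <= rp["last_count"]:
        return False, "signature counter did not increase"
    to_sign = ad + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(rp["key"], to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    rp["last_count"] = count
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Genuine login, adversary-in-the-middle phishing attempt, and a replay."""
    auth, rp = register()
    results = {}

    # 1. Genuine login on the real site.
    c1 = os.urandom(32)
    genuine = authenticator_get_assertion(auth, RP_ID, browser_client_data(EXPECTED_ORIGIN, c1))
    results["genuine"] = verify_assertion(rp, genuine, c1)

    # 2. Phishing: the attacker relays the RP's real challenge, but the victim's
    #    browser is on the lookalike origin and only permits an rpId that matches
    #    it, so both the origin and the rpIdHash differ from what the RP expects.
    c2 = os.urandom(32)
    phished = authenticator_get_assertion(auth, "login-example.evil",
                                          browser_client_data("https://login-example.evil", c2))
    results["phished"] = verify_assertion(rp, phished, c2)

    # 3. Replay of the genuine assertion against an RP that failed to retire c1:
    #    the signature counter has not moved past the stored value.
    results["replay"] = verify_assertion(rp, genuine, c1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:<8} {outcome}")
```

The phished assertion fails on the origin check before the signature is even examined; a one-time code typed into the same lookalike page would have been accepted by the real site. In production the HMAC is replaced by verifying an ECDSA or similar signature with the stored public key, and the RP issues a fresh random challenge per login and retires it after one use.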
Anticipated Shifts in the Cybersecurity Landscape
The cybersecurity landscape is dynamic, and several key shifts are anticipated in the coming period:
- Continued Hybridization of Threat Actors: The distinctions between financially motivated cybercriminals, ideologically driven hacktivists, and state-sponsored groups will continue to diminish. This convergence will make attribution and the assessment of attack intent increasingly complex, requiring more nuanced intelligence and collaborative response mechanisms.
- Increased Focus on Operational Technology (OT) and Critical Infrastructure: As geopolitical tensions persist, attacks targeting industrial control systems and critical services are likely to escalate. Both state-aligned actors and hacktivist groups will likely continue to target these systems, aiming for maximum disruption and strategic impact.
- Sophistication of Initial Access: Expect a continued emphasis on exploiting zero-day vulnerabilities and weaknesses within the software supply chain. Alongside these technical exploits, highly refined social engineering tactics will remain a primary vector for initial access, as attackers seek to bypass traditional, signature-based defenses.
- Evolution of Cybercrime Ecosystems: Dark web forums and encrypted messaging platforms will remain central to cybercrime operations, constantly adapting to law enforcement pressures. The emergence of new “as-a-Service” models will further democratize access to advanced attack capabilities, enabling a wider range of actors to execute sophisticated campaigns.
- AI in Cyber Operations: While the provided intelligence snippets did not extensively detail AI’s role in actor TTPs, the broader cybersecurity context suggests that artificial intelligence will increasingly be leveraged by both defenders and attackers. Adversaries may use AI for reconnaissance, exploit development, and evasion, while defenders will increasingly rely on AI for enhanced detection, anomaly identification, and automated response capabilities. This will lead to an AI-driven arms race in cyber warfare.
Works cited
1. Swift Pace Logistics LLC | CarrierSource, accessed June 27, 2025, https://www.carriersource.io/carriers/swift-pace-logistics-llc
2. Overview, accessed June 27, 2025, http://www.oasc2.ru.ac.th/en/index.php/about/about-us/overview
3. Lessons.com Company Overview, Contact Details & Competitors – LeadIQ, accessed June 27, 2025, https://leadiq.com/c/lessonscom/5a1dc50e2300005b00c78af7
4. Ukraine Express Limiteds – Buyers, Suppliers, full Export Import details – Volza, accessed June 27, 2025, https://www.volza.com/company-profile/ukraine-express-limited-89873706
5. Dtunes Launches Innovative Crypto Wallet to Empower Nigerians in the Digital Economy, accessed June 27, 2025, https://punchng.com/dtunes-launches-innovative-crypto-wallet-to-empower-nigerians-in-the-digital-economy/
6. Study in Romania: Romanian Government Scholarships for Non-EU Citizens 2025 (fully-funded & available for undergraduate, master’s, and PhD) – Global South Opportunities, accessed June 27, 2025, https://www.globalsouthopportunities.com/2025/02/11/romanian-government/
7. Business Overview | Elbit Systems, accessed June 27, 2025, https://www.elbitsystems.com/business-overview
8. Newgrounds – Wikipedia, accessed June 27, 2025, https://en.wikipedia.org/wiki/Newgrounds
9. Bangladesh Meteorological Department – Wikipedia, accessed June 27, 2025, https://en.wikipedia.org/wiki/Bangladesh_Meteorological_Department
10. Sekolah Tinggi Ilmu Ekonomi STIE Satya Dharma Singaraja – FAQ – AD Scientific Index, accessed June 27, 2025, https://www.adscientificindex.com/university/Sekolah+Tinggi+Ilmu+Ekonomi+STIE+Satya+Dharma+Singaraja/university-faq/
11. Consubanco Company Profile: Financings & Team – PitchBook, accessed June 27, 2025, https://pitchbook.com/profiles/advisor/342172-63
12. Türkiye Burslari Scholarship – ASEAN Youth Organization, accessed June 27, 2025, https://aseanyouth.net/turkiye-scholarship/
13. Telegram (software) – Wikipedia, accessed June 27, 2025, https://en.wikipedia.org/wiki/Telegram_(software)
14. Profil PPPKMI, accessed June 27, 2025, https://web.pppkmi.org/profil-pppkmi/
15. Perplexity AI – Wikipedia, accessed June 27, 2025, https://en.wikipedia.org/wiki/Perplexity_AI
16. Cursor revenue, valuation & growth rate – Sacra, accessed June 27, 2025, https://sacra.com/c/cursor/
17. Paytm – Wikipedia, accessed June 27, 2025, https://en.wikipedia.org/wiki/Paytm
18. Moroccan PHARMACEUTICAL LABORATORY – Sothema, accessed June 27, 2025, https://www.sothema.com/wp-content/uploads/2015/12/plaquette-faconnage.pdf
19. TiendAPP 2025 Company Profile: Valuation, Funding & Investors | PitchBook, accessed June 27, 2025, https://pitchbook.com/profiles/company/223070-59
20. Cyber lethality: Multidomain training enhances readiness at exercise …, accessed June 27, 2025, https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025
21. Turkish Group Hacks Zero-Day Flaw to Spy on Kurdish Forces, accessed June 27, 2025, https://www.bankinfosecurity.com/turkish-group-hacks-zero-day-flaw-to-spy-on-kurdish-forces-a-28388
22. About – Oide, accessed June 27, 2025, https://oide.ie/about/
23. The Company BMW Group, accessed June 27, 2025, https://www.bmwgroup.com/en/company.html
24. Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games – Resecurity, accessed June 27, 2025, https://www.resecurity.com/blog/article/iran-linked-threat-actors-leak-visitors-and-athletes-data-from-saudi-games
25. Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict – Industrial Cyber, accessed June 27, 2025, https://industrialcyber.co/threats-attacks/radware-reports-hybrid-warfare-as-cyberattacks-disinformation-escalate-in-2025-israel-iran-conflict/
26. CyberVolk Ransomware Technical & Malware Analysis Report – ThreatMon, accessed June 27, 2025, https://threatmon.io/cybervolk-ransomware-technical-malware-analysis-report/
27. CyberVolk Ransomware | WatchGuard Technologies, accessed June 27, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/cybervolk
28. Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange Cyberdefense, accessed June 27, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
29. Rabbit Cyber Team and HIME666 Form New Hacktivist Alliance, accessed June 27, 2025, https://cyberpress.org/rabbit-cyber-hime666/
30. Weekly Darkweb in May W2 – S2W, accessed June 27, 2025, https://s2w.inc/en/resource/detail/831
31. EP 7: Manfred (Part 1) – Darknet Diaries, accessed June 27, 2025, https://darknetdiaries.com/episode/7/
32. Fortress stories – TechDay New Zealand – Page 3, accessed June 27, 2025, https://techday.co.nz/tag/fortress?page=3
33. Flash Report: Prominent Threat Actors Reportedly Arrested | ZeroFox, accessed June 27, 2025, https://www.zerofox.com/intelligence/flash-report-prominent-threat-actors-reportedly-arrested/
34. China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability – EclecticIQ Blog, accessed June 27, 2025, https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
35. XE Group: From Credit Card Skimming to Exploiting Zero-Days …, accessed June 27, 2025, https://intezer.com/blog/xe-group-exploiting-zero-days/
36. Hacktivism – Cybercrime Module 14 Key Issues – UNODC, accessed June 27, 2025, https://www.unodc.org/e4j/zh/cybercrime/module-14/key-issues/hacktivism.html
37. Threat Actors Exploit High-Severity Bypass Vulnerability in WordPress Plugin – Bitdefender, accessed June 27, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/threat-actors-exploit-high-severity-bypass-vulnerability-in-wordpress-plugin
38. 4 Internet Activities That May Constitute White Collar Crime, accessed June 27, 2025, https://cahillcriminaldefense.com/4-internet-activities-that-may-constitute-white-collar-crime/
39. HelloKitty ransomware group likely responsible for CD Projekt attack …, accessed June 27, 2025, https://www.emsisoft.com/en/blog/37783/hellokitty-ransomware-group-likely-responsible-for-cd-projekt-attack-heres-why/
40. CD PROJEKT RED Hit by Ransomware Attack – Cyble, accessed June 27, 2025, https://cyble.com/blog/cd-projekt-red-gaming-studio-suffered-a-ransomware-attack/
41. Quick Overview of DarkForums – S2W, accessed June 27, 2025, https://s2w.inc/en/resource/detail/857
42. Nation-State Cyber Actors | Cybersecurity and Infrastructure Security Agency CISA, accessed June 27, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors
43. Impromptu Cybercrime Euphemism Detection – ACL Anthology, accessed June 27, 2025, https://aclanthology.org/2025.coling-main.612.pdf
44. CVE-2025-26633: How Water Gamayun Weaponizes MUIPath using MSC EvilTwin, accessed June 27, 2025, https://www.trendmicro.com/en_us/research/25/c/cve-2025-26633-water-gamayun.html
45. From 0 to 100: a story of the escalation of Threat Actors | CyberPeace Institute, accessed June 27, 2025, https://cyberpeaceinstitute.org/news/story-of-the-escalation-of-threat-actors/
46. Hyderabad fire tragedy: Building’s structural layout posed significant challenges for rescue teams – Deccan Herald, accessed June 27, 2025, https://www.deccanherald.com/india/telangana/hyderabad-fire-tragedy-buildings-structural-layout-posed-significant-challenges-for-rescue-teams-3546393
47. 36808 PDFs | Review articles in MECHANISM DESIGN, accessed June 27, 2025, https://www.researchgate.net/topic/Mechanism-Design/publications/15
48. Threat Actor Profiles – Malware Patrol, accessed June 27, 2025, https://www.malwarepatrol.net/threat-actor-profiles/
49. Threat Profiles – Google Threat Intelligence – VirusTotal, accessed June 27, 2025, https://gtidocs.virustotal.com/docs/threat-profiles-guides
50. Analyzing OBSCURE#BAT: Threat Actors Lure Victims into …, accessed June 27, 2025, https://www.securonix.com/blog/analyzing-obscurebat-threat-actors-lure-victims-into-executing-malicious-batch-scripts-to-deploy-stealthy-rootkits/
51. What is Cybercrime and How to Protect Yourself? – Kaspersky, accessed June 27, 2025, https://me-en.kaspersky.com/resource-center/threats/what-is-cybercrime
52. Ben Kapon – content writer at kelacyber, accessed June 27, 2025, https://www.kelacyber.com/academy/editorial/team/ben-kapon-3568003/
53. Demon Forums Data Breach – Have I Been Pwned, accessed June 27, 2025, https://haveibeenpwned.com/Breach/DemonForums
54. Comprehensive CTI Report: Scattered Spider Threat Actor Group …, accessed June 27, 2025, https://barricadecyber.com/cti-report-scattered-spider-threat-actor-group/
55. Sinisterly – Reddit, accessed June 27, 2025, https://www.reddit.com/user/Sinisterly/
56. Cobalt – Positive Technologies, accessed June 27, 2025, https://global.ptsecurity.com/analytics/hacker-groups/cobalt
57. ‘Operation Cronos’ seizes major cybercrime group – and other cybersecurity news to know this month | World Economic Forum, accessed June 27, 2025, https://www.weforum.org/stories/2024/02/ransomware-cronos-cybersecurity-news/
58. DarkCloud Stealer: Comprehensive Analysis of a New Attack Chain That Employs AutoIt, accessed June 27, 2025, https://unit42.paloaltonetworks.com/darkcloud-stealer-and-obfuscated-autoit-scripting/
59. 5 Best Freelance Malware Developers for Hire in June 2025 – Arc.dev, accessed June 27, 2025, https://arc.dev/hire-developers/malware
60. Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations | Mandiant, accessed June 27, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cyber-espionage-apt32/
61. FBI issues FLASH alert about OnePercent ransomware group – Acronis, accessed June 27, 2025, https://www.acronis.com/en-gb/tru/posts/fbi-issues-flash-alert-about-onepercent-ransomware-group/
62. Intelligence Insights: Amber Albatross, Latrodectus emerges – Red Canary, accessed June 27, 2025, https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
63. Dire Wolf Strikes: New Ransomware Group Targeting Global Sectors, accessed June 27, 2025, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dire-wolf-strikes-new-ransomware-group-targeting-global-sectors/