[July-06-2025] Daily Cybersecurity Threat Report

Executive Summary

The past 24 hours have underscored a dynamic and multifaceted global cybersecurity landscape, characterized by a spectrum of threats ranging from financially motivated data breaches and malware sales to ideologically driven hacktivism and website defacements. A notable trend involves the direct manifestation of geopolitical conflicts within the cyber domain, where state-aligned actors and their proxies engage in digital warfare to achieve strategic objectives. This includes groups like Akatsuki Cyber Team and Handala, deeply embedded in the Israel-Iran and Israel-Palestine conflicts, respectively, showcasing how real-world tensions translate into targeted cyber operations.

Another significant observation is the dual nature of hacktivism. While some groups, such as KAL EGY 319, primarily engage in symbolic disruptions with minimal actual impact, others like Handala demonstrate an alarming evolution towards nation-state-level capabilities, executing highly destructive and data-intensive attacks. This distinction highlights the critical need for nuanced threat assessment, differentiating between propaganda-driven claims and genuinely impactful breaches. Furthermore, the persistent exploitation of unpatched vulnerabilities by financially motivated actors like Ghost (Cring) Ransomware continues to be a prevalent and effective attack vector, emphasizing fundamental weaknesses in organizational security posture. The reliance on legitimate tools by groups like Rare Werewolf also presents a challenge, as traditional defenses may struggle to differentiate between benign and malicious activity. Collectively, these incidents paint a picture of an increasingly complex threat environment demanding adaptive and intelligence-driven defensive strategies.

Daily Incident Briefs

This section provides a detailed analysis of cybersecurity incidents reported in the last 24 hours. For each incident, a summary of the breach, a comprehensive profile of the responsible threat actor, their observed Tactics, Techniques, and Procedures (TTPs), and the broader impact and context are provided. All available links, including published URLs and screenshots, are included for further reference.

Daily Incident Summary Table

| Incident Name | Affected Sector/Entity | Primary Threat Actor | Brief Impact | Date Reported |
|---|---|---|---|---|
| AKATSUKI CYBER TEAM claims to target Israel | Israel | Akatsuki cyber team (official) | Alert: Group claims targeting Israel | 2025-07-06T13:23:44Z |
| Alleged sale of VPN access to multiple Southeast Asian Academic and Medical Institutions | Academic Institutions across Southeast Asia | XManX | Initial Access: Sale of 7 Fortinet SSL VPN accesses | 2025-07-06T12:03:09Z |
| Alleged sale of data from multiple companies | Multiple companies | nick_diesel | Data Leak: Sale of data from multiple companies | 2025-07-06T09:51:31Z |
| Alleged data leak of Freedom Wood Doors Ltd | Freedom Wood Doors Ltd, Israel (Manufacturing) | Handala Hack | Data Leak: 92GB data leak including client lists, invoices, schematics | 2025-07-06T09:42:26Z |
| KAL EGY 319 claims to target the Turkish government | Turkey (Government Administration) | KAL EGY 319 | Alert: Group claims targeting Turkish government | 2025-07-06T08:20:01Z |
| Alleged leak of webshell access to Kerala State Coir Corporation Ltd | Kerala State Coir Corporation Ltd, India (Manufacturing) | WOLF CYBER ARMY | Initial Access: Unauthorized access to corporate systems | 2025-07-06T07:05:48Z |
| WOLF CYBER ARMY targets the website of mtsmaarif03.com | mtsmaarif03.com | WOLF CYBER ARMY | Defacement: Website defacement | 2025-07-06T06:11:07Z |
| Liwaa Muhammad targets the website of Tamam Company | Tamam Company, Saudi Arabia (Facilities Services) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T05:33:37Z |
| Alleged data breach of Advanced Call Center Technologies, LLC | Advanced Call Center Technologies, LLC, USA (Outsourcing & Offshoring) | DigitalGhost | Data Breach: Leak of sensitive user information | 2025-07-06T04:24:35Z |
| Alleged data breach of Advanced Call Center Technologies, LLC | Advanced Call Center Technologies, LLC, USA (Government & Public Sector) | DigitalGhost | Data Breach: Leak of sensitive user information | 2025-07-06T04:18:11Z |
| Alleged data breach of Go Bus | Go Bus, Egypt (Transportation & Logistics) | stepbro | Data Breach: 1.4 million customer records leaked | 2025-07-06T04:10:18Z |
| Alleged Data Leak of Taxi Company Egypt | Egypt (Transportation & Logistics) | stepbro | Data Leak: 176,000 user records leaked | 2025-07-06T04:07:56Z |
| Alleged data breach of Mazaya Egypt | Mazaya Egypt, Egypt (Retail Industry) | stepbro | Data Breach: Breach of customer data (name, address, payment) | 2025-07-06T04:01:05Z |
| Liwaa Muhammad targets the website of Arkan Al Omran Factory | Arkan Al Omran Factory, Saudi Arabia (Manufacturing) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T03:37:17Z |
| Liwaa Muhammad targets the website of Multi Technical Solutions Establishment | Multi Technical Solutions Establishment, Saudi Arabia (Sports) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T03:37:12Z |
| Alleged data leak of Philippine fresh user records | Philippines | NotFoundddd | Data Leak: Over 500,000 user records leaked | 2025-07-06T02:51:59Z |
| Alleged data breach of SOM ENERGIA | Som Energia, Spain (Renewables & Environment) | Nosferatu | Data Breach: 120,000 records leaked (personal, banking) | 2025-07-06T02:42:27Z |
| Alleged leak of Vehicle Plates Database Chile | Chile | DelitosPenales | Data Leak: Over 55,000 vehicle registration records leaked | 2025-07-06T02:41:48Z |
| Alleged sale of CAIN Malware | N/A | BUBBAS GATE | Malware: Sale of malicious cryptocurrency wallet clone | 2025-07-06T02:16:23Z |
| Alleged data sale of documents from a Federal State Budgetary Institution of Higher Education | Russia (Higher Education/Academia) | deabec | Data Leak: Sale of classified documents (Gazprom, tax, legal) | 2025-07-06T01:45:35Z |
| Alleged data breach of Fashion Group México and GOC Makeup | Fashion Group México, Mexico (Healthcare & Pharmaceuticals) | Rui_Deidad | Data Breach: 135,535 records leaked (personal, financial) | 2025-07-06T00:43:03Z |
| Alleged leak of data from a Seychelles main bank | Seychelles (Banking & Mortgage) | ByteToBreach | Data Leak: Client information leaked from major bank | 2025-07-06T00:30:25Z |
| Alleged data sale from an unidentified financial services firm in Panama | Panama (Financial Services) | Lucczi | Data Leak: 60,000 financial service entries leaked | 2025-07-06T00:01:23Z |

Incident 1: AKATSUKI CYBER TEAM claims to target Israel

Summary of Breach and Affected Entities:

A recent post by the group claims that they are targeting Israel.

Detailed Threat Actor Profile: Akatsuki Cyber Team

Identity and Affiliation: Akatsuki Cyber Team is recognized as a pro-Iran hacktivist group. This group is increasingly prominent within the ongoing Israel-Iran cyber conflict, particularly as many Iran-based groups may experience reduced activity due to internet blackouts. Akatsuki Cyber Team is observed to be coordinating efforts and directing its focus towards Israeli targets.1 Their operations are part of a broader “cyber war” that involves both official Iranian cyber units and various proxy groups.1

Motivations: The primary drivers behind Akatsuki Cyber Team’s operations are geopolitical and ideological, aligning directly with Iran’s strategic interests within the cyber domain. Their activities are designed to contribute to shaping public perception and exerting pressure during periods of geopolitical escalation.1

Tactics, Techniques, and Procedures (TTPs):

| Tactic | Technique | Description/Examples | Associated Malware/Tools | MITRE ATT&CK ID |
|---|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | Exploitation of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs).2 | N/A | T1190 |
| Initial Access | Valid Accounts | Exploitation of default or common passwords on internet-connected accounts and devices; automated password guessing; password hash cracking.2 | N/A | T1078 |
| Reconnaissance | Active Scanning | Utilization of tools like Shodan to identify vulnerable internet-facing devices, particularly within Industrial Control System (ICS) environments.2 | Shodan | T1595.002 |
| Lateral Movement | Internal Spearphishing | Exploiting weak segmentation or misconfigured firewalls to move across networks after initial compromise.2 | N/A | T1534 |
| Execution & Persistence | Remote Access Tools (RATs) | Deployment of RATs for remote control and access.2 | Various RATs | T1219 |
| Execution & Persistence | Credential Dumping | Use of keyloggers and legitimate administrative utilities to escalate access and evade endpoint defenses.2 | Keyloggers, Mimikatz | T1003 |
| Execution & Persistence | Command and Scripting Interpreter | Use of legitimate administrative utilities like PsExec.2 | PsExec | T1059 |
| Impact | Data Destruction | Potential future use of wiper malware to destroy data.1 | Wiper malware | T1485 |
| Impact | Data Encrypted for Impact | Potential future use of ransomware for financial support.1 | Ransomware | T1486 |
| Impact | Denial of Service | Execution of Distributed Denial of Service (DDoS) attacks.1 | N/A | T1498 |
| Impact | Data Theft | Campaigns focused on stealing data.1 | N/A | T1041 |
| Impact | Disruptive Attacks | Intrusion attempts on critical infrastructure, potential exploitation of PLCs, SCADAs, and other OT systems.1 | N/A | T1499, T1529 |
| Command and Control | Ingress Tool Transfer | Employing system engineering and diagnostic tools to breach Operational Technology (OT) networks.2 | N/A | T1105 |
| Collection | Data from Local System | Siphoning credentials and other sensitive information.2 | N/A | T1005 |

Impact and Broader Context:

The activities of Akatsuki Cyber Team are a direct reflection of the “cyber reflections” of the Israel-Iran conflict, indicating a likelihood of faster and more intense digital confrontations.1 Their visible and early involvement in these escalations suggests that state-linked cyber units are increasingly instrumental in shaping both public perception and strategic pressure, blurring the traditional boundaries between conventional and cyber warfare.1 The consistent pattern of state-sponsored entities and their aligned hacktivist proxies engaging in cyber actions demonstrates a direct and escalating manifestation of real-world geopolitical conflicts within the cyber domain. This means that organizations with ties to regions experiencing geopolitical tensions must maintain heightened vigilance against ideologically motivated attacks, which may prioritize disruption, psychological warfare, or intelligence gathering over purely financial objectives.

Relevant Resources:

Published URL: https://t.me/c/2601166559/102

Screenshots: https://d34iuop8pidsy8.cloudfront.net/d479d4c2-89e9-48ab-aa6b-d1dd8e00996f.PNG, https://d34iuop8pidsy8.cloudfront.net/25e692d9-0ea5-4c48-bcd2-0abd4c4ac604.PNG

Incident 2: Alleged sale of VPN access to multiple Southeast Asian Academic and Medical Institutions

Summary of Breach and Affected Entities:

The threat actor claims to be selling unauthorized access to 7 Fortinet SSL VPNs allegedly linked to legitimate .edu and .ac domain networks. The compromised VPN credentials reportedly grant access to the internal systems of university and academic institutions across Southeast Asia, including Malaysia, Thailand, Taiwan, Kenya, Pakistan, and India.

Detailed Threat Actor Profile: XManX

Identity and Affiliation: XManX is identified as a threat actor operating in online criminal forums, potentially involved in the sale of access to compromised systems.3 Specific details regarding their history or broader affiliations are limited in the provided research material.

Motivations: As with many actors on cybercrime forums, the primary motivation for XManX appears to be financial gain through the sale of illicit access.3

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for XManX are not detailed in the provided research. However, general methods for gaining initial access to systems for sale often include exploiting public-facing applications with known vulnerabilities (CVEs) or using default/common passwords.2

Impact and Broader Context:

The sale of VPN access poses a significant risk as it can lead to further exploitation, including data theft, ransomware deployment, or other disruptive activities within the compromised networks. The targeting of academic and medical institutions highlights the vulnerability of these sectors to financially motivated cybercrime.

Relevant Resources:

Published URL: https://darkforums.st/Thread-Selling-7-Fortinet-SSL-VPN-Access-%E2%80%93-edu-ac-Domains

Screenshots: https://d34iuop8pidsy8.cloudfront.net/5e441023-87e8-41b2-b9ee-717b77100da6.png

Incident 3: Alleged sale of data from multiple companies

Summary of Breach and Affected Entities:

The threat actor claims to be selling data from multiple companies.

Detailed Threat Actor Profile: nick_diesel

Identity and Affiliation: nick_diesel is identified as a threat actor active on online forums, potentially involved in the sale of stolen data.5 Specific details regarding their history or broader affiliations are limited in the provided research material.6

Motivations: The primary motivation for nick_diesel appears to be financial gain through the sale of exfiltrated data.

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for nick_diesel are not detailed in the provided research. Data leaks typically result from various methods, including exploiting vulnerabilities, phishing, or insider threats.7

Impact and Broader Context:

The sale of data from multiple companies indicates a broad targeting strategy, potentially impacting various industries and exposing sensitive information. Such data can be used for further cybercrime, including identity theft, fraud, or targeted phishing campaigns.

Relevant Resources:

Published URL: https://forum.exploit.in/topic/261980/?tab=comments#comment-1579683

Screenshots: https://d34iuop8pidsy8.cloudfront.net/5bafa785-f578-4086-8cf5-2b0c36c553ee.png

Incident 4: Alleged data leak of Freedom Wood Doors Ltd

Summary of Breach and Affected Entities:

A threat actor claims to have leaked 92GB of data from Freedom Wood Doors Ltd, Israel. The breach reportedly includes client lists, invoices, delivery schedules, technical schematics, and PoC.

Detailed Threat Actor Profile: Handala Hack Group

Identity and Affiliation: Handala is a pro-Palestinian hacktivist group that has demonstrated significant activity targeting Israeli organizations and digital infrastructure since late 2023.8 While the group asserts independent activism, many cybersecurity experts suggest that Iranian state interests may play a supporting role, indicating a potential proxy relationship.8

Motivations: The group is ideologically driven by pro-Palestinian motives, focusing its attacks on Israeli government, infrastructure, and private organizations.8 Handala’s operational strategy integrates technical capabilities with psychological warfare, leveraging mass communications to amplify fear and confusion among victims and the broader public.8

Tactics, Techniques, and Procedures (TTPs):

| Tactic | Technique | Description/Examples | Associated Malware/Tools | MITRE ATT&CK ID |
|---|---|---|---|---|
| Initial Access | Phishing | Phishing campaigns, often exploiting major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Evolution from basic phishing to credential-based infiltrations.9 | N/A | T1566 |
| Execution & Persistence | Multi-Stage Loading | Utilization of a multi-stage loading process for malware delivery, including a Delphi-coded second-stage loader and an AutoIT injector.9 | Delphi, AutoIT injector | T1059 |
| Execution & Persistence | Privilege Escalation | Focus on privilege escalation and establishing long-term persistence within victim environments.8 | N/A | T1068 |
| Defense Evasion | Obfuscated Files or Information | Malware designed to blend into normal network traffic to evade detection.8 | N/A | T1027 |
| Impact | Data Destruction | Use of custom wiper malware specifically targeting Windows and Linux environments for destructive attacks.9 | win.handala, win.hatef, win.flash_develop | T1485 |
| Impact | Data Theft | Engagement in data theft and extortion.9 | N/A | T1041 |
| Impact | Denial of Service | Execution of Distributed Denial of Service (DDoS) attacks.8 | N/A | T1498 |
| Exfiltration | Exfiltration Over C2 Channel | Use of cloud storage (e.g., AWS S3, Storj) and multi-channel Command and Control (C2) techniques, including Telegram, for data exfiltration.8 | AWS S3, Storj, Telegram, senvarservice-DC.exe | T1041, T1567.002 |
| Impact | Public Disclosure | Operation of a data leak site to publicize stolen data, although claims of success are sometimes disputed.9 | Data leak site | T1598 |
| Impact | Psychological Operations | Triggering emergency sirens and sending mass SMS alerts to cause panic (e.g., kindergarten alert hijack).8 | N/A | T1589 |
| Communication | Social Media | Heavy use of Telegram and social media to publicize operations and taunt victims.8 | Telegram, social media | T1589 |

Impact and Broader Context:

Handala’s evolution from a disruptive hacktivist collective to an actor demonstrating “nation-state-level capabilities” highlights the increasing sophistication of ideologically motivated groups, especially when they receive potential backing from state interests.8 The documented disruption of their activities through proactive threat intelligence, exemplified by OP Innovate’s “Unpacking Handala” report, underscores the critical importance of detailed technical analysis in empowering defenders and disrupting threat actor momentum.8 This demonstrates that comprehensive intelligence gathering and dissemination can significantly enhance overall cyber resilience by providing organizations with early-warning capabilities and actionable Indicators of Compromise (IOCs).8

Relevant Resources:

Published URL: https://t.me/handala_hack27/81

Screenshots: https://d34iuop8pidsy8.cloudfront.net/493cff5b-f38d-49af-a286-8622d8616d96.png

Incident 5: KAL EGY 319 claims to target the Turkish government

Summary of Breach and Affected Entities:

A recent post by the group claims that they are targeting the Turkish government.

Detailed Threat Actor Profile: KAL EGY 319

Identity and Affiliation: KAL EGY 319 is identified as a Pakistan-linked hacktivist group. This group operates within a broader surge of hacktivist activity related to the India-Pakistan conflict, often alongside other groups such as Nation Of Saviors and SYLHET GANG-SG.10

Motivations: The group is ideologically driven by the India-Pakistan conflict, claiming responsibility for attacks on Indian government, educational institutions, and critical infrastructure websites.10

Tactics, Techniques, and Procedures (TTPs):

| Tactic | Technique | Description/Examples | Claimed Impact | Actual Verified Impact |
|---|---|---|---|---|
| Initial Access | Phishing | Phishing emails with malicious attachments, such as PowerPoint files containing macros.10 | N/A | N/A |
| Execution | Malicious File | Delivery of Crimson RAT malware cleverly disguised as an image file (e.g., WEISTT.jpg), which then launches an executable (jnmxrvt hcsm.exe) to initiate infection.10 | N/A | N/A |
| Impact | Defacement | Claimed widespread defacement campaign affecting approximately 40 Indian educational and medical websites.10 | Approximately 40 Indian educational and medical websites defaced.10 | All named websites were found to be functioning normally; defacements were either not fully executed or did not result in significant compromise.10 |
| Impact | Data Breach | Claims of over 100 successful breaches of government sites and critical infrastructure, including the CBI, Election Commission of India (ECI), and National Portal of India. Alleged exfiltration of 247 GB of sensitive government data from India's National Informatics Centre.10 | Over 100 breaches, 247 GB of sensitive government data exfiltrated.10 | Alleged data leaks were largely unsubstantiated, consisting of publicly available marketing materials or recycled data. The "proof" for the 247 GB claim amounted to just 1.5 GB of public media files.10 |
| Impact | Data Breach | Alleged data stolen from the Andhra Pradesh High Court.11 | Data stolen from Andhra Pradesh High Court.11 | Consisted mostly of case metadata already available online.11 |

Impact and Broader Context:

The activities of KAL EGY 319 exemplify the “tactical reality behind the India-Pakistan hacktivist surge,” where claimed disruptions are often symbolic rather than deeply impactful.10 This highlights a common characteristic of some hacktivist operations: high visibility and bold claims that serve as propaganda, but with limited technical sophistication or lasting damage. This contrasts sharply with more advanced state-sponsored groups, such as APT36, which has been observed using sophisticated phishing campaigns to infiltrate Indian government and defense networks.11 Understanding this distinction is crucial for accurate threat assessment, preventing the misallocation of resources to symbolic attacks, and ensuring focus remains on threats with verified, tangible impact.

Relevant Resources:

Published URL: https://t.me/c/2678006578/8

Screenshots: https://d34iuop8pidsy8.cloudfront.net/65969aa7-698f-4266-91ec-d9efe48773fd.png

Incident 6: Alleged leak of webshell access to Kerala State Coir Corporation Ltd

Summary of Breach and Affected Entities:

The group claims to have gained unauthorized access to the Kerala State Coir Corporation Ltd.

Detailed Threat Actor Profile: WOLF CYBER ARMY

Identity and Affiliation: WOLF CYBER ARMY is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.12 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for WOLF CYBER ARMY are not detailed, threat actors can be driven by various factors including financial gain, ideological beliefs (hacktivism), or state-sponsored objectives.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for WOLF CYBER ARMY are not detailed in the provided research. However, initial access, such as gaining webshell access, often involves exploiting public-facing applications, phishing, or leveraging compromised credentials.2

Impact and Broader Context:

Unauthorized access, such as webshell access, is a critical initial step for attackers, allowing them to maintain persistence, escalate privileges, and potentially exfiltrate data or deploy further malicious payloads. This incident highlights the importance of securing web applications and monitoring for unauthorized access attempts.

Relevant Resources:

Published URL: https://t.me/c/2678983526/581

Screenshots: https://d34iuop8pidsy8.cloudfront.net/fcecbd86-919f-4274-b75b-6bd211f5ca41.png

Incident 7: WOLF CYBER ARMY targets the website of mtsmaarif03.com

Summary of Breach and Affected Entities:

The group claims to have defaced the website of mtsmaarif03.com. Mirror Link: https://defacer.id/mirror/id/170069

Detailed Threat Actor Profile: WOLF CYBER ARMY

Identity and Affiliation: WOLF CYBER ARMY is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.12 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for WOLF CYBER ARMY are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for WOLF CYBER ARMY are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7

Impact and Broader Context:

Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.

Relevant Resources:

Published URL: https://t.me/c/2678983526/579

Screenshots: https://d34iuop8pidsy8.cloudfront.net/16545dde-299b-4cc7-8945-e9deb77172f9.jpg

Incident 8: Liwaa Muhammad targets the website of Tamam Company

Summary of Breach and Affected Entities:

The group claims to have defaced the website of Tamam Company.

Detailed Threat Actor Profile: Liwaa Muhammad

Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.15 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7

Impact and Broader Context:

Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.

Relevant Resources:

Published URL: https://t.me/liwaamohammad/477

Screenshots: https://d34iuop8pidsy8.cloudfront.net/f346a44b-5e5a-4514-b223-18bf8e3ee252.jpg

Incident 9: Alleged data breach of Advanced Call Center Technologies, LLC

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database of Advanced Call Center Technologies containing sensitive user information, including user IDs, phone numbers, email addresses, and timestamps of activity.

Detailed Threat Actor Profile: DigitalGhost

Identity and Affiliation: DigitalGhost is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.20 The research notes explicitly state that information about “Ghost (Cring) Ransomware” refers to a different group and not “DigitalGhost”.21 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for DigitalGhost are not detailed, data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for DigitalGhost are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

A data breach involving sensitive user information can lead to significant financial and reputational damage for the victim organization. Compromised data can be used for identity theft, phishing, and other fraudulent activities, impacting a large number of individuals.

Relevant Resources:

Published URL: https://darkforums.st/Thread-68K-ADVANCED-CALL-CANTER-TECHNOLOGIES-DATA

Screenshots: https://d34iuop8pidsy8.cloudfront.net/86ae01ed-8987-4067-9631-24fa423c30a1.png, https://d34iuop8pidsy8.cloudfront.net/512ce153-a65f-499e-ac38-2ea0130086be.png

Incident 10: Alleged data breach of Advanced Call Center Technologies, LLC

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database of Advanced Call Center Technologies containing sensitive user information, including user IDs, phone numbers, email addresses, and timestamps of activity.

Detailed Threat Actor Profile: DigitalGhost

Identity and Affiliation: DigitalGhost is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.20 The research notes explicitly state that information about “Ghost (Cring) Ransomware” refers to a different group and not “DigitalGhost”.21 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for DigitalGhost are not detailed, data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for DigitalGhost are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

A data breach involving sensitive user information can lead to significant financial and reputational damage for the victim organization. Compromised data can be used for identity theft, phishing, and other fraudulent activities, impacting a large number of individuals.

Relevant Resources:

Published URL: https://darkforums.st/Thread-68K-ADVANCED-CALL-CANTER-TECHNOLOGIES-DATA

Screenshots: https://d34iuop8pidsy8.cloudfront.net/86ae01ed-8987-4067-9631-24fa423c30a1.png, https://d34iuop8pidsy8.cloudfront.net/512ce153-a65f-499e-ac38-2ea0130086be.png

Incident 11: Alleged data breach of Go Bus

Summary of Breach and Affected Entities:

The threat actor claims to have leaked the database of GoBus Egypt, compromising data from 1.4 million customers. The exposed information includes names, email addresses, phone numbers, and password hashes.

Detailed Threat Actor Profile: stepbro

Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.22 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for stepbro are not detailed in the provided research.24 Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

A data breach of this scale, affecting 1.4 million customers and including sensitive information like password hashes, poses a severe risk of identity theft, account compromise, and further targeted attacks. This highlights the critical need for strong data security measures and robust password policies.

Relevant Resources:

Published URL: https://xss.is/threads/141331/

Screenshots: https://d34iuop8pidsy8.cloudfront.net/adeb0ffd-2a83-40be-bf59-949d09e84b2b.png, https://d34iuop8pidsy8.cloudfront.net/dd22c7c3-3760-4d2d-9b76-2cfc36bcc3ab.png

Incident 12: Alleged Data Leak of Taxi Company Egypt

Summary of Breach and Affected Entities:

The threat actor claims to have leaked data of 176,000 users from an Egyptian taxi company, exposing names, phone numbers, emails, and other personal details.

Detailed Threat Actor Profile: stepbro

Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.22 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for stepbro are not detailed in the provided research.24 Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The leak of personal details for 176,000 users can lead to various forms of abuse, including targeted phishing, spam, and potential identity theft. This underscores the importance of robust data protection for service providers handling customer information.

Relevant Resources:

Published URL: https://xss.is/threads/141330/

Screenshots: https://d34iuop8pidsy8.cloudfront.net/d7b105b8-ccd7-447e-b71e-88237a4f4162.jpg

Incident 13: Alleged data breach of Mazaya Egypt

Summary of Breach and Affected Entities:

The threat actor claims to have breached the data of Mazaya, a perfume store in Egypt. The compromised data reportedly consists of names, addresses, payment details, and other fields.

Detailed Threat Actor Profile: stepbro

Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.22 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for stepbro are not detailed in the provided research.24 Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The breach of customer data, including payment information, from a retail store highlights the risks associated with e-commerce platforms. Such incidents can lead to financial fraud and erode customer trust, emphasizing the need for strong payment card industry (PCI) compliance and data encryption.

Relevant Resources:

Published URL: https://xss.is/threads/141332/

Screenshots: https://d34iuop8pidsy8.cloudfront.net/67e9b363-20b4-48be-be2e-04910c0a4350.png

Incident 14: Liwaa Muhammad targets the website of Arkan Al Omran Factory

Summary of Breach and Affected Entities:

The group claims to have defaced the website of Arkan Al Omran Factory.

Detailed Threat Actor Profile: Liwaa Muhammad

Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.15 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7

Impact and Broader Context:

Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.

Relevant Resources:

Published URL: https://t.me/liwaamohammad/476

Screenshots: https://d34iuop8pidsy8.cloudfront.net/8b15ebea-0982-4764-8381-75ce8e42dc01.png

Incident 15: Liwaa Muhammad targets the website of Multi Technical Solutions Establishment

Summary of Breach and Affected Entities:

The group claims to have defaced the website of Multi Technical Solutions Establishment.

Detailed Threat Actor Profile: Liwaa Muhammad

Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.15 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7

Impact and Broader Context:

Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.

Relevant Resources:

Published URL: https://t.me/liwaamohammad/474

Screenshots: https://d34iuop8pidsy8.cloudfront.net/5c40a434-0a32-4409-ac00-7b29200967c3.jpg

Incident 16: Alleged data leak of Philippine fresh user records

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database containing over 500,000 fresh Philippine user records, including emails, phone numbers, usernames, and physical addresses.

Detailed Threat Actor Profile: NotFoundddd

Identity and Affiliation: NotFoundddd is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.27 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for NotFoundddd are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The leak of over 500,000 user records, including personally identifiable information (PII), poses a significant risk for the affected individuals, potentially leading to identity theft, targeted phishing, and other forms of fraud. This highlights the importance of robust data security practices for any entity handling large volumes of user data.

Relevant Resources:

Published URL: https://darkforums.st/Thread-Selling-over-500K-fresh-Philippine-fresh-user-records-for-sale

Screenshots: https://d34iuop8pidsy8.cloudfront.net/88b77c9e-5af1-4490-9b0f-e9062f63a702.png

Incident 17: Alleged data breach of SOM ENERGIA

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database of 120,000 records from Som Energia, a Spanish renewable energy cooperative. The leak includes personal and banking information such as names, contact details, national IDs, addresses, and IBANs.

Detailed Threat Actor Profile: Nosferatu

Identity and Affiliation: Nosferatu is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.29 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: The primary motivation for Nosferatu appears to be financial gain, as indicated by their involvement in campaigns to generate revenue from FakeAV (Fake Antivirus) redirects.29

Tactics, Techniques, and Procedures (TTPs):

Nosferatu has been observed leveraging compromised websites, particularly those tied to WebFusion, in SEO campaigns to redirect victims to FakeAV malware.29 This involves dropping SEO bot scripts (e.g., lndex.php) that generate spam pages and contact a C&C server to obtain redirection information.29
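An added defensive check, not part of this report or of the cited Zscaler write-up: a scan of a web root for filenames that imitate legitimate entry points the way "lndex.php" imitates "index.php". The list of legitimate names and the confusable-character map are assumptions, and the directory tree is constructed for the demo.

```python
"""Hunt for look-alike web entry-point filenames (e.g. "lndex.php" posing as
"index.php") planted in a web root. Added defensive example; the demo
directory tree is constructed, not taken from any real incident."""
import itertools
import os
import tempfile

# Entry points a web root legitimately contains (assumed list; extend per site).
LEGIT_NAMES = ("index.php", "index.html", "wp-login.php", "wp-config.php")

# Character swaps commonly used to make a dropped file blend in (assumed map).
CONFUSABLES = {
    "i": ("l", "1"),
    "l": ("i", "1"),
    "o": ("0",),
    "e": ("3",),
    "a": ("4",),
    "g": ("q", "9"),
}


def lookalike_names(name, max_swaps=1):
    """Return the set of names that differ from `name` by 1..max_swaps
    confusable-character substitutions in the stem (extension unchanged)."""
    stem, ext = os.path.splitext(name)
    positions = [i for i, ch in enumerate(stem) if ch in CONFUSABLES]
    variants = set()
    for k in range(1, max_swaps + 1):
        for combo in itertools.combinations(positions, k):
            choices = [CONFUSABLES[stem[i]] for i in combo]
            for repl in itertools.product(*choices):
                chars = list(stem)
                for i, r in zip(combo, repl):
                    chars[i] = r
                variants.add("".join(chars) + ext)
    variants.discard(name)  # the genuine name is never a hit
    return variants


def build_lookalike_index(legit_names=LEGIT_NAMES, max_swaps=1):
    """Map each look-alike filename to the legitimate name it imitates."""
    index = {}
    for legit in legit_names:
        for variant in lookalike_names(legit, max_swaps):
            index.setdefault(variant, legit)
    return index


def find_lookalike_files(root, legit_names=LEGIT_NAMES, max_swaps=1):
    """Walk `root` and return sorted (relative_path, imitated_name) pairs for
    every file whose name is a confusable variant of a legitimate entry point."""
    index = build_lookalike_index(legit_names, max_swaps)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            imitated = index.get(fname)
            if imitated is not None:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                hits.append((rel, imitated))
    return sorted(hits)


def build_demo_webroot():
    """Create a constructed web root with two planted look-alike files."""
    root = tempfile.mkdtemp(prefix="webroot_demo_")
    layout = ["index.php", "wp-login.php", "lndex.php",
              "blog/index.html", "blog/1ndex.php"]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // demo placeholder\n")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for rel, legit in find_lookalike_files(demo):
        print(f"suspicious: {rel} (looks like {legit})")
```

A hit only says the name is suspicious; confirm by comparing the file against the deployed release and checking its modification time against the last legitimate deploy.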

Impact and Broader Context:

The data breach of a renewable energy cooperative, involving personal and banking information, highlights the vulnerability of critical infrastructure-related organizations to financially motivated attacks. Such breaches can lead to direct financial fraud and broader trust issues within the energy sector. The use of SEO poisoning and FakeAV redirects by actors like Nosferatu demonstrates a common tactic to monetize compromised systems by tricking users into installing malicious software.

Relevant Resources:

Published URL: https://darkforums.st/Thread-Selling-Som-Energia-Database-SPAIN

Screenshots: https://d34iuop8pidsy8.cloudfront.net/f229d86e-1784-426c-8fa6-1d7fa2eeb0ca.png, https://d34iuop8pidsy8.cloudfront.net/d95f6642-57d6-4eff-8f53-ef581c6c76d9.png

Incident 18: Alleged leak of Vehicle Plates Database Chile

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database containing detailed vehicle registration records from Chile on a cybercrime forum. The dataset, dated July 5, 2025, reportedly includes over 55,000 records and continues to grow. It contains information such as license plates, vehicle specifications, owner names and identification numbers, inspection details, and traffic ticket counts.

Detailed Threat Actor Profile: DelitosPenales

Identity and Affiliation: DelitosPenales is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.7 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for DelitosPenales are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The leak of a national vehicle registration database is a significant privacy concern, potentially enabling various forms of fraud, surveillance, or targeted criminal activities. This highlights the critical importance of securing government and public sector databases that contain extensive personal and sensitive information.

Relevant Resources:

Published URL: https://darkforums.st/Thread-Plates-Chile-Database

Screenshots: https://d34iuop8pidsy8.cloudfront.net/b95fb742-6e19-4f11-b1c0-1e9255e86a96.png, https://d34iuop8pidsy8.cloudfront.net/64aec11a-d501-4855-bbf0-b4c6bec35c90.png

Incident 19: Alleged sale of CAIN Malware

Summary of Breach and Affected Entities:

A threat actor claims to be selling CAIN, a malicious tool described in the listing as an evil twin of the Ledger cryptocurrency wallet app. According to that description, the malware operates in five stealthy phases: silently replacing the legitimate app with a clone, harvesting mnemonic phrases via a fake recovery prompt, executing an immediate crypto theft, restoring the original app, and self-destructing to leave no trace.

Detailed Threat Actor Profile: BUBBAS GATE

Identity and Affiliation: BUBBAS GATE is identified as a threat actor, specifically a malware developer or seller. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.33 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: The sale of malware like CAIN is primarily driven by financial gain, enabling other cybercriminals to conduct cryptocurrency theft.

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for BUBBAS GATE are not detailed in the provided research. However, the description of CAIN malware indicates sophisticated techniques for stealth, impersonation, credential harvesting (mnemonic phrases), and self-destruction to evade detection.

Impact and Broader Context:

The development and sale of specialized malware like CAIN, targeting cryptocurrency wallets, represent a direct threat to digital asset holders. This highlights the evolving sophistication of financially motivated cybercrime and the need for users to exercise extreme caution with cryptocurrency applications and prompts.

Relevant Resources:

Published URL: https://xss.is/threads/141327/

Screenshots: https://d34iuop8pidsy8.cloudfront.net/2e2242fb-9993-4941-8083-37e5bb6b7fb7.png, https://d34iuop8pidsy8.cloudfront.net/2e2f8e0f-5dab-4522-aa68-08a6948345f3.png

Incident 20: Alleged data sale of documents from a Federal State Budgetary Institution of Higher Education

Summary of Breach and Affected Entities:

The threat actor claims to be selling classified documents from the Federal State Budgetary Institution of Higher Education. The leak includes sensitive agreements and licenses related to Gazprom, Gazpromneft, INK, geological and geophysical exploration, oil and gas suppliers, and tax and legal documents dated from 2012 to 2021.

Detailed Threat Actor Profile: deabec

Identity and Affiliation: deabec is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.35 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: The sale of classified documents is primarily driven by financial gain, as such information can be highly valuable on illicit markets.

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for deabec are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to institutional networks.7

Impact and Broader Context:

The alleged sale of classified documents from a higher education institution, especially those related to major energy companies and government entities, poses a significant risk of corporate espionage, intellectual property theft, and national security implications. This highlights the critical need for robust cybersecurity in academic and research institutions, particularly those with ties to sensitive industries.

Relevant Resources:

Published URL: https://darkforums.st/Thread-Selling-classified-documents-from-Federal-State-Budgetary-Institution-of-Higher-Education

Screenshots: https://d34iuop8pidsy8.cloudfront.net/9051adce-6c66-4a5e-a5c6-3228911882da.png, https://d34iuop8pidsy8.cloudfront.net/7a9cc4b5-142b-4e8d-a859-38ba008fbbd8.png

Incident 21: Alleged data breach of Fashion Group México and GOC Makeup

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database containing 135,535 records from Fashion Group México and GOC Makeup. The data includes full names, email addresses, phone numbers, CURP, RFC, dates of birth, addresses, credit limits, loyalty program data, bank account fields, and more.

Detailed Threat Actor Profile: Rui_Deidad

Identity and Affiliation: Rui_Deidad is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.36 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for Rui_Deidad are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The breach of 135,535 records containing extensive personal and financial information from retail and makeup companies poses a significant risk of identity theft, financial fraud, and targeted marketing scams for the affected individuals. This underscores the importance of robust data security for consumer-facing businesses.

Relevant Resources:

Published URL: https://darkforums.st/Thread-FASHION-GROUP-MEXICO-135-535-RECORDS-LEAK

Screenshots: https://d34iuop8pidsy8.cloudfront.net/dc0ff990-8f64-4d2d-be44-17f081a874f9.png

Incident 22: Alleged leak of data from a Seychelle main bank

Summary of Breach and Affected Entities:

The threat actor claims to have leaked a database containing client information from a major bank in Seychelles. The data allegedly includes names, dates of birth, phone numbers, addresses, and emails. While employee PINs and passwords are present, the actor states that they are encrypted with additional security layers and cannot currently be decrypted even though the actor possesses the AES key. The leak reportedly includes sensitive entries such as government balance accounts.

Detailed Threat Actor Profile: ByteToBreach

Identity and Affiliation: ByteToBreach is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.37 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: Data leaks from financial institutions are primarily driven by financial gain, as banking information is highly valuable on illicit markets.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for ByteToBreach are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

A data leak from a major bank, even with encrypted passwords, poses a severe risk to client privacy and financial security. The presence of sensitive entries like government balance accounts suggests potential broader implications beyond individual clients, highlighting the critical need for robust cybersecurity in the banking sector.

Relevant Resources:

Published URL: https://darkforums.st/Thread-SELL-Seychelle-main-bank-clients-leak

Screenshots: https://d34iuop8pidsy8.cloudfront.net/2b754fd3-b4b7-4427-bfc2-f610b32597cf.png

Incident 23: Alleged data sale from an unidentified financial services firm in Panama

Summary of Breach and Affected Entities:

The threat actor claims to be selling a database allegedly sourced from an unidentified Panamanian financial services organization, containing 60,000 entries. The data includes full names, national IDs (cedula), email addresses, monthly salaries, regions, genders, and document verification flags.

Detailed Threat Actor Profile: Lucczi

Identity and Affiliation: Lucczi is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.39 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7

Motivations: The sale of financial data is primarily driven by financial gain, as such information can be highly valuable for fraud and other illicit activities.7

Tactics, Techniques, and Procedures (TTPs):

Specific TTPs for Lucczi are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7

Impact and Broader Context:

The alleged sale of 60,000 financial records from a Panamanian firm, including sensitive details like national IDs and salaries, poses a significant risk of identity theft and financial fraud for the affected individuals. This underscores the importance of robust data protection in the financial services sector, particularly in regions that may be targeted for such data.

Relevant Resources:

Published URL: https://darkforums.st/Thread-%F0%9F%87%B5%F0%9F%87%A6-Panama-Fullz-Salary-Emails-%E2%80%94-60K-Fresh-Leads

Screenshots: https://d34iuop8pidsy8.cloudfront.net/b4239026-df01-401c-818c-5a75106f90fc.png

Conclusions

The analysis of recent cybersecurity incidents reveals several critical dynamics shaping the current threat landscape. The interconnectedness of geopolitical conflicts and cyber operations is undeniable, with state-sponsored entities and their proxies actively using the digital realm as an extension of real-world tensions. This means that geopolitical developments must be closely monitored as a key indicator for potential cyber threats, particularly for organizations operating in or having ties to conflict regions.

Furthermore, the varying nature of hacktivism demands a nuanced approach to threat assessment

Works cited

  1. Reflections of the Israel-Iran Conflict on the Cyber World …, accessed July 6, 2025, https://socradar.io/reflections-of-israel-iran-conflict-cyber-world/
  2. U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT …, accessed July 6, 2025, https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
  3. Using AI to identify cybercrime masterminds – Sophos News, accessed July 6, 2025, https://news.sophos.com/en-us/2025/06/30/using-ai-to-identify-cybercrime-masterminds/
  4. XMAX – Krebs on Security, accessed July 6, 2025, https://krebsonsecurity.com/tag/xmax/
  5. XIM4 for console? : r/Overwatch – Reddit, accessed July 6, 2025, https://www.reddit.com/r/Overwatch/comments/4xzdr9/xim4_for_console/
  6. accessed January 1, 1970, https://forum.exploit.in/topic/261980/?tab=comments#comment-1579683
  7. What is a Cyber Threat Actor? | CrowdStrike, accessed July 6, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
  8. Disrupting Handala: Did OP Innovate Help Silence a Major Cyber …, accessed July 6, 2025, https://op-c.net/blog/did-op-innovate-disrupt-handala-cyber-threat/
  9. Handala (Threat Actor) – Malpedia, accessed July 6, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/handala
  10. Brief Disruptions, Bold Claims: The Tactical Reality Behind the India …, accessed July 6, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
  11. Hacktivist Attacks on India Overstated Amid APT36 Espionage …, accessed July 6, 2025, https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/
  12. Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises – The Hacker News, accessed July 6, 2025, https://thehackernews.com/2025/06/rare-werewolf-apt-uses-legitimate.html
  13. Experts urge vigilance as lone wolf terror threats rise nationwide, citing recent attacks, accessed July 6, 2025, https://www.youtube.com/watch?v=ObeukBBWKEs
  14. Threat actor – Wikipedia, accessed July 6, 2025, https://en.wikipedia.org/wiki/Threat_actor
  15. FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com, accessed July 6, 2025, https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom
  16. FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft, accessed July 6, 2025, https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft
  17. accessed January 1, 1970, https://t.me/liwaamohammad/474
  18. accessed January 1, 1970, https://t.me/liwaamohammad/476
  19. accessed January 1, 1970, https://t.me/liwaamohammad/477
  20. Attack Surface Analysis of the Digital Twin and Advanced Sensor and Instrumentation Interfaces – INL Digital Library – Idaho National Laboratory, accessed July 6, 2025, https://inldigitallibrary.inl.gov/sites/sti/sti/Sort_74726.pdf
  21. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed July 6, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
  22. Chakra (2021 film) – Wikipedia, accessed July 6, 2025, https://en.wikipedia.org/wiki/Chakra_(2021_film)
  23. HAPPY FAMILIES – Macmillan.pl, accessed July 6, 2025, https://www.macmillan.pl/images/materials/1667556484_Gateway_to_the_World_B1_WB_U1-2.pdf
  24. accessed January 1, 1970, https://xss.is/threads/141332/
  25. accessed January 1, 1970, https://xss.is/threads/141330/
  26. accessed January 1, 1970, https://xss.is/threads/141331/
  27. Got hacked and they added an additional profile that I can’t delete and cant see it on my account center either. Any suggestions thats not deleting the account, unless theres no other way I will. : r/facebook – Reddit, accessed July 6, 2025, https://www.reddit.com/r/facebook/comments/1chtcl8/got_hacked_and_they_added_an_additional_profile/
  28. accessed January 1, 1970, https://darkforums.st/Thread-Selling-over-500K-fresh-Philippine-fresh-user-records-for-sale
  29. WebFusion “nosferatu” SEO/FakeAV Campaign – Zscaler, accessed July 6, 2025, https://www.zscaler.com/blogs/security-research/webfusion-nosferatu-seofakeav-campaign
  30. The Nosferatu : r/WhiteWolfRPG – Reddit, accessed July 6, 2025, https://www.reddit.com/r/WhiteWolfRPG/comments/nxfdzu/the_nosferatu/
  31. accessed January 1, 1970, https://darkforums.st/Thread-Selling-Som-Energia-Database-SPAIN
  32. accessed January 1, 1970, https://darkforums.st/Thread-Plates-Chile-Database
  33. Cloaked and Covert: Uncovering UNC3886 Espionage Operations | Google Cloud Blog, accessed July 6, 2025, https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
  34. accessed January 1, 1970, https://xss.is/threads/141327/
  35. accessed January 1, 1970, https://darkforums.st/Thread-Selling-classified-documents-from-Federal-State-Budgetary-Institution-of-Higher-Education
  36. accessed January 1, 1970, https://darkforums.st/Thread-FASHION-GROUP-MEXICO-135-535-RECORDS-LEAK
  37. Threat actor | Malwarebytes Glossary, accessed July 6, 2025, https://www.malwarebytes.com/glossary/threat-actor
  38. accessed January 1, 1970, https://darkforums.st/Thread-SELL-Seychelle-main-bank-clients-leak
  39. Minor in Computer Crime and Forensics – Loyola University Chicago, accessed July 6, 2025, https://www.luc.edu/forensicscience/minor.shtml
  40. accessed January 1, 1970, https://darkforums.st/Thread-%F0%9F%87%B5%F0%9F%87%A6-Panama-Fullz-Salary-Emails-%E2%80%94-60K-Fresh-Leads