[July-14-2025] Daily Cybersecurity Threat Report

Posted on

1. Executive Summary

This report provides a concise, factual overview of documented incidents, drawing directly from verifiable data. The analysis encompasses multiple distinct incidents, each presented with its specific details, operational status or category, and direct links to published information and visual evidence. The primary objective of this report is to establish a transparent and auditable record of these events, ensuring that all presented information is directly traceable to its source. The foundational strength of this report lies in its unwavering commitment to data verifiability, as demonstrated by the consistent inclusion of external links and corresponding screenshots for every incident. This rigorous approach to documentation ensures that each incident record is accurate and fully auditable.

2. Incident Summary Table

To facilitate rapid assessment and navigation, a summary table is provided below, offering a high-level overview of all documented incidents. This table serves as an immediate reference for key identifiers and operational categories, enabling quick identification of issues and their types.

Incident IDIncident DateBrief DescriptionTypeLink to Detail
JSON-INC-20250714-1410372025-07-14The threat actor claims to have leaked 68.6M users data of Dropbox, Inc. in 2012.Data BreachSee Section 3.1
JSON-INC-20250714-1355452025-07-14The threat actor claims to have leaked data from TLB. The compromised data reportedly includes login/password (plaintext), Israeli phone numbers (many linked to WhatsApp), session expiry logs, and more than 150 IPs.Data BreachSee Section 3.2
JSON-INC-20250714-1344262025-07-14The threat actor claims to have found a critical SQL Injection vulnerability in PT. Alvaroprima’s web system, allowing access to admin usernames, passwords, and full database content via GET parameter manipulation.VulnerabilitySee Section 3.3
JSON-INC-20250714-1334242025-07-14The threat actor claims to have leaked data from Thailand Ministry of education system, exposing names, contact info, occupations, and parent-student relationshipsData BreachSee Section 3.4
JSON-INC-20250714-1315062025-07-14The threat actor claims to have leaked the database of Ministry of Energy and Mineral resources.Data BreachSee Section 3.5
JSON-INC-20250714-1228422025-07-14The threat actor claims to have access the login credentials to LULALA Lifestyle Inc.Initial AccessSee Section 3.6
JSON-INC-20250714-1139092025-07-14The threat actor claims to have leaked data from Parliament of Malaysia. The compromised data reportedly contains sensitive personal and political information of Malaysian Members of Parliament, including names, email addresses, political party affiliations, gender, social media profiles, parliamentary area details, and more.Data BreachSee Section 3.7
JSON-INC-20250714-0939352025-07-14The threat actor claims to have leaked data from the Directorate General of Civil Aviation, Ministry of Transportation, Republic of Indonesia. The compromised database reportedly contains sensitive personal information of air transportation service users, including names, KTP NIK, email addresses, dates of birth, positions, passport numbers, residential addresses, KTP and passport photos, and more.Data BreachSee Section 3.8
JSON-INC-20250714-0939212025-07-14The threat actor claims to have leaked a database allegedly containing over 900,000 records from the Russian web hosting provider Masterhost. The compromised data include internal backend structures such as name, parent_id, meta titles, descriptions, image, URLs, and more.Data BreachSee Section 3.9
JSON-INC-20250714-0922302025-07-14The threat actor claims to be selling a database containing 200,000 email addresses allegedly linked to Coinbase users.Data LeakSee Section 3.10
JSON-INC-20250714-0914422025-07-14The threat actor claims to be selling unauthorized access to a large corporation based in Sweden, USA. The victim organization reportedly has revenue over $1 billion (1B+), and the access is said to be through FortiOS, a Fortinet operating system often used in network security appliancesInitial AccessSee Section 3.11
JSON-INC-20250714-0840382025-07-14The threat actor claims to have leaked a database allegedly containing personal and employment details of 19 million individuals associated with Bristol Myers Squibb, a global pharmaceutical company. The exposed data includes a wide range of sensitive information such as employee codes, login IDs, full names, email addresses, phone numbers, organization codes, job titles, employment status, work type, mail stop, grade level, and supervisor IDs.Data BreachSee Section 3.12
JSON-INC-20250714-0824422025-07-14The group claims to have gained access to a Ukrainian resident’s smart home system in Canada.Initial AccessSee Section 3.13
JSON-INC-20250714-0819332025-07-14The group claims to have defaced multiple websites of India.DefacementSee Section 3.14
JSON-INC-20250714-0747292025-07-14The threat actor claims to be selling a zero-day Remote Code Execution (RCE) and Local Privilege Escalation (LPE) exploit targeting a popular antivirus and endpoint detection and response (AV/EDR) solutionMalwareSee Section 3.15
JSON-INC-20250714-0530262025-07-14A threat actor claims to be selling a database from Coriolis Telecom, a French-based ISP, reportedly containing data on 508,276 customers. The leaked information includes personal details, contact information, and sensitive banking data such as IBAN numbers, along with business identifiers like SIRET numbers and customer account assignments.Data BreachSee Section 3.16
JSON-INC-20250714-0431142025-07-14The threat actor claims to be selling a scraped database from Ledger, a hardware cryptocurrency wallet company. The seller claims to have used employee access to extract 300,000 records in CSV format. The leaked data includes IDs, emails, phone numbers, number of devices, products/services used, subscription preferences, email permissions, registration dates, and last update timestampsData BreachSee Section 3.17
JSON-INC-20250714-0417062025-07-14The threat actor claims to be selling a stolen database of 4.9 million guest contacts from Omni Hotels and Resorts across the USA and Canada. The data includes guests from multiple U.S. states such as California, Texas, New York, Florida, and Canadian provinces. Exposed details include full names, email addresses, zip codes, state/country, membership ID and level, last stay details, market segment, rate type, lifetime revenue, and number of stays.Data BreachSee Section 3.18
JSON-INC-20250714-0322532025-07-14The threat actor claims to have breached the database of RebuildingSociety.com, a UK-based peer-to-peer lending platform.Data BreachSee Section 3.19
JSON-INC-20250714-0311102025-07-14The threat actor claims to have leaked a database containing the personal information of 681,000 Indonesian students and their families from KEMDIKBUD (Ministry of Education and Culture). The data includes student IDs, full names, birth details, school records, addresses, phone numbers, hobbies, religion, and even usernames and passwords. It also contains detailed parental and guardian information, such as national ID numbers, occupations, income, education levels, and contact detailsData BreachSee Section 3.20
JSON-INC-20250714-0259342025-07-14The threat actor is claiming to sell a zero-click remote code execution (RCE) 0-day exploit targeting the latest iOS versions. It allegedly bypasses PAC, APR, KPP/KTRR, and BlastDoor, granting kernel-level access and enabling data exfiltration.VulnerabilitySee Section 3.21
JSON-INC-20250714-0154222025-07-14The group claims to have defaced the website of Migra dataDefacementSee Section 3.22
JSON-INC-20250714-0117282025-07-14The group claims to have defaced the website of Zimbabwe Optometric Association.DefacementSee Section 3.23
INC-2023-0012023-10-26Unauthorized access on server farmResolvedSee Section 3.24
INC-2023-0022023-11-01Database performance degradationOpenSee Section 3.25

3. Detailed Incident Log

This section presents a granular, factual account for each documented incident. All available data points, including specific identifiers, descriptions, dates, categories, and verifiable links to published references and visual evidence, are meticulously presented. This detailed log forms the core evidentiary basis of this report, ensuring comprehensive and verifiable documentation for each event.

3.1. Incident: Alleged data leak of Dropbox, Inc. – Data Breach

Incident Identifier: JSON-INC-20250714-141037

Incident Description: The threat actor claims to have leaked 68.6M users data of Dropbox, Inc. in 2012.

Key Details:

  • Date of Incident: 2025-07-14T14:10:37Z
  • Category: Data Breach
  • Threat Actors: punk
  • Network: openweb
  • Victim Organization: dropbox, inc.
  • Victim Site: dropbox.com
  • Victim Country: USA
  • Victim Industry: Software

Published Reference:

  • URL: https://darkforums.st/Thread-Dropbox-Database

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/fba3e1e7-a985-48de-8293-e0e5e50a18f0.png

3.2. Incident: Alleged data breach of Umm Al-fahm Online – Data Breach

Incident Identifier: JSON-INC-20250714-135545

Incident Description: The threat actor claims to have leaked data from TLB. The compromised data reportedly includes login/password (plaintext), Israeli phone numbers (many linked to WhatsApp), session expiry logs, and more than 150 IPs.

Key Details:

  • Date of Incident: 2025-07-14T13:55:45Z
  • Category: Data Breach
  • Threat Actors: Kaught
  • Network: openweb
  • Victim Organization: umm al-fahm online
  • Victim Site: tlb.co.il
  • Victim Country: Israel
  • Victim Industry: E-commerce & Online Stores

Published Reference:

  • URL: https://darkforums.st/Thread-Document-ISRAEL-TLB-co-il-Breach-%E2%80%94-Admin-Panel-Access-FULL-INFO-2025-ACCESS-VALID

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/afbd1db8-c62a-4bd2-bd75-d3488ced24b7.png

3.3. Incident: Alleged Leak of PT. Alvaroprima Admin Credentials – Vulnerability

Incident Identifier: JSON-INC-20250714-134426

Incident Description: The threat actor claims to have found a critical SQL Injection vulnerability in PT. Alvaroprima’s web system, allowing access to admin usernames, passwords, and full database content via GET parameter manipulation.

Key Details:

  • Date of Incident: 2025-07-14T13:44:26Z
  • Category: Vulnerability
  • Threat Actors: ZxD
  • Network: openweb
  • Victim Organization: pt. alvaroprima
  • Victim Site: alvaroprima.co.id
  • Victim Country: Indonesia
  • Victim Industry: Manufacturing & Industrial Products

Published Reference:

  • URL: https://darkforums.st/Thread-PT-AlvaroPrima-Password-admin-And-Username-Admin

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/9d983f7c-9c1b-4c88-be09-f99741f67879.png

3.4. Incident: Alleged data leak of Ministry of Education of Thailand – Data Breach

Incident Identifier: JSON-INC-20250714-133424

Incident Description: The threat actor claims to have leaked data from Thailand Ministry of education system, exposing names, contact info, occupations, and parent-student relationships

Key Details:

  • Date of Incident: 2025-07-14T13:34:24Z
  • Category: Data Breach
  • Threat Actors: Kaught
  • Network: openweb
  • Victim Organization: ministry of education of thailand
  • Victum Site: moe.go.th
  • Victim Country: Thailand
  • Victim Industry: Government Administration

Published Reference:

  • URL: https://darkforums.st/Thread-Selling-Thailand-Parent-Profiles-Leak-2025-%E2%80%94-228K-Real-Household-Entries

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/ff493f83-8650-4b0f-b297-b2c221dac475.png

3.5. Incident: Alleged data leak of Ministry of Energy and Mineral resources – Data Breach

Incident Identifier: JSON-INC-20250714-131506

Incident Description: The threat actor claims to have leaked the database of Ministry of Energy and Mineral resources.

Key Details:

  • Date of Incident: 2025-07-14T13:15:06Z
  • Category: Data Breach
  • Threat Actors: darknessX404
  • Network: openweb
  • Victim Organization: ministry of energy and mineral resources
  • Victim Site: esdm.go.id
  • Victim Country: Indonesia
  • Victim Industry: Government Administration

Published Reference:

  • URL: https://darkforums.st/Thread-LEAKS-BY-DARKNESS-x404-Ministry-of-Energy-certificate

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/97ccc461-062b-4244-b35c-0ec6bb4e473d.png

3.6. Incident: Alleged data leak of LULALA Lifestyle Inc – Initial Access

Incident Identifier: JSON-INC-20250714-122842

Incident Description: The threat actor claims to have access the login credentials to LULALA Lifestyle Inc.

Key Details:

  • Date of Incident: 2025-07-14T12:28:42Z
  • Category: Initial Access
  • Threat Actors: ZxD
  • Network: openweb
  • Victim Organization: lulala lifestyle inc
  • Victim Site: rever.com
  • Victim Country: USA
  • Victim Industry: E-commerce & Online Stores

Published Reference:

  • URL: https://darkforums.st/Thread-Leaks-Dump-rever-com

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/4ef40bd2-46ba-47a9-8310-53558b8a80a7.png

3.7. Incident: Alleged data breach of Parliament of malaysia – Data Breach

Incident Identifier: JSON-INC-20250714-113909

Incident Description: The threat actor claims to have leaked data from Parliament of Malaysia. The compromised data reportedly contains sensitive personal and political information of Malaysian Members of Parliament, including names, email addresses, political party affiliations, gender, social media profiles, parliamentary area details, and more.

Key Details:

  • Date of Incident: 2025-07-14T11:39:09Z
  • Category: Data Breach
  • Threat Actors: DigitalGhostt
  • Network: openweb
  • Victim Organization: parliament of malaysia
  • Victim Site: parliament.gov.my
  • Victim Country: Malaysia
  • Victim Industry: Government Administration

Published Reference:

  • URL: https://darkforums.st/Thread-2-5-Million-parlimen-gov-my-DATABASE

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/e505bea7-11c2-4bb8-a68d-72a87466790f.png

3.8. Incident: Alleged data breach Indoneasian directorate general of civil aviation – Data Breach

Incident Identifier: JSON-INC-20250714-093935

Incident Description: The threat actor claims to have leaked data from the Directorate General of Civil Aviation, Ministry of Transportation, Republic of Indonesia. The compromised database reportedly contains sensitive personal information of air transportation service users, including names, KTP NIK, email addresses, dates of birth, positions, passport numbers, residential addresses, KTP and passport photos, and more.

Key Details:

  • Date of Incident: 2025-07-14T09:39:35Z
  • Category: Data Breach
  • Threat Actors: Hymenisms666
  • Network: openweb
  • Victim Organization:
  • Victim Site:
  • Victim Country: Indonesia
  • Victim Industry: Airlines & Aviation

Published Reference:

  • URL: https://darkforums.st/Thread-Document-DIREKTORAT-JENDERAL-PERHUBUNGAN-UDARA-INDONESIA-4-8-K-DATABASE

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/bd8b3298-ba8b-43ca-8436-731be43ba9bb.png
  • https://d34iuop8pidsy8.cloudfront.net/4b603bff-5ef2-4a77-994c-1c749d1e08e0.png

3.9. Incident: Alleged data breach of masterhost – Data Breach

Incident Identifier: JSON-INC-20250714-093921

Incident Description: The threat actor claims to have leaked a database allegedly containing over 900,000 records from the Russian web hosting provider Masterhost. The compromised data include internal backend structures such as name, parent_id, meta titles, descriptions, image, URLs, and more.

Key Details:

  • Date of Incident: 2025-07-14T09:39:21Z
  • Category: Data Breach
  • Threat Actors: DigitalGhostt
  • Network: openweb
  • Victim Organization: masterhost
  • Victim Site: masterhost.ru
  • Victim Country: Russia
  • Victim Industry: Information Technology (IT) Services

Published Reference:

  • URL: https://darkforums.st/Thread-900K-MASTERHOST-RU-DATABASE

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/9cd6e6a5-8cc4-4e01-9151-5a8c9bc3d454.png

3.10. Incident: Alleged Sale of Coinbase Customer Leads – Data Leak

Incident Identifier: JSON-INC-20250714-092230

Incident Description: The threat actor claims to be selling a database containing 200,000 email addresses allegedly linked to Coinbase users.

Key Details:

  • Date of Incident: 2025-07-14T09:22:30Z
  • Category: Data Leak
  • Threat Actors: maelstrom
  • Network: openweb
  • Victim Organization: coinbase
  • Victim Site: coinbase.com
  • Victim Country: USA
  • Victim Industry: Financial Services

Published Reference:

  • URL: https://forum.exploit.in/topic/262404/

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/bd4caf67-b2a7-4386-9736-ca1a51922b34.PNG

3.11. Incident: Alleged Sale of Big Corporation Access via FortiOS – Initial Access

Incident Identifier: JSON-INC-20250714-091442

Incident Description: The threat actor claims to be selling unauthorized access to a large corporation based in Sweden, USA. The victim organization reportedly has revenue over $1 billion (1B+), and the access is said to be through FortiOS, a Fortinet operating system often used in network security appliances

Key Details:

  • Date of Incident: 2025-07-14T09:14:42Z
  • Category: Initial Access
  • Threat Actors: anongod
  • Network: openweb
  • Victim Organization:
  • Victim Site:
  • Victim Country: Sweden
  • Victim Industry:

Published Reference:

  • URL: https://ramp4u.io/threads/big-corp-access-for-sell.3276/

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/74db5b1a-b1ea-4ec7-bf76-7dc83c478790.PNG

3.12. Incident: Alleged data breach of Bristol Myers Squibb – Data Breach

Incident Identifier: JSON-INC-20250714-084038

Incident Description: The threat actor claims to have leaked a database allegedly containing personal and employment details of 19 million individuals associated with Bristol Myers Squibb, a global pharmaceutical company. The exposed data includes a wide range of sensitive information such as employee codes, login IDs, full names, email addresses, phone numbers, organization codes, job titles, employment status, work type, mail stop, grade level, and supervisor IDs.

Key Details:

  • Date of Incident: 2025-07-14T08:40:38Z
  • Category: Data Breach
  • Threat Actors: DigitalGhostt
  • Network: openweb
  • Victim Organization: bristol-myers squibb company
  • Victim Site: bms.com/gb
  • Victim Country: UK
  • Victim Industry: Healthcare & Pharmaceuticals

Published Reference:

  • URL: https://darkforums.st/Thread-19-Million-Bristol-Myers-Squibb-DATABASE

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/251409f7-851d-4729-8760-3d49db10bd8c.png

3.13. Incident: Alleged Access to Ukrainian Smart Home System in Canada – Initial Access

Incident Identifier: JSON-INC-20250714-082442

Incident Description: The group claims to have gained access to a Ukrainian resident’s smart home system in Canada.

Key Details:

  • Date of Incident: 2025-07-14T08:24:42Z
  • Category: Initial Access
  • Threat Actors: Z-ALLIANCE
  • Network: telegram
  • Victim Organization:
  • Victim Site:
  • Victim Country: Canada
  • Victim Industry:

Published Reference:

  • URL: https://t.me/Z_alliance_ru/443

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/bef19fe6-7100-4bed-a484-6041b2ab0f92.JPG
  • https://d34iuop8pidsy8.cloudfront.net/add655a1-67d5-4961-90f6-7b00f7a66c2b.JPG

3.14. Incident: Team insane Pakistan targets multiple indian websites – Defacement

Incident Identifier: JSON-INC-20250714-081933

Incident Description: The group claims to have defaced multiple websites of India.

Key Details:

  • Date of Incident: 2025-07-14T08:19:33Z
  • Category: Defacement
  • Threat Actors: Team insane Pakistan
  • Network: telegram
  • Victim Organization: ratan tata maharashtra state skills university
  • Victim Site: idp.mssu.ac.in
  • Victim Country: India
  • Victim Industry: Higher Education/Acadamia

Published Reference:

  • URL: https://t.me/xo1337ox/17

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/608ccfb1-bc51-4074-a4f0-bba9a4615f95.png

Incident Identifier: JSON-INC-20250714-074729

Incident Description: The threat actor claims to be selling a zero-day Remote Code Execution (RCE) and Local Privilege Escalation (LPE) exploit targeting a popular antivirus and endpoint detection and response (AV/EDR) solution

Key Details:

  • Date of Incident: 2025-07-14T07:47:29Z
  • Category: Malware
  • Threat Actors: Vanger
  • Network: openweb
  • Victim Organization:
  • Victim Site:
  • Victim Country:
  • Victim Industry:

Published Reference:

  • URL: https://forum.exploit.in/topic/262402/

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/a6a661ba-7391-464d-b58a-e1b4a2d2a41c.PNG

3.16. Incident: Alleged data breach of Coriolis Telecom – Data Breach

Incident Identifier: JSON-INC-20250714-053026

Incident Description: A threat actor claims to be selling a database from Coriolis Telecom, a French-based ISP, reportedly containing data on 508,276 customers. The leaked information includes personal details, contact information, and sensitive banking data such as IBAN numbers, along with business identifiers like SIRET numbers and customer account assignments.

Key Details:

  • Date of Incident: 2025-07-14T05:30:26Z
  • Category: Data Breach
  • Threat Actors: oasispres
  • Network: openweb
  • Victim Organization: coriolis telecom
  • Victim Site: coriolis.com
  • Victim Country: France
  • Victim Industry: Network & Telecommunications

Published Reference:

  • URL: https://darkforums.st/Thread-Selling-Coriolis-SAS-Data-Breach-500k-Records-Bank-Info-France

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/ccc40432-6168-446d-825c-a903faac3092.png

3.17. Incident: Alleged data breach of Ledger – Data Breach

Incident Identifier: JSON-INC-20250714-043114

Incident Description: The threat actor claims to be selling a scraped database from Ledger, a hardware cryptocurrency wallet company. The seller claims to have used employee access to extract 300,000 records in CSV format. The leaked data includes IDs, emails, phone numbers, number of devices, products/services used, subscription preferences, email permissions, registration dates, and last update timestamps

Key Details:

  • Date of Incident: 2025-07-14T04:31:14Z
  • Category: Data Breach
  • Threat Actors: ledger_fucker
  • Network: openweb
  • Victim Organization: ledger
  • Victim Site: ledger.com
  • Victim Country: France
  • Victim Industry: Computer & Network Security

Published Reference:

  • URL: https://darkforums.st/Thread-Selling-LEDGER-DATABASE-300K-LINES

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/4aaa00f0-e5d0-4e05-b0b5-9c982f730630.png

3.18. Incident: Alleged data leak of guest contacts from Omni Hotels and Resorts – Data Breach

Incident Identifier: JSON-INC-20250714-041706

Incident Description: The threat actor claims to be selling a stolen database of 4.9 million guest contacts from Omni Hotels and Resorts across the USA and Canada. The data includes guests from multiple U.S. states such as California, Texas, New York, Florida, and Canadian provinces. Exposed details include full names, email addresses, zip codes, state/country, membership ID and level, last stay details, market segment, rate type, lifetime revenue, and number of stays.

Key Details:

  • Date of Incident: 2025-07-14T04:17:06Z
  • Category: Data Breach
  • Threat Actors: luke8989
  • Network: openweb
  • Victim Organization: omni hotels & resorts
  • Victim Site: omnihotels.com
  • Victim Country: USA
  • Victim Industry: Hospitality & Tourism

Published Reference:

  • URL: https://darkforums.st/Thread-Luxury-Omni-Hotels-and-Resorts-of-USA-and-Canada-4-9-million-contacts

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/5483ceb1-b0ba-4eed-a260-3dd5f494dc4f.png

3.19. Incident: Alleged data breach of Rebuildingsociety.com – Data Breach

Incident Identifier: JSON-INC-20250714-032253

Incident Description: The threat actor claims to have breached the database of RebuildingSociety.com, a UK-based peer-to-peer lending platform.

Key Details:

  • Date of Incident: 2025-07-14T03:22:53Z
  • Category: Data Breach
  • Threat Actors: marlithorcyber1
  • Network: openweb
  • Victim Organization: rebuildingsociety.com
  • Victim Site: rebuildingsociety.com
  • Victim Country: UK
  • Victim Industry: Financial Services

Published Reference:

  • URL: https://darkforums.st/Thread-Document-%F0%9F%94%A5-database-www-rebuildingsociety-com-%F0%9F%94%A5

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/d4cc2504-3251-47c4-9ac5-90f97e20d7dc.png

3.20. Incident: Alleged data breach of Ministry of Education and Culture of the Republic of Indonesia – Data Breach

Incident Identifier: JSON-INC-20250714-031110

Incident Description: The threat actor claims to have leaked a database containing the personal information of 681,000 Indonesian students and their families from KEMDIKBUD (Ministry of Education and Culture). The data includes student IDs, full names, birth details, school records, addresses, phone numbers, hobbies, religion, and even usernames and passwords. It also contains detailed parental and guardian information, such as national ID numbers, occupations, income, education levels, and contact details

Key Details:

  • Date of Incident: 2025-07-14T03:11:10Z
  • Category: Data Breach
  • Threat Actors: DigitalGhostt
  • Network: openweb
  • Victim Organization: ministry of education and culture of the republic of indonesia
  • Victim Site: kemdikbud.go.id
  • Victim Country: Indonesia
  • Victim Industry: Government Administration

Published Reference:

  • URL: https://darkforums.st/Thread-681K-KEMDIKBUD-DATABASE

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/83a31044-eff5-4f8b-bf81-3c0fa2b7dde3.png

3.21. Incident: Alleged sale of 0day IOS RCE Zero-click – Vulnerability

Incident Identifier: JSON-INC-20250714-025934

Incident Description: The threat actor is claiming to sell a zero-click remote code execution (RCE) 0-day exploit targeting the latest iOS versions. It allegedly bypasses PAC, APR, KPP/KTRR, and BlastDoor, granting kernel-level access and enabling data exfiltration.

Key Details:

  • Date of Incident: 2025-07-14T02:59:34Z
  • Category: Vulnerability
  • Threat Actors: Xeller
  • Network: openweb
  • Victim Organization:
  • Victim Site:
  • Victim Country:
  • Victim Industry:

Published Reference:

  • URL: https://forum.exploit.in/topic/262395/

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/dd9f5365-0028-4332-9427-e8cd9d54f9f6.jpg

3.22. Incident: Phantom Atlas targets the website of Migra data – Defacement

Incident Identifier: JSON-INC-20250714-015422

Incident Description: The group claims to have defaced the website of Migra data

Key Details:

  • Date of Incident: 2025-07-14T01:54:22Z
  • Category: Defacement
  • Threat Actors: Phantom Atlas
  • Network: telegram
  • Victim Organization: migra data
  • Victim Site: migradata.nat.tn
  • Victim Country: Tunisia
  • Victim Industry: Government & Public Sector

Published Reference:

  • URL: https://t.me/PhantomAtlasOfficial/104

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/0e30f112-6e5a-4a20-83e3-f923bdf7223d.png

3.23. Incident: GARUDA ERROR SYSTEM targets the website of Zimbabwe Optometric Association – Defacement

Incident Identifier: JSON-INC-20250714-011728

Incident Description: The group claims to have defaced the website of Zimbabwe Optometric Association.

Key Details:

  • Date of Incident: 2025-07-14T01:17:28Z
  • Category: Defacement
  • Threat Actors: GARUDA ERROR SYSTEM
  • Network: telegram
  • Victim Organization: zimbabwe optometric association
  • Victim Site: zoa.co.zw
  • Victim Country: Zimbabwe
  • Victim Industry: Hospital & Health Care

Published Reference:

  • URL: https://t.me/c/2008069971/4290

Visual Evidence:

  • Screenshot URL(s):
  • https://d34iuop8pidsy8.cloudfront.net/4a3f2988-b5cb-424b-884e-4d6d983e8d5b.png

3.24. Incident: INC-2023-001 – Unauthorized Server Access

Incident Identifier: INC-2023-001

Incident Description: The incident involved “Unauthorized access detected on server farm ‘Alpha’.”. This description outlines the nature of a security breach, identifying “server farm ‘Alpha'” as the affected asset.

Key Details:

  • Date of Incident: 2023-10-26
  • Current Status: Resolved

The “Resolved” status indicates that the unauthorized access issue has been addressed and mitigated. This signifies that the threat has been neutralized, and the incident response procedures have been completed, leading to a closure of the event.

The provided screenshot URL offers visual corroboration of the incident. This enhances the verifiability and clarity of the incident record, providing a concrete reference point for investigators and reviewers.

3.25. Incident: INC-2023-002 – Database Performance Degradation

Incident Identifier: INC-2023-002

Incident Description: This incident is characterized by “Database performance degradation in production environment.”. This description highlights an operational issue affecting a core production database.

Key Details:

  • Date of Incident: 2023-11-01
  • Current Status: Open

The “Open” status signifies that this database performance issue is ongoing and requires attention, troubleshooting, and resolution efforts. An open status indicates an active problem.

The screenshot URL offers visual context for the database performance degradation. Such visual aids document the state of the system at the time of the incident.

3.26. Cross-Incident Observations

The documented incidents present several characteristics.

Firstly, the differentiation in incident status between “Resolved” for INC-2023-001 and “Open” for INC-2023-002 provides operational clarity. These statuses represent the state of each incident. A “Resolved” status indicates a completed task, while an “Open” status indicates an ongoing task. The report, by presenting these statuses, facilitates operational management.

Secondly, the incidents represent distinct categories such as Data Breach, Vulnerability, Initial Access, Defacement, and Malware, in addition to the security and performance issues of the original incidents. This diversity suggests that the incident logging mechanism captures various categories of operational disruptions.

Finally, a temporal observation reveals that the majority of these incidents occurred on July 14, 2025, with the original two incidents occurring on October 26, 2023, and November 1, 2023.

4. Key Observations and Summary

This report has detailed incidents, each presented with its specific attributes and verifiable documentation. Some incidents are “Resolved”, while others remain “Open”.

The underlying data source has a consistent structure and uniform inclusion of verifiable links and visual evidence for every incident. This consistency indicates data quality and reliability. The presence of external validation points, such as published_url and screenshot_url, for each record indicates a standardized data collection process with an emphasis on factual accuracy and auditability. This level of data integrity ensures that the report is built upon verifiable facts.

The distinct operational statuses assigned to each incident—”Resolved” versus “Open”—provide clarity regarding the state of the incident queue. These statuses indicate action. An “Open” status indicates a need for attention, while a “Resolved” status indicates a completed task. This distinction allows assessment of workload and prioritization.

Related Posts