[April-09-2025] Daily Cybersecurity Threat Report

Executive Summary:

This report provides a consolidated overview of cybersecurity incidents reported within the specified 24-hour period, based exclusively on the structured data provided. The objective is to offer timely situational awareness regarding emerging threats, targeted sectors, and observed attack methodologies. During this reporting cycle, a total of 30 distinct incidents were analyzed.

Initial observations from the aggregated data show a high volume of Distributed Denial of Service (DDoS) attacks, particularly targeting organizations in Finland and Israel. Several data leak incidents were also reported, involving sensitive personal and corporate information across various countries including the USA, India, and Mexico. Ransomware, defacement, vulnerability exploits, phishing schemes, and initial access sales were also observed. Threat actors like NoName057(16), Dark Storm Team, Keymous+, and Red wolf ceyber were notably active in DDoS campaigns. The Incident Summary Table below offers a quick reference to all documented events. Further analysis within individual reports explores potential connections between attack vectors, target profiles, and observed impacts, aiming to provide a deeper understanding of the current threat landscape.

Incident Summary Table

Incident ID	Targeted Entity	Incident Type	Reported Date/Time	Assessed Impact (Summary)	Published Source Available?	Screenshots Available?
DBR-20250409-001	spotify ab	DDoS Attack	2025-04-09T09:33:53Z	Website downtime claimed	Yes	Yes
DBR-20250409-002	zipadia – b&bs and vacation homes in israel	Defacement	2025-04-09T09:15:24Z	Website defacement claimed	Yes	Yes
DBR-20250409-003	enersense international oyj	DDoS Attack	2025-04-09T08:38:20Z	Website downtime claimed	Yes	Yes
DBR-20250409-004	fingrid oyj	DDoS Attack	2025-04-09T08:32:22Z	Website downtime claimed	Yes	Yes
DBR-20250409-005	neova group companies	DDoS Attack	2025-04-09T08:27:10Z	Website downtime claimed	Yes	Yes
DBR-20250409-006	turku flying club	DDoS Attack	2025-04-09T08:25:02Z	Website downtime claimed	Yes	Yes
DBR-20250409-007	gasgrid finland oy	DDoS Attack	2025-04-09T08:18:54Z	Website downtime claimed	Yes	Yes
DBR-20250409-008	if insurance company	DDoS Attack	2025-04-09T08:13:58Z	Website downtime claimed	Yes	Yes
DBR-20250409-009	codento	DDoS Attack	2025-04-09T08:03:48Z	Website downtime claimed	Yes	Yes
DBR-20250409-010	145 GSM entities (Alleged)	Data Leak	2025-04-09T07:48:32Z	Alleged leak of GSM data	Yes	Yes
DBR-20250409-011	yozgat city hospital	Ransomware	2025-04-09T07:47:41Z	Data theft claimed	Yes	Yes
DBR-20250409-012	malian armed forces	DDoS Attack	2025-04-09T07:45:58Z	Website downtime claimed	Yes	Yes
DBR-20250409-013	city of lappeenranta	DDoS Attack	2025-04-09T07:38:03Z	Website downtime claimed	Yes	Yes
DBR-20250409-014	mossad	DDoS Attack	2025-04-09T07:34:44Z	Website downtime claimed	Yes	Yes
DBR-20250409-015	city of rovaniemi	DDoS Attack	2025-04-09T07:32:06Z	Website downtime claimed	Yes	Yes
DBR-20250409-016	visit israel	DDoS Attack	2025-04-09T07:29:27Z	Website downtime claimed	Yes	Yes
DBR-20250409-017	city of kuopio	DDoS Attack	2025-04-09T07:22:09Z	Website downtime claimed	Yes	Yes
DBR-20250409-018	ministry of defence of finland	DDoS Attack	2025-04-09T07:04:22Z	Website downtime claimed	Yes	Yes
DBR-20250409-019	India Car Owners (Alleged)	Data Leak	2025-04-09T06:32:39Z	Alleged sale of 60M records	Yes	Yes
DBR-20250409-020	daily sabah	DDoS Attack	2025-04-09T06:12:17Z	Website downtime claimed	Yes	Yes
DBR-20250409-021	USA data and leads (Alleged)	Data Leak	2025-04-09T05:55:46Z	Alleged sale of billions of records	Yes	Yes
DBR-20250409-022	N/A (Phishing Templates)	Phishing	2025-04-09T05:46:02Z	Sale of custom phishing templates	Yes	Yes
DBR-20250409-023	adamson ahdoot llp	Data Breach	2025-04-09T05:43:06Z	Alleged sale of 106GB legal/medical data	Yes	Yes
DBR-20250409-024	cbtis 122	Data Breach	2025-04-09T05:19:40Z	Alleged leak of student/teacher data	Yes	Yes
DBR-20250409-025	N/A (Apache Tomcat)	Vulnerability	2025-04-09T04:35:37Z	Sale of RCE exploit	Yes	Yes
DBR-20250409-026	Unidentified USA Org	Initial Access	2025-04-09T03:21:58Z	Sale of WP Admin/Shell access	Yes	Yes
DBR-20250409-027	gis.gov.bd	Data Breach	2025-04-09T03:17:40Z	Alleged data leak claimed	Yes	Yes
DBR-20250409-028	monster lead group	Data Leak	2025-04-09T03:12:58Z	Alleged sale of 31GB mortgage data	Yes	Yes
DBR-20250409-029	U.S. Vehicle Owners (Alleged)	Data Leak	2025-04-09T01:19:01Z	Alleged leak of 3M+ records	Yes	Yes
DBR-20250409-030	lifeline 16911	Data Leak	2025-04-09T00:02:47Z	Alleged source code leak	Yes	Yes

Detailed Incident Reports

Incident ID: DBR-20250409-001

Targeted Entity: Spotify AB
Targeted Site: open.spotify.com
Victim Industry: Media Production
Victim Country: Sweden
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T09:33:53Z
Incident Details:
The threat actor group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the website of Spotify (open.spotify.com). Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Spotify service via the targeted domain.
Threat Actor Information:
Dark Storm Team
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/197
Proof of downtime: https://check-host.net/check-report/24cd7e8ek423
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/123ec63c-5866-4048-ad3c-44bfc9a21e7b.png
Additional Data Points:
Network: telegram
Analyst Remarks:
This incident is part of a series of DDoS attacks claimed by Dark Storm Team during the reporting period.

Incident ID: DBR-20250409-002

Targeted Entity: Zipadia – B&Bs and vacation homes in Israel
Targeted Site: zipedia.co.il
Victim Industry: Hospitality & Tourism
Victim Country: Israel
Incident Type: Defacement
Date/Time Reported: 2025-04-09T09:15:24Z
Incident Details:
The threat actor group “The Anonymous 71” claimed to have defaced the website of Zipadia. A mirror link documenting the defacement was provided.
Assessed Impact:
Website content replaced with attacker’s message, potential reputational damage.
Threat Actor Information:
The Anonymous 71
Published Source Reference:
published_url: https://t.me/TAO_71BD/442
Mirror: https://ownzyou.com/zone/262673
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/f4faa6ed-2060-41f6-9b1c-32f967b7ccb4.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Website defacements are often used for political messaging or demonstrating capability.

Incident ID: DBR-20250409-003

Targeted Entity: Enersense International Oyj
Targeted Site: enersense.com
Victim Industry: Renewables & Environment
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:38:20Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the website of Enersense International Oyj. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Enersense website.
Threat Actor Information:
NoName057(16)
Published Source Reference:
published_url: https://t.me/c/2364621778/448
Proof of downtime: http://check-host.net/check-report/24ccc031kd52
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/da2fc891-39be-4353-808b-dc0d8b82c508.png
* https://d34iuop8pidsy8.cloudfront.net/6dfe6006-948f-4f9d-8eb0-82d9d9399f39.png
Additional Data Points:
Network: telegram
Analyst Remarks:
This is one of several attacks attributed to NoName057(16) targeting Finnish organizations in this period.

Incident ID: DBR-20250409-004

Targeted Entity: Fingrid Oyj
Targeted Site: fingrid.fi
Victim Industry: Energy & Utilities
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:32:22Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the website of Fingrid Oyj. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Fingrid website, a critical infrastructure entity (Transmission System Operator).
Threat Actor Information:
NoName057(16)
Published Source Reference:
published_url: https://t.me/c/2364621778/448
Proof of downtime: http://check-host.net/check-report/24ccbecbk5a5
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/02b7645b-7119-4a8e-9e67-14c49106e3cb.png
* https://d34iuop8pidsy8.cloudfront.net/13553f6e-312f-457f-b4f1-3a3749a0e654.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Targeting critical infrastructure like the national power grid operator is significant, even if only the public-facing website is affected.

Incident ID: DBR-20250409-005

Targeted Entity: Neova Group companies
Targeted Site: mediabank.neova-group.com
Victim Industry: Renewables & Environment
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:27:10Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the media bank website of Neova Group. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Neova Group media bank.
Threat Actor Information:
NoName057(16)
Published Source Reference:
published_url: https://t.me/c/2364621778/448
Proof of downtime: http://check-host.net/check-report/24ccbc81k5ca
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/63e23392-ac7d-4b54-a935-a55927a69f93.png
* https://d34iuop8pidsy8.cloudfront.net/cdba9ed1-5476-461c-a836-8661fc5fd9cf.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Continues the pattern of NoName057(16) targeting Finnish entities.

Incident ID: DBR-20250409-006

Targeted Entity: Turku Flying Club
Targeted Site: turunlentokerho.fi
Victim Industry: Information Technology (IT) Services (Note: Likely miscategorized, Aviation/Recreation more appropriate)
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:25:02Z
Incident Details:
The threat actor group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the website of Turku Flying Club. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Turku Flying Club website.
Threat Actor Information:
Dark Storm Team
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/195
Proof of downtime: https://check-host.net/check-report/24cd1af1k7ac
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/4d60ae36-a8e7-4b8a-ab88-0a1a0fcb9aa8.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Another Finnish target, this time by Dark Storm Team. The industry categorization seems inaccurate in the source data.

Incident ID: DBR-20250409-007

Targeted Entity: Gasgrid Finland Oy
Targeted Site: gasgrid.fi
Victim Industry: Oil & Gas
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:18:54Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the website of Gasgrid Finland Oy. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Gasgrid Finland website, another critical infrastructure entity (Gas Transmission System Operator).
Threat Actor Information:
NoName057(16)
Published Source Reference:
published_url: https://t.me/c/2364621778/448
Proof of downtime: http://check-host.net/check-report/24ccbb6akf43
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/75c7796e-d126-46e6-8a4b-e15ca0ae8891.png
* https://d34iuop8pidsy8.cloudfront.net/f478478d-1dcc-4975-866c-b8b92da441ea.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Further targeting of Finnish energy infrastructure by NoName057(16).

Incident ID: DBR-20250409-008

Targeted Entity: If Insurance Company
Targeted Site: login.if-insurance.com
Victim Industry: Insurance
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:13:58Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the login portal of If Insurance Company. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption for customers attempting to log in to their insurance accounts.
Threat Actor Information:
NoName057(16)
Published Source Reference:
published_url: https://t.me/c/2364621778/448
Proof of downtime: http://check-host.net/check-report/24ccba53k42d
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/a45ebad0-f04a-40c4-89ac-995e16521c7e.png
* https://d34iuop8pidsy8.cloudfront.net/3abdcf75-1328-42ad-92c5-9fc2a307c941.png
Additional Data Points:
Network: telegram
Analyst Remarks:
NoName057(16) continues its campaign against various sectors in Finland.

Incident ID: DBR-20250409-009

Targeted Entity: Codento
Targeted Site: codento.com
Victim Industry: Information Technology (IT) Services
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T08:03:48Z
Incident Details:
The threat actor group “NoName057(16)” claimed responsibility for a DDoS attack targeting the website of Codento. Proof of downtime was provided via a check-host link. (Note: The JSON attributes this to NoName057(16) but the published_url points to Dark Storm Team’s channel. This discrepancy is noted.)
Assessed Impact:
Potential disruption of access to the Codento website.
Threat Actor Information:
NoName057(16) (as per JSON field, conflicting with URL source)
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/193 (Note: This URL is from Dark Storm Team, conflicting with the listed threat actor)
Proof of downtime: https://check-host.net/check-report/24ccb8f5kc2c
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/037c1922-394a-479c-9b6d-70458121e6e7.png
* https://d34iuop8pidsy8.cloudfront.net/5c217d40-924b-4123-98fa-f44255d4051e.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Discrepancy between the attributed threat actor in the data and the source URL needs clarification. However, it continues the pattern of attacks on Finnish IT services.

Incident ID: DBR-20250409-010

Targeted Entity: Allegedly 145 GSM entities
Targeted Site: N/A
Victim Industry: Network & Telecommunications
Victim Country: Not specified
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T07:48:32Z
Incident Details:
A threat actor named “dnmxdd” claimed on a breach forum to have leaked data related to 145 GSM (Global System for Mobile Communications) entities.
Assessed Impact:
Potential exposure of sensitive telecommunications infrastructure data or customer information, depending on the nature of the “GSM entities” and the leaked data.
Threat Actor Information:
dnmxdd
Published Source Reference:
published_url: https://breachforums.st/Thread-GSM-LEAK
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/06c836b0-9478-4d11-a8f1-d7a295da54bf.png
Additional Data Points:
Network: openweb
Analyst Remarks:
The lack of specific entity names or data details makes assessing the true impact difficult without further investigation of the forum post.

Incident ID: DBR-20250409-011

Targeted Entity: Yozgat City Hospital
Targeted Site: yozgatsehir.saglik.gov.tr
Victim Industry: Hospital & Health Care
Victim Country: Turkey
Incident Type: Ransomware
Date/Time Reported: 2025-04-09T07:47:41Z
Incident Details:
The ransomware group “BERT” claimed to have attacked Yozgat City Hospital and obtained the organization’s data. The claim was posted on their Tor leak site.
Assessed Impact:
Potential encryption of hospital systems, disruption of services, and exposure of sensitive patient health information (PHI).
Threat Actor Information:
BERT
Published Source Reference:
published_url: http://bertblogsoqmm4ow7nqyh5ik7etsmefdbf25stauecytvwy7tkgizhad.onion/post/CCF89B4CDE0A489DB22B294925477C8A (Tor Link)
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/a257757f-d700-4dfc-9cf2-12dbfd5530ea.png
Additional Data Points:
Network: tor
Analyst Remarks:
Ransomware attacks on healthcare facilities are particularly critical due to the potential impact on patient care and the sensitivity of the data involved.

Incident ID: DBR-20250409-012

Targeted Entity: Malian Armed Forces
Targeted Site: fama.ml
Victim Industry: Military Industry
Victim Country: Mali
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:45:58Z
Incident Details:
The threat actor group “Keymous+” claimed responsibility for a DDoS attack targeting the website of the Malian Armed Forces. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Malian Armed Forces website.
Threat Actor Information:
Keymous+
Published Source Reference:
published_url: https://t.me/KeymousTeam/1254
Proof of downtime: https://check-host.net/check-report/24ccc93bk6d7
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/a5be3a4c-e1bc-47d3-a80e-16246f3b5a0d.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Keymous+ also targeted Israeli sites in this period, indicating activity across different geopolitical regions.

Incident ID: DBR-20250409-013

Targeted Entity: City of Lappeenranta
Targeted Site: lappeenranta.fi
Victim Industry: Government Administration
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:38:03Z
Incident Details:
The threat actor group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the website of the City of Lappeenranta. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the city’s website and online services.
Threat Actor Information:
Dark Storm Team
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/192
Proof of Downtime: https://check-host.net/check-report/24cca4fek2dc
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/09bc22bb-e9ca-455a-b5f0-74f33bf0d515.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Part of a series of attacks by Dark Storm Team targeting Finnish government entities.

Incident ID: DBR-20250409-014

Targeted Entity: Mossad
Targeted Site: mossad.gov.il
Victim Industry: Government Administration
Victim Country: Israel
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:34:44Z
Incident Details:
The threat actor group “Keymous+” claimed responsibility for a DDoS attack targeting the website of Mossad (Israeli intelligence agency). Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the public-facing Mossad website.
Threat Actor Information:
Keymous+
Published Source Reference:
published_url: https://t.me/KeymousTeam/1253
Proof of downtime: https://check-host.net/check-report/24c833f0kae
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/3bb3efc8-3a5b-4aa6-9aff-d804e2c84543.png
Additional Data Points:
Network: telegram
Analyst Remarks:
High-profile government target associated with intelligence services.

Incident ID: DBR-20250409-015

Targeted Entity: City of Rovaniemi
Targeted Site: rovaniemi.fi
Victim Industry: Government Administration
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:32:06Z
Incident Details:
The threat actor group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the website of the City of Rovaniemi. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the city’s website and online services.
Threat Actor Information:
Dark Storm Team
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/192
Proof of Downtime: https://check-host.net/check-report/24cc9817kd6
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/433b138d-d54f-4287-bcd0-4320645a8381.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Continues the Dark Storm Team campaign against Finnish municipalities.

Incident ID: DBR-20250409-016

Targeted Entity: Visit Israel
Targeted Site: israel.travel
Victim Industry: Government Administration
Victim Country: Israel
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:29:27Z
Incident Details:
The threat actor group “Keymous+” claimed responsibility for a DDoS attack targeting the official tourism website of Israel. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to Israel’s tourism information website.
Threat Actor Information:
Keymous+
Published Source Reference:
published_url: https://t.me/KeymousTeam/1253
Proof of downtime: https://check-host.net/check-report/24c8a085k69a
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/4eeb74c2-2b50-4106-a278-5ca78e25994b.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Another Israeli government-related site targeted by Keymous+.

Incident ID: DBR-20250409-017

Targeted Entity: City of Kuopio
Targeted Site: kuopio.fi
Victim Industry: Government Administration
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:22:09Z
Incident Details:
The threat actor group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the website of the City of Kuopio. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the city’s website and online services.
Threat Actor Information:
Dark Storm Team
Published Source Reference:
published_url: https://t.me/DarkStormTeam3/192
Proof of Downtime: https://check-host.net/check-report/24cc96f5k9e1
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/7acaaa3a-76e3-4aa0-a1df-010987503e41.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Third Finnish city targeted by Dark Storm Team in this report.

Incident ID: DBR-20250409-018

Targeted Entity: Ministry of Defence of Finland
Targeted Site: defmin.fi
Victim Industry: Government Administration
Victim Country: Finland
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T07:04:22Z
Incident Details:
The threat actor group “Red wolf ceyber” claimed responsibility for a DDoS attack targeting the website of the Ministry of Defence of Finland. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the Ministry of Defence website.
Threat Actor Information:
Red wolf ceyber
Published Source Reference:
published_url: https://t.me/c/2404982305/681
Proof of Downtime: https://check-host.net/check-report/24cc8adek46c
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/7fef713b-d006-4dd9-95de-defd008c225b.png
Additional Data Points:
Network: telegram
Analyst Remarks:
High-profile government target. This introduces another threat actor group targeting Finland.

Incident ID: DBR-20250409-019

Targeted Entity: Alleged India Car Owners Database
Targeted Site: N/A
Victim Industry: Not specified (Automotive/Finance related)
Victim Country: India
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T06:32:39Z
Incident Details:
A threat actor named “mr_jack311” claimed on a breach forum to be selling a database containing personal and financial details of 60 million Indian car owners. Data allegedly includes names, mobile numbers, addresses, vehicle models, loan details, interest rates, EMIs, and dealership information in CSV format. Sample data and images were provided as proof.
Assessed Impact:
Massive potential exposure of Personally Identifiable Information (PII) and financial data, leading to risks of identity theft, financial fraud, and targeted phishing for millions of individuals.
Threat Actor Information:
mr_jack311
Published Source Reference:
published_url: https://breachforums.st/Thread-DATABASE-India-Car-Owners
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/ba23fc33-7eca-4383-b0a2-a2a0191e771b.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Significant alleged data leak impacting a large number of individuals in India. The breadth of data points claimed makes this particularly concerning.

Incident ID: DBR-20250409-020

Targeted Entity: Daily Sabah
Targeted Site: dailysabah.com
Victim Industry: Newspapers & Journalism
Victim Country: Turkey
Incident Type: DDoS Attack
Date/Time Reported: 2025-04-09T06:12:17Z
Incident Details:
The threat actor group “Red wolf ceyber” claimed responsibility for a DDoS attack targeting the website of the Turkish newspaper Daily Sabah. Proof of downtime was provided via a check-host link.
Assessed Impact:
Potential disruption of access to the news website.
Threat Actor Information:
Red wolf ceyber
Published Source Reference:
published_url: https://t.me/c/2404982305/679
Proof of Downtime: https://check-host.net/check-report/24cc640akc57
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/88beb823-5cb2-42b8-989c-79d73db7be5d.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Red wolf ceyber also targeted the Finnish MoD, indicating activity against targets in both Finland and Turkey.

Incident ID: DBR-20250409-021

Targeted Entity: Alleged USA Data and Leads
Targeted Site: N/A
Victim Industry: Not specified (Data Broker/Various)
Victim Country: USA
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T05:55:46Z
Incident Details:
A threat actor named “Intel_Data” advertised the sale of extensive U.S. databases on the XSS forum. Claims include Social Security Numbers (3 billion records), driver’s licenses (75 million), consumer leads (380 million), debt records (34 million), and criminal records with mugshots (50 million). The seller claimed the data is private, never sold before, with datasets up to 2025.
Assessed Impact:
Potentially colossal exposure of highly sensitive PII for a vast number of US individuals, enabling widespread identity theft, fraud, and other malicious activities if the claims are accurate.
Threat Actor Information:
Intel_Data
Published Source Reference:
published_url: https://xss.is/threads/135880/
Supporting Evidence (Screenshots)::
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/fb7915f7-61d5-4a94-9aca-e5aeb2bdb9a8.png
Additional Data Points:
Network: openweb
Analyst Remarks:
The scale of the data claimed for sale is exceptionally large and covers extremely sensitive information types. Verification of such claims is crucial but often difficult.

Incident ID: DBR-20250409-022

Targeted Entity: N/A (Service Offering)
Targeted Site: N/A
Victim Industry: N/A
Victim Country: Not specified
Incident Type: Phishing
Date/Time Reported: 2025-04-09T05:46:02Z
Incident Details:
A threat actor named “Reboot Inc” advertised the sale of custom phishing letter HTML templates on the XSS forum. These templates were marketed for high-volume email campaigns, claiming freshness, high compatibility, and optimization to bypass spam filters.
Assessed Impact:
Facilitation of phishing campaigns by providing tools to other malicious actors, increasing the overall phishing threat landscape.
Threat Actor Information:
Reboot Inc
Published Source Reference:
published_url: https://xss.is/threads/135877/
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/678a468b-0e32-4455-9ea6-fa1759e6c664.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Represents the sale of tools and services within the cybercrime ecosystem, enabling less sophisticated actors to conduct attacks.

Incident ID: DBR-20250409-023

Targeted Entity: Adamson Ahdoot LLP
Targeted Site: aa.law
Victim Industry: Law Practice & Law Firms
Victim Country: USA
Incident Type: Data Breach
Date/Time Reported: 2025-04-09T05:43:06Z
Incident Details:
A threat actor named “sentap” claimed on a breach forum to have breached the Los Angeles law firm Adamson Ahdoot LLP and offered 106GB of data for sale. The data allegedly includes sensitive legal case files, client-attorney communications, HIPAA-protected medical records, and PII.
Assessed Impact:
Significant exposure of highly confidential legal and medical information, potentially violating attorney-client privilege and HIPAA regulations, leading to severe legal, financial, and reputational consequences for the firm and its clients.
Threat Actor Information:
sentap
Published Source Reference:
published_url: https://breachforums.st/Thread-SELLING-106-Gigabytes-of-High-Value-Legal-and-Medical-Data-from-aa-law
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/eff2dcf9-12e1-48c6-96e2-9a3fb1b8b560.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Breaches at law firms are particularly damaging due to the sensitivity and confidentiality of the data they handle. The actor “sentap” also claimed responsibility for the Monster Lead Group leak (DBR-20250409-028).

Incident ID: DBR-20250409-024

Targeted Entity: CBTis 122
Targeted Site: cbtis122.edu.mx
Victim Industry: Education
Victim Country: Mexico
Incident Type: Data Breach
Date/Time Reported: 2025-04-09T05:19:40Z
Incident Details:
A threat actor named “marssepe” claimed on a breach forum to have leaked a database from CBTis 122 (a technical high school in Mexico). The data allegedly contains information on students, teachers, and administrators. The post linked the breach to the Caborca Cartel and APAJ Hacker group, offering the data for download.
Assessed Impact:
Potential exposure of personal information belonging to students (minors), teachers, and staff, leading to privacy violations and potential misuse of data.
Threat Actor Information:
marssepe (linked to Caborca Cartel and APAJ Hacker group in the claim)
Published Source Reference:
published_url: https://breachforums.st/Thread-DATABASE-DB-ALUMNOS-PROFESORES-Y-ADMINISTRATIVOS-CBTis-122
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/2319e8e8-36c7-4432-870a-278192e33756.png
Additional Data Points:
Network: openweb
Analyst Remarks:
The alleged connection to organized crime groups adds a concerning dimension to this education sector breach.

Incident ID: DBR-20250409-025

Targeted Entity: N/A (Software Vulnerability)
Targeted Site: N/A
Victim Industry: N/A
Victim Country: Not specified
Incident Type: Vulnerability
Date/Time Reported: 2025-04-09T04:35:37Z
Incident Details:
A threat actor named “303security” advertised the sale of a Remote Code Execution (RCE) exploit for Apache Tomcat on the Exploit forum. The exploit allegedly targets both Linux and Windows systems.
Assessed Impact:
Availability of an RCE exploit for a widely used web server like Apache Tomcat could enable attackers to compromise numerous vulnerable systems if the exploit is functional and targets a relevant vulnerability.
Threat Actor Information:
303security
Published Source Reference:
published_url: https://forum.exploit.in/topic/257079/
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/c56256b5-5e80-426d-8d44-08e9a7438ae9.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Sale of exploits facilitates attacks by providing ready-made tools. Organizations using Apache Tomcat should ensure they are patched against known RCE vulnerabilities.

Incident ID: DBR-20250409-026

Targeted Entity: Unidentified organization in the USA
Targeted Site: N/A (WordPress site)
Victim Industry: Not specified
Victim Country: USA
Incident Type: Initial Access
Date/Time Reported: 2025-04-09T03:21:58Z
Incident Details:
A threat actor named “Reve” offered WordPress admin access and shell access for sale on the Exploit forum, targeting an unidentified organization in the USA.
Assessed Impact:
Sale of initial access allows other threat actors (e.g., ransomware groups) to bypass initial intrusion phases and directly proceed with deploying malware or exfiltrating data from the compromised organization.
Threat Actor Information:
Reve
Published Source Reference:
published_url: https://forum.exploit.in/topic/257078/
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/702ca5f7-afa3-4bdf-b708-74c09734efc3.png
Additional Data Points:
Network: openweb
Analyst Remarks:
The market for initial access brokers (IABs) is a key part of the cybercrime ecosystem, feeding victims to ransomware and data theft operations.

Incident ID: DBR-20250409-027

Targeted Entity: gis.gov.bd (Government site)
Targeted Site: gis.gov.bd
Victim Industry: Government Administration
Victim Country: Bangladesh
Incident Type: Data Breach
Date/Time Reported: 2025-04-09T03:17:40Z
Incident Details:
The threat actor group “Team 1945” claimed on Telegram to have leaked data from gis.gov.bd.
Assessed Impact:
Potential exposure of government data, possibly related to Geographic Information Systems (GIS), depending on the nature of the site and the leaked data.
Threat Actor Information:
Team 1945
Published Source Reference:
published_url: https://t.me/team_x1945x/697
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/9ee8db6c-8d72-4742-b3a5-610d9047d49e.png
* https://d34iuop8pidsy8.cloudfront.net/fa87c660-7c36-4f9e-9f2f-1844c98c868b.png
Additional Data Points:
Network: telegram
Analyst Remarks:
Attack targeting a government website in Bangladesh.

Incident ID: DBR-20250409-028

Targeted Entity: Monster Lead Group
Targeted Site: monsterleadgroup.com
Victim Industry: Marketing, Advertising & Sales
Victim Country: USA
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T03:12:58Z
Incident Details:
A threat actor named “sentap” claimed on a breach forum to be selling the database of Monster Lead Group, a mortgage loan lead generation platform. The alleged leak involves over 31GB of data, including homeowner PII (names, addresses, phone numbers), mortgage details (loan type, equity, payments), internal emails, marketing templates, and credit card information. The data, allegedly including information from companies like Axen Mortgage and The Federal Savings Bank, was offered for $2,500.
Assessed Impact:
Significant exposure of sensitive personal and financial data for homeowners, as well as potentially sensitive corporate data from Monster Lead Group and its partners. High risk of identity theft, targeted financial fraud, and potential compromise of linked financial institutions.
Threat Actor Information:
sentap
Published Source Reference:
published_url: https://breachforums.st/Thread-SELLING-Sale-of-Monster-Lead-Group-Database-%E2%80%93-Sensitive-Mortgage-Loan-Data
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/50c36096-26ef-48bf-b6aa-18110d48e0b0.png
Additional Data Points:
Network: openweb
Analyst Remarks:
This alleged breach contains a mix of highly sensitive PII and financial data related to mortgages. The actor “sentap” also claimed the Adamson Ahdoot LLP breach (DBR-20250409-023).

Incident ID: DBR-20250409-029

Targeted Entity: Alleged U.S. Vehicle Owners Database (2023)
Targeted Site: N/A
Victim Industry: Not specified (Automotive/Data Broker related)
Victim Country: USA
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T01:19:01Z
Incident Details:
A threat actor named “yatomuro” claimed on a breach forum to have breached a U.S. vehicle owners database containing over 3 million records, last updated in 2023. The data allegedly includes names, addresses, phone numbers, vehicle details (make, model, year, VIN), gender, and estimated income, covering all 50 states and totaling approximately 392 GB.
Assessed Impact:
Significant exposure of PII and vehicle ownership details for millions of US residents, facilitating identity theft, targeted scams (e.g., fake warranty calls), and potentially physical security risks (linking individuals to specific vehicles and addresses).
Threat Actor Information:
yatomuro
Published Source Reference:
published_url: https://breachforums.st/Thread-DATABASE-U-S-Vehicle-Owners-Database-2023
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/c8f11a90-f2ec-4ed8-9a81-94092a3d6b1c.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Another large-scale alleged data leak impacting US residents, specifically targeting vehicle owner information.

Incident ID: DBR-20250409-030

Targeted Entity: Lifeline 16911
Targeted Site: lifeline.com.ph
Victim Industry: Hospital & Health Care (Emergency Services)
Victim Country: Philippines
Incident Type: Data Leak
Date/Time Reported: 2025-04-09T00:02:47Z
Incident Details:
A threat actor named “Sythe” claimed on a breach forum to have leaked the source code of Lifeline 16911, an emergency services provider in the Philippines.
Assessed Impact:
Exposure of source code could reveal vulnerabilities in the emergency service’s systems, potentially allowing further exploitation, disruption of services, or compromise of related data.
Threat Actor Information:
Sythe
Published Source Reference:
published_url: https://breachforums.st/Thread-SELLING-Philippines-Emergency-Services-Lifeline-ph
Supporting Evidence (Screenshots):
screenshots:
* https://d34iuop8pidsy8.cloudfront.net/dbbb929e-bc61-442f-8d7e-b368f1f2d234.png
Additional Data Points:
Network: openweb
Analyst Remarks:
Leaking source code, especially for critical services like emergency response, poses significant security risks.

Concluding Remarks

Overall Summary: The incidents documented in this reporting period underscore the dynamic and persistent nature of cyber threats. Based on the analyzed data, the most prominent activities involved DDoS attacks (18 incidents) and Data Leaks/Breaches (10 incidents). Specific sectors, such as Government Administration (Finland, Israel, Bangladesh, Mali), Energy & Utilities (Finland), and IT Services (Finland), along with large datasets pertaining to individuals in the USA and India, appeared to be significantly affected during this period.
Key Themes & Emerging Trends: Several recurring themes emerged. Coordinated DDoS campaigns by groups like NoName057(16), Dark Storm Team, Keymous+, and Red wolf ceyber targeted specific countries, notably Finland and Israel, often hitting multiple organizations within a short timeframe. The sale and leakage of massive datasets containing sensitive PII (SSNs, driver’s licenses, financial info, vehicle ownership) on breach forums remain a major concern, particularly impacting US and Indian individuals. Breaches targeting specific industries like legal (Adamson Ahdoot LLP) and healthcare/emergency services (Yozgat City Hospital, Lifeline 16911) highlight the risk to highly sensitive data. The cybercrime ecosystem is evident with offerings like phishing templates, RCE exploits, and initial access for sale.

Potential Outlook: Given the observed activities, it is prudent to anticipate continued high levels of DDoS activity, potentially politically motivated or driven by hacktivist groups. The market for large-scale data leaks and initial access will likely persist, fueling further cybercrime like ransomware and identity theft. Organizations, particularly in government, energy, healthcare, and legal sectors, should remain vigilant regarding DDoS mitigation, data security, vulnerability management (especially for common platforms like Apache Tomcat and WordPress), and third-party risks (as seen in the Monster Lead Group case).

Related Posts

[April-08-2025] Daily Cybersecurity Threat Report

[April-23-2025] Daily Cybersecurity Threat Report

[April-25-2025] Daily Cybersecurity Threat Report