[April-11-2025] Daily Cybersecurity Threat Report – Part 1

1. Executive Summary

This report provides a detailed analysis of 31 distinct cybersecurity incidents reported on April 11, 2025, based on available intelligence feeds. The operational tempo during this period was notably high, characterized predominantly by Distributed Denial-of-Service (DDoS) attacks, which constituted 24 of the 31 documented events. Alongside this disruptive activity, several significant data compromise incidents, categorized as Data Leaks and Data Breaches, were observed. Additionally, singular instances of Ransomware deployment and the brokering of Initial Access credentials underscore the multifaceted nature of the contemporary threat landscape.

Key trends observed during this reporting period include the overwhelming prevalence of DDoS attacks, indicating sustained campaigns likely orchestrated by hacktivist collectives aiming for operational disruption and public visibility. Geopolitical factors appeared to be a primary motivator for a substantial portion of the activity; entities within Ukraine were targeted in 10 separate incidents, primarily DDoS attacks attributed to the groups “Dark Storm Team” and “NoName057(16)”. Similarly, Spanish organizations faced a concentrated wave of DDoS attacks (4 incidents) attributed to “Desinformador ruso”. These patterns strongly suggest motivations tied to the ongoing Russia-Ukraine conflict and potentially broader anti-NATO or anti-Western sentiments. Israeli entities were also subjected to multiple DDoS attacks (3 incidents).

Furthermore, the period witnessed several concerning data exposure events. Alleged data leaks and breaches potentially impacted large user bases in China (related to iPhone rentals and the Bddbid platform), Russia (affecting Healthy Smile dental clinic and Rusalut pyrotechnics company), Australia (TheLotter online platform), and Turkey (TolNet ISP). A separate incident involved the claimed leak of sensitive corporate credentials impacting organizations in the UAE and Brazil.

Multiple threat actors demonstrated operational capability. “Dark Storm Team” and “NoName057(16)” executed apparently coordinated DDoS volleys against Ukrainian targets. “Desinformador ruso” focused its disruptive efforts on Spanish governmental and strategic institutions. Other actors, including “Kaught”, “X0Frankenstein”, “marg”, “Ponce”, “fabiolages85”, “LYNX”, and “miya”, were implicated in data compromise events, ransomware operations, and the sale of network access. Analysis of communication channels reveals Telegram as the favored platform for announcing DDoS attacks (utilized by Dark Storm Team, NoName057(16), Vulture, Keymous+, Desinformador ruso, Websec, Arab Ghosts Hackers), while Open Web forums, particularly breachforums.st, served as the marketplace for advertising compromised data and network access. One ransomware incident was traced back to a Tor-based leak site.

Among the most significant events recorded were the alleged sale of root-level firewall access pertaining to a U.S. Department of Energy entity, a ransomware attack claimed by the LYNX group against Restaurant Associates in Jamaica, and multiple large-scale data compromise claims potentially affecting hundreds of thousands to millions of individuals (associated with Bddbid, TheLotter, Rusalut, and Healthy Smile).

2. Incident Summary Table

The following table provides an overview of the cybersecurity incidents reported on April 11, 2025, listed in reverse chronological order (most recent first).

Time (UTC) | Category | Threat Actor | Victim Organization | Victim Country
2025-04-11T13:21:01Z | DDoS Attack | Dark Storm Team | vinnytsia city council | Ukraine
2025-04-11T13:15:22Z | Data Leak | Kaught | (Unspecified – China iPhone Rentals) | China
2025-04-11T13:12:19Z | DDoS Attack | Dark Storm Team | zaporizhzhia city council | Ukraine
2025-04-11T13:05:33Z | DDoS Attack | Dark Storm Team | ministry of finance of ukraine | Ukraine
2025-04-11T12:58:52Z | DDoS Attack | Dark Storm Team | ministry of internal affairs of ukraine | Ukraine
2025-04-11T12:42:15Z | DDoS Attack | NoName057(16) | state space agency of ukraine (ssau) | Ukraine
2025-04-11T12:37:26Z | DDoS Attack | NoName057(16) | ukrjet | Ukraine
2025-04-11T12:32:28Z | DDoS Attack | NoName057(16) | athlon avia | Ukraine
2025-04-11T12:30:03Z | DDoS Attack | vulture | high medical | Israel
2025-04-11T12:27:19Z | DDoS Attack | NoName057(16) | chezara telemetria | Ukraine
2025-04-11T12:22:59Z | DDoS Attack | NoName057(16) | tochprilad | Ukraine
2025-04-11T12:09:31Z | DDoS Attack | vulture | tgspot | Israel
2025-04-11T12:05:22Z | DDoS Attack | Keymous+ | sotelma | Mali
2025-04-11T12:00:13Z | Data Breach | X0Frankenstein | healthy smile | Russia
2025-04-11T11:49:04Z | DDoS Attack | Desinformador ruso | spanish institute for strategic studies | Spain
2025-04-11T11:42:05Z | DDoS Attack | Desinformador ruso | incibe – national institute of cybersecurity | Spain
2025-04-11T11:37:02Z | DDoS Attack | Desinformador ruso | national cryptologic center – computer emergency response team | Spain
2025-04-11T11:26:31Z | DDoS Attack | Desinformador ruso | state agency official state gazette | Spain
2025-04-11T11:11:31Z | Data Leak | marg | (Unspecified – UAE & Brazilian Corps) | UAE
2025-04-11T11:10:24Z | DDoS Attack | Keymous+ | telecommunications company of mali | Mali
2025-04-11T10:50:10Z | Data Breach | X0Frankenstein | rusalut | Russia
2025-04-11T10:40:58Z | Data Breach | Ponce | thelotter | Australia
2025-04-11T10:29:41Z | Data Leak | fabiolages85 | tolnet | Turkey
2025-04-11T10:08:34Z | DDoS Attack | Websec | channel 10 | Israel
2025-04-11T09:57:30Z | DDoS Attack | Dark Storm Team | ministry of defence | UAE
2025-04-11T09:54:48Z | DDoS Attack | Dark Storm Team | ministry of interior (moi) | UAE
2025-04-11T09:32:42Z | Ransomware | LYNX | restaurant associates | Jamaica
2025-04-11T09:27:09Z | Data Breach | Ponce | bddbid | China
2025-04-11T09:23:09Z | DDoS Attack | Arab Ghosts Hackers | yad vashem holocaust museum | Israel
2025-04-11T08:28:47Z | Initial Access | miya | office of nuclear energy, u.s. department of energy | USA
2025-04-11T07:54:21Z | DDoS Attack | NoName057(16) | kookas media oy | Finland

3. Detailed Incident Analysis

The following sections provide detailed accounts of each incident reported on April 11, 2025, presented in reverse chronological order (most recent first).

3.1 Incident: Dark Storm Team DDoS Attack on Vinnytsia City Council

  • Date & Time (UTC): 2025-04-11T13:21:01Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
      • Organization: vinnytsia city council
      • Website/Target: vmr.gov.ua
      • Industry: Government & Public Sector
      • Country: Ukraine
  • Details: The threat actor group “Dark Storm Team” claimed responsibility for conducting a Distributed Denial-of-Service attack against the official website of the Vinnytsia City Council. Evidence supporting the claim of service disruption was provided via a link to a third-party website availability check: https://check-host.net/check-report/24de3d85k993.
  • Source Network: telegram
  • Source Publication: The claim was published on Telegram at the following URL: https://t.me/DarkStormTeam3/225
  • Associated Screenshots: Visual evidence accompanying the claim includes:
      • https://d34iuop8pidsy8.cloudfront.net/ba18f006-6b22-432a-9ba6-16a8e7001341.png
      • https://d34iuop8pidsy8.cloudfront.net/52aa1b36-44f4-4e74-8b10-951a5d5d1628.png
  • Analysis: This attack appears to be part of a broader, synchronized campaign orchestrated by Dark Storm Team. Multiple Ukrainian government entities were targeted by this group within a compressed timeframe on this date (see Incidents 3.3, 3.4, 3.5). The reuse of the identical Telegram publication URL (…/225) for announcing the attacks against Vinnytsia City Council, Zaporizhzhia City Council, the Ministry of Finance, and the Ministry of Internal Affairs strongly suggests these actions were part of a single, planned operational wave rather than isolated events. This points towards a degree of coordination and resource allocation by the group. Targeting government websites in Ukraine, particularly during periods of heightened geopolitical tension, is characteristic of hacktivist operations aimed at causing disruption, signaling capability, and potentially disseminating propaganda, aligning with observed patterns in the cyber dimensions of the Russia-Ukraine conflict.

3.2 Incident: Alleged Data Leak of China iPhone Rental Applications

  • Date & Time (UTC): 2025-04-11T13:15:22Z
  • Category: Data Leak
  • Threat Actor(s): Kaught
  • Victim:
      • Organization: (Unspecified – related to high-end iPhone rentals)
      • Website/Target: (Not specified)
      • Industry: (Not specified, likely Retail or Financial Services)
      • Country: China
  • Details: The threat actor identified as “Kaught” advertised a data leak allegedly originating from a service handling real-name rental applications for high-end iPhones within China. The actor claims the dataset contains over 3,500 records dated April 2025. The compromised information reportedly includes sensitive Personally Identifiable Information (PII) such as full names, mobile phone numbers, complete residential addresses, specific device models rented, quoted rental prices, and application submission dates.
  • Source Network: openweb
  • Source Publication: The leak was advertised on a known cybercrime forum: https://breachforums.st/Thread-COLLECTION-China-3-500-iPhone-Rental-Applications-%E2%80%93-Full-Name-Mobile-Address-Model-2025
  • Associated Screenshots: A screenshot related to the alleged leak was provided:
      • https://d34iuop8pidsy8.cloudfront.net/d303e52c-dd88-4843-847a-ec6e26166c90.png
  • Analysis: The nature of the data allegedly exposed (full name, mobile number, full address) represents a significant privacy violation and security risk for the affected individuals. This combination of PII is highly conducive to identity theft, targeted phishing campaigns (spear-phishing), and various forms of social engineering. The claimed volume of over 3,500 records affects a substantial number of people. Furthermore, the recency of the data (April 2025) enhances its potential value and usability for malicious actors. The publication of this leak on Breach Forums (breachforums.st), a platform recognized for facilitating the trade of illicitly obtained data, suggests the actor’s participation in the cybercriminal underground economy, likely aiming for financial gain or reputation enhancement within that community. The lack of a specified victim organization could indicate the actor is unaware of the precise source, is aggregating data, or is intentionally obscuring the origin.

3.3 Incident: Dark Storm Team DDoS Attack on Zaporizhzhia City Council

  • Date & Time (UTC): 2025-04-11T13:12:19Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
      • Organization: zaporizhzhia city council
      • Website/Target: zp.gov.ua
      • Industry: Government Administration
      • Country: Ukraine
  • Details: Dark Storm Team claimed another DDoS attack, this time targeting the website of the Zaporizhzhia City Council. A link was provided as purported proof of downtime: https://check-host.net/check-report/24de3b30ke37.
  • Source Network: telegram
  • Source Publication: This claim was also linked to the same Telegram post as the Vinnytsia attack: https://t.me/DarkStormTeam3/225
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/9f33cbd6-32d5-40d7-942d-f578bc4ba3d1.png
      • https://d34iuop8pidsy8.cloudfront.net/a1b7f6b2-a054-4a4d-bf87-781dd3a70340.png
  • Analysis: This incident further reinforces the assessment that Dark Storm Team was engaged in a coordinated DDoS campaign against Ukrainian government entities. The common elements – the same threat actor, similar target profile (regional government administration), close temporal proximity to other attacks, the same attack methodology (DDoS), and critically, the identical Telegram announcement URL (…/225) used for Incidents 3.1, 3.4, and 3.5 – collectively point to a planned operation. Zaporizhzhia, being a city located in a region significantly impacted by the ongoing conflict, represents a target of symbolic and potentially minor operational relevance. Disrupting its city council’s online presence, even temporarily, could serve the actor’s presumed hacktivist objectives.

3.4 Incident: Dark Storm Team DDoS Attack on Ministry of Finance of Ukraine

  • Date & Time (UTC): 2025-04-11T13:05:33Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
      • Organization: ministry of finance of ukraine
      • Website/Target: minfin.gov.ua
      • Industry: Government Administration
      • Country: Ukraine
  • Details: The campaign by Dark Storm Team continued, with a claimed DDoS attack targeting the website of the Ministry of Finance of Ukraine. Proof of downtime was offered via: https://check-host.net/check-report/24de2dc1k6a6.
  • Source Network: telegram
  • Source Publication: Again, linked to the same Telegram announcement: https://t.me/DarkStormTeam3/225
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/86bbab63-b6d8-4db3-9700-9daaa61da4cb.png
      • https://d34iuop8pidsy8.cloudfront.net/7ba8f1d8-3659-4acd-9886-5539c79a7bcb.png
  • Analysis: Targeting a national ministry, specifically the Ministry of Finance, represents an escalation compared to regional city councils, although still falling within the pattern of attacking Ukrainian government infrastructure. This action further solidifies the view of a coordinated campaign by Dark Storm Team, given the consistent use of the same announcement URL (…/225) and the timing relative to other attacks by the group. Disrupting access to the Ministry of Finance website aligns with hacktivist goals of causing interference and demonstrating capability against central government functions.

3.5 Incident: Dark Storm Team DDoS Attack on Ministry of Internal Affairs of Ukraine

  • Date & Time (UTC): 2025-04-11T12:58:52Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
      • Organization: ministry of internal affairs of ukraine
      • Website/Target: mvs.gov.ua
      • Industry: Government Administration
      • Country: Ukraine
  • Details: Dark Storm Team claimed another DDoS attack against a key Ukrainian ministry, this time the Ministry of Internal Affairs. The provided proof-of-downtime link was: https://check-host.net/check-report/24de2e64k7c2.
  • Source Network: telegram
  • Source Publication: This attack was also announced under the same Telegram post: https://t.me/DarkStormTeam3/225
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/9f1073f8-630d-4a27-81bd-d47aa63946d5.png
      • https://d34iuop8pidsy8.cloudfront.net/ab1e2d96-2c52-47a3-b918-447a5f0a8842.png
  • Analysis: This marks the fourth attack attributed to Dark Storm Team within approximately 30 minutes, all announced via the same Telegram message (…/225). Targeting the Ministry of Internal Affairs, responsible for law enforcement and public security, alongside the Ministry of Finance and regional councils, demonstrates a clear focus on disrupting various facets of Ukrainian government operations. This pattern strongly indicates a pre-planned, multi-target DDoS operation consistent with politically motivated hacktivism.

3.6 Incident: NoName057(16) DDoS Attack on State Space Agency of Ukraine (SSAU)

  • Date & Time (UTC): 2025-04-11T12:42:15Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
      • Organization: state space agency of ukraine (ssau)
      • Website/Target: nkau.gov.ua
      • Industry: Aviation & Aerospace
      • Country: Ukraine
  • Details: The threat actor group “NoName057(16)”, known for pro-Russian hacktivist activities, claimed a DDoS attack against the State Space Agency of Ukraine. Proof of downtime was provided: https://check-host.net/check-report/24de12ddk549.
  • Source Network: telegram
  • Source Publication: The claim appeared on a Telegram channel associated with the group: https://t.me/nnm05716rus/513
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/fd3ed58e-a81c-421b-8ba3-ddb96bf63838.png
  • Analysis: This incident marks the beginning of a series of attacks attributed to NoName057(16) targeting Ukrainian entities, primarily within the aerospace, defense, and manufacturing sectors. Similar to the Dark Storm Team activity, multiple attacks by NoName057(16) were announced under the same Telegram post URL (…/513), suggesting a coordinated wave (see Incidents 3.7, 3.8, 3.10, 3.11). Targeting the State Space Agency aligns with a potential objective of disrupting organizations perceived as contributing to Ukraine’s defense or technological capabilities.

3.7 Incident: NoName057(16) DDoS Attack on UkrJet

  • Date & Time (UTC): 2025-04-11T12:37:26Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
      • Organization: ukrjet
      • Website/Target: ukrjet.ua
      • Industry: Aviation & Aerospace
      • Country: Ukraine
  • Details: NoName057(16) claimed a DDoS attack against UkrJet, a Ukrainian company in the aviation sector. The check-host link provided was: https://check-host.net/check-report/24de125ckcb1.
  • Source Network: telegram
  • Source Publication: Announced under the same Telegram post as the SSAU attack: https://t.me/nnm05716rus/513
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/37dd7559-0298-4898-83f8-10c129b93750.png
  • Analysis: This attack further develops the pattern of NoName057(16) targeting the Ukrainian aerospace sector. The use of the same Telegram announcement URL (…/513) reinforces the likelihood of a coordinated campaign focusing on specific industries perceived as strategically relevant within the context of the conflict.

3.8 Incident: NoName057(16) DDoS Attack on Athlon Avia

  • Date & Time (UTC): 2025-04-11T12:32:28Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
      • Organization: athlon avia
      • Website/Target: athlonavia.com
      • Industry: Electrical & Electronic Manufacturing
      • Country: Ukraine
  • Details: The group NoName057(16) targeted Athlon Avia, a Ukrainian company involved in manufacturing (potentially defense-related, given the context of other targets). Proof of downtime link: https://check-host.net/check-report/24de13f6k42a.
  • Source Network: telegram
  • Source Publication: Also announced via Telegram post: https://t.me/nnm05716rus/513
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/4de25a6b-f27b-42c1-88fc-b21ce2d19627.png
  • Analysis: This attack broadens the scope slightly from pure aerospace to electronic manufacturing, but remains within the theme of targeting Ukrainian industrial or technological entities. Athlon Avia is known for producing unmanned aerial systems (UAS), making it a relevant target for disruption by a pro-Russian group. The continued use of the same announcement URL (…/513) confirms its inclusion in this coordinated wave by NoName057(16).

3.9 Incident: vulture DDoS Attack on High Medical

  • Date & Time (UTC): 2025-04-11T12:30:03Z
  • Category: DDoS Attack
  • Threat Actor(s): vulture
  • Victim:
      • Organization: high medical
      • Website/Target: hmedical.co.il
      • Industry: Medical Equipment Manufacturing
      • Country: Israel
  • Details: The threat actor “vulture” claimed a DDoS attack against High Medical, an Israeli medical equipment manufacturer. A check-host link was provided: https://check-host.net/check-report/24dcbb5dkdb2.
  • Source Network: telegram
  • Source Publication: Claim published on Telegram: https://t.me/Vulture_000/210
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/d8cd83eb-dbc3-445b-ae06-3203b461d572.png
  • Analysis: This incident, along with Incident 3.12 targeting TGspot, indicates activity by the actor “vulture” against Israeli targets. Both attacks were announced via the same Telegram post (…/210), suggesting coordination. Targeting a medical equipment manufacturer might be opportunistic or part of a broader anti-Israel hacktivist agenda prevalent among certain groups.

3.10 Incident: NoName057(16) DDoS Attack on CheZaRa Telemetria

  • Date & Time (UTC): 2025-04-11T12:27:19Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
      • Organization: chezara telemetria
      • Website/Target: chezara-telemetria.com
      • Industry: Electrical & Electronic Manufacturing
      • Country: Ukraine
  • Details: NoName057(16) continued its campaign, targeting CheZaRa Telemetria, another Ukrainian company in the electrical/electronic manufacturing sector. Proof of downtime link: https://check-host.net/check-report/24de122eke3b.
  • Source Network: telegram
  • Source Publication: Announced via the same Telegram post: https://t.me/nnm05716rus/513
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/2bb0d778-7621-4796-9594-60c0a3637062.png
  • Analysis: This attack further solidifies the focus of NoName057(16)’s coordinated campaign (…/513) on Ukrainian manufacturing and technology firms, potentially those perceived as having defense applications or contributing to the national industrial base.

3.11 Incident: NoName057(16) DDoS Attack on Tochprilad

  • Date & Time (UTC): 2025-04-11T12:22:59Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
      • Organization: tochprilad
      • Website/Target: tochprilad.com
      • Industry: Electrical & Electronic Manufacturing
      • Country: Ukraine
  • Details: The final attack observed in this wave by NoName057(16) targeted Tochprilad, also in the Ukrainian electrical/electronic manufacturing industry. Proof link: https://check-host.net/check-report/24de1225kc47.
  • Source Network: telegram
  • Source Publication: Announced under the same Telegram post: https://t.me/nnm05716rus/513
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/9edab154-7602-41a5-89ff-d84cce8af0fe.png
  • Analysis: This concludes the series of five attacks claimed by NoName057(16) announced via the single Telegram post …/513. The consistent targeting of Ukrainian aerospace and electronic manufacturing entities within a short timeframe strongly indicates a deliberate, coordinated operation aimed at disrupting specific industrial sectors.

3.12 Incident: vulture DDoS Attack on TGspot

  • Date & Time (UTC): 2025-04-11T12:09:31Z
  • Category: DDoS Attack
  • Threat Actor(s): vulture
  • Victim:
      • Organization: tgspot
      • Website/Target: tgspot.co.il
      • Industry: Network & Telecommunications (likely related to tech news/publishing)
      • Country: Israel
  • Details: The actor “vulture” claimed a DDoS attack against TGspot, an Israeli website likely focused on technology or telecommunications news. Proof link: https://check-host.net/check-report/24dcaabfk623.
  • Source Network: telegram
  • Source Publication: Announced via the same Telegram post as the High Medical attack: https://t.me/Vulture_000/210
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/8818318f-5ae0-43d8-ac4d-eadca12098a2.png
  • Analysis: This second attack by “vulture” against an Israeli target, announced concurrently with the High Medical attack (…/210), confirms a small, coordinated operation by this actor. Targeting a tech news site alongside a medical equipment manufacturer suggests either opportunistic targeting or a broader anti-Israel motivation.

3.13 Incident: Keymous+ DDoS Attack on SOTELMA (Intranet)

  • Date & Time (UTC): 2025-04-11T12:05:22Z
  • Category: DDoS Attack
  • Threat Actor(s): Keymous+
  • Victim:
      • Organization: sotelma (Société des Télécommunications du Mali)
      • Website/Target: intranet.sotelma.ml
      • Industry: Network & Telecommunications
      • Country: Mali
  • Details: The group “Keymous+” claimed a DDoS attack targeting the intranet portal of SOTELMA, the primary telecommunications company in Mali. Proof link: https://check-host.net/check-report/24ddc2e4k29a.
  • Source Network: telegram
  • Source Publication: Claim published on Telegram: https://t.me/KeymousTeam/1295
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/0c5282e2-4c93-4164-9b81-3667f198234c.png
  • Analysis: This incident, along with Incident 3.20 targeting SOTELMA’s webmail, indicates a focused effort by Keymous+ against Mali’s national telecom provider. Targeting both intranet and webmail suggests an intent to disrupt internal and external communications. The motivation is unclear from the provided data but could range from hacktivism to extortion attempts. The use of separate Telegram posts (…/1295 and …/1294) for the two attacks might indicate sequential actions rather than a single announcement wave.

3.14 Incident: Alleged Data Breach of Healthy Smile (Russia)

  • Date & Time (UTC): 2025-04-11T12:00:13Z
  • Category: Data Breach
  • Threat Actor(s): X0Frankenstein
  • Victim:
      • Organization: healthy smile (Dental Polyclinic)
      • Website/Target: healthy-smile.ru
      • Industry: Hospital & Health Care
      • Country: Russia
  • Details: Threat actor “X0Frankenstein” claimed to have leaked data allegedly exfiltrated from “Healthy Smile,” a Russian dental polyclinic. The compromised data reportedly contains approximately 5,000 records from 2024. The exposed information is said to include highly sensitive PII: last names, first names, birth dates, mobile and home phone numbers, email addresses, residential addresses, passport numbers, SNILS (Russian social insurance) numbers, and potentially other details.
  • Source Network: openweb
  • Source Publication: The alleged breach was posted on Breach Forums: https://breachforums.st/Thread-COLLECTION-Dental-Polyclinic-Healthy-Smile
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/d3f13133-a9dd-4d1d-9dd6-341fee8902e9.png
  • Analysis: This alleged breach involves extremely sensitive health-related and personal identification data, including passport and social insurance numbers. Exposure of such information poses severe risks of identity theft, financial fraud, and targeted social engineering for the approximately 5,000 individuals affected. The healthcare sector is often targeted due to the richness of the data it holds. The actor “X0Frankenstein” also claimed responsibility for another Russian data breach (Incident 3.21), suggesting a focus on Russian targets or access to data from that region. Publication on Breach Forums indicates intent to distribute or sell the data within the cybercriminal community.

3.15 Incident: Desinformador ruso DDoS Attack on Spanish Institute for Strategic Studies

  • Date & Time (UTC): 2025-04-11T11:49:04Z
  • Category: DDoS Attack
  • Threat Actor(s): Desinformador ruso
  • Victim:
      • Organization: spanish institute for strategic studies (IEEE)
      • Website/Target: revista.ieee.es (Journal website)
      • Industry: Think Tanks
      • Country: Spain
  • Details: The actor “Desinformador ruso” (translates to “Russian Disinformer”) claimed a DDoS attack targeting the online journal of the Spanish Institute for Strategic Studies. Proof of downtime link: https://check-host.net/check-report/24da4113kb34.
  • Source Network: telegram
  • Source Publication: Claim published on Telegram: https://t.me/musicarusaesp/6009
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/5fa4e8f1-f3b9-4bca-8796-3e4d1cd1a151.png
      • https://d34iuop8pidsy8.cloudfront.net/9db9830b-f2eb-43a2-a71f-45c1f0f03f03.png
  • Analysis: This is the first of four observed DDoS attacks attributed to “Desinformador ruso” targeting Spanish institutions, all announced via the same Telegram post (…/6009). This strongly indicates a coordinated campaign. The actor’s name explicitly suggests a pro-Russian, anti-Western/anti-NATO agenda. Targeting a strategic studies think tank aligns with disrupting institutions involved in policy analysis and potentially perceived as influential in shaping national or international perspectives unfavorable to the actor’s apparent alignment.

3.16 Incident: Desinformador ruso DDoS Attack on INCIBE (Spanish Cybersecurity Institute)

  • Date & Time (UTC): 2025-04-11T11:42:05Z
  • Category: DDoS Attack
  • Threat Actor(s): Desinformador ruso
  • Victim:
      • Organization: incibe – national institute of cybersecurity
      • Website/Target: incibe.es
      • Industry: Government Administration
      • Country: Spain
  • Details: “Desinformador ruso” continued its campaign by targeting INCIBE, Spain’s National Institute of Cybersecurity. Proof link: https://check-host.net/check-report/24da381bkec2.
  • Source Network: telegram
  • Source Publication: Announced under the same Telegram post: https://t.me/musicarusaesp/6009
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/ce63450a-39df-48ed-8e4f-06fa246e74af.png
      • https://d34iuop8pidsy8.cloudfront.net/132e93ac-1e01-49ca-8b3f-ef6b33bff5b9.png
  • Analysis: Targeting the national cybersecurity agency of a NATO country is a significant action within a hacktivist campaign. It aims to disrupt a key entity responsible for national cyber defense and public guidance. This choice of target, combined with the actor’s name and the coordinated nature of the attacks (…/6009), reinforces the interpretation of this activity as politically motivated disruption aimed at Spanish state infrastructure.

3.17 Incident: Desinformador ruso DDoS Attack on CCN-CERT (Spanish National Cryptologic Center CERT)

  • Date & Time (UTC): 2025-04-11T11:37:02Z
  • Category: DDoS Attack
  • Threat Actor(s): Desinformador ruso
  • Victim:
      • Organization: national cryptologic center – computer emergency response team (CCN-CERT)
      • Website/Target: ccn-cert.cni.es
      • Industry: Consumer Services (Note: More accurately Government/Cybersecurity)
      • Country: Spain
  • Details: The coordinated DDoS wave by “Desinformador ruso” also hit the website of CCN-CERT, Spain’s national Computer Emergency Response Team operating under the National Cryptologic Center. Proof link: https://check-host.net/check-report/24da2cfckce8.
  • Source Network: telegram
  • Source Publication: Announced via the same Telegram post: https://t.me/musicarusaesp/6009
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/cb8d381d-99fc-4f73-b066-cb1dd595d723.png
      • https://d34iuop8pidsy8.cloudfront.net/c91da77c-5daf-4b45-8690-0fb9ebbdcdae.png
  • Analysis: Attacking CCN-CERT, another critical component of Spain’s national cybersecurity apparatus alongside INCIBE, further demonstrates the actor’s focus on disrupting core cyber defense functions. This continued targeting within the same coordinated announcement (…/6009) underscores the strategic nature of this hacktivist campaign against Spanish state entities.

3.18 Incident: Desinformador ruso DDoS Attack on State Agency Official State Gazette (BOE)

  • Date & Time (UTC): 2025-04-11T11:26:31Z
  • Category: DDoS Attack
  • Threat Actor(s): Desinformador ruso
  • Victim:
      • Organization: state agency official state gazette (BOE – Boletín Oficial del Estado)
      • Website/Target: boe.es
      • Industry: Government & Public Sector
      • Country: Spain
  • Details: The final observed attack in this series by “Desinformador ruso” targeted the website of the BOE, Spain’s Official State Gazette, responsible for publishing laws and official government notices. Proof link: https://check-host.net/check-report/24da1561kb74.
  • Source Network: telegram
  • Source Publication: Announced under the same Telegram post: https://t.me/musicarusaesp/6009
  • Associated Screenshots:
      • https://d34iuop8pidsy8.cloudfront.net/b72390ea-f56b-495c-ba9b-1567efaf5d34.png
      • https://d34iuop8pidsy8.cloudfront.net/3508471b-95d0-466e-8aa5-2120555af694.png
  • Analysis: Targeting the BOE disrupts access to official government publications, a symbolic and potentially disruptive act against state function. This concludes the coordinated wave of four attacks announced via Telegram post …/6009, clearly demonstrating a focused campaign by “Desinformador ruso” against various Spanish government and strategic institutions, likely driven by geopolitical motives.
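The wave attribution used throughout sections 3.1 to 3.18 (one actor, one announcement URL, a compressed time window) and the contrasting Keymous+ case in 3.13 and 3.20 (two separate posts) can be reproduced mechanically over the report's own records. The following Python is an added example written for this edit, not code from the original report or from any tool it references; the claim records are transcribed from the incident entries above, and the one-hour window is an assumed threshold.

```python
"""Group hacktivist DDoS claims into announcement waves.

Added example, not code from the original report. Records are transcribed
from the report's incident entries; the grouping rule is the report's own:
claims by one actor under a single publication URL inside a short window
form one wave, claims announced in separate posts are sequential activity.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Claim:
    time: datetime   # claim time (UTC) as logged by the feed
    actor: str       # self-declared threat actor name
    target: str      # attacked hostname
    country: str     # victim country
    source_url: str  # post in which the claim was published

def _t(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed from the report's entries (sections 3.1-3.18 and 3.20).
DST = "https://t.me/DarkStormTeam3/225"
NNM = "https://t.me/nnm05716rus/513"
VUL = "https://t.me/Vulture_000/210"
DES = "https://t.me/musicarusaesp/6009"
KEY = "https://t.me/KeymousTeam/"
CLAIMS = [
    Claim(_t("2025-04-11T13:21:01Z"), "Dark Storm Team", "vmr.gov.ua", "Ukraine", DST),
    Claim(_t("2025-04-11T13:12:19Z"), "Dark Storm Team", "zp.gov.ua", "Ukraine", DST),
    Claim(_t("2025-04-11T13:05:33Z"), "Dark Storm Team", "minfin.gov.ua", "Ukraine", DST),
    Claim(_t("2025-04-11T12:58:52Z"), "Dark Storm Team", "mvs.gov.ua", "Ukraine", DST),
    Claim(_t("2025-04-11T12:42:15Z"), "NoName057(16)", "nkau.gov.ua", "Ukraine", NNM),
    Claim(_t("2025-04-11T12:37:26Z"), "NoName057(16)", "ukrjet.ua", "Ukraine", NNM),
    Claim(_t("2025-04-11T12:32:28Z"), "NoName057(16)", "athlonavia.com", "Ukraine", NNM),
    Claim(_t("2025-04-11T12:30:03Z"), "vulture", "hmedical.co.il", "Israel", VUL),
    Claim(_t("2025-04-11T12:27:19Z"), "NoName057(16)", "chezara-telemetria.com", "Ukraine", NNM),
    Claim(_t("2025-04-11T12:22:59Z"), "NoName057(16)", "tochprilad.com", "Ukraine", NNM),
    Claim(_t("2025-04-11T12:09:31Z"), "vulture", "tgspot.co.il", "Israel", VUL),
    Claim(_t("2025-04-11T12:05:22Z"), "Keymous+", "intranet.sotelma.ml", "Mali", KEY + "1295"),
    Claim(_t("2025-04-11T11:49:04Z"), "Desinformador ruso", "revista.ieee.es", "Spain", DES),
    Claim(_t("2025-04-11T11:42:05Z"), "Desinformador ruso", "incibe.es", "Spain", DES),
    Claim(_t("2025-04-11T11:37:02Z"), "Desinformador ruso", "ccn-cert.cni.es", "Spain", DES),
    Claim(_t("2025-04-11T11:26:31Z"), "Desinformador ruso", "boe.es", "Spain", DES),
    Claim(_t("2025-04-11T11:10:24Z"), "Keymous+", "webmail.sotelma.ml", "Mali", KEY + "1294"),
]

@dataclass
class Wave:
    actor: str
    source_url: str
    claims: list  # sorted oldest first

    @property
    def span_seconds(self) -> float:
        """Seconds from the first to the last claim in the wave."""
        return (self.claims[-1].time - self.claims[0].time).total_seconds()

def _within(group, window_seconds):
    return len(group) >= 2 and (group[-1].time - group[0].time).total_seconds() <= window_seconds

def cluster_waves(claims, window_seconds=3600):
    """Group claims by (actor, source URL); a group of two or more claims whose
    first-to-last span fits in the window is a wave. The one-hour default is an
    assumed threshold. Returns (waves oldest first, claims that did not cluster)."""
    groups = defaultdict(list)
    for claim in claims:
        groups[(claim.actor, claim.source_url)].append(claim)
    waves, leftover = [], []
    for (actor, url), group in groups.items():
        group.sort(key=lambda c: c.time)
        if _within(group, window_seconds):
            waves.append(Wave(actor, url, group))
        else:
            leftover.extend(group)
    waves.sort(key=lambda w: w.claims[0].time)
    return waves, leftover

def sequential_activity(claims, window_seconds=3600):
    """Among claims that did not cluster, count per-actor claims announced in
    separate posts inside the window (the report's Keymous+ case: one actor,
    one victim, two posts about 55 minutes apart)."""
    by_actor = defaultdict(list)
    for claim in claims:
        by_actor[claim.actor].append(claim)
    counts = {}
    for actor, group in by_actor.items():
        group.sort(key=lambda c: c.time)
        if _within(group, window_seconds):
            counts[actor] = len(group)
    return counts

if __name__ == "__main__":
    waves, rest = cluster_waves(CLAIMS)
    for w in waves:
        print(f"{w.actor:20s} {len(w.claims)} claims over {w.span_seconds:.0f}s via {w.source_url}")
    print("sequential activity:", sequential_activity(rest))
```

Run against these records it yields the four waves the report describes (Dark Storm Team, NoName057(16), vulture, Desinformador ruso) and leaves the two Keymous+ claims as sequential activity under separate posts.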

3.19 Incident: Alleged Leak of UAE and Brazilian Corporate Credentials

  • Date & Time (UTC): 2025-04-11T11:11:31Z
  • Category: Data Leak
  • Threat Actor(s): marg
  • Victim:
      • Organization: (Unspecified – one UAE company, one Brazilian corporate group)
      • Website/Target: (Not specified)
      • Industry: (Not specified)
      • Country: UAE, Brazil
  • Details: The threat actor “marg” claimed to be leaking corporate credentials obtained from two separate entities: an unnamed company in the United Arab Emirates and an unnamed corporate group in Brazil. The leaked data allegedly includes highly sensitive access information: AWS credentials (reportedly with 2FA details), access to an ESET business management panel, Fortinet VPN/firewall credentials, Remote Desktop Protocol (RDP) credentials, and Portainer (container management) access. The actor claims a total of 1,063 passwords are included in the leak.
  • Source Network: openweb
  • Source Publication: The leak was advertised on Breach Forums: https://breachforums.st/Thread-2-FRESH-CORP-PW-MANAGER-EXPORTS
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/4fc5bb2d-a7c7-49f3-acf1-f93c2158253e.png
  • Analysis: This incident represents a significant corporate security threat. The types of credentials allegedly leaked (AWS, ESET, Fortinet, RDP, Portainer) provide deep access into corporate IT environments, potentially enabling network compromise, data exfiltration, deployment of malware (including ransomware), espionage, and lateral movement. Even with 2FA mentioned for AWS, the exposure of other credentials like RDP and VPN poses immediate risks. The leak impacts organizations in two different regions (UAE and Brazil), suggesting the actor may have obtained this data through potentially widespread campaigns (e.g., infostealer malware) or by purchasing logs from other criminals. Posting on Breach Forums indicates an intent to sell or trade this valuable access information.

3.20 Incident: Keymous+ DDoS Attack on Telecommunications Company of Mali (Webmail)

  • Date & Time (UTC): 2025-04-11T11:10:24Z
  • Category: DDoS Attack
  • Threat Actor(s): Keymous+
  • Victim:
  • Organization: telecommunications company of mali (SOTELMA)
  • Website/Target: webmail.sotelma.ml
  • Industry: Network & Telecommunications
  • Country: Mali
  • Details: Following the earlier attack on SOTELMA’s intranet (Incident 3.13), “Keymous+” claimed a DDoS attack against the company’s webmail service. Proof link: https://check-host.net/check-report/24dda445k9ca.
  • Source Network: telegram
  • Source Publication: Claim published on Telegram: https://t.me/KeymousTeam/1294
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/7fe42f7b-e177-4b56-9e79-1dd74f38f800.png
  • Analysis: This second attack on SOTELMA by Keymous+, targeting a different critical service (webmail), reinforces the assessment of a focused campaign against Mali’s primary telecom provider. Disrupting webmail access directly impacts external communication for the company and its users. The use of a separate Telegram post (…/1294) from the one used for the intranet attack (…/1295) might suggest these were sequential attacks rather than attacks announced simultaneously.

3.21 Incident: Alleged Database Leak of Rusalut (Russia)

  • Date & Time (UTC): 2025-04-11T10:50:10Z
  • Category: Data Breach
  • Threat Actor(s): X0Frankenstein
  • Victim:
  • Organization: rusalut
  • Website/Target: rusalut.ru
  • Industry: Manufacturing (Pyrotechnics/Fireworks)
  • Country: Russia
  • Details: The actor “X0Frankenstein”, also responsible for the Healthy Smile breach claim (Incident 3.14), alleged a data leak from Rusalut, a Russian company specializing in pyrotechnics and fireworks. The compromised data reportedly contains over 67,000 customer records dating back to 2019. Information exposed allegedly includes full names, birthdates, phone numbers, gender, cities, email addresses (if provided), and details regarding activation points (possibly related to loyalty programs or purchases).
  • Source Network: openweb
  • Source Publication: Posted on Breach Forums: https://breachforums.st/Thread-DATABASE-RUSALUT-Pyrotechnics-rusalut-ru
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/ee08f4f1-2f33-4b6a-8107-be916606aa91.png
  • Analysis: This alleged breach exposes the PII of a large number of customers (over 67,000). While the data dates back to 2019, information like names, birthdates, phone numbers, and emails can still be valuable for phishing, spam, and potentially identity theft attempts. This second claim by “X0Frankenstein” involving a Russian entity within a short period reinforces the possibility of this actor having specific access or focus related to Russian organizations. The publication on Breach Forums follows the pattern of making compromised data available to the wider cybercriminal community.

3.22 Incident: Alleged Database Leak of TheLotter (Australia)

  • Date & Time (UTC): 2025-04-11T10:40:58Z
  • Category: Data Breach
  • Threat Actor(s): Ponce
  • Victim:
  • Organization: thelotter
  • Website/Target: thelotter.com.au
  • Industry: Gambling & Casinos
  • Country: Australia
  • Details: Threat actor “Ponce” claimed to have leaked data from the Australian domain of TheLotter, an online platform for purchasing lottery tickets. The compromised data allegedly contains information for 201,617 customers. Exposed details reportedly include first names, last names, addresses, IP addresses, order dates, order status, and potentially other related information.
  • Source Network: openweb
  • Source Publication: Advertised on Breach Forums: https://breachforums.st/Thread-DATABASE-The-Lotter-Australia-Leaked-Download
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/7425c977-c0c4-4d10-9dad-540ae3ec6900.png
  • Analysis: This represents a large-scale data breach claim, potentially affecting over 200,000 individuals. The combination of names, addresses, IP addresses, and order details provides valuable information for identity theft, targeted phishing (especially related to winnings or account issues), and potentially correlating online activity with real-world identities. The actor “Ponce” was also responsible for the Bddbid breach claim (Incident 3.28), suggesting activity involving large datasets from different regions. The use of Breach Forums is consistent with data trading practices.

3.23 Incident: Alleged Data Leak of TolNet (Turkey)

  • Date & Time (UTC): 2025-04-11T10:29:41Z
  • Category: Data Leak
  • Threat Actor(s): fabiolages85
  • Victim:
  • Organization: tolnet (Tolbilisim)
  • Website/Target: tolbilisim.com.tr
  • Industry: Network & Telecommunications (Internet Service Provider)
  • Country: Turkey
  • Details: The threat actor “fabiolages85” claimed a data leak originating from TolNet (Tolbilisim), an Internet Service Provider (ISP) in Turkey. The compromised data, allegedly from 2025, reportedly includes customer information and financial transaction records.
  • Source Network: openweb
  • Source Publication: Posted on Breach Forums: https://breachforums.st/Thread-TURKEY-Tolbilisim-Leak-Data-2025
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/bfd446eb-316e-4f3d-b242-6b332b55e26f.png
  • Analysis: Data leaks from ISPs are particularly concerning as they can expose not only customer PII but also potentially metadata related to internet usage and financial details linked to service payments. The claim of recent data (2025) and inclusion of financial transaction records increases the potential impact, enabling financial fraud and highly targeted phishing. The specific nature and volume of data were not detailed beyond the claim. Publication on Breach Forums indicates intent to share or sell the data.

3.24 Incident: Websec DDoS Attack on Channel 10 (Israel)

  • Date & Time (UTC): 2025-04-11T10:08:34Z
  • Category: DDoS Attack
  • Threat Actor(s): Websec
  • Victim:
  • Organization: channel 10
  • Website/Target: 10tv.nana10.co.il
  • Industry: Broadcast Media
  • Country: Israel
  • Details: The group “Websec” claimed responsibility for a DDoS attack targeting the website of Channel 10, an Israeli broadcast media outlet. No check-host link was provided in the summary, only the claim itself.
  • Source Network: telegram
  • Source Publication: Claim made on Telegram: https://t.me/KeymousTeam/1286 (Note: URL seems associated with KeymousTeam, potentially indicating collaboration or shared channel usage).
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/0948ffb5-7dff-4ee2-9354-ed15f75d7914.png
  • Analysis: Targeting a national media channel is a common tactic for hacktivist groups seeking visibility and disruption. This attack adds to the DDoS activity directed against Israeli entities during this period. The publication URL points to a channel associated with “KeymousTeam”, suggesting a possible link or shared platform between these actors, although the claim attributes the attack specifically to “Websec”.

3.25 Incident: Dark Storm Team DDoS Attack on UAE Ministry of Defence

  • Date & Time (UTC): 2025-04-11T09:57:30Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
  • Organization: ministry of defence
  • Website/Target: mod.gov.ae
  • Industry: Government Administration
  • Country: UAE
  • Details: Shifting focus from Ukraine, Dark Storm Team claimed a DDoS attack against the Ministry of Defence of the United Arab Emirates. Proof link: https://check-host.net/check-report/24dd1acfkf8f.
  • Source Network: telegram
  • Source Publication: Announced via Telegram post: https://t.me/DarkStormTeam3/221
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/4d2cf92a-258d-4916-b5e5-b42bc8a59b04.png
  • Analysis: This attack, along with the subsequent one against the UAE Ministry of Interior (Incident 3.26), indicates a brief campaign by Dark Storm Team targeting UAE government ministries. Both attacks were announced under the same Telegram post (…/221), suggesting coordination. This marks a geographic shift from the group’s earlier focus on Ukraine within the same day. The motivation for targeting the UAE is not immediately clear from the data but could relate to broader geopolitical alignments or specific events.

3.26 Incident: Dark Storm Team DDoS Attack on UAE Ministry of Interior (MOI)

  • Date & Time (UTC): 2025-04-11T09:54:48Z
  • Category: DDoS Attack
  • Threat Actor(s): Dark Storm Team
  • Victim:
  • Organization: ministry of interior (moi)
  • Website/Target: moi.gov.ae
  • Industry: Government Administration
  • Country: UAE
  • Details: Dark Storm Team claimed a DDoS attack against the UAE Ministry of Interior. Proof link: https://check-host.net/check-report/24dd143ak4b1.
  • Source Network: telegram
  • Source Publication: Announced via the same Telegram post as the Ministry of Defence attack: https://t.me/DarkStormTeam3/221
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/62b7816d-e15d-4ecf-98e0-bd919cefeb18.png
  • Analysis: This second attack against a UAE ministry, announced concurrently (…/221) with the attack on the Ministry of Defence, confirms a coordinated, albeit brief, DDoS operation by Dark Storm Team targeting the UAE government. Targeting both defense and internal security ministries suggests an intent to disrupt core state functions.

3.27 Incident: LYNX Ransomware Attack on Restaurant Associates (Jamaica)

  • Date & Time (UTC): 2025-04-11T09:32:42Z
  • Category: Ransomware
  • Threat Actor(s): LYNX
  • Victim:
  • Organization: restaurant associates
  • Website/Target: raljm.com
  • Industry: Restaurants
  • Country: Jamaica
  • Details: The ransomware group known as LYNX claimed to have successfully breached Restaurant Associates, a company based in Jamaica. The group alleges exfiltration of sensitive corporate data, including financial statements, tax records, details on franchisee commissions, business analytics reports, marketing strategies, human resources documents (likely containing employee PII), and contracts. This data is typically held hostage, with its public release threatened if a ransom is not paid.
  • Source Network: tor
  • Source Publication: The claim and potentially samples of stolen data were published on the LYNX ransomware group’s dedicated leak site on the Tor network: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/67f00107ce8dcc3b0de604ab (Note: Tor link)
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/4726798c-9778-4c3c-9e3b-795e46744a5b.png
  • Analysis: This is the sole ransomware incident reported during this period. It highlights the ongoing threat posed by ransomware groups employing the double-extortion tactic (encrypting data and threatening to leak exfiltrated data). The types of data claimed by LYNX (financial, HR, strategic) are typical targets as their exposure can cause significant financial, reputational, and operational damage, increasing pressure on the victim to pay the ransom. The use of a Tor-based leak site is standard operating procedure for many ransomware groups to publicize victims and leak data.

3.28 Incident: Alleged Database Sale of Bddbid (China)

  • Date & Time (UTC): 2025-04-11T09:27:09Z
  • Category: Data Breach
  • Threat Actor(s): Ponce
  • Victim:
  • Organization: bddbid
  • Website/Target: h5.bddbid.com
  • Industry: Gambling & Casinos (Note: Description suggests a tendering/bidding platform, industry may be miscategorized)
  • Country: China
  • Details: Threat actor “Ponce”, also responsible for TheLotter claim (Incident 3.22), advertised the sale of a database allegedly originating from Bddbid, described as a Chinese tendering platform. The actor claims the database contains a massive 6,081,278 customer records. Exposed information reportedly includes names, email addresses, phone numbers, addresses, taxpayer identification numbers, credit codes, and potentially more.
  • Source Network: openweb
  • Source Publication: Advertised for sale on Breach Forums: https://breachforums.st/Thread-SELLING-Bddbid-Breached-6-millions-customers
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/11822204-85e2-4a27-a408-9dcdf19d1a0d.png
  • Analysis: This alleged breach is notable for its sheer scale, claiming over 6 million records. If accurate, the exposure of names, contact details, addresses, and potentially sensitive identifiers like taxpayer numbers and credit codes from a tendering platform could lead to widespread identity theft, sophisticated fraud schemes, and business espionage targeting users of the platform. The actor “Ponce” appears to specialize in obtaining and selling large datasets. The platform, Breach Forums, serves as the marketplace for this high-volume data offering.

3.29 Incident: Arab Ghosts Hackers DDoS Attack on Yad Vashem Holocaust Museum

  • Date & Time (UTC): 2025-04-11T09:23:09Z
  • Category: DDoS Attack
  • Threat Actor(s): Arab Ghosts Hackers
  • Victim:
  • Organization: yad vashem holocaust museum
  • Website/Target: yad-vashem.org.il
  • Industry: Museums & Institutions
  • Country: Israel
  • Details: The group “Arab Ghosts Hackers” claimed a DDoS attack against the website of Yad Vashem, Israel’s official memorial to the victims of the Holocaust. Two check-host links were provided as proof: https://check-host.net/check-report/24dcec55k94f and https://check-host.net/check-report/24dced1fk11c.
  • Source Network: telegram
  • Source Publication: Claim made via Telegram: https://t.me/c/2291310850/375 (Note: URL format suggests a private channel or group).
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/98e9a438-1e1e-4d83-8310-d6434dfccb0f.png
  • Analysis: Targeting Yad Vashem, a site of immense historical and cultural significance, is a highly symbolic act often associated with anti-Israel or antisemitic motivations within the hacktivism sphere. This attack adds to the cluster of DDoS incidents targeting Israeli entities during this period, carried out by various groups (Vulture, Websec, Arab Ghosts Hackers).

3.30 Incident: Alleged Initial Access Sale for U.S. Department of Energy Entity

  • Date & Time (UTC): 2025-04-11T08:28:47Z
  • Category: Initial Access
  • Threat Actor(s): miya
  • Victim:
  • Organization: office of nuclear energy, u.s. department of energy (the listing refers broadly to the Department of Energy; the Office of Nuclear Energy is the specific entity potentially targeted)
  • Website/Target: energy.gov (Domain associated with Dept of Energy)
  • Industry: Government Administration
  • Country: USA
  • Details: Threat actor “miya” advertised the sale of initial network access allegedly pertaining to a U.S. Department of Energy entity, described as involved in “USA Energy Technology & Nuclear Power.” The access being sold is claimed to be highly privileged: Root Shell access on a firewall. The actor also noted the target organization’s reported revenue is around $1.5 billion, likely to emphasize its value.
  • Source Network: openweb
  • Source Publication: Access offered for sale on Breach Forums: https://breachforums.st/Thread-USA-Energy-Technology-Nuclear-Power-1-5billion-Revenue
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/9f071649-5825-4ad5-9263-0e410dd71df8.png
  • Analysis: This is arguably one of the most critical incidents reported during this period. The sale of initial access, particularly root-level access on a firewall belonging to a government entity involved in energy and nuclear power, represents an extremely serious security threat. Such access could enable sophisticated follow-on attacks, including espionage, data exfiltration of highly sensitive information, deployment of destructive malware, or potentially disruption of critical infrastructure functions. The high claimed revenue ($1.5 billion) highlights the potential significance of the target. The sale being conducted on Breach Forums underscores the role of such marketplaces in facilitating high-stakes cyber intrusions by connecting initial access brokers with actors capable of exploiting that access. Verification of this claim is crucial.

3.31 Incident: NoName057(16) DDoS Attack on Kookas Media Oy (Finland)

  • Date & Time (UTC): 2025-04-11T07:54:21Z
  • Category: DDoS Attack
  • Threat Actor(s): NoName057(16)
  • Victim:
  • Organization: kookas media oy
  • Website/Target: kookas.fi
  • Industry: Online Publishing
  • Country: Finland
  • Details: The group NoName057(16), previously seen targeting Ukraine, claimed a DDoS attack against Kookas Media Oy, an online publishing company in Finland. Proof link: http://check-host.net/check-report/24dc703fk6d9.
  • Source Network: telegram
  • Source Publication: Claim published on the group’s Telegram channel: https://t.me/nnm05716rus/502
  • Associated Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/92d165c3-96b5-47d1-a91a-6ce5781d2596.png
  • https://d34iuop8pidsy8.cloudfront.net/59970b8b-e98d-49c3-9275-bcd2917c67ba.png
  • Analysis: This attack demonstrates that NoName057(16)’s operational scope extends beyond Ukraine. Targeting a Finnish media company could be related to Finland’s geopolitical stance, its recent accession to NATO, or specific reporting by the outlet deemed unfavorable by the group. This action, announced under a different Telegram post (…/502) than the Ukrainian campaign (…/513), suggests it might be part of a separate operational focus or a broadening of targets by the pro-Russian hacktivist group.

4. Threat Actor Spotlight

Several threat actors were particularly active during this 24-hour period:

  • Dark Storm Team: This group executed two distinct, coordinated DDoS campaigns. The first involved four attacks within 30 minutes against Ukrainian government entities (Vinnytsia City Council, Zaporizhzhia City Council, Ministry of Finance, Ministry of Internal Affairs), all announced via a single Telegram post (…/225). The second involved two attacks against UAE ministries (Defence, Interior), announced via a different Telegram post (…/221). Their actions appear consistent with politically motivated hacktivism, primarily focused on Ukraine but demonstrating capability against other nations.
  • NoName057(16): This well-known pro-Russian hacktivist group conducted a coordinated DDoS campaign against five Ukrainian entities, primarily in the aerospace and electronic manufacturing sectors (SSAU, UkrJet, Athlon Avia, CheZaRa Telemetria, Tochprilad), announced via Telegram post …/513. They also targeted a Finnish online publisher (Kookas Media Oy) in a separate action announced via post …/502. Their activity reflects a clear focus on disrupting targets perceived as adversaries or relevant to the conflict in Ukraine, with operations extending to other European nations like Finland.
  • Desinformador ruso: This actor, whose name translates to “Russian Disinformer,” executed a coordinated DDoS campaign against four Spanish state and strategic institutions (IEEE, INCIBE, CCN-CERT, BOE), announced via Telegram post …/6009. The actor’s name and target selection strongly suggest a politically motivated operation aimed at disrupting Spanish government functions, likely linked to anti-NATO or anti-Western sentiment.
  • Data Brokers/Leakers (Kaught, X0Frankenstein, marg, Ponce, fabiolages85, miya): A significant portion of the non-DDoS activity involved actors advertising data leaks, data breaches, or initial access sales on the breachforums.st platform. These actors targeted diverse geographies (China, Russia, UAE, Brazil, Australia, Turkey, USA) and data types (PII, corporate credentials, financial data, government access). Actors like “X0Frankenstein” and “Ponce” were linked to multiple large breaches, indicating specialization or significant access. “miya” offered potentially high-impact access to a US Department of Energy entity. This activity highlights the vibrant underground market for compromised data and network access.

5. Geographic & Sectoral Trends

  • Geographic Focus:
  • Ukraine: Remained the most heavily targeted nation with 10 incidents, almost exclusively DDoS attacks attributed to pro-Russian hacktivist groups (Dark Storm Team, NoName057(16)). The focus was on government administration, aerospace, and manufacturing sectors, directly reflecting the cyber dimension of the ongoing conflict.
  • Spain: Experienced a concentrated DDoS campaign (4 incidents) by “Desinformador ruso” targeting government administration, cybersecurity institutions, and strategic think tanks. This points to targeted hacktivist operations against a specific NATO member state.
  • Israel: Was targeted by multiple DDoS actors (Vulture, Websec, Arab Ghosts Hackers) across 3 incidents, hitting medical manufacturing, tech media, and a significant cultural institution (Yad Vashem). This likely reflects ongoing regional tensions and associated hacktivism.
  • Russia: Appeared as a victim in two significant data breach claims (Healthy Smile, Rusalut) attributed to “X0Frankenstein”, indicating that Russian entities are also subject to data compromise operations.
  • China: Was the locus for two major data compromise claims (iPhone rentals, Bddbid platform), one involving potentially millions of records, signaling significant cybercriminal interest in data from this region.
  • Other Nations: Incidents also impacted the UAE (DDoS, corporate credential leak), Mali (Telecom DDoS), Jamaica (Ransomware), Australia (Data Breach), Turkey (ISP Data Leak), USA (Initial Access Sale), and Finland (Media DDoS), demonstrating the global reach of cyber threats reported within this single day.
  • Sectoral Focus:
  • Government Administration / Public Sector: This sector bore the brunt of DDoS attacks (Ukraine, Spain, UAE) and was the target of the high-stakes initial access sale claim (USA – Dept of Energy). Government entities continue to be prime targets for disruption and potentially espionage or more severe attacks.
  • Network & Telecommunications: Targeted by DDoS in Mali (SOTELMA) and Israel (TGspot), and subject to a data leak claim in Turkey (TolNet). This highlights the vulnerability of critical communications infrastructure.
  • Manufacturing (incl. Aerospace, Electronics, Medical): Faced DDoS attacks (Ukraine, Israel) and a data breach claim (Russia). Disruption and potential intellectual property theft remain concerns for this sector.
  • Data-Intensive Services (Gambling, Rentals, Online Platforms): Subject to large-scale data breach claims (Australia, China), emphasizing the risk associated with platforms holding substantial amounts of customer PII.
  • Healthcare: A Russian dental clinic was allegedly breached, highlighting the ongoing targeting of this sector for sensitive patient data.
  • Restaurants: A Jamaican entity was hit by ransomware, showing that this threat affects diverse industries.

6. Concluding Observations

The cybersecurity incidents documented on April 11, 2025, illustrate several persistent and evolving trends in the threat landscape.

First, the high volume of DDoS attacks, particularly the coordinated campaigns against Ukraine and Spain, underscores the continued utility of this method for disruption and political signaling by hacktivist groups. The organization demonstrated by groups like Dark Storm Team, NoName057(16), and Desinformador ruso, using platforms like Telegram for announcements and coordination, suggests a level of operational maturity beyond simple, isolated attacks.

Second, compromised data remains a highly valued commodity in the cybercriminal underground. Multiple incidents involved the leak or sale of sensitive PII, corporate credentials, and financial information on dedicated forums like Breach Forums. The scale of some alleged breaches, potentially involving millions of records, poses significant risks for individuals and organizations globally, fueling identity theft, fraud, and corporate espionage.

Third, geopolitical tensions demonstrably drive a significant portion of cyber threat activity. The concentration of attacks against Ukraine, Spain (a NATO member), and Israel directly correlates with ongoing conflicts and international alignments, indicating that state-sponsored or politically motivated actors frequently leverage cyber operations.

Fourth, alongside the prevalent DDoS attacks and data breaches, high-impact threats continue to pose serious risks. The reported ransomware attack by LYNX and, most notably, the alleged sale of root-level access to a U.S. Department of Energy entity by “miya”, serve as critical reminders of the potential for devastating consequences arising from successful intrusions, ranging from financial extortion to compromises of critical infrastructure.

Finally, the observed activity highlights a distinct ecosystem of platforms used by threat actors. Telegram serves as a primary channel for communication, coordination, and claims related to disruptive attacks like DDoS. Specialized forums on the Open Web and Dark Web (Tor) function as marketplaces for the trade of stolen data, credentials, and network access, facilitating the broader cybercrime economy. Continuous monitoring and analysis of these platforms remain essential for effective threat intelligence.