[April-13-2025] Daily Cybersecurity Threat Report – Part 2

Executive Summary

This report details cybersecurity incidents reported over the past 24 hours, ending April 13, 2025. The threat landscape was notably active, characterized by a high volume of hacktivist operations, primarily employing Distributed Denial-of-Service (DDoS) and website defacement tactics, alongside persistent threats from established Ransomware-as-a-Service (RaaS) groups. Geopolitical tensions appear to be a significant driver for hacktivist campaigns, with multiple groups claiming attacks related to the Israeli-Palestinian conflict and targeting entities in Kosovo and Finland. Financially motivated actors, specifically the MEDUSA and DragonForce ransomware groups, continued targeting critical sectors like Education and Manufacturing in the US and UK, leveraging double extortion tactics and exploiting known vulnerabilities. An alert regarding the sale of credential-checking tools for cryptocurrency exchanges highlights ongoing preparations for financial fraud. Organizations should prioritize DDoS mitigation, vulnerability management, robust access controls, and user awareness training to counter these diverse threats.

Detailed Incident Analysis

This section provides an in-depth analysis of individual cybersecurity incidents reported on April 13, 2025, integrating threat actor intelligence and contextual information.

1. Anonymous Jordan claims to target Israel and Italy

  • Timestamp: 2025-04-13T13:00:36Z
  • Category: Alert
  • Victim Details: Potential targets in Israel and Italy.
  • Incident Description: A Telegram post attributed to “Anonymous Jordan” announced plans to target two websites, one in Israel and one in Italy, within 48 hours. The stated motivation is retaliation for the bombing of the Baptist Hospital in Gaza.
  • Threat Actor Intelligence:
  • Actor: Anonymous Jordan
  • Contextual Analysis: Anonymous Jordan aligns with the broader Anonymous hacktivist collective, typically motivated by political or ideological causes. Their actions often involve disruptive tactics like DDoS attacks or website defacements aimed at raising awareness or protesting specific events [1]. This specific threat appears directly linked to the ongoing Israeli-Palestinian conflict, a common theme driving hacktivist activity. While specific TTPs for Anonymous Jordan are not detailed in the provided context, groups operating under the Anonymous banner frequently employ DDoS and defacement [1]. The explicit naming of target countries and a timeframe indicates a planned operation intended to have a symbolic impact related to the stated grievance.
  • Supporting Links:
  • Publication URL: https://t.me/AnonymousJordan/162
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/7ef30984-e3a6-4678-b5c1-ea90fbe1c47b.png

2. Anonymous Italia targets the website of UNITEX

  • Timestamp: 2025-04-13T12:57:57Z
  • Category: Defacement
  • Victim Details:
  • Organization: unitex
  • Country: Russia
  • Industry: Software Development
  • Website: webunitex.ru
  • Incident Description: The hacktivist group “Anonymous Italia” claimed responsibility for defacing the website of UNITEX, a Russian software development company.
  • Threat Actor Intelligence:
  • Actor: Anonymous Italia
  • Contextual Analysis: Anonymous Italia operates as part of the decentralized Anonymous collective, driven by hacktivism and political motivations [2]. Historically, they have focused on data leaks, particularly targeting Italian government and law enforcement entities under operations like “Operation Police” as part of the broader “AntiSec” movement [2]. They have also participated in campaigns driven by environmental activism (#OpJapan [5]) and geopolitical events, including targeting Russian entities following the invasion of Ukraine [6]. Their TTPs include website defacement, data leaks/dumping [2], and participation in DDoS campaigns [6]. This defacement of a Russian company website is consistent with their established anti-Russian stance within the Anonymous collective’s response to the Ukraine conflict [6], serving as a symbolic act of digital protest.
  • Supporting Links:
  • Publication URL: https://t.me/AnonSecIta_Ops/653
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/db9aa990-e832-46e4-8cc3-051be3cf4161.png
  • https://d34iuop8pidsy8.cloudfront.net/2876fce0-f6ff-4590-9281-83e6b9069f34.png

3. Fall River Public School falls victim to MEDUSA Ransomware

  • Timestamp: 2025-04-13T12:42:26Z
  • Category: Ransomware
  • Victim Details:
  • Organization: fall river public school
  • Country: USA
  • Industry: Education
  • Website: fallriverschools.org
  • Incident Description: The MEDUSA ransomware group claims to have compromised Fall River Public Schools, obtained unspecified data, and intends to publish it within 6 to 7 days if ransom demands are not met.
  • Threat Actor Intelligence:
  • Actor: MEDUSA
  • Contextual Analysis: MEDUSA operates a financially motivated Ransomware-as-a-Service (RaaS) model, active since June 2021 [9]. Initially a closed group, it now relies on affiliates, though core developers often manage negotiations [9]. Their primary tactic is double extortion: encrypting data and threatening to leak exfiltrated information via their “Medusa Blog” on Tor [11] and a public Telegram channel [11] if the ransom (often substantial [9]) is not paid [9]. Triple extortion has also been reported [16]. Affiliates gain initial access through various means, including exploiting public-facing applications like RDP [13] or specific vulnerabilities (e.g., ScreenConnect CVE-2024-1709, Fortinet EMS CVE-2023-48788 [9]), phishing [9], or purchasing access from Initial Access Brokers (IABs) [9]. They heavily utilize Living-off-the-Land (LOTL) techniques (PowerShell, WMI, certutil [9]) for discovery, execution, and defense evasion, often obfuscating scripts [9] and attempting to disable security tools, sometimes using Bring-Your-Own-Vulnerable-Driver (BYOVD) methods [9]. Lateral movement often involves RDP [9], PsExec [10], and legitimate remote management tools [10]. Data exfiltration frequently uses tools like Rclone [10] or RoboCopy [15] before deploying the AES-256 encryptor [10], which appends the .medusa extension [10] and drops a ransom note (!READ_ME_MEDUSA!!!.txt [13]). MEDUSA targets a wide range of critical infrastructure sectors globally, with Education being a frequent target [10], particularly in the US [12]. This attack on a US public school system fits MEDUSA’s established operational pattern and target profile precisely. The claimed data theft and publication deadline align with their double extortion model, and the 6-7 day timeframe is consistent with their typical demands [15].
  • Supporting Links:
  • Publication URL: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/detail?id=e8b22c830ef1fbaabddc943f6e661c61
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2312d599-fbcf-477e-8c47-74d6ab5d6dca.png
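
The host-level indicators named in the MEDUSA analysis above (the .medusa extension, the ransom note name, and the Rclone/RoboCopy, certutil and PsExec tooling) can be combined into a simple triage check. This is an added example, not part of the original report; the event schema, host names, sample events and threshold are constructed assumptions.

```python
"""Added example: triage endpoint events for the MEDUSA indicators in the report."""
from collections import defaultdict
from datetime import datetime
import ntpath

# Indicators taken from the report text (compared case-insensitively).
RANSOM_NOTE = "!read_me_medusa!!!.txt"
ENCRYPTED_EXT = ".medusa"
# Tools the report names, grouped by the stage it associates them with.
TOOL_STAGE = {
    "rclone.exe": "exfiltration",
    "robocopy.exe": "exfiltration",
    "certutil.exe": "lotl",
    "psexec.exe": "lateral_movement",
}
# Assumption: this many renamed files on one host counts as mass encryption.
ENCRYPTION_THRESHOLD = 3


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-04-13T01:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(events):
    """Group events by host and rate each host by the indicators seen."""
    hosts = defaultdict(lambda: {"stages": {}, "encrypted": [], "note": None})
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        state, ts = hosts[ev["host"]], parse_ts(ev["ts"])
        if ev["type"] == "process":
            stage = TOOL_STAGE.get(ntpath.basename(ev["image"]).lower())
            if stage:
                state["stages"].setdefault(stage, ts)  # keep first sighting
        elif ev["type"] == "file":
            name = ntpath.basename(ev["path"]).lower()
            if name == RANSOM_NOTE:
                state["note"] = state["note"] or ts
            elif name.endswith(ENCRYPTED_EXT):
                state["encrypted"].append(ts)

    report = {}
    for host, s in hosts.items():
        exfil = s["stages"].get("exfiltration")
        first_enc = s["encrypted"][0] if s["encrypted"] else None
        if s["note"] or len(s["encrypted"]) >= ENCRYPTION_THRESHOLD:
            severity = "critical"  # encryption already happened
        elif exfil and len(s["stages"]) > 1:
            severity = "high"      # staging plus exfil tool: act before encryption
        elif s["stages"]:
            severity = "low"       # a single dual-use admin tool on its own
        else:
            severity = "none"
        report[host] = {
            "stages": sorted(s["stages"]),
            "encrypted_files": len(s["encrypted"]),
            "ransom_note": s["note"] is not None,
            # The report says exfiltration precedes the encryptor; if this is
            # true, treat the incident as a data breach, not only an outage.
            "exfil_before_encryption": bool(exfil and first_enc and exfil < first_enc),
            "severity": severity,
        }
    return report


# Constructed sample events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-04-13T01:00:00Z", "type": "process", "image": r"C:\Windows\System32\certutil.exe"},
    {"host": "FS01", "ts": "2025-04-13T01:05:00Z", "type": "process", "image": r"C:\Tools\PsExec.exe"},
    {"host": "FS01", "ts": "2025-04-13T01:20:00Z", "type": "process", "image": r"C:\Users\Public\rclone.exe"},
    {"host": "FS01", "ts": "2025-04-13T02:00:01Z", "type": "file", "path": r"D:\shares\grades.xlsx.medusa"},
    {"host": "FS01", "ts": "2025-04-13T02:00:02Z", "type": "file", "path": r"D:\shares\payroll.csv.medusa"},
    {"host": "FS01", "ts": "2025-04-13T02:00:03Z", "type": "file", "path": r"D:\shares\roster.docx.MEDUSA"},
    {"host": "FS01", "ts": "2025-04-13T02:00:05Z", "type": "file", "path": r"D:\shares\!READ_ME_MEDUSA!!!.txt"},
    {"host": "DB02", "ts": "2025-04-13T01:10:00Z", "type": "process", "image": r"C:\Tools\psexec.exe"},
    {"host": "DB02", "ts": "2025-04-13T01:30:00Z", "type": "process", "image": r"C:\Windows\System32\Robocopy.exe"},
    {"host": "WS07", "ts": "2025-04-13T09:00:00Z", "type": "process", "image": r"C:\Windows\System32\certutil.exe"},
    {"host": "WS09", "ts": "2025-04-13T09:05:00Z", "type": "file", "path": r"C:\Users\a\report.docx"},
]

if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result)
```

The "high" rating is the useful one operationally: it flags a host where the tooling is present but no files have been renamed yet.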

4. Arabian Ghosts targets the website of 8200 IMPACT

  • Timestamp: 2025-04-13T12:20:56Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: 8200 impact
  • Country: Israel
  • Industry: Information Technology (IT) Services
  • Website: impact.8200.org.il
  • Incident Description: The group “Arabian Ghosts” claimed a DDoS attack against the website of 8200 IMPACT, an Israeli IT services organization affiliated with the IDF’s Unit 8200 intelligence corps. Proof of downtime was provided via a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Arabian Ghosts
  • Contextual Analysis: Specific intelligence on “Arabian Ghosts” is limited in the provided materials. However, their name, chosen target (an Israeli entity linked to military intelligence), and method (DDoS) strongly suggest they are a hacktivist group motivated by the Israeli-Palestinian conflict, similar to Anonymous Jordan mentioned earlier. Targeting high-profile Israeli organizations, especially those with military or intelligence connections, is a common tactic for pro-Palestinian hacktivist groups seeking to cause disruption and make a political statement. The use of check-host.net links to prove downtime is a standard practice among such groups [18].
  • Supporting Links:
  • Publication URL: https://t.me/ARABIAN_GHOSTS/610
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/91df40de-acbb-4308-9748-4fdf5f9d0ffd.png
  • Proof of Downtime: https://check-host.net/check-report/24eea62ck3de (from content)

5. Precision Textiles LLC (Targeted by DragonForce)

  • Timestamp: 2025-04-13T12:20:18Z
  • Category: Ransomware
  • Victim Details:
  • Organization: precision textiles llc
  • Country: USA
  • Industry: Manufacturing
  • Website: precisiontextiles-usa.com
  • Incident Description: The DragonForce ransomware group claims to have exfiltrated 475.34 GB of data from Precision Textiles LLC, a US-based manufacturing company. They threaten to publish the data within 2-3 days if their demands are not met.
  • Threat Actor Intelligence:
  • Actor: DragonForce
  • Contextual Analysis: DragonForce emerged as a ransomware operator in late 2023 [19] and operates a RaaS program [20]. While potentially linked to the “DragonForce Malaysia” hacktivist group [23] and sometimes exhibiting pro-Palestinian rhetoric [21], their primary operational focus appears financial. They employ double extortion [19], threatening to leak data via their “DragonLeaks” site [19] if ransoms aren’t paid. Notably, they utilize leaked ransomware builders from prominent groups like LockBit (specifically LockBit Black/3.0) [22] and potentially ContiV3 [25], allowing affiliates significant customization capabilities [25]. This reliance on leaked tools from major players highlights a significant trend in the ransomware ecosystem, where advanced capabilities can be adopted by newer groups, lowering the barrier to entry for sophisticated attacks. Initial access vectors commonly include phishing [19], exploitation of RDP/VPN vulnerabilities [20], and possibly purchased credentials [19]. Their TTPs involve data discovery [21], significant data exfiltration before encryption [19], and potential defense evasion techniques like file deletion or log clearing [21]. DragonForce targets globally diverse industries, including Manufacturing [25], Real Estate [25], Transportation [25], and others [19], with the US being the most frequent target geography [22]. They actively recruit affiliates on underground forums [20], offering high commissions and support services [20]. This attack on a US manufacturing firm aligns perfectly with DragonForce’s known target preferences and modus operandi. The claim of exfiltrating a specific, large volume of data (475.34 GB) and the short deadline (2-3 days) are characteristic of their double extortion approach, designed to pressure victims into quick payment.
  • Supporting Links:
  • Publication URL: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/16d3fe1d-2491-414d-94e1-a74cf8ac8af6.png

6. Arab Ghosts Hackers targets the website of Pragati Ashtech

  • Timestamp: 2025-04-13T12:17:00Z
  • Category: Defacement
  • Victim Details:
  • Organization: pragati ashtech
  • Country: India
  • Industry: Building and construction
  • Website: pragatiashtech.com
  • Incident Description: The group “Arab Ghosts Hackers” claimed to have defaced the website of Pragati Ashtech, an Indian construction company.
  • Threat Actor Intelligence:
  • Actor: Arab Ghosts Hackers
  • Contextual Analysis: Similar to “Arabian Ghosts,” specific intelligence on “Arab Ghosts Hackers” is limited. The name suggests a hacktivist group, likely with motivations tied to Middle Eastern or Islamic geopolitical issues. Targeting an Indian entity could relate to various regional conflicts or political stances. The use of website defacement is a common, relatively low-sophistication tactic used by hacktivists for symbolic protest or disruption [28]. The existence of multiple groups with similar names (“Arabian Ghosts,” “Arab Ghosts Hackers”) highlights the fragmented nature of the hacktivist landscape and the challenges in precise attribution based on name alone. It could indicate loosely affiliated cells or groups drawing inspiration from each other.
  • Supporting Links:
  • Publication URL: https://t.me/c/2518408007/13
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/174c5e17-82fa-4dc8-b52a-ca5522fc2b77.png

7. Dark Storm Team targets the website of International Learning Group (ILG)

  • Timestamp: 2025-04-13T12:12:23Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: international learning group (ilg)
  • Country: Kosovo
  • Industry: Education
  • Website: ilgschool.org
  • Incident Description: Dark Storm Team claimed a DDoS attack against the International Learning Group in Kosovo, providing a check-host.net link as proof.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: This is one of numerous DDoS attacks claimed by Dark Storm Team today, primarily targeting Kosovo and Finland. Dark Storm Team emerged in late 2023 [29] and operates as a hacktivist group with both pro-Palestinian/anti-Western political motivations [18] and financial incentives (offering DDoS-for-hire services [18]). Their primary TTP is DDoS [18], executed using large botnets and validated via proof links [18]. They communicate via Telegram [18]. Their targets often include entities in countries perceived as opposing their agenda (NATO members, Israel supporters, US, Ukraine [18]). Targeting an educational institution in Kosovo aligns with their broader campaign observed today against entities in the region, likely driven by geopolitical motives related to Kosovo’s alignment or perceived Western ties. The targeting of the education sector by various actors today underscores its vulnerability.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/252
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/7d3a8d01-d3cd-4c6c-927f-20486b3f75d7.png
  • Proof of Downtime: https://check-host.net/check-report/24ee7ceak551 (from content)

8. Dark Storm Team targets the website of American School of Kosova (ASK)

  • Timestamp: 2025-04-13T12:06:21Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: american school of kosova (ask)
  • Country: Kosovo
  • Industry: Education
  • Website: askosova.org
  • Incident Description: Dark Storm Team claimed another DDoS attack in Kosovo, this time targeting the American School of Kosova, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: This attack is part of the same coordinated campaign by Dark Storm Team targeting Kosovo and Finland today. See Incident 7 for detailed actor analysis. Targeting a school explicitly named “American” further reinforces the likely anti-Western/anti-NATO motivation behind the Kosovo attacks [18]. The consistent use of DDoS and check-host.net links across multiple targets within a short timeframe points to a planned operation [18].
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/252
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1fb15daf-005d-40fc-bf7e-dd7c11bdf169.png
  • Proof of Downtime: https://check-host.net/check-report/24ee7aa3k71c (from content)

9. Dark Storm Team targets the website of Success Offer

  • Timestamp: 2025-04-13T11:53:51Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: success offer
  • Country: Kosovo
  • Industry: Real Estate
  • Website: ofertasuksesi.com
  • Incident Description: Dark Storm Team claimed a DDoS attack against Success Offer, a real estate entity in Kosovo, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the ongoing Dark Storm Team DDoS campaign against Kosovo targets. See Incident 7 for detailed actor analysis. The targeting of diverse sectors like Real Estate, alongside Education and Government, suggests an intent to cause broad disruption within the targeted region rather than focusing solely on symbolic government or military targets.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/252
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/16f85f04-a5ba-4966-9dc9-39729c4e7ff3.png
  • Proof of Downtime: https://check-host.net/check-report/24ee7604kcc4 (from content)

10. Dark Storm Team targets the website of Portal Pune

  • Timestamp: 2025-04-13T11:48:23Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: portal pune
  • Country: Kosovo
  • Industry: Information Services
  • Website: portalpune.com
  • Incident Description: Dark Storm Team claimed a DDoS attack against Portal Pune, an information services website (likely a job portal) in Kosovo, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Another incident within the coordinated Dark Storm Team DDoS campaign targeting Kosovo. See Incident 7 for detailed actor analysis. Attacking an information services/job portal site aims to disrupt daily economic or social activity within the country.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/252
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/b8956d7e-e177-4b76-9d06-c51862e1b270.png
  • Proof of Downtime: https://check-host.net/check-report/24ee72d7k7a0 (from content)

11. Dark Storm Team targets the website of Pristina International Airport

  • Timestamp: 2025-04-13T11:40:15Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: pristina international airport
  • Country: Kosovo
  • Industry: Airlines & Aviation
  • Website: airportpristina.com
  • Incident Description: Dark Storm Team claimed a DDoS attack against Pristina International Airport in Kosovo, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign. See Incident 7 for detailed actor analysis. Targeting critical infrastructure like an international airport is a common tactic for hacktivist groups seeking high visibility and maximum disruption [29]. This aligns with Dark Storm Team’s previous claimed attacks on US airports [29] and underscores the seriousness of their disruptive capabilities.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/252
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/28aa2c9a-55f0-42ca-a0e1-7aaf9769b08b.png
  • Proof of Downtime: https://check-host.net/check-report/24ee6fd6k604 (from content)

12. SERVER KILLERS targets the website of THE TRUTH OF KOSOVO

  • Timestamp: 2025-04-13T11:19:21Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: the truth of kosovo
  • Country: Kosovo
  • Industry: Newspapers & Journalism
  • Website: thetruthofkosova.com
  • Incident Description: The group “SERVER KILLERS” claimed a DDoS attack against the website “The Truth of Kosovo,” providing a check-host.net link as proof.
  • Threat Actor Intelligence:
  • Actor: SERVER KILLERS
  • Contextual Analysis: Limited specific information exists for “SERVER KILLERS.” The name and tactic (DDoS with proof link) strongly suggest a hacktivist group [28]. Hacktivists frequently target media outlets to silence opposing views, disrupt information dissemination, or make political statements [28]. This attack on a Kosovo-based news site fits the pattern of hacktivist activity seen against Kosovo today, potentially driven by similar geopolitical motivations as Dark Storm Team, or representing a separate group capitalizing on the situation. The overall volume of DDoS claims has fluctuated, but groups employing these tactics remain active [36].
  • Supporting Links:
  • Publication URL: https://t.me/xServerKillers/67
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/51ce2a27-4c47-403b-a9d2-61a69cf8a5c2.png
  • Proof of Downtime: https://check-host.net/check-report/24ee169fkd2b (from content)

13. Ossman Windows & Garden Maintenance falls victim to DragonForce Ransomware (Misidentified Victim – Harris Steel Company)

  • Timestamp: 2025-04-13T11:06:32Z
  • Category: Ransomware
  • Victim Details:
  • Organization: harris steel company (Note: Title mentions Ossman, but victim details point to Harris Steel)
  • Country: USA
  • Industry: Manufacturing
  • Website: harrissteelco.com
  • Incident Description: The DragonForce ransomware group claims to have obtained 57.96 GB of data from Harris Steel Company (despite the title mentioning Ossman Windows). They have posted sample files on their dark web portal as proof.
  • Threat Actor Intelligence:
  • Actor: DragonForce
  • Contextual Analysis: This incident involves DragonForce, a RaaS group active since late 2023. See Incident 5 for detailed actor analysis. This attack targets a US manufacturing company, consistent with DragonForce’s focus [25]. Claiming a specific data volume (57.96 GB) and posting samples aligns with their double extortion strategy [19]. The discrepancy between the title victim (“Ossman Windows”) and the detailed victim (“Harris Steel Company”) could indicate an error in the initial reporting or potentially confusion by the threat actor themselves, but the attack characteristics fit DragonForce’s profile. The specific data volume claimed suggests successful network penetration and data discovery capabilities.
  • Supporting Links:
  • Publication URL: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/705d5dcb-994e-40dd-9f7b-63b539b7ca74.png

14. Ossman Windows & Garden Maintenance falls victim to DragonForce Ransomware

  • Timestamp: 2025-04-13T10:59:47Z
  • Category: Ransomware
  • Victim Details:
  • Organization: ossman windows & garden maintenance
  • Country: UK
  • Industry: Professional Services
  • Website: ossman.co.uk
  • Incident Description: The DragonForce ransomware group claims to have obtained 98.45 GB of data from Ossman Windows & Garden Maintenance in the UK and intends to publish it within 2-3 days.
  • Threat Actor Intelligence:
  • Actor: DragonForce
  • Contextual Analysis: This is the second incident today explicitly naming Ossman Windows, this time with matching victim details (UK, Professional Services). See Incident 5 for detailed DragonForce analysis. Targeting a UK entity aligns with their known operational scope, as the UK is a significant target after the US [25]. Claiming 98.45 GB of data and a 2-3 day publication deadline is consistent with their double extortion model [19].
  • Supporting Links:
  • Publication URL: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/431fc934-ac6e-47fd-bcf3-60d039990c69.png

15. Dark Storm Team targets the website of Interiori Sisustusarkkitehtuuria

  • Timestamp: 2025-04-13T10:48:07Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: interiori sisustusarkkitehtuuria
  • Country: Finland
  • Industry: Architecture & Planning
  • Website: interior.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against Interiori Sisustusarkkitehtuuria, an architecture firm in Finland, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the coordinated Dark Storm Team DDoS campaign observed today, this time targeting Finland. See Incident 7 for detailed actor analysis. Finland, as a NATO member [18], fits the profile of countries targeted by Dark Storm Team due to their anti-NATO/Western stance. The attack on a private company in the architecture sector shows their willingness to target non-governmental entities to cause disruption within a targeted nation.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/4dc581d2-0383-4c1e-993f-a240b389cc08.png
  • https://d34iuop8pidsy8.cloudfront.net/60a25dcd-91be-4c23-a0a0-e552ed5dc2ad.png
  • Proof of Downtime: https://check-host.net/check-report/24ed99c0k513 (from content)

16. EvilMorocco targets the website of Rwandz Private Technical Institute

  • Timestamp: 2025-04-13T10:41:28Z
  • Category: Defacement
  • Victim Details:
  • Organization: rwandz private technical institute
  • Country: Iraq
  • Industry: Education
  • Website: rwandz.edu.krd (Kurdistan Region of Iraq)
  • Incident Description: The group “EvilMorocco Hacktivism” claimed to have defaced the website of the Rwandz Private Technical Institute in the Kurdistan Region of Iraq.
  • Threat Actor Intelligence:
  • Actor: EvilMorocco Hacktivism
  • Contextual Analysis: Limited specific intelligence is available for “EvilMorocco Hacktivism.” The name clearly indicates a hacktivist group with Moroccan origins or affiliations. Their motivation for targeting an educational institute in Iraqi Kurdistan is unclear from the provided data but likely stems from regional political or ideological conflicts. Website defacement is a common tactic for such groups to broadcast messages or claim symbolic victories [28]. This incident adds another data point to the vulnerability of the education sector to attacks by various actors.
  • Supporting Links:
  • Publication URL: https://t.me/evilmorocco/263
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/92a48a60-eb75-4d2b-b852-afc16ac86826.png
  • https://d34iuop8pidsy8.cloudfront.net/9edbe96c-7897-45e7-9222-12b523262ff8.png

17. Dark Storm Team targets the website of City of Lappeenranta

  • Timestamp: 2025-04-13T10:36:50Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: city of lappeenranta
  • Country: Finland
  • Industry: Government Administration
  • Website: lappeenranta.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against the website of the City of Lappeenranta in Finland, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Finland. See Incidents 7 and 15 for actor analysis and motivation regarding Finland/NATO. Targeting a municipal government website aims to disrupt local government services and communications, demonstrating impact within the targeted NATO country.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/95e3a009-5fe9-4ca8-a54f-29f989711f6a.png
  • https://d34iuop8pidsy8.cloudfront.net/40b46076-0b54-4e5e-89ba-a678bb0fb389.png
  • Proof of Downtime: https://check-host.net/check-report/24ed98c2k48c (from content)

18. Dark Storm Team targets the website of City of Rovaniemi

  • Timestamp: 2025-04-13T10:31:07Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: city of rovaniemi
  • Country: Finland
  • Industry: Government & Public Sector
  • Website: rovaniemi.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against the website of the City of Rovaniemi in Finland, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Another attack in the Dark Storm Team DDoS campaign against Finnish municipal government websites. See Incidents 7, 15, and 17 for context. This reinforces their focus on disrupting local government functions within Finland.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/329655d2-57ed-400f-9622-ad34398f992a.png
  • https://d34iuop8pidsy8.cloudfront.net/d0692280-5219-4f7a-b995-23777ded5776.png
  • Proof of Downtime: https://check-host.net/check-report/24ed9791k4ae (from content)

19. Dark Storm Team targets the website of Kosova Sot

  • Timestamp: 2025-04-13T10:30:02Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: kosova sot
  • Country: Kosovo
  • Industry: Newspapers & Journalism
  • Website: kosova-sot.info
  • Incident Description: Dark Storm Team claimed a DDoS attack against Kosova Sot, a newspaper in Kosovo, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Kosovo. See Incident 7 for detailed actor analysis. Like the attack by SERVER KILLERS (Incident 12), targeting a media outlet aims to disrupt information flow and potentially silence specific viewpoints within the targeted region.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/6376502e-3f5e-4174-a222-cf982f587f7a.png
  • https://d34iuop8pidsy8.cloudfront.net/38ca5cc6-8293-44ed-8f3e-4028af2b97aa.png
  • Proof of Downtime: https://check-host.net/check-report/24eda83ek3c5 (from content)

20. Dark Storm Team targets the website of Kosovo 2.0

  • Timestamp: 2025-04-13T10:24:28Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: kosovo 2.0
  • Country: Kosovo
  • Industry: Broadcast Media
  • Website: kosovotwopointzero.com
  • Incident Description: Dark Storm Team claimed a DDoS attack against Kosovo 2.0, a broadcast media organization in Kosovo, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Another media target in the Dark Storm Team’s Kosovo DDoS campaign. See Incidents 7 and 19 for context. The consistent targeting of media outlets alongside government and infrastructure highlights a strategy aimed at broad societal disruption.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/85194deb-33f8-42d2-b4fc-9ea2716b556e.png
  • https://d34iuop8pidsy8.cloudfront.net/cfc2a418-3c59-4bba-babd-ba5c0a4a951e.png
  • Proof of Downtime: https://check-host.net/check-report/24eda552kf8a (from content)

21. Dark Storm Team targets the website of Turku Flying Club

  • Timestamp: 2025-04-13T10:21:45Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: turku flying club
  • Country: Finland
  • Industry: Aviation & Aerospace
  • Website: turunlentokerho.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against the Turku Flying Club in Finland, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Finland. See Incidents 7, 15, 17, and 18 for context. Targeting an aviation-related entity, even a flying club, aligns with their previous focus on the aviation sector (e.g., Pristina Airport, Incident 11; US airports [29]).
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/3f26c9b3-4192-4070-b96a-856b6b22d84c.png
  • https://d34iuop8pidsy8.cloudfront.net/605ebc9d-9de3-4051-998a-96f7cc10e4c7.png
  • Proof of Downtime: https://check-host.net/check-report/24ed956ck825 (from content)

22. Dark Storm Team targets the website of Tuulikki-Vampula Airfield

  • Timestamp: 2025-04-13T10:17:12Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: tuulikki-vampula airfield
  • Country: Finland
  • Industry: Airlines & Aviation
  • Website: tuulikki-vampula.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against the Tuulikki-Vampula Airfield in Finland, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Another aviation target in the Dark Storm Team’s Finnish DDoS campaign. See Incidents 7, 15, 17, 18, and 21 for context. The repeated targeting of aviation infrastructure (airports, airfields, clubs) in both Kosovo and Finland suggests a specific focus within their broader disruptive campaign.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/9cb71824-061a-4394-b0d8-b58f24a75832.png
  • https://d34iuop8pidsy8.cloudfront.net/904e4997-2de9-4627-bf3c-0c105ea2230b.png
  • Proof of Downtime: https://check-host.net/check-report/24edbabfk5e8 (from content)

23. Dark Storm Team targets the website of Bank of Finland

  • Timestamp: 2025-04-13T10:12:43Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: Bank of Finland
  • Country: Finland
  • Industry: Banking & Mortgage
  • Website: suomenpankki.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against the Bank of Finland, the country’s central bank, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Finland. See Incidents 7, 15, 17, 18, 21, and 22 for context. Targeting a nation’s central bank represents a significant escalation in disruptive intent, aiming at the heart of the country’s financial system. This high-profile target aligns with their strategy of attacking critical infrastructure and key institutions within perceived adversary nations.18
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/b765638b-d9e2-492c-a079-20f1dad11927.png
  • https://d34iuop8pidsy8.cloudfront.net/a7790fa6-9270-42c7-a225-dfe482a0a061.png
  • Proof of Downtime: https://check-host.net/check-report/24ed93e9kc10 (from content)

24. Dark Storm Team targets the website of Ministry of Agriculture, Forestry and Rural Development

  • Timestamp: 2025-04-13T10:07:44Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: Ministry of Agriculture, Forestry and Rural Development
  • Country: Kosovo
  • Industry: Government Administration
  • Website: bujqesia-ks.net
  • Incident Description: Dark Storm Team claimed a DDoS attack against Kosovo’s Ministry of Agriculture, Forestry and Rural Development, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Kosovo. See Incident 7 for detailed actor analysis. This attack targets a specific government ministry, aiming to disrupt administrative functions.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/a016dc82-e1e5-4923-a119-e10170f48d6e.png
  • https://d34iuop8pidsy8.cloudfront.net/d7adbd99-f505-43e7-be5a-a6983feeb8ed.png
  • Proof of Downtime: https://check-host.net/check-report/24ed835fkc5 (from content)

25. Dark Storm Team targets the website of Hangon Lentokerho

  • Timestamp: 2025-04-13T10:07:13Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: Hangon Lentokerho (Hanko Flying Club)
  • Country: Finland (Note: JSON lists Kosovo, but org name/site suggest Finland)
  • Industry: Airlines & Aviation
  • Website: hangonlentokerho.fi
  • Incident Description: Dark Storm Team claimed a DDoS attack against Hangon Lentokerho (Hanko Flying Club), likely in Finland despite the JSON country tag, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Assumed to be part of the Finnish campaign based on the victim name/website, despite the JSON listing Kosovo. See Incidents 7, 15, 17, 18, 21, 22, and 23 for context on the Finnish campaign. This is another aviation-related target in Finland. The apparent discrepancy in the country tag highlights possible inaccuracies in raw intelligence feeds.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/d1039796-d971-43a1-8a96-d539cdcd6eba.png
  • https://d34iuop8pidsy8.cloudfront.net/cbdc36b0-a9ed-41e8-8e98-4e756c2ec83d.png
  • Proof of Downtime: https://check-host.net/check-report/24ed9f4eke81 (from content)
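
A feed sanity check for the kind of country-tag discrepancy noted in Incident 25, given here as an added example that is not part of the original report or its feed tooling: it flags records whose website ccTLD contradicts the tagged country, so an analyst reviews them before publication. The record field names (`organization`, `country`, `website`) and the ccTLD map are assumptions, and the sample records are constructed from values shown in this report.

```python
"""Flag threat-feed records whose country tag disagrees with the site's ccTLD."""
from typing import Optional
from urllib.parse import urlsplit

# Assumption: a small ccTLD -> country map limited to countries named in this
# report. A production check would load the full ISO 3166-1 list.
CCTLD_COUNTRY = {
    "fi": "Finland",
    "il": "Israel",
    "it": "Italy",
    "ru": "Russia",
    "in": "India",
    "iq": "Iraq",
}

# Constructed sample records (field names are hypothetical).
SAMPLE_RECORDS = [
    {"organization": "hangon lentokerho", "country": "Kosovo",
     "website": "hangonlentokerho.fi"},
    {"organization": "bank of finland", "country": "Finland",
     "website": "suomenpankki.fi"},
    {"organization": "turku flying club", "country": "Finland",
     "website": "turunlentokerho.fi"},
    {"organization": "ministry of agriculture, forestry and rural development",
     "country": "Kosovo", "website": "bujqesia-ks.net"},
    {"organization": "government of kosovo ministry of internal affairs",
     "country": "Kosovo", "website": "https://mpb.rks-gov.net/"},
]


def hostname(website: str) -> str:
    """Return the lowercase hostname from a bare domain or a full URL."""
    value = website.strip()
    if "://" not in value:
        value = "//" + value  # make urlsplit parse a bare domain as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def check_record(record: dict) -> Optional[dict]:
    """Return a finding when the ccTLD-implied country contradicts the tag."""
    host = hostname(record.get("website", ""))
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    implied = CCTLD_COUNTRY.get(tld)
    tagged = (record.get("country") or "").strip()
    # Generic TLDs (.net, .com), unmapped ccTLDs and empty tags give no
    # evidence either way, so they are not flagged.
    if implied is None or not tagged:
        return None
    if implied.casefold() == tagged.casefold():
        return None
    return {
        "organization": record.get("organization", ""),
        "website": host,
        "tagged": tagged,
        "implied": implied,
    }


def review_feed(records: list) -> list:
    """Collect findings for analyst review; nothing is auto-corrected."""
    return [f for f in map(check_record, records) if f is not None]


if __name__ == "__main__":
    for finding in review_feed(SAMPLE_RECORDS):
        print("REVIEW: {organization} ({website}) tagged {tagged}, "
              "ccTLD implies {implied}".format(**finding))
```

A ccTLD mismatch is a prompt for manual review rather than proof of a wrong tag, since organizations can operate sites under another country's ccTLD.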

26. Alleged sale of Valid Mail and Number Checkers

  • Timestamp: 2025-04-13T10:05:00Z
  • Category: Alert
  • Victim Details: N/A (Potential victims are users of Coinbase, KuCoin, MEXC, Binance)
  • Incident Description: A threat actor named “lasthaven” advertised tools for sale on a breach forum. These tools allegedly check the validity of email addresses and phone numbers associated with accounts on major cryptocurrency exchanges (Coinbase, KuCoin, MEXC, Binance).
  • Threat Actor Intelligence:
  • Actor: lasthaven
  • Contextual Analysis: “lasthaven” appears to be a financially motivated cybercriminal operating within underground forums. The development and sale of “checker” tools is a common precursor activity in the cybercrime lifecycle. These tools allow attackers to validate credentials or account identifiers obtained from breaches or other sources, improving the efficiency of subsequent attacks like targeted phishing, credential stuffing, account takeover attempts, or SIM swapping, particularly against high-value targets like cryptocurrency exchange users.5 The availability of such tools on public forums indicates an active market facilitating fraud against cryptocurrency platforms and their customers.
  • Supporting Links:
  • Publication URL: https://breachforums.st/Thread-VM-Valid-Mail-Checkers–179189
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/06e47d5c-2422-46f7-a624-1dfdb786c428.png

27. Dark Storm Team targets the website of GOVERNMENT OF KOSOVO MINISTRY OF INTERNAL AFFAIRS

  • Timestamp: 2025-04-13T10:00:52Z
  • Category: DDoS Attack
  • Victim Details:
  • Organization: Government of Kosovo Ministry of Internal Affairs
  • Country: Kosovo
  • Industry: Government Administration
  • Website: mpb.rks-gov.net
  • Incident Description: Dark Storm Team claimed a DDoS attack against Kosovo’s Ministry of Internal Affairs, providing a check-host.net link.
  • Threat Actor Intelligence:
  • Actor: Dark Storm Team
  • Contextual Analysis: Part of the Dark Storm Team DDoS campaign targeting Kosovo. See Incident 7 for detailed actor analysis. Targeting the Ministry of Internal Affairs, a key security and administrative body, represents a direct attack on the Kosovo government’s core functions, consistent with their strategy of targeting government entities.18 This large cluster of DDoS attacks against numerous targets in Kosovo and Finland within a short period strongly indicates a single, coordinated campaign by Dark Storm Team, rather than disparate actions. The consistent use of check-host proof links and Telegram for claims, combined with the targeting of specific regions potentially linked to their anti-NATO/Western stance 18, points to a planned operation designed for maximum disruption across perceived adversary territories.
  • Supporting Links:
  • Publication URL: https://t.me/DarkStormTeam3/250?single
  • Screenshots:
  • https://d34iuop8pidsy8.cloudfront.net/2d7a0974-6609-43ee-a0fa-72bab178a557.png
  • https://d34iuop8pidsy8.cloudfront.net/5b267ec5-d419-4d74-add0-085358ab3450.png
  • Proof of Downtime: https://check-host.net/check-report/24ed8059kd1b (from content)

Threat Actor Summary

The past 24 hours showcased a diverse range of threat actors, from financially motivated RaaS operators deploying sophisticated ransomware to numerous hacktivist collectives leveraging DDoS and defacement attacks driven by geopolitical events.

  • Anonymous Jordan: A hacktivist group, politically motivated (pro-Palestine), planning attacks against Israeli and Italian targets. Likely TTPs include DDoS and defacement.1
  • Anonymous Italia: A branch of the Anonymous collective, driven by hacktivism (anti-establishment, anti-Russia). Observed TTPs include defacement; known for data leaks and DDoS participation.2 Targeted Russia in this period.
  • MEDUSA: A prominent, financially motivated RaaS group employing double/triple extortion. TTPs include ransomware deployment via exploitation of vulnerabilities (RDP, known CVEs) or phishing, extensive use of LOTL techniques for evasion and lateral movement, EDR disabling (sometimes via BYOVD), and data exfiltration.9 Targeted US Education sector in this period.
  • Arabian Ghosts: Likely a hacktivist group motivated by the Israeli-Palestinian conflict. Observed TTP: DDoS. Targeted Israeli IT Services linked to military intelligence.
  • DragonForce: A financially motivated RaaS group operational since late 2023, potentially with hacktivist origins/links. Employs double extortion, leveraging leaked ransomware builders (LockBit, Conti).22 TTPs include phishing, RDP/VPN exploitation, data exfiltration, and ransomware deployment.19 Targeted US Manufacturing and UK Professional Services in this period. The use of leaked builders signifies a concerning trend of capability proliferation, enabling newer groups to wield sophisticated tools.
  • Arab Ghosts Hackers: Likely a hacktivist group. Observed TTP: Defacement. Targeted Indian Construction sector. The existence of multiple groups with similar “Ghosts” or “Anonymous” names points towards loosely connected cells or deliberate imitation within the hacktivist sphere, complicating precise attribution.2
  • Dark Storm Team: A prolific hacktivist group with dual political (pro-Palestine, anti-NATO/West) and financial (DDoS-for-hire) motivations.18 Primary TTP observed is DDoS, using large botnets and proof links; also associated with ransomware/data theft claims. Conducted a large-scale DDoS campaign against multiple sectors in Kosovo and Finland in this period.
  • SERVER KILLERS: Likely a hacktivist group. Observed TTP: DDoS. Targeted Kosovo Media sector.
  • lasthaven: A financially motivated cybercriminal selling illicit tools (credential checkers for crypto exchanges) on breach forums, facilitating future financial fraud.23
  • EvilMorocco Hacktivism: Likely a hacktivist group with Moroccan links. Observed TTP: Defacement. Targeted Iraqi (Kurdistan Region) Education sector.

Table: Threat Actor Overview (April 13, 2025 Incidents)

| Threat Actor | Primary Motivation | Common TTPs Observed (in this report) | Target Regions/Sectors (in this report) |
|---|---|---|---|
| Anonymous Jordan | Hacktivism/Political | Alert (Planned Attack) | Israel, Italy (Planned) |
| Anonymous Italia | Hacktivism/Political | Defacement | Russia (Software Development) |
| MEDUSA | Financial (RaaS) | Ransomware, Data Exfiltration | USA (Education) |
| Arabian Ghosts | Hacktivism/Political | DDoS | Israel (IT Services) |
| DragonForce | Financial (RaaS) | Ransomware, Data Exfiltration | USA (Manufacturing), UK (Professional Services) |
| Arab Ghosts Hackers | Hacktivism/Political | Defacement | India (Construction) |
| Dark Storm Team | Hacktivism/Political/Financial | DDoS | Kosovo (Education, Real Estate, Info Services, Aviation, Media, Govt), Finland (Architecture, Govt, Aviation, Banking) |
| SERVER KILLERS | Hacktivism/Political | DDoS | Kosovo (Media) |
| lasthaven | Financial | Sale of Malicious Tools | N/A (Tools target Crypto Exchanges) |
| EvilMorocco Hacktivism | Hacktivism/Political | Defacement | Iraq / Kurdistan Region (Education) |

This table synthesizes the threat actor activity observed today, providing a rapid overview of the active groups, their likely motivations, the methods employed in these specific incidents, and the impacted regions and sectors. It highlights the dominance of DDoS by hacktivist groups targeting Kosovo and Finland, and the continued pressure from RaaS operators like MEDUSA and DragonForce on US and UK organizations.

Concluding Remarks and Recommendations

The cybersecurity landscape documented on April 13, 2025, was highly active and diverse. Key themes include a surge in hacktivist activity, predominantly DDoS attacks orchestrated by groups like Dark Storm Team against targets in Kosovo and Finland, likely fueled by geopolitical drivers. Simultaneously, established RaaS groups MEDUSA and DragonForce demonstrated persistent threats against critical sectors in the US and UK, employing double extortion tactics and claiming significant data breaches. The alert regarding Anonymous Jordan’s planned attacks and the sale of cryptocurrency account checker tools by ‘lasthaven’ serve as reminders of imminent and developing threats.

The current environment requires vigilance against both sophisticated, financially motivated ransomware campaigns and high-volume, ideologically driven disruptive attacks. Hacktivist groups demonstrate the capacity for rapid mobilization around geopolitical events, often using accessible TTPs like DDoS and defacement. The continued operation of RaaS models like MEDUSA and DragonForce, particularly DragonForce’s use of leaked builders 22, underscores the ongoing risk and the commoditization of advanced attack capabilities.

Based on the observed activities and threat actor TTPs, the following recommendations are advised:

  1. DDoS Mitigation: Organizations, particularly those in currently targeted regions (Israel, Italy, Kosovo, Finland) or sensitive sectors (Government, Finance, Aviation, Media), should ensure robust DDoS mitigation capabilities are in place. This includes utilizing specialized mitigation services, implementing traffic filtering, and employing rate limiting.35
  2. Ransomware Defense (Addressing MEDUSA & DragonForce TTPs):
  • Vulnerability Management: Prioritize patching, especially for public-facing services like RDP 13 and known exploited vulnerabilities such as ScreenConnect CVE-2024-1709 9, Fortinet EMS CVE-2023-48788 9, and potentially others associated with these groups.13
  • Access Control: Secure all remote access points (RDP, VPN) with strong, unique passwords and mandatory Multi-Factor Authentication (MFA).11 Implement the principle of least privilege and consider disabling PowerShell for standard users where possible.16
  • Endpoint Security: Deploy and maintain up-to-date Endpoint Detection and Response (EDR) and antivirus solutions configured to detect LOTL techniques (e.g., malicious PowerShell usage 9), credential dumping attempts (e.g., Mimikatz 10), and ransomware encryption behaviors. Monitor for signs of BYOVD.9
  • Data Backup and Recovery: Implement a comprehensive backup strategy with regular, tested, offline, and immutable backups.11 Protect volume shadow copies, recognizing that attackers actively target them.10
  3. Phishing and Credential Security: Continue user awareness training focused on identifying phishing attempts.9 Enforce strong password policies and MFA across all accounts, especially critical systems and financial platforms, given the threat posed by credential checker tools.23
  4. Network Security Monitoring and Segmentation: Implement network segmentation to hinder lateral movement.11 Actively monitor for anomalous network activity, including unusual RDP connections, network scanning 9, large outbound data transfers (potentially indicating exfiltration via tools like Rclone 10), and connections to known C2 infrastructure or anonymizing services like Tor.11
  5. Incident Response Preparedness: Regularly review and test incident response plans, specifically addressing ransomware and double extortion scenarios. Ensure forensic readiness to investigate breaches effectively.19

The threat landscape requires a defense-in-depth approach. Addressing the common attack vectors exploited by multiple actors observed today—such as RDP compromise 9, phishing 9, and abuse of legitimate tools 9—offers broad protection against a significant portion of current threats. Continuous monitoring of threat intelligence is crucial for adapting defenses to this evolving environment.

Works cited

  1. All Years, accessed April 13, 2025, https://ifs02.du.edu/DataGator/EXAMPLE%20Diplometrics%20Hackmageddon%20Data%20v2%20HS%2020170614.xlsx
  2. (PDF) Leak Early, Leak (More Than) Often: Outlining the Affective …, accessed April 13, 2025, https://www.researchgate.net/publication/327587532_Leak_Early_Leak_More_Than_Often_Outlining_the_Affective_Politics_of_Data_Leaks_in_Network_Ecologies
  3. Press kit – The CyberThreat Handbook by Thales & Verint – Business Wire, accessed April 13, 2025, https://mms.businesswire.com/media/20191006005044/en/748065/1/Press_kitEN.pdf?download=1
  4. DIGEST OF CYBER ORGANIZED CRIME, accessed April 13, 2025, https://www.unodc.org/documents/organized-crime/tools_and_publications/Digest_of_Cyber_Organized_Crime_2nd_edition_English.pdf
  5. Threat Highlight Report August 2023 – WithSecure, accessed April 13, 2025, https://www.withsecure.com/content/dam/with-secure/documents/threat-reports/WS_Threat_Highlight_report_August_2023_en.pdf
  6. Cyber Dimensions – CyberPeace Institute, accessed April 13, 2025, https://cyberpeaceinstitute.org/wp-content/uploads/2023/05/Ukraine-Report-Q1_2023.pdf
  7. CYBER THREAT LANDSCAPE REPORT OF THE HUNGARIAN FINANCIAL SECTOR 2022 – MNB, accessed April 13, 2025, https://www.mnb.hu/letoltes/cyberthreat-landscape-report-2022.pdf
  8. Cyber threat landscape report of the Hungarian financial sector 2022 – Issuu, accessed April 13, 2025, https://issuu.com/jegybank/docs/cyberthreat-landscape-report-2022
  9. Medusa Ransomware Analysis, Simulation, and Mitigation – CISA Alert AA25-071A, accessed April 13, 2025, https://www.picussecurity.com/resource/blog/medusa-ransomware-cisa-alert-aa25-071a
  10. #StopRansomware: Medusa Ransomware | CISA, accessed April 13, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
  11. Dark Web Profile: Medusa Ransomware (MedusaLocker) – SOCRadar® Cyber Intelligence Inc., accessed April 13, 2025, https://socradar.io/dark-web-profile-medusa-ransomware-medusalocker/
  12. Medusa Ransomware Turning Your Files into Stone, accessed April 13, 2025, https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
  13. Security Advisory for Medusa Ransomware – Sangfor Technologies, accessed April 13, 2025, https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/security-advisory-for-medusa-ransomware
  14. Darktrace Investigation Into Medusa Ransomware, accessed April 13, 2025, https://darktrace.com/blog/medusa-ransomware-looking-cyber-threats-in-the-eye-with-darktrace
  15. Medusa Ransomware Claims 40+ Victims in 2025, Confirmed Healthcare Attacks, accessed April 13, 2025, https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/
  16. Breaking Down Medusa Ransomware – Armis, accessed April 13, 2025, https://www.armis.com/blog/breaking-down-medusa-ransomware/
  17. medusalocker-ransomware-analyst-note.pdf – HHS.gov, accessed April 13, 2025, https://www.hhs.gov/sites/default/files/medusalocker-ransomware-analyst-note.pdf
  18. Dark Storm Team Claims Responsibility for Cyber Attack on X …, accessed April 13, 2025, https://blog.checkpoint.com/security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/
  19. DragonForce Ransomware Recovery – Solace Cyber, accessed April 13, 2025, https://solacecyber.co.uk/dragonforce-ransomware/
  20. DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen – Infosecurity Magazine, accessed April 13, 2025, https://www.infosecurity-magazine.com/news/6tb-data-stolen-saudi-cyber-attack/
  21. DragonForce Ransomware Group: Tactics, Targets & Mitigation – Cyble, accessed April 13, 2025, https://cyble.com/threat-actor-profiles/dragonforce-ransomware-group/
  22. Dark Web Profile: DragonForce Ransomware – SOCRadar® Cyber Intelligence Inc., accessed April 13, 2025, https://socradar.io/dark-web-profile-dragonforce-ransomware/
  23. DragonForce Ransomware | WatchGuard Technologies, accessed April 13, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/dragonforce
  24. THREAT ADVISORY • ATTACK REPORT (Red) – Hive Pro, accessed April 13, 2025, https://www.hivepro.com/wp-content/uploads/2024/06/TA2024243.pdf
  25. DragonForce Ransomware Group | Group-IB Blog, accessed April 13, 2025, https://www.group-ib.com/blog/dragonforce-ransomware/
  26. TRACKING RANSOMWARE : OCTOBER 2024 – CYFIRMA, accessed April 13, 2025, https://www.cyfirma.com/research/tracking-ransomware-october-2024/
  27. Ransomware Review: First Half of 2024 – Palo Alto Networks Unit 42, accessed April 13, 2025, https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
  28. Understanding Hacktivists: The Overlap of Ideology and Cybercrime | Trend Micro (US), accessed April 13, 2025, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/understanding-hacktivists-the-overlap-of-ideology-and-cybercrime
  29. Dark Storm Team – Wikipedia, accessed April 13, 2025, https://en.wikipedia.org/wiki/Dark_Storm_Team
  30. Cyberattack Suspected in Worldwide X Outage – ZeroFox, accessed April 13, 2025, https://www.zerofox.com/intelligence-feed/cyberattack-suspected-in-worldwide-x-outage/
  31. Hackers Take Credit for X Cyberattack – SecurityWeek, accessed April 13, 2025, https://www.securityweek.com/hackers-take-credit-for-x-cyberattack/
  32. Epidemiology Labs – Orange Cyberdefense, accessed April 13, 2025, https://www.orangecyberdefense.com/global/insights/research-intelligence/epidemiology-labs
  33. Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed April 13, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
  34. X outage: Who are hackers ‘behind massive cyber attack’ on Elon Musk’s social media platform? – Sky News, accessed April 13, 2025, https://news.sky.com/story/x-outage-who-are-hackers-claiming-to-have-caused-massive-cyber-attack-on-elon-musks-social-media-platform-13326288
  35. Exploring Telegram DDoS Groups: Threats, Tools, and Evolving Strategies – SOCRadar, accessed April 13, 2025, https://socradar.io/exploring-telegram-ddos-groups-threats-tools/
  36. Down, Not Out: Russian Hacktivists Claiming DDoS Disruptions – BankInfoSecurity, accessed April 13, 2025, https://www.bankinfosecurity.com/down-out-russian-hacktivists-claiming-ddos-disruptions-a-24468
  37. 2019 H1 Cyber Events Summary Report, accessed April 13, 2025, https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf
  38. Analyzing Recent Cyber Attacks in the United States Coinciding with Columbus Day Celebration | CloudSEK, accessed April 13, 2025, https://www.cloudsek.com/blog/analyzing-recent-cyber-attacks-in-the-united-states-coinciding-with-columbus-day-celebration