[April-14-2025] Daily Cybersecurity Threat Report – Part 1

Introduction

This briefing provides a detailed analysis of significant cybersecurity incidents reported on April 14, 2025, based on available intelligence feeds. It includes summaries of events, in-depth context on the attributed threat actors derived from recent research, and relevant supporting evidence including publication and screenshot URLs. The focus is on providing actionable intelligence for cybersecurity professionals regarding emerging threats, actor Tactics, Techniques, and Procedures (TTPs), and targeted sectors. The analysis aims to equip security teams with the necessary understanding to assess risks and refine defensive postures against the evolving threat landscape.

Executive Summary

Overview

The cyber threat landscape on April 14, 2025, was characterized by intense hacktivist activity, primarily driven by geopolitical tensions surrounding the Russia-Ukraine conflict and the Israeli-Palestinian conflict. Distributed Denial-of-Service (DDoS) attacks dominated the incident volume, with pro-Russian groups like NoName057(16) executing numerous campaigns against Ukrainian, Polish, and other NATO-aligned entities. This aligns with a broader trend of hacktivism being leveraged as a tool in geopolitical disputes.¹ Ransomware operations remained persistent, with established groups such as PLAY, Akira, and INC RANSOM, alongside newer entrants like NightSpire, employing double-extortion tactics against diverse sectors globally. These groups target organizations across manufacturing, healthcare, non-profit, IT, and business services, often exfiltrating sensitive data before encryption.³ Data breaches and leaks continued, frequently facilitated through cybercrime forums like BreachForums, Exploit.in, and DarkForums, targeting sensitive personal, corporate, and even military data.⁸ Initial access brokers were also active, offering pathways into corporate networks, often via compromised VPN or RDP credentials.¹¹ Critical infrastructure, government, finance, and technology sectors were primary targets across various attack vectors, reflecting their high value for both disruption and data theft.²

Key Trends Observed

Dominance of Geopolitically Motivated DDoS: Hacktivist groups leveraged DDoS attacks extensively, aligning with specific geopolitical conflicts (Russia-Ukraine, Israel-Palestine). NoName057(16) was particularly prolific, launching numerous attacks against government and critical infrastructure targets in Ukraine, Poland, and other NATO-aligned nations, often timing attacks with political events.¹⁵ Other groups like Websec, Diplomat, Atlas Flood, SYLHET GANG-SG, The Anonymous 71, RABBIT CYBER TEAM, Keymous+, and RuskiNet also contributed to the DDoS activity, targeting government, financial, energy, and e-commerce sectors across various regions including Kosovo, France, Algeria, UK, Israel, India, Indonesia, and Morocco.
Persistent Ransomware Threat: Multiple ransomware groups targeted organizations across various industries (Manufacturing, Healthcare, Non-profit, IT, Business Services) using established double-extortion models. PLAY targeted a Canadian machinery group ³, Akira hit a German business development firm and a US manufacturing company ⁵, INC RANSOM impacted US healthcare providers ⁶, and the emerging NightSpire group targeted an Indonesian chemical manufacturer.⁷ These incidents underscore the continued financial motivation driving ransomware operations and their global reach.
Cybercrime Forum Activity: Forums like BreachForums, Exploit.in, and DarkForums served as central hubs for data leaks, sales of compromised accounts, and initial access offerings.⁸ Actors like ‘dna’, ‘keanu’, ‘kazu’, ‘betway’, ‘Doskabete’, ‘mixic’, ‘fkzsecxploit’, ‘Dzvy’, ‘kzi_services’, ‘ABZeroCool’, and ‘Sythe’ used these platforms to advertise stolen databases (Arbor Day Foundation, Takeda Pharma, Armada Boliviana, Biofam, ProfileSuite, AGH University, etc.), leaked API keys (getimg.ai), compromised financial accounts (PayPal, Venmo, Stripe), and VPN access. This highlights the crucial role these forums play in the cybercrime ecosystem, facilitating the trade of illicit goods and services.¹⁰
Targeting of Critical Infrastructure: Energy, utilities, government, transportation, and finance sectors faced significant threats from both hacktivists and financially motivated actors. NoName057(16) heavily targeted Polish energy (ORLEN subsidiaries) and Ukrainian energy/transport sectors.¹⁷ Z-PENTEST ALLIANCE claimed control over industrial systems in Poland.¹³ Diplomat targeted France’s largest bank ², and The Anonymous 71 targeted the Bank of Israel.²⁴ This focus reflects the high impact potential of disrupting these essential services.
Emergence of New Actors: Alongside established groups, newer entities like NightSpire ransomware ⁷ and various individual data brokers/leakers (e.g., ‘dna’, ‘keanu’, ‘kazu’, ‘betway’, ‘Doskabete’, ‘mixic’, ‘fkzsecxploit’, ‘Dzvy’, ‘ABZeroCool’, ‘Sythe’, ‘postget’) were observed, indicating a continuously evolving threat landscape.

Incident Summary Table (April 14, 2025)

Victim Organization	Victim Country	Victim Industry	Incident Category	Threat Actor(s)
municipalities portal of the republic of kosovo	Kosovo	Government Administration	DDoS Attack	Websec
calmont group	Canada	Machinery	Ransomware	PLAY
arbor day foundation	USA	Non-profit & Social Organizations	Data Breach	dna
getimg.ai	USA	Information Technology (IT) Services	Data Leak	keanu
crédit agricole	France	Banking & Mortgage	DDoS Attack	Diplomat
pentol-enviro polska sp. z o.o.	Poland	Energy & Utilities	Data Breach	Z-PENTEST ALLIANCE
ооек	Ukraine	Electrical & Electronic Manufacturing	DDoS Attack	NoName057(16)
gasolina online	Ukraine	Oil & Gas	DDoS Attack	NoName057(16)
odesagas	Ukraine	Oil & Gas	DDoS Attack	NoName057(16)
unified citizen appeal center of odesa	Ukraine	Government & Public Sector	DDoS Attack	NoName057(16)
odesa city council	Ukraine	Government Administration	DDoS Attack	NoName057(16)
sumy chamber of commerce and industry	Ukraine	International Trade & Development	DDoS Attack	NoName057(16)
the odessa regional chamber of commerce and industry	Ukraine	International Trade & Development	DDoS Attack	NoName057(16)
stumpf müller biberach gmbh	Germany	Business and Economic Development	Ransomware	akira
odessa commercial sea port	Ukraine	Transportation & Logistics	DDoS Attack	NoName057(16)
the kharkiv chamber of commerce and industry	Ukraine	International Trade & Development	DDoS Attack	NoName057(16)
presidency of the republic of algeria	Algeria	Government Administration	DDoS Attack	Atlas Flood
oklahoma steel & wire co. inc.	USA	Manufacturing	Ransomware	akira
trainline.com limited	UK	E-commerce & Online Stores	DDoS Attack	SYLHET GANG-SG
armada boliviana	Bolivia	Government Administration	Data Leak	kazu
absolute instrumentation	India	Industrial Automation	Defacement	SYLHET GANG-SG
orthopaedic specialists of connecticut	USA	Hospital & Health Care	Ransomware	INC RANSOM
clinica family health & wellness	USA	Healthcare & Pharmaceuticals	Ransomware	INC RANSOM
anwil	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen vc	Poland	Oil & Gas	DDoS Attack	NoName057(16)
takeda pharmaceutical company	Japan	Healthcare & Pharmaceuticals	Data Breach	betway
orlen upstream	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen transport	Poland	Transportation & Logistics	DDoS Attack	NoName057(16)
orlen serwis	Poland	Automotive	DDoS Attack	NoName057(16)
bank of israel	Israel	Banking & Mortgage	DDoS Attack	The Anonymous 71
orlen projekt	Poland	Building and construction	DDoS Attack	NoName057(16)
orlen s.a. (eko.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
(Compromised PayPal, Venmo, Stripe Accounts)			Data Leak	Doskabete
orlen s.a. (cuk.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen s.a. (cs.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen s.a. (budonaft.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen s.a. (aviation.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen południe	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen s.a. (asfalt.orlen.pl)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
(Egyptian Citizens data)	Egypt		Data Leak	mixic
orlen paliwa	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen s.a. (neptun.orlen.pl – Oil & Gas)	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen oil	Poland	Oil & Gas	DDoS Attack	NoName057(16)
orlen ochrona	Poland	Computer & Network Security	DDoS Attack	NoName057(16)
orlen neptun	Poland	Energy & Utilities	DDoS Attack	NoName057(16)
orlen energia	Poland	Energy & Utilities	DDoS Attack	NoName057(16)
syrena dywany	Poland	Retail Industry	Data Leak	fkzsecxploit
central coalfields limited (ccl)	India	Mining/Metals	DDoS Attack	RABBIT CYBER TEAM
op jindal school	India	Education	DDoS Attack	RABBIT CYBER TEAM
district headquarter hospitals (dhhs)	India	Hospital & Health Care	DDoS Attack	RABBIT CYBER TEAM
wafacash	Morocco	Financial Services	DDoS Attack	Keymous+
agh university of krakow	Poland	Education	Data Breach	Dzvy
iwaniska city and commune office	Poland	Government Administration	Data Breach	Dzvy
instytucja kultury zamek krzyżtopór w ujeździe	Poland	Museums & Institutions	Data Breach	Dzvy
kolskie towarzystwo budownictwa społecznego sp. z o.o.	Poland	Real Estate	Data Breach	Dzvy
stawki	Poland	Real Estate	Data Breach	Dzvy
(Brazilian food supplier)	Brazil		Initial Access	kzi_services
iks.pi kera sakti komisariat puton	Indonesia	Sports	DDoS Attack	RABBIT CYBER TEAM
pagar nusa	Indonesia	Religious Institutions	DDoS Attack	ddos rabbit cyber team
al hilal computers and engineering	Israel	E-commerce & Online Stores	DDoS Attack	RABBIT CYBER TEAM
consulate general of israel in new york	Israel	Government Administration	DDoS Attack	RABBIT CYBER TEAM
city of wheaton	USA	Government Administration	DDoS Attack	RABBIT CYBER TEAM
population and immigration authority	Israel	Government Administration	DDoS Attack	RABBIT CYBER TEAM
mn & associates sa	Peru	Insurance	Data Breach	ABZeroCool
biofam	Russia	E-commerce & Online Stores	Data Breach	Sythe
profilesuite	USA	Graphic & Web Design	Data Breach	Sythe
pt pupuk indonesia	Indonesia	Chemical Manufacturing	Ransomware	NightSpire
dusa	USA	Retail Industry	Defacement	ShadowHunter
kaye academic college of education	Israel	Higher Education/Acadamia	DDoS Attack	RuskiNet
(Email spoofing service)			Alert	postget

Threat Actor Activity Summary (April 14, 2025)

Threat Actor	Observed Incidents (Count)	Primary Motivation (Inferred)	Common TTPs (Observed Today)	Primary Targets (Observed Today – Sectors/Regions)
NoName057(16)	18	Hacktivism (Pro-Russian)	DDoS	Government, Energy/Oil&Gas, Transportation, Trade/Development (Ukraine, Poland)
RABBIT CYBER TEAM	6	Hacktivism	DDoS	Education, Healthcare, Mining, Government, E-commerce, Sports (India, Israel, USA, Indonesia)
Akira	3	Financial (Ransomware)	Ransomware, Data Exfiltration	Business Development, Manufacturing (Germany, USA)
Dzvy	5	Data Leak/Breach	Data Leak (via Forum)	Education, Government, Museums, Real Estate (Poland)
INC RANSOM	2	Financial (Ransomware)	Ransomware, Data Exfiltration	Healthcare (USA)
SYLHET GANG-SG	2	Hacktivism	DDoS, Defacement	E-commerce, Industrial Automation (UK, India)
Sythe	2	Data Leak/Breach	Data Leak (via Forum)	E-commerce, Graphic Design (Russia, USA)
Websec	1	Hacktivism	DDoS	Government (Kosovo)
PLAY	1	Financial (Ransomware)	Ransomware, Data Exfiltration	Machinery (Canada)
dna	1	Data Breach/Sale	Data Sale (via Forum)	Non-profit (USA)
keanu	1	Data Leak	Data Leak (API Key via Forum)	IT Services (USA)
Diplomat	1	Hacktivism	DDoS	Banking (France)
Z-PENTEST ALLIANCE	1	Hacktivism (Pro-Russian)	Data Breach (ICS/SCADA Access Claim)	Energy/Utilities (Poland)
Atlas Flood	1	Hacktivism	DDoS	Government (Algeria)
kazu	1	Data Leak/Sale	Data Sale (via Forum)	Government/Military (Bolivia)
betway	1	Data Breach/Sale	Data Sale (via Forum)	Healthcare/Pharma (Japan)
The Anonymous 71	1	Hacktivism	DDoS	Banking (Israel)
Doskabete	1	Data Leak/Sale	Compromised Account Sale (via Forum)	Financial Services (Global)
mixic	1	Data Leak	Data Leak (via Forum)	Citizen Data (Egypt)
fkzsecxploit	1	Data Leak	Data Leak (via Forum)	Retail (Poland)
Keymous+	1	Hacktivism	DDoS	Financial Services (Morocco)
kzi_services	1	Initial Access Broker	VPN Access Sale (via Forum)	Food Supplier (Brazil)
ddos rabbit cyber team	1	Hacktivism	DDoS	Religious Institutions (Indonesia)
ABZeroCool	1	Data Breach/Leak	Data Leak (via Forum)	Insurance (Peru)
NightSpire	1	Financial (Ransomware)	Ransomware, Data Exfiltration	Chemical Manufacturing (Indonesia)
ShadowHunter	1	Hacktivism	Defacement	Retail (USA)
RuskiNet	1	Hacktivism (Pro-Russian)	DDoS	Higher Education (Israel)
postget	1	Service Sale	Email Spoofing Service Sale (via Forum)	General (Email Users)

Detailed Incident Analysis

Incident: Websec targets the website of Municipality of Peja

Victim: municipalities portal of the republic of kosovo, Government Administration, Kosovo
Date Reported: 2025-04-14T14:33:11Z
Incident Type: DDoS Attack
Summary: The hacktivist group “Websec” claims responsibility for conducting a Distributed Denial-of-Service (DDoS) attack that successfully took down the website of the Municipality of Peja (kk.rks-gov.net), part of the municipalities portal of the Republic of Kosovo. The claim was made via Telegram.
Threat Actor Context: Websec

Overview: Websec appears to be a hacktivist entity engaging in disruptive attacks like DDoS. While specific information on “Websec” itself is limited in the provided materials, the context of targeting a government entity in Kosovo suggests politically motivated activity, potentially linked to regional tensions or broader geopolitical alignments. Hacktivist groups often operate under various names or as part of larger coalitions, making precise attribution difficult without further tracking. Hacktivism often involves leveraging technical skills for social, political, or religious causes, frequently targeting government or corporate entities perceived as adversaries.¹ Groups may form alliances (like the Holy League or collaborations involving Z-Pentest) ²⁹ or operate under broader banners like Anonymous.²⁴ Some groups, particularly those with pro-Islamic leanings, have historically included members from regions like Kosovo.²⁸
Motivations: Likely political or ideological, given the targeting of a government administrative portal in Kosovo. Hacktivist motivations range from protesting specific policies (like anti-LGBTQ+ legislation ³¹) or geopolitical events (Russia-Ukraine conflict ³³, Israel-Palestine conflict ²⁵) to broader anti-government or anti-corporate stances.¹
TTPs: Primarily DDoS attacks, a common tactic for hacktivist groups aiming for disruption and public attention.¹ Coordination often occurs via platforms like Telegram.¹⁵ While some groups develop custom tools (e.g., NoName057(16)’s DDOSIA ¹⁷), many rely on readily available or shared tools, sometimes operating with lower technical sophistication but achieving impact through volume or coordination.¹⁶
Targeting: Government entities are frequent targets for hacktivists globally.¹⁵ The specific targeting of Kosovo aligns with patterns of hacktivism related to regional conflicts or international political alignments.
Supporting Evidence:

Published URL: https://t.me/Websechacktivists/595
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/7536fc44-5a17-4e17-9856-c60c18e44a2f.png

Incident: New York Sports Club falls victim to PLAY Ransomware (Note: Title seems mismatched with Victim Org/Industry)

Victim: calmont group (calmont.ca), Machinery, Canada (Note: Title mentions New York Sports Club, but victim details point to Calmont Group in Canada’s Machinery sector. Analysis proceeds based on victim details.)
Date Reported: 2025-04-14T14:27:12Z
Incident Type: Ransomware
Summary: The PLAY ransomware group claims to have compromised the Calmont Group, a Canadian organization in the machinery industry. The group asserts they have exfiltrated sensitive data, including private and personal confidential information, client documents, budget records, payroll details, IDs, tax records, and financial information. They have threatened to publish this data on April 15, 2025, if their demands are not met, following their typical double-extortion model.
Threat Actor Context: PLAY

Overview: PLAY (also known as PlayCrypt, Balloonfly, Fiddling Scorpius) is a financially motivated ransomware group active since at least June 2022.⁴ They target a wide range of businesses and critical infrastructure globally, including North America, South America, Europe, and Australia.³ By late 2023, they were allegedly responsible for impacting approximately 300 entities.⁴ The group operates a closed model, aiming to maintain secrecy around negotiations.⁴ Their primary tactic is double extortion: data is exfiltrated before systems are encrypted, and victims are threatened with public data release on their Tor leak site if the ransom is not paid.³ Initial contact is made via email, without specifying a ransom amount upfront.³
Motivations & Potential State Links: The primary motivation appears to be financial gain.³⁶ However, significant evidence suggests a potential collaboration or operational link with the North Korean state-sponsored group Andariel (also known as Jumpy Pisces, APT45, Onyx Sleet, etc.).³⁷ Observations from mid-2024 showed Andariel activity, including the use of the Sliver C2 framework and the Dtrack backdoor, on victim networks shortly before PLAY ransomware deployment.³⁸ Both groups reportedly used the same compromised user account, and Andariel’s C2 communication persisted until just before the ransomware execution.³⁸ This connection could indicate Andariel providing initial access or affiliate services to PLAY, potentially as part of North Korea’s strategy to generate state revenue through cybercrime or for combined intelligence gathering and monetization.³⁷ This potential state link elevates the threat posed by PLAY, blurring the lines between cybercrime and state-sponsored activity.
TTPs: PLAY employs a sophisticated set of TTPs:

Initial Access: Exploiting vulnerabilities in public-facing applications like FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange (ProxyNotShell: CVE-2022-41040, CVE-2022-41082).⁴ They also abuse valid accounts and external remote services such as RDP and VPN.⁴
Discovery & Reconnaissance: Utilizing AdFind for Active Directory queries ³, nltest for domain controller enumeration ³, WMIC for gathering drive information ³, and tools like Grixba for network enumeration and antivirus scanning.⁴
Privilege Escalation & Credential Access: Employing Mimikatz (specifically sekurlsa::logonPasswords) for credential dumping from memory ³, dumping the LSASS process ³, performing Kerberoasting to crack service ticket hashes ³, and using WinPEAS to find privilege escalation paths.³
Lateral Movement & Execution: Leveraging tools like PsExec ⁴, command-and-control frameworks like Cobalt Strike and SystemBC ⁴, and abusing PowerShell.³ They have also been observed distributing executables via Group Policy Objects (GPOs).⁴
Defense Evasion: Creating scheduled tasks disguised with benign names for persistence and execution.³
Exfiltration & Impact: Using tools like WinRAR to compress stolen data and WinSCP for transferring data to actor-controlled servers.⁴ They follow a double-extortion model, encrypting data after exfiltration.⁴
Targeting: PLAY targets a diverse range of sectors, including telecommunications, healthcare, media, transportation, construction, government ³, finance, commercial facilities, legal/business, and retail.³⁶ Their targeting appears opportunistic but often focuses on organizations perceived to have a higher capacity or inclination to pay ransoms, such as those holding sensitive data or operating critical services.³⁶
Supporting Evidence:

Published URL: http://mbrlkbtq5jonaqkurjwmxftytyn2ethqvbxfu4rgjbkkknndqwae6byd.onion/topic.php?id=wr7Q9NWapmQ4Qy
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/aa717a39-43d4-4488-b834-6401974ed379.png

Incident: Alleged database sale of Arbor Day Foundation

Victim: arbor day foundation (arborday.org), Non-profit & Social Organizations, USA
Date Reported: 2025-04-14T14:11:48Z
Incident Type: Data Breach
Summary: A threat actor using the handle “dna” is advertising the sale of a database allegedly belonging to the Arbor Day Foundation on the BreachForums cybercrime forum. The actor claims the database contains information on 330,000 customers, including sensitive details such as IDs, full names, email addresses, phone numbers, billing addresses, order numbers, signatures, and IP addresses.
Threat Actor Context: dna (on BreachForums)

Overview: “dna” appears to be a threat actor involved in the trafficking of stolen data, operating on cybercrime forums like BreachForums. Such forums serve as marketplaces where actors buy, sell, and trade compromised data, access credentials, hacking tools, and other illicit services.⁸ BreachForums, specifically, emerged as a successor to RaidForums and gained notoriety for hosting leaks from high-profile targets before facing its own law enforcement disruptions and subsequent reincarnations.⁸ Actors on these forums often use aliases to maintain anonymity.
Motivations: Primarily financial gain, achieved through the sale of stolen data. The value of the data depends on its sensitivity, volume, and freshness.⁹ Some actors may also be motivated by notoriety within the cybercrime community. The specific mention of Arbor Day Foundation customer data suggests an opportunistic breach or purchase of data aimed at resale. The context of the 23andMe breach, where actors specifically targeted and leaked data based on ethnicity (Ashkenazi Jews, Chinese) ⁴¹, indicates that motivations can sometimes include ideological or targeted harassment elements, although “dna”‘s motivation here seems purely commercial based on the advertisement.
TTPs: The primary TTP observed here is Data Sale on Cybercrime Forum. The actor lists the type and volume of data available, often providing samples to prove authenticity.⁹ The method used by “dna” to obtain the Arbor Day Foundation data is not specified in this report, but common methods include exploiting web application vulnerabilities (like SQL injection ¹⁰), API vulnerabilities ¹⁰, misconfigured cloud storage (like S3 buckets ¹⁰), exploiting third-party providers ¹⁰, or purchasing data obtained via credential stuffing ⁴² or infostealers.
Targeting: In this instance, a US-based non-profit organization. Data brokers on forums target a wide array of organizations across various sectors, seeking valuable datasets containing PII, financial information, or credentials that can be monetized.¹⁰
Supporting Evidence:

Published URL: https://breachforums.st/Thread-SELLING-Arbor-Day-Foundation-330-000-Customers-Orders
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/adec8661-8900-46f2-8fbc-459ed0b7c470.png

Incident: Alleged leak of Image Generation API Credentials and Account Balance

Victim: getimg.ai, Information Technology (IT) Services, USA
Date Reported: 2025-04-14T13:59:15Z
Incident Type: Data Leak
Summary: A threat actor using the alias “keanu” has claimed on BreachForums to have leaked access credentials for an image generation API service, specifically getimg.ai. The leak purportedly includes a live API key and proof of the associated account balance ($5).
Threat Actor Context: keanu (on BreachForums)

Overview: Similar to “dna”, “keanu” is operating within the cybercrime ecosystem facilitated by forums like BreachForums.²² These forums act as marketplaces for various illicit goods, including compromised credentials, API keys, and access to systems.⁸ The relatively low value ($5 balance) associated with this leak might suggest either an opportunistic finding, a small-scale compromise, or an attempt by the actor to build reputation by sharing even minor findings.
Motivations: Likely financial, even if minor in this case, or potentially reputational gain within the forum community. Sharing access, even to low-value accounts, can demonstrate capability or provide resources for others’ malicious activities. Some actors might leak such information freely to gain status or trade for other data/tools.
TTPs: The core activity is Data Leak (API Key) via Forum. The method used to obtain the API key is unspecified but could range from exploiting vulnerabilities in the getimg.ai platform or related infrastructure, phishing the account owner, using credentials obtained from infostealer logs, or finding exposed keys in publicly accessible code repositories or misconfigured services. Leaking API keys can enable unauthorized use of the service, potentially leading to resource abuse or further exploitation depending on the API’s capabilities.
Targeting: An IT service provider (specifically an AI image generation service) based in the USA. Targeting API keys is increasingly common as they provide direct programmatic access to services and data.
Supporting Evidence:

Published URL: https://breachforums.st/Thread-Image-Generation-API-5-Balance
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/144de85a-86cd-4940-8420-82b77116553e.png

Incident: Diplomat targets the website of Crédit Agricole

Victim: crédit agricole (credit-agricole.fr), Banking & Mortgage, France
Date Reported: 2025-04-14T13:50:09Z
Incident Type: DDoS Attack
Summary: A hacktivist group identified as “Diplomat” has posted on Telegram claiming an ongoing DDoS attack against Crédit Agricole, France’s largest bank. The post indicates the attack commenced recently and is expected to persist through the night, aiming to disrupt the bank’s online services.
Threat Actor Context: Diplomat

Overview: “Diplomat” appears to be a hacktivist group conducting DDoS attacks, targeting high-profile entities like major financial institutions. While specific details about “Diplomat” are not available in the provided snippets, their actions align with the broader landscape of hacktivism, which often involves ideologically or politically motivated attacks against prominent targets.¹ The targeting of a major French bank could be linked to France’s geopolitical stance, particularly its role in international conflicts like Ukraine or the Middle East, which has drawn attention from various hacktivist factions, including pro-Russian and pro-Palestinian groups.²
Motivations: Likely political or ideological. France has become an increasing target for hacktivists due to its diplomatic efforts and support for Ukraine.² Attacks on critical sectors like banking aim to cause disruption, exert political pressure, and gain public attention.¹ Hacktivist groups often operate under banners of justice or resistance against perceived oppression or specific government policies.¹
TTPs: Primarily DDoS attacks aimed at disrupting service availability.¹ Hacktivist groups coordinate attacks via platforms like Telegram ¹⁵ and may use various tools, from custom scripts to publicly available DDoS tools or botnets.¹⁷ The claim of an ongoing attack expected to last indicates a potentially sustained effort, possibly involving multiple actors or botnet resources.
Targeting: High-profile financial institution in France. The banking and financial services sector is a common target for hacktivists aiming to inflict economic disruption or make a political statement.² Crédit Agricole, as a major national bank, represents a symbolic and impactful target.⁴⁹ Such institutions invest heavily in security, but remain vulnerable to persistent DDoS campaigns.⁴⁹
Supporting Evidence:

Published URL: https://t.me/c/2171893545/1324
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/b45d75b9-305e-483d-8a76-c044a7f1efae.png

Incident: Alleged data breach of Pentol

Victim: pentol-enviro polska sp. z o.o. (pentol.pl), Energy & Utilities, Poland
Date Reported: 2025-04-14T13:37:06Z
Incident Type: Data Breach
Summary: The threat group “Z-PENTEST ALLIANCE” claims via Telegram to have gained full control over an industrial boiler plant in Łódź, Poland. They specifically state they have compromised equipment supplied by Pentol Enviro Polska, including exhaust gas cleaning systems, gas analyzers, and combustion optimization controls. The group implies they can manipulate emissions and operational parameters, posing a potential physical threat.
Threat Actor Context: Z-PENTEST ALLIANCE

Overview: Z-PENTEST ALLIANCE is identified as a pro-Russian hacktivist group, likely originating from or having strong ties to Serbia, known for targeting critical infrastructure, particularly Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.¹³ They first appeared around October 2023 and have demonstrated capabilities in penetrating operational technology (OT) environments.¹³ They often collaborate with other pro-Russian groups like Sector 16 and People’s Cyber Army (PCA).¹³ Communication and recruitment occur via platforms like Telegram and X (Twitter).¹³
Motivations: Primarily geopolitical and ideological, aligning with Russian interests.¹³ Their attacks aim to weaken industrial and control systems in Western countries or nations supporting Ukraine, exploiting technological vulnerabilities to exert pressure and potentially cause physical disruption.¹³ They use fear and uncertainty, often releasing videos or screenshots of accessed systems, to amplify impact and influence.¹³
TTPs:

Primary Focus: Targeting and compromising ICS/SCADA/OT systems.¹³ They claim to manipulate critical functions like water pumping, gas distribution, and industrial processes.¹³
Initial Access: Exploiting vulnerabilities in public-facing applications, potentially including zero-day vulnerabilities.¹³ They may also use information from data leaks or employ social engineering.¹³
Communication & Propaganda: Using Telegram and X for coordination, recruitment, and disseminating proof of compromise (videos, screenshots) to instill fear and gain notoriety.¹³
Collaboration: Working in alliances with other pro-Russian hacktivist groups (e.g., Sector 16, PCA, OverFlame) to share resources and coordinate attacks.¹³
Targeting: Critical infrastructure sectors, especially Energy (Oil & Gas), Water, and Utilities, primarily in Western countries (USA, Europe) and nations opposing Russian interests (e.g., Australia, Poland).¹³ Previous targets include oil pumps in Texas ⁵², a hydroelectric plant in France ², water treatment facilities in the US ¹⁴, and potentially sewage and cooling systems in Australia.¹⁴ The targeting of a Polish energy/utilities-related company fits this pattern precisely.
Supporting Evidence:

Published URL: https://t.me/c/2442953840/142
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/4a4141f5-9840-4a6a-926e-a9045703dd14.png
https://d34iuop8pidsy8.cloudfront.net/d6147dd4-eff6-47e9-a412-b994c604cc13.png

Incident: NoName targets the website of ООЕК

Victim: ооек (ooek.od.ua), Electrical & Electronic Manufacturing, Ukraine
Date Reported: 2025-04-14T13:35:50Z
Incident Type: DDoS Attack
Summary: The pro-Russian hacktivist group NoName057(16) claims responsibility for a DDoS attack against the website of ООЕК (Odesa Oblenergo), an electrical company in Ukraine. They provided a check-host link as proof of the website’s downtime.
Threat Actor Context: NoName057(16)

Overview: NoName057(16) (also 05716nnm, Nnm05716) is a prominent pro-Russian hacktivist group active since March 2022.¹⁵ They specialize in conducting DDoS attacks against entities in Ukraine and NATO countries or their supporters.¹⁵ They operate publicly via Telegram channels, boasting a large following, to announce attacks, recruit volunteers (often incentivized financially through their “DDoSia Project”), and share proof of impact.¹⁴ They utilize GitHub for hosting information about their custom DDoS tool, DDOSIA.¹⁷
Motivations: Explicitly pro-Russian and politically driven, aiming to disrupt services and silence voices perceived as anti-Russian, especially in the context of the Ukraine war.¹⁵ Their target selection often directly correlates with geopolitical events and statements made by targeted nations.¹⁴
TTPs: Primarily DDoS attacks, executed using their custom tool DDOSIA, which is available for multiple operating systems and supports various attack methods (HTTP/S floods, TCP SYN floods).¹⁶ They leverage a volunteer network, incentivized by payments, coordinated via Telegram.¹⁵ They typically post check-host links or similar evidence to validate their claims of successful disruption.
Targeting: Consistent focus on Ukraine and NATO member states or supporters.¹⁵ Targets include government agencies, critical infrastructure (energy, finance, transport), media outlets, and political entities.² This attack on a Ukrainian electrical company is a typical example of their targeting strategy against critical infrastructure in Ukraine.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/544
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/834ef0f4-dc10-4578-9f84-6b3729a9c880.png

Incident: NoName targets the website of Gasolina Online

Victim: gasolina online (gasolina-online.com), Oil & Gas, Ukraine
Date Reported: 2025-04-14T13:23:50Z
Incident Type: DDoS Attack
Summary: NoName057(16) continues its campaign against Ukrainian targets, claiming a DDoS attack on Gasolina Online, an entity in the oil and gas sector. Proof of downtime was provided via a check-host link.
Threat Actor Context: NoName057(16)
As detailed previously, NoName057(16) is a pro-Russian hacktivist group specializing in DDoS attacks against Ukraine and its allies, using their DDOSIA tool and volunteer network.¹⁵ Targeting the oil and gas sector aligns with their focus on critical infrastructure disruption.¹⁶
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/544
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/54a8ffb3-9504-4df9-9a97-66743eac2977.png

Incident: NoName targets the website of Odesagas

Victim: odesagas (odgaz.odessa.ua), Oil & Gas, Ukraine
Date Reported: 2025-04-14T13:18:25Z
Incident Type: DDoS Attack
Summary: The NoName057(16) group claimed another DDoS attack against Ukrainian critical infrastructure, targeting Odesagas, an oil and gas company in Odesa. A check-host link was provided as evidence.
Threat Actor Context: NoName057(16)
Consistent with their established pattern, NoName057(16) continues targeting Ukrainian energy infrastructure using DDoS attacks.¹⁵ This attack on Odesagas further demonstrates their focus on disrupting essential services within Ukraine.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/544
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/22e95933-7dbb-4db9-9231-aa12c0792b04.png

Incident: NoName targets the website of Unified Citizen Appeal Center of Odesa

Victim: unified citizen appeal center of odesa (1535.omr.gov.ua), Government & Public Sector, Ukraine
Date Reported: 2025-04-14T13:05:42Z
Incident Type: DDoS Attack
Summary: NoName057(16) targeted the Unified Citizen Appeal Center of Odesa, a public service portal, with a DDoS attack. The group posted proof of the website’s downtime via a check-host link on their Telegram channel.
Threat Actor Context: NoName057(16)
This attack aligns with NoName057(16)’s strategy of targeting government and public service websites in Ukraine and NATO-aligned countries.¹⁵ Disrupting citizen services aims to cause inconvenience and undermine public trust in government institutions.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/543
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/91404de1-0ac7-4ae7-af26-bbc2f6246af1.png
https://d34iuop8pidsy8.cloudfront.net/2d1beea9-c29f-4fa7-995d-da766855b0c1.png

Incident: NoName targets the website of Odesa City Council

Victim: odesa city council (citizen.omr.gov.ua), Government Administration, Ukraine
Date Reported: 2025-04-14T13:03:46Z
Incident Type: DDoS Attack
Summary: The pro-Russian hacktivist group NoName057(16) claimed another DDoS attack, this time targeting the citizen portal of the Odesa City Council in Ukraine. Evidence of the attack’s success was shared via a check-host link.
Threat Actor Context: NoName057(16)
Continuing their focus on Ukrainian government entities, NoName057(16) targeted the Odesa City Council’s citizen portal.¹⁵ This follows the attack on the Odesa Citizen Appeal Center, indicating a concentrated effort against municipal services in Odesa on this day.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/544
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/24eb8d09-3916-498c-b9ae-2e753858da87.png

Incident: NoName targets the website of Sumy Chamber of Commerce and Industry

Victim: sumy chamber of commerce and industry (cci.sumy.ua), International Trade & Development, Ukraine
Date Reported: 2025-04-14T12:59:49Z
Incident Type: DDoS Attack
Summary: NoName057(16) targeted the Sumy Chamber of Commerce and Industry in Ukraine with a DDoS attack, providing a check-host link as proof of disruption.
Threat Actor Context: NoName057(16)
This attack targets an organization involved in international trade and development, potentially aiming to disrupt business activities and economic ties.¹⁵ While primarily focused on government and critical infrastructure, NoName057(16) occasionally targets business or economic entities perceived to support Ukraine or oppose Russian interests.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/543
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/470f4ff5-4d9d-4af1-af16-544c7f6b53c8.png
https://d34iuop8pidsy8.cloudfront.net/988d661e-79db-49d4-93fc-ed28a91fe041.png

Incident: NoName targets the website of The Odessa Regional Chamber of Commerce and Industry

Victim: the odessa regional chamber of commerce and industry (orcci.odessa.ua), International Trade & Development, Ukraine
Date Reported: 2025-04-14T12:55:28Z
Incident Type: DDoS Attack
Summary: Following the attack on the Sumy Chamber of Commerce, NoName057(16) also claimed a DDoS attack against The Odessa Regional Chamber of Commerce and Industry, again providing a check-host link as evidence.
Threat Actor Context: NoName057(16)
This further attack on a regional Chamber of Commerce in Odesa, alongside other Odesa targets today, reinforces the group’s focus on disrupting economic and governmental functions in specific Ukrainian regions.¹⁵
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/543
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/44591c5e-0d72-4324-9abc-142d3f51acf4.png
https://d34iuop8pidsy8.cloudfront.net/e7dba377-e3c5-4a2b-aa78-7330cce81c4a.png

Incident: STUMPF MÜLLER Biberach GmbH falls victim to Akira Ransomware

Victim: stumpf müller biberach gmbh (sum-bc.de), Business and Economic Development, Germany
Date Reported: 2025-04-14T12:54:35Z
Incident Type: Ransomware
Summary: The Akira ransomware group has listed STUMPF MÜLLER Biberach GmbH, a German business development company, on its leak site. The group claims to have exfiltrated essential corporate documents, including contact details for employees and customers, corporate licenses, agreements, and contracts, employing their standard double-extortion tactic. (Note: This incident appears twice in the JSON with the same details and timestamp).
Threat Actor Context: Akira

Overview: Akira is a prominent Ransomware-as-a-Service (RaaS) operation that emerged in March 2023.⁵ They quickly gained notoriety, impacting over 250 organizations and claiming approximately $42 million USD in ransom proceeds by early 2024.⁵ The group is believed to have connections to the defunct Conti ransomware gang, potentially leveraging Conti’s resources and expertise, although this link is not definitively confirmed.⁵ Akira operates a Tor-based leak site with a distinctive retro command-line interface aesthetic.⁵ They employ a double extortion model, stealing data before encryption and threatening to leak it if the ransom (paid in Bitcoin ⁵⁴) is not met.⁵⁶
Motivations & Origins: Primarily financially motivated, targeting organizations for ransom payments.⁵ While their origins are debated, evidence suggests Russian ties, including communication in Russian on dark web forums and code designed to avoid execution on systems with Russian language layouts.⁵ The name “Akira” is likely inspired by the 1988 anime film, portraying the group as a disruptive force.⁵ Unlike Conti, Akira has not explicitly pledged allegiance to Russia.⁵ The strong links to Conti, including shared Bitcoin wallets associated with former Conti affiliates and leadership, reinforce the likelihood of Russian origins or significant overlap.⁵⁵
TTPs:

Initial Access: Frequently exploit vulnerabilities in VPNs, particularly those without multi-factor authentication (MFA).⁵⁴ They have also used compromised credentials purchased on the dark web and exploited RDP.⁵⁵ Potential exploitation of vulnerabilities like SonicWall SSL VPN (CVE-2024-40766) has been reported but not confirmed.⁵⁵ Other methods include phishing and exploiting public-facing applications.⁵⁶
Privilege Escalation & Lateral Movement: Use techniques like ‘pass-the-hash’.⁵ Exploit vulnerabilities such as VMware vCenter flaws (CVE-2021-21972).⁵⁵ Utilize remote access tools like AnyDesk and ScreenConnect for persistence.⁵⁵ Employ network scanners like Advanced IP Scanner and SoftPerfect.⁵⁵ Dump credentials from LSASS memory.⁵⁶
Defense Evasion: Use tools like PowerTool, KillAV, and Terminator to disable antivirus and security solutions.⁵ Use PowerShell commands to disable Microsoft Defender.⁵ Delete Volume Shadow Copies to inhibit system recovery.⁵⁶
Exfiltration & Encryption: Compress data using WinRAR before exfiltration.⁵ Use tools like Rclone to exfiltrate data, often to cloud storage like Mega.⁵⁵ Employ hybrid encryption strategies.⁵⁴ Newer versions (Akira v2, written in Rust) target specific file types, including database and virtual machine files (.edb,.vdh,.vmdk, etc.), and append extensions like .akira or .akiranew.¹⁹ They use PowerShell for encryption processes.⁵⁴
Targeting: Primarily targets small-to-medium-sized enterprises (SMEs) but has hit larger organizations like Nissan and Stanford University.⁵ They are opportunistic and attack across various sectors, with a notable focus on manufacturing, critical infrastructure, education, business services, construction, retail, and technology.⁵ Geographically, they heavily target the US and Western Europe (including Canada, UK, Germany ¹⁹), with France being a major target in some analyses.⁵⁴ Recent activity shows expansion into Latin America.⁵⁵ This attack on a German business development firm fits their typical targeting profile.
Supporting Evidence:

Published URL: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/538773e2-103f-4241-9466-8db3904eebfa.png

Incident: NoName targets the website of Odessa Commercial Sea Port

Victim: odessa commercial sea port (omtp.com.ua), Transportation & Logistics, Ukraine
Date Reported: 2025-04-14T12:49:00Z
Incident Type: DDoS Attack
Summary: NoName057(16) targeted the website of the Odessa Commercial Sea Port in Ukraine with a DDoS attack, posting a check-host link as proof of the disruption.
Threat Actor Context: NoName057(16)
This attack on a major Ukrainian sea port represents a direct targeting of critical transportation and logistics infrastructure by NoName057(16).¹⁵ Such attacks aim to disrupt trade and economic activity, aligning with their pro-Russian objectives in the ongoing conflict.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/543
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/72fd4aa6-cda9-458a-9ff8-2a6efe9664b7.png
https://d34iuop8pidsy8.cloudfront.net/a6262f35-e6ab-49de-8df2-77d89a5b64c5.png

Incident: NoName targets the website of The Kharkiv Chamber of Commerce and Industry

Victim: the kharkiv chamber of commerce and industry (kcci.kharkov.ua), International Trade & Development, Ukraine
Date Reported: 2025-04-14T12:41:50Z
Incident Type: DDoS Attack
Summary: The NoName057(16) group claimed a DDoS attack against The Kharkiv Chamber of Commerce and Industry in Ukraine, providing a check-host link as evidence. (Note: The title in the JSON is incomplete, but the victim details are clear).
Threat Actor Context: NoName057(16)
Similar to the attacks on the Sumy and Odesa Chambers of Commerce, this action targets regional economic bodies in Ukraine, aiming to disrupt business and trade functions.¹⁵
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/543
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/1d3ae344-d207-4f09-ac80-1d4ae8fbb647.png
https://d34iuop8pidsy8.cloudfront.net/7e02d3d4-b422-41c4-abc5-9f212bfc2d85.png

Incident: Atlas Flood targets the website of Presidency of the Republic of Algeria

Victim: presidency of the republic of algeria (el-mouradia.dz), Government Administration, Algeria
Date Reported: 2025-04-14T12:21:38Z
Incident Type: DDoS Attack
Summary: The group “Atlas Flood” claimed responsibility for DDoS attacks against the official website of the Presidency of the Republic of Algeria. They provided two check-host links as proof of downtime.
Threat Actor Context: Atlas Flood

Overview: “Atlas Flood” appears to be a hacktivist group conducting DDoS attacks, in this case targeting a high-profile government website in Algeria. The name itself suggests a focus on DDoS (Flood). While specific information on this group is scarce in the provided snippets, the name might be a reference to NETSCOUT’s ATLAS (Active Threat Level Analysis System) intelligence platform, which monitors global DDoS activity ⁵⁷, perhaps ironically or as a statement of capability. Alternatively, it could relate to the Atlas Mountains region or the Moroccan cybercrime group Atlas Lion, known for different types of attacks (fraudulent gift cards) ⁶⁰, although a direct link is speculative without more data. DDoS attacks remain a common tactic for various actors, including hacktivists and potentially even criminal groups testing capabilities or advertising services.⁶¹
Motivations: Likely political or ideological, given the target is the head of state’s official website. Motivations for targeting Algeria could range from internal dissent to external geopolitical factors or regional rivalries. Without more context on the group, specific motivations are unclear.
TTPs: DDoS attacks, specifically likely utilizing HTTP Flood or TCP-based flood attacks, which are common methods.⁶² The use of check-host links to prove downtime is standard practice among hacktivist groups making claims on platforms like Telegram.¹⁵ DDoS attacks aim to overwhelm server resources or bandwidth, making the target website inaccessible.⁶¹ Algeria has experienced DDoS activity previously, with common vectors including DNS Amplification, NTP Amplification, and UDP floods.⁶⁴
Targeting: High-level government website in Algeria. Targeting presidential or primary government portals is a common tactic for hacktivists seeking maximum visibility and symbolic impact.¹⁵
Supporting Evidence:

Published URL: https://t.me/AtlasFlood/12
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/30c87e6a-f845-41c4-a658-078cefac0785.png

Incident: Oklahoma Steel & Wire Co. Inc. falls victim to Akira Ransomware

Victim: oklahoma steel & wire co. inc. (okbrand.com), Manufacturing, USA
Date Reported: 2025-04-14T12:08:05Z
Incident Type: Ransomware
Summary: The Akira ransomware group has added Oklahoma Steel & Wire Co. Inc. to its list of victims on its Tor leak site. The group claims to have exfiltrated 129 GB of data, including essential corporate documents like licenses, agreements, contracts, contact details of employees and customers, and financial data. This follows their typical double-extortion methodology.
Threat Actor Context: Akira
As detailed previously, Akira is a financially motivated RaaS group, likely with Russian ties and connections to the former Conti group.⁵ They employ double extortion, targeting primarily SMEs but also larger organizations across various sectors, with a focus on the US and Western Europe.⁵ Manufacturing is one of their commonly targeted sectors.⁵ Their TTPs involve exploiting VPNs/RDP, leveraging tools for lateral movement and credential theft, disabling security software, and exfiltrating data before encryption.⁵ This attack on a US manufacturing company aligns perfectly with their known operational patterns.
Supporting Evidence:

Published URL: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/d3348ecd-e61f-4fbe-a97b-2596227cd02c.png

Incident: SYLHET GANG-SG targets the website of Trainline

Victim: trainline.com limited (thetrainline.com), E-commerce & Online Stores, UK
Date Reported: 2025-04-14T11:45:24Z
Incident Type: DDoS Attack
Summary: The hacktivist group “SYLHET GANG-SG” claimed responsibility for DDoS attacks targeting the website of Trainline, a major UK-based online train ticket retailer. The group provided two check-host links as proof of the disruption.
Threat Actor Context: SYLHET GANG-SG

Overview: SYLHET GANG-SG is identified as a hacktivist group, likely originating from or associated with Bangladesh (Sylhet is a major city in Bangladesh).⁶⁵ They engage in politically motivated cyberattacks, primarily DDoS and website defacements.³⁵ They have been observed targeting entities in Europe (including the EU Parliament, UK), Saudi Arabia, India, and potentially others.⁶⁵ The group has declared allegiance to the KillNet 2.0 collective, indicating alignment with pro-Russian interests, and also expresses pro-Palestinian sentiments.⁶⁵ They operate via Telegram channels.
Motivations: Primarily political and ideological. Their targeting reflects alignment with broader hacktivist campaigns, such as those supporting Palestine or opposing Western nations/allies of Israel.⁶⁵ Attacks against entities in countries like the UK could be framed as retaliation for perceived geopolitical stances or support for adversaries (e.g., Israel, Ukraine). They also participate in broader campaigns like #OpIndia.¹
TTPs: Primarily DDoS attacks ³⁵ and website defacements.¹ Like many hacktivist groups, they likely use readily available DDoS tools or participate in coordinated attacks leveraging shared resources or botnets, possibly including tools used by allies like KillNet or other groups within coalitions they join.³⁵ They use Telegram for communication and claims.
Targeting: Diverse targets based on political motivations. Known targets include critical infrastructure, government entities (EU Parliament, Cyprus police), private companies (Trainline UK), and websites associated with political figures (UK Prime Minister Sunak’s personal site).⁶⁶ They have also targeted Saudi Arabia ⁶⁵ and participated in campaigns against India ¹ and potentially China (related to policies against Muslims).¹ Targeting a major UK e-commerce site like Trainline fits their pattern of attacking prominent Western entities.
Supporting Evidence:

Published URL: https://t.me/SylhetGangSG1/6223
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/22d8af49-3feb-45e1-8670-35b052c79fe5.png

Incident: Alleged data sale of Armada Boliviana

Victim: armada boliviana (evaluacionfisica.armada.mil.bo), Government Administration, Bolivia
Date Reported: 2025-04-14T11:36:54Z
Incident Type: Data Leak
Summary: A threat actor using the alias “kazu” is advertising the sale of a database allegedly belonging to the Armada Boliviana (Bolivian Navy) on the dark web forum DarkForums.st. The actor claims the database contains 1,433,996 records related to the physical fitness of military personnel, including highly sensitive PII such as identity card numbers, full names, ranks, TINs, dates of birth, units, age, weight, blood pressure, fitness test scores, and final evaluations.
Threat Actor Context: kazu (on DarkForums)

Overview: “kazu” appears to be a data broker operating on dark web forums, specializing in the sale of sensitive databases, particularly government or military-related data. Dark web forums, distinct from but similar in function to clear web forums like BreachForums, serve as marketplaces for illicit data and services.⁴⁴ The high volume and sensitivity of the claimed data (military personnel fitness records) suggest a potentially significant breach.
Motivations: Primarily financial gain through the sale of valuable, sensitive data. Military and government databases command high prices due to their potential use for espionage, identity theft, or targeted attacks.
TTPs: Data Sale on Dark Web Forum. The actor advertises the database contents, volume, and potentially a price or contact method. The method of acquisition is unknown but could involve direct intrusion, exploitation of vulnerabilities in the specific ‘.mil.bo’ subdomain, insider threats, or purchasing the data from another actor. The specificity of the data (physical fitness records) might point towards a compromise of a specific system or application used for managing this information.
Targeting: Military/Government entity in Bolivia. Targeting military databases is often associated with state-sponsored actors seeking intelligence, but financially motivated criminals also recognize the value of such data on underground markets.
Supporting Evidence:

Published URL: https://darkforums.st/Thread-Selling-LEAK-Military-Fitness-Records-Breach-evaluacionfisica-armada-mil-bo-1433996-lines
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/8ac35781-0f4c-485b-b624-38de4014ef17.png

Incident: SYLHET GANG-SG targets the website of Absolute Instrumentation

Victim: absolute instrumentation (aiautomation.in), Industrial Automation, India
Date Reported: 2025-04-14T11:18:42Z
Incident Type: Defacement
Summary: The hacktivist group SYLHET GANG-SG claimed via Telegram to have defaced the website of Absolute Instrumentation, an Indian company specializing in industrial automation.
Threat Actor Context: SYLHET GANG-SG
As previously detailed, SYLHET GANG-SG is a politically motivated hacktivist group, likely from Bangladesh, known for DDoS attacks and defacements.¹ They align with pro-Russian and pro-Palestinian causes and target entities in Europe, Saudi Arabia, and India.¹ Website defacement is a common hacktivist tactic used to display messages, protest, or simply claim a successful intrusion.¹ Targeting an Indian company aligns with their documented participation in anti-India campaigns (#OpIndia).¹
Supporting Evidence:

Published URL: https://t.me/SylhetGangSG1/6222
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/89094e35-f4a9-44ae-ab3f-cd6646ff1b72.png

Incident: Orthopaedic Specialists of Connecticut falls victim to INC RANSOM Ransomware

Victim: orthopaedic specialists of connecticut (ctorthopaedic.com), Hospital & Health Care, USA
Date Reported: 2025-04-14T11:09:47Z
Incident Type: Ransomware
Summary: The INC RANSOM group has listed Orthopaedic Specialists of Connecticut on its data leak blog. The group claims to have obtained the organization’s data, implying a double-extortion attack typical of ransomware operations targeting the healthcare sector.
Threat Actor Context: INC RANSOM

Overview: INC RANSOM (also GOLD IONIC) is a ransomware and data extortion group active since at least July/August 2023.⁶ They operate globally, targeting a wide range of industries across North America, Europe, Asia, and South America.⁶ They employ a multi-stage attack strategy, often involving double extortion where data is stolen before encryption.²⁰ They maintain a Tor-based blog to leak data from non-paying victims.⁶⁷ While their origin is not definitively confirmed, researchers suspect Russian criminals may be behind the operation.²⁰
Motivations: Primarily financial gain through ransom payments.²⁰ They position themselves as a “service” to victims on their ransom notes.⁶⁷ Their targeting appears opportunistic but shows a focus on organizations where operational disruption or data sensitivity is high, increasing leverage for payment.²⁰
TTPs:

Initial Access: Exploiting vulnerabilities in public-facing applications, notably CVE-2023-3519 in Citrix NetScaler.⁶ Spear-phishing campaigns are also used.⁶ Use of compromised valid accounts is another vector.⁶
Execution & Persistence: Utilize command and scripting interpreters.²⁰ May use legitimate tools like PsExec (disguised, e.g., as ‘winupd’) and wmic.exe for execution.⁶ Persistence achieved through valid accounts.²⁰
Privilege Escalation & Credential Access: Exploit vulnerabilities for privilege escalation.²⁰ Dump OS credentials.²⁰
Discovery & Lateral Movement: Employ network scanning tools like Advanced IP Scanner.⁶ Use remote services like RDP for lateral movement.⁶ Discover system network configurations.²⁰
Defense Evasion: Obfuscate files or information.²⁰ Rename legitimate tools.⁶
Collection & Exfiltration: Stage data using tools like 7-Zip.⁶⁹ Exfiltrate data using tools like Rclone, Tor, or cloud services like MEGASync.⁶
Impact: Data encryption and potential data destruction.²⁰ Double extortion by threatening to leak stolen data.⁶ Ransom notes (INC-README.TXT/HTML) direct victims to a Tor portal using a personal ID.⁶⁷
Targeting: Broad targeting across many sectors including healthcare, education, government, manufacturing, retail, energy, finance, technology, and telecommunications.⁶ They show little discrimination, hitting critical sectors like healthcare (including children’s hospitals and health boards).²⁰ Geographically, they target North America (USA), Europe (UK, Germany, France, Spain, etc.), and other regions like Asia and South America.⁶ This attack on a US healthcare provider is consistent with their known targeting patterns.
Supporting Evidence:

Published URL: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/67ee8d1d516e69ca611ee27d
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/55fcc707-918b-4ac1-a9ab-e6108ab0fff8.png

Incident: Chickenshed Theatre falls victim to INC RANSOM Ransomware (Note: Title seems mismatched with Victim Org/Industry)

Victim: clinica family health & wellness (clinica.org), Healthcare & Pharmaceuticals, USA (Note: Title mentions Chickenshed Theatre, but victim details point to Clinica Family Health & Wellness in the US Healthcare sector. Analysis proceeds based on victim details.)
Date Reported: 2025-04-14T10:46:37Z
Incident Type: Ransomware
Summary: The INC RANSOM group has claimed another victim in the US healthcare sector, listing Clinica Family Health & Wellness on its leak blog. The group asserts they have obtained the organization’s data and provides sample screenshots on their portal as proof, indicating a double-extortion ransomware attack.
Threat Actor Context: INC RANSOM
As detailed above, INC RANSOM is a financially motivated ransomware group known for targeting diverse sectors globally, with a notable focus on healthcare.⁶ They utilize double extortion, often gaining initial access via vulnerability exploitation (like Citrix CVE-2023-3519) or phishing, and employ various tools for lateral movement, data exfiltration (MEGASync, Rclone), and encryption.⁶ This attack on another US healthcare provider further confirms their operational focus and methods.
Supporting Evidence:

Published URL: http://incblog6qu4y4mm4zvw5nrmue6qbwtgjsxpw6b7ixzssu36tsajldoad.onion/blog/disclosures/67efb5a6516e69ca612626e1
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/0339a6c5-ac58-4193-ad62-e3fe1b268179.png

Incident: NoName targets the website of ANWIL

Victim: anwil (anwil.orlen.pl), Oil & Gas, Poland
Date Reported: 2025-04-14T10:34:31Z
Incident Type: DDoS Attack
Summary: NoName057(16) claimed a DDoS attack against ANWIL, a Polish chemical company belonging to the ORLEN Group (a major Polish oil refiner and petrol retailer). Proof of downtime was provided via a check-host link.
Threat Actor Context: NoName057(16)
This attack is part of a larger campaign observed today by NoName057(16) targeting subsidiaries and related entities of Poland’s ORLEN Group.¹⁵ Targeting Polish critical infrastructure, especially in the energy sector, aligns with their pro-Russian stance and likely serves as retaliation for Poland’s support of Ukraine and criticism of Russia.¹⁶
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/b45e6e94-8465-4c5f-8660-507f581b5877.png
https://d34iuop8pidsy8.cloudfront.net/9f4624bb-577d-4a70-9ad1-fab371bf5c22.png

Incident: NoName targets the website of ORLEN VC

Victim: orlen vc (vc.orlen.pl), Oil & Gas, Poland
Date Reported: 2025-04-14T10:27:01Z
Incident Type: DDoS Attack
Summary: Continuing their focus on the ORLEN Group, NoName057(16) claimed a DDoS attack against ORLEN VC (Venture Capital), providing a check-host link as evidence.
Threat Actor Context: NoName057(16)
Another attack within the coordinated campaign against ORLEN entities in Poland by the pro-Russian hacktivist group NoName057(16).¹⁵ Targeting the venture capital arm might aim to disrupt investment activities or simply broaden the scope of disruption against the parent company.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/a8ce05b4-299f-442d-a316-6c49a4fc9b42.png
https://d34iuop8pidsy8.cloudfront.net/64f9d275-d64c-4def-8d20-1efdbf469e84.png

Incident: Alleged database sale of Takeda Pharmaceutical Company

Victim: takeda pharmaceutical company (takeda.com), Healthcare & Pharmaceuticals, Japan
Date Reported: 2025-04-14T10:24:05Z
Incident Type: Data Breach
Summary: A threat actor using the alias “betway” posted on the Russian-language cybercrime forum Exploit.in, claiming to sell a database allegedly stolen from Takeda Pharmaceutical Company. The database purportedly contains approximately 2 million rows of user information, including full names, titles, departments, mailing addresses, birthdates, and other contact details.
Threat Actor Context: betway (on Exploit.in)

Overview: “betway” appears to be a threat actor engaged in selling large datasets on prominent cybercrime forums like Exploit.in. Exploit.in is a well-known Russian-language forum frequented by sophisticated actors involved in various cybercriminal activities, including malware development, vulnerability trading, and data sales.⁹ The alias “betway” has previously been associated with attempts to sell data allegedly from the gambling company Betway ⁹, suggesting a focus on brokering large datasets.
Motivations: Primarily financial gain from selling valuable corporate or customer data. Pharmaceutical company data, containing PII and potentially sensitive health-related context or corporate information, can be highly valuable for follow-on attacks like spear-phishing, corporate espionage, or identity theft.⁹
TTPs: Data Sale on Cybercrime Forum (Exploit.in). The actor advertises the data source, volume, and types of information included. The method of obtaining the Takeda data is not specified, but could involve direct intrusion, exploiting vulnerabilities, phishing, or purchasing from another source. Selling data on established, high-reputation forums like Exploit.in targets a specific audience of potentially more sophisticated buyers compared to more open forums.⁷²
Targeting: A major multinational pharmaceutical company headquartered in Japan. Targeting large corporations in critical sectors like healthcare is common for actors seeking high-value data.⁹
Supporting Evidence:

Published URL: https://forum.exploit.in/topic/257350/
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/90523400-a664-46fa-a8fd-48a468b50c11.png

Incident: NoName targets the website of ORLEN Upstream

Victim: orlen upstream (orlenupstream.pl), Oil & Gas, Poland
Date Reported: 2025-04-14T10:20:52Z
Incident Type: DDoS Attack
Summary: NoName057(16) claimed another DDoS attack within their campaign against the ORLEN Group, this time targeting ORLEN Upstream, the company’s exploration and production arm. A check-host link was provided as proof.
Threat Actor Context: NoName057(16)
Part of the ongoing, coordinated DDoS campaign by the pro-Russian group NoName057(16) against ORLEN subsidiaries in Poland.¹⁵ Targeting the upstream operations aims directly at the core business of the energy company.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/283f0dec-a0be-49ee-bfb7-94ab91a209e2.png
https://d34iuop8pidsy8.cloudfront.net/9e464f57-dbe1-435c-b034-03f841ef498c.png

Incident: NoName targets the website of ORLEN Transport

Victim: orlen transport (transport.orlen.pl), Transportation & Logistics, Poland
Date Reported: 2025-04-14T10:15:17Z
Incident Type: DDoS Attack
Summary: The NoName057(16) group continued its assault on ORLEN Group entities, claiming a DDoS attack against ORLEN Transport. Proof was shared via a check-host link.
Threat Actor Context: NoName057(16)
Another incident in the NoName057(16) campaign targeting ORLEN.¹⁵ Disrupting the transport and logistics arm impacts the distribution network of the energy company.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/ee1e19aa-ff23-4d7c-abd2-40de3e4fa3c9.png
https://d34iuop8pidsy8.cloudfront.net/612669a6-fcd9-4fba-82ce-025ba1f3849f.png

Incident: NoName targets the website of ORLEN Serwis

Victim: orlen serwis (serwis.orlen.pl), Automotive, Poland
Date Reported: 2025-04-14T10:08:30Z
Incident Type: DDoS Attack
Summary: NoName057(16) targeted ORLEN Serwis, the automotive service division of the ORLEN Group, with a DDoS attack, providing a check-host link as evidence.
Threat Actor Context: NoName057(16)
Continuing the pattern of attacks against ORLEN subsidiaries by NoName057(16).¹⁵ This targets a customer-facing service division.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/be65e998-74aa-4307-aab4-46d2f84f4cde.png
https://d34iuop8pidsy8.cloudfront.net/bb2415f6-8b5f-4681-8a33-61289bebe83c.png

Incident: The Anonymous 71 targets the website of Bank of Israel

Victim: bank of israel (boi.org.il), Banking & Mortgage, Israel
Date Reported: 2025-04-14T10:05:38Z
Incident Type: DDoS Attack
Summary: A group calling itself “The Anonymous 71” claimed responsibility for a DDoS attack targeting the Bank of Israel’s website. They provided a check-host link as proof of the disruption attempt.
Threat Actor Context: The Anonymous 71

Overview: “The Anonymous 71” appears to be a hacktivist entity operating under the broad “Anonymous” banner, targeting Israeli institutions. The Anonymous collective is a decentralized international movement known for cyberattacks against governments and corporations, often motivated by anti-censorship, anti-surveillance, or specific political causes.²⁴ Anyone can claim affiliation ⁷⁴, leading to numerous independent groups or individuals using the name and symbolism (like the Guy Fawkes mask).²⁴ The “71” suffix could be a specific identifier for this cell or relate to a specific event or cause (though its meaning isn’t immediately clear from the snippets). Groups operating under the Anonymous name have historically been involved in #OpIsrael campaigns.²⁵
Motivations: Likely political, specifically anti-Israel, given the target and the context of ongoing hacktivist campaigns related to the Israeli-Palestinian conflict (#OpIsrael, #OpJerusalem, pro-Palestinian alliances).²⁵ Attacks often coincide with specific events or anniversaries ²⁵ or serve as retaliation for perceived aggressions or policies.²⁵ Targeting the central bank is a high-impact action aimed at disrupting the financial system and making a strong political statement.
TTPs: Primarily DDoS attacks, a hallmark tactic of many Anonymous operations and related hacktivist campaigns.²⁵ They use public platforms like Telegram to announce attacks and share proof.²⁵ The effectiveness and sophistication of Anonymous-affiliated attacks can vary widely, from simple website disruptions to more complex breaches, depending on the specific individuals or cells involved.²⁴
Targeting: High-profile government/financial institution in Israel. The Bank of Israel, as the central bank, is a critical and symbolic target. This aligns with the known targeting patterns of pro-Palestinian/anti-Israel hacktivist campaigns.²⁵
Supporting Evidence:

Published URL: https://t.me/TAMQ_71BDF/468
Screenshots:
https://d34iuop8pidsy8.cloudfront.net/f9364881-c74f-47a1-805f-169f338494eb.png

Incident: NoName targets the website of ORLEN Projekt

Victim: orlen projekt (projekt.orlen.pl), Building and construction, Poland
Date Reported: 2025-04-14T09:58:41Z
Incident Type: DDoS Attack
Summary: NoName057(16) targeted ORLEN Projekt, the engineering and construction subsidiary of the ORLEN Group, with a DDoS attack, providing a check-host link as evidence.
Threat Actor Context: NoName057(16)
Part of the sustained DDoS campaign by NoName057(16) against various entities within Poland’s ORLEN Group.¹⁵ This attack targets the group’s project development and construction capabilities.
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/539
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/96377fb0-0464-4511-a72a-c1c70c3a3d29.png
https://d34iuop8pidsy8.cloudfront.net/1ec26e77-aef6-4ee7-886f-ab06f61077c1.png

Incident: NoName targets the website of ORLEN EKO

Victim: orlen s.a. (eko.orlen.pl), Oil & Gas, Poland
Date Reported: 2025-04-14T09:31:29Z
Incident Type: DDoS Attack
Summary: The pro-Russian group NoName057(16) claimed a DDoS attack against ORLEN EKO, an environmental services part of ORLEN S.A., providing a check-host link.
Threat Actor Context: NoName057(16)
Another attack in the NoName057(16) series targeting ORLEN Group websites in Poland.¹⁵
Supporting Evidence:

Published URL: https://t.me/nnm05716rus/537
Screenshots:

https://d34iuop8pidsy8.cloudfront.net/f4a927b2-fcdf-4b4c-8f93-4b4a02768866.png
`https://d34iuop8pidsy8.cloudfront.net/cf041fe6-4863-4f4a-bec4-

Works cited

Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 15, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
Hacktivists Increasingly Target France for Its Diplomatic Efforts – Cyble, accessed April 15, 2025, https://cyble.com/blog/hacktivists-france-for-its-diplomatic-efforts/
Play Ransomware: Exposing One of 2024’s Greediest Cyber Extortionists – Picus Security, accessed April 15, 2025, https://www.picussecurity.com/resource/blog/play-ransomware
#StopRansomware: Play Ransomware | CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a
Akira: Modern ransomware with a retro vibe | Barracuda Networks Blog, accessed April 15, 2025, https://blog.barracuda.com/2025/02/11/akira–modern-ransomware-with-a-retro-vibe
INC Ransom: A Sophisticated Ransomware & Data Extortion Group – Cyble, accessed April 15, 2025, https://cyble.com/threat-actor-profiles/inc-ransom/
Threat Intelligence Report Apr 8th – Apr 14th, 2025 – Red Piranha, accessed April 15, 2025, https://redpiranha.net/news/threat-intelligence-report-april-8-april-14-2025
BreachForums v1 Data Leak Exposes Members’ Info – CertPro, accessed April 15, 2025, https://certpro.com/breachforums-data-leak/
Data of 500000 Betway gambling customers being allegedly sold on hacker forum, accessed April 15, 2025, https://securityreport.com/data-of-500000-betway-gambling-customers-being-allegedly-sold-on-hacker-forum/
Revealing Corporate Vulnerabilities: Understanding How Threat Actors Breach and Exploit Your Data | KELA Cyber, accessed April 15, 2025, https://www.kelacyber.com/blog/revealing-corporate-vulnerabilities-understanding-how-threat-actors-breach-and-exploit-your-data/
Brute Force or Something More? Ransomware Initial Access Brokers Exposed – Huntress, accessed April 15, 2025, https://www.huntress.com/blog/brute-force-or-something-more-ransomware-initial-access-brokers-exposed
The Rise of Initial Access Brokers on the Dark Web – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/the-rise-of-initial-access-brokers-on-the-dark-web/
Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange Cyberdefense, accessed April 15, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
Pro-Russian and Pro-Palestinian Hacktivists Targeting Australian Organizations | Radware, accessed April 15, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/pro-russian-and-pro-palestinian-hacktivists-targeting-australian-organizations/
Unmasking NoName057(16): Botnets, DDoSia, and NATO – CybelAngel, accessed April 15, 2025, https://cybelangel.com/unmasking-noname05716/
NoName057(16) – The Pro-Russian Hacktivist Group Targeting NATO | SentinelOne, accessed April 15, 2025, https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/
NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 15, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
NoName057(16) – NetScout Systems, accessed April 15, 2025, https://www.netscout.com/blog/asert/noname057-16
Akira Ransomware: A Shifting Force in the RaaS Domain – Bitdefender, accessed April 15, 2025, https://www.bitdefender.com/en-au/blog/businessinsights/akira-ransomware-a-shifting-force-in-the-raas-domain
Is Your Organization Safe From INC Ransom? – Vectra AI, accessed April 15, 2025, https://www.vectra.ai/threat-actors/inc-ransom
Decrypt NightSpire Ransomware – Digital Recovery, accessed April 15, 2025, https://digitalrecovery.com/en/decrypt-ransomware/nightspire/
BreachForums – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/BreachForums
Inside The Rise And Fall Of BreachForums | Blog – Dark Atlas, accessed April 15, 2025, https://darkatlas.io/blog/inside-the-rise-and-fall-of-breachforums
Anonymous (hacker group) – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
OpIsrael 2025: Hacktivist Coordination Intensifies Ahead of April 7 – Radware, accessed April 15, 2025, https://radware.com/security/threat-advisories-and-attack-reports/opisrael-2025-hacktivist-coordination-intensifies-ahead-of-april-7/
Bitdefender Threat Debrief | April 2025 – MSSP Alert, accessed April 15, 2025, https://www.msspalert.com/native/bitdefender-threat-debrief-april-2025
2025 Ransomware: Business as Usual, Business is Booming – SecurityBrief UK, accessed April 15, 2025, https://securitybrief.co.uk/story/2025-ransomware-business-as-usual-business-is-booming
Hacktivists unmasked | Group-IB Blog, accessed April 15, 2025, https://www.group-ib.com/blog/uicf/
Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 15, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
Dark Web Activity January 2025: A New Hacktivist Group Emerges – Cyble, accessed April 15, 2025, https://cyble.com/blog/dark-web-activity-new-hacktivist-group-emerges/
SiegedSec – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/SiegedSec
List of hacker groups – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups
Dark Web Profile: UserSec – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/dark-web-profile-usersec/
Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 15, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed April 15, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
Ransomware Report 2023: targets, motives, and trends – Outpost24, accessed April 15, 2025, https://outpost24.com/blog/ransomware-report-2023-targets-motives-and-trends/
State-aligned APT groups are increasingly deploying ransomware – and that’s bad news for everyone | ESET, accessed April 15, 2025, https://www.eset.com/us/about/newsroom/corporate-blog/state-aligned-apt-groups-are-increasingly-deploying-ransomware-and-thats-bad-news-for-everyone/
North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack, accessed April 15, 2025, https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
Justice Department Announces Arrest of the Founder of One of the World’s Largest Hacker Forums and Disruption of Forum’s Operation, accessed April 15, 2025, https://www.justice.gov/archives/opa/pr/justice-department-announces-arrest-founder-one-world-s-largest-hacker-forums-and-disruption
BreachForums replacement emerges as robust forum for criminal hackers to trade their spoils | CyberScoop, accessed April 15, 2025, https://cyberscoop.com/breachforums-return-criminal-hackers/
Multiple Data Leaks at 23andme – Communications of the ACM, accessed April 15, 2025, https://cacm.acm.org/news/multiple-data-leaks-at-23andme/
23andMe hack: What happened to genetic data from millions of users? – Techerati, accessed April 15, 2025, https://www.techerati.com/news-hub/23andme-genetic-information-compromised-by-hackers-what-happened/
Millions of new 23andMe genetic data profiles leak on cybercrime forum – Bitdefender, accessed April 15, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/millions-of-new-23andme-genetic-data-profiles-leak-on-cybercrime-forum
Threat actor is selling data on 5.4 million Twitter users for $30K on hacking forum, accessed April 15, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/threat-actor-is-selling-data-on-5-4-million-twitter-users-for-30k-on-hacking-forum
23andMe Date: xxxxxx Subject: Notice of Data Breach To: xxxxxxx – California Department of Justice, accessed April 15, 2025, https://oag.ca.gov/system/files/CA%20AG%20-%20CA%20Notification%20Letters.pdf
May You Live in Interesting Times: The Rise and Fall of Threat Actors | Flashpoint, accessed April 15, 2025, https://flashpoint.io/blog/rise-fall-of-threat-actors/
Hacktivism – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Hacktivism
Threat Actor Profile – Guacamaya hacktivist group – Outpost24, accessed April 15, 2025, https://outpost24.com/blog/threat-actor-profile-guacamaya/
Unified Attack Surface Visibility for Crédit Agricole PFM – Hadrian.io, accessed April 15, 2025, https://hadrian.io/case-study/ca-personal-finance-mobility
Group news / 2024 Cyber Month: you’re the strongest link, accessed April 15, 2025, https://www.credit-agricole.com/en/news-channels/the-channels/60-seconds/group-news-2024-cyber-month-you-re-the-strongest-link
Potential fraud: clone firms | Crédit Agricole CIB, accessed April 15, 2025, https://www.ca-cib.com/en/potential-fraud-clone-firms
Cyble details Russian hacktivist group Sector 16 targeting US oil infrastructure in alarming data breaches – Industrial Cyber, accessed April 15, 2025, https://industrialcyber.co/control-device-security/cyble-details-russian-hacktivist-group-sector-16-targeting-us-oil-infrastructure-in-alarming-data-breaches/
NoName057(16) – the Pro-Russian hacktivist group targeting NATO – Global Security Mag, accessed April 15, 2025, https://www.globalsecuritymag.com/NoName057-16-the-Pro-Russian-hacktivist-group-targeting-NATO.html
The 2025 Akira Ransomware Playbook – CybelAngel, accessed April 15, 2025, https://cybelangel.com/the-akira-ransomware-playbook-everything-you-need-to-know/
Ransomware in focus: Meet Akira – S-RM, accessed April 15, 2025, https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-akira
Akira Ransomware – Trellix, accessed April 15, 2025, https://www.trellix.com/blogs/research/akira-ransomware/
ATLAS Intelligence Feed – Tech Data Canada, accessed April 15, 2025, https://www.techdata.ca/arbornetworks/files/ARBORNETWORKS_AIF%20Data%20Sheet.pdf
DDoS Attack Protection: Arbor Network’s ATLAS | TD SYNNEX Public Sector – DLT Solutions, accessed April 15, 2025, https://www.dlt.com/resources/ddos-attack-protection-arbor-network-s-atlas
NETSCOUT® ATLAS® Intelligence Feed (AIF): An Added Buffer Against DDoS Attacks, accessed April 15, 2025, https://www.zayo.com/resources/atlas-intelligence-feed-an-added-buffer-against-ddos-attacks/
Moroccan cybercrime group Atlas Lion hiding in plain sight during attacks on retailers, accessed April 15, 2025, https://therecord.media/atlas-lion-gift-card-cybercrime-hiding-virtual-machines
Denial-of-service attack – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Denial-of-service_attack
What is an HTTP Flooding DDoS Attack? – NetScout Systems, accessed April 15, 2025, https://www.netscout.com/what-is-ddos/http-flood-attacks
TCP Floods Are Again the Leading DDoS Attack Vector | NETSCOUT, accessed April 15, 2025, https://www.netscout.com/blog/tcp-floods-are-again-leading-ddos-attack-vector
Algeria – Latest Cyber Threat Intelligence Report – Netscout, accessed April 15, 2025, https://www.netscout.com/threatreport/2h2022/emea/algeria/
An Overview of Cyber Attacks in the Middle East 2024[Threat Note] – CybelAngel, accessed April 15, 2025, https://cybelangel.com/cyber-attacks-middle-east-2024/
SYLHET GANG-SG (Threat Actor) – Malpedia, accessed April 15, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/sylhet_gang-sg
Inc. Ransom | SentinelOne, accessed April 15, 2025, https://www.sentinelone.com/anthology/inc-ransom/
Inc. Ransom Group – Detection and Prevention – Check Point Software, accessed April 15, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/inc-ransom-group-detection-and-prevention/
Dark Web Profile: INC Ransom – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/dark-web-profile-inc-ransom/
Risky Bulletin: Hackers abuse secret WordPress feature – Risky Biz News, accessed April 15, 2025, https://news.risky.biz/risky-bulletin-hackers-abuse-secret-wordpress-feature-youll-probably-want-to-disable/
Indonesia Under Sophisticated Cyberattacks: A Deep-dive Analysis of Threat Actors Targeting the Indonesian Ecosystem – Cyble, accessed April 15, 2025, https://cyble.com/blog/indonesia-under-sophisticated-cyberattacks-a-deep-dive-analysis-of-threat-actors-targeting-the-indonesian-ecosystem/
Old Services, New Tricks: Cloud Metadata Abuse by UNC2903 | Google Cloud Blog, accessed April 15, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cloud-metadata-abuse-unc2903
Timeline of events associated with Anonymous – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Timeline_of_events_associated_with_Anonymous
Why haven’t we heard anything from Anonymous (hacker “group”) lately? – Reddit, accessed April 15, 2025, https://www.reddit.com/r/NoStupidQuestions/comments/1ibkmj4/why_havent_we_heard_anything_from_anonymous/
Where is Anonymous : r/NoStupidQuestions – Reddit, accessed April 15, 2025, https://www.reddit.com/r/NoStupidQuestions/comments/1j55e30/where_is_anonymous/

Works cited

Related Posts

[April-18-2025] Daily Cybersecurity Threat Report

[April-07-2025] Daily Cybersecurity Threat Report

[April-26-2025] Daily Cybersecurity Threat Report