1. Executive Summary
Overview:
This report details significant cybersecurity incidents observed and reported within the 24-hour period ending April 15, 2025. The data indicates a highly active threat landscape characterized by a large volume of Distributed Denial-of-Service (DDoS) attacks, persistent Initial Access Broker (IAB) activity on underground forums, notable claims of government data breaches, and the offering of potentially high-impact exploits.
Key Trends:
- Hacktivist-Driven DDoS Campaigns: A substantial portion of the reported incidents involved DDoS attacks. Groups identifying as AnonSec, RuskiNet, Al Ahad, and Dark Storm Team were particularly active, launching disruptive attacks against targets primarily located in the United States, Israel, Ukraine, Poland, and Denmark. This activity aligns with a broader, documented increase in geopolitically motivated hacktivism, often leveraging DDoS as a primary tool for disruption and protest.[1] These attacks frequently target government, critical infrastructure, and symbolic commercial entities.
- Initial Access Brokerage: Multiple listings surfaced on underground forums (categorized as ‘openweb’ in the source data, likely referring to platforms like Exploit[.]in and BreachForums based on URLs) advertising initial access to corporate and government networks. This included Fortinet VPN access, Remote Desktop Protocol (RDP) access, Remote Desktop Web Access (RDweb), and general user or root-level compromises targeting organizations in Austria, Qatar, Spain, the USA, and Uruguay. This highlights the thriving market for initial access, which serves as a critical enabler for subsequent, often more damaging attacks such as ransomware deployment or espionage.[3]
- Government Data Breach Claims: Significant data breaches affecting government entities were claimed. Notably, the Prime Minister’s Department of Malaysia allegedly suffered a breach involving over 270GB of data, attributed to “R00TK1T ISC CYBER TEAM”. Separately, an actor named “ViralGod” claimed to possess data from Mexico’s national civil registry (Registro Nacional de Población), including extensive Personally Identifiable Information (PII). These incidents underscore the persistent targeting of sensitive government data and the potential for widespread impact on citizens.[5]
- Exploit Availability: A threat actor under the handle “Valerie” advertised the sale of an alleged zero-day exploit targeting a plugin common to TinyMCE and CKEditor 5 rich text editors. The exploit purportedly allows arbitrary file uploads leading to Remote Code Execution (RCE). The availability of such exploits on underground markets presents a significant risk, potentially enabling widespread compromise if acquired and utilized by malicious actors.[7]
Executive Summary Table:
| Incident Title | Threat Actor | Category | Victim Country | Victim Industry |
|---|---|---|---|---|
| Alleged sale of FortiVPN access to an unidentified organization in Austria | OpenProcess | Initial Access | Austria | |
| Alleged Data Breach of Malaysia’s Prime Minister’s Department | R00TK1T ISC CYBER TEAM | Data Breach | Malaysia | Government Administration |
| AnonSec targets the website of Oron Group Investments and Holdings Ltd | AnonSec | DDoS Attack | Israel | Civil Engineering |
| RuskiNet targets the website of Bleeping Computer | RuskiNet | DDoS Attack | USA | Computer & Network Security |
| AnonSec targets the website of vividservices.com | AnonSec | DDoS Attack | USA | |
| AnonSec targets the website of Southern Comfort Services | AnonSec | DDoS Attack | USA | |
| AnonSec targets the website of campbellremodeling.com | AnonSec | DDoS Attack | USA | |
| AnonSec targets the website of City of New Orleans | AnonSec | DDoS Attack | USA | Government Administration |
| AnonSec targets the website of innovation.us | AnonSec | DDoS Attack | USA | |
| AnonSec targets the website of Bankruptcy | AnonSec | DDoS Attack | USA | Financial Services |
| Alleged data breach of Registro Nacional de Población | ViralGod | Data Breach | Mexico | Government Relations |
| Al Ahad targets the website of MEKOROT | Al Ahad | DDoS Attack | Israel | Energy & Utilities |
| Alleged data leak of Zytglogge Verlag AG | Blinkers | Data Breach | Switzerland | Publishing Industry |
| Alleged sale of rdp access to a Cibercrimen Police in Uruguay | NFTGuyDAH | Initial Access | Uruguay | Law Enforcement |
| Alleged Sale of Zero-Day File Upload Exploit for TinyMCE/CKEditor 5 Plugin | Valerie | Vulnerability | | |
| Al Ahad targets the website of UNITE Ukrainian Infrastructure Association | Al Ahad | DDoS Attack | Ukraine | Building and construction |
| RuskiNet targets the website of DSB | RuskiNet | DDoS Attack | Denmark | Transportation & Logistics |
| Al Ahad targets the website of Cabinet of Ministers of Ukraine | Al Ahad | DDoS Attack | Ukraine | Government Administration |
| Al Ahad targets the website of A.L. Gibor Ltd. | Al Ahad | DDoS Attack | Israel | Building and construction |
| Al Ahad targets the website of Oron Group Investments and Holdings Ltd | Al Ahad | DDoS Attack | Israel | Civil Engineering |
| Dark Storm Team targets the website of Grok | Dark Storm Team | DDoS Attack | USA | Information Technology (IT) Services |
| Alleged sale of RDweb Access to an unidentified organization in Qatar | Anon-WMG | Initial Access | Qatar | |
| Alleged sale of RDweb Access to an unidentified organization in Spain | Anon-WMG | Initial Access | Spain | |
| Alleged sale of RDweb Access to an unidentified organization in USA | Anon-WMG | Initial Access | USA | |
| Alleged leak of email credentials from German and mixed domains | TheLibertyCity | Data Leak | Germany | |
| Alleged sale of user access to an unidentified organization (bet****.site) | tyrese2024 | Initial Access | | |
| Alleged sale of root access to an unidentified organization (***view.online) | tyrese2024 | Initial Access | | |
| Alleged user access sale to an unidentified organization (****eamor.shop) | tyrese2024 | Initial Access | | |
| Alleged user access sale to an unidentified organization (******77bet.site) | tyrese2024 | Initial Access | | |
| Dark Storm Team targets the website of Zielona Góra City Hall | Dark Storm Team | DDoS Attack | Poland | Government Administration |
Second/Third-Order Implications:
The concurrent high volume of disruptive, often politically motivated DDoS attacks and the steady stream of initial access offerings on underground markets points towards a complex and multi-layered threat environment. While hacktivist groups generate noise and disruption, potentially aiming to influence public opinion or retaliate for geopolitical events [9], IABs operate more discreetly, providing the foundational access needed for financially motivated cybercrime (like ransomware) or state-sponsored espionage.[4] This parallel activity suggests that organizations face both overt disruption and covert infiltration attempts simultaneously. The DDoS attacks might even serve as a smokescreen, diverting security resources while other actors leverage purchased access to establish persistence.
Furthermore, the reliance on specific online platforms is evident. Hacktivist groups heavily utilize platforms like Telegram for coordinating attacks, claiming responsibility, and disseminating propaganda.[11] Conversely, the sale of initial access, exploits, and breached data predominantly occurs on specialized dark web or clear web forums such as BreachForums, Exploit[.]in, and XSS.is, as indicated by the publication URLs in the data.[5] This platform specialization underscores their critical roles within the cybercrime ecosystem, serving as hubs for communication, recruitment, and illicit commerce. Disrupting these platforms remains a key challenge for law enforcement and security organizations.
The targeting observed in the DDoS campaigns extends beyond symbolic websites to include critical infrastructure and essential services. Attacks on entities like Mekorot (Israel’s national water company), DSB (Danish State Railways), the City of New Orleans government website, and even the cybersecurity news outlet Bleeping Computer demonstrate a willingness to disrupt services with real-world consequences. This aligns with growing concerns and observed incidents involving attacks targeting Operational Technology (OT) systems, where cyber actions can have physical effects.[9] While the reported DDoS attacks primarily impact website availability, they signal the intent and capability to target sectors vital to public function and safety.
2. Detailed Incident Analysis
Incident: Alleged sale of FortiVPN access to an unidentified organization in Austria
Date Reported: April 15, 2025, 06:15 UTC
Category: Initial Access
Victim:
- Organization: Unidentified
- Country: Austria
- Industry: Unspecified
- Website (if applicable): Not specified
Summary: A threat actor, using the handle “OpenProcess,” advertised the sale of Fortinet Virtual Private Network (VPN) and Local Administrator access to an unspecified organization located in Austria. The listing was posted on the XSS.is underground forum. FortiVPN access is highly sought after by malicious actors as it provides a direct entry point into a target organization’s internal network, potentially bypassing perimeter defenses. Combined with Local Administrator privileges, this access could allow an attacker to move laterally, deploy malware (such as ransomware), exfiltrate data, or establish long-term persistence. This incident represents typical Initial Access Broker (IAB) activity, where compromised access is sold to other threat actors who will carry out the main attack.
Threat Actor Profile: OpenProcess
- Analysis: The provided research materials do not contain specific intelligence on a threat actor group or individual operating under the name “OpenProcess.” However, “OpenProcess” is a well-known Windows Application Programming Interface (API) function.[16] This API is commonly used in malware development, particularly for process injection techniques, where malicious code is inserted into legitimate processes to evade detection.[16] Microsoft Defender Antivirus detects malicious behaviors associated with this API call under signatures like “Behavior:Win32/OpenProcess.B”.[17] It is plausible that the actor handle “OpenProcess” was chosen in reference to this technical function, potentially indicating involvement in malware development or exploitation leveraging such techniques. Alternatively, it could simply be a chosen alias without deeper meaning. The activity itself (selling VPN and admin access) is characteristic of IABs operating on cybercrime forums. Without further information linking this specific handle to known campaigns or infrastructure, attribution remains limited to this single forum post.
Evidence & Sources:
- Publication URL: https://xss.is/threads/136202/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/33735807-71d0-40a8-a501-a58b4782afef.png
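Added illustration (not part of the original report, and not code from Microsoft or Sysinternals): the analysis above notes that OpenProcess is the API behind most process-injection techniques, and that Defender keys a behavioral signature on it. A defender can apply the same idea to endpoint telemetry by inspecting the access mask each handle was granted. The script below runs such a rule over a few constructed event lines written in a key=value shape loosely modelled on the Sysmon Event ID 10 (ProcessAccess) fields SourceImage, TargetImage and GrantedAccess; the access-right constants are the documented Windows values, while the event format, the sample paths and the allowlist of benign source images are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Process access rights from winnt.h; OpenProcess() requests a mask built from these.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_ALL_ACCESS = 0x1FFFFF

RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
    PROCESS_QUERY_INFORMATION: "PROCESS_QUERY_INFORMATION",
}

# The minimum set a caller needs to write code into another process and start it.
INJECTION_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_CREATE_THREAD

# Assumed allowlist of system binaries that legitimately open other processes with
# broad rights; a real deployment would tune this to its own EDR/backup agents.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample events (not real telemetry) in a key=value shape modelled on
# Sysmon Event ID 10 fields.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Users\bob\AppData\Local\Temp\update.exe TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1400",
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\conhost.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Users\bob\Downloads\invoice.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x2A",
    r"EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe",
]


@dataclass
class ProcessAccess:
    source: str
    target: str
    granted: int


def parse_event(line: str) -> Optional[ProcessAccess]:
    """Parse one key=value event line; return None unless it is a ProcessAccess event."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "10":
        return None
    try:
        granted = int(fields["GrantedAccess"], 16)
    except (KeyError, ValueError):
        return None
    return ProcessAccess(fields.get("SourceImage", ""), fields.get("TargetImage", ""), granted)


def describe_rights(mask: int) -> List[str]:
    """Name the individual rights present in an access mask, for analyst-readable alerts."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def is_suspicious(ev: ProcessAccess) -> bool:
    """Flag handles carrying enough rights to inject code, unless the caller is allowlisted."""
    if ev.source.lower() in BENIGN_SOURCES:
        return False
    if (ev.granted & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
        return True
    return (ev.granted & INJECTION_RIGHTS) == INJECTION_RIGHTS


def scan(lines: Iterable[str]) -> List[dict]:
    """Run the rule over raw event lines; return one alert dict per suspicious handle."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev and is_suspicious(ev):
            alerts.append({"source": ev.source, "target": ev.target,
                           "rights": describe_rights(ev.granted)})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['source']} -> {a['target']}: {', '.join(a['rights'])}")
```

Of the five sample lines, only the Temp-folder binary requesting PROCESS_ALL_ACCESS and the Downloads-folder binary requesting exactly the injection trio are flagged; the Task Manager query and the allowlisted csrss.exe handle are not, and the non-ProcessAccess event is ignored.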
Incident: Alleged Data Breach of Malaysia’s Prime Minister’s Department
Date Reported: April 15, 2025, 06:11 UTC
Category: Data Breach
Victim:
- Organization: Prime Minister’s Office of Malaysia
- Country: Malaysia
- Industry: Government Administration
- Website (if applicable): pmo.gov.my
Summary: The threat actor group “R00TK1T ISC CYBER TEAM” claimed responsibility for breaching the network of Malaysia’s Prime Minister’s Department (PMO). The group asserted they exfiltrated over 270GB of data. As initial proof, they leaked a folder purportedly related to the logistics and facilities sector of the PMO via their Telegram channel. The group announced intentions to leak the remaining data incrementally throughout the week. A breach of this scale against a high-profile government entity like the Malaysian PMO could expose sensitive national information, internal communications, and potentially compromise government operations and citizen data.
Threat Actor Profile: R00TK1T ISC CYBER TEAM
- Analysis: R00TK1T ISC Cyber Team is a known hacking group that has previously targeted Malaysian infrastructure. In late January 2024, the group announced via Telegram its intention to launch a cyber campaign against Malaysia, prompting an alert from the National Cyber Coordination and Command Centre (NC4).[11] Their motivations have been described inconsistently; one source suggests they acted as a “retaliation team” against cyber campaigns stemming from the Middle East conflict [11], while another labels them a “pro-Israeli hacktivist group”.[19] This contradiction may indicate shifting alliances, misreporting, or deliberate obfuscation by the group itself. Historically, R00TK1T has targeted various sectors globally, including education, transportation, healthcare, and telecommunications.[11] Their methods reportedly involve exploiting known vulnerabilities and leveraging insider threats or disgruntled employees.[11] Past claimed (though sometimes unverified) targets include L’Oreal and Qatar Airways.[18] Their recent focus on Malaysia included attacks on telecommunications provider Maxis, where they refuted the company’s claims of limited impact and threatened further action [18], and Aminia.[19] The group actively uses Telegram for announcements, threats, and data leaks.[11] The current claim against the Malaysian PMO aligns with their previously stated intent and targeting history within the country.
Evidence & Sources:
- Publication URL: https://t.me/R00TK1TOFF/779
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/7ce0b4c5-9864-4754-9732-0c779bf35eb6.png
Incident: AnonSec targets the website of Oron Group Investments and Holdings Ltd
Date Reported: April 15, 2025, 06:11 UTC
Category: DDoS Attack
Victim:
- Organization: Oron Group Investments and Holdings Ltd
- Country: Israel
- Industry: Civil Engineering
- Website (if applicable): oron-group.co.il
Summary: The hacktivist group “AnonSec” claimed responsibility for conducting a Distributed Denial-of-Service (DDoS) attack against the website of Oron Group Investments and Holdings Ltd, an Israeli civil engineering company. The claim was made via a Telegram channel, accompanied by links to check-host.net reports intended to serve as proof of the website’s downtime. This attack is part of a broader pattern of DDoS activity by AnonSec observed during this reporting period, primarily targeting Israeli and US entities.
Threat Actor Profile: AnonSec
- Analysis: “AnonSec” is a name associated with hacktivist operations, gaining notoriety for a claimed major data leak from NASA systems in 2016.[20] The name strongly suggests an affiliation with or inspiration from the wider Anonymous collective, a decentralized global hacktivist movement known since the early 2000s.[21] Anonymous groups typically engage in DDoS attacks, website defacements, and data leaks, often driven by political protest, anti-censorship stances, or social justice causes.[21] Their operations are characterized by a decentralized structure and the use of the Guy Fawkes mask motif.[21] The current wave of DDoS attacks attributed to AnonSec, targeting Israeli and US organizations (including government, financial services, and various businesses), aligns with established Anonymous tactics [21] and reflects the recent surge in geopolitically motivated DDoS campaigns often linked to conflicts like the Israel-Palestine situation.[1] The use of Telegram for claims and check-host.net links for proof of impact is also a common practice among contemporary hacktivist groups, including those operating under the Anonymous banner or similar ideologies.[13] While the specific “AnonSec” moniker hasn’t been as prominent in recent reporting compared to groups like Anonymous Sudan or NoName057(16) [1], the observed TTPs firmly place this activity within the sphere of Anonymous-style hacktivism. It may represent a specific cell, a revived older banner, or simply one of many loosely affiliated actors using the Anonymous brand.
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/224
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/fd877148-5d28-44a3-913e-598b20ad6fe8.jpg
- DDoS Proof:
- https://check-host.net/check-report/24fcb91akfe7
- https://check-host.net/check-report/24fcb994kb4a
Incident: RuskiNet targets the website of Bleeping Computer
Date Reported: April 15, 2025, 05:55 UTC
Category: DDoS Attack
Victim:
- Organization: Bleeping Computer
- Country: USA
- Industry: Computer & Network Security
- Website (if applicable): bleepingcomputer.com
Summary: The threat group “RuskiNet” claimed responsibility for a DDoS attack targeting Bleeping Computer, a prominent cybersecurity news and support website. The claim was posted on Telegram, including a check-host.net link as evidence of the site’s disruption. Targeting a major cybersecurity news outlet is often symbolic, aiming to disrupt the flow of security information or gain notoriety within the cybersecurity community.
Threat Actor Profile: RuskiNet
- Analysis: RuskiNet has been identified conducting DDoS attacks, with at least one prior instance targeting the “Access Israel” website, which focuses on Israeli security research.[5] The name “RuskiNet” strongly implies a pro-Russian affiliation. This aligns with the emergence and heightened activity of numerous pro-Russian hacktivist groups following the full-scale invasion of Ukraine in 2022.[9] These groups, such as the People’s Cyber Army of Russia (PCA), NoName057(16), and Cyber Army of Russia Reborn, commonly employ DDoS attacks against nations and organizations perceived as opposing Russian interests, including Ukraine, NATO members, and their allies.[12] The targeting of a US-based cybersecurity news site (Bleeping Computer) and a Danish transportation entity (DSB) by RuskiNet fits this pattern of attacking entities in Western countries often seen as adversaries by pro-Russian groups. Like many hacktivist outfits, RuskiNet appears to use Telegram for communication and attack claims, providing check-host.net links as proof.[9] While the provided materials confirm RuskiNet’s activity and likely pro-Russian stance, they do not detail its specific structure, size, or relationship to larger, more documented groups like PCA or NoName057(16).[2] RuskiNet may be a smaller, newer, or less centrally organized entity within the broader pro-Russian hacktivist ecosystem.
Evidence & Sources:
- Publication URL: https://t.me/c/2577273080/191
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/40af6a35-925f-422d-9eb4-6c165af28690.png
- DDoS Proof:
- https://check-host.net/check-report/24fbb804kc3c
Incident: AnonSec targets the website of vividservices.com
Date Reported: April 15, 2025, 05:00 UTC
Category: DDoS Attack
Victim:
- Organization: vividservices
- Country: USA
- Industry: Unspecified
- Website (if applicable): vividservices.com
Summary: The hacktivist group “AnonSec” claimed another DDoS attack, this time targeting vividservices.com, a US-based entity. The claim appeared on Telegram with a check-host.net link as purported proof of disruption. This continues the pattern of AnonSec’s attacks against US targets during this period.
Threat Actor Profile: AnonSec
- Analysis: As detailed previously (see incident “AnonSec targets the website of Oron Group Investments and Holdings Ltd”), AnonSec operates within the Anonymous hacktivist framework.[20] Their use of DDoS attacks against US targets, communication via Telegram, and provision of check-host.net links are consistent with contemporary hacktivist methodologies, particularly those associated with Anonymous or similar politically motivated groups.[1] This attack adds to the volume of activity attributed to this handle during the reporting period.
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/523492dd-f493-49f2-8638-7ab5f7f8d47d.png
- https://d34iuop8pidsy8.cloudfront.net/fc39068a-f84b-4db1-a0f2-5530c93a1488.png
- DDoS Proof:
- https://check-host.net/check-report/24fc69f7kd54
Incident: AnonSec targets the website of Southern Comfort Services
Date Reported: April 15, 2025, 04:58 UTC
Category: DDoS Attack
Victim:
- Organization: Southern Comfort Services
- Country: USA
- Industry: Unspecified (Likely HVAC/Home Services based on name)
- Website (if applicable): southerncomfortservices.com
Summary: “AnonSec” claimed responsibility for a DDoS attack targeting southerncomfortservices.com, another US-based business website. The claim was made on Telegram, including a check-host.net link as evidence. This attack further contributes to the series of DDoS incidents attributed to AnonSec against US entities.
Threat Actor Profile: AnonSec
- Analysis: Consistent with previous incidents attributed to AnonSec in this report, this DDoS attack aligns with the known tactics and targeting patterns of Anonymous-affiliated hacktivist groups.[20] The use of Telegram and check-host.net links remains standard practice for such groups claiming responsibility for disruptive actions.[13]
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/9a78387f-99b0-4d11-a364-0f9aa7accd3d.png
- https://d34iuop8pidsy8.cloudfront.net/f4352713-e5a3-4a3c-a0b2-4aedabedee86.png
- DDoS Proof:
- https://check-host.net/check-report/24fc68f4k990
Incident: AnonSec targets the website of campbellremodeling.com
Date Reported: April 15, 2025, 04:54 UTC
Category: DDoS Attack
Victim:
- Organization: campbellremodeling
- Country: USA
- Industry: Unspecified (Likely Construction/Remodeling)
- Website (if applicable): campbellremodeling.com
Summary: The hacktivist group “AnonSec” continued its campaign, claiming a DDoS attack against campbellremodeling.com, a US-based website. Evidence in the form of a check-host.net link was provided alongside the claim on Telegram.
Threat Actor Profile: AnonSec
- Analysis: This incident is another example of the DDoS activity attributed to AnonSec during this reporting period. The targeting of a US-based commercial website, the method of attack (DDoS), and the communication channel (Telegram) are all consistent with the profile of Anonymous-related hacktivist operations.[20]
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/8843f8a1-052e-4d72-a503-2fd7a022122b.png
- https://d34iuop8pidsy8.cloudfront.net/5dcb3880-af41-4189-bbab-3d5e72c76d73.png
- DDoS Proof:
- https://check-host.net/check-report/24fc6c28kbb
Incident: AnonSec targets the website of City of New Orleans
Date Reported: April 15, 2025, 04:51 UTC
Category: DDoS Attack
Victim:
- Organization: City of New Orleans
- Country: USA
- Industry: Government Administration
- Website (if applicable): nola.gov
Summary: “AnonSec” claimed a DDoS attack against the official website of the City of New Orleans (nola.gov). The claim, posted on Telegram, included a check-host.net link as purported proof of the disruption. Targeting government websites is a common tactic for hacktivist groups seeking to make a political statement or cause disruption to public services.
Threat Actor Profile: AnonSec
- Analysis: This attack on a US city government website fits squarely within the typical target profile for Anonymous-affiliated hacktivist groups.[21] DDoS remains a primary tool for these groups to express dissent or cause disruption.[2] The methodology (DDoS, Telegram claim, check-host link) is consistent with other AnonSec activities reported today and with broader hacktivist trends.[1]
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/12fe798a-f039-4444-887e-152246e26bef.png
- https://d34iuop8pidsy8.cloudfront.net/d9895146-ba45-413c-a063-b3470e94e837.png
- DDoS Proof:
- https://check-host.net/check-report/24fc7189ka7c
Incident: AnonSec targets the website of innovation.us
Date Reported: April 15, 2025, 04:46 UTC
Category: DDoS Attack
Victim:
- Organization: innovation
- Country: USA
- Industry: Unspecified
- Website (if applicable): innovation.us
Summary: The hacktivist group “AnonSec” claimed another DDoS attack, targeting the US domain innovation.us. The claim was made via Telegram, accompanied by a check-host.net link.
Threat Actor Profile: AnonSec
- Analysis: This incident adds to the volume of DDoS attacks against US-based websites attributed to AnonSec in this report. The tactics and communication methods remain consistent with previous observations and the general profile of Anonymous-related hacktivism.[20]
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4ee251f7-3372-4e18-954d-a53f0a61d668.png
- https://d34iuop8pidsy8.cloudfront.net/4aef3254-0d2b-4db7-bd76-a9fbef06466e.png
- DDoS Proof:
- https://check-host.net/check-report/24fc4730k3f3
Incident: AnonSec targets the website of Bankruptcy
Date Reported: April 15, 2025, 04:41 UTC
Category: DDoS Attack
Victim:
- Organization: Bankruptcy (Potentially a service or informational site)
- Country: USA
- Industry: Financial Services (Implied)
- Website (if applicable): bankruptcy.us
Summary: “AnonSec” claimed responsibility for a DDoS attack targeting the US domain bankruptcy.us, likely a site related to financial services or bankruptcy information. The claim was posted on Telegram with a check-host.net link. Targeting financial sector related sites is also a common tactic for hacktivists aiming for economic disruption or symbolic impact.
Threat Actor Profile: AnonSec
- Analysis: This attack on a US-based, likely finance-related website continues the pattern of AnonSec’s activity. The methods (DDoS) and communication (Telegram claim with proof link) are consistent with Anonymous-style hacktivism.[20] Financial services are a frequent target for disruptive attacks.[1]
Evidence & Sources:
- Publication URL: https://t.me/c/2389372004/220
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/f7f14e4f-9e70-40b0-98df-ff220a835655.png
- https://d34iuop8pidsy8.cloudfront.net/a66c9c88-0769-4c99-937b-fb1516e901f9.png
- DDoS Proof:
- https://check-host.net/check-report/24fc42efk379
Incident: Alleged data breach of Registro Nacional de Población
Date Reported: April 15, 2025, 03:56 UTC
Category: Data Breach
Victim:
- Organization: Registro Nacional de Población (RENAPO – National Population Registry)
- Country: Mexico
- Industry: Government Relations
- Website (if applicable): gob.mx (Parent domain for Mexican government)
Summary: A threat actor using the handle “ViralGod” claimed on the BreachForums platform to have breached and be selling access to query Mexico’s national civil registry database (RENAPO). The actor stated the data includes sensitive Personally Identifiable Information (PII) such as full names, CURP (Unique Population Registry Code), dates of birth, family relationships, and potentially marriage and death certificates. Access to such a comprehensive government database would represent a severe national security and citizen privacy incident for Mexico.
Threat Actor Profile: ViralGod
- Analysis: “ViralGod” is a known threat actor operating on cybercrime forums, specifically BreachForums.[6] Their documented activity shows a clear specialization in acquiring and trading large datasets containing PII, with a particular focus on Latin American countries. Previous posts attributed to ViralGod include offering for sale a database containing information on over 14.5 million Chilean citizens (including names, addresses, and Tax IDs) and leaking a collection of 49 SQL databases allegedly sourced from various Mexican websites, containing user emails, names, addresses, and phone numbers.[6] The current claim regarding RENAPO aligns perfectly with this established modus operandi: targeting major government or commercial data repositories in Latin America and offering the data or access for sale on specific underground forums. This consistent focus suggests ViralGod possesses methods or sources enabling access to significant data troves within the region.
Evidence & Sources:
- Publication URL: https://breachforums.st/Thread-SELLING-REGISTRO-CIVIL-MEXICO-QUERIES-GET-FAMILY-INFORMATION-FROM-ANY-CITIZEN
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/7de52493-e0cc-4c40-98e0-e0fc26cf5cd0.png
Incident: Al Ahad targets the website of MEKOROT
Date Reported: April 15, 2025, 03:51 UTC
Category: DDoS Attack
Victim:
- Organization: Mekorot (Israel National Water Co.)
- Country: Israel
- Industry: Energy & Utilities
- Website (if applicable): mekorot.co.il
Summary: The hacktivist group “Al Ahad” claimed responsibility for a DDoS attack targeting the website of Mekorot, Israel’s national water company. The claim was made on Telegram, including a check-host.net link as purported evidence of the disruption. Targeting critical infrastructure like a national water company, even via a website DDoS, carries significant symbolic weight and highlights potential risks to essential services.
Threat Actor Profile: Al Ahad
- Analysis: Al Ahad is identified as an Iraqi anti-Israeli hacktivist group known for conducting DDoS attacks.[26] Their targeting primarily focuses on Israeli organizations (like Mekorot, A.L. Gibor Ltd., and Oron Group, as seen in today’s reports) and entities perceived as supporting Israel, such as the Ukrainian government and infrastructure organizations also targeted today. The group actively uses Telegram for communication and attack claims.[26] Notably, Al Ahad has demonstrated adaptability in maintaining its online presence; following Telegram policy changes in late 2024, the group announced a move to Signal but ultimately maintained active Telegram channels, sometimes under new names like “Al Ahad Security,” and attempted to frame their activities as compliant with platform rules while still promoting disruptive actions.[26] They even briefly operated a Hebrew-language channel.[26] This persistence and adaptation suggest a degree of organization and commitment characteristic of established hacktivist groups operating within specific geopolitical contexts. Their attacks align with their stated anti-Israeli stance.
Evidence & Sources:
- Publication URL: https://t.me/qayzerowns/74
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/7bc9148e-1abf-4349-a310-d6b882473912.png
- DDoS Proof:
- https://check-host.net/check-report/24fb48a6k6a5
Incident: Alleged data leak of Zytglogge Verlag AG
Date Reported: April 15, 2025, 03:22 UTC
Category: Data Breach (Reported as Data Leak, but involves credentials)
Victim:
- Organization: Zytglogge Verlag AG
- Country: Switzerland
- Industry: Publishing Industry
- Website (if applicable): zytglogge.ch
Summary: A threat actor using the handle “Blinkers” claimed on BreachForums to have leaked data originating from Zytglogge Verlag AG, a Swiss publishing house. The actor stated the data comprises information on 4464 users, specifically including email addresses and passwords. The post indicated the breach occurred in 2022. Leaking email and password combinations, even from older breaches, poses risks such as credential stuffing attacks against other services where users might have reused passwords.
Threat Actor Profile: Blinkers
- Analysis: The provided research materials do not contain information about a threat actor or group named “Blinkers.” While snippets discuss Indicators of Compromise (IOCs), the forensic evidence left behind by attackers [27], they do not mention this specific actor name. The incident itself, leaking user credentials allegedly from a past breach (2022) on a public forum like BreachForums, is a common tactic used by various actors. Motivations can range from building reputation within the cybercrime community to potentially selling more complete datasets privately or simply releasing old data with limited perceived value. The name “Blinkers” appears to be a unique handle used by the individual posting the data, lacking established context or links to known threat groups within the scope of the provided research.
Evidence & Sources:
- Publication URL: https://breachforums.st/Thread-DATABASE-Zytglogge-ch-Leaked-Download
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/d0f95a32-6fff-4cae-9a86-59ad8ec233ac.png
Incident: Alleged sale of RDP access to a Cibercrimen Police entity in Uruguay
Date Reported: April 15, 2025, 03:07 UTC
Category: Initial Access
Victim:
- Organization: Cibercrimen Police (Specific Unit/Agency Unclear)
- Country: Uruguay
- Industry: Law Enforcement
- Website (if applicable): gub.uy/ministerio-interior/tematica/cibercrimen (Ministry of Interior Cybercrime page)
Summary: A threat actor with the handle “NFTGuyDAH” posted on BreachForums claiming to sell Remote Desktop Protocol (RDP) access to a “Cibercrimen Police” entity in Uruguay. RDP access allows direct remote control of a system, and compromising a law enforcement agency, particularly a cybercrime unit, is a highly sensitive event. Such access could be used for espionage, data theft, disruption of investigations, or planting false evidence.
Threat Actor Profile: NFTGuyDAH
- Analysis: The available research does not profile a threat actor known as “NFTGuyDAH.” Snippets cover various known Advanced Persistent Threat (APT) groups and general threat actor profiles [3] but do not mention this specific handle. The name itself might suggest a possible (past or present) interest or involvement in the Non-Fungible Token (NFT) space, but this is purely speculative based on the alias. The activity – selling RDP access to a sensitive target like a law enforcement agency on a known cybercrime forum – is a form of high-stakes Initial Access Brokerage. Such access is valuable and dangerous, potentially attracting sophisticated buyers. Without further intelligence connecting “NFTGuyDAH” to other activities or infrastructure, the actor remains identified only by this forum handle and this specific offering.
Evidence & Sources:
- Publication URL: https://breachforums.st/Thread-rdp-access-to-Uruguay-Cibercrimen-Police
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/809508b0-d722-4dbb-8495-c369be5b3397.png
Incident: Alleged Sale of Zero-Day File Upload Exploit for TinyMCE/CKEditor 5 Plugin
Date Reported: April 15, 2025, 02:37 UTC
Category: Vulnerability
Victim:
- Organization: Users of TinyMCE / CKEditor 5 plugins (Specific plugin unnamed)
- Country: Not Applicable (Software Vulnerability)
- Industry: Not Applicable (Software Vulnerability)
- Website (if applicable): Not Applicable
Summary: A threat actor using the handle “Valerie” advertised on BreachForums the sale of an alleged exclusive zero-day exploit. The exploit targets an unnamed plugin used in both TinyMCE and CKEditor 5, popular rich text editors widely integrated into web applications and content management systems. According to the seller, the vulnerability allows for arbitrary file upload, leading to Remote Code Execution (RCE). A zero-day RCE vulnerability in commonly used components like these editors represents a significant threat, potentially allowing attackers to compromise numerous websites and web applications that utilize the vulnerable plugin.
Threat Actor Profile: Valerie
- Analysis: The provided research materials do not contain information on a threat actor known as “Valerie.” Snippets discuss the active exploitation of zero-day vulnerabilities in other products like Fortinet firewalls, Ivanti gateways, and Atlassian Confluence,[7] highlighting the ongoing threat posed by such flaws. However, the actor “Valerie” is not mentioned in these contexts. Selling zero-day exploits is a specialized activity within the cybercrime underground, often conducted by individual researchers/exploit developers or small groups who discover vulnerabilities and seek to monetize them before they become publicly known or patched. “Valerie” is likely the forum handle of the individual or entity offering this specific exploit for sale. The credibility of such claims often requires verification, but if legitimate, this exploit could be highly valuable to attackers seeking widespread web compromises.
Evidence & Sources:
- Publication URL: https://breachforums.st/Thread-SELLING-0day-Arbitrary-File-Upload-for-TinyMCE-CKEditor-5-Plugin
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/08345124-03c8-406a-bd0d-f74a44b543df.png
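The "arbitrary file upload leading to RCE" risk described above is, from the defender's side, a failure of server-side validation on the editor's upload endpoint. The following is an added example written for this report, not code from the report or from TinyMCE/CKEditor: a validator for an editor image-upload handler that ignores the client-declared filename and Content-Type, checks the bytes against an allowlist of image signatures, generates the stored name itself, and writes into a directory assumed to sit outside the web root. The function names, the allowlist, and the size cap are assumptions.

```python
import os
import secrets
from dataclasses import dataclass
from pathlib import Path

# Allowlist: extensions the editor may store, each with the leading bytes
# (file signature) that a genuine file of that type must start with.
ALLOWED_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # size cap for editor images (assumed policy)


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name, empty when rejected


def _extension_of(client_filename: str) -> str:
    """Last suffix of the client-supplied name, lower-cased. Path separators
    are stripped first, so "../../x.png" and "C:\\x.png" both reduce to "x.png"."""
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def validate_upload(client_filename: str, data: bytes) -> UploadDecision:
    """Decide whether an editor upload may be stored.

    The request's Content-Type header is deliberately not an input: it is
    chosen by the client and proves nothing. Only the bytes and the
    allowlist decide."""
    if len(data) > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "too large")
    ext = _extension_of(client_filename)
    if ext not in ALLOWED_SIGNATURES:
        # Covers .php, .phtml, .jsp, .aspx, .html, .svg and everything else
        # not explicitly allowed, including names with no extension at all.
        return UploadDecision(False, f"extension {ext!r} not allowed")
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        # A script body renamed to .png fails here although the extension passed.
        return UploadDecision(False, "content does not match image type")
    # Server-generated name: no attacker-chosen path components, no double
    # extensions ("shell.php.png" becomes "<random>.png"), no collisions.
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def store_upload(client_filename: str, data: bytes, upload_root: Path) -> UploadDecision:
    """Validate, then write into upload_root, which is assumed to live outside
    the web root and to be served by a handler that never executes content.
    That placement is the last line of defence against image/script polyglots
    that satisfy both the extension and the signature check."""
    decision = validate_upload(client_filename, data)
    if not decision.accepted:
        return decision
    upload_root.mkdir(parents=True, exist_ok=True)
    target = upload_root / decision.stored_name
    # O_EXCL: fail rather than overwrite if the random name already exists.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return decision
```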
Incident: Al Ahad targets the website of UNITE Ukrainian Infrastructure Association
Date Reported: April 15, 2025, 02:08 UTC
Category: DDoS Attack
Victim:
- Organization: UNITE Ukrainian Infrastructure Association
- Country: Ukraine
- Industry: Building and construction
- Website (if applicable): unite.org.ua
Summary: The hacktivist group “Al Ahad” claimed a DDoS attack against the website of the UNITE Ukrainian Infrastructure Association. The claim was posted on Telegram with a check-host.net link as proof. This targeting of a Ukrainian entity aligns with Al Ahad’s anti-Israeli stance, often extending attacks to perceived allies or opponents of their primary targets.
Threat Actor Profile: Al Ahad
- Analysis: As previously detailed (see incident “Al Ahad targets the website of MEKOROT”), Al Ahad is an Iraqi anti-Israeli hacktivist group active on Telegram.[26] While their primary focus is Israel, they have been observed targeting entities in countries perceived as supporting Israel or opposing their geopolitical alignment, which can include Ukraine in the context of complex international relations and alliances. This attack fits that pattern. Their use of DDoS and Telegram for claims is consistent with their established TTPs.[26]
Evidence & Sources:
- Publication URL: https://t.me/qayzerowns/75
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/e7bd5443-71a9-4f44-86a0-20a0717b110e.png
- DDoS Proof:
- https://check-host.net/check-report/24fb9835kb47
Incident: RuskiNet targets the website of DSB
Date Reported: April 15, 2025, 02:04 UTC
Category: DDoS Attack
Victim:
- Organization: DSB (Danske Statsbaner – Danish State Railways)
- Country: Denmark
- Industry: Transportation & Logistics
- Website (if applicable): dsb.dk
Summary: The threat group “RuskiNet” claimed a DDoS attack against the website of DSB, the Danish state-owned railway company. The claim was made via Telegram, including a check-host.net link. Targeting national transportation infrastructure, even the public-facing website, is a common tactic for hacktivist groups seeking to cause disruption and gain attention.
Threat Actor Profile: RuskiNet
- Analysis: As established previously (see incident “RuskiNet targets the website of Bleeping Computer”), RuskiNet is a likely pro-Russian hacktivist group conducting DDoS attacks.[5] Targeting Denmark, a NATO member and supporter of Ukraine, aligns with the typical targeting strategy of pro-Russian hacktivist groups like NoName057(16) and others who frequently attack entities in European nations perceived as adversaries.[9] The use of DDoS and Telegram claims is consistent with their observed methods.
Evidence & Sources:
- Publication URL: https://t.me/c/2577273080/190
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/9765e56b-c297-478e-bc48-7fedcb02f7ae.png
- DDoS Proof:
- https://check-host.net/check-report/24fb34b1kc6
Incident: Al Ahad targets the website of Cabinet of Ministers of Ukraine
Date Reported: April 15, 2025, 02:02 UTC
Category: DDoS Attack
Victim:
- Organization: Cabinet of Ministers of Ukraine
- Country: Ukraine
- Industry: Government Administration
- Website (if applicable): kmu.gov.ua
Summary: The hacktivist group “Al Ahad” claimed another DDoS attack, this time targeting the official website of the Cabinet of Ministers of Ukraine. The claim was posted on Telegram with a check-host.net link. This represents a direct attack on a high-level government body of Ukraine.
Threat Actor Profile: Al Ahad
- Analysis: Consistent with their profile as an Iraqi anti-Israeli group,[26] Al Ahad’s targeting of Ukrainian government entities likely stems from perceived alliances or geopolitical positioning related to the Middle East conflict or broader international alignments. The methods (DDoS, Telegram claim, proof link) align with their standard operating procedures.[26]
Evidence & Sources:
- Publication URL: https://t.me/qayzerowns/75
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/5918faaa-c3e6-4493-9005-9229b912e976.png
- DDoS Proof:
- https://check-host.net/check-report/24fb8ed8ke5b
Incident: Al Ahad targets the website of A.L. Gibor Ltd.
Date Reported: April 15, 2025, 01:58 UTC
Category: DDoS Attack
Victim:
- Organization: A.L. Gibor Ltd.
- Country: Israel
- Industry: Building and construction
- Website (if applicable): al-gibor.com
Summary: “Al Ahad” claimed responsibility for a DDoS attack against the website of A.L. Gibor Ltd., an Israeli construction company. The claim was made on Telegram, including a check-host.net link.
Threat Actor Profile: Al Ahad
- Analysis: This attack directly aligns with Al Ahad’s primary motivation as an anti-Israeli hacktivist group.[26] Targeting Israeli commercial entities, regardless of sector, is consistent with their campaign objectives. The use of DDoS via Telegram claims remains their standard tactic.[26]
Evidence & Sources:
- Publication URL: https://t.me/qayzerowns/74
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/c7c9bca1-7ab8-4fdc-ad1e-99161fcdc7b8.png
- DDoS Proof:
- https://check-host.net/check-report/24fb3872k572
Incident: Al Ahad targets the website of Oron Group Investments and Holdings Ltd
Date Reported: April 15, 2025, 01:55 UTC
Category: DDoS Attack
Victim:
- Organization: Oron Group Investments and Holdings Ltd
- Country: Israel
- Industry: Civil Engineering
- Website (if applicable): en.oron-group.co.il (English version targeted)
Summary: The hacktivist group “Al Ahad” claimed a DDoS attack targeting the English-language website of Oron Group Investments and Holdings Ltd, an Israeli civil engineering firm previously targeted by AnonSec earlier in the day. The claim was posted on Telegram with a check-host.net link.
Threat Actor Profile: Al Ahad
- Analysis: This attack further exemplifies Al Ahad’s focus on Israeli targets, consistent with their anti-Israeli hacktivist identity.[26] The targeting of the same company attacked by AnonSec earlier could be coincidental, indicate shared target lists among different hacktivist groups, or represent piling-on against a known vulnerable or symbolic target. The methods remain consistent.[26]
Evidence & Sources:
- Publication URL: https://t.me/qayzerowns/74
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/27f2366b-4477-4376-8e99-b1761756b1f4.png
- DDoS Proof:
- https://check-host.net/check-report/24fb3c3dkba1
Incident: Dark Storm Team targets the website of Grok
Date Reported: April 15, 2025, 01:50 UTC
Category: DDoS Attack
Victim:
- Organization: Grok (Likely referring to xAI’s Grok AI)
- Country: USA
- Industry: Information Technology (IT) Services (AI)
- Website (if applicable): grok.com (Redirects to x.ai/grok)
Summary: The hacktivist group “Dark Storm Team” claimed responsibility for a DDoS attack targeting grok.com, associated with the AI service Grok developed by xAI. The claim was made on Telegram with a check-host.net link. Targeting high-profile tech companies or services is a common tactic for hacktivists seeking visibility.
Threat Actor Profile: Dark Storm Team
- Analysis: Dark Storm Team is identified as a pro-Palestinian hacktivist group active since late 2023, known for specializing in DDoS attacks.[13] They have previously claimed responsibility for attacks on major platforms like X (formerly Twitter), Snapchat, and US airports.[34] Their targets often include Western organizations, critical infrastructure, and entities in the US, Israel, Ukraine, and the UAE.[13] While politically motivated, the group also explicitly advertises DDoS-for-hire services, representing a blend of hacktivism and cybercrime-as-a-service.[13] They utilize Telegram for claims and employ “proof links” (like check-host.net) to validate their attacks, aiming to build credibility for both their political cause and their commercial offerings.[13] The attack on Grok, a high-profile US-based AI service, fits their pattern of targeting prominent Western technology entities.
Evidence & Sources:
- Publication URL: https://t.me/DarkStormTeam3/278
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/b17ad4cc-9a01-4a1f-bfe3-b57c8dac0ff6.png
- DDoS Proof:
- https://check-host.net/check-report/24fb625bk17a
Incident: Alleged sale of RDWeb access to an unidentified organization in Qatar
Date Reported: April 15, 2025, 01:13 UTC
Category: Initial Access
Victim:
- Organization: Unidentified
- Country: Qatar
- Industry: Unspecified
- Website (if applicable): Not specified
Summary: A threat actor using the handle “Anon-WMG” advertised the sale of Remote Desktop Web Access (RDWeb) to an unspecified organization located in Qatar. The listing was posted on the Exploit.in forum. RDWeb access provides a web-based portal to access Remote Desktop services, offering attackers a potential entry point into the organization’s network. This is another instance of IAB activity observed during this period.
Threat Actor Profile: Anon-WMG
- Analysis: The provided research materials do not contain specific information about a threat actor or group named “Anon-WMG.” General information about threat actors describes various types, including criminal groups motivated by profit and hacktivists driven by ideology.[3] IABs typically fall under the financially motivated category, selling access for profit.[10] The forum used (Exploit.in) is a known hub for such illicit sales. The name “Anon-WMG” is likely an alias used by an individual access broker operating on this forum. Without further intelligence linking this handle to specific campaigns or infrastructure, attribution is limited. The actor posted multiple similar listings for different countries around the same time.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257418/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4e5e9fff-b595-4782-ab7d-a12ea2dc4be0.png
Incident: Alleged sale of RDWeb access to an unidentified organization in Spain
Date Reported: April 15, 2025, 01:12 UTC
Category: Initial Access
Victim:
- Organization: Unidentified
- Country: Spain
- Industry: Unspecified
- Website (if applicable): Not specified
Summary: The threat actor “Anon-WMG” advertised the sale of RDWeb access to an unspecified organization located in Spain. This listing was posted on the Exploit.in forum, concurrently with similar offerings for Qatar and the USA by the same actor.
Threat Actor Profile: Anon-WMG
- Analysis: As noted in the previous incident involving this actor, “Anon-WMG” appears to be an individual access broker operating on the Exploit.in forum.[3] The lack of specific intelligence on this handle in the provided research prevents further attribution. This listing is part of a batch of access offerings posted by the actor.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257418/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4d829444-59df-4cc7-9072-107525bca3a0.png
Incident: Alleged sale of RDWeb access to an unidentified organization in the USA
Date Reported: April 15, 2025, 01:11 UTC
Category: Initial Access
Victim:
- Organization: Unidentified
- Country: USA
- Industry: Unspecified
- Website (if applicable): Not specified
Summary: The threat actor “Anon-WMG” advertised the sale of RDWeb access to an unspecified organization located in the USA. This listing was posted on the Exploit.in forum alongside similar offerings for Qatar and Spain.
Threat Actor Profile: Anon-WMG
- Analysis: Consistent with the other listings from “Anon-WMG,” this represents IAB activity on a known underground forum.[3] The actor appears to be offering access to organizations across multiple geographic regions. No further specific intelligence on “Anon-WMG” is available in the provided materials.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257418/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/546dcf86-0890-4583-b889-3c4c5e3e6591.png
Incident: Alleged leak of email credentials from German and mixed domains
Date Reported: April 15, 2025, 00:44 UTC
Category: Data Leak
Victim:
- Organization: Various (Users of German and mixed domains)
- Country: Germany (Primary focus), Others (Mixed)
- Industry: Various
- Website (if applicable): Not Applicable
Summary: A threat actor using the handle “TheLibertyCity” claimed on the Exploit.in forum to have leaked a database containing 165,000 valid email and password combinations. The credentials reportedly correspond to IMAP/POP3 email accounts, primarily from German domains but also including others (“mixed”). Such leaks fuel credential stuffing attacks, where automated tools test stolen username/password pairs against various online services.
Threat Actor Profile: TheLibertyCity
- Analysis: The provided research materials do not contain information linking the handle “TheLibertyCity” to known cybercriminal activities. However, snippets do discuss the “Liberty City Seven,” a group of men arrested in Miami in 2006 for allegedly plotting attacks in support of Al Qaeda.[36] This historical group, associated with the Moorish Science Temple sect “Seas of David,” appears entirely unrelated to the current incident involving the leak of German email credentials on a Russian-language cybercrime forum. The handle more plausibly references the fictional city of the Grand Theft Auto video game series, or the resemblance is coincidental. The activity itself – leaking a large volume of email credentials – is a common practice on such forums, often done to gain reputation or as a sample to advertise larger, private datasets for sale.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257417/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/62ed2818-b9dc-4f15-a37a-91f21e216608.png
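Both this incident and the Zytglogge leak above raise the same downstream risk: leaked email/password pairs replayed against mail services. The following is an added detection example written for this report, not code from the report or from any mail server project. It parses login lines and flags a source that tries many distinct accounts with mostly failures (credential stuffing looks different from brute force on one account), reporting any success from such a source as a probable takeover. The sample log is constructed and only approximates Dovecot's imap-login line format; that format, the thresholds and the function names are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample (not captured data), shaped like Dovecot imap-login lines.
# 203.0.113.7 tries eight mailboxes once each and gets one password right;
# 198.51.100.3 is a normal user; 192.0.2.9 is one user mistyping a password.
SAMPLE_LOG = """\
2025-04-15T00:44:01 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<anna@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:03 mx1 dovecot: imap-login: Login: user=<klaus@example.de>, method=PLAIN, rip=198.51.100.3, lip=10.0.0.5, mpid=4101, TLS
2025-04-15T00:44:04 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bernd@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:07 mx1 dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carla@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:09 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<heinz@example.de>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5, TLS
2025-04-15T00:44:10 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dieter@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:13 mx1 dovecot: imap-login: Login: user=<erika@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, mpid=4102, TLS
2025-04-15T00:44:15 mx1 dovecot: imap-login: Disconnected (auth failed, 2 attempts in 5 secs): user=<heinz@example.de>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5, TLS
2025-04-15T00:44:16 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<emil@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:19 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frida@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:21 mx1 dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<heinz@example.de>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5, TLS
2025-04-15T00:44:22 mx1 dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<gerd@example.de>, method=PLAIN, rip=203.0.113.7, lip=10.0.0.5, TLS
2025-04-15T00:44:30 mx1 dovecot: imap-login: Login: user=<heinz@example.de>, method=PLAIN, rip=192.0.2.9, lip=10.0.0.5, mpid=4103, TLS
2025-04-15T00:51:02 mx1 dovecot: imap-login: Login: user=<klaus@example.de>, method=PLAIN, rip=198.51.100.3, lip=10.0.0.5, mpid=4110, TLS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ dovecot: (?:imap|pop3)-login: "
    r"(?P<outcome>Login|Disconnected \(auth failed[^)]*\)): "
    r"user=<(?P<user>[^>]*)>.*?\brip=(?P<rip>[0-9a-fA-F.:]+)"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    rip: str       # remote IP of the client
    success: bool


def parse_line(line: str):
    """Return an Attempt for a login or auth-failure line, None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Attempt(datetime.fromisoformat(m["ts"]), m["user"].lower(),
                   m["rip"], m["outcome"] == "Login")


@dataclass
class Finding:
    rip: str
    distinct_users: int
    failures: int
    attempts: int
    compromised: list = field(default_factory=list)  # users that logged in from this source


def _densest_window(attempts, window):
    """Time-sorted slice no longer than `window` that touches the most distinct
    users. Brute force over start points; adequate for an example."""
    best = []
    for i, start in enumerate(attempts):
        cur = [a for a in attempts[i:] if a.ts - start.ts <= window]
        if len({a.user for a in cur}) > len({a.user for a in best}):
            best = cur
    return best


def detect_stuffing(log_text, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with mostly failures.

    Brute force on one account (many tries, one user) never meets the
    distinct-user threshold; a source replaying a leaked email/password list
    does. Any success inside the flagged window is a probable takeover."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        a = parse_line(line)
        if a is not None:
            by_ip[a.rip].append(a)
    findings = []
    for rip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a.ts)
        win = _densest_window(attempts, window)
        users = {a.user for a in win}
        failures = sum(1 for a in win if not a.success)
        if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
            findings.append(Finding(rip, len(users), failures, len(win),
                                    [a.user for a in win if a.success]))
    return findings
```

The flagged source is the one to block at the mail edge, and the accounts in `compromised` are the ones to reset; the user who failed three times on a single mailbox is correctly left alone.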
Incident: Alleged sale of user access to an unidentified organization (bet****.site)
Date Reported: April 15, 2025, 00:30 UTC
Category: Initial Access
Victim:
- Organization: Unidentified (Domain partially redacted: bet****.site)
- Country: Unspecified
- Industry: Unspecified (Possibly Gambling/Betting based on domain pattern)
- Website (if applicable): bet****.site (Partially redacted)
Summary: A threat actor with the handle “tyrese2024” advertised the sale of user-level access to an organization associated with the domain “bet****.site”. The listing was posted on the Exploit.in forum. User-level access can be a stepping stone for privilege escalation or used for specific actions depending on the permissions associated with the compromised account.
Threat Actor Profile: tyrese2024
- Analysis: The provided research materials do not contain specific intelligence on a threat actor named “tyrese2024.” Snippets discuss general cybercrime trends in 2024, including the industrialization of attacks through RaaS models and the focus on identity compromise,[4] as well as lists of top threat actors for that year,[40] but “tyrese2024” is not mentioned. The name is likely a handle used by an individual operating on the Exploit.in forum, engaging in IAB activities. The actor posted multiple access listings around the same time, suggesting they are actively involved in compromising or acquiring access to various websites/servers.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257416/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/10add6d9-4d11-45d6-a807-e1dccd48179a.png
Incident: Alleged sale of root access to an unidentified organization (***view.online)
Date Reported: April 15, 2025, 00:29 UTC
Category: Initial Access
Victim:
- Organization: Unidentified (Domain partially redacted: ***view.online)
- Country: Unspecified
- Industry: Unspecified
- Website (if applicable): ***view.online (Partially redacted)
Summary: The threat actor “tyrese2024” advertised the sale of root-level access to an organization associated with the domain “***view.online”. This listing was also posted on the Exploit.in forum. Root access represents the highest level of privilege on a Unix/Linux system, granting complete control over the server. This is highly valuable access for an attacker.
Threat Actor Profile: tyrese2024
- Analysis: As noted previously, “tyrese2024” appears to be an individual access broker operating on Exploit.in, not specifically profiled in the provided research.[4] This offering of root access indicates potentially deeper compromise capabilities compared to user-level access.
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257416/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/f1b27950-3908-463d-985c-9d1de1b370a0.png
Incident: Alleged user access sale to an unidentified organization (****eamor.shop)
Date Reported: April 15, 2025, 00:27 UTC
Category: Initial Access
Victim:
- Organization: Unidentified (Domain partially redacted: ****eamor.shop)
- Country: Unspecified
- Industry: Unspecified (Possibly E-commerce based on the .shop TLD)
- Website (if applicable): ****eamor.shop (Partially redacted)
Summary: The threat actor “tyrese2024” posted another listing on Exploit.in, this time offering user-level access to an organization with the domain “****eamor.shop”. The post included details about system uptime and server configuration, likely obtained post-compromise, as proof of access.
Threat Actor Profile: tyrese2024
- Analysis: This is another IAB listing from the actor “tyrese2024” on the Exploit.in forum. The inclusion of system details aims to increase the credibility of the access claim. No specific profile exists for this actor in the provided materials.[4]
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257416/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/5c07db0a-ea56-40db-acb4-c979a1cd6963.png
Incident: Alleged user access sale to an unidentified organization (******77bet.site)
Date Reported: April 15, 2025, 00:23 UTC
Category: Initial Access
Victim:
- Organization: Unidentified (Domain partially redacted: ******77bet.site)
- Country: Unspecified
- Industry: Unspecified (Possibly Gambling/Betting based on domain pattern)
- Website (if applicable): ******77bet.site (Partially redacted)
Summary: Continuing their activity, threat actor “tyrese2024” advertised user-level access for sale on Exploit.in, targeting an organization associated with the domain “******77bet.site”. Similar to the previous listing, details about system uptime and server configuration were included as proof.
Threat Actor Profile: tyrese2024
- Analysis: This fourth listing from “tyrese2024” reinforces their role as an active IAB on the Exploit.in forum. The pattern suggests they are either compromising multiple targets or acquiring access through other means for resale. No specific intelligence on this actor is available in the provided research.[4]
Evidence & Sources:
- Publication URL: https://forum.exploit.in/topic/257416/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/087d64ca-95b3-4111-bc3c-a9ba757fd95a.png
Incident: Dark Storm Team targets the website of Zielona Góra City Hall
Date Reported: April 15, 2025, 00:00 UTC
Category: DDoS Attack
Victim:
- Organization: Zielona Góra City Hall
- Country: Poland
- Industry: Government Administration
- Website (if applicable): zielona-gora.pl
Summary: The hacktivist group “Dark Storm Team” claimed responsibility for a DDoS attack targeting the official website of the Zielona Góra City Hall in Poland. The claim was made via Telegram, including a check-host.net link as evidence of disruption. Targeting government entities in Poland aligns with the geopolitical targeting patterns observed for some hacktivist groups, particularly those opposing support for Ukraine.
Threat Actor Profile: Dark Storm Team
- Analysis: As detailed previously (see incident “Dark Storm Team targets the website of Grok”), Dark Storm Team is a pro-Palestinian hacktivist group also operating as a DDoS-for-hire service.[13] While their primary stated motivation is pro-Palestinian, their targeting has included countries like Ukraine and its supporters (Poland being a key supporter).[13] This attack on a Polish government website fits within that broader targeting scope, potentially reflecting their political stance or fulfilling a DDoS-for-hire contract. Their use of Telegram and check-host.net links is consistent with their established methods.[13]
Evidence & Sources:
- Publication URL: https://t.me/DarkStormTeam3/276
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/eec28efb-fc86-49c5-baa5-02b41c979876.png
- https://d34iuop8pidsy8.cloudfront.net/e6fa923a-e1cc-41ac-a744-8f1b5933dcc5.png
- DDoS Proof:
- https://check-host.net/check-report/24faee7ek5d5
3. Concluding Remarks
Threat Landscape Summary:
The cybersecurity landscape on April 15, 2025, was marked by intense activity across several vectors. Hacktivist groups, notably AnonSec, Al Ahad, RuskiNet, and Dark Storm Team, executed numerous DDoS attacks, primarily driven by geopolitical tensions surrounding the Israel-Palestine and Russia-Ukraine conflicts. Their targets spanned government institutions, critical infrastructure (energy, transportation), commercial entities, and even cybersecurity information sources across the US, Israel, Ukraine, Denmark, and Poland. Concurrently, the underground market for initial access remained robust, with actors like OpenProcess, NFTGuyDAH, Anon-WMG, and tyrese2024 offering various forms of network access (VPN, RDP, RDWeb, user/root) on forums like XSS.is and Exploit.in. Significant data breach claims against high-profile government bodies in Malaysia (PMO) and Mexico (RENAPO) were made by R00TK1T ISC CYBER TEAM and ViralGod, respectively, highlighting the ongoing risk to sensitive public sector data. Additionally, the advertisement of a potential zero-day RCE exploit for widely used web editor plugins underscores the continuous development and trade of tools enabling broad compromises. Platforms like Telegram remain central for hacktivist communication and claims,[13] while specific forums serve as marketplaces for illicit access and data.[6]
Key Actor Activity:
Several threat groups demonstrated notable activity:
- AnonSec: Conducted a high volume of DDoS attacks primarily targeting US and Israeli entities, consistent with Anonymous hacktivist tactics.[20]
- Al Ahad: Focused DDoS attacks on Israeli targets (including critical infrastructure) and Ukrainian entities, reflecting their Iraqi anti-Israeli stance and operational persistence.[26]
- RuskiNet: Targeted entities in the US, Israel, and Denmark with DDoS attacks, aligning with the broader pro-Russian hacktivist movement.[5]
- Dark Storm Team: Executed DDoS attacks against US and Polish targets, showcasing their pro-Palestinian alignment and potentially their DDoS-for-hire operations.[13]
- R00TK1T ISC CYBER TEAM: Claimed a major data breach against the Malaysian PMO, continuing their focus on Malaysian targets observed earlier in the year.[11]
- ViralGod: Claimed access to Mexico’s national civil registry, reinforcing their specialization in acquiring and selling large PII datasets from Latin America via forums.[6]
- IAB Actors (OpenProcess, NFTGuyDAH, Anon-WMG, tyrese2024, etc.): Numerous actors, often identifiable only by forum handles, actively sold various forms of initial access, highlighting the scale and accessibility of the cybercrime service economy.
Emerging Concerns:
The confluence of readily available initial access, potent data breaches, and the potential weaponization of new exploits creates a concerning environment. While many observed DDoS attacks are primarily disruptive, the underlying availability of network access sold by IABs could facilitate more severe intrusions, including ransomware deployment or espionage, potentially masked by the noise of hacktivist campaigns. The sheer volume of actors operating on underground forums, many using transient handles (like Blinkers, Valerie, TheLibertyCity, tyrese2024), makes comprehensive tracking and attribution challenging, yet their collective activity significantly lowers the barrier to entry for various cybercrimes. Furthermore, the continued targeting of critical infrastructure and government services, even via DDoS, signals intent and capability that could escalate to more impactful attacks on essential functions.[15]
Outlook:
Continued vigilance is required. Monitoring hacktivist channels on platforms like Telegram is essential for anticipating disruptive DDoS campaigns, which are likely to ebb and flow with geopolitical events. Close observation of underground forums (BreachForums, Exploit.in, XSS.is, etc.) remains critical for tracking IAB activity, data leaks, and exploit sales. The alleged zero-day for TinyMCE/CKEditor 5 plugins warrants attention; if validated and purchased, it could lead to widespread exploitation attempts against vulnerable web applications. Organizations should prioritize patching known vulnerabilities, securing remote access pathways (VPN, RDP, RDWeb), implementing robust authentication (MFA), and maintaining defenses against both disruptive attacks and stealthy intrusions facilitated by compromised credentials or access. The persistent threat to government and critical infrastructure sectors necessitates ongoing security hardening and incident response preparedness.
Works cited
- Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed April 15, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
- NETSCOUT DDoS THREAT INTELLIGENCE REPORT, accessed April 15, 2025, https://www.netscout.com/threatreport/wp-content/uploads/2024/09/TR_1H2024_Web.pdf
- Threat actors – SpyCloud, accessed April 15, 2025, https://spycloud.com/glossary/threat-actors/
- 2024 – Cisco Talos Blog, accessed April 15, 2025, https://blog.talosintelligence.com/content/files/2025/03/2024YiR-report.pdf
- Breaking Cyber News From Cyberint, accessed April 15, 2025, https://cyberint.com/news-feed/
- Week 30 – Cyberint, accessed April 15, 2025, https://e.cyberint.com/hubfs/Research%20Reports/Week%2030.pdf
- Threat Actor Allegedly Selling Fortinet Firewall Zero-Day Exploit – SecurityWeek, accessed April 15, 2025, https://www.securityweek.com/threat-actor-allegedly-selling-fortinet-firewall-zero-day-exploit/
- Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a
- Pro-Russian Hacktivist Group Claims 6600 Attacks Targeting Europe, accessed April 15, 2025, https://www.infosecurity-magazine.com/news/pro-russian-hacktivist-attacks/
- CompTIA-Security-SY0-701/Section 3: Threat Actors.md at main – GitHub, accessed April 15, 2025, https://github.com/wilsonvs/CompTIA-Security-SY0-701/blob/main/Section%203%3A%20Threat%20Actors.md
- Advisory – NACSA, accessed April 15, 2025, https://www.nacsa.gov.my/advisory11.php
- Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 15, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
- Dark storm team claims responsibility for cyber attack on X platform – What it means for the future of digital security – ET CISO, accessed April 15, 2025, https://ciso.economictimes.indiatimes.com/news/ot-security/dark-storm-team-claims-responsibility-for-cyber-attack-on-x-platform-what-it-means-for-the-future-of-digital-security/119031271
- U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024 – CrowdStrike, accessed April 15, 2025, https://www.crowdstrike.com/en-us/blog/anonymous-sudan-hacktivist-group-ddos-indictment/
- Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity – CISA, accessed April 15, 2025, https://www.cisa.gov/sites/default/files/2024-05/defending-ot-operations-against-ongoing-pro-russia-hacktivist-activity-508c.pdf
- Rustware Part 1: Shellcode Process Injection Development – ConsulThink, accessed April 15, 2025, https://www.consulthink.it/rustware-part-1-shellcode-process-injection-development/
- Behavior:Win32/OpenProcess.B threat description – Microsoft Security Intelligence, accessed April 15, 2025, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Behavior:Win32/OpenProcess.B&ThreatID=2147762161
- R00TK1T Malaysia Threat Pushes for Stronger Cybersecurity – Sangfor Technologies, accessed April 15, 2025, https://www.sangfor.com/blog/cybersecurity/r00tk1t-hacking-group-malaysia-needs-stronger-cybersecurity
- Cyble Chronicles – February 1: Latest Findings & Recommendations for the Cybersecurity Community, accessed April 15, 2025, https://cyble.com/blog/cyble-chronicles-february-1-latest-findings-recommendations-for-the-cybersecurity-community/
- Search results for Security — Latest News, Reports & Analysis | The Hacker News, accessed April 15, 2025, https://thehackernews.com/search?q=Security&updated-max=2023-03-09T04:25:00-08:00&max-results=20&start=2454&by-date=false&m=1
- Anonymous (hacker group) – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
- Threat Actor | BlackFog, accessed April 15, 2025, https://www.blackfog.com/cybersecurity-101/threat-actor/
- Cyble details Russian hacktivist group Sector 16 targeting US oil infrastructure in alarming data breaches – Industrial Cyber, accessed April 15, 2025, https://industrialcyber.co/control-device-security/cyble-details-russian-hacktivist-group-sector-16-targeting-us-oil-infrastructure-in-alarming-data-breaches/
- Hacktivists Target Romania in Latest Surge in Geopolitical DDoS Attacks | NETSCOUT, accessed April 15, 2025, https://www.netscout.com/blog/asert/hacktivists-target-romania-latest-surge-geopolitical-ddos
- Uncovering the Hacktivist Cyberattacks Targeting the EU Election – Security Solutions Media, accessed April 15, 2025, https://www.securitysolutionsmedia.com/2024/06/19/uncovering-the-hacktivist-cyberattacks-targeting-the-eu-election/
- Three Months After the Storm: Did Cybercriminals Move to Telegram Alternatives?, accessed April 15, 2025, https://www.kelacyber.com/blog/three-months-after-the-storm-did-cybercriminals-move-to-telegram-alternatives/
- Understanding Indicators of Compromise and Their Role in Cybersecurity – Arctic Wolf, accessed April 15, 2025, https://arcticwolf.com/resources/blog/understanding-indicators-of-compromise-and-their-role-in-cybersecurity/
- Indicators of Compromise (IOC) Security Explained – CrowdStrike.com, accessed April 15, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/
- Indicators of Compromise: What They Are & How to Identify Them – Intrusion Inc., accessed April 15, 2025, https://www.intrusion.com/blog/how-to-identify-iocs-indicators-of-compromise/
- Threat Actor Groups Archives – Unit 42, accessed April 15, 2025, https://unit42.paloaltonetworks.com/category/threat-actor-groups/
- Sandworm (Threat Actor) – Malpedia, accessed April 15, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/sandworm
- Threat Actor Profiles – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/category/threat-actor-profiles/
- Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA, accessed April 15, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b
- Dark Storm Team – Wikipedia, accessed April 15, 2025, https://en.wikipedia.org/wiki/Dark_Storm_Team
- Worldwide outage at X due to DDoS attack | Cyber Intelligence Briefing: 14 March 2025, accessed April 15, 2025, https://www.s-rminform.com/cyber-intelligence-briefing/cyber-intelligence-briefing-14-march-2025
- What the Data Tells Us About Immigration and Terrorism | Brennan Center for Justice, accessed April 15, 2025, https://www.brennancenter.org/our-work/analysis-opinion/what-data-tells-us-about-immigration-and-terrorism
- Evaluating the Terrorist Threat Posed by African-American Muslim Groups – Combating Terrorism Center at West Point, accessed April 15, 2025, https://ctc.westpoint.edu/evaluating-the-terrorist-threat-posed-by-african-american-muslim-groups/
- A Major Terror Plot Interrupted — or a ‘Setup’? – PBS, accessed April 15, 2025, https://www.pbs.org/wgbh/frontline/article/video-liberty-city-seven-terror-plot-setup-in-the-shadow-of-911/
- How Threat Actors Industrialised Cybercrime in 2024 – Cyber Magazine, accessed April 15, 2025, https://cybermagazine.com/articles/how-threat-actors-industrialised-cybercrime-in-2024
- Top 10 Threat Actors of 2024: Beyond the Numbers – SOCRadar® Cyber Intelligence Inc., accessed April 15, 2025, https://socradar.io/top-10-threat-actors-of-2024-beyond-the-numbers/