[April-19-2025] Daily Cybersecurity Threat Report

1. Executive Summary

  • Overview: This report details significant cybersecurity incidents observed over the past 24 hours, concluding on 2025-04-19, based on analyzed data feeds. Activity levels were notably high, characterized by a prevalence of Distributed Denial-of-Service (DDoS) and Website Defacement campaigns. These disruptive activities were largely attributed to hacktivist groups motivated by geopolitical events. Concurrently, ransomware operations persist as a significant threat, with established and newly identified groups leveraging Ransomware-as-a-Service (RaaS) models. The incidents reported spanned multiple geographic regions, with distinct clusters affecting Indonesia, the USA, Poland, and Israel.
  • Key Trends:
  • Geopolitically Motivated Attacks: A substantial volume of DDoS and Defacement attacks targeted nations and organizations perceived to be involved in, or supportive of, ongoing geopolitical conflicts, notably the Russia-Ukraine war and the Israeli-Palestinian conflict. Threat actors such as NoName057(16), Dark Storm Team, and RuskiNet were prominently featured in these activities, demonstrating how real-world conflicts directly translate into cyber operations aimed at disruption and propaganda.
  • Ransomware RaaS Operations: Persistent campaigns were observed from RaaS groups including RALord and FSOCIETY | FLOCKER. These incidents underscore the maturity of the RaaS ecosystem, characterized by affiliate-driven models, sophisticated multi-layered extortion tactics (including data leakage threats), and even collaboration between groups.1 This professionalization lowers the barrier to entry for less skilled actors and increases the overall threat volume.
  • Targeting of Government Infrastructure: A coordinated series of defacements impacted multiple Indonesian government websites, executed by a single threat actor (“H4x0r Umbarella Corp H.U.C”). This pattern suggests either a focused campaign against Indonesian government entities or the exploitation of common vulnerabilities within their web infrastructure, possibly facilitated by automated tools commonly used in the region.3 Additionally, a US federal agency, the EEOC, was targeted in an alleged data breach by a hacktivist group.
  • Hacktivist Monetization & Credibility: Observations indicate an evolution in the hacktivist landscape, where ideological motivations are increasingly blended with financial opportunism. Groups like Dark Storm Team are noted not only for politically charged attacks but also for offering DDoS-for-hire services and attempting to monetize notoriety through ventures like cryptocurrency launches.4 Furthermore, the credibility of claims made by certain hacktivist groups, including Dark Storm Team and FunkSec (an FSOCIETY collaborator), requires careful scrutiny, as instances of exaggerated impact or the use of recycled data have been reported.5 Verification of claims remains crucial.
  • Significant Incidents:
  • The DDoS attack on Polish energy company ORLEN by NoName057(16) aligns with the group’s documented pattern of targeting critical infrastructure in NATO member states perceived as supporting Ukraine.8
  • RALord ransomware’s compromise of Bettin Soluções em Informática in Brazil exemplifies the group’s RaaS model, multi-layered extortion strategy (threatening data leaks), global reach, and potential lineage from previous ransomware operations like RAWorld.1
  • The cluster of defacements against Indonesian government websites by H4x0r Umbarella Corp H.U.C highlights potential systemic vulnerabilities or a targeted campaign within the country.3
  • Dark Storm Team’s claimed DDoS attack against the Jerusalem Post is consistent with the group’s pro-Palestine stance and focus on Israeli targets.4
  • Table: Summary of Incidents (2025-04-19)
Victim Organization | Victim Industry | Victim Country | Threat Actor | Incident Category | Date/Time (UTC)
--- | --- | --- | --- | --- | ---
pinterest philippines | Social Media & Online Social Networking | Philippines | CASH NETWORK C2 | DDoS Attack | 2025-04-19T09:04:36Z
kecamatan wonogiri | Government Administration | Indonesia | H4x0r Umbarella Corp H.U.C | Defacement | 2025-04-19T08:41:59Z
kecamatan wuryantoro | Government Administration | Indonesia | H4x0r Umbarella Corp H.U.C | Defacement | 2025-04-19T08:39:27Z
kecamatan puhpelem | Government Administration | Indonesia | H4x0r Umbarella Corp H.U.C | Defacement | 2025-04-19T08:36:21Z
kecamatan purwantoro | Government Administration | Indonesia | H4x0r Umbarella Corp H.U.C | Defacement | 2025-04-19T08:29:08Z
regional revenue agency of north kalimantan province | Government Administration | Indonesia | H4x0r Umbarella Corp H.U.C | Defacement | 2025-04-19T08:23:15Z
satluj bazaar | E-commerce & Online Stores | Pakistan | JAKARTA CYBER WHITE | Defacement | 2025-04-19T08:03:41Z
delsac perforated sheet industry and trade co. ltd. | Manufacturing | Turkey | Team 1722 | Defacement | 2025-04-19T07:44:37Z
orlen | Energy & Utilities | Poland | NoName057(16) | DDoS Attack | 2025-04-19T07:44:04Z
bettin soluções em informática | Information Technology (IT) Services | Brazil | RALord | Ransomware | 2025-04-19T06:19:45Z
u.s. equal employment opportunity commission (eeoc) | Government Administration | USA | EvilMorocco Hacktivism | Data Breach | 2025-04-19T05:20:59Z
moray scuba | Hospitality & Tourism | USA | Vortex | Defacement | 2025-04-19T04:24:43Z
the tech interactive | Museums & Institutions | USA | Money Message | Ransomware | 2025-04-19T02:30:53Z
Unknown (Z****a.com) | Unknown | Unknown | FSOCIETY \| FLOCKER | Ransomware | 2025-04-19T01:48:30Z
Unknown | Unknown | Unknown | tyrese2024 | Initial Access | 2025-04-19T01:45:01Z
the mediterranean diet | Health & Fitness | USA | RuskiNet | Defacement | 2025-04-19T00:53:09Z
jerusalem post | Newspapers & Journalism | Israel | Dark Storm Team | DDoS Attack | 2025-04-19T00:15:16Z

2. Detailed Incident Analysis

(A) Distributed Denial-of-Service (DDoS) Attacks

DDoS attacks continue to be a favored weapon for hacktivist groups seeking to cause disruption, gain visibility, and make political statements. The incidents observed in this reporting period exemplify this trend, targeting high-visibility platforms or organizations linked to specific geopolitical contexts. The actors involved, such as NoName057(16) and Dark Storm Team, have established histories of politically motivated attacks, primarily targeting NATO countries, Ukraine’s allies, and entities associated with Israel. The selection of targets—a major social media platform’s regional site, a critical energy provider in Poland, and a prominent Israeli news outlet—appears calculated for maximum public impact or strategic disruption aligned with the actors’ declared ideologies. The use of check-host links as proof of downtime is a common practice among these groups, though it doesn’t independently verify the actor’s sole responsibility or the precise scale of the attack.

  • Incident 1: CASH NETWORK C2 targets Pinterest Philippines
  • Victim: Pinterest Philippines (ph.pinterest.com)
  • Industry: Social Media & Online Social Networking
  • Country: Philippines
  • Date: 2025-04-19T09:04:36Z
  • Summary: The threat actor identified as “CASH NETWORK C2” claimed responsibility for conducting a DDoS attack against the Pinterest website localized for the Philippines. The claim, published via Telegram, included a link to a check-host report allegedly demonstrating service downtime.
  • Threat Actor Profile: CASH NETWORK C2:
  • Specific intelligence regarding the “CASH NETWORK C2” group is limited in open sources. However, the actor’s chosen name provides potential clues about their operational focus. The inclusion of “C2” (or C&C) strongly suggests an emphasis on Command and Control infrastructure. C2 channels are essential for attackers to communicate with and manage networks of compromised devices, commonly known as botnets.12 These botnets are frequently employed to launch large-scale DDoS attacks by overwhelming target servers with traffic coordinated via the C2 server.12 Attackers often attempt to disguise C2 traffic using common protocols like HTTP/HTTPS or DNS to evade detection.12 Tools such as Cobalt Strike are commonly used for establishing and maintaining C2 communications.13
  • The “CASH NETWORK” component of the name might imply a financial motivation. While this specific attack appears purely disruptive, groups operating botnets often engage in financially driven activities, such as offering DDoS-for-hire services or utilizing the compromised network for other illicit purposes like spam distribution or credential theft. The group utilizes Telegram for its communications and claims, a platform widely adopted by various threat actors, including hacktivists and cybercriminals.
  • Supporting Evidence:
  • Published URL: https://t.me/cashnetworkc2/107
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8fd739aa-87d5-460a-870c-3bedfadf87e1.png
  • Proof of Downtime: https://check-host.net/check-report/251eb002ka2b
  • Incident 2: NoName057(16) targets ORLEN (Poland)
  • Victim: ORLEN (orlen.pl)
  • Industry: Energy & Utilities
  • Country: Poland
  • Date: 2025-04-19T07:44:04Z
  • Summary: The well-known pro-Russian hacktivist group NoName057(16) claimed responsibility for a DDoS attack targeting the corporate website of ORLEN, a major state-controlled Polish oil refiner and petrol retailer. The group provided a check-host link as evidence of the disruption.
  • Threat Actor Profile: NoName057(16):
  • Origin & Motivation: NoName057(16) is a pro-Russian hacktivist collective that became active around March-July 2022, coinciding with the escalation of the Russia-Ukraine conflict.9 Their operations are explicitly aligned with Russian Federation interests and driven by geopolitical motivations.10 The group primarily targets NATO member states and other countries perceived as supporting Ukraine, aiming to disrupt their critical infrastructure and digital services as a form of retaliation or destabilization.8
  • TTPs: The group’s hallmark is the execution of DDoS attacks.8 They developed and distribute a custom DDoS tool named “DDOSIA,” which has evolved from Python to utilize HTTP for C2 communication with JSON configurations.8 This tool is hosted on GitHub and designed for ease of use across Linux, Windows, and macOS, facilitating participation by a broad base of volunteers or supporters.8 NoName057(16) operates extensive Telegram channels (one noted with over 52,000 subscribers) to announce targets, claim responsibility for attacks, recruit participants, and share propaganda.8 They are also known to leverage botnets, potentially involving malware like Bobik distributed via stealers such as RedLine.8 Their operational model includes crowdsourcing attack capabilities, a method also employed by opposing hacktivist groups like the IT Army of Ukraine.10
  • Targets: NoName057(16) consistently targets government entities, financial institutions, transportation hubs (like airports), media organizations, and critical infrastructure within NATO countries, Ukraine, and nations supporting Ukraine.8 Poland is a frequent target due to its strategic location and significant support for Ukraine, making the attack on ORLEN entirely consistent with their established modus operandi.8 Other countries frequently targeted include Lithuania, the Czech Republic, Italy, Spain, Denmark, Canada, and the US.8 They have also participated in broader hacktivist campaigns like #OpIndia.9
  • Credibility: NoName057(16) is considered a persistent and active threat actor in the DDoS landscape, with some sources reporting a significant success rate for their claimed attacks.8 While sometimes described as “unorganized,” their consistent activity, custom tool development, and large online following suggest a degree of coordination, likely involving a core group directing a larger volunteer base.9
  • Supporting Evidence:
  • Published URL: https://t.me/nnm05716rus/616
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c063aa81-4ef0-42f8-901b-3fe84ee1ae9e.png, https://d34iuop8pidsy8.cloudfront.net/91f51682-9083-4c2b-b389-ef1111a685bf.png
  • Proof of Downtime: https://check-host.net/check-report/251e259dk454
  • Incident 3: Dark Storm Team targets Jerusalem Post (Israel)
  • Victim: Jerusalem Post (m.jpost.com)
  • Industry: Newspapers & Journalism
  • Country: Israel
  • Date: 2025-04-19T00:15:16Z
  • Summary: The hacktivist collective known as “Dark Storm Team” claimed responsibility for a DDoS attack targeting the mobile version of the Jerusalem Post’s website, a major English-language newspaper in Israel. Proof of disruption was provided via a check-host link.
  • Threat Actor Profile: Dark Storm Team:
  • Origin & Motivation: Dark Storm Team emerged in the cyber threat landscape around mid-to-late 2023.4 The group operates primarily as a hacktivist collective driven by political and ideological motivations, specifically expressing strong pro-Palestine, anti-Israel, and anti-NATO sentiments.4 Alongside their political agenda, there are indications of financial motivation, as the group has been observed advertising DDoS-for-hire services and even launched a cryptocurrency (DARKSTORM on Solana) following a high-profile claimed attack.4 This blend of hacktivism and potential commercialization is an emerging trend among such groups.
  • TTPs: The group’s primary tactic is the execution of large-scale DDoS attacks aimed at disrupting the online services of their targets.4 They utilize Telegram channels extensively for communication, claiming attacks, issuing threats, recruiting, spreading propaganda, and advertising their illicit services.4 Dark web forums may also be used. To obscure their origins and amplify attacks, they likely employ techniques such as VPNs, proxy chains, and botnets.4
  • Targets: Dark Storm Team selects targets that align with their stated political objectives. This includes Israeli organizations (such as the Jerusalem Post), entities within NATO countries, Western corporations, government bodies, defense contractors, transportation infrastructure, educational institutions, financial services, media outlets, and technology companies.4 They have recently made high-profile (though potentially exaggerated) claims of attacks against major platforms like X (formerly Twitter), Zoom, and Spotify.4
  • Collaboration & Credibility: The group has been observed cooperating with pro-Russian hacktivist groups, highlighting the interconnected nature of these politically aligned collectives.5 However, the credibility of Dark Storm Team’s claims, particularly regarding large-scale attacks on major platforms, has been questioned. Reports suggest instances of exaggeration, mischaracterization of impact, or providing insufficient evidence.5 While skepticism is warranted for some claims, the attack on the Jerusalem Post aligns directly with their core anti-Israel motivation.
  • Supporting Evidence:
  • Published URL: https://t.me/DarkStormTeam3/344
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2a57dd2d-3c61-4cab-973a-422698157cf5.png
  • Proof of Downtime: https://check-host.net/check-report/251bd45ek27b

(B) Website Defacements

Website defacement continues to be a prevalent tactic, particularly among hacktivist groups and less sophisticated actors. It serves as a visible means to broadcast messages, claim symbolic victories, damage reputation, or simply demonstrate technical prowess. The significant cluster of defacements targeting Indonesian government subdomains, all attributed to “H4x0r Umbarella Corp H.U.C,” strongly indicates a targeted campaign rather than random opportunistic attacks. This pattern aligns with reports detailing widespread exploitation of vulnerabilities in Indonesian web infrastructure, often facilitated by automated tools like SQLMap and the sharing of target lists within local hacking communities.3 The involvement of an actor named “JAKARTA CYBER WHITE,” despite targeting a Pakistani site, further hints at the activity and potential cross-border reach of Indonesian-linked actors. Other defacements, like the one by RuskiNet redirecting a US health website to a Hamas-associated domain 16, explicitly demonstrate the use of defacement for politically charged messaging, linking pro-Russian and pro-Palestinian narratives. The remaining defacements appear more opportunistic, lacking clear context or connection to broader campaigns.

  • Incidents 4-8: H4x0r Umbarella Corp H.U.C targets Indonesian Government Websites
  • Victims:
  • Kecamatan Wonogiri (kec.wonogiri.wonogirikab.go.id) – 2025-04-19T08:41:59Z
  • Kecamatan Wuryantoro (kec.wuryantoro.wonogirikab.go.id) – 2025-04-19T08:39:27Z
  • Kecamatan Puhpelem (kec.puhpelem.wonogirikab.go.id) – 2025-04-19T08:36:21Z
  • Kecamatan Purwantoro (kec.purwantoro.wonogirikab.go.id) – 2025-04-19T08:29:08Z
  • REGIONAL REVENUE AGENCY OF NORTH KALIMANTAN PROVINCE (bapenda.kaltaraprov.go.id) – 2025-04-19T08:23:15Z
  • Industry: Government Administration
  • Country: Indonesia
  • Summary: The threat actor group calling itself “H4x0r Umbarella Corp H.U.C” claimed responsibility for defacing the websites of five distinct Indonesian government entities. Four of these were district-level (Kecamatan) websites under the Wonogiri Regency administration, while the fifth belonged to the Regional Revenue Agency of North Kalimantan Province. All claims were disseminated via the same Telegram channel link.
  • Threat Actor Profile: H4x0r Umbarella Corp H.U.C:
  • Specific, verifiable intelligence on this particular group name is scarce. The name incorporates common hacker subculture terms (“H4x0r”) and a structure (“Corp”) often used ironically by informal hacking groups or individuals.
  • The simultaneous targeting of multiple Indonesian government websites, particularly several under the same regional administration (Wonogiri Regency), strongly suggests a focused effort rather than random chance. This could stem from a specific grievance against these entities or, more probably, the successful exploitation of a shared vulnerability present across these web platforms.
  • The broader context of cyber threats targeting Indonesia reveals significant activity from local hacktivist groups (such as those associated with “RaidForum Indo Cyber”) who frequently target government, education, and public service websites.3 These actors often employ automated tools, like SQLMap for SQL injection vulnerabilities, to conduct mass exploitation campaigns, sometimes sourcing lists of potentially vulnerable sites from public repositories like GitHub.3 It is highly plausible that “H4x0r Umbarella Corp H.U.C” operates within this ecosystem or utilizes similar TTPs, leveraging common weaknesses in Indonesian government web applications. Defacement is a known tactic used by hacktivist groups globally, sometimes to convey political messages.14
  • Supporting Evidence:
  • Published URL (Same for all 5): https://t.me/c/2626846291/98 (Note: This link appears to point to a private Telegram channel or chat, limiting public verification of the claim’s origin.)
  • Screenshots:
  • Wonogiri: https://d34iuop8pidsy8.cloudfront.net/8532654b-db79-41c8-8bc6-bca8027e4363.png
  • Wuryantoro: https://d34iuop8pidsy8.cloudfront.net/ed28fbbb-45fb-4df2-9dea-ea49208a43de.png
  • Puhpelem: https://d34iuop8pidsy8.cloudfront.net/487072ee-3ffc-4f26-955e-9d00c7db4057.png
  • Purwantoro: https://d34iuop8pidsy8.cloudfront.net/50a9b2b0-03ea-4023-bc93-9282561fe0cb.png
  • N. Kalimantan Revenue: https://d34iuop8pidsy8.cloudfront.net/f5aff519-8bc4-4f5e-adbf-b27fe4faddbb.png
  • Incident 9: JAKARTA CYBER WHITE targets Satluj Bazaar (Pakistan)
  • Victim: Satluj Bazaar (satlujbazaar.com)
  • Industry: E-commerce & Online Stores
  • Country: Pakistan
  • Date: 2025-04-19T08:03:41Z
  • Summary: The group identifying as “JAKARTA CYBER WHITE” claimed via Telegram to have defaced the website of Satluj Bazaar, an e-commerce platform operating in Pakistan. A mirror link hosted on the Zone-XSec archive was provided as evidence.
  • Threat Actor Profile: JAKARTA CYBER WHITE:
  • No specific threat intelligence profile exists for a group named “JAKARTA CYBER WHITE”. The name strongly suggests an Indonesian origin or affiliation (“Jakarta”).
  • As noted previously, Indonesia hosts active hacktivist communities known for targeting various domestic and sometimes international websites, often using automated tools and coordinating via online forums and messaging apps.3 While this attack targets a Pakistani entity, the actor’s chosen name may indicate participation by Indonesian individuals or groups, potentially involved in broader regional hacktivist campaigns or collaborations (e.g., groups like DragonForce Malaysia were mentioned operating alongside Indonesian actors 3). The term “White” in the name could potentially allude to “White Hat” ethical hacking, but website defacement is generally considered a malicious or grey-hat activity. It might also simply be part of the group’s chosen branding.
  • Supporting Evidence:
  • Published URL: https://t.me/JakartaCyberWhiteNew/5
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/3db97e0f-7f8c-4ee8-9375-d37bc46b6160.png
  • Mirror Link: https://zone-xsec.com/mirror/711364
  • Incident 10: Team 1722 targets Delsac Perforated Sheet Industry (Turkey)
  • Victim: Delsac Perforated Sheet Industry and Trade Co. Ltd. (delsac.com.tr)
  • Industry: Manufacturing
  • Country: Turkey
  • Date: 2025-04-19T07:44:37Z
  • Summary: An entity identified as “Team 1722” claimed via a private Telegram channel link to have defaced the website of Delsac, a Turkish company specializing in perforated sheet manufacturing.
  • Threat Actor Profile: Team 1722:
  • There is no readily available threat intelligence associated with the name “Team 1722”. The naming convention (“Team” followed by a number) is common among informal hacking groups or teams. Available research snippets mentioning “1722” were unrelated to cyber threat activity.17 Without further information or context, the motivation behind this attack remains unclear, and it appears likely to be an opportunistic defacement targeting a Turkish business. General threat actor profiling resources provide frameworks but no specific data on this entity.18
  • Supporting Evidence:
  • Published URL: https://t.me/c/2492189773/82 (Private channel/chat link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c9890f29-2cdc-4d7c-aa0f-5afb3b049add.png
  • Incident 11: Vortex targets Moray Scuba (USA)
  • Victim: Moray Scuba (morayscuba.com)
  • Industry: Hospitality & Tourism
  • Country: USA
  • Date: 2025-04-19T04:24:43Z
  • Summary: The group “Vortex” posted a claim on Telegram asserting they had defaced the website of Moray Scuba, a US-based company offering scuba diving services.
  • Threat Actor Profile: Vortex:
  • No specific threat intelligence directly links this defacement activity to a known threat actor group operating under the name “Vortex”. Searches for “Vortex” in a cybersecurity context yield results related to vulnerability management concepts (the “vulnerability vortex” 20), a specific cybersecurity platform named VortexCloud 22, and a legitimate cybersecurity services group in Bangladesh named VorTex Cybersecurity.23 None of these appear connected to the actor responsible for this website defacement. The targeting of a small business in the tourism sector suggests this was likely an opportunistic attack with unknown motivations.
  • Supporting Evidence:
  • Published URL: https://t.me/Vvorttexx/4
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/e4d6dd7b-1b15-427a-a354-d7b0bddaac6c.png
  • Incident 12: RuskiNet targets The Mediterranean Diet (USA)
  • Victim: The Mediterranean Diet (mymediterraneanplan.com)
  • Industry: Health & Fitness
  • Country: USA
  • Date: 2025-04-19T00:53:09Z
  • Summary: The group “RuskiNet” claimed responsibility for defacing the website “mymediterraneanplan.com”. The defacement involved redirecting the website to alqassam.ps, the domain associated with the Izz ad-Din al-Qassam Brigades, the military wing of Hamas.
  • Threat Actor Profile: RuskiNet:
  • While specific details about “RuskiNet” as a distinct entity are limited, its name strongly implies a pro-Russian affiliation. The TTP employed in this incident—website defacement involving redirection to a politically significant domain (alqassam.ps)—is a clear hacktivist tactic used to broadcast political messages and signal alliances.
  • This action explicitly links a likely pro-Russian stance with support for the Palestinian cause, an alignment observed among various hacktivist factions involved in geopolitical cyber conflicts. Further evidence of RuskiNet’s political motivations and targeting patterns comes from a reported attack on April 10, 2025, where they targeted the “Access Israel” website as part of the #OpIsrael campaign, disrupting access to Israeli security research.16
  • The broader landscape of Russian state-linked or ideologically aligned cyber actors (such as GRU Unit 29155 or groups like the People’s Cyber Army) frequently employs tactics like website defacement, data leaks, and attacks on critical infrastructure in NATO countries and their allies.14 RuskiNet appears to operate within this ecosystem, using cyber means to advance specific geopolitical narratives and target perceived adversaries.
  • Supporting Evidence:
  • Published URL: https://t.me/c/2577273080/216 (Private channel/chat link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/ef19a744-dc52-4f3e-b424-ab66faa769e2.jpg
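The redirect-style defacement described in Incident 12 (a site silently sending visitors to an external domain) is easy to miss with a plain uptime check, because the site still answers. The following monitor, added here as an illustration and not part of the report or any vendor tooling, compares a fetched page against a baseline and flags off-domain redirects at the HTTP level, in meta-refresh tags, and in inline JavaScript, as well as outright content replacement. The site hosts, page bodies and the placeholder redirect target are constructed sample data.

```python
import hashlib
import re
from urllib.parse import urlparse

# Redirects that live in the served HTML rather than in the HTTP headers.
META_REFRESH_RE = re.compile(
    r"<meta[^>]*http-equiv\s*=\s*[\"']?refresh[\"']?[^>]*content\s*=\s*[\"'][^\"']*url\s*=\s*([^\"'>\s]+)",
    re.IGNORECASE,
)
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']",
    re.IGNORECASE,
)


def registrable_host(url: str) -> str:
    """Lower-case the host and drop a leading 'www.' so it can be compared with a small
    allow-list of hosts the site legitimately owns (deliberately simple, no PSL lookup)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def content_fingerprint(body: str) -> str:
    """SHA-256 over the body with whitespace collapsed, so cosmetic reflows do not alert."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()


def assess(observation: dict, baseline: dict) -> list:
    """Compare one fetch ({"url", "status", "headers", "body"}) against the baseline
    ({"allowed_hosts", "fingerprint"}) and return the list of alert strings raised."""
    alerts = []
    allowed = {h.lower() for h in baseline["allowed_hosts"]}
    headers = {k.lower(): v for k, v in observation.get("headers", {}).items()}

    # 1. HTTP redirect to a host the site does not own (the Incident 12 pattern).
    if 300 <= observation["status"] < 400 and "location" in headers:
        target = registrable_host(headers["location"])
        if target and target not in allowed:
            alerts.append(f"off_domain_redirect:{target}")

    # 2. Meta-refresh or JavaScript redirect embedded in the page body.
    body = observation.get("body", "")
    for label, pattern in (("meta_refresh", META_REFRESH_RE), ("js_redirect", JS_REDIRECT_RE)):
        for url in pattern.findall(body):
            target = registrable_host(url)
            if target and target not in allowed:
                alerts.append(f"off_domain_{label}:{target}")

    # 3. Classic defacement: a 200 response whose content no longer matches the baseline.
    if observation["status"] == 200 and content_fingerprint(body) != baseline["fingerprint"]:
        alerts.append("content_changed")
    return alerts


# Constructed baseline and observations (not captured traffic). "redirect-target.example"
# is a placeholder standing in for the external domain named in the incident.
BASELINE_BODY = "<html><body><h1>My Mediterranean Plan</h1><p>Weekly recipes</p></body></html>"
BASELINE = {
    "allowed_hosts": {"mymediterraneanplan.com", "cdn.mymediterraneanplan.com"},
    "fingerprint": content_fingerprint(BASELINE_BODY),
}
OBS_NORMAL = {
    "url": "https://mymediterraneanplan.com/", "status": 200, "headers": {},
    "body": "<html><body><h1>My  Mediterranean   Plan</h1><p>Weekly recipes</p></body></html>",
}
OBS_HEADER_REDIRECT = {
    "url": "https://mymediterraneanplan.com/", "status": 302,
    "headers": {"Location": "https://redirect-target.example/"}, "body": "",
}
OBS_META_REFRESH = {
    "url": "https://mymediterraneanplan.com/", "status": 200, "headers": {},
    "body": '<html><head><meta http-equiv="refresh" content="0; url=https://redirect-target.example/">'
            '</head><body>Hacked</body></html>',
}

if __name__ == "__main__":
    for name, obs in (("normal", OBS_NORMAL), ("302", OBS_HEADER_REDIRECT), ("meta", OBS_META_REFRESH)):
        print(name, assess(obs, BASELINE))
```

Run it from a scheduler against a stored baseline per monitored URL; an off-domain alert should page immediately, while content_changed alone is worth a review since it also fires on legitimate site updates.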

(C) Ransomware Incidents

Ransomware continues to pose a severe threat to organizations globally, driven by increasingly sophisticated actors and the proliferation of the Ransomware-as-a-Service (RaaS) model. The incidents recorded during this period involve distinct groups—RALord, Money Message, and FSOCIETY | FLOCKER—each demonstrating key characteristics of the modern ransomware landscape. Double extortion, where attackers encrypt data and exfiltrate sensitive information to leverage leak threats, is a standard tactic employed by all three groups.1 The RaaS model is explicitly mentioned for RALord (operating under NOVA RaaS) and FSOCIETY, highlighting how these platforms facilitate attacks by providing tools and infrastructure to affiliates.1 Technical capabilities are evident, such as RALord’s custom Rust-based payload 1 and Money Message’s specific techniques for encrypting files (ChaCha20/ECDH) and hindering recovery (Volume Shadow Copy deletion) on various platforms including ESXi.25 Furthermore, the cybercrime ecosystem’s collaborative nature is illustrated by FSOCIETY’s announced partnership with FunkSec.2 The use of deadlines (e.g., 7-11 days) for data publication serves as a potent psychological pressure tactic common in these campaigns.

  • Incident 13: RALord Ransomware targets Bettin Soluções em Informática (Brazil)
  • Victim: Bettin Soluções em Informática (bettininformatica.com.br)
  • Industry: Information Technology (IT) Services
  • Country: Brazil
  • Date: 2025-04-19T06:19:45Z
  • Summary: The RALord ransomware group added Bettin Soluções em Informática, a Brazilian IT solutions provider, to its data leak site. The group claims to have exfiltrated 15 GB of the organization’s data and stated their intention to publish it within 10-11 days if their demands are not met.
  • Threat Actor Profile: RALord:
  • Origin & Model: RALord emerged as a new ransomware operation around March 25, 2025.1 It functions within the NOVA RaaS platform, offering a lucrative 85% profit share to its affiliates who conduct the attacks, while the platform operators retain 15%.1 Beyond the standard RaaS offering, RALord distinguishes itself by providing standalone access to its encryption tool for a fee (€200 per attack plus a 10% cut of any ransom) and actively engaging in data sales and advertising its services on Tor networks.1 The group is known to operate on cybercrime forums under the alias ‘ForLord’.11
  • TTPs & Malware: RALord employs a double extortion strategy. Technically, they utilize two primary ransomware payloads: a “.nova” variant commonly distributed by affiliates, and a more sophisticated, custom-developed Rust-based variant that appends the “.RALord” extension to encrypted files.1 The malware reportedly possesses “anti-detection” capabilities.11 Their extortion tactics are particularly aggressive; their data leak site (DLS) features detailed reports on victims, often naming specific security products that allegedly failed to prevent the attack and highlighting poor cybersecurity practices within the victim organization.1 They provide proof of data theft (screenshots, file lists, data samples) and utilize countdown timers to pressure victims into payment.1 Communication with victims is often facilitated through the encrypted messaging app qTox.1
  • Targets: RALord demonstrates broad targeting across various high-value sectors and geographic regions. Affected industries include IT services, healthcare, education, hospitality, media/entertainment, construction, and agriculture.1 Geographically, victims have been identified in Brazil, Norway, Portugal, UAE, Saudi Arabia, Taiwan, Spain, France, and Argentina.1 Notably, the group publicly stated in April 2025 an intention to cease targeting schools and non-profit organizations, though the veracity and permanence of this claim remain uncertain.26
  • Potential Links: Researchers have noted potential connections between RALord and the older RAWorld (also known as RAGroup) ransomware group, based on similarities in code structure, messaging tone, and recruitment posts seeking individuals with skills in Rust/Python programming and vulnerability exploitation.1 RA Group itself has been associated with payloads derived from leaked Babuk ransomware source code.29
  • Supporting Evidence:
  • Published URL: http://ralordqe33mpufkpsr6zkdatktlu3t2uei4ught3sitxgtzfmqmbsuyd.onion/bettininformatica/ (Tor Link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/b6387895-570c-44ab-8e64-93c8f19cc6a1.png
  • Incident 14: Money Message Ransomware targets The Tech Interactive (USA)
  • Victim: The Tech Interactive (thetech.org)
  • Industry: Museums & Institutions
  • Country: USA
  • Date: 2025-04-19T02:30:53Z
  • Summary: The Money Message ransomware group listed The Tech Interactive, a science and technology museum located in San Jose, California, on their Tor-based data leak site. The group claims to have obtained the organization’s data as part of the attack.
  • Threat Actor Profile: Money Message:
  • Origin & Activity: Money Message emerged as a ransomware threat in March 2023.25 The group conducts double extortion attacks, encrypting victim data and threatening public leaks to coerce payment.25 While perhaps not as prolific as some top-tier ransomware gangs, Money Message has maintained persistent operations into 2024 and 2025, targeting organizations globally.25 Ransom demands associated with the group can reach millions of dollars.27
  • TTPs & Malware: The ransomware payload is typically written in C++ 27 and is known to target both Windows and Linux environments, including VMware ESXi servers—a common target for enterprise-focused ransomware.25 Encryption is performed using the ChaCha20 algorithm, with keys protected via ECDH (Elliptic-curve Diffie-Hellman).27 A distinctive feature is that the malware often does not append a specific extension to encrypted files, instead leaving a ransom note file, frequently named money_message.log, as the primary indicator of compromise.28 To impede recovery efforts, the ransomware actively deletes Volume Shadow Copies using the native Windows tool vssadmin.exe.27 It also creates a specific mutex (“12345-12345-12235-12354”) to prevent multiple instances from running simultaneously.27 The malware terminates processes and stops services associated with backups, databases, and security software, based on a configuration often embedded in JSON format within the executable.27 Recent analysis of ESXi-targeting variants revealed advanced techniques like specific targeting of critical virtual machine files (e.g., .vmx) and the use of Base64 encoding for obfuscation.25
  • Targets: Money Message targets a wide range of victims, including commercial enterprises and government entities across the globe.25 Previously identified victims include organizations like Hawaii Self Storage, Biman Airlines, and Micro Star International (MSI).30 The targeting of The Tech Interactive fits their pattern of attacking diverse organizational types.
  • Supporting Evidence:
  • Published URL: http://blogvl7tjyjvsfthobttze52w36wwiz34hrfcmorgvdzb6hikucb7aqd.onion/news.php?id=1 (Tor Link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/34e474e3-5b9d-4884-b0f0-46a0c4dd7b6f.png
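The Money Message TTPs above (ransom note `money_message.log` with no changed file extension, shadow-copy deletion via `vssadmin.exe`, the fixed mutex string) translate into host-level detections. The following is an added example, not from the report or any vendor product: it runs those three indicators over constructed endpoint telemetry whose event schema (`file_create`, `process_create`, `mutex_create` dicts) is an assumption.

```python
"""Match the Money Message indicators named in the report against constructed telemetry.
Event schema is assumed; indicator values (note name, tool, mutex) come from the report."""
import re
from typing import Dict, Iterable, List

RANSOM_NOTE = "money_message.log"
MUTEX_NAME = "12345-12345-12235-12354"
# vssadmin used to delete shadow copies; the report names the tool, the flags are assumed
VSSADMIN_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names one telemetry event matches (empty list if none)."""
    hits: List[str] = []
    kind = event.get("event")
    if kind == "file_create":
        # Encrypted files keep their extension, so the ransom note is the reliable tell.
        if event.get("path", "").lower().endswith(RANSOM_NOTE):
            hits.append("ransom_note")
    elif kind == "process_create":
        if VSSADMIN_DELETE.search(event.get("cmdline", "")):
            hits.append("shadow_copy_deletion")
    elif kind == "mutex_create":
        if event.get("name") == MUTEX_NAME:
            hits.append("money_message_mutex")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group matched indicators per host so a responder sees which behaviours co-occur."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for hit in classify(ev):
            findings.setdefault(ev.get("host", "?"), []).append(hit)
    return findings


# Constructed sample telemetry (not real data): ws01 shows all three behaviours, srv02 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "process_create", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "event": "mutex_create", "name": "12345-12345-12235-12354"},
    {"host": "ws01", "event": "file_create", "path": r"C:\Users\Public\money_message.log"},
    {"host": "srv02", "event": "file_create", "path": r"C:\Users\alice\report.docx"},
    {"host": "srv02", "event": "process_create", "cmdline": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, sorted(set(hits)))
```

A single hit (for example `vssadmin list shadows`, which is benign administration) is filtered out by design; the shadow-copy deletion and the ransom note together on one host are what merit escalation.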
  • Incident 15: FSOCIETY | FLOCKER Ransomware targets Unknown Victim
  • Victim: Unknown (Name partially obscured as Z****a.com)
  • Industry: Unknown
  • Country: Unknown
  • Date: 2025-04-19T01:48:30Z
  • Summary: The ransomware group operating under the banner “FSOCIETY | FLOCKER” added an entry for an unknown victim to their data leak site, identifying the target only as “Z****a.com”. The group claims to possess the victim’s data and has set a deadline of 7-8 days for its publication.
  • Threat Actor Profile: FSOCIETY | FLOCKER:
  • Origin & Model: The current iteration of FSociety, associated with the Flocker ransomware, emerged in 2024.2 It operates using a Ransomware-as-a-Service (RaaS) model, providing its tools and infrastructure to affiliates.2 This group should be distinguished from an earlier, less sophisticated ransomware strain that used the same “FSociety” name in 2016, which was directly inspired by the television series Mr. Robot.2 The RaaS model allows individuals recruited from specific online communities (including followers of the FunkSec group, access brokers, and insiders) to deploy the Flocker ransomware.2
  • TTPs: FSociety employs standard double extortion tactics: it encrypts data with the Flocker ransomware payload and exfiltrates sensitive data, which it then threatens to leak.2 The group uses a Telegram channel and an Onion-hosted data leak site (DLS) for communication, victim shaming, and potentially negotiation.2 An interesting evolution in their tactics was observed: initially, they obscured victim names on their DLS, but reportedly shifted to full disclosure in 2025.2 Their collaborator, FunkSec, uses the FunkLocker ransomware, which appends a “.funksec” extension.31
  • Collaboration: A significant aspect of FSOCIETY’s operation is its collaboration with the FunkSec ransomware group, another entity that emerged in late 2024. In January 2025, FSOCIETY announced a strategic alliance with FunkSec, aiming to operate together like “wolf packs” to increase efficiency and impact.2 This collaboration may involve shared resources or infrastructure, as FSOCIETY has been noted using FunkSec’s forum.2 FunkSec itself gained notoriety for a high volume of claimed victims, though the authenticity of some claims has been questioned due to the use of recycled data, and they are known for relatively low ransom demands (e.g., 0.1 Bitcoin).6 This suggests potentially different operational strategies or maturity levels between the collaborating groups.
  • Targets: As of early 2025, FSOCIETY had listed approximately 41 victims on its DLS.2 Their targets span various industries, including Financial Services, Construction, Government, Business Services, Retail, Technology, and Education.2 While the United States appears to be a primary focus, victims have also been identified in Canada and Taiwan.2 Their collaborator, FunkSec, also heavily targets the US, along with India.6
  • Supporting Evidence:
  • Published URL: http://flock4cvoeqm4c62gyohvmncx6ck2e7ugvyqgyxqtrumklhd5ptwzpqd.onion/?p=415 (Tor Link)
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/27357a1a-28d8-4f54-b82c-8ffd772e22a2.png

(D) Data Breaches

Data breach claims, particularly when announced by hacktivist groups, often serve a dual purpose: causing tangible harm through data exposure and achieving political or ideological goals by embarrassing or damaging the reputation of the targeted entity. The credibility of such claims requires careful assessment, as proof provided on platforms like Telegram may be limited to screenshots or small data samples, making it difficult to verify the full extent or authenticity of the breach without further investigation or confirmation from the victim organization.

  • Incident 16: EvilMorocco Hacktivism alleges breach of U.S. EEOC
  • Victim: U.S. Equal Employment Opportunity Commission (EEOC) (eeoc.gov)
  • Industry: Government Administration
  • Country: USA
  • Date: 2025-04-19T05:20:59Z
  • Summary: A group identifying itself as “EvilMorocco Hacktivism” posted a claim on Telegram alleging they had leaked data obtained from the U.S. Equal Employment Opportunity Commission (EEOC). Screenshots were provided in the Telegram post, presumably as evidence of the breach.
  • Threat Actor Profile: EvilMorocco Hacktivism:
  • Specific intelligence on this group is limited. However, the name explicitly indicates a hacktivist motivation (“Hacktivism”) and suggests a connection to Morocco (“EvilMorocco”), either in origin or ideological focus.
  • Targeting a U.S. government agency like the EEOC is a common tactic for hacktivist groups harboring anti-US sentiments or pursuing specific political agendas against Western governments. The method used—claiming a data leak via Telegram with accompanying screenshots—is a standard procedure for hacktivist groups seeking to publicize their alleged accomplishments and maximize reputational damage to the target. The actual nature of the leaked data, the method used to acquire it, and the overall impact of the breach remain unconfirmed based solely on this claim.
  • Supporting Evidence:
  • Published URL: https://t.me/evilmorocco/265
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2de3e729-9f5e-417c-8df4-9fd37da06509.png, https://d34iuop8pidsy8.cloudfront.net/063acb03-a46a-4e96-9b10-8e91b6261446.png

(E) Initial Access Brokerage

The cybercriminal underground functions as a complex economy with specialized roles. One crucial role is that of the Initial Access Broker (IAB), who gains unauthorized access to networks or systems and then sells that access to other criminals. This access can then be used to deploy ransomware, conduct espionage, launch phishing campaigns, or perform other malicious activities. The sale of compromised assets like SMTP servers falls into this category, enabling buyers to leverage the server’s reputation for nefarious purposes.

  • Incident 17: tyrese2024 alleges sale of SMTP Accounts
  • Activity: Sale of Unauthorized Access (Initial Access)
  • Platform: Exploit[.]in (Openweb cybercrime forum)
  • Date: 2025-04-19T01:45:01Z
  • Summary: A user operating under the handle “tyrese2024” advertised the sale of unauthorized access to SMTP (Simple Mail Transfer Protocol) servers on the well-known Russian-language cybercrime forum Exploit[.]in.
  • Threat Actor Profile: tyrese2024:
  • Based on the activity and platform, “tyrese2024” is likely a financially motivated cybercriminal acting as an Initial Access Broker (IAB). Selling unauthorized access to compromised resources is a common specialization within the cybercrime ecosystem.
  • Compromised SMTP servers are valuable commodities on underground markets. Buyers can use this access to send large volumes of spam or phishing emails that may appear more legitimate coming from a valid server, potentially bypassing spam filters and increasing the success rate of their campaigns. The specific methods used by “tyrese2024” to compromise these SMTP accounts are not detailed in the provided information.
  • Supporting Evidence:
  • Published URL: https://forum.exploit.in/topic/257678/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/3e3633a4-0b14-46e8-b2f8-5025b8749e62.png

3. Concluding Remarks

  • Summary: The 24-hour period ending 2025-04-19 was marked by significant cyber threat activity across multiple vectors. Geopolitically motivated hacktivism drove a large volume of disruptive incidents, primarily DDoS attacks and website defacements, with notable campaigns targeting entities associated with Indonesia, Poland, Israel, and the United States. Prominent actors in this space included NoName057(16), Dark Storm Team, and RuskiNet. Simultaneously, the ransomware threat remains acute, evidenced by continued operations from RaaS providers like RALord and FSOCIETY | FLOCKER, who employ sophisticated double extortion tactics and leverage affiliate networks. The broader cybercrime ecosystem’s specialization was also visible, with actors offering initial access brokerage services on underground forums.
  • Outlook: Vigilance regarding hacktivist activity is paramount, particularly concerning groups like NoName057(16), Dark Storm Team, RuskiNet, and actors focused on the Indonesian region. Monitoring their targets and TTPs, especially in relation to ongoing geopolitical events, is crucial. The evolution of some hacktivist groups towards incorporating financial motives warrants attention, as it may influence their target selection and persistence. Continued tracking of RaaS operations, including emerging groups like RALord and collaborations such as FSOCIETY/FunkSec, is essential for understanding the ransomware threat landscape. Verifying the claims made by threat actors, especially hacktivists known for potential exaggeration, remains a critical aspect of threat intelligence analysis. Fundamentally, organizations must maintain robust defenses against common initial access vectors, such as phishing and vulnerability exploitation, as these are the gateways for both disruptive hacktivism and destructive ransomware attacks.

Works cited

  1. RALord Ransomware Group: Threat Profile & Attack Tactics – Cyble, accessed April 19, 2025, https://cyble.com/threat-actor-profiles/ralord-ransomware-group/
  2. Dark Web Profile: FSociety (Flocker) Ransomware – SOCRadar …, accessed April 19, 2025, https://socradar.io/dark-web-profile-fsociety-flocker-ransomware/
  3. Indonesia Under Cyberattacks: Analyzing Threat Actors – Cyble, accessed April 19, 2025, https://cyble.com/blog/indonesia-under-sophisticated-cyberattacks-a-deep-dive-analysis-of-threat-actors-targeting-the-indonesian-ecosystem/
  4. Dark Storm is coming – Are you Safe enough to handle it? – Safe …, accessed April 19, 2025, https://safe.security/resources/dark-storm-is-coming-are-you-safe-enough-to-handle-it/
  5. Global Hacktivist Threats – Graphika, accessed April 19, 2025, https://graphika.com/reports/global-hacktivist-threats
  6. FSOCIETY & FUNKSEC Collaborate On Future Attacks – Cyberint, accessed April 19, 2025, https://cyberint.com/blog/research/fsociety-funksec-collaborate-on-future-attacks/
  7. Cyberattack Suspected in Worldwide X Outage | ZeroFox, accessed April 19, 2025, https://www.zerofox.com/intelligence-feed/cyberattack-suspected-in-worldwide-x-outage/
  8. Unmasking NoName057(16) – CybelAngel, accessed April 19, 2025, https://cybelangel.com/unmasking-noname05716/
  9. Pro-Russian Hacker Group: Noname057(16) | Radware, accessed April 19, 2025, https://www.radware.com/cyberpedia/ddos-attacks/noname057(16)/
  10. NoName057 Threat Actor Profile – Quorum Cyber, accessed April 19, 2025, https://www.quorumcyber.com/wp-content/uploads/2024/04/TI-NoName057-Threat-Actor-Profile-1.pdf
  11. ARaaStocracy – RALord ransomware emerges with new DLS – CYJAX, accessed April 19, 2025, https://www.cyjax.com/resources/blog/araastocracy-ralord-ransomware-emerges-with-new-dls/
  12. What is a Command and Control Attack? – Palo Alto Networks, accessed April 19, 2025, https://www.paloaltonetworks.com/cyberpedia/command-and-control-explained
  13. 202408201700_Everest Ransomware Threat Actor Profile_TLPCLEAR, accessed April 19, 2025, https://www.aha.org/system/files/media/file/2024/08/hc3-tlp-clear-threat-actor-profile-everest-ransomware-group-august-20-2024.pdf
  14. Peoples Cyber Army Of Russia | Threat Actor Profile – Cyble, accessed April 19, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  15. X Faces Cyberattack: Dark Storm Team Takes Credit, Musk Blames Ukraine – SOCRadar, accessed April 19, 2025, https://socradar.io/x-faces-cyberattack-dark-storm-team-takes-credit-musk-blames-ukraine/
  16. Breaking Cyber News From Cyberint – Cyberint, accessed April 19, 2025, https://cyberint.com/news-feed/
  17. When The Phone Rings – AsianWiki, accessed April 19, 2025, https://asianwiki.com/When_The_Phone_Rings
  18. Threat Actor Profiles – Cyble, accessed April 19, 2025, https://cyble.com/threat-actor-profiles/
  19. Identifying a Threat Actor Profile, accessed April 19, 2025, https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile.html
  20. Vulnerability Vortex: Escaping the Whirlpool of Ineffective Security | Rapid7 Blog, accessed April 19, 2025, https://www.rapid7.com/blog/post/2025/01/24/the-vulnerability-vortex-escaping-the-whirlpool-of-ineffective-security/
  21. Escaping the Vulnerability Vortex: Securing Code for a Safer Tomorrow – CloudDefense.AI, accessed April 19, 2025, https://www.clouddefense.ai/escape-the-vulnerability-vortex/
  22. VORTEX Cybersecurity, accessed April 19, 2025, https://www.vortexcloud.com/platform/cybersecurity
  23. VorTex Cybersecurity – GitHub, accessed April 19, 2025, https://github.com/VorTexCyberBD
  24. Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure | Cyber.gov.au, accessed April 19, 2025, https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/russian-military-cyber-actors-target-us-and-global-critical-infrastructure
  25. Money Message Ransomware activities continue – Broadcom Inc., accessed April 19, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/money-message-ransomware-activities-continue
  26. Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now – SonicWall, accessed April 19, 2025, https://www.sonicwall.com/blog/nova-raas-the-ransomware-that-spares-schools-and-nonprofits-for-now
  27. securityscorecard.com, accessed April 19, 2025, https://securityscorecard.com/wp-content/uploads/2024/01/Whitepaper-A-Detailed-Analysis-of-the-Money-Message-Ransomware.pdf
  28. Malware with a “Money Message” – Acronis, accessed April 19, 2025, https://www.acronis.com/en-eu/cyber-protection-center/posts/malware-with-a-money-message/
  29. RA Group Ransomware – SentinelOne, accessed April 19, 2025, https://www.sentinelone.com/anthology/ra-group/
  30. Understanding the rising threat of Money Message ransomware …, accessed April 19, 2025, https://www.avira.com/en/blog/understanding-the-rising-threat-of-money-message-ransomware
  31. Funksec Ransomware Teams Up with Another Ransomware Group to Double Down on Targets – SonicWall, accessed April 19, 2025, https://www.sonicwall.com/blog/funksec-ransomware-teams-up-with-another-ransomware-group-to-double-down-on-targets
  32. FunkSec: An AI-Centric and Affiliate-Powered Ransomware Group – Bitdefender, accessed April 19, 2025, https://www.bitdefender.com/en-au/blog/businessinsights/funksec-an-ai-centric-and-affiliate-powered-ransomware-group