[April-22-2025] Daily Cybersecurity Threat Report – Part 1

I. Introduction

This report details significant cybersecurity incidents observed and reported on April 22, 2025. The incidents span a range of attack vectors and threat actor types, including Ransomware-as-a-Service (RaaS) operations, Initial Access Broker (IAB) activity, politically motivated website defacements, and data breach disclosures. The analysis draws context from publicly available threat intelligence on the tactics, techniques, and procedures (TTPs) and motivations of the threat actors involved.

II. Incident Analysis

Incident 1: Qilin Ransomware Targets Parrish Leasing, INC

  • Victim Details:
  • Organization: Parrish Leasing, INC
  • Industry: Transportation & Logistics
  • Country: USA
  • Website: parrishleasing.com
  • Incident Summary:
  • Category: Ransomware
  • Date: 2025-04-22T12:33:32Z
  • Network: Telegram
  • Actor’s Claims: Data exfiltration confirmed.
  • Threat Actor Analysis: Qilin
  • Background & Motivation: Qilin, also known as Agenda, operates a Ransomware-as-a-Service (RaaS) model, likely originates from Russia, and has been active since at least 2022 [1]. The group supplies affiliates with the ransomware and supporting tooling and keeps an estimated 15-20% of ransom proceeds [2]. It is primarily financially motivated, with historical ransom demands ranging from $50,000 to several million dollars [2]; its occasional claims of political motivation are viewed skeptically given its history of targeting diverse sectors worldwide [1]. Qilin practices double extortion: victim data is encrypted and sensitive files are exfiltrated, with public release on the group’s darknet leak site threatened if the ransom is not paid [2].
  • Observed TTPs: Qilin affiliates gain initial access through several methods, including exploitation of vulnerabilities in public-facing applications (e.g., CVE-2023-27532 in Veeam Backup & Replication) and of external remote services such as VPNs (particularly Fortinet SSL VPN), sometimes by brute force [2]. Phishing and spear-phishing emails are also used [2]. Post-access techniques include process injection (T1055), use of valid accounts (T1078) often obtained from credential leaks, modification of registry keys (T1112) and group policy (T1484.001) for defense evasion and privilege escalation, and persistence via scheduled tasks (T1053.005) [3]. Cobalt Strike and PsExec are used for lateral movement and payload deployment [2]. The ransomware has been observed in both Go and Rust builds, targets Windows and Linux (including VMware ESXi) systems, and offers affiliates configuration options [2].
  • Historical Targets: Qilin targets organizations opportunistically across sectors and geographies, including healthcare, manufacturing, education, finance, legal services, and critical infrastructure [2]. A recent high-profile attack hit Synnovis, a UK pathology provider, causing significant disruption to NHS hospitals and reportedly involving a $50 million ransom demand [1].
  • Context for Current Incident: The targeting of Parrish Leasing, a US-based transportation and logistics company, aligns with Qilin’s documented pattern of attacking diverse industries in Western countries [2]. The claim of data exfiltration is consistent with its standard double-extortion tactics [3]. The claim was observed on Telegram, a common communication channel for threat actors [2]; note that the Published URL below points to a Telegram channel rather than Qilin’s own leak site, so the post should be cross-checked against the group’s DLS before being treated as a first-hand listing. The RaaS model means that even a less experienced affiliate benefits from the tooling and operational structure supplied by the core Qilin group [5]. The group’s willingness to hit sectors such as transportation underscores the potential for broad operational disruption from its activity.
  • Supporting Evidence:
  • Published URL: https://t.me/venarix/4487
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8384e6d8-bead-4030-9984-ef71bd8de17f.png
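The post-access techniques listed above (scheduled tasks, PsExec service creation, group policy and registry changes) all leave Windows event-log records. The following Python is an added example for this report, not Qilin tooling and not a vendor’s detection content: a small rule set that flags those records. The event dictionaries are constructed to mimic fields exported from the Security and System logs (EVTX EventData names); the task, service, path and user names in them are invented for illustration.

```python
"""Flag Qilin-style post-access activity in exported Windows event records.

Added example for this report (not Qilin tooling, not a vendor's rules).
Records are dicts shaped like EVTX EventData; the sample set is constructed.
"""
import re
from dataclasses import dataclass

# Paths a legitimate scheduled task rarely executes from (T1053.005 triage).
USER_WRITABLE = re.compile(r"(?i)\\(programdata|users\\[^\\]+\\appdata|windows\\temp|temp)\\")
# Autostart and Defender policy keys commonly touched for persistence/evasion (T1112).
SUSPICIOUS_KEYS = re.compile(r"(?i)\\currentversion\\(run|runonce)\b|\\windows defender\\")


@dataclass
class Finding:
    technique: str   # ATT&CK technique id
    event_id: int    # Windows event id that triggered the rule
    detail: str


def detect(events):
    """Return one Finding per record that matches a rule; other records are ignored."""
    findings = []
    for ev in events:
        eid, d = ev["EventID"], ev["EventData"]
        if eid == 4698 and USER_WRITABLE.search(d.get("TaskContent", "")):
            # Security 4698: scheduled task created; flag tasks launched from user-writable paths
            findings.append(Finding("T1053.005", eid, f"task {d['TaskName']} runs from a user-writable path"))
        elif eid == 7045:
            # System 7045: service installed; PsExec installs PSEXESVC, remote tools copy via ADMIN$
            name, image = d.get("ServiceName", ""), d.get("ImagePath", "")
            if name.upper() == "PSEXESVC" or re.search(r"(?i)\\ADMIN\$\\", image):
                findings.append(Finding("T1569.002", eid, f"service {name} installed with image {image}"))
        elif eid == 5136 and d.get("ObjectClass") == "groupPolicyContainer":
            # Security 5136 (needs directory service object auditing): a GPO object was modified
            findings.append(Finding("T1484.001", eid, f"GPO {d.get('ObjectDN')} modified by {d.get('SubjectUserName')}"))
        elif eid == 4657 and SUSPICIOUS_KEYS.search(d.get("ObjectName", "")):
            # Security 4657 (needs a registry SACL): a value was written under a watched key
            findings.append(Finding("T1112", eid, f"{d['ObjectName']}\\{d.get('ObjectValueName')} set by {d.get('SubjectUserName')}"))
    return findings


# Constructed sample records (names and paths are invented for illustration).
SAMPLE_EVENTS = [
    {"EventID": 4698, "EventData": {"TaskName": "\\Microsoft\\Windows\\Update\\SyncCheck",
        "TaskContent": "<Exec><Command>C:\\ProgramData\\sync\\svchost.exe</Command></Exec>"}},
    {"EventID": 4698, "EventData": {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
        "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"}},
    {"EventID": 7045, "EventData": {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}},
    {"EventID": 7045, "EventData": {"ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}},
    {"EventID": 5136, "EventData": {"ObjectClass": "groupPolicyContainer",
        "ObjectDN": "CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
        "SubjectUserName": "svc_backup"}},
    {"EventID": 4657, "EventData": {"ObjectName": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        "ObjectValueName": "SyncCheck", "SubjectUserName": "svc_backup"}},
    {"EventID": 4624, "EventData": {"TargetUserName": "jdoe"}},  # ordinary logon, matches no rule
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique} (event {f.event_id}): {f.detail}")
```

Events 4657 and 5136 only appear when the matching SACL or directory-service audit policy is enabled, so confirm those are on before relying on the last two rules. PsExec clones can be renamed, which makes the 7045 rule a weak signal on its own; correlate it with network logons (4624, logon type 3) from the same source host.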

Incident 2: LYNX Ransomware Targets R & M Manufacturing Inc.

  • Victim Details:
  • Organization: R & M Manufacturing Inc.
  • Industry: Manufacturing
  • Country: USA
  • Website: rmmanufacturinginc.com
  • Incident Summary:
  • Category: Ransomware
  • Date: 2025-04-22T12:17:16Z
  • Network: Tor
  • Actor’s Claims: Organization’s data obtained.
  • Threat Actor Analysis: LYNX
  • Background & Motivation: LYNX emerged in mid-2024 and is widely believed to be a rebrand or successor of the INC ransomware group [6]. It operates a RaaS model, providing affiliates with tools to execute attacks [6]. LYNX presents itself as financially motivated but professes an “ethical” stance, stating that it avoids government, healthcare, and non-profit organizations [8]. Attacks attributed to the group have nonetheless hit critical infrastructure, such as the Electrica Group in Romania [8]. It employs double extortion, exfiltrating data before encryption and threatening to leak it on its “Lynx News” data leak site [6].
  • Observed TTPs: LYNX shares significant code similarity with INC ransomware and may have purchased its source code [7]. Initial access is often gained via phishing emails or compromised credentials (e.g., brute force, pass-the-hash) [6]. The encryptor uses a Curve25519 (Donna implementation) key exchange with AES-128 file encryption [6]. It calls the Restart Manager API (RstrtMgr) to terminate processes that hold files open and would otherwise block encryption, and it executes via the Windows command shell as an executable, installer, or DLL [8]. Privilege escalation is attempted if initial encryption fails [7]. Defense evasion includes terminating security software, file obfuscation, clearing Windows event logs, and potentially using external cloud storage for exfiltration [6]. Encrypted files receive the .lynx extension, a ransom note (README.txt) is dropped, and the desktop background is often changed [7].
  • Historical Targets: LYNX targets a range of industries, including finance, architecture, manufacturing, retail, real estate, and energy, primarily in North America and Europe, with activity also observed in the Middle East and APAC [7]. Notable past victims include Hunter Taubman Fischer & Li LLC (a US law firm) and Electrica Group (a Romanian electricity supplier) [8].
  • Context for Current Incident: The attack on R & M Manufacturing Inc., a US-based manufacturer, fits squarely within LYNX’s documented target industries and geographic focus [7]. The claim of data acquisition aligns with its double-extortion methodology [6], and announcing victims on a Tor-based leak site is standard practice for the group [9]. The link to INC ransomware suggests operational maturity despite LYNX being a relatively new name [7]. The group’s claimed “ethical” exclusions appear flexible given its past targeting of critical infrastructure providers [8].
  • Supporting Evidence:
  • Published URL: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/68077e55d5daa03fd3331aee
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/e8aafecb-6804-4a46-80ce-716e6cb215a0.png
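LYNX’s on-disk indicators described above (the .lynx extension, the README.txt note, and file contents that are now ciphertext) can be checked for with a simple file-system sweep. This Python is an added example for this report and is not LYNX code or a vendor product: it builds a constructed sample directory in a temporary folder, scans it, and combines the three indicators into a verdict. The note text, file names and the phrases expected in a note are invented assumptions.

```python
"""Sweep a directory tree for LYNX-style ransomware indicators.

Added example for this report (not LYNX code, not a vendor scanner).
Indicators from the write-up: '.lynx' suffix, a README.txt ransom note,
and file contents that look like ciphertext (near-maximal byte entropy).
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXTENSIONS = {".lynx"}
NOTE_FILENAMES = {"readme.txt"}
NOTE_MARKERS = ("lynx", "your data", ".onion")   # phrases expected in the note (assumption)
ENTROPY_THRESHOLD = 7.5   # bits per byte; text is ~4-5, encrypted or compressed data approaches 8
SAMPLE_BYTES = 65536      # only the head of each file is measured


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root) -> dict:
    """Classify every regular file under `root` into the three indicator buckets."""
    hits = {"renamed": [], "notes": [], "high_entropy": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in NOTE_FILENAMES:
            text = path.read_text(errors="ignore").lower()
            if any(marker in text for marker in NOTE_MARKERS):
                hits["notes"].append(str(path))
        elif path.suffix.lower() in RANSOM_EXTENSIONS:
            hits["renamed"].append(str(path))
        elif shannon_entropy(path.read_bytes()[:SAMPLE_BYTES]) > ENTROPY_THRESHOLD:
            hits["high_entropy"].append(str(path))
    return hits


def verdict(hits: dict, min_files: int = 3) -> bool:
    """Ransomware is likely only when a note coincides with several renamed or ciphertext files.

    Requiring the note avoids alerting on ordinary compressed media, which is also high-entropy.
    """
    return bool(hits["notes"]) and len(hits["renamed"]) + len(hits["high_entropy"]) >= min_files


def build_sample(root) -> None:
    """Constructed sample tree: three 'encrypted' documents, a note, and two untouched files."""
    share = Path(root) / "finance"
    share.mkdir(parents=True)
    for i in range(3):
        (share / f"invoice_{i}.xlsx.lynx").write_bytes(os.urandom(4096))   # stands in for ciphertext
    (share / "README.txt").write_text(
        "Your data has been stolen and encrypted. Contact us through our .onion portal. -- Lynx\n")
    (share / "notes.txt").write_text("quarterly numbers reviewed\n" * 200)
    (share / "photo.jpg").write_bytes(os.urandom(2048))   # compressed media looks random too


def run_demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return the hits plus the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits = scan_tree(tmp)
    hits["verdict"] = verdict(hits)
    return hits


if __name__ == "__main__":
    result = run_demo()
    for bucket in ("renamed", "notes", "high_entropy"):
        print(f"{bucket}: {len(result[bucket])}")
    print("ransomware likely:", result["verdict"])
```

The entropy test alone is a poor signal (the sample’s photo.jpg trips it), which is why the verdict insists on a note plus several affected files; a production version would also watch for a burst of renames in a short window rather than scanning after the fact.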

Incident 3: Alleged Sale of RDWEB Access to U.S. Human Resources Software Firm by 1NK

  • Victim Details:
  • Organization: Unnamed (U.S.-based Human Resources Software Company)
  • Industry: Software
  • Country: USA
  • Size/Revenue: Approx. 1,560 employees, $327.7 million annual revenue (as claimed by actor).
  • Incident Summary:
  • Category: Initial Access
  • Date: 2025-04-22T12:15:36Z
  • Network: Open Web (XSS.is forum)
  • Actor’s Claims: Selling RDWEB access with Domain Admin rights.
  • Threat Actor Analysis: 1NK (as an Initial Access Broker)
  • Background & Motivation: 1NK is operating as an Initial Access Broker (IAB). IABs specialize in gaining unauthorized access to networks and selling that access to other cybercriminals, such as ransomware groups [11]. Their motivation is financial; they profit from the sale of access rather than executing the final attack, which reduces their own risk [11]. They operate on underground forums such as XSS.is, Exploit, and BreachForums [12]. IABs are a key part of the cybercrime ecosystem, enabling RaaS operations in particular by handling the initial intrusion phase [11].
  • Observed TTPs (IABs): IABs gain access by exploiting vulnerabilities in remote services (RDP, VPN), brute-forcing credentials, phishing, deploying infostealer malware, or reusing previously leaked credentials [12]. They commonly sell RDP, VPN, Active Directory credentials, web shells, and control-panel access [12]. Listings typically describe the victim (industry, revenue, country) without naming it, along with the type and privilege level of the access (e.g., Domain Admin) [12]. Pricing depends on the target’s value and the access level, often ranging from hundreds to thousands of dollars, sometimes by auction [11].
  • Context for Current Incident: 1NK’s listing on the XSS.is forum matches the IAB model [12]: it advertises access to a specific type of organization (US HR software) with size and revenue figures to signal value [12]. Those figures come from the seller and are unverified. The offered access type, RDWEB (Remote Desktop Web Access, the IIS-hosted web front end of Remote Desktop Services, which is typically Internet-facing), combined with Domain Admin rights is highly sought after by ransomware groups, since Domain Admin grants extensive control over the network [14]. Such a sale sharply lowers the barrier for a subsequent attacker to deploy malware, exfiltrate data, or cause widespread disruption. IAB specialization lets ransomware groups focus on deployment and extortion, increasing the efficiency and scale of cybercrime operations [11].
  • Supporting Evidence:
  • Published URL: https://xss.is/threads/136543/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/30cc5402-3655-456e-b70c-a5d5d4a5151b.png
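Because RDWEB access is usually obtained by password guessing against the RD Web Access login page or by replaying stolen credentials, the IIS logs of that server are the first place to look. The Python below is an added example for this report, not 1NK’s tooling or a vendor’s detection. It assumes, as an observation to verify against your own logs, that a failed form login to /RDWeb/Pages/en-US/login.aspx is answered with HTTP 200 (the form re-rendered) while a successful one is answered with a 302 redirect; the log lines, user names and IP addresses are constructed.

```python
"""Spot RD Web Access password spraying / brute force in IIS W3C logs.

Added example for this report (not IAB tooling, not a vendor rule).
Assumption: failed form logins return 200, successful logins return 302.
Sample log lines below are constructed; addresses are from RFC 5737 test ranges.
"""
import datetime as dt
from collections import defaultdict

LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"
FAIL_THRESHOLD = 5                    # failed POSTs from one source ...
WINDOW = dt.timedelta(minutes=10)     # ... inside this window raise an alert


def parse_iis(lines):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split())))
    return rows


def rdweb_alerts(rows):
    """Per source IP: alert on FAIL_THRESHOLD failures within WINDOW, noting any later success."""
    attempts = defaultdict(list)
    for r in rows:
        if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == LOGIN_PATH:
            ts = dt.datetime.fromisoformat(f"{r['date']}T{r['time']}")
            attempts[r["c-ip"]].append((ts, r["sc-status"]))
    alerts = []
    for ip, tries in attempts.items():
        tries.sort()
        fails = [ts for ts, status in tries if status == "200"]
        # sliding window: any FAIL_THRESHOLD consecutive failures spanning <= WINDOW
        burst_start = next((fails[i] for i in range(len(fails) - FAIL_THRESHOLD + 1)
                            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= WINDOW), None)
        if burst_start is None:
            continue
        success = any(status == "302" and ts >= burst_start for ts, status in tries)
        alerts.append({"ip": ip, "failures": len(fails), "success_after_burst": success})
    return alerts


# Constructed sample: a scripted spray from 203.0.113.45 that eventually succeeds,
# then a normal browser login from 198.51.100.7.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-04-21 22:01:03 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 310
2025-04-21 22:01:09 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 295
2025-04-21 22:01:15 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 301
2025-04-21 22:01:22 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 288
2025-04-21 22:01:30 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 312
2025-04-21 22:01:41 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 200 0 0 290
2025-04-21 22:01:55 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 203.0.113.45 python-requests/2.31 302 0 0 410
2025-04-21 22:02:01 10.0.0.5 GET /RDWeb/Pages/en-US/Default.aspx - 443 CORP\\svc_backup 203.0.113.45 python-requests/2.31 200 0 0 120
2025-04-21 22:03:10 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx ReturnUrl=/RDWeb/Pages/en-US/Default.aspx 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 302 0 0 380
2025-04-21 22:03:12 10.0.0.5 GET /RDWeb/Pages/en-US/Default.aspx - 443 CORP\\jdoe 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 200 0 0 95
""".splitlines()

if __name__ == "__main__":
    for alert in rdweb_alerts(parse_iis(SAMPLE_LOG)):
        print(alert)
```

A broker spraying from many addresses at a low rate will stay under a per-IP threshold, so in practice also group failures by target username and by user agent, and confirm hits against the 4624/4625 logon events on the RDWeb host. MFA in front of RD Web Access and RD Gateway removes most of the value of a stolen password outright.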

Incident 4: Team 1722 Defaces Delsak Delikli Website

  • Victim Details:
  • Organization: Delsak Delikli
  • Industry: Unspecified
  • Country: Turkey
  • Website: Unspecified (the claim implies a public web property was defaced)
  • Incident Summary:
  • Category: Defacement
  • Date: 2025-04-22T10:34:05Z
  • Network: Telegram
  • Actor’s Claims: Website defaced.
  • Threat Actor Analysis: Team 1722
  • Background & Motivation: Team 1722 is identified as a hacktivist group [16]. Hacktivist groups typically use DDoS attacks and website defacements to promote political or social agendas, protest perceived injustices, or support specific causes [18]. Their motivations are generally ideological rather than financial, although some groups have links to nation-state agendas or engage in hybrid activity [19]. Team 1722 has been consistently active alongside other hacktivist groups [16].
  • Observed TTPs (Hacktivists): Common hacktivist tactics include DDoS (often with readily available tools or botnets), website defacement (exploiting web application vulnerabilities or using compromised credentials), and sometimes data leaks (“hack and leak”) [17]. They announce their actions publicly, frequently on Telegram or social media, to maximize visibility for their cause [18]. Some groups form alliances or operate under umbrella campaigns [19]. While most focus on disruption and messaging, some hacktivist groups are adopting more sophisticated techniques or even collaborating with ransomware operations [17].
  • Historical Targets: Hacktivist targeting is driven by current events, geopolitical conflicts (such as the Russia-Ukraine war or the Israel-Hamas conflict), or specific political grievances [16]. Targets range from government websites and critical infrastructure to corporations and organizations perceived as representing opposing viewpoints or nations [16]. Team 1722’s specific historical targets and affiliations are not detailed in the available reporting, but its activity places it within the broader landscape of active hacktivist groups [16].
  • Context for Current Incident: The defacement of a Turkish website by Team 1722 is a typical hacktivist action [17]: defacement is a visible form of digital protest or disruption, and announcing it via Telegram is standard practice for groups seeking publicity [18]. Without further information on Team 1722’s agenda, the motivation for targeting this particular Turkish entity remains unclear, but it is most likely political or social activism.
  • Supporting Evidence:
  • Published URL: https://t.me/x1722x/2498
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1da5afb2-2a1e-4151-a390-8d90151dc321.png

Incident 5: RHYSIDA Ransomware Targets Aços Favorit Distribuidora Ltda

  • Victim Details:
  • Organization: Aços Favorit Distribuidora Ltda
  • Industry: Business and Economic Development
  • Country: Brazil
  • Website: favorit.com.br
  • Incident Summary:
  • Category: Ransomware
  • Date: 2025-04-22T07:29:17Z
  • Network: Tor
  • Actor’s Claims: Data obtained, plans to publish within 6-7 days.
  • Threat Actor Analysis: RHYSIDA
  • Background & Motivation: RHYSIDA emerged around May 2023 and operates as a RaaS group, leasing its tools and infrastructure to affiliates [22]. It is financially motivated and targets organizations opportunistically across sectors worldwide [22]. Rhysida employs double extortion, demanding Bitcoin ransoms to decrypt data and to withhold exfiltrated information from its Tor-based leak site [23]. CISA, the FBI, and MS-ISAC issued a joint advisory on Rhysida in November 2023 [22].
  • Observed TTPs: Rhysida actors often gain initial access by exploiting external-facing remote services such as VPNs (especially where MFA is absent), exploiting vulnerabilities such as Zerologon (CVE-2020-1472), and phishing [22]. They rely on living-off-the-land techniques, using native tools such as PowerShell, net commands, and RDP for reconnaissance, lateral movement, and execution so that their activity blends with normal administration [22]. Cobalt Strike beacons and PsExec are used for command and control and for deployment [22]. They stage tooling (including a payload referenced as “Rhysida-0.1”), use PowerView for domain reconnaissance, and clear event logs for defense evasion [22]. The ransomware payload (a 64-bit PE compiled with MinGW/GCC) uses a 4096-bit RSA key together with a symmetric cipher (reported as ChaCha20, with some analyses citing AES) and appends the .rhysida extension [23]. The ransom note is dropped as a PDF named “CriticalBreachDetected.pdf” [23].
  • Historical Targets: Rhysida’s victims are “targets of opportunity” spanning education, healthcare (a notable focus that prompted HHS alerts), manufacturing, IT, and government across multiple continents [22]. While healthcare has been significantly impacted, analysis suggests that manufacturing, legal/professional services, and financial services were the most frequent victims as of mid-2024 [2]. Victims include Sunflower Medical Group, Community Care Alliance, and potentially Lurie Children’s Hospital [26].
  • Context for Current Incident: The attack against Aços Favorit Distribuidora Ltda aligns with Rhysida’s opportunistic targeting across industries and geographies [22]. The claim of data exfiltration and the stated publication deadline of 6-7 days are characteristic of its double-extortion model, communicated via its Tor leak site [23]. The likely sequence, initial entry via exposed remote access or phishing followed by encryption and extortion, is consistent with Rhysida’s known operations [22]; the specific intrusion vector for this victim is not stated in the post.
  • Supporting Evidence:
  • Published URL: http://rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/6c520200-ba7b-47c6-bbe4-f559764cea6f.png
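The living-off-the-land reconnaissance described above (net commands, PowerView, wevtutil log clearing) is visible in process-creation telemetry such as Sysmon Event ID 1 or Security 4688 with command-line auditing enabled. The following Python is an added example for this report, not Rhysida tooling or a vendor’s content; it applies a small rule set to constructed command-line records and alerts only when one host shows two or more distinct techniques, which is what separates an intrusion from a help-desk user running a single net command. The host and user names are invented.

```python
"""Correlate living-off-the-land reconnaissance across process-creation records.

Added example for this report (not Rhysida tooling, not a vendor rule set).
Records mimic Sysmon Event ID 1 / Security 4688 fields; the sample is constructed.
"""
import re
from collections import defaultdict

# (technique id, description, pattern applied to the command line)
RULES = [
    ("T1087.002", "domain account or group discovery via net.exe",
     re.compile(r"(?i)\bnet1?(\.exe)?\s+(group|user|localgroup)\b.*(/domain|domain admins|enterprise admins)")),
    ("T1070.001", "Windows event log cleared",
     re.compile(r"(?i)\bwevtutil(\.exe)?\s+(cl|clear-log)\b|\bclear-eventlog\b")),
    ("T1059.001", "PowerView-style Active Directory recon cmdlets",
     re.compile(r"(?i)\b(get-net(user|computer|session|share)|get-domain(user|computer|group|controller)"
                r"|invoke-sharefinder|find-localadminaccess|invoke-kerberoast)\b")),
    ("T1059.001", "encoded PowerShell command",
     re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}")),
]


def match_rules(command_line):
    """Return the (technique, description) pairs whose pattern matches one command line."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(command_line)]


def score_hosts(events, min_techniques=2):
    """Group matches per host; report hosts with at least `min_techniques` distinct techniques."""
    per_host = defaultdict(lambda: {"techniques": set(), "hits": []})
    for ev in events:
        for tid, desc in match_rules(ev["CommandLine"]):
            per_host[ev["Computer"]]["techniques"].add(tid)
            per_host[ev["Computer"]]["hits"].append((ev["User"], tid, desc, ev["CommandLine"]))
    return {host: data for host, data in per_host.items()
            if len(data["techniques"]) >= min_techniques}


# Constructed sample: an intrusion on FS01 and ordinary admin activity on WS22.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": 'net group "Domain Admins" /domain'},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": 'powershell.exe -ep bypass -c "Import-Module .\\PowerView.ps1; Get-DomainComputer -Properties dnshostname"'},
    {"Computer": "FS01", "User": "CORP\\svc_backup",
     "CommandLine": "wevtutil.exe cl Security"},
    {"Computer": "WS22", "User": "CORP\\helpdesk",
     "CommandLine": "net user jdoe /domain"},
    {"Computer": "WS22", "User": "CORP\\helpdesk",
     "CommandLine": "net use Z: \\\\fs01\\share /persistent:no"},
    {"Computer": "WS22", "User": "CORP\\helpdesk",
     "CommandLine": 'powershell.exe -c "Get-ChildItem C:\\Users | Select-Object Name"'},
]

if __name__ == "__main__":
    for host, data in score_hosts(SAMPLE_EVENTS).items():
        print(host, sorted(data["techniques"]))
        for user, tid, desc, cmd in data["hits"]:
            print(f"  {tid} {desc} [{user}]: {cmd}")
```

Command lines are attacker-controlled strings, so every pattern here can be evaded (net1.exe, variable expansion, script files instead of inline cmdlets); the per-host correlation is what keeps the rule useful, and the wevtutil pattern should be backed by the Security 1102 “audit log was cleared” event, which the attacker cannot suppress by changing the command.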

Incident 6: RALord Ransomware Targets Agromate Holdings Sdn Bhd

  • Victim Details:
  • Organization: Agromate Holdings Sdn Bhd
  • Industry: Agriculture & Farming
  • Country: Malaysia
  • Website: agromate.com.my
  • Incident Summary:
  • Category: Ransomware
  • Date: 2025-04-22T04:11:14Z
  • Network: Tor
  • Actor’s Claims: Obtained 15 GB of data, intends to publish in 7-8 days.
  • Threat Actor Analysis: RALord
  • Background & Motivation: RALord is a new ransomware group first identified in late March 2025 that operates as part of, or in association with, the NOVA RaaS infrastructure [27]. It runs an affiliate program with an 85/15 profit split and also sells its encryptor separately [27]. Its motivation is financial, and it uses multi-layered extortion: data encryption, data theft, public naming on a Tor-based Data Leak Site (DLS), and detailed exposure of the victim’s security weaknesses [27]. Unconfirmed links to the older RAWorld/RAGroup ransomware have been suggested on the basis of naming similarity and RAWorld’s inactivity since late 2024 [27].
  • Observed TTPs: RALord uses at least two payloads: a widely distributed “.nova” variant (associated with NOVA RaaS) and a more advanced, internally developed Rust-based variant that appends “.RALord” [27]. Ransom notes direct victims to contact the attackers via secure messengers such as qTox [27]. The group maintains a public Tor blog covering tool updates and the RaaS program [27], and its DLS posts often include detailed proof of breach such as file trees and data samples [27]. Affiliates may handle initial access (acting much like IABs) while RALord itself performs the encryption under some RaaS arrangements [28]. The group actively recruits affiliates skilled in Rust/Python programming, CVE exploitation, and network penetration [27].
  • Historical Targets: RALord targets a broad range of industries globally, including healthcare, education, hospitality, IT, media, construction, and agriculture [27]. Early victims were located in Europe, the Middle East, and South America [27]. Some reports note an initial pledge not to target schools or nonprofits, including the removal of a school from its list, although how consistently this policy is applied is uncertain [30].
  • Context for Current Incident: The attack on Agromate Holdings, a Malaysian agricultural company, fits RALord’s documented targeting of the agriculture sector and extends its geographic reach into Asia [27]. Claiming a specific data volume (15 GB) and setting a publication deadline (7-8 days) are typical components of its double-extortion strategy, executed via its Tor DLS [27]. The post does not state which payload was used; the Rust-based .RALord variant is the group’s own build, while the .nova variant is also in circulation [29]. The incident illustrates the group’s ongoing operations and diversification of targets.
  • Supporting Evidence:
  • Published URL: http://ralord3htj7v2dkavss2hjzviviwgsf4anfdnihn5qcjl6eb5if3cuqd.onion/agromate/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/89f25dea-dfb8-422f-b081-8973751026b8.png

Incidents 7 & 8: Anonymous Italia Defaces Russian Websites

  • Victim Details (Incident 7):
  • Organization: Taturos Radio
  • Industry: Broadcast Media
  • Country: Russia
  • Website: taturosradio.ru
  • Incident Summary (Incident 7):
  • Category: Defacement
  • Date: 2025-04-22T03:08:42Z
  • Network: Telegram
  • Actor’s Claims: Website defaced.
  • Victim Details (Incident 8):
  • Organization: Judicial Investment Center
  • Industry: Legal Services
  • Country: Russia
  • Website: sudinvest-rf.ru
  • Incident Summary (Incident 8):
  • Category: Defacement
  • Date: 2025-04-22T02:56:14Z
  • Network: Telegram
  • Actor’s Claims: Website defaced.
  • Threat Actor Analysis: Anonymous Italia
  • Background & Motivation: Anonymous Italia is a hacktivist collective operating under the banner of the decentralized Anonymous movement [31]. Anonymous groups are known for cyberattacks (primarily DDoS and defacement) against governments, corporations, and other organizations to protest censorship, advocate for political or social causes, or engage in internet vigilantism [31]. Their actions are driven by ideology and current events, particularly geopolitical conflicts [21]. Anonymous Italia has been specifically active against Russian entities since the invasion of Ukraine [32].
  • Observed TTPs (Anonymous Collective): Anonymous uses DDoS attacks, website defacements, data leaks, and social media campaigns [31]. It operates publicly, using social media (such as Twitter) and communication platforms (such as Telegram) to announce actions, coordinate efforts (sometimes involving volunteers), and spread its message [32]. While traditionally focused on disruption and activism, the lines can blur, with some Anonymous-affiliated actions potentially overlapping with more sophisticated operations or even state interests [34].
  • Historical Targets: The Anonymous collective has targeted a vast array of organizations worldwide over the years, including government agencies, financial institutions, and corporations, often under named campaigns (e.g., #OpParisOfficial [39], #OpVenezuela [21]). Anonymous Italia specifically claimed DDoS attacks against Russian energy companies (Norilsk Gazprom, Arktik Energo) in February 2023 [36] and has been active against Russian financial, public administration, media, ICT, and energy targets [37].
  • Context for Current Incidents: These two defacements of Russian entities (a radio station and a legal/investment firm) are entirely consistent with Anonymous Italia’s established pattern of targeting Russian organizations, most likely as protest tied to the ongoing geopolitical conflict [32]. Defacement is a typical tactic for the group [37], and announcing it on Telegram (here via the AnonSecIta_Ops channel) is standard procedure [32]. These actions exemplify hacktivism driven directly by geopolitical conflict, aiming to disrupt, embarrass, or signal opposition to Russian actions [21]. Although less damaging than data breaches or ransomware, such defacements contribute to the cyber dimension of international conflicts.
  • Supporting Evidence 7:
  • Published URL: https://t.me/AnonSecIta_Ops/769
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/9296d0c8-1b50-4d2c-a91e-555e111948ee.png
  • Supporting Evidence 8:
  • Published URL: https://t.me/AnonSecIta_Ops/767
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/d4d43b58-cf56-4615-a5c4-fca07d5a9418.png
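Defacements like the two above, and the Team 1722 claim in Incident 4, are noticed by whoever looks at the page first, which ought to be the site owner. The Python below is an added example for this report, not the collective’s tooling or any vendor product: it profiles a page with the standard-library HTML parser and compares a current copy against a stored baseline on title, visible-text similarity, newly introduced script/iframe/image hosts, and common defacement phrases. Both HTML documents are constructed for illustration, use reserved .test domains, and do not reproduce the actual defaced sites.

```python
"""Baseline-vs-current web page comparison to catch defacements.

Added example for this report (not hacktivist tooling, not a vendor monitor).
The two HTML documents at the bottom are constructed and invented.
"""
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DEFACEMENT_PHRASES = re.compile(r"(?i)\b(hacked|owned|pwned|defaced)\s+by\b")
MIN_SIMILARITY = 0.6   # visible-text similarity below this is treated as a content swap


class PageProfile(HTMLParser):
    """Collect title, visible text and resource hosts from one HTML document."""

    def __init__(self):
        super().__init__()
        self.title, self.text, self.hosts = "", [], set()
        self._in_title, self._skip_depth = False, 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        if tag in ("script", "style"):
            self._skip_depth += 1          # script/style bodies are not visible text
        if tag in ("script", "iframe", "img") and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host:
                self.hosts.add(host.lower())

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()
        elif not self._skip_depth and data.strip():
            self.text.append(data.strip())


def profile(html):
    p = PageProfile()
    p.feed(html)
    return {"title": p.title, "text": " ".join(p.text), "hosts": p.hosts}


def check(baseline_html, current_html, allowed_hosts=frozenset()):
    """Return the reasons the current page differs suspiciously from the baseline (empty if none)."""
    base, cur = profile(baseline_html), profile(current_html)
    reasons = []
    if cur["title"] != base["title"]:
        reasons.append(f"title_changed:{cur['title']!r}")
    ratio = difflib.SequenceMatcher(None, base["text"], cur["text"]).ratio()
    if ratio < MIN_SIMILARITY:
        reasons.append(f"content_similarity:{ratio:.2f}")
    for host in sorted(cur["hosts"] - base["hosts"] - set(allowed_hosts)):
        reasons.append(f"new_resource_host:{host}")
    if DEFACEMENT_PHRASES.search(cur["text"]) or DEFACEMENT_PHRASES.search(cur["title"]):
        reasons.append("defacement_phrase")
    return reasons


# Constructed pages: a fictional station's front page and a defaced copy of it.
BASELINE_HTML = """<html><head><title>Radio Example Live</title>
<script src="https://www.example-radio.test/static/player.js"></script></head>
<body><h1>Radio Example Live</h1><p>Now playing: the evening programme with local news,
weather and the weekly request show.</p><p>Schedule, podcasts and contact details.</p></body></html>"""

DEFACED_HTML = """<html><head><title>HACKED</title>
<script src="https://cdn.attacker.test/beacon.js"></script></head>
<body><h1>HACKED BY EXAMPLE CREW</h1><p>Your security is zero. Expect us.</p>
<iframe src="https://cdn.attacker.test/banner.html"></iframe></body></html>"""

if __name__ == "__main__":
    print("baseline vs itself:", check(BASELINE_HTML, BASELINE_HTML))
    print("baseline vs defaced:", check(BASELINE_HTML, DEFACED_HTML))
```

Run the check from outside your own network on a schedule, store the baseline profile rather than the raw HTML, and re-baseline on every legitimate deploy; for pages with rotating content, compare a static region (header, footer, navigation) instead of the whole body so that routine updates do not trip the similarity threshold.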

Incident 9: Alleged Data Sale of Razorpay Software Private Limited by Machine1337

  • Victim Details:
  • Organization: Razorpay Software Private Limited
  • Industry: Software (FinTech/Payments)
  • Country: India
  • Website: razorpay.com
  • Incident Summary:
  • Category: Data Breach
  • Date: 2025-04-22T01:28:51Z
  • Network: Open Web (XSS.is forum)
  • Actor’s Claims: Selling data including Headers Information (Message, Destination Phone, DeliveryTime).
  • Threat Actor Analysis: Machine1337
  • Background & Motivation: Machine1337 appears to be acting as a data broker, offering allegedly stolen data for sale on the XSS.is underground forum [12]. The motivation is presumed to be financial gain through monetization of compromised data. The advertised data (“Headers Information” with fields such as Message, Destination Phone, and DeliveryTime) resembles the records of an SMS or notification delivery log, that is, communication or transaction metadata rather than comprehensive PII or direct financial account details. General context exists on data-breach actors such as rose87168 and Coreinjection selling data on forums [41], but Machine1337 is not specifically profiled in that reporting.
  • Observed TTPs (Data Brokers/Breach Actors): Actors behind data breaches typically gain initial access through vulnerability exploitation [42], phishing [44], malware deployment [41], or compromised credentials [45]. After exfiltrating data, they advertise it on dark web or clear web forums, usually with samples as proof [12]. The data sold varies widely and includes credentials, PII, financial data, source code, network information, and specific datasets such as logs or metadata [41].
  • Context for Current Incident: Machine1337’s listing on XSS.is follows the standard data-broker model [12]. Advertising data allegedly from Razorpay, a major Indian FinTech company, targets buyers interested in exploiting that information. Although “Headers Information” is vague, fields such as “Destination Phone” and “DeliveryTime” point to communication or transaction metadata, and a destination phone number paired with message content is itself personal data. Even where no financial account details are included, such records have significant value: they support targeted social engineering and phishing (a recipient who has just received a payment or OTP notification can be impersonated against with precise timing), reveal user activity patterns, and provide intelligence for further intrusion attempts. For a payment processor, leakage of any transaction-related data, including metadata, is a security concern and a potential reputational harm. The listing shows that many kinds of compromised data, not only the most obviously sensitive PII, are commoditized in the cybercrime underground. The claim remains unverified, and whether the records originate from Razorpay’s own systems or from a messaging provider in its delivery chain cannot be determined from the listing.
  • Supporting Evidence:
  • Published URL: https://xss.is/threads/136523/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/187cf661-3b04-4ebd-b92f-6b5d38d733a8.png
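The value of the fields in this listing (Message, Destination Phone, DeliveryTime) is a reminder that notification and SMS delivery logs deserve the same minimization as payment data. The Python below is an added example for this report, not Razorpay’s code or a description of its systems: it shows one way to store such a log so that a stolen copy is of little use to a buyer, by keying the phone number through an HMAC (the key would live in a KMS; here it is a constant labelled as a demo value), replacing the message body with a template identifier, and coarsening the delivery time to the hour. The record layout is assumed from the field names in the listing, and the records and phone numbers are constructed.

```python
"""Minimise SMS/notification delivery records before they are logged or retained.

Added example for this report (not Razorpay code; the record layout is assumed
from the field names in the listing: Message, Destination Phone, DeliveryTime).
"""
import datetime as dt
import hashlib
import hmac

# In production this key lives in a KMS/HSM and is rotated; the value here is a demo constant.
DEMO_KEY = b"demo-key-replace-with-kms-managed-secret"

# Known message templates, matched by prefix; the variable part (OTP, amount) is never stored.
TEMPLATES = {
    "Your OTP is": "otp_v1",
    "Payment of": "payment_receipt_v1",
    "Your refund of": "refund_v1",
}


def normalise_phone(phone: str) -> str:
    """Keep digits only so '+91 98765 43210' and '919876543210' pseudonymise identically."""
    return "".join(ch for ch in phone if ch.isdigit())


def pseudonymise_phone(phone: str, key: bytes) -> str:
    """Keyed hash of the number: stable per key for joins and analytics, not reversible without it."""
    return hmac.new(key, normalise_phone(phone).encode(), hashlib.sha256).hexdigest()[:32]


def template_for(message: str) -> str:
    """Map a message body to a template id; unknown bodies are dropped entirely, not stored."""
    for prefix, template_id in TEMPLATES.items():
        if message.startswith(prefix):
            return template_id
    return "unknown"


def coarsen_time(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour so exact activity timing is not retained."""
    t = dt.datetime.fromisoformat(ts)
    return t.replace(minute=0, second=0, microsecond=0).isoformat()


def minimise_record(rec: dict, key: bytes) -> dict:
    """Return the retained form of one delivery record: no phone number, no message body."""
    return {
        "dest_token": pseudonymise_phone(rec["destination_phone"], key),
        "template": template_for(rec["message"]),
        "delivered_hour": coarsen_time(rec["delivery_time"]),
        "status": rec["status"],
    }


# Constructed sample records (numbers and contents are invented).
SAMPLE_RECORDS = [
    {"destination_phone": "+91 98765 43210", "message": "Your OTP is 482913. Do not share it.",
     "delivery_time": "2025-04-22T01:28:51", "status": "delivered"},
    {"destination_phone": "919876543210", "message": "Payment of INR 1,250.00 to Example Store succeeded.",
     "delivery_time": "2025-04-22T01:42:07", "status": "delivered"},
    {"destination_phone": "+91 91234 56789", "message": "Reminder: your subscription renews tomorrow.",
     "delivery_time": "2025-04-22T02:05:33", "status": "failed"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(minimise_record(rec, DEMO_KEY))
```

The token is deliberately stable so that support and fraud teams can still query by phone number (compute the token at query time with the same key); the trade-off is that anyone holding the key can test candidate numbers, so the key must never be exported alongside the logs and should be rotated, with old tokens re-keyed or expired.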

III. Concluding Observations

The cybersecurity incidents reported on April 22, 2025, illustrate several persistent and evolving trends in the threat landscape:

  • Ransomware-as-a-Service (RaaS) Proliferation: Activity by four distinct RaaS groups (Qilin, LYNX, RHYSIDA, RALord) within a single 24-hour period underscores the enduring effectiveness and popularity of the RaaS model [3]. These groups showed global reach, targeting diverse industries across multiple continents, reinforcing the opportunistic yet impactful nature of these financially motivated operations. Double extortion remains the standard tactic [3].
  • Initial Access Broker (IAB) Enablement: The sale of high-privilege (Domain Admin RDWEB) access by the IAB ‘1NK’ highlights the critical function these actors play in the cybercrime supply chain [11]. By specializing in gaining initial footholds, IABs significantly lower the execution barrier for subsequent attackers, particularly ransomware affiliates, thereby increasing the overall threat velocity [11].
  • Geopolitically Charged Hacktivism: The coordinated defacements by Anonymous Italia against Russian targets are a clear example of hacktivism being used as a tool in geopolitical conflicts [21]. While these groups often employ less sophisticated techniques such as defacement or DDoS compared to RaaS operators, their actions fulfil a distinct purpose of protest, disruption, and messaging aligned with specific political stances [19]. Team 1722’s activity further contributes to this landscape.
  • Data Monetization: The alleged sale of Razorpay data by Machine1337 demonstrates the continued commodification of compromised information on underground markets [41]. The incident suggests that even metadata or less overtly sensitive information is valued by threat actors, potentially for reconnaissance or future targeted attacks.
  • Cybercrime Ecosystem Dynamics: The day’s events showcase an increasingly specialized yet interconnected cybercrime ecosystem. RaaS operators provide platforms [3], affiliates execute attacks [2], IABs supply access [11], data brokers sell stolen information [41], and hacktivists pursue ideological goals, sometimes adopting criminal tools [17]. This specialization enhances efficiency, but the lines can blur as actors adapt their models (e.g., a RaaS operator handling encryption while affiliates focus on access [28]), creating a fluid and challenging environment for defenders. Understanding these interdependencies is crucial for anticipating threats and developing effective mitigations.

Works cited

  1. Qilin Ransomware: What You Need To Know – Tripwire, accessed April 22, 2025, https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know
  2. qilin-threat-profile-tlpclear.pdf – HHS.gov, accessed April 22, 2025, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
  3. Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 22, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
  4. Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024 – Picus Security, accessed April 22, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
  5. The Qilin Ransomware Group vs the National Health Service. – Searchlight Cyber, accessed April 22, 2025, https://slcyber.io/podcasts/the-qilin-ransomware-group-vs-the-national-health-service/
  6. Lynx Ransomware Group: Tactics, Targets, And Defense Strategies – Cyble, accessed April 22, 2025, https://cyble.com/threat-actor-profiles/lynx-ransomware/
  7. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 22, 2025, https://darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  8. Defending Against Lynx Ransomware (Strategies for 2025) – CybelAngel, accessed April 22, 2025, https://cybelangel.com/lynx-ransomware-double-extortion/
  9. Lynx Ransomware – Blackpoint Cyber, accessed April 22, 2025, https://blackpointcyber.com/threat-profile/threat-profile-lynx-ransomware/
  10. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 22, 2025, https://www.darktrace.com/de/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  11. Initial Access Brokers Shift Tactics, Selling More for Less – The Hacker News, accessed April 22, 2025, https://thehackernews.com/2025/04/initial-access-brokers-shift-tactics.html
  12. What are Initial Access Brokers? – Searchlight Cyber, accessed April 22, 2025, https://slcyber.io/blog/what-are-initial-access-brokers/
  13. Initial access broker – Wikipedia, accessed April 22, 2025, https://en.wikipedia.org/wiki/Initial_access_broker
  14. Initial Access Brokers – Arctic Wolf, accessed April 22, 2025, https://arcticwolf.com/resources/glossary/what-are-initial-access-brokers/
  15. Initial Access Brokers How They’re Changing Cybercrime – CIS Center for Internet Security, accessed April 22, 2025, https://www.cisecurity.org/insights/blog/initial-access-brokers-how-theyre-changing-cybercrime
  16. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed April 22, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
  17. Hacktivists Target Critical Infrastructure, Move Into Ransomware – Cyble, accessed April 22, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
  18. Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed April 22, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
  19. Hacktivist Groups: The Shadowy Links to Nation-State Agendas – Trellix, accessed April 22, 2025, https://www.trellix.com/blogs/research/hacktivist-groups-the-shadowy-links-to-nation-state-agendas/
  20. Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed April 22, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
  21. The rising tide: A 2024 retrospective of hacktivism – Silobreaker, accessed April 22, 2025, https://www.silobreaker.com/blog/hacktivism-ransomware-and-geopolitics-2024-in-review/
  22. #StopRansomware: Rhysida Ransomware – CISA, accessed April 22, 2025, https://www.cisa.gov/sites/default/files/2023-11/aa23-319a-stopransomware-rhysida-ransomware_1.pdf
  23. FBI, CISA, MS-ISAC release cybersecurity advisory on emerging Rhysida ransomware targeting critical sectors – Industrial Cyber, accessed April 22, 2025, https://industrialcyber.co/cisa/fbi-cisa-ms-isac-release-cybersecurity-advisory-on-emerging-rhysida-ransomware-targeting-critical-sectors/
  24. Ransomware Spotlight: Rhysida – Trend Micro (US), accessed April 22, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida
  25. CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware, accessed April 22, 2025, https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware
  26. Beware the Rhysida Ransomware Group Threatening Healthcare – The HIPAA E-Tool, accessed April 22, 2025, https://thehipaaetool.com/beware-the-rhysida-ransomware-group-threat/
  27. RALord Ransomware Group: Threat Profile & Attack Tactics – Cyble, accessed April 22, 2025, https://cyble.com/threat-actor-profiles/ralord-ransomware-group/
  28. ARaaStocracy – RALord ransomware emerges with new DLS – CYJAX, accessed April 22, 2025, https://www.cyjax.com/resources/blog/araastocracy-ralord-ransomware-emerges-with-new-dls/
  29. RALord Ransomware, accessed April 22, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/ralord-ransomware
  30. Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now – SonicWall, accessed April 22, 2025, https://www.sonicwall.com/blog/nova-raas-the-ransomware-that-spares-schools-and-nonprofits-for-now
  31. Anonymous (hacker group) – Wikipedia, accessed April 22, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  32. Killnet – Forescout, accessed April 22, 2025, https://www.forescout.com/resources/analysis-of-killnet-report/
  33. Killnet: Analysis of Attacks from a Prominent Pro-Russian Hacktivist Group – Forescout, accessed April 22, 2025, https://www.forescout.com/blog/killnet-analysis-of-attacks-from-a-prominent-pro-russian-hacktivist-group/
  34. Modern Approach to Attributing Hacktivist Groups – Check Point Research, accessed April 22, 2025, https://research.checkpoint.com/2025/modern-approach-to-attributing-hacktivist-groups/
  35. Pro-Russian Hacktivist Group Claims 6600 Attacks Targeting Europe, accessed April 22, 2025, https://www.infosecurity-magazine.com/news/pro-russian-hacktivist-attacks/
  36. Europe’s 2022 Energy Sector: The Cyber Threats Landscape – Citalid, accessed April 22, 2025, https://citalid.com/resources/europes-2022-energy-sector-the-cyber-threats-landscape/
  37. Cyber Threat Overview: Armed Conflict in Ukraine – INFINITY, accessed April 22, 2025, https://h2020-infinity.eu/sites/default/files/2023-08/INFINITY%20-%20Cyber%20Threat%20Overview%20Armed%20Conflict%20in%20Ukraine.pdf
  38. Hacking the Cosmos: Cyber Operations Against the Space Sector, A Case Study from the War in Ukraine (Cyberdefense Report) – ETH Zürich, accessed April 22, 2025, https://ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/cyber-reports-2024-10-hacking-the-cosmos.pdf
  39. Anonymous Claims To Avert Possible Terrorist Attack On Italy – Hackread, accessed April 22, 2025, https://hackread.com/anonymous-claims-to-avert-terrorist-attack-on-italy/
  40. Russian-Ukraine Conflict: Cybersecurity analysis – Blog – Menlo Security, accessed April 22, 2025, https://www.menlosecurity.com/blog/the-russia-ukraine-conflict-cybersecurity-updates-and-analysis
  41. Our Investigation of the Oracle Cloud Data Leak [Flash Report] – CybelAngel, accessed April 22, 2025, https://cybelangel.com/oracle-data-leak-breaking-news/
  42. Threat actor in Oracle Cloud breach may have gained access to production environments, accessed April 22, 2025, https://www.cybersecuritydive.com/news/oracle-cloud-breach-production-environments/743720/
  43. Check Point Software confirms security incident but pushes back on threat actor claims, accessed April 22, 2025, https://www.cybersecuritydive.com/news/check-point-software-security-incident/744198/
  44. 31st March – Threat Intelligence Report – Check Point Research, accessed April 22, 2025, https://research.checkpoint.com/2025/31st-march-threat-intelligence-report/
  45. Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization – CISA, accessed April 22, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a