I. Executive Summary & Key Observations (April 23, 2025)
- Overview: This report details significant cybersecurity incidents observed and reported on April 23, 2025. The threat landscape was characterized by a high volume of activity spanning ransomware campaigns, hacktivist operations (including defacements, alerts, and vulnerability exploitations), data breaches, and the illicit sale of compromised access and data. A diverse range of threat actors, from established Ransomware-as-a-Service (RaaS) groups to politically motivated hacktivist collectives and individual sellers on underground forums, were active across multiple geographic regions and industry sectors.
- Key Trends Observed:
- Pervasive Ransomware Operations: Multiple established RaaS groups, including Hunters International, Qilin, DragonForce, and Medusa, alongside a potentially new entity named CRYPTO24, claimed responsibility for attacks against organizations in various sectors such as E-commerce, Oil & Gas, Business Development, Furniture, Packaging, Food & Beverages, and IT Services. Victims were located in Spain, Qatar, Singapore, Austria, Luxembourg, and the USA. This activity underscores the persistent and global threat posed by ransomware operators who leverage affiliate-based models and routinely employ multi-extortion tactics, involving both data encryption and the threat of public data exposure [1].
- Surge in Hacktivist Activity: Significant operations were claimed by hacktivist groups such as SYLHET GANG-SG, Lulzsec Arabs, Laneh Dark, Arab Ghosts Hackers, R00TK1T ISC CYBER TEAM, Anonymous Operations Vendetta, and Anonymous Italia. Their targets spanned India, the UK, Saudi Arabia, Uganda, Australia, Israel, the USA, China, Georgia, and Russia. The motivations appear primarily political or ideological, frequently linked to ongoing geopolitical tensions [11]. Observed tactics included website defacement, exploitation of web vulnerabilities like Cross-Site Scripting (XSS), and public announcements signaling intent for future attacks. Collaboration between groups, such as the coalition announced by Arab Ghosts Hackers, was also noted.
- Data Compromise and Illicit Sales: Incidents involving the confirmed or alleged breach of sensitive data (Dropmatix Sistema SL, VFS Global) were reported, alongside explicit offers for sale of compromised assets on underground forums (corporate credentials by TheLibertyCity, SSH access by credits). Platforms like xss.is, leakbase.io, and exploit.in continue to serve as critical marketplaces within the cybercrime economy, facilitating the trade of stolen information and initial access credentials [17].
- Exploitation of Web Vulnerabilities: Active exploitation of common web application vulnerabilities, specifically Reflected Cross-Site Scripting (XSS), was claimed by Anonymous Operations Vendetta against multiple targets [23]. It is also highly probable that ransomware groups leveraged unpatched vulnerabilities in public-facing systems as part of their initial access strategies in several of the reported incidents [6].
- Interconnected Threat Ecosystem: The events of April 23, 2025, illustrate a deeply interconnected cyber threat ecosystem. Vulnerabilities are identified and exploited [23], leading to data breaches. This stolen data, along with compromised access credentials, is then monetized through sales on underground forums [17]. Initial Access Brokers (IABs) facilitate these sales, providing entry points that are subsequently leveraged by ransomware affiliates for deploying their payloads [8]. Concurrently, hacktivist groups react to geopolitical events, conducting disruptive attacks like defacements or DDoS [11]. Each stage feeds into the next, creating a continuous cycle of compromise and attack.
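The reflected-XSS claims summarized above (and the two reflected-XSS entries for Georgian sites listed in the incident table) all come down to one defect: a request parameter echoed into the HTML response as markup. The following Python is an added illustration, not code from this report or from any organization named in it; the page-rendering functions, the `q` parameter and the probe string are constructed for the example. It shows the vulnerable pattern beside the output-encoded form, plus a regression check a developer can run against a template to confirm input no longer survives as live markup.

```python
import html
from urllib.parse import parse_qs

# Constructed probe string used only to demonstrate the defect (not from the report).
CONSTRUCTED_PROBE = "<script>alert(1)</script>"


def _search_term(query_string: str) -> str:
    """Pull the hypothetical 'q' parameter out of a URL query string."""
    return parse_qs(query_string).get("q", [""])[0]


def render_search_vulnerable(query_string: str) -> str:
    """The defect behind a reflected-XSS finding: the request parameter is
    concatenated straight into the HTML response, so any markup carried in
    the link is rendered by the victim's browser."""
    return f"<h1>Results for {_search_term(query_string)}</h1>"


def render_search_hardened(query_string: str) -> str:
    """Same page, with the reflected value HTML-entity encoded for element
    content. quote=True also encodes quote characters, so the same helper
    is safe to reuse for values placed inside quoted attributes."""
    safe_term = html.escape(_search_term(query_string), quote=True)
    return f"<h1>Results for {safe_term}</h1>"


def reflects_raw_markup(renderer, probe: str = CONSTRUCTED_PROBE) -> bool:
    """Regression check for a renderer: True if the probe reaches the response
    unchanged, i.e. the page still reflects input as markup."""
    return probe in renderer(f"q={probe}")


if __name__ == "__main__":
    for fn in (render_search_vulnerable, render_search_hardened):
        print(f"{fn.__name__}: reflects raw markup = {reflects_raw_markup(fn)}")
```

The check is deliberately conservative: it only proves that this one renderer encodes for element content. Values written into JavaScript blocks, URLs or unquoted attributes need context-specific encoding, and a Content-Security-Policy header is the usual second layer if encoding is missed somewhere.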
Summary of Reported Incidents (April 23, 2025)
| Incident Title | Victim Organization | Victim Country | Threat Actor(s) | Incident Category | Date Reported |
|---|---|---|---|---|---|
| Alleged Database leak of Dropmatix Sistema SL | dropmatix sistema sl | Spain | 108111118101 | Data Breach | 2025-04-23T14:11:58Z |
| Alleged sale of unauthorized SSH access to unidentified Oil company in Qatar | Unidentified Oil Company | Qatar | credits | Initial Access | 2025-04-23T13:20:50Z |
| SYLHET GANG-SG targets the website of Rohit Sinha | rohit sinha | India | SYLHET GANG-SG | Defacement | 2025-04-23T12:48:00Z |
| Lulzsec Arabs claims to target Britain | UK | UK | Lulzsec Arabs | Alert | 2025-04-23T12:39:56Z |
| Laneh Dark claims to target the company in saudi arabia | Unidentified Company | Saudi Arabia | Laneh Dark | Alert | 2025-04-23T12:39:48Z |
| Arab Ghost Hackers claims to target 4 banks in Uganda, Australia, Israel and America | Unidentified Banks | Uganda, AU, IL, US | Arab Ghosts Hackers (et al.) | Alert | 2025-04-23T12:06:53Z |
| N8XT PTE. LTD. falls victim to CRYPTO24 Ransomware | n8xt pte. ltd. | Singapore | CRYPTO24 | Ransomware | 2025-04-23T11:40:42Z |
| Mafi Naturholzboden falls victim to HUNTERS INTERNATIONAL Ransomware | mafi naturholzboden gmbh | Austria | HUNTERS INTERNATIONAL | Ransomware | 2025-04-23T08:45:13Z |
| R00TK1T ISC CYBER TEAM claims to target the website of ByteDance and Tiktok | bytedance | China | R00TK1T ISC CYBER TEAM | Alert | 2025-04-23T08:00:43Z |
| UNITED CAPS falls victim to Qilin Ransomware | united caps | Luxembourg | Qilin | Ransomware | 2025-04-23T07:58:25Z |
| RRS Foodservice falls victim to DragonForce Ransomware | rrs foodservice | USA | DragonForce | Ransomware | 2025-04-23T05:26:04Z |
| Phelps United falls victim to MEDUSA Ransomware | phelps united | USA | MEDUSA | Ransomware | 2025-04-23T05:17:04Z |
| Alleged reflected-XSS vulnerability in the website of Travel Desk Georgia | travel desk georgia | Georgia | Anonymous Operations Vendetta | Vulnerability | 2025-04-23T03:11:12Z |
| Alleged Data Breach of VFS Global | vfs global | UAE | Machine1337 | Data Breach | 2025-04-23T02:20:43Z |
| Alleged reflected-XSS vulnerability in the website of RENTALS Ltd | rentals ltd | Georgia | Anonymous Operations Vendetta | Vulnerability | 2025-04-23T01:50:20Z |
| Alleged sale of 12k Full private corporate mail access credentials | Multiple Unspecified | USA & Europe | TheLibertyCity | Data Leak / Sale | 2025-04-23T01:26:04Z |
| Anonymous Italia targets the website of Praim Group | praim group | Russia | Anonymous Italia | Defacement | 2025-04-23T01:04:42Z |
| Anonymous Italia targets the website of London School | london school | Russia | Anonymous Italia | Defacement | 2025-04-23T00:26:51Z |
II. Detailed Incident Analysis
A. Incident: Alleged Database leak of Dropmatix Sistema SL
- 1. Incident Overview:
- Summary: A threat actor identified by the user handle “108111118101” posted a claim on the xss.is forum regarding the leakage of a database belonging to Dropmatix Sistema SL, an E-commerce software provider based in Spain. The actor alleges the compromised dataset contains sensitive information, including 46,000 lines related to orders and 36,000 lines of customer details. Specific data types mentioned include Order ID, Invoice Number, Customer Name, Company Name, VAT number, Tax number, Email, Street, Postal Code, City, Country, Date, Net amount, Tax Rate, Total Tax, Currency, Total Amount, Payment Method, Status, and Payment date. The data was reportedly available in CSV format.
- Category: Data Breach
- Date Reported: 2025-04-23T14:11:58Z
- Victim: Dropmatix Sistema SL (dropmatix sistema sl), located in Spain, operating in the E-commerce & Online Stores sector. Affected site identified as app.dropmatix.com.
- 2. Threat Actor Profile: 108111118101
- Background & Affiliations: The identifier “108111118101” appears to be a username specific to the xss.is forum. This platform, formerly known as DaMaGeLaB, is a long-standing Russian-language forum recognized as a hub for cybercriminal activities, including the trading of stolen data, malware, and exploits [17]. There is no readily available information linking this specific user ID to a known, named threat group. The actor’s presence and activity on xss.is indicate involvement in the underground economy focused on data compromise and illicit sales.
- Motivations & Objectives: The primary motivation is assessed to be financial gain [31]. By offering the allegedly stolen Dropmatix database for sale or public leak on a known cybercrime forum, the actor seeks to profit from the compromised information. The detailed listing of sensitive data types (PII, financial details, order specifics) is designed to attract buyers interested in exploiting this information for fraud, identity theft, or further targeted attacks.
- Known TTPs: The actor demonstrates capabilities in data exfiltration and utilizes cybercrime forums for data disclosure and potential sale. The initial vector used to breach Dropmatix Sistema SL is not specified in the available information. However, common methods for achieving such breaches include exploiting vulnerabilities in web applications (such as SQL injection or Cross-Site Scripting [23]), compromising credentials through phishing or malware, or exploiting misconfigured cloud storage or databases.
- Contextual Analysis: This incident exemplifies a common data breach pattern where sensitive customer and business data is stolen and subsequently offered within cybercriminal communities. The exposure of comprehensive PII and detailed order information, including payment methods and financial amounts, presents substantial risks. Affected customers are vulnerable to targeted phishing campaigns, identity theft, and financial fraud. For Dropmatix Sistema SL, the breach carries significant reputational damage, potential regulatory penalties (e.g., under GDPR), and loss of customer trust [34]. The publication on xss.is ensures the data reaches a broad audience of malicious actors, magnifying the potential harm [17]. The act of publishing stolen data on such forums transforms a contained security incident into a widely available resource for other cybercriminals, significantly amplifying the potential damage beyond the initial breach itself. This marketplace effect connects the initial compromise to a multitude of potential follow-on attacks by unrelated actors who acquire the data.
- 3. Supporting Evidence & References:
- Published URL: https://xss.is/threads/136592/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/cb4b72a9-f858-4b69-b72b-13054fd17754.PNG
B. Incident: Alleged sale of unauthorized SSH access to unidentified Oil company in Qatar
- 1. Incident Overview:
- Summary: A threat actor using the handle “credits” posted an offer on the LeakBase.io forum, claiming to sell unauthorized Secure Shell (SSH) access to an unidentified company operating within the Oil & Gas sector in Qatar. No specific details about the victim organization or its website were provided.
- Category: Initial Access
- Date Reported: 2025-04-23T13:20:50Z
- Victim: An unidentified company in Qatar, operating within the Oil & Gas industry.
- 2. Threat Actor Profile: credits
- Background & Affiliations: The actor “credits” is active on LeakBase.io, a forum that emerged in 2023, reportedly as a successor or alternative to the seized BreachForums, specializing in data leaks and related cybercrime offerings [17]. Some sources suggest a possible link between the alias “LeakBase” (associated with the forum’s moderation or prominent users) and other aliases like “Chucky” and “Sqlrip,” known for large-scale database leaks, including significant breaches targeting Indian entities like the Swachhta platform [18]. LeakBase.io itself has experienced security incidents, including the exposure of its user database on rival forums [19]. The actor “credits” operates within this ecosystem of data trading and access brokerage.
- Motivations & Objectives: The primary motivation appears to be financial gain derived from selling valuable initial access [22]. SSH access provides deep system-level control, making it a highly sought-after commodity, especially when the target is within a critical infrastructure sector like Oil & Gas. This activity aligns with the role of an Initial Access Broker (IAB), who specializes in compromising networks and selling that access to other threat actors (e.g., ransomware groups, espionage actors) [8].
- Known TTPs: The actor demonstrates the capability to compromise systems and obtain persistent remote access (SSH). Common methods for achieving this include exploiting vulnerabilities in internet-facing services, brute-forcing weak credentials, credential theft via phishing or infostealer malware, or exploiting misconfigurations. The threat actor persona “LeakBase” (potentially linked to “credits”) has been associated with custom brute-forcing techniques and leveraging credentials compromised by stealer logs [18]. The core TTP is offering this access for sale on specialized cybercrime forums [17].
- Contextual Analysis: This incident represents the sale of potentially high-impact initial access, a crucial element fueling the cybercrime supply chain [22]. Gaining SSH access to an Oil & Gas company network could enable various malicious activities by the buyer, including industrial espionage, disruption of operations (potentially impacting Operational Technology – OT systems), deployment of destructive malware, or ransomware attacks aimed at commanding high ransoms due to the critical nature of the sector [36]. The anonymity of the victim makes targeted defense difficult for companies in the region. The LeakBase.io forum acts as the marketplace connecting the IAB (“credits”) with potential buyers seeking such access [17]. The sale of access specifically into an Oil & Gas entity highlights the critical role IABs play in facilitating attacks against vital infrastructure. By overcoming the initial intrusion hurdle, IABs enable more sophisticated actors, such as ransomware groups or state-sponsored entities focused on espionage or sabotage, to directly target sensitive industrial environments [8].
- 3. Supporting Evidence & References:
- Published URL: https://leakbase.io/threads/ssh-access.37899/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/3cfc7942-9a89-4d8b-883b-2ae2f05bd2db.png
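The Known TTPs item for this incident names brute-forcing of weak credentials and reuse of stealer-log credentials as common routes to the kind of SSH access being offered. Both leave a recognisable trace in the SSH daemon's authentication log, so a detection over those lines is the natural defensive counterpart. The following Python is an added example, not part of this report and not any vendor's detection content: it parses constructed OpenSSH auth-log lines (RFC 5737 documentation addresses, invented hostnames and usernames) and raises one alert per source address whose failed logins cluster within a short window, recording whether a password-based login from the same address then succeeded, which is the case an analyst would escalate first. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in OpenSSH/syslog format (not real telemetry).
# 203.0.113.7 sprays several accounts and then logs in as root with a password;
# 198.51.100.20 is a user who mistyped once and then authenticated with a key.
SAMPLE_AUTH_LOG = """\
Apr 23 13:01:02 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Apr 23 13:01:05 bastion sshd[2233]: Failed password for root from 203.0.113.7 port 51130 ssh2
Apr 23 13:01:09 bastion sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51141 ssh2
Apr 23 13:01:12 bastion sshd[2237]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Apr 23 13:01:15 bastion sshd[2239]: Failed password for root from 203.0.113.7 port 51162 ssh2
Apr 23 13:01:20 bastion sshd[2241]: Accepted password for root from 203.0.113.7 port 51170 ssh2
Apr 23 13:05:44 bastion sshd[2301]: Failed password for alice from 198.51.100.20 port 40210 ssh2
Apr 23 13:05:50 bastion sshd[2303]: Accepted publickey for alice from 198.51.100.20 port 40212 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text: str):
    """Yield (timestamp, result, method, user, ip) for each authentication line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (disconnects, banners) is ignored
        # syslog timestamps carry no year; deltas within one log are still correct
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 120):
    """One alert per source IP whose failures reach `threshold` inside a sliding
    `window_seconds` window. If a password login from that IP later succeeds,
    the alert records the account, which is the compromised-credential case."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps inside the window
    alerts = {}
    for ts, result, method, user, ip in sorted(parse_events(log_text)):
        if result == "Failed":
            window = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent_failures[ip] = window
            if len(window) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "first_seen": window[0], "success_user": None}
                )
                alert["failures"] = max(alert["failures"], len(window))
        elif result == "Accepted" and method == "password" and ip in alerts:
            alerts[ip]["success_user"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Key-based logins are deliberately not treated as "success after burst": a valid key presented from an address that also failed a few password attempts is far more likely to be a user than a broker, and password authentication being reachable from the internet at all is the misconfiguration this detection is really pointing at.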
C. Incident: SYLHET GANG-SG targets the website of Rohit Sinha
- 1. Incident Overview:
- Summary: The hacktivist group SYLHET GANG-SG claimed responsibility for defacing the website rohitsinhainc.in, associated with Rohit Sinha, an individual or entity operating within the Individual & Family Services sector in India. The claim was made via their Telegram channel.
- Category: Defacement
- Date Reported: 2025-04-23T12:48:00Z
- Victim: Rohit Sinha (rohit sinha), located in India, associated with the Individual & Family Services industry. Affected site: rohitsinhainc.in.
- 2. Threat Actor Profile: SYLHET GANG-SG
- Background & Affiliations: SYLHET GANG-SG is recognized as a politically motivated hacktivist group [11]. Their operational history includes targeting critical infrastructure, European Union institutions (including the EU Parliament and Central European University), and entities in Western countries like the UK (personal website of PM Sunak) and Cyprus (police) [11]. The group has publicly declared allegiance to the KillNet 2.0 hacker collective, known for its pro-Russian stance and focus on attacking nations perceived as adversaries, particularly allies of Israel [11]. They are frequently cited among active DDoS hacktivist groups, particularly in campaigns related to Middle Eastern geopolitical conflicts and targeting entities in the UAE and Saudi Arabia [12].
- Motivations & Objectives: The group’s actions are driven primarily by hacktivism, stemming from political or ideological beliefs [11]. Their campaigns often aim to make political statements, disrupt services of perceived adversaries, and gain notoriety for their cause [11]. While the specific reason for targeting Rohit Sinha’s website is not detailed, it likely falls within a broader campaign related to their ideological stance, potentially targeting Indian entities due to perceived political alignments or actions.
- Known TTPs: Website defacement, as demonstrated in this incident, is a known tactic used by the group to deliver messages visually. Distributed Denial of Service (DDoS) attacks are a primary tool in their arsenal, used extensively in their campaigns against various targets [11]. They utilize platforms like Telegram to announce their activities and claim responsibility.
- Contextual Analysis: This defacement is a typical hacktivist operation aimed at gaining visibility and conveying a message through website compromise. While the direct impact might be limited to temporary service disruption and reputational harm for the victim, it signifies the group’s continued activity and targeting patterns. Their documented history includes targeting Indian organizations, often as part of broader geopolitical campaigns [12]. Although hacktivist groups frequently target large governmental or corporate entities, this incident demonstrates their willingness to also attack smaller websites belonging to individuals or smaller organizations. Such targets might be chosen opportunistically due to vulnerabilities, or symbolically if the individual or entity is perceived to represent a viewpoint or affiliation the group opposes.
- 3. Supporting Evidence & References:
- Published URL: https://t.me/SylhetGangSG1/6257
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/492392e3-1d32-4ed2-9225-a45f9f7797d7.png
D. Incident: Lulzsec Arabs claims to target Britain
- 1. Incident Overview:
- Summary: The group identifying itself as “Lulzsec Arabs” posted an alert on their Telegram channel, declaring their intention to launch cyberattacks against targets within the United Kingdom. The announcement did not specify the nature of the intended attacks or identify particular victims.
- Category: Alert
- Date Reported: 2025-04-23T12:39:56Z
- Victim: (Nation State) United Kingdom.
- 2. Threat Actor Profile: Lulzsec Arabs
- Background & Affiliations: This group likely draws inspiration from, or positions itself as a regional successor to, the original LulzSec collective that gained notoriety in 2011 [40]. The original LulzSec was known for high-profile, often disruptive hacks motivated by a desire to expose security flaws, embarrass targets, and champion causes like “internet freedom,” often framed with a sense of anarchic humor (“lulz”) [40]. Modern groups adopting the LulzSec moniker, such as the related “LulzSec Muslims,” frequently exhibit strong political and ideological motivations, particularly aligning with pro-Palestinian causes and expressing anti-Western or anti-Israel sentiments [13]. Lulzsec Arabs is known to collaborate with other hacktivist entities, as evidenced by their partnership with Arab Ghosts Hackers mentioned in Incident F of this report.
- Motivations & Objectives: The primary driver is assessed to be hacktivism, likely fueled by political opposition to the UK’s foreign policies, its alliances (particularly concerning Middle Eastern conflicts or perceived support for Israel), or broader anti-Western sentiment [13]. While the original LulzSec sometimes claimed motivation was simply disruption for “lulz” or notoriety [40], contemporary groups using the name often have clearer, albeit sometimes shifting, political agendas [13]. Some associated groups may also blend political motives with financial ones, such as offering DDoS-for-hire services [13].
- Known TTPs: Based on the activities of the original LulzSec and affiliated modern groups, likely TTPs include Distributed Denial of Service (DDoS) attacks aimed at disrupting websites, website defacements to convey messages, and potentially data breaches followed by leaks to embarrass targets or expose sensitive information [14]. Communication and coordination often occur via platforms like Telegram.
- Contextual Analysis: This alert serves as a declaration of intent, signaling potential upcoming cyber operations against UK-based targets. Considering the group’s probable motivations and the common tactics employed by LulzSec-affiliated entities, potential attacks could range from nuisance-level DDoS disruptions against government or corporate websites to more damaging data leaks or defacements designed to make political statements [14]. This aligns with the broader trend of hacktivist groups targeting nations based on geopolitical alignments and events [13]. Such public announcements, even lacking specific targets, function as a form of psychological warfare. They create uncertainty, force organizations within the target nation (the UK) to elevate their defensive posture, and expend resources on heightened monitoring and preparedness, thereby achieving a disruptive effect even before any technical attack succeeds [41].
- 3. Supporting Evidence & References:
- Published URL: https://t.me/LulzsecArabs/21
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/71a27eaa-506f-4efa-96c8-71a347e078be.png
E. Incident: Laneh Dark claims to target the company in saudi arabia
- 1. Incident Overview:
- Summary: A Telegram post attributed to a group or individual named “Laneh Dark” indicated that they are targeting an unspecified company located in Saudi Arabia. The alert lacked details regarding the specific target, the nature of the intended attack, or the group’s motivations.
- Category: Alert
- Date Reported: 2025-04-23T12:39:48Z
- Victim: An unidentified company in Saudi Arabia.
- 2. Threat Actor Profile: Laneh Dark
- Background & Affiliations: Specific information regarding the “Laneh Dark” group or persona was not found in the analyzed intelligence sources. It is likely a lesser-known or newly emerged hacktivist entity or individual actor utilizing Telegram for communication. General classifications of threat actors suggest motivations could range from financial gain to political activism, espionage, or personal vendettas [42]. The use of Telegram is common among hacktivist and cybercriminal groups for announcements and coordination.
- Motivations & Objectives: The motivations behind targeting a company in Saudi Arabia remain unknown due to the lack of information about Laneh Dark. Potential drivers could include political opposition to Saudi Arabia or its policies, activism related to specific industries within the country, ideological conflict, or simply opportunistic targeting of a vulnerable entity for disruption or potential financial gain. Hacktivist activity targeting Middle Eastern countries is a well-documented phenomenon [12].
- Known TTPs: Without specific information on Laneh Dark, their TTPs are unknown. Common methods employed by similar groups announcing attacks via Telegram include DDoS attacks, website defacements, vulnerability exploitation, and data leakage. The speed at which threat actors can move from planning and reconnaissance to active exploitation can be very rapid, sometimes occurring within minutes of identifying a target or vulnerability [45].
- Contextual Analysis: Similar to the alert from Lulzsec Arabs targeting the UK, this announcement signals potential hostile cyber activity directed towards an entity in Saudi Arabia. The lack of specific details regarding the target or attack method makes proactive defense challenging for individual companies, necessitating a state of heightened general vigilance across the region’s business community. This incident contributes to the pattern of hacktivist groups leveraging platforms like Telegram to declare campaigns against nations or entities in the Middle East [12]. The ambiguity inherent in such vague threats serves to multiply their impact. By not naming a specific company, the alert creates widespread uncertainty, compelling a large number of organizations within Saudi Arabia to consider themselves potential targets and allocate resources towards enhanced security monitoring and defense, thus achieving a level of disruption and imposing costs even without a confirmed successful compromise [45].
- 3. Supporting Evidence & References:
- Published URL: https://t.me/Laneh_dark/134
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/781216e9-3fca-4658-ae92-86e68f5aae59.png
F. Incident: Arab Ghost Hackers claims to target 4 banks in Uganda, Australia, Israel and America
- 1. Incident Overview:
- Summary: The group “Arab Ghosts Hackers” announced via Telegram their intention to target four banks located in Uganda, Australia, Israel, and the United States. The announcement indicated collaboration with other hacktivist groups, namely Vortex, KeymousTeam, and LulzSec Arabs. Specific banking institutions were not identified.
- Category: Alert
- Date Reported: 2025-04-23T12:06:53Z
- Victim: Unidentified banking institutions in Uganda, Australia, Israel, and the USA, operating within the Banking & Mortgage sector.
- 2. Threat Actor Profile: Arab Ghosts Hackers
- Background & Affiliations: This entity appears to be a hacktivist group, likely with a focus on Middle Eastern geopolitical issues and perceived adversaries. Their collaboration with LulzSec Arabs (profiled in Incident D) and other named groups (Vortex, KeymousTeam) points towards a coalition structure or coordinated campaign, a common feature in hacktivist operations [15]. While direct links are unconfirmed, their name and targeting patterns might align ideologically with known Middle Eastern groups like Molerats/Gaza Cybergang [49] or potentially draw inspiration from state-influenced operations, such as those attributed to Iran which target Israel, the US, and regional adversaries [48]. The use of “Ghost” in their name is likely unrelated to the financially motivated “Ghost Ransomware” group linked to China [52].
- Motivations & Objectives: The primary motivation is assessed as political and ideological hacktivism [16]. Targeting banks in Israel and the USA is consistent with common anti-Western and anti-Israel agendas prevalent among hacktivist groups operating in relation to Middle Eastern conflicts [13]. The inclusion of Uganda and Australia could be symbolic, perhaps related to perceived political stances or alliances, or represent opportunistic targeting alongside the primary objectives. The overarching goal is likely disruption of financial services, spreading propaganda, damaging reputations, or potentially attempting data theft for public exposure [16].
- Known TTPs: Expected tactics include DDoS attacks aimed at disrupting online banking services, website defacements to display political messages, and potentially attempts at data breaches or credential harvesting campaigns against the targeted banks or their customers. The explicit mention of collaboration suggests the potential for coordinated, multi-pronged attacks leveraging the combined resources and skills of the participating groups. Communication and claims are made via Telegram.
- Contextual Analysis: This alert signals a potentially significant, coordinated, multi-national campaign targeting the financial sector. Attacks against banks, even if limited to DDoS or defacement, can cause considerable disruption, financial loss, and erosion of customer confidence. The targeting of Israel and the US aligns with established hacktivist patterns [13], while the inclusion of Uganda and Australia indicates a broad, global scope. This incident highlights the increasing trend of collaboration among hacktivist groups. Such coalitions act as force multipliers, enabling potentially larger-scale, more simultaneous, or technically more complex operations than a single group might be capable of mounting alone. Sharing resources, target lists, or specialized expertise within the coalition enhances their collective operational capability and presents a more significant challenge to defenders across the multiple targeted nations.
- 3. Supporting Evidence & References:
- Published URL: https://t.me/ArabGhostsHackers/28
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/33f62164-beca-43d1-8ac4-b907a8087294.png
G. Incident: N8XT PTE. LTD. falls victim to CRYPTO24 Ransomware
- 1. Incident Overview:
- Summary: A ransomware group identifying itself as “CRYPTO24” claimed responsibility for an attack against N8XT PTE. LTD., a firm specializing in Business and Economic Development based in Singapore. The group alleges it exfiltrated 3 terabytes (TB) of data from the organization and has likely encrypted its systems. The claim was posted on a dedicated site hosted on the Tor network.
- Category: Ransomware
- Date Reported: 2025-04-23T11:40:42Z
- Victim: N8XT PTE. LTD. (n8xt pte. ltd.), located in Singapore, operating in the Business and Economic Development sector. Affected site: n8xt.net.
- 2. Threat Actor Profile: CRYPTO24
- Background & Affiliations: Specific intelligence regarding the “CRYPTO24” ransomware group is not available in the analyzed sources. This could indicate a newly emerged group, a rebrand of a previous operation, or a private group not yet widely tracked by security researchers. The name strongly implies a focus on cryptocurrency for ransom payments, which is the standard practice for virtually all modern ransomware operations [55]. The group maintains a presence on the Tor network, hosting a leak site to publish victim information and pressure targets.
- Motivations & Objectives: The primary motivation is undoubtedly financial gain through extortion [31]. The claim of having exfiltrated a substantial volume of data (3 TB) strongly suggests the use of a double extortion strategy. This involves not only encrypting the victim’s data to render it unusable but also threatening to publicly release the stolen data if the ransom demand is not met [1].
- Known TTPs: Based on the incident report, the group’s TTPs include data exfiltration prior to encryption, deployment of ransomware to encrypt victim systems, and operating a Tor-based leak site for victim shaming and communication. Common initial access vectors for ransomware groups include exploiting vulnerabilities in public-facing applications [53], executing phishing campaigns to steal credentials [55], compromising remote access services (like RDP or VPN), or purchasing access from Initial Access Brokers [57]. The specific methods used by CRYPTO24 in this case are unknown.
- Contextual Analysis: This incident represents a typical ransomware attack employing the prevalent double extortion model [1]. The claimed exfiltration volume of 3 TB is exceptionally large and, if accurate, signifies a deep and extensive compromise of the victim’s network. For a firm in the Business and Economic Development sector, such data could encompass highly sensitive client information, proprietary business strategies, financial records, intellectual property, and internal communications. The threat to leak this volume of data exerts immense pressure on the victim to pay the ransom [57]. The use of a Tor site for publishing claims and potentially hosting leaked data is standard operational procedure for ransomware groups, providing anonymity and resilience against takedown efforts [6]. The tactic of claiming an extremely large volume of exfiltrated data, such as 3 TB, serves as a potent psychological lever in the extortion process. Whether entirely accurate or potentially exaggerated, such a claim is designed to maximize the perceived risk and potential damage from a public leak in the victim’s mind, thereby strengthening the ransomware group’s negotiating position and increasing the perceived urgency to pay the ransom.
- 3. Supporting Evidence & References:
- Published URL: http://j5o5y2feotmhvr7cbcp2j2ewayv5mn5zenl3joqwx67gtfchhezjznad.onion/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/448537f7-78c9-4ee2-b463-6d9bc096bbf5.png
H. Incident: Mafi Naturholzboden falls victim to HUNTERS INTERNATIONAL Ransomware
- 1. Incident Overview:
- Summary: The Hunters International ransomware group added Mafi Naturholzboden GmbH, an Austrian company specializing in natural wood flooring (Furniture sector), to its list of victims on its Tor-based data leak site. The group claims to have obtained 66.7 GB of the organization’s data, specifying that this includes 112,530 files related to 60 employees.
- Category: Ransomware
- Date Reported: 2025-04-23T08:45:13Z
- Victim: Mafi Naturholzboden GmbH (mafi naturholzboden gmbh), located in Austria, operating in the Furniture industry. Affected site: mafi.com.
- 2. Threat Actor Profile: HUNTERS INTERNATIONAL
- Background & Affiliations: Hunters International emerged in the latter half of 2023 and quickly gained attention due to code similarities with the Hive ransomware, a major RaaS operation dismantled by law enforcement earlier that year. Hunters International representatives claimed they purchased Hive’s source code and infrastructure components.2 The group operates a RaaS program, recruiting affiliates to conduct attacks. While there were reports suggesting a potential rebranding or split (mentioning “World Leaks”) in late 2024, Hunters International has remained active into 2025.60 Their operational model heavily emphasizes data exfiltration as a core component of their double extortion strategy.2
- Motivations & Objectives: The group’s primary motivation is financial gain through the extortion of ransom payments from victims.3 They exhibit an opportunistic targeting strategy, attacking organizations across a wide range of industries and geographical locations, including healthcare, education, finance, and manufacturing.2
- Known TTPs: Hunters International affiliates typically gain initial access through social engineering, phishing campaigns designed to deliver malicious payloads, or by exploiting vulnerabilities in Remote Desktop Protocol (RDP).2 Once inside, they escalate privileges, sometimes impersonating legitimate tools or processes, and move laterally within the network.2 Defense evasion techniques include using seemingly legitimate methods and potentially impairing security software.2 Data exfiltration is a key focus, potentially involving SQL database dumps or uploads to cloud storage, followed by the deployment of their Rust-based ransomware for encryption.2 They utilize OSINT and may engage in direct victim contact (calls, emails) to pressure payment.3 Specific observed techniques map to MITRE ATT&CK TIDs including T1106 (Native API), T1129 (Shared Modules), T1547 (Boot or Logon Autostart Execution), T1027 (Obfuscated Files or Information), T1562 (Impair Defenses), T1083 (File and Directory Discovery), T1082 (System Information Discovery), T1057 (Process Discovery), T1071 (Application Layer Protocol), and T1486 (Data Encrypted for Impact).2 Tools like xp_cmdshell, WinRAR, vssadmin, wmic, and bcdedit have been observed in their attacks for execution and disabling recovery options.4
- Contextual Analysis: This attack on Mafi Naturholzboden aligns precisely with the known modus operandi of Hunters International. The targeting of a European manufacturing-related company, the emphasis on data exfiltration with specific metrics provided (66.7 GB, 112,530 files, 60 employees), and the publication on their Tor leak site are all characteristic elements.2 The specificity in the data claim serves a dual purpose: it quantifies the breach for the attackers and, more importantly, acts as credible proof of compromise to the victim. By providing details that only the attackers would likely know (exact file/employee counts), they aim to convince the victim that the threat of data leakage is real and imminent, thereby increasing the pressure to negotiate and pay the ransom. The exfiltrated data likely contains sensitive employee PII, potentially exposing Mafi to regulatory issues, alongside potentially valuable company operational or financial data. The group’s use of code derived from Hive suggests access to relatively sophisticated ransomware capabilities.2
- 3. Supporting Evidence & References:
- Published URL: https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/companies/1886774064
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/f3f4ad01-f6a9-460a-8636-3c0d27642d94.png
- https://d34iuop8pidsy8.cloudfront.net/574a6dae-6e4a-46e2-836c-115151e1ff85.png
I. Incident: R00TK1T ISC CYBER TEAM claims to target the website of ByteDance and TikTok
- 1. Incident Overview:
- Summary: The hacktivist group calling itself “R00TK1T ISC CYBER TEAM” posted a message on their Telegram channel claiming to have targeted the operations of ByteDance and its widely used platform, TikTok. The group alleges responsibility for causing widespread account lockouts, unjust suspensions, and general platform instability. Furthermore, they threatened to expose sensitive data through a purported new feature within the TikTok application itself.
- Category: Alert
- Date Reported: 2025-04-23T08:00:43Z
- Victim: ByteDance (bytedance), headquartered in China, operating in the Software Development sector. Affected site: bytedance.com. The claim explicitly includes the TikTok platform.
- 2. Threat Actor Profile: R00TK1T ISC CYBER TEAM
- Background & Affiliations: R00TK1T ISC CYBER TEAM is a known hacktivist group that has previously claimed responsibility for attacks against various high-profile corporations (including L’Oréal, Qatar Airways, Sodexo, Nestlé, Maxis) and government entities (in Malaysia, India, Lebanon).62 The name “R00TK1T” suggests a potential focus on or use of rootkits, a type of malware designed for stealthy, persistent access, although this is not confirmed.63 The group actively uses Telegram to announce targets, make claims, and issue threats.
- Motivations & Objectives: The group’s motivations appear rooted in hacktivism, often aiming for disruption, generating chaos, and potentially achieving political objectives or simply gaining notoriety.62 Their targeting rationale can be diverse, ranging from anti-corporate actions to involvement in geopolitical conflicts (e.g., claiming attacks on Lebanon allegedly on behalf of Israeli interests).63 Targeting a major global entity like ByteDance/TikTok could be driven by anti-China sentiment, protests against the platform’s content policies or data handling practices, or the desire to impact a highly visible target for maximum public attention.42
- Known TTPs: The group’s claimed TTPs include data breaches and exfiltration, gaining system access, causing operational disruptions (as alleged against TikTok), issuing public threats, and potentially utilizing rootkits for stealth.62 They may exploit software vulnerabilities or leverage disgruntled insiders to gain access.63 Communication and dissemination of claims primarily occur via Telegram.
- Contextual Analysis: This alert represents a significant claim against one of the world’s largest social media platforms and its parent company. While the allegations of causing widespread instability and account lockouts require independent verification, they represent a direct attack on the platform’s core functionality and user experience. The threat to expose sensitive data via a new in-app feature is an unusual and potentially complex tactic, possibly intended more for psychological impact or extortion than as a technically feasible plan. R00TK1T’s documented history of targeting prominent organizations lends some credibility to their claims, although exaggeration is common among hacktivist groups seeking attention.63 This incident highlights the vulnerability of large digital platforms to disruption campaigns aimed at undermining operational integrity and user trust. Such attacks aim to damage the platform’s reputation for reliability and security, impacting user engagement and business value, which represents a strategic objective for hacktivists seeking to inflict harm beyond simple data theft or website defacement.
- 3. Supporting Evidence & References:
- Published URL: https://t.me/R00TK1TOFF/830
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/4cf271f1-4ca0-4cf7-95c3-ba89148ec02a.png
J. Incident: UNITED CAPS falls victim to Qilin Ransomware
- 1. Incident Overview:
- Summary: The Qilin ransomware group claimed responsibility for an attack against UNITED CAPS, a company specializing in packaging and containers, headquartered in Luxembourg. The group asserted that they obtained organizational data and provided sample screenshots as proof of compromise on their Tor-based data leak site.
- Category: Ransomware
- Date Reported: 2025-04-23T07:58:25Z
- Victim: UNITED CAPS (united caps), located in Luxembourg, operating in the Packaging & Containers industry. Affected site: unitedcaps.com.
- 2. Threat Actor Profile: Qilin
- Background & Affiliations: Qilin, also known by the name Agenda, is a Ransomware-as-a-Service (RaaS) operation active since at least August 2022.5 The group is believed to have Russian origins and actively recruits affiliates through underground forums, typically excluding targets within the Commonwealth of Independent States (CIS).6 Qilin gained significant notoriety for high-impact attacks, such as the one against Synnovis which disrupted NHS hospital services in London, often demanding multi-million dollar ransoms.27 They consistently employ a double extortion model, threatening to leak exfiltrated data if ransom demands are not met.5
- Motivations & Objectives: The primary motivation driving Qilin and its affiliates is financial gain.5 They adopt an opportunistic targeting strategy, hitting organizations across a diverse range of sectors (including healthcare, manufacturing, education, energy, finance, and legal services) and geographic locations worldwide.5 While the group made unusual claims of political motivation following the Synnovis attack, their overall operational history strongly indicates that financial profit is the dominant objective.64
- Known TTPs: Qilin affiliates utilize various methods for initial access, including spear-phishing campaigns, exploiting vulnerabilities in public-facing applications (e.g., Veeam CVE-2023-27532, Fortinet SSL VPN flaws), leveraging Remote Monitoring and Management (RMM) tools, and deploying Cobalt Strike beacons.5 Their ransomware payload, available in both Go and Rust versions, is highly customizable by affiliates and targets Windows systems, with Linux variants specifically designed for VMware ESXi environments also identified.6 Post-compromise activities include privilege escalation and defense evasion using techniques like process injection, leveraging valid (stolen/purchased) accounts, modifying the registry, and altering Group Policy settings.5 They operate a dedicated data leak site (DLS) on the Tor network to publish victim names, stolen data samples, and facilitate ransom negotiations.6 Key TTPs map to MITRE ATT&CK TIDs such as T1133 (External Remote Services), T1190 (Exploit Public-Facing Application), T1566 (Phishing), T1053.005 (Scheduled Task/Job), T1059 (Command and Scripting Interpreter), T1055 (Process Injection), T1078 (Valid Accounts), T1112 (Modify Registry), and T1484.001 (Group Policy Modification).5
- Contextual Analysis: The attack against UNITED CAPS is a characteristic operation for the Qilin RaaS group, aligning with their established model.5 Targeting a company in the manufacturing supply chain (Packaging & Containers) fits within their known victimology profile.5 Providing sample screenshots on their DLS is a standard procedure for Qilin affiliates to substantiate their claims of compromise and initiate the extortion process by pressuring the victim into negotiation.5 This incident further demonstrates the ongoing threat Qilin poses to industrial and manufacturing organizations across Europe. Because Qilin operates as a RaaS platform, the specific intrusion vector and post-compromise actions taken within UNITED CAPS’ network were likely determined and executed by the specific affiliate responsible for this attack. While the core ransomware payload and the extortion infrastructure (leak site, negotiation channels) are provided and managed by the Qilin operators, the initial access methods and lateral movement techniques can vary significantly depending on the skills and preferences of the individual affiliate involved.5 This distributed nature underscores the challenge in defending against RaaS threats, as defenders must anticipate a wide range of potential attack paths.
- 3. Supporting Evidence & References:
- Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=c338556f-2941-37ae-a617-e2f3c07ccd81
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/192eb6ab-1d2a-447f-90d1-31bbdbd9d93c.png
K. Incident: RRS Foodservice falls victim to DragonForce Ransomware
- 1. Incident Overview:
- Summary: The DragonForce ransomware group claimed an attack against RRS Foodservice, a company operating in the Food & Beverages sector within the United States. The group alleges it exfiltrated 25.94 GB of data and posted the claim on its Tor-based blog/leak site.
- Category: Ransomware
- Date Reported: 2025-04-23T05:26:04Z
- Victim: RRS Foodservice (rrs foodservice), located in the USA, operating in the Food & Beverages industry. Affected site: rrsfoodservice.com.
- 2. Threat Actor Profile: DragonForce
- Background & Affiliations: DragonForce represents an interesting evolution in the threat landscape, having originated as a Malaysian hacktivist collective with pro-Palestinian political motivations before transitioning into a financially driven RaaS operation.7 Their ransomware is reported to be based on leaked builders, notably from LockBit (specifically a 2022 version) and potentially incorporating elements from Conti variants.7 The group actively recruits affiliates, offering high commission rates (up to 80%) and providing significant technical support, including tools for data management, call services for victim pressure, and hash decryption assistance.8
- Motivations & Objectives: While initially driven by political activism 65, DragonForce’s current operations are primarily motivated by financial gain achieved through ransomware extortion.7 However, their hacktivist roots may still occasionally influence target selection or operational tactics.65 They target a diverse range of industries globally, including manufacturing, real estate, transportation, and now food services.7
- Known TTPs: DragonForce employs a standard double extortion strategy, utilizing a Tor-based leak site that often features countdown timers for data publication.7 Initial access is typically gained through phishing emails or by exploiting vulnerabilities in remote access solutions like RDP and VPNs.8 Their TTPs include delivering malicious files, deleting or modifying files to hinder recovery, discovering sensitive files and directories, encrypting data for impact, and leaking stolen data.65 They are known to use the “Bring Your Own Vulnerable Driver” (BYOVD) technique for defense evasion (disabling security tools) and leverage legitimate file transfer tools like SFTP and MEGA clients for data exfiltration, making detection challenging.8 They also utilize cloud-based extortion methods 66 and communicate with affiliates and victims via channels like TOR-based instant messaging (TOX) and potentially underground forums like RAMP for recruitment.8 The group has demonstrated unconventional and aggressive negotiation tactics, such as publishing audio recordings of calls with victims.8
- Contextual Analysis: The attack on RRS Foodservice aligns with DragonForce’s current profile as a financially motivated RaaS group targeting diverse industries in various geographic locations.7 The targeting of a US company in the Food & Beverages sector fits this pattern.59 The claimed data exfiltration volume (25.94 GB) and the use of their Tor leak site are standard components of their double extortion methodology.7 The group’s notable evolution from a politically focused hacktivist collective to a sophisticated RaaS provider highlights a significant trend where ideologically driven actors adopt financially motivated cybercrime models, potentially bringing unique perspectives or more aggressive tactics to the ransomware landscape.7 This hybrid origin might manifest in more aggressive public shaming tactics or a willingness to target specific entities that align with residual political biases, even within financially driven campaigns.8
- 3. Supporting Evidence & References:
- Published URL: http://z3wqggtxft7id3ibr7srivv5gjof5fwg76slewnzwwakjuf3nlhukdid.onion/blog
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/ec5d2b28-e2c5-4a2f-b1b4-7d28a37826b6.png
L. Incident: Phelps United falls victim to MEDUSA Ransomware
- 1. Incident Overview:
- Summary: The Medusa ransomware group claimed an attack against Phelps United, an Information Technology (IT) Services provider based in the United States. The group alleges it has obtained organizational data, providing sample screenshots as evidence on its Tor-based data leak site. Medusa stated its intention to publish the exfiltrated data within 8 to 9 days if its ransom demands are not met.
- Category: Ransomware
- Date Reported: 2025-04-23T05:17:04Z
- Victim: Phelps United (phelps united), located in the USA, operating in the Information Technology (IT) Services industry. Affected site: phelpsunited.com.
- 2. Threat Actor Profile: MEDUSA
- Background & Affiliations: Medusa is a RaaS operation active since June 2021.9 Initially operating as a closed group, it transitioned to an affiliate-based model, although core developers reportedly retain control over negotiations.9 The group is suspected of having Russian origins or ties, based on activity on Russian-language forums and use of specific slang.30 Medusa employs double and potentially triple extortion tactics (re-extorting victims after payment).9 Security researchers have linked the organized cybercrime group known as Frozen Spider to Medusa’s operations.30 The group actively recruits affiliates and utilizes Initial Access Brokers (IABs) to gain entry into target networks.9
- Motivations & Objectives: Medusa’s primary motivation is financial gain through ransom payments.9 They target a wide array of organizations globally, with a notable focus on critical infrastructure sectors including healthcare, education, manufacturing, legal, insurance, and technology.9
- Known TTPs: Medusa affiliates gain initial access through various means, heavily relying on IABs who provide access obtained via phishing or credential stuffing.30 They also directly exploit unpatched vulnerabilities in public-facing applications, such as ConnectWise ScreenConnect (CVE-2024-1709), Fortinet EMS (CVE-2023-48788), and Microsoft Exchange (ProxyShell flaws).9 Post-compromise, they utilize Living-off-the-Land (LOTL) techniques, employing built-in Windows tools like PowerShell, WMI, cmd.exe, and certutil for enumeration, lateral movement, and file transfer.9 They leverage legitimate remote access tools (e.g., AnyDesk, ConnectWise, Splashtop, PDQ Deploy) often already present in the victim environment, alongside RDP and PsExec.10 Network scanning tools like Advanced IP Scanner and SoftPerfect Network Scanner are used for discovery.9 Defense evasion techniques include script obfuscation (e.g., base64 encoding, string manipulation in PowerShell), using vulnerable drivers (BYOVD) to disable EDR solutions, deleting command history, and rebooting systems into Safe Mode.9 Extortion is managed via their Tor leak site, which features victim names, countdown timers, and options for victims to pay ($10,000 USD in crypto) to extend the publication deadline by 24 hours.10 They may also use public internet channels (Telegram, X/Twitter under the “OSINT Without Borders” brand) for additional pressure.30
- Contextual Analysis: The attack on Phelps United is a textbook Medusa operation. Targeting a US-based IT Services company aligns with their known victimology, as IT providers can be lucrative targets due to the sensitive data they hold and potential access to their clients’ networks.9 The use of double extortion, providing proof-of-compromise via screenshots, setting a specific deadline (8-9 days), and leveraging their Tor portal are all standard elements of Medusa’s playbook.9 Medusa’s strategy of setting short, specific deadlines, coupled with the option to purchase extensions, represents a calculated psychological pressure tactic. This structure forces victims into rapid decision-making under duress and allows Medusa to monetize the extortion process further by extracting smaller payments even if the full ransom is ultimately not paid, demonstrating a sophisticated approach to maximizing financial returns.10 The group’s reliance on IABs and their documented exploitation of recent critical vulnerabilities like the ScreenConnect flaw make them a persistent and adaptive threat.9
- 3. Supporting Evidence & References:
- Published URL: http://xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onion/detail?id=c1a1ca290725d754131e6e7a4a373fe0
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/745294dd-6f3d-4cd5-b6d3-210d36b9dae7.png
- https://d34iuop8pidsy8.cloudfront.net/83166da9-de24-46c1-9f5d-6a7cdf198b85.png
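The recovery-tampering and living-off-the-land commands attributed above to Hunters International (vssadmin, wmic, bcdedit, xp_cmdshell) and to Medusa (encoded PowerShell, Safe Mode reboots) are the kind of activity endpoint process-creation telemetry can surface. The detection logic below is an added example, not code from the report or any vendor: the event format, hostnames and log lines are constructed, and the decoded PowerShell sample exists only to exercise the decoder.

```python
"""Process-creation detections for the recovery-tampering and LOTL commands
described in the Hunters International and Medusa profiles. Added example;
the event shape, hostnames and lines are constructed, not real telemetry."""
import base64
import re

# Encoded-command switch in its common spellings (-e, -en, -enc, -EncodedCommand).
ENC_ARG = re.compile(r"(?:^|\s)-e(?:n(?:c(?:odedcommand)?)?)?\s+([A-Za-z0-9+/=]{8,})", re.I)

# (rule name, ATT&CK technique, pattern); applied to the command line and to any decoded payload.
RULES = [
    ("shadow_copy_deletion", "T1490", re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject)\b", re.I)),
    ("recovery_disabled", "T1490", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("safe_mode_reboot", "T1562.009", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
]


def encode_powershell(command: str) -> str:
    """Base64 of the UTF-16LE text, the form -EncodedCommand expects (used here
    only to build the constructed sample event)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries an encoded
    command, or None when there is none or the data is not valid base64/UTF-16."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed payload for the encoded event: the WMI form of shadow-copy deletion
# that the first rule looks for once the command line has been decoded.
_ENCODED = encode_powershell("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }")

# Constructed events: "<utc time>|<host>|<parent image>|<image>|<command line>".
SAMPLE_EVENTS = [
    "2025-04-23T08:41:02Z|WS01|cmd.exe|vssadmin.exe|vssadmin delete shadows /all /quiet",
    "2025-04-23T08:41:05Z|WS01|cmd.exe|wmic.exe|wmic shadowcopy delete",
    "2025-04-23T08:41:09Z|WS01|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "2025-04-23T08:41:10Z|WS01|cmd.exe|bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2025-04-23T08:42:30Z|SRV02|sqlservr.exe|cmd.exe|cmd.exe /c whoami",
    "2025-04-23T08:43:00Z|SRV02|cmd.exe|powershell.exe|powershell.exe -nop -w hidden -EncodedCommand " + _ENCODED,
    "2025-04-23T08:44:00Z|SRV02|cmd.exe|bcdedit.exe|bcdedit /set {current} safeboot network",
    "2025-04-23T09:00:00Z|WS07|explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
    "2025-04-23T09:05:00Z|WS07|explorer.exe|vssadmin.exe|vssadmin list shadows",
]


def _finding(ts, host, rule, technique, evidence):
    return {"time": ts, "host": host, "rule": rule, "technique": technique, "evidence": evidence}


def detect(events):
    """Run every rule over each event; returns one finding per rule match."""
    findings = []
    for line in events:
        ts, host, parent, image, cmdline = line.split("|", 4)
        texts = [cmdline]
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            # Encoded PowerShell is itself worth a finding; the decoded script is
            # then inspected by the same rules as any plain command line.
            findings.append(_finding(ts, host, "encoded_powershell", "T1059.001", decoded.strip()))
            texts.append(decoded)
        for text in texts:
            for rule, technique, pattern in RULES:
                if pattern.search(text):
                    findings.append(_finding(ts, host, rule, technique, text.strip()))
        # A shell spawned by SQL Server is the process-tree shape xp_cmdshell produces.
        if parent.lower() == "sqlservr.exe" and image.lower() in ("cmd.exe", "powershell.exe"):
            findings.append(_finding(ts, host, "sqlserver_spawned_shell", "T1059", cmdline))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['rule']} ({f['technique']}): {f['evidence']}")
```

Note that `vssadmin list shadows` on the last event produces nothing: the rules key on the deletion verbs, since listing shadow copies is routine administration.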
M. Incident: Alleged reflected-XSS vulnerability in the website of Travel Desk Georgia
- 1. Incident Overview:
- Summary: The hacktivist group “Anonymous Operations Vendetta” claimed via Telegram to have identified and exploited a reflected Cross-Site Scripting (XSS) vulnerability on traveldesk.ge, the website for Travel Desk Georgia, an entity in the Leisure & Travel sector.
- Category: Vulnerability
- Date Reported: 2025-04-23T03:11:12Z
- Victim: Travel Desk Georgia (travel desk georgia), located in Georgia, operating in the Leisure & Travel industry. Affected site: traveldesk.ge.
- 2. Threat Actor Profile: Anonymous Operations Vendetta
- Background & Affiliations: This group operates under the well-known Anonymous hacktivist banner.15 Anonymous is not a centralized organization but a decentralized, international movement of digital activists who conduct cyberattacks typically motivated by political or social causes, often protesting censorship, government actions, or corporate practices.15 The “Vendetta” moniker, referencing the V for Vendetta graphic novel and film whose Guy Fawkes mask became an Anonymous symbol, suggests a retaliatory or justice-seeking theme to their operations.15
- Motivations & Objectives: The core motivation is hacktivism.15 The specific reason for targeting a Georgian travel website is unclear from the available information. It could be opportunistic exploitation – finding and publicizing a vulnerability to demonstrate technical capability or embarrass the organization. Alternatively, it might be part of a larger, politically motivated campaign targeting Georgian entities for reasons related to regional politics or specific grievances held by the group. Anonymous actions often align with causes such as free speech, human rights, or opposition to perceived injustices.15
- Known TTPs: Historically, the broader Anonymous movement heavily relied on Distributed Denial of Service (DDoS) attacks to disrupt websites and data leaks (often obtained through hacking) to expose sensitive information or embarrass targets.15 Website defacement is also a common tactic.15 This incident, along with Incident O, demonstrates their use of specific web vulnerability exploitation techniques, namely XSS. Communication and claims are frequently disseminated via social media and platforms like Telegram.
- Contextual Analysis: This incident involves the claimed exploitation of a Reflected XSS vulnerability, a common type of client-side code injection flaw.23 In a reflected XSS attack, malicious script is typically embedded within a URL or form submission. When a user clicks the malicious link or submits the form, the vulnerable website reflects the script back to the user’s browser, which then executes it within the context of the trusted site.23 This can enable attackers to steal session cookies, hijack user sessions, capture credentials entered into forms, deface parts of the website visible to the user, or redirect users to malicious sites.23 While Anonymous Operations Vendetta frames this as identifying a vulnerability, hacktivist groups often weaponize such findings for disruptive purposes or as a prelude to further attacks. The targeting of a Leisure & Travel company in Georgia is somewhat atypical compared to Anonymous’s more common focus on government or large corporate targets, suggesting potentially opportunistic exploitation based on vulnerability discovery. Claiming the discovery and exploitation of such a vulnerability serves multiple purposes for a hacktivist group: it demonstrates technical prowess (however basic the flaw), publicly embarrasses the victim organization for inadequate security practices 34, and can function as a public warning or statement aligned with the group’s agenda.16
- 3. Supporting Evidence & References:
- Published URL: https://t.me/AnonOpsVendettaMafia/3707
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/a94c15c9-8cbc-448c-986b-9328d17fd44e.png
N. Incident: Alleged Data Breach of VFS Global
- 1. Incident Overview:
- Summary: A threat actor using the handle “Machine1337” posted on the xss.is forum, offering for sale data allegedly stolen from VFS Global. VFS Global is a major international company specializing in visa processing and government relations services, with headquarters in the UAE.
- Category: Data Breach
- Date Reported: 2025-04-23T02:20:43Z
- Victim: VFS Global (vfs global), headquartered in the UAE, operating in the Government Relations sector. Affected site: vfsglobal.com.
- 2. Threat Actor Profile: Machine1337
- Background & Affiliations: “Machine1337” appears to be a username on the xss.is cybercrime forum.17 The suffix “1337” is derived from leetspeak, often used within hacker communities to signify “elite” status. No specific affiliation with a known threat group is identified from this handle alone. The actor’s activity involves selling data allegedly obtained through a breach.
- Motivations & Objectives: The primary motivation is assessed as financial gain through the sale of compromised data.31 Targeting VFS Global indicates an understanding of the potential value of the data handled by such an organization, which likely includes sensitive personal information related to visa applicants.
- Known TTPs: The actor demonstrates capabilities in data exfiltration and utilizes cybercrime forums (xss.is) as a marketplace to sell stolen data. The specific methods used to breach VFS Global are unknown but could involve various techniques such as exploiting web application vulnerabilities (e.g., XSS 23, SQL injection), compromising employee credentials via phishing, exploiting unpatched system vulnerabilities, or potentially leveraging insider access.
- Contextual Analysis: A data breach affecting VFS Global carries potentially severe consequences due to the highly sensitive nature of the information the company processes on behalf of numerous governments worldwide. This data typically includes extensive Personally Identifiable Information (PII), passport details, biometric data identifiers, travel itineraries, financial information, and other personal details submitted during visa applications. The sale of such data on a platform like xss.is creates significant risks for the affected individuals, including identity theft, sophisticated financial fraud, targeted phishing or social engineering attacks, and potential misuse by state-sponsored actors for intelligence gathering or targeting individuals based on their travel or nationality. This incident highlights the attractiveness of visa processing services and similar data aggregators as targets for cybercriminals. Compromising organizations like VFS Global, which centralize vast amounts of sensitive data from large populations, offers a high return on investment for attackers compared to breaching smaller, individual entities. A single successful breach yields a rich dataset valuable for various illicit purposes.19
- 3. Supporting Evidence & References:
- Published URL: https://xss.is/threads/136573/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/5727ae71-8d70-4299-92a0-c5b1ab4db02c.png
O. Incident: Alleged reflected-XSS vulnerability in the website of RENTALS Ltd
- 1. Incident Overview:
- Summary: The hacktivist group “Anonymous Operations Vendetta” claimed a second reflected XSS vulnerability exploitation within hours of the first (Incident M), this time targeting rentals.ge, a website belonging to RENTALS Ltd, a Real Estate company in Georgia. In this claim, the group added that they achieved “full DOM takeover through remote JavaScript injection.”
- Category: Vulnerability
- Date Reported: 2025-04-23T01:50:20Z
- Victim: RENTALS Ltd (rentals ltd), located in Georgia, operating in the Real Estate industry. Affected site: rentals.ge.
- 2. Threat Actor Profile: Anonymous Operations Vendetta
- Background & Affiliations: This is the same Anonymous-affiliated hacktivist group identified in Incident M.15 They operate as part of the decentralized Anonymous movement.
- Motivations & Objectives: Hacktivism remains the primary motivation.15 Targeting another Georgian website, this time in the Real Estate sector, reinforces the possibility of either an opportunistic campaign focused on exploiting easily found vulnerabilities in the region or a specific anti-Georgia agenda. The claim of achieving “full DOM takeover” suggests an intent to portray a more significant impact or control compared to the previous claim, possibly aiming for greater notoriety or to amplify their message.
- Known TTPs: Consistent with Incident M and the broader Anonymous collective: DDoS, data leaks, defacement, and web vulnerability exploitation (XSS).15 Communication occurs via Telegram.
- Contextual Analysis: This second claimed XSS exploitation targeting a Georgian website in quick succession strengthens the hypothesis of a focused campaign or vulnerability scanning effort by Anonymous Operations Vendetta in the region. The added assertion of achieving “full DOM takeover through remote JavaScript injection” elevates the claim beyond a simple reflected XSS. While reflected XSS typically involves script execution tied to a specific user interaction with a malicious link 23, achieving DOM takeover implies a more persistent or impactful manipulation of the webpage’s structure and content as rendered in the victim’s browser. This could potentially align more closely with DOM-based XSS, where vulnerabilities in client-side scripts allow attackers to modify the Document Object Model dynamically 23, or it could indicate a successful injection enabling substantial control over the client-side environment. Such control could facilitate actions like stealing user input from forms (e.g., login credentials, search queries), dynamically altering website content, or forcing malicious redirects.25 Whether the claim of “full DOM takeover” is accurate or an exaggeration for effect, it signifies an escalation in the group’s rhetoric regarding their impact on the targeted site.
- 3. Supporting Evidence & References:
- Published URL: https://t.me/AnonOpsVendettaMafia/3707 (Note: This is the same Telegram post URL cited for Incident M, indicating the claims were likely made consecutively or as part of the same update.)
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/46f03cf3-b600-4880-aa56-92c6da395595.png
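The reflected XSS mechanics described for Incidents M and O (a request parameter echoed into the page unescaped, so the browser runs attacker-supplied script in the trusted origin) are shown below in an added example that is not code from the report or from the affected sites: the unsafe reflection beside its escaped form, and a scan of constructed access-log lines for reflection attempts, including the double-encoded case.

```python
"""Reflected XSS: the unsafe pattern, the hardened form, and log-based detection.
Added example; the log lines, addresses and paths are constructed."""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit


def render_search_vulnerable(query: str) -> str:
    """Reflects the parameter into the page verbatim: the flaw the report describes."""
    return f"<h1>Results for {query}</h1>"


def render_search_hardened(query: str) -> str:
    """Escapes the untrusted value so the browser treats it as text, not markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


# Response headers that limit the blast radius if an escape is ever missed:
# no inline script may run under this policy.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

# Markup fragments that have no business in a search or referral parameter.
XSS_INDICATORS = re.compile(
    r"<\s*script\b|javascript\s*:|on(?:error|load|mouseover)\s*=|<\s*(?:img|svg|iframe)\b|document\.(?:cookie|domain)",
    re.I,
)

# Common-log-format line: ip ident user [time] "method target proto" status ...
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed access-log lines; addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [23/Apr/2025:01:40:11 +0000] "GET /search?q=hotels+tbilisi HTTP/1.1" 200 5123',
    '203.0.113.7 - - [23/Apr/2025:01:41:02 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5190',
    '198.51.100.4 - - [23/Apr/2025:01:42:30 +0000] "GET /listing?id=42&ref=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 8800',
    '198.51.100.4 - - [23/Apr/2025:01:43:15 +0000] "GET /listing?id=42 HTTP/1.1" 200 8700',
    '192.0.2.9 - - [23/Apr/2025:01:44:00 +0000] "GET /static/app.js HTTP/1.1" 200 33120',
    '192.0.2.9 - - [23/Apr/2025:01:45:20 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 5200',
]


def find_reflection_attempts(lines):
    """Return one record per query parameter whose value carries XSS markup.
    A 200 status on a reflecting endpoint is the case worth triaging first."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                # Check the once- and twice-decoded forms so double encoding does not slip past.
                if any(XSS_INDICATORS.search(v) for v in (value, unquote_plus(value))):
                    hits.append({"ip": m["ip"], "time": m["time"], "path": parts.path,
                                 "param": name, "value": value, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    print(render_search_hardened("<script>alert(1)</script>"))
    for h in find_reflection_attempts(SAMPLE_ACCESS_LOG):
        print(f"{h['time']} {h['ip']} {h['path']} {h['param']}={h['value']!r} ({h['status']})")
```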
P. Incident: Alleged sale of 12k Full private corporate mail access credentials
- 1. Incident Overview:
- Summary: A threat actor using the handle “TheLibertyCity” posted an offer on the exploit.in forum to sell a large collection of corporate email access credentials. The post content claims the dataset contains 12 million email and password combinations (mail:pass format), purportedly sourced from companies in the USA and Europe. The actor described the data as “private” (implying not widely circulated) and deduplicated. Note: The incident title mentions “12k,” while the content description specifies “12 million.” Given the context of large-scale data sales on such forums, the 12 million figure in the description is more likely representative of the intended offer, with “12k” in the title potentially being a typographical error.
- Category: Data Leak / Sale
- Date Reported: 2025-04-23T01:26:04Z
- Victim: Multiple unspecified corporations located in the USA and Europe.
- 2. Threat Actor Profile: TheLibertyCity
- Background & Affiliations: “TheLibertyCity” is identified as a user operating on the Exploit.in forum. Exploit.in is a well-established and prominent Russian-language dark web forum serving as a major marketplace for various cybercriminal tools, services, and data, including malware, zero-day exploits, stolen databases, and initial access credentials.22 Actors on this forum range from individual sellers to organized groups and Initial Access Brokers (IABs).22
- Motivations & Objectives: The motivation is clearly financial gain, achieved through the bulk sale of compromised corporate credentials.22 The scale of the offering (12 million credentials) suggests a significant operation aimed at maximizing profit from the collected data.
- Known TTPs: The actor is involved in either large-scale credential harvesting or the aggregation and resale of credentials obtained from various sources. Harvesting methods could include widespread phishing campaigns, deployment of infostealer malware, exploiting vulnerabilities in web applications or authentication systems, or purchasing/trading data from other breaches. The core TTP demonstrated here is offering large datasets of compromised credentials for sale on specialized underground forums.22
- Contextual Analysis: This incident represents a significant offering of compromised corporate credentials, a highly valuable commodity in the cybercrime underground. Access to valid corporate email accounts serves as a primary vector for numerous high-impact attacks, including Business Email Compromise (BEC) fraud, spear-phishing campaigns targeting colleagues or partners, deployment of malware and ransomware within corporate networks, corporate espionage, and lateral movement to access more sensitive systems. The sale of such a large volume of credentials on a major forum like Exploit.in makes this access readily available to a wide spectrum of malicious actors, from sophisticated groups to lower-skilled criminals.22 The claims of the data being “private” and “without duplicates” are common marketing tactics used on these forums to enhance the perceived quality and value of the offering. The availability of such large credential dumps acts as a crucial fuel source for the broader cybercrime ecosystem. These validated initial access points enable a multitude of downstream attacks, significantly lowering the barrier to entry for actors seeking to perpetrate BEC scams, deploy ransomware, or conduct espionage, as they can bypass the often difficult initial intrusion phase.9
- 3. Supporting Evidence & References:
- Published URL: https://forum.exploit.in/topic/257883/
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/8cb4898d-c0a4-4998-89ad-0bb0f28366df.png
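A triage routine for a mail:pass combolist of the kind advertised in this incident, added here as an example that is not part of the original report and has no connection to the actual forum post: it tests the seller’s own marketing claims (deduplicated, corporate rather than webmail) and extracts only the lines touching domains the reader defends, without retaining plaintext passwords. The sample lines, the acme-corp.example and partner.example domains and the function names are all constructed for illustration.

```javascript
// Added example, not code from the report or the forum post. Sample data is
// constructed; none of these are real credentials.
const SAMPLE_DUMP = [
  'alice@acme-corp.example:Summer2024!',
  'Alice@Acme-Corp.example:Summer2024!',   // same account, different case
  'bob@acme-corp.example:bob123',
  'carol@gmail.com:hunter2',               // webmail, not a corporate account
  'dave@partner.example:Welcome1',
  'malformed line without separator',
  'eve@acme-corp.example:p:ass:word',      // password that itself contains ':'
  '',
].join('\n');

const WEBMAIL = new Set(['gmail.com', 'yahoo.com', 'outlook.com', 'hotmail.com', 'mail.ru']);

// Split on the FIRST ':' only, because passwords may contain ':'.
// Returns null for lines that are not a usable email:password pair.
function parseLine(line) {
  const i = line.indexOf(':');
  if (i < 1) return null;
  const email = line.slice(0, i).trim().toLowerCase();
  const password = line.slice(i + 1);
  const at = email.indexOf('@');
  if (at < 1 || at === email.length - 1) return null;
  return { email, domain: email.slice(at + 1), password };
}

// Walk the dump once: count malformed and duplicate lines, tally domains,
// flag webmail accounts and collect hits for the watched domains.
function triageDump(text, watchDomains) {
  const watch = new Set([...watchDomains].map((d) => d.toLowerCase()));
  const seen = new Set();
  const result = { total: 0, malformed: 0, duplicates: 0, unique: 0,
                   webmail: 0, byDomain: {}, hits: [] };
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    result.total += 1;
    const rec = parseLine(line);
    if (!rec) { result.malformed += 1; continue; }
    const key = `${rec.email}:${rec.password}`;
    if (seen.has(key)) { result.duplicates += 1; continue; }
    seen.add(key);
    result.unique += 1;
    if (WEBMAIL.has(rec.domain)) result.webmail += 1;
    result.byDomain[rec.domain] = (result.byDomain[rec.domain] || 0) + 1;
    if (watch.has(rec.domain)) {
      // Keep only what incident response needs; never store the plaintext.
      result.hits.push({ email: rec.email, passwordLength: rec.password.length });
    }
  }
  return result;
}

// Stand-alone demonstration against the constructed sample.
console.log(JSON.stringify(triageDump(SAMPLE_DUMP, ['acme-corp.example']), null, 2));
```

The duplicate and webmail counters are the quick sanity check on a seller’s “private, no duplicates, corporate” pitch: a high duplicate ratio or a large share of consumer webmail domains marks a recycled combolist rather than fresh corporate access. Hits for watched domains should feed forced resets and a check for MFA gaps on those mailboxes, since a valid corporate mailbox is the entry point for the BEC and spear-phishing follow-ons described above.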
Q. Incident: Anonymous Italia targets the website of Praim Group
- 1. Incident Overview:
- Summary: The hacktivist group “Anonymous Italia” claimed responsibility via Telegram for defacing the website of Praim Group (praim-group.ru). Based on the domain, Praim Group appears to be a Russian entity operating in the Business Supplies & Equipment sector.
- Category: Defacement
- Date Reported: 2025-04-23T01:04:42Z
- Victim: Praim Group, identified as a Russian entity via the .ru domain, operating in the Business Supplies & Equipment industry. Affected site: praim-group.ru.
- 2. Threat Actor Profile: Anonymous Italia
- Background & Affiliations: Anonymous Italia identifies itself as an Italian contingent or cell operating under the umbrella of the global Anonymous hacktivist movement.15 Like the broader movement, it is decentralized and likely comprises individuals collaborating based on shared ideologies or objectives.
- Motivations & Objectives: The group’s actions are driven by hacktivism, almost certainly with political motivations.16 Targeting a Russian entity strongly suggests that the attack is related to geopolitical events, most likely the ongoing conflict in Ukraine. The global Anonymous collective has taken a strong stance against the Russian invasion, and actions by regional cells like Anonymous Italia often align with this broader position.15 The objective of the defacement is likely to disrupt the target’s online presence, spread anti-Russian propaganda or pro-Ukraine messages, and make a visible political statement.
- Known TTPs: Website defacement is the tactic employed in this incident. Consistent with the broader Anonymous movement, Anonymous Italia likely also utilizes Distributed Denial of Service (DDoS) attacks and potentially engages in data leakage campaigns.15 They use platforms like Telegram for communication, coordination, and claiming responsibility for attacks.
- Contextual Analysis: This defacement is a clear instance of politically motivated hacktivism directly linked to international conflict. Anonymous Italia is participating in the wider cyber campaign conducted by various Anonymous factions against Russian targets since the invasion of Ukraine.15 While website defacements typically have limited direct operational impact on the victim organization, they serve as a highly visible form of protest and contribute to the ongoing information warfare surrounding the conflict. The existence and activity of geographically named cells like “Anonymous Italia” illustrate how large, decentralized movements like Anonymous can effectively organize and execute actions. These regional groups allow for focused operations that reflect local perspectives while contributing to the overarching goals and campaigns of the global collective, leveraging the internationally recognized Anonymous brand.15
- 3. Supporting Evidence & References:
- Published URL: https://t.me/AnonSecIta_Ops_25_4/6?single
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/6a7ed3b3-ca75-43fa-8995-cf243c4b74c3.png
R. Incident: Anonymous Italia targets the website of London School
- 1. Incident Overview:
- Summary: Anonymous Italia claimed a second defacement via Telegram. Although listed second here, this claim was posted shortly before the Praim Group claim in the same channel (message 4 versus message 6, reported roughly 40 minutes earlier). The target was the website englishgel.ru, associated with an entity named “London School,” operating in the Education sector and, based on the domain, located in Russia.
- Category: Defacement
- Date Reported: 2025-04-23T00:26:51Z
- Victim: London School, identified as a Russian entity via the .ru domain, operating in the Education sector. Affected site: englishgel.ru.
- 2. Threat Actor Profile: Anonymous Italia
- Background & Affiliations: This is the same Anonymous-affiliated hacktivist group identified in Incident Q.15
- Motivations & Objectives: The motivation remains hacktivism driven by political opposition, likely related to the war in Ukraine.15 Targeting an educational institution within Russia, even one with a Western-associated name, fits the pattern of disrupting Russian entities as part of their ongoing campaign.
- Known TTPs: Primarily defacement in these reported incidents. Other likely capabilities include DDoS and potentially data leaks, consistent with Anonymous TTPs.15 Communication and claims are made via Telegram.
- Contextual Analysis: This second defacement by Anonymous Italia within a short timeframe reinforces their focus on conducting an anti-Russia cyber campaign. While targeting an English language school might seem less impactful than attacking government or critical infrastructure, hacktivist target selection is often broad and symbolic. Any entity associated with the opposed nation can become a target, regardless of its direct involvement in the conflict or its strategic importance. The goal is often disruption and visibility for their political message.16 This demonstrates how hacktivists may choose targets based on their association with an adversary nation or ideology, aiming for symbolic impact or simply attacking accessible targets within their defined scope, rather than focusing solely on targets with high strategic or economic value.
- 3. Supporting Evidence & References:
- Published URL: https://t.me/AnonSecIta_Ops_25_4/4
- Screenshots:
- https://d34iuop8pidsy8.cloudfront.net/f28245bd-948d-4ff5-bafd-a31d346c670a.png
III. Conclusions
The cybersecurity events reported on April 23, 2025, depict a dynamic and multifaceted threat landscape characterized by the persistent pressure of financially motivated ransomware operations and a concurrent surge in politically charged hacktivist activity.
Key conclusions drawn from the day’s incidents include:
- Ransomware Remains a Dominant and Evolving Threat: Established RaaS groups like Hunters International, Qilin, DragonForce, and Medusa continue to successfully compromise organizations across diverse sectors and geographies. Their reliance on affiliate models, double/triple extortion tactics, and exploitation of known vulnerabilities underscores the need for robust preventative measures (patching, access control) and comprehensive incident response and recovery plans. The potential emergence of new groups like CRYPTO24 and the observed reuse of code (Hunters/Hive, DragonForce/LockBit) suggest a lowering barrier to entry and continuous adaptation within the ransomware ecosystem.2
- Hacktivism is a Significant Disruptive Force Tied to Geopolitics: Hacktivist groups, often operating in coalitions and leveraging platforms like Telegram, actively engage in disruptive activities (defacement, DDoS, vulnerability exploitation, threats) aligned with real-world political conflicts and ideologies. Groups like SYLHET GANG-SG, Lulzsec Arabs, Anonymous Italia, and R00TK1T demonstrated activity linked to conflicts or political stances involving the Middle East, Russia/Ukraine, and major global powers. Their actions, while sometimes limited to symbolic defacements, can also involve targeting critical sectors or aiming to undermine platform integrity and user trust, demanding vigilance from potentially targeted nations and organizations.11
- The Underground Economy is a Critical Enabler: The illicit sale of compromised data (credentials, databases, PII) and initial access (SSH) on dedicated forums (xss.is, leakbase.io, exploit.in) is a foundational element of the threat landscape. Actors like 108111118101, credits, Machine1337, and TheLibertyCity fuel subsequent attacks by providing resources to other cybercriminals, including ransomware affiliates and BEC operators. Monitoring these platforms remains crucial for threat intelligence.17
- Exploitation of Known Weaknesses Persists: Threat actors continue to successfully exploit known vulnerabilities in public-facing applications and common web flaws like XSS. This highlights the critical importance of timely patch management, secure coding practices, and robust web application security measures.6 The use of living-off-the-land (LOTL) techniques, in which attackers abuse legitimate built-in tools rather than dropping custom malware, further emphasizes the need for behavioral detection capabilities alongside signature-based defenses.9
- Threat Actors Employ Psychological Tactics: Beyond technical exploitation, threat actors utilize psychological pressure. Ransomware groups use specific data claims, short deadlines, and multi-layered extortion to compel payment.3 Hacktivists use vague public threats and vulnerability disclosures to create uncertainty, incite fear, and maximize disruption even without successful technical compromise.34
In summary, the threat landscape observed on this day requires organizations to maintain a multi-layered defense strategy encompassing technical controls, threat intelligence monitoring, user awareness training, and robust incident response capabilities to address the diverse and interconnected threats posed by both financially motivated cybercriminals and ideologically driven hacktivists.
Works cited
- Ransomware Tactics By Threat Actors In 2024 – Cyble, accessed April 23, 2025, https://cyble.com/knowledge-hub/ransomware-tactics-adopted-by-threat-actors-in-2024/
- Is Your Organization Safe From Hunters International Ransomware? – Vectra AI, accessed April 23, 2025, https://www.vectra.ai/threat-actors/hunters
- The beginning of the end: the story of Hunters International | Group-IB Blog, accessed April 23, 2025, https://www.group-ib.com/blog/hunters-international-ransomware-group/
- Hunters International Ransomware: Tactics, Impact, and Defense Strategies – Picus Security, accessed April 23, 2025, https://www.picussecurity.com/resource/blog/hunters-international-ransomware
- Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 23, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
- qilin-threat-profile-tlpclear.pdf – HHS.gov, accessed April 23, 2025, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
- DragonForce Ransomware: Unveiling Its Tactics and Impact, accessed April 23, 2025, https://www.cyfox.com/blog-posts/dragonforce-ransomware-unveiling-its-tactics-and-impact
- DragonForce Ransomware Group is Targeting Saudi Arabia – Resecurity, accessed April 23, 2025, https://www.resecurity.com/blog/article/dragonforce-ransomware-group-is-targeting-saudi-arabia
- Medusa Ransomware Analysis, Simulation, and Mitigation – CISA Alert AA25-071A, accessed April 23, 2025, https://www.picussecurity.com/resource/blog/medusa-ransomware-cisa-alert-aa25-071a
- US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector – Industrial Cyber, accessed April 23, 2025, https://industrialcyber.co/cisa/us-exposes-medusa-ransomware-threat-as-over-300-organizations-targeted-across-critical-infrastructure-sector/
- SYLHET GANG-SG (Threat Actor) – Malpedia, accessed April 23, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/sylhet_gang-sg
- An Overview of Cyber Attacks in the Middle East 2024[Threat Note] – CybelAngel, accessed April 23, 2025, https://cybelangel.com/cyber-attacks-middle-east-2024/
- Cyber Risk Intelligence Update: Hacktivist Involvement in Israel-Hamas War Reflects Possible Shift in Threat Actor Focus – SecurityScorecard, accessed April 23, 2025, https://securityscorecard.com/research/hacktivist-involvement-in-israel-hamas-war-reflects-possible-shift-in-threat-actor-focus/
- LulzSec Muslims Resumes their Cyberattack on UAE and Bahrain – The Cyber Express, accessed April 23, 2025, https://thecyberexpress.com/lulzsec-muslims-cyberattack-on-uae-and-bahrain/amp/
- Anonymous | Definition, History, Purpose, Mask, & Facts | Britannica, accessed April 23, 2025, https://www.britannica.com/topic/Anonymous-hacking-group
- Knowing the threat actors behind a cyber attack – Packt, accessed April 23, 2025, https://www.packtpub.com/en-us/learning/how-to-tutorials/knowing-the-threat-actors-behind-a-cyber-attack/
- Top 10 Dark Web Forums Of 2025 And Deep Web Communities – Cyble, accessed April 23, 2025, https://cyble.com/knowledge-hub/top-10-dark-web-forums/
- Swachhta platform hacked by Threat Actor “LeakBase” – Cyble, accessed April 23, 2025, https://cyble.com/blog/swachhta-platform-hacked-by-threat-actor-leakbase/
- Cybercrime Current Events: Background Check Organization Breach, a Repossessed Ransomware Blog, Feuding Forums, and Double Arrest of “J.P. Morgan” – Flare | Cyber Threat Intel | Digital Risk Protection, accessed April 23, 2025, https://flare.io/learn/resources/blog/cybercrime-current-events-background-check-organization-breach-a-repossessed-ransomware-blog-feuding-forums-and-double-arrest-of-j-p-morgancybercrime-current-events/
- Crypto and NFT Threat Landscape Report – SOCRadar, accessed April 23, 2025, https://socradar.io/wp-content/uploads/2024/03/SOCRadar-Cryptocurrency-NFT-Threat-Landscape-Report.pdf
- Top 10 Dark Web Forums – ThreatMon, accessed April 23, 2025, https://threatmon.io/top-10-dark-web-forums/
- Exploit Forum, Initial Access Brokers, and Cybercrime on the Dark Web – Flare, accessed April 23, 2025, https://flare.io/learn/resources/blog/exploit-forum/
- What Is Cross-Site Scripting (XSS)? – Palo Alto Networks, accessed April 23, 2025, https://www.paloaltonetworks.co.uk/cyberpedia/xss-cross-site-scripting
- What Is Cross-Site Scripting (XSS)? Types, Risks & Prevention – eSecurity Planet, accessed April 23, 2025, https://www.esecurityplanet.com/networks/cross-site-scripting-xss/
- What is an XSS Attack. Understanding and Mitigating Cross-Site Scripting Attacks, accessed April 23, 2025, https://ccoe.dsci.in/blog/what-is-xss-attack
- The Dangers of Cross-Site Scripting: How to Secure Your Website – Pentest Wizard, accessed April 23, 2025, https://pentestwizard.com/the-dangers-of-cross-site-scripting/
- Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024 – Picus Security, accessed April 23, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
- #StopRansomware: Medusa Ransomware | CISA, accessed April 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- Breaking Down Medusa Ransomware – Armis, accessed April 23, 2025, https://www.armis.com/blog/breaking-down-medusa-ransomware/
- Medusa ransomware and its cybercrime ecosystem | Barracuda Networks Blog, accessed April 23, 2025, https://blog.barracuda.com/2025/02/25/medusa-ransomware-and-its-cybercrime-ecosystem
- Threat actor | Flashpoint, accessed April 23, 2025, https://flashpoint.io/intelligence-101/threat-actor/
- What is a Cross-Site Scripting Attack – Graylog, accessed April 23, 2025, https://graylog.org/post/what-is-a-cross-site-scripting-attack/
- Cross-Site Scripting (XSS) | What is XSS & How to Prevent It | Bugcrowd, accessed April 23, 2025, https://www.bugcrowd.com/glossary/cross-site-scripting-xss/
- What Is Cross-site Scripting (XSS)? – Feroot Security, accessed April 23, 2025, https://www.feroot.com/education-center/what-is-cross-site-scripting-xss/
- Cross-site Scripting (XSS) in codingms/additional-tca | CVE-2025-30083 | Snyk, accessed April 23, 2025, https://security.snyk.io/vuln/SNYK-PHP-CODINGMSADDITIONALTCA-9572897
- Resecurity warns of increased cyber threats to energy and nuclear facilities from hacktivists and nation-states, accessed April 23, 2025, https://industrialcyber.co/utilities-energy-power-water-waste/resecurity-warns-of-increased-cyber-threats-to-energy-and-nuclear-facilities-from-hacktivists-and-nation-states/
- Hacktivism Unveiled Q1 2025: How Hacktivists Zeroed In on the US – Radware, accessed April 23, 2025, https://www.radware.com/blog/threat-intelligence/hacktivism-unveiled-q1-2025/
- DDoS Threats – Latest Cyber Threat Intelligence Report, accessed April 23, 2025, https://www.netscout.com/threatreport/2h2023/ddos-threats/
- Top Middle East Cyber Threats – April 02, 2024 – Help AG, accessed April 23, 2025, https://www.helpag.com/top-middle-east-cyber-threats-april-02-2024/
- 10 Years Later, What Did LulzSec Mean for Cybersecurity? – Security Intelligence, accessed April 23, 2025, https://securityintelligence.com/articles/lulzsec-10-years-later-cybersecurity-influence-meaning/
- Holy League: A Unified Threat Against Western Nations, NATO, India and Israel – Radware, accessed April 23, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/holy-league-a-unified-threat-against-western-nations/
- Decoding Threat Actors: 5 Motives of Industrial Cyber Attack | OTORIO, accessed April 23, 2025, https://www.otorio.com/blog/5-cyber-attack-motives-your-industry-may-face/
- Know Your Enemy: Types of cybersecurity threat actors – Prey, accessed April 23, 2025, https://preyproject.com/blog/cybersecurity-threat-actors
- Top Threat Actors on the Dark Web | 2023 Recap – CybelAngel, accessed April 23, 2025, https://cybelangel.com/top-threat-actors-on-the-dark-web-recap/
- Cybersecurity In The Fast Lane | Why Speed Is Key In Incident Response & Mitigation, accessed April 23, 2025, https://www.sentinelone.com/blog/why-speed-is-key-in-incident-response-mitigation/
- What is a Threat Actor? Motivations, Targeting and Staying Ahead – Critical Start, accessed April 23, 2025, https://www.criticalstart.com/what-is-a-threat-actor-motivations-targeting-and-staying-ahead/
- The Psychology of Cyber Threats: Decoding Attacker Motives | LRQA, accessed April 23, 2025, https://www.lrqa.com/en/insights/articles/the-psychology-behind-cyber-threats-leveraging-cyber-threat-intelligence-to-decode-attacker-motivations/
- Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations – CISA, accessed April 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a
- Groups | MITRE ATT&CK®, accessed April 23, 2025, https://attack.mitre.org/groups
- Anonymous (hacker group) – Wikipedia, accessed April 23, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
- APT33 Targets Aerospace & Energy Sectors | Spear Phishing | Google Cloud Blog, accessed April 23, 2025, https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage
- CISA, FBI, MS-ISAC warn of Ghost ransomware exploiting outdated systems across critical infrastructure – Industrial Cyber, accessed April 23, 2025, https://industrialcyber.co/cisa/cisa-fbi-ms-isac-warn-of-ghost-ransomware-exploiting-outdated-systems-across-critical-infrastructure/
- #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed April 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
- What are the Types of Cyber Threat Actors? – Sophos, accessed April 23, 2025, https://www.sophos.com/en-us/cybersecurity-explained/threat-actors
- What is Crypto Ransomware? – Check Point Software, accessed April 23, 2025, https://www.checkpoint.com/cyber-hub/ransomware/what-is-crypto-ransomware/
- Crypto Ransomware | CISA, accessed April 23, 2025, https://www.cisa.gov/news-events/alerts/2014/10/22/crypto-ransomware
- trinity-ransomware-threat-actor-profile.pdf – HHS.gov, accessed April 23, 2025, https://www.hhs.gov/sites/default/files/trinity-ransomware-threat-actor-profile.pdf
- Qilin Ransomware: Detection and Analysis – Darktrace, accessed April 23, 2025, https://www.darktrace.com/blog/a-busy-agenda-darktraces-detection-of-qilin-ransomware-as-a-service-operator
- DragonForce Ransomware Group | Group-IB Blog, accessed April 23, 2025, https://www.group-ib.com/blog/dragonforce-ransomware/
- Bitdefender Threat Debrief | April 2025, accessed April 23, 2025, https://www.bitdefender.com/en-us/blog/businessinsights/bitdefender-threat-debrief-april-2025
- What is a Cyber Threat Actor? – CrowdStrike.com, accessed April 23, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
- R00TK1T Cyber Ceasefire: Malaysia Breathes Amidst Temporary Truce, accessed April 23, 2025, https://thecyberexpress.com/r00tk1t-ceasefire-of-cyberattacks-on-malaysia/
- R00TK1T Hacker Group Posts of Upcoming Nestle Cyberattack – The Cyber Express, accessed April 23, 2025, https://thecyberexpress.com/nestle-cyberattack-claims-r00tk1t/
- Qilin Ransomware: What You Need To Know – Tripwire, accessed April 23, 2025, https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know
- DragonForce Ransomware Group: Tactics, Targets & Mitigation – Cyble, accessed April 23, 2025, https://cyble.com/threat-actor-profiles/dragonforce-ransomware-group/
- Dragos Industrial Ransomware Analysis: Q4 2024, accessed April 23, 2025, https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q4-2024/
- #OptivNews: James Turgal on Medusa Ransomware Warning – YouTube, accessed April 23, 2025, https://www.youtube.com/watch?v=i0zvSkKlkXQ
- ANONYMOUS’ NEW VENDETTA – Patrick Henry College, accessed April 23, 2025, https://www.phc.edu/intelligencer/anonymous-new-vendetta
- Threat Actor – Arctic Wolf, accessed April 23, 2025, https://arcticwolf.com/resources/glossary-uk/what-is-a-threat-actor/