1. Executive Summary
This report details significant cybersecurity incidents reported within the last 24 hours, ending April 26, 2025. Key activities include multiple ransomware attacks by the LYNX group targeting organizations in North America, continued hacktivist operations primarily focused on South Asian geopolitical tensions involving India and Pakistan, and the active sale of compromised data and initial access on cybercrime forums. Notably, the LYNX ransomware group, linked to the earlier INC ransomware, continues its campaign with attacks on Pay4Freight (USA) and Impact Public Affairs (Canada). Hacktivist groups such as SYLHET GANG-SG, RASHTRIYA CYBER FORCE, and DCG were observed targeting entities in India and Pakistan. Data breaches affecting citizens and organizations in Singapore, Germany, Brazil, and Indonesia were advertised on forums. Furthermore, the promotion of an AI tool for malicious purposes and the sale of initial access to a Spanish organization highlight evolving threats and the persistent market for cybercrime enablers.
2. Methodology
This report is based on the analysis of structured incident data provided via JSON format, covering events reported on April 25-26, 2025. Each incident was enriched through targeted online research focusing on the attributed threat actors, their known Tactics, Techniques, and Procedures (TTPs), motivations, and historical campaigns. Research utilized open-source intelligence (OSINT), cybersecurity vendor reports, forum monitoring, and analysis of provided research snippets. Claims made by threat actors, particularly on forums and Telegram, are reported as allegations unless independently verified. The analysis synthesizes incident details with threat actor intelligence to provide context and identify emerging trends. All publication and screenshot URLs are included as provided in the source data.
3. Detailed Incident Reports
3.1 Incident: Alleged Data Sale of UIN Sultan Maulana Hasanuddin Banten
- Category: Data Breach
- Threat Actor: ClayOxtymus1337
- Date: 2025-04-25T02:14:55Z
- Victim: UIN Sultan Maulana Hasanuddin Banten (uinbanten.ac.id), Indonesia (Education Sector)
- Details: A threat actor, identified as ClayOxtymus1337, claims to be selling leaked student data allegedly originating from UIN Sultan Maulana Hasanuddin Banten, an Indonesian university. The dataset reportedly contains records for 7,000 students, including sensitive information such as student identification numbers, full names, academic programs, and tuition balances. The claim was posted on the ‘darkforums.st’ open web forum.
- Threat Actor Intelligence: No specific information regarding the history or TTPs of “ClayOxtymus1337” was found in the available research materials (1–2–4). Based on the incident context, this actor is likely financially motivated, seeking to profit from selling compromised student data on a cybercrime forum. The chosen platform (‘darkforums.st’) is commonly used for trading illicit data.
- Analysis & Context: The alleged sale of detailed student records poses significant risks to the affected individuals, including identity theft, targeted phishing, and other forms of fraud. Educational institutions remain frequent targets due to the large volumes of PII they hold and sometimes varying levels of security maturity. The specificity of the data claimed (including tuition balances) suggests a potentially deep compromise of university systems if the claim is accurate. The public advertisement on a forum aims to attract buyers interested in exploiting this specific dataset.
- Evidence Links:
- Publication: https://darkforums.st/Thread-Document-7K-Leak-Data-UIN-Banten
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/cff76c9e-9065-466a-8178-0b40ae3837f7.png
3.2 Incident: Impact Public Affairs falls victim to the Lynx Ransomware
- Category: Ransomware
- Threat Actor: LYNX
- Date: 2025-04-25T02:24:10Z
- Victim: Impact Public Affairs (impactcanada.com), Canada (Public Relations/PR Sector)
- Details: The LYNX ransomware group claims to have compromised Impact Public Affairs, a Canadian PR firm. The group alleges the exfiltration of 130 GB of the organization’s data. The claim was posted on the LYNX TOR-based leak site.
- Threat Actor Intelligence: LYNX Ransomware
- Background & Motivation: LYNX emerged in mid-2024 (5) and operates a Ransomware-as-a-Service (RaaS) model (5). It is financially motivated, employing double extortion tactics (5). Analysis indicates a significant code overlap with the earlier INC ransomware, suggesting LYNX is a rebrand or adaptation, potentially built from INC source code sold on underground forums (4). The group recruits affiliates, offering an 80% share of ransoms and providing a structured affiliate panel (8).
- Known TTPs: Initial access often via phishing or exploiting vulnerabilities (5). Exfiltrates data before encryption (double extortion) (5). Encrypts files using AES-128 and Curve25519, appending the .lynx extension (7). Uses Windows Restart Manager API to terminate processes holding files hostage (7). Deletes volume shadow copies to hinder recovery (12). Employs privilege escalation techniques (e.g., SeTakeOwnershipPrivilege) (5). Uses a TOR-based leak site (DLS) to publish victim data (4). Provides cross-platform binaries (Windows, Linux, ESXi) (8).
- Typical Targets: Broad targeting across sectors including finance, manufacturing, PR, legal, energy, retail, and utilities, primarily in North America, Europe, and Australia (4). Despite claiming an “ethical” stance avoiding healthcare and government, they have hit critical infrastructure (10).
- Analysis & Context: This attack aligns with LYNX’s established pattern of targeting organizations across various sectors in North America. The targeting of a PR firm is notable, as such firms often hold sensitive client information, potentially increasing the pressure to pay the ransom to avoid third-party data exposure. The claimed exfiltration volume (130 GB) is substantial. The LYNX operation demonstrates the effectiveness of the RaaS model combined with code reuse; adapting existing malware like INC allows groups to quickly stand up sophisticated operations, contributing to the proliferation of ransomware threats (5). This reuse lowers the barrier to entry for launching new, potent ransomware campaigns, suggesting that the frequency of such attacks may increase.
- Evidence Links:
- Publication: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/680ad489d5daa03fd36c1bcf (TOR Link)
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ef9b4711-b5bf-4656-aab6-4d282e0d28ff.png
3.3 Incident: Pay4Freight falls victim to the Lynx Ransomware
- Category: Ransomware
- Threat Actor: LYNX
- Date: 2025-04-25T02:26:50Z
- Victim: Pay4Freight (pay4freight.com), USA (Financial Services Sector)
- Details: Shortly after the Impact Public Affairs claim, the LYNX ransomware group also listed Pay4Freight, a US-based financial services company (likely factoring for the freight industry), as a victim on their TOR leak site. The group claims to have obtained 20 GB of the organization’s data.
- Threat Actor Intelligence: See Section 3.2 for LYNX ransomware details.
- Analysis & Context: This second LYNX claim within minutes highlights the group’s operational tempo. Targeting a financial services company like Pay4Freight fits within LYNX’s known target sectors (5). Financial services firms are prime targets due to the sensitive financial data they handle and the potential for significant disruption, increasing the likelihood of ransom payment. The claimed 20 GB of data could include customer financial details, transaction records, and internal company data. This incident further underscores LYNX’s position as an active and significant ransomware threat, particularly to North American organizations (4).
- Evidence Links:
- Publication: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/680ac683d5daa03fd36b19e1 (TOR Link)
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/dd306c0e-9270-4b60-a330-627e75492fa4.png
3.4 Incident: Alleged sale of access to an unidentified Spanish organization
- Category: Initial Access
- Threat Actor: OpenProcess
- Date: 2025-04-25T06:27:51Z
- Victim: Unidentified Spanish organization ($6 million revenue)
- Details: A threat actor using the handle “OpenProcess” posted an advertisement on the xss.is forum claiming to sell domain administrator-level access to a Spanish organization with reported revenue of $6 million. The access method is specified as being via FortiVPN.
- Threat Actor Intelligence: While the name “OpenProcess” relates to a Windows API function often used or monitored in malware analysis (13), no specific profile information for a threat actor or group named “OpenProcess” acting as an Initial Access Broker (IAB) was found in the provided materials (19–17–2). This actor operates on the xss.is forum, a known hub for cybercrime activities (21). Their motivation is financial gain through selling network access. Their TTP involves compromising network perimeter devices (FortiVPN) to gain high-privilege access (Domain Admin) and then monetizing this access by selling it to other malicious actors, such as ransomware groups.
- Analysis & Context: This incident exemplifies the role of Initial Access Brokers (IABs) within the cybercrime ecosystem. IABs specialize in gaining entry into networks and then selling that access, often forming the first stage of a larger attack like ransomware deployment. The specificity of the offer (Domain Admin access, FortiVPN vector, victim revenue, geography) is typical for IAB listings, designed to attract buyers looking for specific types of targets. The targeting of VPN vulnerabilities is a common initial access vector exploited by ransomware groups and IABs (22). The sale of high-level access like Domain Admin is particularly dangerous as it grants attackers extensive control over the victim’s network. The focus on compromising edge devices like VPNs underscores the critical importance of securing the network perimeter and applying patches promptly. Such vulnerabilities provide a direct pathway into corporate networks for actors like OpenProcess.
- Evidence Links:
- Publication: https://xss.is/threads/136676/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/940c5c2b-da7e-427c-9fac-5bb3cef6cdb2.png
3.5 Incident: Nytheon AI is being promoted
- Category: Malware
- Threat Actor: Agent X
- Date: 2025-04-25T08:15:12Z
- Victim: N/A (Tool Promotion)
- Details: A threat actor identified as “Agent X” is actively promoting “Nytheon AI” on the xss.is forum. Nytheon AI is described as a publicly accessible, 80-billion-parameter AI model hosted on the dark web. It reportedly uses default credentials, making it easily accessible. The promotion claims the AI enables users without coding expertise to create undetectable malware, forge identities, and automate scams. It is advertised as having voice-enabled, multilingual capabilities and integration with platforms like Telegram and WhatsApp.
- Threat Actor Intelligence: No specific information regarding “Agent X” was found in the available research materials (1–2–4). This actor functions as a promoter or seller of a malicious tool/service on a cybercrime forum (xss.is). Their motivation is likely financial gain or potentially building reputation by distributing a powerful tool.
- Analysis & Context: This incident highlights the emerging threat of Artificial Intelligence being weaponized for cybercrime. The promotion of a tool like Nytheon AI, specifically designed to lower the barrier for creating malware and conducting scams, is concerning. If the claims are accurate, such a tool could significantly increase the volume and sophistication of attacks, particularly from less technically skilled actors. The features described (undetectable malware generation, identity forgery, automated scams, multilingual voice capabilities, platform integration) represent a potential force multiplier for criminal activities. The accessibility via default credentials further lowers the barrier to misuse. This development signifies a potential escalation in the cyber threat landscape, where AI is not just a target but also an enabler of attacks, necessitating proactive research and adaptation by security defenders to counter AI-generated threats.
- Evidence Links:
- Publication: https://xss.is/threads/136609/#post-969372
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f0250c2f-2ef7-4954-a284-ba9bfbe8decc.png
3.6 Incident: Advanced Simulation Technology falls victim to Silent Ransomware
- Category: Ransomware
- Threat Actor: Silent
- Date: 2025-04-25T09:27:44Z
- Victim: Advanced Simulation Technology Inc (ASTi) (asti-usa.com), USA (Defense & Space Sector)
- Details: The Silent ransomware group claims to have compromised Advanced Simulation Technology Inc (ASTi), a US company in the Defense & Space sector. The group alleges data theft and threatens to publish the obtained data within 13-14 days if their demands are not met. The claim was made on the group’s TOR-based leak site.
- Threat Actor Intelligence: Silent Ransomware
- Background & Motivation: Silent Ransomware is a recognized, financially motivated ransomware group active enough to be mentioned in cybersecurity briefings alongside other major threats (22).
- Known TTPs: Employs ransomware to encrypt victim data and extort payment (23). Utilizes double extortion tactics, threatening to leak stolen data via a TOR leak site, as seen in this incident. One potential initial access vector associated with the group is callback phishing, where victims are socially engineered over the phone into installing malware after responding to a fake invoice email (22). General ransomware TTPs, such as exploiting vulnerabilities or using compromised credentials, are also likely methods. The ransomware may be downloaded stealthily onto victim systems (24).
- Typical Targets: Appears opportunistic, but this incident shows targeting within the high-value Defense Industrial Base (DIB).
- Analysis & Context: The targeting of ASTi, a company operating in the Defense & Space sector, is particularly concerning. While the primary motivation of Silent ransomware is financial (23), the exfiltration of data from a DIB contractor poses potential national security risks. Sensitive, albeit unclassified, information (CUI), intellectual property related to simulation technologies, or project details could be exposed if the data is leaked publicly or acquired by nation-state adversaries from the ransomware group. This highlights the dual threat faced by DIB organizations. The explicit deadline (13-14 days) for data publication is a standard pressure tactic in double extortion schemes. The group’s mention in official advisories (22) and potential use of evolving social engineering techniques like callback phishing (22) indicate it is a monitored threat employing methods designed to bypass technical defenses, emphasizing the need for robust security awareness training.
- Evidence Links:
- Publication: http://silentbgdghp3zeldwpumnwabglreql7jcffhx5vqkvtf2lshc4n5zid.onion/ (TOR Link)
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/dd3f99aa-d94e-4e3d-9bb8-b112e87c4ed5.png
3.7 Incident: Alleged database leak of Khyber Pakhtunkhwa
- Category: Data Breach
- Threat Actor: RASHTRIYA CYBER FORCE
- Date: 2025-04-25T09:41:07Z
- Victim: Khyber Pakhtunkhwa (kphcip.gkp.pk), Pakistan (Investment Management, Hedge Fund & Private Equity – Note: Likely Government/Provincial Entity)
- Details: A group identifying as “RASHTRIYA CYBER FORCE” claims via Telegram to have leaked data belonging to an entity associated with Khyber Pakhtunkhwa, a province in Pakistan. The targeted site URL (kphcip.gkp.pk) suggests a connection to investment or projects within the province, though the JSON’s industry classification might be inaccurate.
- Threat Actor Intelligence: No specific information regarding “RASHTRIYA CYBER FORCE” was found in the available research (1–2–4). However, the name (“Rashtriya” meaning “National” in Hindi) strongly suggests an Indian hacktivist group. Their motivation is likely political and nationalistic, targeting Pakistani entities as part of the ongoing low-level cyber conflict between hacktivists from the two nations (3). Their TTPs likely include data breaches/leaks, website defacement, and potentially DDoS attacks, using Telegram for publicizing their claims.
- Analysis & Context: This incident appears to be another example of politically motivated hacktivism within the India-Pakistan sphere. Targeting provincial government-related entities like those in Khyber Pakhtunkhwa is a common tactic used by these groups to cause disruption, gain notoriety, or make a political statement. Claims made on Telegram by hacktivist groups often require independent verification, as the actual impact or novelty of the leaked data can vary. Such activities represent the use of cyber operations as a tool for nationalist expression and are a persistent feature of the regional geopolitical landscape (3).
- Evidence Links:
- Publication: https://t.me/indian_rcf/48
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/e21a3b88-5e0a-42f1-97e3-ba36673faba5.png
3.8 Incident: Dex4o4 claims to target Pakistan
- Category: Alert
- Threat Actor: Dex4o4
- Date: 2025-04-25T10:16:18Z
- Victim: Pakistan (Nation)
- Details: An actor using the handle “Dex4o4” posted a message on Telegram indicating their intention to target Pakistan.
- Threat Actor Intelligence: No specific information regarding “Dex4o4” was found in the available research (1–2–4). Given the target (Pakistan) and the context of other incidents in this report, Dex4o4 is likely a hacktivist, possibly of Indian origin, motivated by political or nationalistic reasons. Their known TTPs, based solely on this incident, involve making threat announcements via Telegram. They likely engage in common hacktivist methods like DDoS, defacement, or data leaks.
- Analysis & Context: This alert signifies a declared intent to attack, rather than a confirmed compromise. Such announcements are common in hacktivist communities using platforms like Telegram (25). These declarations serve multiple purposes: to signal upcoming campaigns, potentially rally support from like-minded individuals, create psychological pressure on the target, and gain visibility within the hacktivist scene. While not confirming an attack has occurred, it provides an early warning for defenders in Pakistan to heighten monitoring and defensive postures.
- Evidence Links:
- Publication: https://t.me/cryptojackersofindia/675
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/02142769-0728-4aa7-97f8-9b758262e4e0.png
3.9 Incident: SYLHET GANG-SG targets multiple websites in India
- Category: Defacement
- Threat Actor: SYLHET GANG-SG
- Date: 2025-04-25T10:49:12Z
- Victim: Multiple Indian websites (e.g., Kalam’s Vision Academy – digitalmaths.co.in), India (Education Sector)
- Details: The hacktivist group “SYLHET GANG-SG” claimed via Telegram to have defaced 15 Indian websites, including educational institutions like Kalam’s Vision Academy. They also claimed to have gained full database access to these sites.
- Threat Actor Intelligence: SYLHET GANG-SG
- Background & Motivation: SYLHET GANG-SG is an active hacktivist group, likely with ties to Bangladesh (Sylhet is a major city there). Their motivations appear multifaceted, driven by geopolitical and religious factors. They have targeted China over policies towards Muslims (3), entities supporting Israel as part of pro-Palestine campaigns (25), and frequently target India (25, JSON incident), often under banners like #OpIndia (3).
- Known TTPs: Website defacement and DDoS attacks are common tactics (3). They have also been linked to data leaks (25). Telegram is their primary platform for announcing attacks and making claims (25).
- Typical Targets: Their targets are diverse, reflecting their varied campaigns, including government sites, educational institutions, airports, and private companies in India, China, and countries perceived as pro-Israel (e.g., UK, South Korea, Italy) (3).
- Analysis & Context: This mass defacement claim against Indian educational websites is consistent with SYLHET GANG-SG’s known anti-India activities and preferred TTPs. Educational websites are often targeted by hacktivists because they are numerous and sometimes possess lower security postures, making them relatively easy targets for achieving widespread visibility (3). The claim of gaining “full database access” alongside defacement should be viewed critically; while possible, access sufficient for defacement does not always guarantee a full database compromise, and hacktivist claims can be exaggerated. The group’s involvement in multiple campaigns (anti-China, pro-Palestine, anti-India) demonstrates how hacktivist targeting can be fluid and reactive to current global and regional events (3).
- Evidence Links:
- Publication: https://t.me/SylhetGangSG1/6282
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4fe643e2-9e31-4369-957a-596d9c33cefc.png
3.10 Incident: Alleged data breach of Municipality of Jaraguá do Sul
- Category: Data Breach
- Threat Actor: Vortex
- Date: 2025-04-25T11:03:24Z
- Victim: Prefeitura Municipal de Jaraguá do Sul (jaraguadosul.sc.gov.br), Brazil (Government Administration Sector)
- Details: An actor or group named “Vortex” claimed via Telegram to have leaked data from the Municipality of Jaraguá do Sul in Brazil.
- Threat Actor Intelligence: The name “Vortex” is associated with multiple, likely unrelated, cyber entities. Research identified STARK#VORTEX (UAC-0154), a Russian GRU-linked APT group targeting Ukraine with malware like MerlinAgent delivered via lures themed around UAV manuals (26). Separately, an author of “Polski, Vortex and Flotera Ransomware” was reportedly arrested (27). The term “vortex” is also used metaphorically in cybersecurity discussions (28). Crucially, none of the available information links these known entities to the actor targeting a Brazilian municipality via Telegram in this incident. Therefore, this “Vortex” should be considered a distinct entity, likely a hacktivist group, possibly local to Brazil or specifically targeting Brazilian government institutions for political reasons. Their TTPs, based on this incident, involve data leaks claimed on Telegram.
- Analysis & Context: This incident involves an unverified claim of a data leak affecting a local government entity in Brazil. The ambiguity surrounding the “Vortex” name highlights a common challenge in threat intelligence: name reuse or collision requires careful contextual analysis to avoid misattribution. Assuming this is a hacktivist operation, the targeting of municipal governments, while potentially less impactful than national breaches, can still cause significant local disruption, compromise citizen PII, and undermine public trust in government cybersecurity (28). The use of Telegram for the claim is standard for hacktivist groups. Further investigation would be needed to verify the leak and assess its contents.
- Evidence Links:
- Publication: https://t.me/Vvorttexx/51
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/0aab1999-bc8e-4963-a687-88d77a9cb8f4.png
3.11 Incident: Alleged database sale of unidentified German Banks
- Category: Data Breach
- Threat Actor: santander777
- Date: 2025-04-25T11:23:41Z
- Victim: Unidentified German Banks (Banking & Mortgage Sector)
- Details: An actor using the handle “santander777” advertised the sale of “verified customer databases” allegedly from German banks on the xss.is forum. The compromised data reportedly includes extensive PII: country, city, street, postal code, first name, last name, phone number, email, IBAN, and bank name.
- Threat Actor Intelligence: No specific profile information for “santander777” was found in the available research (1–2–4). The actor operates on the xss.is cybercrime forum and is financially motivated, aiming to sell highly sensitive banking data. Their TTPs involve obtaining (method unknown) and selling customer financial data. The claim of “verified” data is common but requires scrutiny.
- Analysis & Context: This represents a serious potential breach involving sensitive financial PII from customers of German banks. Data including names, contact details, addresses, and especially IBANs is highly valuable for launching sophisticated financial fraud, identity theft, and targeted phishing attacks. The advertisement on xss.is targets other cybercriminals seeking such data for exploitation. The actor’s choice to advertise “German Banks” data specifically points towards a degree of specialization within the cybercrime market, where buyers seek data relevant to particular geographic regions or industries for their campaigns. The anonymity regarding the specific banks involved could be a tactic to maximize sales or hinder immediate mitigation efforts.
- Evidence Links:
- Publication: https://xss.is/threads/136680/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/06e5c853-caf2-42c6-a990-350255aeaf00.PNG
3.12 Incident: Alleged database leak of Maranhão Vehicle
- Category: Data Leak
- Threat Actor: memberphpp
- Date: 2025-04-25T11:49:03Z
- Victim: Maranhão Vehicle (Likely DETRAN-MA – State Dept. of Transit), Brazil (Automotive/Government Sector)
- Details: An actor named “memberphpp” posted on the ‘darkforums.st’ forum, claiming to leak data related to vehicles in the Brazilian state of Maranhão. The forum thread title explicitly mentions leaking “500k of 2M Maranhão Vehicle Db DETRAN-MA Records,” indicating the data likely originates from the state’s Department of Transit (DETRAN) and represents a partial leak from a larger database.
- Threat Actor Intelligence: No specific profile information for “memberphpp” was found in the available research (1–2–4). This actor operates on dark web forums and appears motivated by gaining notoriety or potentially advertising a future sale by leaking a portion of the data. The handle might suggest proficiency in PHP, potentially used to exploit web application vulnerabilities. Their TTPs involve data exfiltration and leaking/posting data on forums.
- Analysis & Context: This alleged leak involves sensitive vehicle registration and potentially owner data from a Brazilian state government agency (DETRAN-MA). Such data is attractive to criminals for various purposes, including vehicle cloning, targeted theft, insurance fraud, and locating individuals. Leaking a substantial subset (500k records) is a common tactic used by data brokers to prove they possess the data and entice buyers for the complete dataset. Government databases, particularly at state or regional levels, continue to be valuable targets due to the large amounts of citizen PII and specific data they contain, making them frequent victims of breaches aimed at data monetization or causing disruption.
- Evidence Links:
- Publication: https://darkforums.st/Thread-2025-Brazil-500k-of-2M-Maranh%C3%A3o-Vehicle-Db-DETRAN-MA-Records
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ad42734e-aacc-4865-83d7-62fc46b3b98a.png
3.13 Incident: Alleged data sale of Singapore citizens
- Category: Data Breach
- Threat Actor: LongNight
- Date: 2025-04-25T12:23:30Z
- Victim: Singapore citizens (Source organization unspecified)
- Details: An actor using the handle “LongNight” advertised data allegedly belonging to 75,000 Singapore citizens for sale on the xss.is forum. The compromised data reportedly includes full names, email addresses, phone numbers, physical addresses, and potentially other details. The original source of the breach was not specified.
- Threat Actor Intelligence: Available research materials containing the term “LongNight” (1) did not provide any relevant information about this threat actor. Based on the context, “LongNight” is likely an individual or group operating on the xss.is cybercrime forum, motivated by financial gain from selling PII. Their TTPs involve acquiring (method unknown) and selling citizen PII datasets.
- Analysis & Context: This incident involves the claimed sale of a large dataset of PII belonging to Singaporean citizens. Such data is valuable for a wide range of malicious activities, including identity theft, spam campaigns, phishing, and various types of scams. The lack of information about the source breach makes it difficult to identify the compromised organization(s) or the specific vulnerability exploited. The sale of geographically targeted PII datasets (similar to the German bank data in section 3.11) caters to threat actors planning campaigns focused on specific regions, indicating segmentation and demand within the data trading market on cybercrime forums.
- Evidence Links:
- Publication: https://xss.is/threads/136684/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/c229a6cd-4940-4887-a158-1d585528c980.PNG
3.14 Incident: DCG targets the website of Bandhu Sundar Pharmacy Academy
- Category: Defacement
- Threat Actor: DCG (Dark Cyber Gang)
- Date: 2025-04-25T13:00:20Z
- Victim: Bandhu Sundar Pharmacy Academy (bspacademy.org), India (Education Sector)
- Details: A group calling itself “DCG (Dark Cyber Gang)” claimed via Telegram to have defaced the website of Bandhu Sundar Pharmacy Academy, an Indian educational institution.
- Threat Actor Intelligence: No specific profile information for “DCG (Dark Cyber Gang)” was found in the available research (1–2–4). The name and target suggest a hacktivist group, potentially with anti-India motivations, similar to other groups observed in this reporting period. Their use of Telegram for claims aligns with common hacktivist practices. Their TTPs, based on this incident, include website defacement.
- Analysis & Context: This is a typical hacktivist defacement claim targeting the Indian education sector. Similar to the SYLHET GANG-SG incident (Section 3.9), educational institutions are frequently chosen targets for such groups seeking visibility and disruption. The persistent targeting of these institutions by various groups (DCG, SYLHET GANG-SG) suggests they are perceived as relatively accessible targets for making political statements related to regional conflicts or ideologies (3). Verification of the defacement would require checking the target website.
- Evidence Links:
- Publication: https://t.me/c/2546752362/8
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8612b912-8edf-4456-88d1-4fe14eb7ad73.png
4. Emerging Threats & Observations
Analysis of the incidents reported over the past 24 hours reveals several key trends and emerging threats:
- LYNX Ransomware Persistence: The LYNX RaaS group continues to demonstrate significant activity, claiming multiple victims (Impact Public Affairs, Pay4Freight) in North America across different sectors (PR, Financial Services) (3). Their operational model, leveraging adapted code likely from INC ransomware (5) and employing sophisticated TTPs including double extortion, process termination, and privilege escalation (7–4–6–4), solidifies their status as a major threat. The success of groups like LYNX underscores a broader trend where the RaaS model and code reuse lower the barrier to entry for launching potent ransomware campaigns, likely leading to an increase in such attacks.
- Geopolitically Motivated Hacktivism: A significant portion of reported activity stems from hacktivist groups engaged in cyber conflicts linked to real-world geopolitical tensions. The India-Pakistan cyber front remains highly active, with groups like RASHTRIYA CYBER FORCE, Dex4o4, SYLHET GANG-SG, and DCG claiming attacks (defacements, data leaks, threat announcements) against targets in both countries (1). SYLHET GANG-SG’s activities also reflect broader motivations, including pro-Palestine actions (3). Similarly, the alleged leak by “Vortex” against a Brazilian municipality points to potential hacktivism targeting South American governments. These incidents demonstrate the continued use of cyberspace for nationalist expression and low-intensity conflict, with Telegram serving as a key platform for communication and claims (3).
- Thriving Cybercrime Marketplaces: Underground forums (xss.is, darkforums.st) and Telegram channels remain critical infrastructure for the cybercrime economy. This reporting period saw active advertisements for valuable stolen data, including PII from Singapore (31), German bank customer details (29), Brazilian vehicle records (32), and Indonesian student data (35). Furthermore, the sale of initial network access, such as the FortiVPN access to a Spanish company offered by “OpenProcess” (36), highlights the specialized roles within this ecosystem, directly enabling more severe attacks like ransomware.
- AI as a Cybercrime Enabler: The promotion of “Nytheon AI” (34) represents a tangible example of AI being weaponized to create cybercrime tools. Claims that it can generate undetectable malware and automate scams without requiring coding expertise, if accurate, signify a potential shift in the threat landscape. Such tools could dramatically lower the skill threshold for conducting sophisticated attacks, increasing the overall volume and diversity of threats defenders face.
- Initial Access Brokers (IABs): The activity of IABs like “OpenProcess” (36) remains a crucial precursor to many major cyber incidents, particularly ransomware. Their focus on compromising perimeter devices (e.g., FortiVPN) and selling high-privilege access highlights the importance of robust perimeter security, vulnerability management, and monitoring for unauthorized access attempts.
- Sector Targeting: Specific sectors faced notable targeting: Education (UIN Banten, Bandhu Sundar Pharmacy Academy, multiple Indian sites), Government (Khyber Pakhtunkhwa, Jaraguá do Sul Municipality, Maranhão DETRAN), Financial Services (Unidentified German Banks, Pay4Freight), Public Relations (Impact Public Affairs), and Defense (Advanced Simulation Technology Inc).
5. High-Level Recommendations
Based on the observed activities and trends, organizations should consider the following defensive measures:
- Enhance Ransomware Resilience: Prioritize timely patching of vulnerabilities, especially those in internet-facing systems like VPNs (22) and remote access services. Implement and regularly test a robust backup and recovery strategy that includes offline or immutable backups, mitigating the impact of shadow copy deletion (12). Deploy and maintain advanced Endpoint Detection and Response (EDR) solutions configured to detect ransomware TTPs such as suspicious process termination (6), credential dumping, and privilege escalation (6). Strengthen user awareness training to recognize phishing emails (5) and emerging social engineering tactics like callback phishing (22). Monitor dark web/TOR leak sites for potential exposure (3).
- Mitigate Hacktivist Threats: Implement strong web application security measures, including Web Application Firewalls (WAFs) and regular vulnerability scanning, to defend against defacements and common exploits. Employ DDoS mitigation services for critical public-facing websites, particularly government portals and high-profile organizational sites (3). Monitor relevant social media platforms (especially Telegram) and forums associated with regional or ideologically motivated hacktivist groups for early warnings of potential targeting (26).
- Strengthen Data Protection: Secure databases containing PII and other sensitive information through robust access controls, encryption (at rest and in transit), and regular security audits. Monitor for anomalous data access patterns or large data egress (31). Implement data loss prevention (DLP) solutions.
- Prepare for AI-Driven Threats: Stay informed about the development and potential misuse of AI in cyberattacks (34). Ensure security monitoring tools utilize behavioral analysis and machine learning capable of detecting novel or rapidly mutating threats that AI tools might generate.
- Manage Supply Chain and IAB Risk: Assess and manage the cybersecurity risks associated with third-party vendors and partners, as compromises can lead to breaches (e.g., LYNX targeting firms holding client data (6)). Secure all remote access pathways (VPNs, RDP) with strong authentication (MFA) and diligent patching, as these are prime targets for IABs (36). Consider threat intelligence services that monitor IAB marketplaces for mentions of your organization or sector.
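The ransomware resilience recommendation above asks that EDR be tuned for TTPs such as shadow copy deletion and suspicious process termination. The following is an added illustration, not part of this report or of any vendor's product, of what such detection logic looks like when run over process-creation telemetry. The log line format, the host names (FS01, WS22), the account names and the events themselves are constructed for the example; the command patterns it matches (vssadmin/wmic/wbadmin/bcdedit recovery tampering, taskkill and net stop bursts) are the behaviours the recommendation describes.

```python
"""Detect ransomware-precursor TTPs (shadow copy deletion, mass process
termination) in process-creation logs.  Added example, not part of the report.

Log format is an assumed, simplified one-line-per-event form modelled on
Sysmon/EDR process-creation telemetry:
    <ISO timestamp> host=<name> user=<account> image=<path> cmd="<command line>"
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


@dataclass
class Alert:
    ts: datetime
    host: str
    kind: str       # "shadow_copy_tamper" or "termination_burst"
    detail: str
    evidence: str


LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Recovery-inhibition commands seen before encryption: shadow copy deletion,
# backup catalog deletion, disabling Windows recovery.
SHADOW_COPY_PATTERNS = [
    (re.compile(r'vssadmin(\.exe)?\s+delete\s+shadows', re.I), "vssadmin shadow copy deletion"),
    (re.compile(r'wmic(\.exe)?\s+shadowcopy\s+delete', re.I), "WMIC shadow copy deletion"),
    (re.compile(r'wbadmin(\.exe)?\s+delete\s+catalog', re.I), "backup catalog deletion"),
    (re.compile(r'bcdedit(\.exe)?\b.*recoveryenabled\s+no', re.I), "Windows recovery disabled"),
]

# Forced process kills / service stops. One is routine admin work; a burst
# against many processes on one host is the pre-encryption pattern.
KILL_RE = re.compile(r'\b(taskkill(\.exe)?\s+.*(/f|/im)\b|net1?(\.exe)?\s+stop\b)', re.I)


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return ProcEvent(datetime.fromisoformat(m["ts"]), m["host"], m["user"],
                     m["image"], m["cmd"])


def detect(lines: Iterable[str], burst_threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Return alerts for recovery tampering and per-host kill/stop bursts."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    alerts: List[Alert] = []

    # 1. Any single recovery-inhibition command is worth an alert on its own.
    for e in events:
        for pattern, label in SHADOW_COPY_PATTERNS:
            if pattern.search(e.cmdline):
                alerts.append(Alert(e.ts, e.host, "shadow_copy_tamper", label, e.cmdline))

    # 2. Sliding window per host: burst_threshold or more kill/stop commands
    #    inside `window` fires once per host.
    kills = defaultdict(list)
    for e in events:
        if KILL_RE.search(e.cmdline):
            kills[e.host].append(e)
    for host, evs in kills.items():
        start = 0
        for i, e in enumerate(evs):
            while e.ts - evs[start].ts > window:
                start += 1
            if i - start + 1 >= burst_threshold:
                alerts.append(Alert(e.ts, host, "termination_burst",
                                    f"{i - start + 1} kill/stop commands in {window.seconds}s",
                                    "; ".join(x.cmdline for x in evs[start:i + 1])))
                break
    alerts.sort(key=lambda a: a.ts)
    return alerts


# Constructed sample telemetry (not real incident data): FS01 shows the
# pre-encryption sequence, WS22 shows routine admin activity that must not fire.
SAMPLE_LOG = r"""
2025-04-26T02:14:03 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c vssadmin.exe delete shadows /all /quiet"
2025-04-26T02:14:05 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2025-04-26T02:14:06 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"
2025-04-26T02:14:10 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmd="net stop MSSQLSERVER /y"
2025-04-26T02:14:11 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM sqlservr.exe"
2025-04-26T02:14:12 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM outlook.exe"
2025-04-26T02:14:13 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\net.exe cmd="net stop vss /y"
2025-04-26T02:14:14 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM excel.exe"
2025-04-26T09:02:41 host=WS22 user=CORP\jdoe image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM notepad.exe"
2025-04-26T09:05:00 host=WS22 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"{a.ts.isoformat()} {a.host} {a.kind}: {a.detail}")
```

On the sample the detector raises three recovery-tampering alerts and one termination-burst alert, all on FS01, while the lone taskkill and the read-only `vssadmin list shadows` on WS22 stay quiet. The same two-layer structure (single high-confidence commands plus a per-host rate window) extends to the other TTPs the recommendation lists, such as credential dumping or privilege escalation, by adding patterns; the threshold and window are the knobs to tune against a site's own baseline of legitimate administrative activity.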
Works cited
- Full text of “The Austin Chronicle 2009-02-13” – Internet Archive, accessed April 25, 2025, https://archive.org/stream/The_Austin_Chronicle-2009-02-13/The_Austin_Chronicle-2009-02-13_djvu.txt
- Cripto-ransomware: Análisis y detección temprana basada en el uso de archivos trampa – DIGIBUG Principal, accessed April 25, 2025, https://digibug.ugr.es/bitstream/handle/10481/76803/94887%281%29.pdf?seque
- Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed April 25, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
- BlackBerry Quarterly Global Threat Report — January 2025, accessed April 25, 2025, https://www.blackberry.com/us/en/solutions/threat-intelligence/threat-report
- New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 25, 2025, https://www.darktrace.com/ja/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
- Unraveling Lynx Ransomware – Loginsoft, accessed April 25, 2025, https://www.loginsoft.com/post/unraveling-lynx-ransomware
- Defending Against Lynx Ransomware (Strategies for 2025), accessed April 25, 2025, https://cybelangel.com/lynx-ransomware-double-extortion/
- Lynx Ransomware Group Unveiled with Sophisticated Affiliate …, accessed April 25, 2025, https://www.infosecurity-magazine.com/news/lynx-ransomware-sophisticated/
- Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB Blog, accessed April 25, 2025, https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
- Lynx Ransomware Pouncing on Utilities, accessed April 25, 2025, https://www.cisecurity.org/insights/blog/lynx-ransomware-pouncing-utilities
- Lynx Ransomware: A Rebranding of INC Ransomware, accessed April 25, 2025, https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
- Ransomware Groups Demystified: Lynx Ransomware | Rapid7 Blog, accessed April 25, 2025, https://www.rapid7.com/blog/post/2024/09/12/ransomware-groups-demystified-lynx-ransomware/
- Automated Malware Analysis Report for o9B7y2ZGmy.exe – Generated by Joe Sandbox, accessed April 25, 2025, https://www.joesandbox.com/analysis/1366754/0/html
- PoS RAM Scraper Malware: Past, Present, and Future – Threat Encyclopedia, accessed April 25, 2025, https://documents.trendmicro.com/assets/wp/wp-pos-ram-scraper-malware.pdf
- windows-security/Readme_full.md at master – GitHub, accessed April 25, 2025, https://github.com/alphaSeclab/windows-security/blob/master/Readme_full.md?plain=1
- Defending Against Malicious Software – CiteSeerX, accessed April 25, 2025, https://citeseerx.ist.psu.edu/document?repid=rep1&type=pdf&doi=0c350fed1848e2177a265a50124095592c136dd3
- The Antivirus Hacker’s Handbook – Security and Ethical Hacking, accessed April 25, 2025, https://kneda.net/documentos/The%20Antivirus%20Hacker’s.pdf
- 1.36 MB – Hugging Face, accessed April 25, 2025, https://huggingface.co/datasets/clydeiii/cybersecurity/resolve/main/2023.clean.txt?download=true
- Search Results – CVE, accessed April 25, 2025, https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=hp
- Automated Malware Analysis Report for file.exe – Generated by Joe Sandbox, accessed April 25, 2025, https://www.joesandbox.com/analysis/1569476/0/html
- Automated Malware Analysis Management Report for file.exe – Generated by Joe Sandbox, accessed April 25, 2025, https://www.joesandbox.com/analysis/1385148/0/executive
- Cybersecurity Briefing | A Recap of Cybersecurity News in …, accessed April 25, 2025, https://www.dnsfilter.com/blog/cybersecurity-briefing-a-recap-of-cybersecurity-news-in-november-2023
- DISSERTATION DOCTEUR DE L’UNIVERSITÉ DU LUXEMBOURG EN INFORMATIQUE Ziya Alper GENÇ Dissertation defence committee, accessed April 25, 2025, https://orbilu.uni.lu/bitstream/10993/44662/1/phd-thesis-genc%CC%A7.pdf
- 3.Hackathon Content 3 : Teaching Cyber Security in Classrooms, accessed April 25, 2025, https://innovateuttarakhand.com/storage/files/ATZejvERvX25jf0J6EU0lXBNEpPiRdzd1JnKBWxR.pdf
- Reflections of the Israel-Palestine Conflict on the Cyber World …, accessed April 25, 2025, https://socradar.io/reflections-of-the-israel-palestine-conflict-on-the-cyber-world/
- OCR of the Document | National Security Archive, accessed April 25, 2025, https://nsarchive.gwu.edu/media/29562/ocr
- Sitemap – Cybersecurity Insiders, accessed April 25, 2025, https://www.cybersecurity-insiders.com/sitemap/
- cybersecurity threats to the us electric grid and technology advancements to minimize such threats – GovInfo, accessed April 25, 2025, https://www.govinfo.gov/content/pkg/CHRG-115shrg24977/pdf/CHRG-115shrg24977.pdf
- What Is Phishing? – Palo Alto Networks, accessed April 25, 2025, https://www.paloaltonetworks.com/cyberpedia/what-is-phishing
- Bugs in the system – OMFIF, accessed April 25, 2025, https://www.omfif.org/wp-content/uploads/2019/09/Btn.Q4.19.web-min.pdf
- KA_Jun_23_2017 – Flipbook by aaron – FlipHTML5, accessed April 25, 2025, https://fliphtml5.com/ejbae/aahd/KA_Jun_23_2017/
- https://www.barnesandnoble.com/detail86.xml, accessed April 25, 2025, https://www.barnesandnoble.com/detail86.xml
- R E P O R T – Congress.gov, accessed April 25, 2025, https://www.congress.gov/113/crpt/hrpt448/CRPT-113hrpt448.pdf
- Tech & Policy Initiative, Working Paper Series 2 | Columbia SIPA, accessed April 25, 2025, https://www.sipa.columbia.edu/sites/default/files/2022-09/Working%20Paper%20Series%202.pdf
- News – Cyber Florida at USF, accessed April 25, 2025, https://cyberflorida.org/news/
- Convergence: Illicit Networks and National Security in the Age of Globalization – DTIC, accessed April 25, 2025, https://apps.dtic.mil/sti/tr/pdf/ADA590461.pdf
- CHAPTER 3 Challenges and risks of generative AI – AWS, accessed April 25, 2025, https://fsi9-prod.s3.us-west-1.amazonaws.com/s3fs-public/2024-09/GenAI_Report_Ch3.pdf