1. Executive Summary
Overview: The 24-hour period ending April 27, 2025, witnessed significant cyber threat activity across multiple fronts. Key observations include a high volume of Initial Access Brokerage (IAB) offerings on dark web forums, persistent hacktivist operations driven by geopolitical conflicts, major data breach and leak claims impacting diverse global sectors, ongoing ransomware campaigns employing double extortion tactics, and the notable sale of alleged exploits and malicious remote access tools.
Dominant Trends:
- Initial Access Sales: A thriving market for initial network access was evident, with multiple actors advertising footholds into corporate and government systems. Actors including “xsskiller,” “combolists,” “Rivka,” and “caustic” offered unauthorized access credentials (including RDP, government emails/portals, OSINT API keys) targeting entities across Latin America, Europe, the USA, Portugal, Italy, and other unspecified regions.1 This access is often a precursor to more damaging attacks like ransomware deployment or espionage campaigns. Platforms like darkforums.st, ramp4u.io, and exploit.in served as key marketplaces for these transactions.1
- Hacktivism: Politically and ideologically motivated groups remained highly active. Actors such as RASHTRIYA CYBER FORCE, Lulzsec Arabs, 7 Proxies, DCG (Dark Cyber Gang), INDOHAXSEC, and Mr Hamza conducted website defacements and claimed data breaches or leaks. Targets were concentrated in India, Pakistan, and Bangladesh, alongside entities perceived as supporting Israel or opposing specific political agendas, such as US government and military sites.3 Telegram continues to be the preferred platform for coordinating attacks, announcing claims, and disseminating propaganda.3 While often technically unsophisticated, these actions contribute to geopolitical tensions.13
- Data Breaches/Leaks: Numerous incidents involved the alleged sale or leakage of substantial datasets containing sensitive information. Affected industries included Education, Insurance, Government Administration, Healthcare, Automotive, Marketing, Retail, and Finance across Pakistan, the USA, India, Peru, South Korea, the Netherlands, and Indonesia. Actors involved included RASHTRIYA CYBER FORCE, RonyKingSourcingINC, h4ck3r, Randy72, Nick Diesel, Gatito_FBI_Nz, Thales, WantsMore1337, and INDOHAXSEC. Some claims involved exceptionally large volumes, such as 4TB allegedly from Ascent Pharmaceuticals, 7.7 million records from Quality Used Transmissions, and 80GB from Grupo Intercorp, exposing vast amounts of Personally Identifiable Information (PII), financial data, and corporate secrets.
- Ransomware Activity: The Gunra and RALord ransomware groups were observed conducting active campaigns. Both groups employed double extortion tactics, exfiltrating data before encryption and threatening publication on Tor-based data leak sites (DLS) to pressure victims.14 Targets included manufacturing (KLINGER Italy) and telecommunications (Diallog Telecommunications Corp, Canada).15
- Exploit/Tool Sales: Significant offerings on underground markets included an alleged Android Remote Code Execution (RCE) 0-day exploit targeting versions 15 and below, advertised by “APTLab”.21 Additionally, “Grand_Ceaser” offered illicit ScreenConnect panels on the Exploit.in forum, promoting them as tools for large-scale device takeover, capitalizing on the known abuse potential of this RMM software.23
The high frequency of IAB postings alongside the sale of tools like illicit ScreenConnect panels points towards a specialized cybercrime ecosystem. Different threat actors focus on distinct stages of the attack lifecycle – some gain initial access, while others purchase this access or specialized tools to deploy final payloads like ransomware or conduct espionage.1 This division of labor enhances the overall efficiency and potency of cybercriminal operations, enabling actors lacking advanced exploitation skills to leverage the capabilities of others, thereby increasing the overall threat level.24
Incident Summary Overview
| Incident Title | Category | Threat Actor(s) | Victim Organization | Victim Country | Victim Industry |
| --- | --- | --- | --- | --- | --- |
| RASHTRIYA CYBER FORCE targets the website of Government College Women University Faisalabad | Data Breach | RASHTRIYA CYBER FORCE | government college women university faisalabad | Pakistan | Education |
| Alleged sale of unauthorized access to INTERPOL IP Crime Investigators College | Initial Access | xsskiller | international ip crime investigators college | France | Education |
| Alleged database sale of Secure Agent Leads | Data Breach | RonyKingSourcingINC | secure agent leads | USA | Insurance |
| Alleged sale of access to government emails from multiple countries | Initial Access | combolists | Multiple Govt Entities | Brazil (primary) | Government Administration |
| Alleged sale of access to Multiple Colombian Government sites | Initial Access | xsskiller | office of the ombudsman (and others) | Colombia | Government Administration |
| Mr Hamza claims to target the USA sites | Alert | Mr Hamza | US Govt/Military | USA | Government Administration |
| Alleged sale of Android RCE exploit 0-day | Vulnerability | APTLab | N/A (Android OS) | N/A | N/A |
| KLINGER Italy falls victim to Gunra Ransomware | Ransomware | Gunra | klinger italy | Italy | Machinery Manufacturing |
| Lulzsec Arabs targets the website of Ram Aluminium & Glass | Defacement | Lulzsec Arabs | ram aluminium & glass | India | Manufacturing |
| Alleged sale of access to an unidentified Portugal document management company | Initial Access | Rivka | Unidentified | Portugal | Document Management |
| Alleged sale of RDP access to Italy Company | Initial Access | Rivka | Unidentified | Italy | Information Technology (IT) Services |
| Alleged data leak of Indian Government Employees | Data Leak | h4ck3r | Indian Govt Employees | India | Government Administration |
| 7 Proxies targets the website of Peshawar Public School, Pakistan | Defacement | 7 Proxies | peshawar public school | Pakistan | Education |
| Alleged database leak of Ascent Pharmaceuticals | Data Breach | Randy72 | ascent pharmaceuticals | USA | Healthcare & Pharmaceuticals |
| Alleged data leak of Quality Used Transmissions | Data Breach | Nick Diesel | quality used transmissions | USA | Automotive |
| Alleged database leak of METEOR | Data Breach | Nick Diesel | meteor | USA | Marketing, Advertising & Sales |
| DCG targets the website of Unite Corporation and Resources | Defacement | DCG (Dark Cyber Gang) | unite corporation and resources | India | Mechanical or Industrial Engineering |
| 7 Proxies targets the website of Feni District Council | Defacement | 7 Proxies | feni district council | Bangladesh | Government & Public Sector |
| 7 Proxies targets the website of Grameen Caledonian College of Nursing | Defacement | 7 Proxies | grameen caledonian college of nursing | Bangladesh | Education |
| 7 Proxies targets the website of Financial Management Academy – FIMA | Defacement | 7 Proxies | financial management academy – fima | Bangladesh | Government Administration |
| Alleged data breach of Grupo Intercorp | Data Breach | Gatito_FBI_Nz | grupo intercorp | Peru | Retail Industry |
| Alleged data sale of KSJOB Korea | Data Leak | Thales | KSJOB Korea | South Korea | Unspecified |
| Alleged data sale of Albert Heijn | Data Breach | WantsMore1337 | albert heijn | Netherlands | Retail Industry |
| Alleged sale of access to an unidentified Latin American (LATAM) insurance company | Initial Access | caustic | Unidentified | LATAM (unspecified) | Insurance |
| Diallog Telecommunications Corp falls victim to RALord Ransomware | Ransomware | RALord | diallog telecommunications corp | Canada | Network & Telecommunications |
| Alleged sale of ScreenConnect panels | Alert | Grand_Ceaser | N/A (Tool Sale) | N/A | N/A |
| Alleged data leak of K-CLOUD KOMINFO | Data Breach | INDOHAXSEC | ministry of communication and digital affairs | Indonesia | Government Administration |
2. Detailed Incident Analysis
(Note: Each incident below includes a summary, threat actor context derived from research, and evidence links as provided in the JSON.)
Incident 1: RASHTRIYA CYBER FORCE targets Government College Women University Faisalabad
- Incident Title: RASHTRIYA CYBER FORCE targets the website of Government College Women University Faisalabad
- Date Reported: 2025-04-27T13:30:12Z
- Category: Data Breach
- Victim Details:
- Organization: government college women university faisalabad
- Industry: Education
- Country: Pakistan
- Site: gcwuf.edu.pk
- Incident Summary & Analysis: The hacktivist group “RASHTRIYA CYBER FORCE” has claimed responsibility for breaching and subsequently leaking data associated with the Government College Women University Faisalabad, located in Pakistan. This claim was disseminated via a Telegram channel, a platform frequently utilized by hacktivist collectives for communication, coordination, and propaganda dissemination.3 Although categorized as a “Data Breach,” the specific nature, volume, and authenticity of the leaked data remain unverified. Hacktivist claims, particularly regarding data exfiltration, can sometimes be inflated or involve the reuse of previously leaked datasets to garner attention.6 The targeting of a Pakistani educational institution by a group whose name suggests Indian nationalistic alignment strongly indicates a politically motivated cyberattack, likely stemming from the persistent geopolitical tensions between India and Pakistan.13
- Threat Actor Analysis:
- Identified Actor(s): RASHTRIYA CYBER FORCE
- Profile & Context: “RASHTRIYA CYBER FORCE” is assessed to be an Indian hacktivist group, potentially operating within or closely affiliated with the broader “Indian Cyber Force” (ICF) ecosystem.3 ICF has established a pattern of conducting cyber operations, including Distributed Denial-of-Service (DDoS) attacks, website defacements, and claimed data leaks, against entities perceived as opposing Indian interests. Their targeting frequently focuses on organizations in Pakistan and other neighboring countries, often driven by Hindu nationalist ideologies or in response to specific geopolitical events.3 The Tactics, Techniques, and Procedures (TTPs) commonly associated with such groups typically involve exploiting relatively simple web application vulnerabilities or executing DDoS attacks, rather than engaging in sophisticated, state-level espionage.13 Telegram serves as a primary medium for announcing their activities and potentially recruiting members.3 This incident aligns with the established modus operandi of low-complexity, high-visibility cyber actions characteristic of the ongoing India-Pakistan cyber conflict, which contrasts with the more advanced espionage operations conducted by state-sponsored groups like Pakistan’s Transparent Tribe (APT36).9 While sometimes characterized as “amateur” 3, these hacktivist actions actively contribute to the cyber dimension of regional tensions.
- Evidence & Sources:
- Published URL: https://t.me/indian_rcf/52
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4e3f5097-e86a-4c42-ac57-b72145474b7a.png
Incident 2: Alleged sale of unauthorized access to INTERPOL IP Crime Investigators College
- Incident Title: Alleged sale of unauthorized access to INTERPOL IP Crime Investigators College
- Date Reported: 2025-04-27T13:24:03Z
- Category: Initial Access
- Victim Details:
- Organization: international ip crime investigators college (IIPCIC)
- Industry: Education (Law Enforcement affiliated)
- Country: France (Presumed based on Interpol HQ, portal may have broader scope)
- Site: college.iipcic.org
- Incident Summary & Analysis: The threat actor identified as “xsskiller” is reportedly offering unauthorized access for sale to the International IP Crime Investigators College (IIPCIC) portal via the “darkforums.st” underground forum. The listing specifies that the access pertains to a “Colombian panel” within the portal. Given IIPCIC’s affiliation with INTERPOL, this represents a potentially high-impact sale targeting infrastructure used for international law enforcement training, specifically related to intellectual property crime. This activity is classified as Initial Access Brokerage (IAB), where compromised access is sold to other malicious actors.
- Threat Actor Analysis:
- Identified Actor(s): xsskiller
- Profile & Context: The alias “xsskiller,” while potentially hinting at expertise in Cross-Site Scripting (XSS) vulnerabilities 31, is currently engaged in activities typical of an Initial Access Broker (IAB). IABs specialize in compromising systems and networks – often through methods like phishing, exploiting vulnerabilities, or using credentials stolen via infostealer malware – and then monetizing this access by selling it on dark web forums.1 Buyers may then use this access for various malicious purposes, including ransomware deployment, data theft, or espionage. Specific intelligence on “xsskiller” is limited in the available data, suggesting they may be a relatively new or less prominent actor. However, their concurrent offering of access to multiple Colombian government platforms (refer to Incident 5) indicates a possible operational focus or specialization in compromising entities within Colombia or the broader Latin American region. The specific mention of a “Colombian panel” within the IIPCIC access offering further supports this potential regional targeting. Offering access to an Interpol-affiliated entity is notable for its audacity and suggests the perceived high value of such access to potential buyers in the cybercrime ecosystem.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Selling-Access-to-colombian-interpol-college-panel
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f0814b19-b5b5-4061-8527-5cb1b948e42c.png
Incident 3: Alleged database sale of Secure Agent Leads
- Incident Title: Alleged database sale of Secure Agent Leads
- Date Reported: 2025-04-27T13:17:23Z
- Category: Data Breach
- Victim Details:
- Organization: secure agent leads
- Industry: Insurance
- Country: USA
- Site: secureagentleads.com
- Incident Summary & Analysis: The threat actor “RonyKingSourcingINC” claims to be selling a database allegedly exfiltrated from Secure Agent Leads, a US-based company operating in the insurance sector. The post, located on the XSS.is forum, advertises a dataset containing 634,302 records. The compromised information reportedly includes sensitive business and contact details such as Office365 emails, business IDs, names, addresses, phone/fax numbers, websites, contact names, employee counts, sales figures, and industry classification codes (SIC and NAICS). Such data is valuable for targeted phishing, business email compromise (BEC) schemes, corporate espionage, and other forms of fraud.
- Threat Actor Analysis:
- Identified Actor(s): RonyKingSourcingINC
- Profile & Context: Specific threat intelligence regarding the actor “RonyKingSourcingINC” is not available in the provided materials. However, their activity – selling a large database containing corporate and contact information on a known cybercrime forum (XSS.is) – places them within the category of data brokers or actors involved in data breaches.34 The alias itself might suggest involvement in sourcing or lead generation, potentially indicating an insider threat or compromise of a business involved in data aggregation or sales intelligence, although this is speculative. The platform used, XSS.is, is a well-established Russian-language forum frequented by cybercriminals for trading stolen data, malware, and exploits.34 The actor is monetizing compromised business intelligence data within this underground economy.
- Evidence & Sources:
- Published URL: https://xss.is/threads/136766/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d2466497-3282-49fd-89b8-6758956514d7.png
Incident 4: Alleged sale of access to government emails from multiple countries
- Incident Title: Alleged sale of access to government emails from multiple countries
- Date Reported: 2025-04-27T12:47:52Z
- Category: Initial Access
- Victim Details:
- Organization: Multiple Govt Entities
- Industry: Government Administration
- Country: Brazil, India, Ukraine, Germany, Spain, United Kingdom, Thailand, and others.
- Site: N/A
- Incident Summary & Analysis: An actor using the alias “combolists” is advertising the sale of access to government emails, government portals, and Open Source Intelligence (OSINT) API keys originating from a diverse range of countries. The offering was posted on the “darkforums.st” underground marketplace. This represents a significant potential compromise of sensitive government communications and data access across multiple nations, indicative of widespread credential compromise or system intrusions.
- Threat Actor Analysis:
- Identified Actor(s): combolists
- Profile & Context: The alias “combolists” directly refers to compilations of usernames and passwords, often aggregated from numerous data breaches and infostealer logs.36 These lists are primarily used for credential stuffing attacks, where attackers automate attempts to log into various online services using the leaked credentials, exploiting password reuse.37 The actor “combolists” is likely leveraging access gained through such methods – potentially using large-scale credential stuffing campaigns against government login portals or obtaining credentials from infostealer malware logs – to monetize the resulting access.36 Selling access to government emails, portals, and especially OSINT API keys (which provide programmatic access to potentially sensitive data) across multiple countries suggests a broad, opportunistic approach fueled by the availability of compromised credentials rather than highly targeted intrusions against specific agencies. The use of “darkforums.st” aligns with platforms where such illicit access is commonly traded.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Selling-selling-gov-mails-and-portals-and-osint-api-keys
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/dd88ce61-2f1f-41ab-b95a-0b71275922a1.png
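The "combolists" write-up above describes credential stuffing: one source replaying leaked username/password pairs against many distinct accounts and succeeding wherever a password was reused. The following detector is an added example (not part of this report or of any vendor's tooling) that flags that pattern in a portal's authentication log; the log format, field names, thresholds and all log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source, 203.0.113.7,
# cycles through ten different accounts in a few seconds and lands one success:
# the signature of a combolist being replayed. 198.51.100.9 is a single user
# fumbling their own password, which must not be flagged.
SAMPLE_LOG = """\
2025-04-27T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2025-04-27T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2025-04-27T08:00:02Z src=203.0.113.7 user=carol result=FAIL
2025-04-27T08:00:03Z src=203.0.113.7 user=dave result=FAIL
2025-04-27T08:00:03Z src=203.0.113.7 user=erin result=FAIL
2025-04-27T08:00:04Z src=203.0.113.7 user=frank result=SUCCESS
2025-04-27T08:00:05Z src=203.0.113.7 user=grace result=FAIL
2025-04-27T08:00:05Z src=203.0.113.7 user=heidi result=FAIL
2025-04-27T08:00:06Z src=203.0.113.7 user=ivan result=FAIL
2025-04-27T08:00:06Z src=203.0.113.7 user=judy result=FAIL
2025-04-27T08:10:00Z src=198.51.100.9 user=alice result=FAIL
2025-04-27T08:10:05Z src=198.51.100.9 user=alice result=FAIL
2025-04-27T08:10:09Z src=198.51.100.9 user=alice result=SUCCESS
2025-04-27T09:00:00Z src=192.0.2.44 user=mallory result=SUCCESS
"""

# Assumed tuning values: a stuffing run touches many accounts from one source in a
# short window and fails most of the time (stolen passwords are mostly stale).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 8
MIN_FAIL_RATIO = 0.8


def parse_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict (assumed format)."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": fields["src"],
        "user": fields["user"],
        "ok": fields["result"] == "SUCCESS",
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_stuffing(events, window=WINDOW, min_users=MIN_DISTINCT_USERS,
                    min_fail_ratio=MIN_FAIL_RATIO):
    """Return one alert per source whose sliding window shows many distinct
    accounts with a high failure ratio; 'compromised' lists accounts that
    succeeded inside that window and should be force-reset."""
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(1 for e in win if not e["ok"])
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                candidate = {
                    "src": src,
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "compromised": sorted(e["user"] for e in win if e["ok"]),
                }
                # Keep the widest window seen for this source.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

A single-account brute force (one user, many failures) is a different pattern and is deliberately not matched here; pair this with per-account lockout or rate limiting to cover it.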
Incident 5: Alleged sale of access to Multiple Colombian Government sites
- Incident Title: Alleged sale of access to Multiple Colombian Government sites
- Date Reported: 2025-04-27T12:41:09Z
- Category: Initial Access
- Victim Details:
- Organization: office of the ombudsman (Defensoría del Pueblo), Superintendency of Surveillance and Private Security (Superintendencia de Vigilancia y Seguridad Privada), National Police of Colombia (Policía Nacional de Colombia – SINCO portal)
- Industry: Government Administration
- Country: Colombia
- Site: campusvirtual.defensoria.gov.co (and others)
- Incident Summary & Analysis: The threat actor “xsskiller” claims to be selling access credentials (“worker accesses”) linked to several Colombian government platforms. The specific entities mentioned are the Office of the Ombudsman, the Superintendency of Surveillance and Private Security, and the SINCO portal of the National Police. This offering, posted on “darkforums.st,” provides potential buyers with footholds into multiple sensitive government systems within Colombia.
- Threat Actor Analysis:
- Identified Actor(s): xsskiller
- Profile & Context: This is the second observed Initial Access Brokerage (IAB) activity by “xsskiller” within this reporting period, following the alleged sale of access to the Interpol-affiliated IIPCIC portal (Incident 2). Both incidents involve access related to Colombian entities and were posted on the same forum (“darkforums.st”). This strengthens the assessment that “xsskiller” may specialize in compromising Colombian targets or have significant success operating in that region. Selling “worker accesses” implies the compromise of employee credentials, likely obtained through phishing, malware (infostealers), or exploitation of vulnerabilities in the targeted government portals. The simultaneous offering of access to multiple distinct government agencies suggests either a widespread campaign targeting Colombian government employees or successful intrusions into several different systems.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Selling-Selling-workers-accesses-to-gov-co
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/0844923a-ffad-40ac-922d-d40fcf276c8f.png
Incident 6: Mr Hamza claims to target the USA sites
- Incident Title: Mr Hamza claims to target the USA sites
- Date Reported: 2025-04-27T12:34:05Z
- Category: Alert
- Victim Details:
- Organization: US Govt/Military
- Industry: Government Administration
- Country: USA
- Site: N/A
- Incident Summary & Analysis: The threat actor “Mr Hamza” has announced via Telegram a planned cyber operation, designated “Op_Usa,” targeting the United States. The post indicates a coordinated effort involving two other groups, “Vortex” and “Arab Ghosts Hackers.” Declared targets include US ministries and sensitive security and military sites. This alert signals intent by a known hacktivist collective to conduct disruptive activities against high-profile US entities.
- Threat Actor Analysis:
- Identified Actor(s): Mr Hamza (in coordination with Vortex, Arab Ghosts Hackers)
- Profile & Context: “Mr. Hamza” is a recognized hacktivist entity, likely of Moroccan origin, active since at least October 2024.8 Their primary tactics involve Distributed Denial-of-Service (DDoS) attacks and claiming data leaks, often targeting government institutions, critical infrastructure (including energy and nuclear facilities), financial services, and military sectors in Western nations and countries perceived as supporting Israel.8 Their motivations are strongly geopolitical and ideological, with a pro-Palestinian and anti-Western stance.8 Mr. Hamza is known for collaborating with other hacktivist groups, such as Holy League, NoName057(16), and Z-Pentest, often coordinating via Telegram.8 This announced “Op_Usa,” involving collaboration with “Vortex” and “Arab Ghosts Hackers” (groups not detailed in provided materials), fits their established pattern of joint operations aimed at amplifying impact.8 While their claims sometimes involve exaggeration, their focus on DDoS against critical targets poses a genuine disruptive threat.8 The specific targeting of “sensitive security, and military sites” warrants attention, although DDoS remains the most probable attack vector.
- Evidence & Sources:
- Published URL: https://t.me/blackopmrhamza9/6
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/38f496c2-0e82-4023-870a-4903291c0ec2.png
Incident 7: Alleged sale of Android RCE exploit 0-day
- Incident Title: Alleged sale of Android RCE exploit 0-day
- Date Reported: 2025-04-27T12:18:12Z
- Category: Vulnerability
- Victim Details:
- Organization: N/A (Android OS)
- Industry: N/A
- Country: N/A
- Site: N/A
- Incident Summary & Analysis: A threat actor using the alias “APTLab” is advertising an alleged zero-day Remote Code Execution (RCE) exploit for sale on the “darkforums.st” marketplace. The exploit purportedly targets Android operating system versions 15 and below. If legitimate, this vulnerability could allow an attacker to execute arbitrary code on a vulnerable Android device remotely, potentially leading to full device compromise.
- Threat Actor Analysis:
- Identified Actor(s): APTLab
- Profile & Context: No specific information on the actor “APTLab” is available in the provided research. The alias itself may be an attempt to imply association with Advanced Persistent Threat (APT) groups or sophisticated capabilities, a common tactic in underground forums. The activity involves the sale of a high-impact exploit (0-day RCE for a major mobile OS) on a dark web forum. This aligns with the market for vulnerabilities and exploits where actors trade tools that can be used for espionage, cybercrime, or other malicious activities.21 Similar sales of exploits targeting widely used platforms like Fortinet firewalls have been observed on such forums, sometimes preceding or coinciding with active exploitation campaigns.21 The credibility of the 0-day claim requires verification, but the offering itself highlights the ongoing efforts by malicious actors to find and weaponize vulnerabilities in ubiquitous mobile operating systems.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Selling-Android-RCE-Exploit-0day
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/886f77fe-bfe8-40e3-b727-c83422c06c29.png
Incident 8: KLINGER Italy falls victim to Gunra Ransomware
- Incident Title: KLINGER Italy falls victim to Gunra Ransomware
- Date Reported: 2025-04-27T11:57:35Z
- Category: Ransomware
- Victim Details:
- Organization: klinger italy
- Industry: Machinery Manufacturing
- Country: Italy
- Site: klinger.it
- Incident Summary & Analysis: The Gunra ransomware group has listed KLINGER Italy, a machinery manufacturer, as a victim on its Tor-based data leak site (DLS). The group claims to have exfiltrated organizational data and threatens to publish it by May 3, 2025, if their demands are not met. This represents a typical double extortion ransomware attack.
- Threat Actor Analysis:
- Identified Actor(s): Gunra
- Profile & Context: Gunra is identified as an active ransomware operation as of April 2025, utilizing a Tor network presence for its leak site (gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion) and potentially a chat/negotiation site (apdk7hpbbquomgoxbhutegxco6btrz2ara3x2weqnx65tt45ba3sclyd.onion).18 Available public information on Gunra appears limited, with some sources noting the entry is “under construction,” suggesting it might be a newer or less-documented group.18 Ransomware operations frequently emerge, operate for a period, and sometimes rebrand or disappear.47 Their modus operandi aligns with common Ransomware-as-a-Service (RaaS) or independent group tactics, including data exfiltration prior to encryption and leveraging a DLS for extortion.14 Manufacturing is a commonly targeted sector by ransomware groups.14 The lack of detailed public profiles suggests Gunra is not currently among the most dominant players like RansomHub or the remnants of LockBit 47, but represents the ongoing proliferation of ransomware threats.
- Evidence & Sources:
- Published URL: http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion/klinger/index.php?p=
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/adbe3a55-3d9f-4772-a277-83f0b9070fa5.png
Incident 9: Lulzsec Arabs targets the website of Ram Aluminium & Glass
- Incident Title: Lulzsec Arabs targets the website of Ram Aluminium & Glass
- Date Reported: 2025-04-27T11:18:15Z
- Category: Defacement
- Victim Details:
- Organization: ram aluminium & glass
- Industry: Manufacturing
- Country: India
- Site: ramaluminumglass.com
- Incident Summary & Analysis: The hacktivist group “Lulzsec Arabs” claims to have defaced the website of Ram Aluminium & Glass, an Indian manufacturing company. The claim was made via Telegram. Website defacement is a common tactic used by hacktivist groups to gain attention, spread a message, or cause reputational damage to the target.
- Threat Actor Analysis:
- Identified Actor(s): Lulzsec Arabs
- Profile & Context: The name “Lulzsec Arabs” evokes the original LulzSec (Lulz Security) group, notorious for high-profile hacks around 2011, often motivated by “lulz” (amusement) but also involving hacktivism.4 While the original LulzSec largely disbanded after key arrests 4, various groups have since used the name or variations, often adopting hacktivist stances. “Lulzsec Arabs” likely represents one such successor or inspired group, focusing on targets relevant to Arab or Middle Eastern political interests, or potentially broader anti-Western/anti-Israel sentiments common among regional hacktivist collectives.52 Their TTPs likely involve exploiting common web vulnerabilities for defacement, similar to other hacktivist groups operating in regions like the Middle East or South Asia.52 Targeting an Indian company could be related to various geopolitical factors or simply opportunistic targeting of a vulnerable website.
- Evidence & Sources:
- Published URL: https://t.me/LulzsecArabs/37
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/70625db8-c296-4047-a5c1-5889d9a05df6.png
Incident 10: Alleged sale of access to an unidentified Portugal document management company
- Incident Title: Alleged sale of access to an unidentified Portugal document management company
- Date Reported: 2025-04-27T10:21:04Z
- Category: Initial Access
- Victim Details:
- Organization: Unidentified
- Industry: Document Management
- Country: Portugal
- Site: N/A
- Incident Summary & Analysis: The threat actor “Rivka” is offering Remote Desktop Protocol (RDP) access with domain user privileges to an unnamed document management company based in Portugal. The sale is advertised on the “ramp4u.io” forum, a known marketplace for illicit access. This provides potential buyers with a foothold into the company’s network.
- Threat Actor Analysis:
- Identified Actor(s): Rivka
- Profile & Context: “Rivka” appears to be operating as an Initial Access Broker (IAB), specializing in selling RDP access. This is evidenced by this incident and the concurrent sale of RDP access to an Italian IT company (Incident 11), both posted on the “ramp4u.io” forum. RDP remains a highly sought-after access vector, frequently exploited by ransomware groups and other actors for lateral movement and deploying payloads.17 Forums like “ramp4u.io” facilitate the connection between IABs like Rivka and actors seeking such access. No further specific profile information for “Rivka” is available from the provided materials, but their activity clearly places them within the cybercrime supply chain, providing entry points for subsequent attacks.
- Evidence & Sources:
- Published URL: https://ramp4u.io/threads/portugal-document-management-corp.3032/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/63060826-c201-4207-b322-8c1a5c0739db.png
Incident 11: Alleged sale of RDP access to Italy Company
- Incident Title: Alleged sale of RDP access to Italy Company
- Date Reported: 2025-04-27T10:07:14Z
- Category: Initial Access
- Victim Details:
- Organization: Unidentified
- Industry: Information Technology (IT) Services
- Country: Italy
- Site: N/A
- Incident Summary & Analysis: Threat actor “Rivka” is advertising the sale of Remote Desktop Protocol (RDP) access, granting domain user rights, to an unspecified IT company located in Italy. This offering was posted on the “ramp4u.io” forum. Similar to the previous incident involving this actor, this provides an initial foothold for potential buyers into an Italian IT services firm.
- Threat Actor Analysis:
- Identified Actor(s): Rivka
- Profile & Context: This incident further solidifies the assessment of “Rivka” as an Initial Access Broker (IAB) specializing in RDP access, operating on the “ramp4u.io” marketplace. Their targeting appears opportunistic across different European countries (Portugal and Italy) and sectors (Document Management and IT Services). The sale of RDP access, particularly with domain user rights, is a common commodity in underground forums, enabling buyers to bypass initial intrusion efforts and proceed directly to internal reconnaissance, lateral movement, or payload deployment.17
- Evidence & Sources:
- Published URL: https://ramp4u.io/threads/italy-access.3031/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/37a1c64b-d391-462c-8b8d-4daf48e692a2.png
Incident 12: Alleged data leak of Indian Government Employees
- Incident Title: Alleged data leak of Indian Government Employees
- Date Reported: 2025-04-27T09:54:22Z
- Category: Data Leak
- Victim Details:
- Organization: Indian Govt Employees (incl. Army)
- Industry: Government Administration
- Country: India
- Site: N/A
- Incident Summary & Analysis: A threat actor using the alias “h4ck3r” claims on the “darkforums.st” platform to have leaked a document containing Personally Identifiable Information (PII) of Indian government employees. The claim specifies that personnel from the Indian Army and various other government sectors are included in the leak. Such data leaks pose significant risks for espionage, identity theft, and targeted attacks against government personnel.
- Threat Actor Analysis:
- Identified Actor(s): h4ck3r
- Profile & Context: The alias “h4ck3r” is generic, making specific attribution difficult without further indicators. However, the act of leaking alleged Indian government employee data, including military personnel, on a dark web forum aligns with several potential motivations. It could be politically motivated hacktivism, potentially linked to regional conflicts (e.g., India-Pakistan tensions 13 or India-China tensions 57), aiming to embarrass the government or expose sensitive information. Alternatively, it could be financially motivated cybercrime, where the data might be offered for sale later or used for extortion.58 Espionage campaigns targeting Indian government and defense sectors are known, sometimes using modified open-source stealers or phishing attacks.57 The platform “darkforums.st” hosts various illicit activities. Without more context on “h4ck3r,” assessing the exact nature and origin of the leak is challenging, but the potential impact on national security and individual safety is high.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Document-Indian-Government-Personel-Data-Leaked
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d2be2fa3-c696-42f4-a6ab-0feea95737e6.png
Incident 13: 7 Proxies targets the website of Peshawar Public School, Pakistan
- Incident Title: 7 Proxies targets the website of Peshawar Public School, Pakistan
- Date Reported: 2025-04-27T09:17:46Z
- Category: Defacement
- Victim Details:
- Organization: Peshawar Public School
- Industry: Education
- Country: Pakistan
- Site: pps.edu.pk
- Incident Summary & Analysis: The hacktivist group “7 Proxies” claims responsibility for defacing the website of Peshawar Public School in Pakistan. The claim was posted on Telegram and includes a link to a mirror site (defacer.id) archiving the defacement. This action is typical of hacktivist groups seeking to disrupt websites and gain visibility for their cause or group.
- Threat Actor Analysis:
- Identified Actor(s): 7 Proxies
- Profile & Context: “7 Proxies” appears to be an active hacktivist group involved in multiple defacement incidents within this reporting period (See also Incidents 18, 19, 20 targeting Bangladeshi sites). Their TTPs primarily involve website defacement, a common tactic for groups motivated by political or ideological agendas.5 The use of Telegram for announcements and mirror sites like defacer.id for proof is standard practice in the hacktivist community. Targeting educational institutions in Pakistan could be linked to regional conflicts (e.g., India-Pakistan) or other political motivations specific to the group’s agenda, which is not clearly defined in the available data. The name “7 Proxies” might allude to the use of proxy servers for anonymity, a common technique 40, but doesn’t reveal specific affiliations. Their activity across Pakistan and Bangladesh suggests a potential focus on South Asian targets.
- Evidence & Sources:
- Published URL: https://t.me/werfsocity/276
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b06bcdbd-e827-4249-89b6-b21818089288.png
- Mirror: https://defacer.id/mirror/id/156373
Incident 14: Alleged database leak of Ascent Pharmaceuticals
- Incident Title: Alleged database leak of Ascent Pharmaceuticals
- Date Reported: 2025-04-27T09:10:09Z
- Category: Data Breach
- Victim Details:
- Organization: Ascent Pharmaceuticals
- Industry: Healthcare & Pharmaceuticals
- Country: USA
- Site: ascentpharm.com
- Incident Summary & Analysis: A threat actor using the alias “Randy72” claims on the “leakbase.io” forum to have compromised Ascent Pharmaceuticals, a US-based company. The actor alleges the exfiltration of approximately 4 Terabytes (TB) of data. The claimed compromised data is extensive and highly sensitive, reportedly including financial reports, contracts, test results, employee PII (passport/license scans, SSNs, tax forms), banking details, and more. A breach of this scale involving a pharmaceutical company could have severe consequences, including regulatory fines, intellectual property loss, and significant risk to employee and potentially patient privacy.
- Threat Actor Analysis:
- Identified Actor(s): Randy72
- Profile & Context: Specific intelligence on “Randy72” is not available in the provided snippets. Their activity involves posting a major data breach claim on “leakbase.io,” a forum likely dedicated to sharing or selling leaked data. This positions “Randy72” as either the direct perpetrator of the breach or a broker handling the data. The sheer volume (4TB) and sensitivity of the claimed data (financials, IP, extensive PII including SSNs) suggest a potentially sophisticated intrusion or access to poorly secured, large-scale data repositories. The healthcare and pharmaceutical sector is a frequent target for both financially motivated actors (ransomware, data theft for sale) and state-sponsored espionage groups seeking intellectual property.14 Without further information on “Randy72,” the exact motivation remains unclear, but the potential impact is significant.
- Evidence & Sources:
- Published URL: https://leakbase.io/threads/ascent-pharmaceuticals.38203/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/edc4a4d5-1c9b-4e67-bcf3-478982ee1323.png
Incident 15: Alleged data leak of Quality Used Transmissions
- Incident Title: Alleged data leak of Quality Used Transmissions
- Date Reported: 2025-04-27T08:26:45Z
- Category: Data Breach
- Victim Details:
- Organization: Quality Used Transmissions
- Industry: Automotive
- Country: USA
- Site: qualityusedtransmissions.com
- Incident Summary & Analysis: The threat actor “Nick Diesel” claims on the XSS.is forum to have leaked data from Quality Used Transmissions, a US automotive parts company. The alleged leak reportedly contains information on 7.7 million unique car owners, including details about their vehicles and spare part requirements. Additionally, a smaller collection of databases in CSV format is mentioned. This data could be valuable for targeted marketing, phishing, vehicle theft rings, or identity theft.
- Threat Actor Analysis:
- Identified Actor(s): Nick Diesel
- Profile & Context: This is the second major data leak claim attributed to “Nick Diesel” on the XSS.is forum within this reporting period (following Incident 16, METEOR). XSS.is is a prominent Russian-language cybercrime forum.34 “Nick Diesel” appears to be actively involved in acquiring and leaking or selling large datasets pertaining to US individuals and companies across different sectors (Automotive, Marketing). The data types claimed (car owner details, PII) are consistent with information valuable in underground markets. Their consistent activity suggests they are either a prolific intruder or a data broker with access to significant amounts of compromised information.
- Evidence & Sources:
- Published URL: https://xss.is/threads/136758/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2b45a37d-4057-4cae-b2b5-e5b8b5295654.png
Incident 16: Alleged database leak of METEOR
- Incident Title: Alleged database leak of METEOR
- Date Reported: 2025-04-27T07:52:01Z
- Category: Data Breach
- Victim Details:
- Organization: METEOR
- Industry: Marketing, Advertising & Sales
- Country: USA
- Site: meteorgo.com
- Incident Summary & Analysis: Threat actor “Nick Diesel” posted on the XSS.is forum, claiming to have leaked a database from METEOR, a US-based company in the Marketing, Advertising & Sales industry. The dataset is alleged to be substantial and highly sensitive, containing 400,000 unique Social Security Numbers (SSNs), 4 million unique email addresses, and 5 million unique phone numbers. Other exposed fields reportedly include full names, addresses, city/state/zip codes, vendor information, and timestamps. Such a comprehensive PII leak poses a severe risk of identity theft, widespread phishing campaigns, and other fraudulent activities targeting the affected individuals.
- Threat Actor Analysis:
- Identified Actor(s): Nick Diesel
- Profile & Context: As noted in Incident 15, “Nick Diesel” is actively posting large-scale data leaks concerning US entities on the XSS.is cybercrime forum.34 This incident, involving millions of records including SSNs, further establishes “Nick Diesel” as a significant source or broker of highly sensitive PII data within the cybercrime ecosystem. The targeting of a marketing/advertising company suggests a potential compromise of a large customer or lead database. The actor’s ability to obtain and offer such extensive datasets highlights the ongoing threat of mass PII exposure from commercial organizations handling consumer data.
- Evidence & Sources:
- Published URL: https://xss.is/threads/136761/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/1ffc5ac2-4545-4b93-b0e4-9ed143ac5347.png
Incident 17: DCG targets the website of Unite Corporation and Resources
- Incident Title: DCG targets the website of Unite Corporation and Resources
- Date Reported: 2025-04-27T06:41:12Z
- Category: Defacement
- Victim Details:
- Organization: Unite Corporation and Resources
- Industry: Mechanical or Industrial Engineering
- Country: India
- Site: unitecorp.in
- Incident Summary & Analysis: The group “DCG (Dark Cyber Gang)” claims via Telegram to have defaced the website of Unite Corporation and Resources, an Indian company in the industrial engineering sector. This is another instance of hacktivist activity targeting an Indian entity.
- Threat Actor Analysis:
- Identified Actor(s): DCG (Dark Cyber Gang)
- Profile & Context: Specific information about “DCG (Dark Cyber Gang)” is not present in the provided snippets. However, their name and actions (website defacement claimed via Telegram) fit the profile of a hacktivist group.5 The term “Gang” is sometimes used by hacktivist or cybercrime collectives.5 Targeting an Indian company could stem from various motivations, including geopolitical tensions (e.g., India-Pakistan), internal political issues, or broader anti-establishment sentiments. Without more context, their specific agenda is unclear, but the method (defacement) is typical for groups seeking visibility and disruption.3
- Evidence & Sources:
- Published URL: https://t.me/c/2546752362/9
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/38633c30-fbaa-4e45-9ac4-96b37bc582f2.png
Incident 18: 7Proxies targets the website of Feni District Council
- Incident Title: 7Proxies targets the website of Feni District Council
- Date Reported: 2025-04-27T05:57:24Z
- Category: Defacement
- Victim Details:
- Organization: Feni District Council
- Industry: Government & Public Sector
- Country: Bangladesh
- Site: zpfeni.gov.bd
- Incident Summary & Analysis: The hacktivist group “7Proxies” claims to have defaced the website of the Feni District Council, a government entity in Bangladesh. The claim, made on Telegram, includes a proof-of-concept (POC) link to a defacement archive (ownzyou.com). This marks the group’s second reported defacement in this period, shifting target country from Pakistan (Incident 13) to Bangladesh.
- Threat Actor Analysis:
- Identified Actor(s): 7Proxies
- Profile & Context: As established in Incident 13, “7Proxies” is an active hacktivist group primarily engaged in website defacements, using Telegram for announcements and mirror sites for proof.5 This attack on a Bangladeshi government site, along with subsequent attacks on other Bangladeshi entities (Incidents 19, 20), confirms their operational focus extends to Bangladesh. The motivations could be varied, potentially linked to regional politics, specific grievances against the Bangladeshi government, or broader hacktivist campaigns targeting South Asian nations.3
- Evidence & Sources:
- Published URL: https://t.me/werfsocity/269
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/77a580fb-14d8-4ed2-888d-ab22cb257349.png
- POC: https://ownzyou.com/zone/263669
Incident 19: 7Proxies targets the website of Grameen Caledonian College of Nursing
- Incident Title: 7Proxies targets the website of Grameen Caledonian College of Nursing
- Date Reported: 2025-04-27T05:54:36Z
- Category: Defacement
- Victim Details:
- Organization: Grameen Caledonian College of Nursing
- Industry: Education
- Country: Bangladesh
- Site: gccn.ac.bd
- Incident Summary & Analysis: Continuing their activity in Bangladesh, “7Proxies” claimed via Telegram to have defaced the website of the Grameen Caledonian College of Nursing. A proof-of-concept (POC) link to a defacement archive (ownzyou.com) was provided.
- Threat Actor Analysis:
- Identified Actor(s): 7Proxies
- Profile & Context: This is the third defacement claimed by “7Proxies” in this report, and the second targeting Bangladesh. Attacking an educational institution aligns with common hacktivist targeting patterns.3 The group demonstrates consistent use of Telegram and defacement archives for their claims, reinforcing their identity as a typical hacktivist outfit operating in South Asia.5
- Evidence & Sources:
- Published URL: https://t.me/werfsocity/270
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/77163448-dfd2-457a-9846-44b9404bdc9b.png
- POC: https://ownzyou.com/zone/263671
Incident 20: 7 Proxies targets the website of Financial Management Academy – FIMA
- Incident Title: 7 Proxies targets the website of Financial Management Academy – FIMA
- Date Reported: 2025-04-27T05:46:52Z
- Category: Defacement
- Victim Details:
- Organization: Financial Management Academy – FIMA
- Industry: Government Administration
- Country: Bangladesh
- Site: fima.gov.bd
- Incident Summary & Analysis: The hacktivist group “7 Proxies” claimed another defacement via Telegram, this time targeting the website of the Financial Management Academy (FIMA), a government administration entity in Bangladesh. A mirror link (ownzyou.com) was provided as proof.
- Threat Actor Analysis:
- Identified Actor(s): 7 Proxies
- Profile & Context: This marks the fourth claimed defacement by “7 Proxies” in this 24-hour period, and the third consecutive attack targeting Bangladesh, spanning government and educational sectors. The group exhibits a clear operational tempo and focus on disrupting Bangladeshi web presences through defacement.5 Their consistent methodology suggests a coordinated campaign against targets in the region.
- Evidence & Sources:
- Published URL: https://t.me/werfsocity/266
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2df9363a-06e3-44ed-bee4-3ca25e947d3d.png
- Mirror: https://ownzyou.com/zone/263669 (Note: Same mirror link as Incident 18)
Incident 21: Alleged data breach of Grupo Intercorp
- Incident Title: Alleged data breach of Grupo Intercorp
- Date Reported: 2025-04-27T05:46:50Z
- Category: Data Breach
- Victim Details:
- Organization: Grupo Intercorp
- Industry: Retail Industry
- Country: Peru
- Site: intercorp.com.pe
- Incident Summary & Analysis: Threat actor “Gatito_FBI_Nz” claims on the “darkforums.st” platform to be selling data leaked from Grupo Intercorp, a major Peruvian holding company with significant retail operations (PlazaVea, Vivanda, Promart, RealPlaza). The leaked data allegedly includes images and PII of customers and employees involved in online order pickups, specifically ID photos. The actor offers an initial 721 MB package but claims the full dataset spans 80 GB, covering records from March 2021 to March 2025. This type of breach, exposing visual identification and PII related to retail transactions, poses serious risks for identity fraud and physical security.
- Threat Actor Analysis:
- Identified Actor(s): Gatito_FBI_Nz
- Profile & Context: No specific profile for “Gatito_FBI_Nz” is available in the provided data. The alias itself is unusual (“Gatito” means kitten in Spanish, combined with “FBI”). Their activity involves selling a large, sensitive dataset allegedly from a major Peruvian company on a dark web forum, characteristic of data breach actors or brokers.67 The claim of possessing 80 GB of data spanning four years, including ID photos, suggests a significant intrusion or long-term access to systems handling customer order fulfillment and verification processes. The retail industry is a common target for data breaches due to the large volumes of customer PII and payment information processed.59 The actor is leveraging the dark web marketplace to monetize this potentially extensive data compromise.55
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-GROUP-INTERCORP-RETAIL-PERU-LEAK-DATABASE-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/0aecf04b-4562-4b0f-a241-3ac610996f6d.png
Incident 22: Alleged data sale of KSJOB Korea
- Incident Title: Alleged data sale of KSJOB Korea
- Date Reported: 2025-04-27T03:55:51Z
- Category: Data Leak
- Victim Details:
- Organization: KSJOB Korea
- Industry: Unspecified (likely Employment/Recruitment)
- Country: South Korea
- Site: N/A
- Incident Summary & Analysis: A threat actor using the alias “Thales” is advertising a database allegedly from “KSJOB Korea” for sale on the Exploit.in forum. The claimed data is exceptionally sensitive and comprehensive, reportedly including full names, addresses, dates of birth, social security numbers (SSNs), phone numbers, emails, passwords, face/signature images, job history, banking details, school/military info, family lists, insurance/education records, and financial receipts. The actor suggests the data is suitable for Know Your Customer (KYC) purposes, implying its value for identity verification fraud.
- Threat Actor Analysis:
- Identified Actor(s): Thales
- Profile & Context: The alias “Thales” is notable as it is also the name of a major multinational defense, aerospace, and security company.57 It’s highly unlikely the actor is affiliated with the legitimate Thales Group; aliases are often chosen for misdirection or perceived prestige. This actor is operating on Exploit.in, a prominent Russian-language hacking forum known for hosting sophisticated actors and trading high-value data, malware, and access.1 The level of detail claimed in the KSJOB Korea leak (including SSNs, biometrics like face/signature images, extensive personal history) suggests a compromise of a highly sensitive database, potentially from an employment agency, HR platform, or government service. Actors on Exploit.in can range from individual criminals to affiliates of organized groups like FIN7 or TA505.35 Selling data suitable for KYC fraud indicates a clear financial motivation, targeting buyers involved in identity theft, financial fraud, or potentially state-sponsored actors seeking detailed personal information.
- Evidence & Sources:
- Published URL: https://forum.exploit.in/topic/258062/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b0d87c2c-4029-4030-a1da-f7640c3950ac.png
Incident 23: Alleged data sale of Albert Heijn
- Incident Title: Alleged data sale of Albert Heijn
- Date Reported: 2025-04-27T03:33:45Z
- Category: Data Breach
- Victim Details:
- Organization: Albert Heijn
- Industry: Retail Industry
- Country: Netherlands
- Site: ah.nl
- Incident Summary & Analysis: The threat actor “WantsMore1337” claims on the Exploit.in forum to be selling a database containing sensitive customer information from Albert Heijn, a major supermarket chain in the Netherlands. The leak allegedly comprises 135,000 records collected between April 1 and April 26, 2025. Exposed data reportedly includes full names, gender, addresses, emails, phone numbers, dates of birth, and bank account numbers of grocery shoppers.
- Threat Actor Analysis:
- Identified Actor(s): WantsMore1337
- Profile & Context: “WantsMore1337” is operating on the Exploit.in forum, a significant hub for cybercrime.1 Their activity involves selling recently acquired, sensitive customer data (including financial details like bank account numbers) from a major European retailer. This indicates financial motivation and the capability to breach or access systems holding valuable consumer PII and payment-related information. The timeframe specified (April 1-26, 2025) suggests a recent compromise or access to live transaction/customer data. Retailers are frequent targets due to the wealth of data they possess.59 Actors on Exploit.in are known to trade such databases for use in phishing, identity theft, and financial fraud.2 The alias “1337” (leetspeak for “elite”) is common in hacking circles, but provides little specific attribution.
- Evidence & Sources:
- Published URL: https://forum.exploit.in/topic/258080/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a265a49e-dbe7-4cfa-a4a2-9ee3f018d14c.png
Incident 24: Alleged sale of access to an unidentified Latin American (LATAM) insurance company
- Incident Title: Alleged sale of access to an unidentified Latin American (LATAM) insurance company
- Date Reported: 2025-04-27T03:05:37Z
- Category: Initial Access
- Victim Details:
- Organization: Unidentified
- Industry: Insurance
- Country: LATAM Region
- Site: N/A
- Incident Summary & Analysis: An actor using the alias “caustic” is offering initial access for sale to an insurance company located in Latin America. The post, found on the Exploit.in forum, highlights the target’s significant revenue (over $500 million) to emphasize its potential value to buyers. This is another instance of Initial Access Brokerage activity targeting a high-value sector.
- Threat Actor Analysis:
- Identified Actor(s): caustic
- Profile & Context: “caustic” is operating as an IAB on the Exploit.in forum.1 Their offering targets the insurance sector in Latin America, a region potentially attractive to actors interested in financial data or conducting ransomware attacks against organizations perceived as capable of paying large ransoms.56 The alias “caustic” could imply destructive intent, but their current activity is focused on selling access, which is a common financially motivated precursor to various types of attacks.56 Exploit.in hosts numerous IABs selling access obtained through various means, including vulnerability exploitation, phishing, or credential theft.1 Targeting a high-revenue company increases the potential sale price and attracts buyers interested in significant financial gain or espionage against major regional players.
- Evidence & Sources:
- Published URL: https://forum.exploit.in/topic/258057/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/fd017aaf-8311-4adf-bf25-8ed22b239d17.png
Incident 25: Diallog Telecommunications Corp falls victim to RALord Ransomware
- Incident Title: Diallog Telecommunications Corp falls victim to RALord Ransomware
- Date Reported: 2025-04-27T03:02:47Z
- Category: Ransomware
- Victim Details:
- Organization: Diallog Telecommunications Corp
- Industry: Network & Telecommunications
- Country: Canada
- Site: diallog.com
- Incident Summary & Analysis: The RALord ransomware group has claimed Diallog Telecommunications Corp, a Canadian provider, as a victim on their Tor-based data leak site. They allege the exfiltration of 50 GB of data and have set a deadline of 7-8 days for its publication, employing their standard double extortion strategy. Compromising a telecommunications company can be particularly impactful due to the critical nature of services and potential access to customer data or downstream networks.
- Threat Actor Analysis:
- Identified Actor(s): RALord
- Profile & Context: RALord is assessed as a relatively new but active ransomware operation, likely emerging in March 2025.15 It may operate as part of the NOVA RaaS platform or have connections to the older RAWorld/RAGroup.15 The group utilizes Rust-based ransomware (encrypting files with .RALord or .nova extensions) and maintains multiple Tor leak sites.15 Their business model includes RaaS (offering 85% profit share to affiliates), standalone encryptor sales, and data sales.15 A notable tactic is their detailed public reporting of victim security failures on their DLS to increase extortion pressure.15 RALord targets a wide array of sectors globally, including healthcare, education, IT, media, construction, agriculture, and telecommunications.15 Known communication channels include qTox, Session, and Jabber.15 Their TTPs likely involve exploiting CVEs, network penetration, and defense evasion techniques.15 This attack on a Canadian telecom fits their pattern of targeting diverse, potentially high-value organizations across different regions. The potential publication of detailed security failures for a telecom provider represents a significant reputational and operational risk for the victim.15
- Evidence & Sources:
- Published URL: http://ralordqe33mpufkpsr6zkdatktlu3t2uei4ught3sitxgtzfmqmbsuyd.onion/DIALLOG/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f956e8c5-ca36-4af0-8fa0-06535c4e3f92.png
Incident 26: Alleged sale of ScreenConnect panels
- Incident Title: Alleged sale of ScreenConnect panels
- Date Reported: 2025-04-27T03:00:01Z
- Category: Alert
- Victim Details:
- Organization: N/A (Tool Sale)
- Industry: N/A
- Country: N/A
- Site: N/A
- Incident Summary & Analysis: A threat actor named “Grand_Ceaser” is advertising the sale of illicit ScreenConnect panels on the Exploit.in forum. The actor promotes these panels as tools for large-scale remote device control with capabilities similar to Remote Access Trojans (RATs), emphasizing high uptime and abuse-resistant hosting. This offering facilitates the abuse of legitimate Remote Monitoring and Management (RMM) software for malicious purposes.
- Threat Actor Analysis:
- Identified Actor(s): Grand_Ceaser
- Profile & Context: “Grand_Ceaser” is operating on the Exploit.in forum, a known marketplace for cybercrime tools and services.1 They are selling access to or control of ScreenConnect infrastructure, likely either compromised instances or panels set up specifically for malicious use.23 ScreenConnect has been heavily targeted recently due to critical vulnerabilities (CVE-2024-1709, CVE-2024-1708) that allowed authentication bypass and remote code execution, leading to widespread exploitation by various threat actors, including ransomware groups like LockBit, Black Basta, and Bl00dy.24 “Grand_Ceaser’s” offering commoditizes this attack vector, providing buyers with ready-to-use infrastructure for controlling compromised endpoints, potentially bypassing the need for initial exploitation if the buyer can trick victims into installing a malicious ScreenConnect agent.23 The emphasis on abuse-resistant hosting suggests the infrastructure is set up on bulletproof hosting providers known for ignoring takedown requests.23 This sale lowers the barrier for actors seeking persistent remote access and control capabilities.
- Evidence & Sources:
- Published URL: https://forum.exploit.in/topic/258084/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/baaa1eab-deba-46e6-b362-245f48bcc74e.png
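The analysis above notes that ready-made ScreenConnect infrastructure lets abuse blend in with legitimate RMM traffic. One defensive check that still works is to compare the relay host each ScreenConnect client connects to against the organization's approved instances. The example below is added here and is not code from the report or from ConnectWise; it assumes (from publicly documented client behaviour, not from the report) that the client runs as ScreenConnect.ClientService.exe and carries its settings as a query-string argument in which `h=` is the relay host and `p=` the relay port, and the process-creation records and the approved host are constructed for illustration.

```python
"""Flag ScreenConnect client installs whose relay host is not an approved instance.

Added example, not part of the original report. Assumptions: the client service
is ScreenConnect.ClientService.exe (or the ClientSetup installer) and its
command line contains a query string where 'h=' is the relay host and 'p=' the
relay port. The approved host and all log records below are constructed.
"""
import re
from urllib.parse import parse_qs

# Hypothetical allowlist: the only ScreenConnect instance this organization runs.
APPROVED_RELAY_HOSTS = {"support.example-corp.com"}

CLIENT_IMAGES = {
    "screenconnect.clientservice.exe",
    "screenconnect.clientsetup.exe",
    "screenconnect.windowsclient.exe",
}

# Constructed process-creation records (endpoint, image path, command line).
SAMPLE_EVENTS = [
    {"host": "WS-0101",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\...\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.com&p=8041&s=0000-1111&k=ABC"'},
    {"host": "WS-0102",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f9f9f9f)\ScreenConnect.ClientService.exe",
     "cmdline": r'"C:\...\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay-placeholder.invalid&p=8041&s=2222-3333&k=XYZ"'},
    {"host": "WS-0103",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS-0104",
     "image": r"C:\Users\u\Downloads\ScreenConnect.ClientSetup.exe",
     "cmdline": r'ScreenConnect.ClientSetup.exe "?e=Access&y=Guest&h=RELAY-PLACEHOLDER.INVALID&p=443"'},
]

# The client's settings travel as a quoted "?k=v&k=v" argument; grab up to the closing quote.
QUERY_RE = re.compile(r'\?([^"\s]*)')


def extract_relay(cmdline):
    """Return (relay_host, relay_port) parsed from the command line, or None."""
    match = QUERY_RE.search(cmdline)
    if not match:
        return None
    params = parse_qs(match.group(1), keep_blank_values=True)
    host = params.get("h", [""])[0].strip().lower()
    if not host:
        return None
    port = params.get("p", ["8041"])[0]  # 8041 is the documented default relay port
    return host, port


def is_screenconnect_client(image_path):
    """True when the image file name is a known ScreenConnect client binary."""
    return image_path.rsplit("\\", 1)[-1].lower() in CLIENT_IMAGES


def find_unapproved_installs(events, approved=APPROVED_RELAY_HOSTS):
    """Return (endpoint, relay_host, relay_port) for clients pointing outside the allowlist.

    A client whose relay host cannot be parsed is reported for manual review rather
    than silently passed, since a missing host is itself unusual.
    """
    allow = {h.lower() for h in approved}
    findings = []
    for event in events:
        if not is_screenconnect_client(event["image"]):
            continue
        relay = extract_relay(event["cmdline"])
        if relay is None:
            findings.append((event["host"], "<no relay host parsed>", "review"))
            continue
        host, port = relay
        if host not in allow:
            findings.append((event["host"], host, port))
    return findings


if __name__ == "__main__":
    for endpoint, host, port in find_unapproved_installs(SAMPLE_EVENTS):
        print(f"{endpoint}: ScreenConnect client relays to {host}:{port} (not approved)")
```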
Incident 27: Alleged data leak of K-CLOUD KOMINFO
- Incident Title: Alleged data leak of K-CLOUD KOMINFO
- Date Reported: 2025-04-27T02:53:56Z
- Category: Data Breach
- Victim Details:
- Organization: Ministry of Communication and Digital Affairs (KOMINFO) K-Cloud service
- Industry: Government Administration
- Country: Indonesia
- Site: kominfo.go.id
- Incident Summary & Analysis: The Indonesian hacktivist group “INDOHAXSEC” claims on the “darkforums.st” platform to have leaked a 25 GB database and documents originating from K-CLOUD KOMINFO, a cloud service associated with Indonesia’s Ministry of Communication and Digital Affairs. This represents a potential breach of sensitive government data hosted on a cloud platform.
- Threat Actor Analysis:
- Identified Actor(s): INDOHAXSEC
- Profile & Context: INDOHAXSEC is identified as an Indonesian hacktivist collective that emerged around October 2024.7 Their activities include DDoS attacks, website defacements, ransomware deployment (using a locker called ExorLock, potentially linked to their previous iteration “AnonBlackFlag”), and hack-and-leak operations.7 They maintain a presence on GitHub (sharing custom tools, often rudimentary scripts) and Telegram (for communication, coordination, and propaganda).12 Initially motivated by pro-Palestinian sentiments and religious ideology, targeting entities perceived as supporting Israel, their focus has reportedly shifted to include more nationalistic and politically motivated attacks against entities believed to act against Indonesian interests.12 They have announced partnerships with other hacktivist groups like the pro-Russian NoName057(16).7 This claimed leak from a government cloud service fits their pattern of hack-and-leak operations targeting government entities, potentially driven by political motivations or seeking notoriety.
- Evidence & Sources:
- Published URL: https://darkforums.st/Thread-Document-25-GB-DATABASE-AND-DOCUMENTS-K-CLOUD-KOMINFO
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d9499e29-cbf2-4778-b2f7-e43b51a2feeb.png
3. Emerging Threats & Vulnerabilities
This section highlights specific threats and vulnerabilities observed in the reporting period that warrant particular attention due to their potential impact or novelty.
- Android RCE Exploit 0-day Sale (APTLab):
- Summary: Actor “APTLab” advertised an alleged Remote Code Execution (RCE) 0-day exploit targeting Android versions 15 and below on the “darkforums.st” forum.
  - Analysis: The potential availability of a 0-day RCE exploit for a dominant mobile operating system like Android represents a critical threat. Such an exploit, if authentic, would grant attackers the ability to execute arbitrary code remotely on vulnerable devices, facilitating complete device takeover for data theft, surveillance, malware deployment, or integration into botnets. While verification is needed, the mere offering reflects the high value placed on mobile exploits in underground markets.21 Sophisticated actors, including state-sponsored groups (APTs) and top-tier cybercriminals, actively seek such capabilities.43 The alias “APTLab” might be intended to suggest this level of sophistication. This sale underscores the persistent vulnerability of mobile ecosystems and the continuous efforts by threat actors to develop or acquire tools to compromise them. Organizations relying heavily on Android devices must maintain rigorous security postures, including timely patching and potentially deploying Mobile Threat Defense solutions.
  - Evidence & Sources: See Incident 7.
- Illicit ScreenConnect Panel Sale (Grand_Ceaser):
  - Summary: Actor “Grand_Ceaser” offered illicit ScreenConnect panels for sale on the Exploit.in forum, marketed for large-scale device control with RAT-like functionality.
  - Analysis: The abuse of legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect is a well-documented and ongoing threat vector.23 Recent critical vulnerabilities (CVE-2024-1709, CVE-2024-1708) led to mass exploitation, enabling attackers to gain initial access and deploy various malware, including prominent ransomware strains.24 “Grand_Ceaser’s” offering likely involves pre-compromised ScreenConnect instances or infrastructure specifically configured for malicious use, potentially hosted on resilient infrastructure.23 By selling ready-made control panels on a major cybercrime forum 1, this actor commoditizes a potent attack capability. Buyers can bypass the exploitation phase and focus on deploying the ScreenConnect agent onto victim machines, often via social engineering.23 This significantly lowers the barrier to entry for actors seeking persistent remote access and control, fueling the trend of RMM tool abuse and complicating detection efforts due to the potential for traffic to initially appear legitimate.
  - Evidence & Sources: See Incident 26.
- “Op_Usa” Alert (Mr Hamza, Vortex, Arab Ghosts Hackers):
  - Summary: The hacktivist actor “Mr Hamza” announced a coordinated campaign, “Op_Usa,” in collaboration with “Vortex” and “Arab Ghosts Hackers,” targeting US ministries and sensitive military/security sites.
  - Analysis: This alert signals a declared intent by a known hacktivist network to conduct operations against high-value US targets. Mr. Hamza, assessed to be of Moroccan origin and active since late 2024, typically employs DDoS attacks and claims data leaks, driven by anti-Western/anti-Israel political motivations.8 They frequently collaborate with other groups (e.g., Holy League, NoName057(16)) to amplify their impact, often coordinating via Telegram.8 While hacktivist capabilities can vary and claims may be exaggerated 6, coordinated DDoS attacks against government and critical infrastructure can cause significant disruption.8 The specific mention of “sensitive security, and military sites” elevates the potential severity, although DDoS or website defacement remain the most likely methods. This planned operation reflects the continued use of hacktivism as a tool for geopolitical messaging and low-level cyber conflict, warranting heightened vigilance for US government and military web assets.
  - Evidence & Sources: See Incident 6.
4. Key Threat Actor Activity
This section summarizes the activities of threat actors observed engaging in multiple incidents during this reporting period, highlighting recurring threats and patterns.
Key Threat Actor Summary
| Threat Actor | Incidents | Primary Category Observed | Primary TTPs Observed | Key Targets Observed (Industry/Region) | Platforms Used |
| --- | --- | --- | --- | --- | --- |
| xsskiller | 2 | Initial Access | Selling unauthorized access credentials | Education (Interpol-affiliated), Government (Colombia) | darkforums.st |
| Rivka | 2 | Initial Access | Selling RDP access with domain user rights | Document Management (Portugal), IT Services (Italy) | ramp4u.io |
| Nick Diesel | 2 | Data Breach | Leaking/Selling large PII/customer databases | Automotive (USA), Marketing/Advertising (USA) | xss.is |
| 7 Proxies / 7Proxies | 4 | Defacement | Website defacement, using mirror sites for proof | Education (Pakistan, Bangladesh), Government (Bangladesh) | Telegram, ownzyou.com |
| RASHTRIYA CYBER FORCE | 1 | Data Breach | Claiming data leak (hacktivism) | Education (Pakistan) | Telegram |
| combolists | 1 | Initial Access | Selling access (govt emails/portals/API keys) via combos | Government (Multiple Countries) | darkforums.st |
| Mr Hamza | 1 | Alert | Announcing coordinated DDoS campaign (hacktivism) | Government/Military (USA) | Telegram |
| APTLab | 1 | Vulnerability | Selling alleged 0-day exploit | Mobile (Android OS) | darkforums.st |
| Gunra | 1 | Ransomware | Double extortion via Tor DLS | Machinery Manufacturing (Italy) | Tor |
| Lulzsec Arabs | 1 | Defacement | Website defacement (hacktivism) | Manufacturing (India) | Telegram |
| h4ck3r | 1 | Data Leak | Leaking alleged government employee PII | Government (India) | darkforums.st |
| Randy72 | 1 | Data Breach | Claiming massive data leak (incl. PII, financials, IP) | Healthcare/Pharmaceuticals (USA) | leakbase.io |
| DCG (Dark Cyber Gang) | 1 | Defacement | Website defacement (hacktivism) | Industrial Engineering (India) | Telegram |
| Gatito_FBI_Nz | 1 | Data Breach | Selling large retail customer/employee data (incl. IDs) | Retail (Peru) | darkforums.st |
| Thales | 1 | Data Leak | Selling highly sensitive PII/employment data for KYC fraud | Employment/Recruitment? (South Korea) | exploit.in |
| WantsMore1337 | 1 | Data Breach | Selling recent retail customer data (incl. bank accts) | Retail (Netherlands) | exploit.in |
| caustic | 1 | Initial Access | Selling access to high-revenue company | Insurance (LATAM) | exploit.in |
| RALord | 1 | Ransomware | Double extortion via Tor DLS | Telecommunications (Canada) | Tor |
| Grand_Ceaser | 1 | Alert | Selling illicit RMM (ScreenConnect) panels | Tooling/Infrastructure | exploit.in |
| INDOHAXSEC | 1 | Data Breach | Claiming government cloud data leak (hacktivism) | Government (Indonesia) | darkforums.st |
| RonyKingSourcingINC | 1 | Data Breach | Selling business intelligence/contact database | Insurance (USA) | xss.is |
Actor Highlights:
- xsskiller: Demonstrated capability or focus in compromising Colombian entities, offering valuable initial access to both government and international organization-affiliated systems via dark web forums. Their operations highlight the market for targeted access within specific regions.
- 7 Proxies: Conducted a high-volume defacement campaign targeting South Asian educational and governmental websites in both Pakistan and Bangladesh. Their consistent use of Telegram and mirror sites points to standard hacktivist operating procedures aimed at disruption and visibility.5
- Nick Diesel: Emerged as a significant potential source or broker of large PII datasets on the XSS.is forum, claiming breaches impacting millions of US individuals across unrelated sectors (Automotive, Marketing). This underscores the pervasive threat of mass PII exposure from commercial data holders.
- Rivka: Specialized in selling RDP access on the ramp4u.io forum, targeting European companies in Portugal and Italy. Their activity feeds the demand for RDP access, a common pathway for ransomware deployment.17
- combolists: Leveraged the availability of compromised credentials (likely from combo lists or stealer logs) to offer widespread access to government systems across numerous countries.36 Their alias and offering exemplify the threat posed by credential reuse and large-scale credential harvesting operations.
The varied activities observed across these actors underscore the specialization prevalent in the cybercrime ecosystem. Dedicated roles such as IABs (xsskiller, Rivka, combolists), data brokers/leakers (Nick Diesel, Randy72, Gatito_FBI_Nz), exploit sellers (APTLab), tool providers (Grand_Ceaser), ransomware operators (Gunra, RALord), and hacktivists (RASHTRIYA CYBER FORCE, Lulzsec Arabs, 7 Proxies, DCG, Mr Hamza, INDOHAXSEC) operate concurrently, often utilizing specific platforms like dark web forums (darkforums.st, xss.is, ramp4u.io, exploit.in, leakbase.io) or communication channels like Telegram. Understanding these distinct roles, their preferred TTPs, and operational platforms is essential for anticipating threat trajectories and developing effective defenses.
5. Actionable Recommendations
Based on the threats and activities observed in the past 24 hours, the following actions are recommended:
- Prioritize Patching & Vulnerability Management:
  - Mobile Security: In light of the alleged Android RCE 0-day sale (APTLab), organizations utilizing Android devices should enforce timely OS and application patching, activate built-in security features, evaluate Mobile Threat Defense (MTD) solutions, and monitor vendor advisories closely.
  - RMM Tool Security: Given the sale of illicit ScreenConnect panels (Grand_Ceaser) and the history of RMM tool abuse 23, organizations using ScreenConnect (especially on-premise) must confirm patching against critical vulnerabilities like CVE-2024-1709 and CVE-2024-1708. Conduct audits of ScreenConnect instances for unauthorized user accounts or extensions.24 Implement stricter access controls and enhanced monitoring for all RMM software.
  - General Patching: Maintain aggressive patching schedules for all internet-facing systems and software, particularly those related to government portals, VPNs, and RDP services, which are actively targeted by IABs.
- Enhance Credential Security & Access Management:
  - Multi-Factor Authentication (MFA): The significant IAB activity (xsskiller, Rivka, combolists, caustic) often relies on compromised credentials.1 Mandate MFA across all critical access points, including VPNs, RDP, cloud services, email, and administrative interfaces. Prioritize phishing-resistant MFA methods.
  - Account Hygiene: Implement regular audits of user accounts. Promptly disable accounts for departed employees.82 Enforce the principle of least privilege rigorously.
  - Credential Monitoring: Utilize breach notification services 37 and dark web monitoring tools 39 to detect exposure of corporate credentials. Defend against credential stuffing attacks by implementing CAPTCHA, rate limiting, and monitoring for anomalous login patterns 37, especially for portals targeted by actors like “combolists.”
  - RDP Security: Secure RDP deployments with strong passwords, MFA, and Network Level Authentication (NLA). Minimize direct internet exposure and closely monitor RDP logs, as actors like Rivka specifically target and sell this type of access.
- Monitor for Specific Threat Actor TTPs:
  - Targeted Awareness: Organizations within the sectors and regions targeted in this report (e.g., Pakistan/India Education/Govt, Colombian Govt, US/LATAM Insurance, Italian Manufacturing/IT, Peruvian Retail, Netherlands Retail, Canadian Telecoms, US Healthcare/Pharma/Marketing/Automotive) should heighten awareness regarding the specific actors observed (RASHTRIYA CYBER FORCE, xsskiller, Gunra, Nick Diesel, Gatito_FBI_Nz, WantsMore1337, RALord, Randy72, etc.) and monitor for associated indicators (defacement signatures, IAB forum postings, ransomware IOCs, signs of large data exfiltration).
  - Hacktivist Monitoring: Monitor public Telegram channels associated with hacktivist groups known to target your region or industry (e.g., Indian/Pakistani groups, pro-Palestine groups like Mr Hamza, INDOHAXSEC) for early warning of campaigns or claims.3
  - Dark Web Intelligence: Where feasible and appropriate, monitor key dark web forums (darkforums.st, xss.is, ramp4u.io, exploit.in) for mentions of your organization, sector, or supply chain partners in access or data sales listings.
- Defend Against Ransomware:
  - Resilience: Maintain robust, regularly tested backup and recovery procedures, including offline and immutable backups.
  - Segmentation: Implement network segmentation to impede lateral movement by ransomware actors.83
  - Endpoint & Network Defense: Deploy and maintain updated Endpoint Detection and Response (EDR) solutions, recognizing that actors actively attempt to disable them.49 Augment EDR with Network Detection and Response (NDR) capabilities for broader visibility.84
  - Threat-Specific Awareness: Stay informed about the TTPs of currently active ransomware groups like Gunra and RALord.15
- Address Data Leak Risks:
  - Data Security Controls: Organizations handling large volumes of PII or sensitive corporate data (e.g., Healthcare, Finance, Retail, Marketing, Government, Pharma) must enforce strong data security measures, including encryption at rest and in transit, strict access controls, and Data Loss Prevention (DLP) technologies.
  - Incident Response Planning: Develop and rehearse incident response plans specifically addressing large-scale data breaches, ensuring clear procedures for containment, investigation, and legally required notifications.
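The credential-monitoring and RDP-security recommendations above ask for detection of anomalous login patterns and for rate limiting on exposed portals. The following is an added example, not code from this report or from any vendor it cites: a sliding-window detector for combo-list replay and single-account RDP hammering, run over a constructed log in a simplified Windows Security event style (4624/4625 with logon type), plus a replay through a per-source rate limiter; the log format, thresholds and sample addresses are assumptions.

```python
"""Flag credential-stuffing and RDP brute-force patterns in login logs.

Added example for this report's credential-monitoring and RDP-security items;
it is not code from the report. Log lines are constructed in a simplified
Windows Security log style: <ISO time> <event_id> <logon_type> <user> <src_ip>,
with 4624 = success, 4625 = failure and logon type 10 = RDP (RemoteInteractive).
"""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample (documentation address ranges, not real hosts): combo-list
# replay across six accounts with one hit, RDP hammering of one account, one typo.
SAMPLE_LOG = """\
2025-04-27T01:00:01 4625 10 alice 203.0.113.5
2025-04-27T01:00:03 4625 10 bob 203.0.113.5
2025-04-27T01:00:05 4625 10 carol 203.0.113.5
2025-04-27T01:00:07 4625 10 dave 203.0.113.5
2025-04-27T01:00:09 4625 10 erin 203.0.113.5
2025-04-27T01:00:11 4624 10 grace 203.0.113.5
2025-04-27T01:02:00 4625 10 administrator 203.0.113.9
2025-04-27T01:02:10 4625 10 administrator 203.0.113.9
2025-04-27T01:02:20 4625 10 administrator 203.0.113.9
2025-04-27T01:02:30 4625 10 administrator 203.0.113.9
2025-04-27T01:02:40 4625 10 administrator 203.0.113.9
2025-04-27T01:05:00 4625 10 alice 198.51.100.7
2025-04-27T01:05:20 4624 10 alice 198.51.100.7
"""

Event = namedtuple("Event", "ts success logon_type user src")
Finding = namedtuple("Finding", "kind src detail")  # kind: credential_stuffing | rdp_brute_force

def parse_log(text):
    """Parse the simplified log format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, logon_type, user, src = line.split()
            events.append(Event(datetime.fromisoformat(ts), event_id == "4624",
                                int(logon_type), user.lower(), src))
    return sorted(events, key=lambda e: e.ts)

def analyze(events, window=timedelta(minutes=5), min_users=5, min_attempts=5):
    """Sliding window per source. credential_stuffing: >= min_users distinct accounts
    tried inside one window (accounts that then succeeded are listed: a reused
    password worked). rdp_brute_force: >= min_attempts RDP failures on one account."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    findings = []
    for src, evs in by_src.items():
        win, peak_users, peak_fail = deque(), 0, defaultdict(int)
        for e in evs:
            win.append(e)
            while win[0].ts < e.ts - window:  # drop events older than the window
                win.popleft()
            peak_users = max(peak_users, len({w.user for w in win}))
            if not e.success and e.logon_type == 10:
                n = sum(1 for w in win
                        if not w.success and w.logon_type == 10 and w.user == e.user)
                peak_fail[e.user] = max(peak_fail[e.user], n)
        if peak_users >= min_users:
            ok = sorted({w.user for w in evs if w.success})
            findings.append(Finding("credential_stuffing", src,
                            f"{peak_users} accounts within {window}; succeeded: {ok}"))
        for user, n in peak_fail.items():
            if n >= min_attempts:
                findings.append(Finding("rdp_brute_force", src,
                                f"{n} RDP failures for {user!r} within {window}"))
    return findings

def rate_limited(events, max_attempts=5, window=timedelta(minutes=1)):
    """Replay the log through a per-source sliding-window limiter and return
    {source: attempts it would have denied}; the report's rate-limiting control."""
    seen, denied = defaultdict(deque), defaultdict(int)
    for e in events:
        q = seen[e.src]
        while q and q[0] <= e.ts - window:
            q.popleft()
        if len(q) >= max_attempts:
            denied[e.src] += 1
        else:
            q.append(e.ts)
    return dict(denied)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in analyze(evs):
        print(f"[{f.kind}] {f.src}: {f.detail}")
    print("denied per source:", rate_limited(evs))  # {'203.0.113.5': 1}
```

On the sample, the limiter's single denial is the combo-list source's one successful logon, which is the point of pairing rate limiting with the detector: the valid reused password never gets a chance to work.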
Works cited
1. Exploit Forum Initial Access Broker Landscape for NATO Countries – Flare, accessed April 27, 2025, https://flare.io/learn/resources/blog/initial-access-broker-landscape-in-nato-member-states-on-exploit-forum/
2. Exploit Forum, Initial Access Brokers, and Cybercrime on the Dark Web – Flare, accessed April 27, 2025, https://flare.io/learn/resources/blog/exploit-forum/
3. Indian Cyber Force – Wikipedia, accessed April 27, 2025, https://en.wikipedia.org/wiki/Indian_Cyber_Force
4. Hunter and hunted: Ex-FBI agent and LulzSec leader dish on adversarial innovation and AI’s dark turn – Research & Development World, accessed April 27, 2025, https://www.rdworldonline.com/hunter-and-hunted-ex-fbi-agent-and-lulzsec-leader-dish-on-adversarial-innovation-and-ais-dark-turn/
5. Understanding Hacktivists: The Overlap of Ideology and Cybercrime | Trend Micro (US), accessed April 27, 2025, https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/understanding-hacktivists-the-overlap-of-ideology-and-cybercrime
6. Global Hacktivist Threats – Graphika, accessed April 27, 2025, https://graphika.com/reports/global-hacktivist-threats
7. Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and More, accessed April 27, 2025, https://thehackernews.com/2025/03/weekly-recap-chrome-0-day.html
8. Mr.Hamza Group – Cyber Intelligence Bureau – Orange Cyberdefense, accessed April 27, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/MrHamza/Mr_HamzaGroup.pdf
9. Cyble’s Insights on Independence Day Hacktivist Attacks, accessed April 27, 2025, https://cyble.com/blog/from-celebrations-to-cyber-strikes-hacktivism-incidents-spark-amidst-independence-day-celebrations/
10. Check Point Research Report: Iranian Hacktivist Proxies Escalate Activities Beyond Israel, accessed April 27, 2025, https://blog.checkpoint.com/research/check-point-research-report-shift-in-cyber-warfare-tactics-iranian-hacktivist-proxies-extend-activities-beyond-israel/
11. Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on “The Five Families” Cybercrime Reputation – SentinelOne, accessed April 27, 2025, https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/
12. INDOHAXSEC – Emerging Indonesian Hacking Collective – Arctic Wolf, accessed April 27, 2025, https://arcticwolf.com/resources/blog-uk/indohaxsec-indonesian-hacking-collective/
13. Hotspot Analysis: Regional rivalry between India- Pakistan: tit-for-tat in cyberspace – CSS/ETH Zürich, accessed April 27, 2025, https://css.ethz.ch/content/dam/ethz/special-interest/gess/cis/center-for-securities-studies/pdfs/Cyber-Reports-2018-04.pdf
14. The Top Ransomware Groups Targeting the Healthcare Sector – Flashpoint, accessed April 27, 2025, https://flashpoint.io/blog/ransomware-groups-targeting-healthcare-sector/
15. RALord Ransomware Group: Threat Profile & Attack Tactics – Cyble, accessed April 27, 2025, https://cyble.com/threat-actor-profiles/ralord-ransomware-group/
16. From RA Group to RA World: Evolution of a Ransomware Group – Palo Alto Networks Unit 42, accessed April 27, 2025, https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-set/
17. trinity-ransomware-threat-actor-profile.pdf – HHS.gov, accessed April 27, 2025, https://www.hhs.gov/sites/default/files/trinity-ransomware-threat-actor-profile.pdf
18. Gunra Ransomware | WatchGuard Technologies, accessed April 27, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/gunra
19. ARaaStocracy – RALord ransomware emerges with new DLS – CYJAX, accessed April 27, 2025, https://www.cyjax.com/resources/blog/araastocracy-ralord-ransomware-emerges-with-new-dls/
20. RALord Ransomware | WatchGuard Technologies, accessed April 27, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/ralord
21. Threat Advisory: critical zero-day vulnerability in Fortinet’s FortiOS and FortiProxy products, accessed April 27, 2025, https://insights.integrity360.com/threat-advisory-critical-zero-day-vulnerability-in-fortinets-fortios-and-fortiproxy-products
22. Threat Actor Allegedly Selling Fortinet Firewall Zero-Day Exploit – SecurityWeek, accessed April 27, 2025, https://www.securityweek.com/threat-actor-allegedly-selling-fortinet-firewall-zero-day-exploit/
23. Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks – Silent Push, accessed April 27, 2025, https://www.silentpush.com/blog/screenconnect/
24. ConnectWise ScreenConnect Threat – Risk Ledger, accessed April 27, 2025, https://riskledger.com/resources/connectwise-screenconnect-emerging-threat
25. Critical ScreenConnect Flaw Under Active Exploitation | Decipher – Duo Security, accessed April 27, 2025, https://duo.com/decipher/critical-screenconnect-flaw-under-active-exploitation
26. Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities | Trend Micro (US), accessed April 27, 2025, https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
27. ScreenConnect exploit – Silent Push publishes 50+ attacker IPs, accessed April 27, 2025, https://www.silentpush.com/blog/screenconnect-exploit/
28. FunkSec – Alleged Top Ransomware Group Powered by AI – Check Point Research, accessed April 27, 2025, https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
29. Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List, accessed April 27, 2025, https://www.crowdstrike.com/en-us/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
30. Pakistani hackers may have hit 3 major Indian defence firms. Find out which, accessed April 27, 2025, https://www.business-standard.com/external-affairs-defence-security/news/pakistani-hackers-may-have-hit-3-major-indian-defence-firms-find-out-which-124052801049_1.html
31. What is XSS? Impact, Types, and Prevention – Bright Security, accessed April 27, 2025, https://brightsec.com/blog/xss/
32. What Is Cross-Site Scripting (XSS)? Types, Risks & Prevention – eSecurity Planet, accessed April 27, 2025, https://www.esecurityplanet.com/networks/cross-site-scripting-xss/
33. What Is a Cross-Site Scripting (XSS) Attack? | CrowdStrike, accessed April 27, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/cross-site-scripting-xss/
34. Top 10 Deep Web and Dark Web Forums – SOCRadar® Cyber Intelligence Inc., accessed April 27, 2025, https://socradar.io/top-10-deep-web-and-dark-web-forums/
35. FIN7 Threat Profile – Blackpoint Cyber, accessed April 27, 2025, https://blackpointcyber.com/wp-content/uploads/2024/09/FIN7-Threat-Profile_Adversary-Pursuit-Group-Blackpoint-Cyber_2024Q3.pdf
36. Exposed Credentials & Ransomware Operations: Using LLMs to Digest 200K Messages from the Black Basta Chats – SpyCloud, accessed April 27, 2025, https://spycloud.com/blog/digesting-messages-from-the-black-basta-chats/
37. A Quick Guide to Dark Web Combo Lists – Breachsense, accessed April 27, 2025, https://www.breachsense.com/blog/dark-web-combo-list/
38. Leaked Credentials – Where Do They Come From? – Truesec, accessed April 27, 2025, https://www.truesec.com/security/leaked-credentials-where-do-they-come-from
39. Combo Lists & the Dark Web: Understanding Leaked Credentials – Flare, accessed April 27, 2025, https://flare.io/learn/resources/blog/combo-lists-the-dark-web-understanding-leaked-credentials/
40. Threat Actors’ Arsenal: How Hackers Target Cloud Accounts | Proofpoint AU, accessed April 27, 2025, https://www.proofpoint.com/au/blog/cloud-security/threat-actors-arsenal-how-hackers-target-cloud-accounts
41. Plot Twist: Combolists Are Still A Threat – SpyCloud, accessed April 27, 2025, https://spycloud.com/blog/plot-twist-combolists-are-still-a-threat/
42. Ongoing Threat of “Mr. Hamza” and Allied Hacktivist Groups – Homeland Security Today, accessed April 27, 2025, https://www.hstoday.us/subject-matter-areas/cybersecurity/ongoing-threat-of-mr-hamza-and-allied-hacktivist-groups/
43. APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus, accessed April 27, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a
44. FBI TLP White Flash Report: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity – May 27, 2021 | AHA, accessed April 27, 2025, https://www.aha.org/fbi-tlp-alert/2021-05-27-fbi-flash-tlp-white-apt-actors-exploiting-fortinet-vulnerabilities-gain
45. Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) | Mandiant | Google Cloud Blog, accessed April 27, 2025, https://cloud.google.com/blog/topics/threat-intelligence/chinese-actors-exploit-fortios-flaw
46. Gunra Ransomware, accessed April 27, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/gunra-ransomware
47. GRIT Ransomware Report: July 2024 – GuidePoint Security, accessed April 27, 2025, https://www.guidepointsecurity.com/blog/grit-ransomware-report-july-2024/
48. 2025 Ransomware: Business as Usual, Business is Booming | Rapid7 Blog, accessed April 27, 2025, https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/
49. The New Face of Ransomware: Key Players and Emerging Tactics of 2024 – Trustwave, accessed April 27, 2025, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-new-face-of-ransomware-key-players-and-emerging-tactics-of-2024/
50. Episode 187 – Malicious Life, accessed April 27, 2025, https://malicious.life/episode/episode-187/
51. Anonymous, LulzSec: Heroes or Villains? – InfoRiskToday, accessed April 27, 2025, https://www.inforisktoday.com/blogs/anonymous-lulzsec-heroes-or-villains-p-1012
52. Misinformation and Hacktivist Campaigns Target the Philippines Amidst Rising Tensions with China – Resecurity, accessed April 27, 2025, https://www.resecurity.com/blog/article/misinformation-and-hacktivist-campaigns-target-the-philippines-amidst-rising-tensions-with-china
53. Geopolitical Tensions Drive Explosion in DDoS Attacks – Infosecurity Magazine, accessed April 27, 2025, https://www.infosecurity-magazine.com/news/geopolitical-tensions-drive-ddos/
54. Hacktivist Groups: The Shadowy Links to Nation-State Agendas – Trellix, accessed April 27, 2025, https://www.trellix.com/blogs/research/hacktivist-groups-the-shadowy-links-to-nation-state-agendas/
55. Dark Web Activity January 2025: A New Hacktivist Group Emerges – Cyble, accessed April 27, 2025, https://cyble.com/blog/dark-web-activity-new-hacktivist-group-emerges/
56. Ransomware Payments Rise As Public Sector Is Targeted – Coveware, accessed April 27, 2025, https://www.coveware.com/blog/q3-ransomware-marketplace-report
57. South Asia | Cyber Solutions By Thales, accessed April 27, 2025, https://cds.thalesgroup.com/en/cyberthreat/areas-south-asia
58. India’s government, energy sector breached in cyber-espionage campaign, accessed April 27, 2025, https://therecord.media/india-infostealer-government-energy-sector-espionage
59. Top 25 Biggest Cyber Attacks in India: Major Data Breaches & Cybercrime – Sattrix, accessed April 27, 2025, https://www.sattrix.com/blog/biggest-cyber-attacks-in-india/
60. India’s biggest data breach? Hacking gang claims to have stolen 815 million people’s personal information – Bitdefender, accessed April 27, 2025, https://www.bitdefender.com/en-au/blog/hotforsecurity/indias-biggest-data-breach-hacking-gang-claims-to-have-stolen-815-million-peoples-personal-information/
61. NetMission Case Study Series 2024 – Cybersecurity Challenges in South Asia: India’s Largest Data Breaches and Cyberattack on Pakistan’s National Institutional Facilitation Technologies, accessed April 27, 2025, https://netmission.asia/2024/04/08/netmission-case-study-series-2024-cybersecurity-challenges-in-south-asia-indias-largest-data-breaches-and-cyberattack-on-pakistans-national-institutional-facilitation-technologie/
62. Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite, accessed April 27, 2025, https://thehackernews.com/2024/03/hackers-target-indian-defense-and.html
63. SVR Cyber Actors Adapt Tactics for Initial Cloud Access – CISA, accessed April 27, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
64. Russian Cyber Actors Target Cloud-Hosted Infrastructure – National Security Agency, accessed April 27, 2025, https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3686651/russian-cyber-actors-target-cloud-hosted-infrastructure/
65. Russian Threat Actors Targeting the HPH Sector – HHS.gov, accessed April 27, 2025, https://www.hhs.gov/sites/default/files/russian-threat-actors-targeting-the-hph-sector-tlpclear.pdf
66. List of hacker groups – Wikipedia, accessed April 27, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups
67. Large Peruvian bank warns of data theft after dark web post emerges, accessed April 27, 2025, https://therecord.media/interbank-peru-data-breach
68. Hacker Targets Early Settler Furniture, Customer Data on Dark Web, accessed April 27, 2025, https://australiancybersecuritymagazine.com.au/hacker-targets-early-settler-furniture-customer-data-on-dark-web/
69. BlackBerry Cylance Data Offered for Sale on Dark Web – SecurityWeek, accessed April 27, 2025, https://www.securityweek.com/blackberry-cylance-data-offered-for-sale-on-dark-web/
70. Top Threat Actors on the Dark Web | 2023 Recap – CybelAngel, accessed April 27, 2025, https://cybelangel.com/top-threat-actors-on-the-dark-web-recap/
71. Security Updates – Knowledge Article View – Thales Customer Support, accessed April 27, 2025, https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=5c18186b478aa950128dca72e36d4391&sysparm_article=KB0027106&data1=CactRev
72. COVID-19 CYBERSECURITY RESPONSE PACKAGE An ECSO Cyber Solidarity Campaign, accessed April 27, 2025, https://ecs-org.eu/ecso-uploads/2022/10/602a75ed59f64.pdf
73. TA505 (Threat Actor) – Malpedia, accessed April 27, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/ta505
74. ATK104 – Cyber Solutions By Thales, accessed April 27, 2025, https://cds.thalesgroup.com/en/node/637
75. Threat actor is selling data on 5.4 million Twitter users for $30K on hacking forum, accessed April 27, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/threat-actor-is-selling-data-on-5-4-million-twitter-users-for-30k-on-hacking-forum
76. How a new wave of deepfake-driven cyber crime targets businesses | IBM, accessed April 27, 2025, https://www.ibm.com/think/insights/new-wave-deepfake-cybercrime
77. RALord Ransomware, accessed April 27, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/ralord-ransomware
78. Yet another threat actor seen exploiting ConnectWise ScreenConnect – Cybersecurity Dive, accessed April 27, 2025, https://www.cybersecuritydive.com/news/threat-actor-exploiting-connectwise-screenconnect/709487/
79. High-Risk Vulnerabilities in ConnectWise ScreenConnect | Rapid7 Blog, accessed April 27, 2025, https://www.rapid7.com/blog/post/2024/02/20/etr-high-risk-vulnerabilities-in-connectwise-screenconnect/
80. Threat Brief: ConnectWise ScreenConnect Vulnerabilities (CVE-2024-1708 and CVE-2024-1709) – Unit 42 – Palo Alto Networks, accessed April 27, 2025, https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/
81. Top Middle East Cyber Threats – March 25th, 2025 – Help AG, accessed April 27, 2025, https://www.helpag.com/top-middle-east-cyber-threats-march-25th-2025/
82. Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization | CISA, accessed April 27, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a
83. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA, accessed April 27, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a
84. RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate’s Arsenal, accessed April 27, 2025, https://www.darktrace.com/blog/ransomhub-ransomware-darktraces-investigation-of-the-newest-tool-in-shadowsyndicates-arsenal
85. Ransomware Group Hacks Webcam to Evade Endpoint Defenses – BankInfoSecurity, accessed April 27, 2025, https://www.bankinfosecurity.com/ransomware-group-hacks-webcam-to-evade-endpoint-defenses-a-28078
86. Nova RaaS: The Ransomware That ‘Spares’ Schools and Nonprofits—For Now – SonicWall, accessed April 27, 2025, https://www.sonicwall.com/blog/nova-raas-the-ransomware-that-spares-schools-and-nonprofits-for-now