[April-28-2025] Daily Cybersecurity Threat Report

1. Executive Summary

Overview: This report details significant cybersecurity incidents observed within the 24-hour period ending April 28, 2025, based on analyzed intelligence feeds. Activity spanned multiple threat categories, including ransomware, initial access brokerage, data leaks/breaches, hacktivist operations, and targeted alerts. A total of 21 distinct incidents were analyzed.

Key Threat Landscape Observations:

  • Ransomware Dominance: Ransomware-as-a-Service (RaaS) operations remain a primary threat vector. Prominent groups such as Akira, RHYSIDA, Qilin, HUNTERS INTERNATIONAL, and Gunra were observed actively compromising organizations across various sectors. Targeted industries included Manufacturing, Healthcare, Legal, Insurance, and Architecture & Planning, with a notable concentration of victims in the USA. These groups consistently employ double extortion tactics, involving both data encryption and the threat of leaking exfiltrated data to pressure victims into payment.[1]
  • Active Illicit Marketplaces: Cybercriminal forums (e.g., Exploit.in, XSS.is, Leakbase.io, bhf.pro, Darkforums.st) and secure messaging platforms like Telegram serve as critical hubs for the illicit trade of stolen data, compromised credentials, and network access. Threat actors including UFO MARKET, personX, wonder, labirimt, Sofywka, Nick Diesel, Shinchan, Lions8711, l33tfg, and rassvettt were observed leveraging these platforms to advertise or leak compromised assets. The persistence of these marketplaces, despite law enforcement actions against predecessors like Raid Forums and BreachForums [13], underscores their resilience and importance within the cybercrime ecosystem.
  • Data Leak Proliferation: Significant volumes of sensitive data were advertised for sale or leaked during this period. This included Personally Identifiable Information (PII), financial records, corporate documents, user credentials, digital certificates, and specialized datasets like vehicle telematics. These incidents impacted individuals and organizations in the USA, India, South Korea, Vietnam, Indonesia, and Fiji, demonstrating the global scale of data compromise. Actors like UFO MARKET appeared particularly active in trading large datasets from the APAC region.
  • Exploitation Focus: Evidence suggests continued exploitation of known vulnerabilities, particularly within Virtual Private Network (VPN) solutions, such as those affecting Cisco devices.[2] Configurations lacking Multi-Factor Authentication (MFA) remain a common target for initial access by groups like Akira and Rhysida.[2] Remote Desktop Protocol (RDP) also continues to be a likely vector.[3]
  • Hacktivism Presence: Geopolitically motivated hacktivism persists as a noticeable threat. Groups like Arab Ghosts Hackers and The Anonymous 71 were observed conducting website defacements and issuing general threats, often linking their actions to regional conflicts or political statements.[15] These activities, while sometimes less directly damaging than ransomware, serve propaganda purposes and highlight underlying vulnerabilities.

Notable Actors: Akira [1], RHYSIDA [4], Qilin [7], HUNTERS INTERNATIONAL [10], and UFO MARKET demonstrated significant activity or were involved in high-impact events during this reporting period.

Emerging Trend: The reported transition of Hunters International from a traditional RaaS model to an extortion-only operation under the name ‘World Leaks’ [10] may signal a broader shift. Established ransomware operators might increasingly pivot to pure data extortion models, potentially perceiving this approach as less complex, less likely to trigger certain security defenses focused on encryption, or more profitable under current law enforcement pressures and victim recovery capabilities.

The distinct categories of threats observed—Ransomware, Initial Access Brokerage (IAB), Data Leaks—operate within an interconnected ecosystem. IABs, such as personX, Sofywka, and rassvettt, provide the initial network footholds often necessary for RaaS affiliates, like those potentially deploying Akira, RHYSIDA, or Qilin ransomware, to launch their attacks. Data leaked or sold by actors like wonder, UFO MARKET, and Nick Diesel can subsequently be used to fuel further attacks, including phishing, credential stuffing, or social engineering, potentially leading back to initial access compromises or ransomware incidents. Even hacktivist defacements, like the one attributed to The Anonymous 71, might exploit vulnerabilities that could later be leveraged by financially motivated threat actors. This interconnectedness means that defensive strategies must be holistic; protecting against initial access directly mitigates ransomware risk, monitoring data leak forums provides early warnings of credential compromise, and addressing vulnerabilities exploited by hacktivists strengthens systems against a wider range of threats.

2. Detailed Incident Analysis

The following table provides a summary of the incidents analyzed for this report.

Table 1: Incident Summary (April 28, 2025)

| Date (UTC) | Category | Threat Actor | Victim Organization | Victim Industry | Victim Country |
|---|---|---|---|---|---|
| 2025-04-28T14:38:32Z | Ransomware | akira | Tolerance Masters | Manufacturing | USA |
| 2025-04-28T14:32:07Z | Initial Access | personX | Unidentified | Unidentified | India |
| 2025-04-28T14:17:45Z | Data Leak | labirimt | Unidentified (EV-Sign Global Certs) | Unidentified | Unidentified |
| 2025-04-28T14:13:07Z | Data Breach | wonder | Acuity Insurance | Insurance | USA |
| 2025-04-28T13:00:45Z | Ransomware | RHYSIDA | LaBella Associates | Architecture & Planning | USA |
| 2025-04-28T12:59:22Z | Initial Access | Sofywka | Open Computer Network (OCN) | Network & Telecommunications | Japan |
| 2025-04-28T12:50:20Z | Data Leak | UFO MARKET | EduHub | Education | South Korea |
| 2025-04-28T12:20:22Z | Data Leak | UFO MARKET | Unidentified (Korea RFID Data) | Unidentified | South Korea |
| 2025-04-28T11:40:06Z | Data Leak | UFO MARKET | Unidentified (Vietnam Citizen PII) | Unidentified | Vietnam |
| 2025-04-28T11:27:35Z | Data Leak | Nick Diesel | Megaoffersale & others | E-commerce & Online Stores | India |
| 2025-04-28T10:20:46Z | Ransomware | Gunra | Bioprofarma Bagó S.A. | Healthcare & Pharmaceuticals | Argentina |
| 2025-04-28T08:28:41Z | Data Breach | Unk9vvN | Shopify | E-commerce & Online Stores | Unidentified |
| 2025-04-28T08:25:46Z | Alert | Arab Ghosts Hackers | USA Targeted | Unidentified | USA |
| 2025-04-28T06:57:25Z | Ransomware | Qilin | Whitley Law Firm | Law Practice & Law Firms | USA |
| 2025-04-28T06:13:32Z | Defacement | The Anonymous 71 | Sprint Integrated Solutions Pvt Ltd | Aviation & Aerospace | India |
| 2025-04-28T05:23:49Z | Ransomware | HUNTERS INTERNATIONAL | Minnesota Lawyers Mutual Insurance Company | Insurance | USA |
| 2025-04-28T03:56:19Z | Data Leak | Shinchan | Unidentified (Indonesian Yahoo Users) | Unidentified | Indonesia |
| 2025-04-28T03:42:41Z | Data Leak | Lions8711 | Unidentified (US Credit Cards) | Unidentified | USA |
| 2025-04-28T03:33:49Z | Data Leak | l33tfg | PJM Interconnection, L.L.C | Energy & Utilities | USA |
| 2025-04-28T03:27:06Z | Ransomware | Qilin | RC Manubhai & Co. Pte Ltd | Retail Industry | Fiji |
| 2025-04-28T00:48:38Z | Initial Access | rassvettt | Unidentified (USA Tax Service) | Financial Services | USA |

2.1 Ransomware Incidents

2.1.1 Akira Ransomware Attack on Tolerance Masters (USA, Manufacturing)

  • Incident Summary: The Akira ransomware group posted a claim on their Tor leak site asserting a compromise of Tolerance Masters, a US-based manufacturing entity (tolerancemasters.com). The group alleges the exfiltration of 80 GB of sensitive data, encompassing employee personal details, customer information, financial records such as audits and payments, corporate Non-Disclosure Agreements (NDAs), confidentiality agreements, and other proprietary business documents.
  • Threat Actor Context (Akira):
    • Background & Operations: First identified around March-May 2023 [1], Akira rapidly established itself as a potent ransomware threat. By early 2024, it had impacted over 250 organizations globally, accumulating ransom proceeds estimated at $42 million USD.[2] Akira functions under a Ransomware-as-a-Service (RaaS) model, collaborating with affiliates who execute attacks, and subsequently sharing the extortion profits.[1] Their methodology involves double extortion: they steal sensitive data before encrypting systems, then demand separate payments for data decryption and for ensuring the non-disclosure of the stolen information.[1] Akira utilizes a dedicated leak site on the Tor network to publicly list victims and potentially release exfiltrated data.[1]
    • TTPs: Akira affiliates frequently gain initial access by exploiting vulnerabilities in Virtual Private Network (VPN) services, particularly those lacking Multi-Factor Authentication (MFA). Known Cisco vulnerabilities (CVE-2020-3259, CVE-2023-20269) are commonly targeted vectors.[2] Other observed initial access methods include abusing Remote Desktop Protocol (RDP), spear phishing campaigns, and leveraging compromised valid credentials.[3] Following initial access, Akira actors engage in network reconnaissance using tools like SoftPerfect, Advanced IP Scanner, and native Windows net commands.[3] Credential access techniques include Kerberoasting, dumping credentials from the Local Security Authority Subsystem Service (LSASS) process memory [2], and utilizing tools like Mimikatz and LaZagne.[3] Persistence is often achieved by creating new domain accounts.[3] Defense evasion involves disabling security software, potentially using tools like PowerTool to terminate antivirus processes.[3] Lateral movement across the network precedes data exfiltration, for which tools like FileZilla, WinSCP, RClone, and AnyDesk are employed.[3] In one investigated case, attackers pivoted through an unpatched IoT webcam to bypass Endpoint Detection and Response (EDR) controls.[22]
    • Malware Details: Early Akira ransomware variants were developed in C++ and appended the .akira extension to encrypted files.[2] Starting around August 2023, new variants emerged, including “Megazord” (written in Rust, using the .powerranges extension) and “Akira_v2” (also Rust-based, featuring enhanced capabilities).[2] The ransomware employs a hybrid encryption scheme combining the ChaCha20 stream cipher with RSA public-key cryptography for efficiency and secure key exchange.[2] A key feature is the use of PowerShell commands to delete Volume Shadow Copies (VSS), thereby hindering system recovery efforts.[2] Akira also developed Linux variants specifically designed to target VMware ESXi virtual machines.[3]
    • Targets: While global in scope, Akira has shown a focus on organizations within the United States, particularly in California, Texas, Illinois, and the Northeast.[1] However, they also target entities in the UK, Canada, Australia, New Zealand, and other nations.[1] Common industry verticals include manufacturing, goods and services, construction, education, finance, legal, and healthcare.[1] The attack on Tolerance Masters aligns directly with Akira’s established targeting profile (US-based, Manufacturing sector).
    • Potential Conti Link: Technical analyses have suggested potential links or code similarities between Akira and the defunct Conti ransomware group, which could imply shared developers, affiliates, or inherited operational sophistication.[1]

The repeated emphasis in intelligence reports [2] on Akira’s exploitation of VPN vulnerabilities, especially targeting Cisco devices lacking MFA, strongly suggests this is a primary and successful TTP for the group. This incident involving a US manufacturer likely represents another instance of this tactic. Consequently, organizations must view the security of their VPN infrastructure as a critical control point. Prioritizing the patching of known VPN flaws (such as CVE-2020-3259 and CVE-2023-20269) and the universal enforcement of MFA on all VPN access points is not merely a best practice but an urgent necessity to close a significant, actively exploited pathway used by capable adversaries like Akira.

  • Published URL: https://akiral2iz6a7qgd3ayp3l6yub7xx2uep76idk3u2kollpj5z3z636bad.onion/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/c0bdeaee-6f15-4ffb-989b-2b380ba8485a.png

2.1.2 RHYSIDA Ransomware Attack on LaBella Associates (USA, Architecture & Planning)

  • Incident Summary: The RHYSIDA ransomware group has claimed responsibility for compromising LaBella Associates (labellapc.com), an Architecture & Planning firm located in the United States. The group announced on its Tor leak site that it has obtained the organization’s data and plans to publish it within 6-7 days, implying a deadline for ransom payment.
  • Threat Actor Context (RHYSIDA):
    • Background & Operations: RHYSIDA emerged as a ransomware threat in May 2023.[5] It operates a RaaS model, providing its ransomware tools and infrastructure to affiliates in exchange for a share of the ransom payments.[4] The group presents a unique facade, describing itself as a “cybersecurity team” aiming to highlight security vulnerabilities in victim organizations.[5] RHYSIDA employs double extortion tactics, threatening to publicly release stolen data via its Tor-based leak site if demands are not met.[4] High-profile victims attributed to RHYSIDA include the British Library, Insomniac Games, and the Chilean army.[4] The group’s name and logo are derived from a genus of centipedes.[4] Targeting patterns suggest a possible origin or base of operations within the Commonwealth of Independent States (CIS), as they tend to avoid targeting former Soviet bloc countries.[4]
    • TTPs: Rhysida actors gain initial access through various means, including phishing campaigns [5], exploiting external-facing remote services like VPNs (often using compromised valid credentials, particularly where MFA is absent [11]), and leveraging vulnerabilities such as Zerologon (CVE-2020-1472).[11] Post-compromise, they often deploy frameworks like Cobalt Strike for command and control (C2) and lateral movement.[5] Rhysida affiliates make extensive use of “living off the land” techniques, utilizing legitimate system tools to evade detection. This includes native Windows utilities like PowerShell, RDP for lateral movement [11], PsExec for remote code execution [11], ntdsutil.exe for dumping Active Directory credentials [11], and wevtutil.exe for clearing event logs.[11] Defense evasion tactics may involve terminating antivirus processes, potentially using custom scripts like SILENTKILL.[23]
    • Malware Details: The Rhysida ransomware is typically a 64-bit Portable Executable (PE) Windows application compiled using MINGW/GCC.[6] Early analyses indicated a relative lack of maturity (e.g., version “Rhysida-0.1”), initially missing features like integrated VSS deletion [5], although later reports suggest shadow copies are deleted, possibly via external scripts.[23] The encryption process utilizes a 4096-bit RSA key combined with the ChaCha20 symmetric algorithm.[5] Encrypted files are appended with the .rhysida extension.[5] Uniquely, ransom notes are delivered as PDF documents named “CriticalBreachDetected.pdf” placed in affected folders.[6]
    • Targets: Rhysida is known to strike “targets of opportunity” across diverse sectors, including education, healthcare, manufacturing, information technology, and government.[4] Victims have been identified globally, spanning Western Europe, North and South America, and Australia.[5] This attack against a US-based Architecture & Planning firm is consistent with their opportunistic targeting strategy.

Although Rhysida was a relatively new entrant to the ransomware scene in 2023 [5], it rapidly adopted the standard RaaS operational model, including double extortion [4] and affiliate partnerships.[4] The TTPs employed rely heavily on tools and techniques common across the ransomware landscape, such as Cobalt Strike [5], PsExec [11], phishing [5], compromised credentials [11], and living-off-the-land methods.[11] CISA has even noted similarities between Rhysida’s TTPs and those of the Vice Society group.[23] While initial malware versions might have lacked certain refinements [5], the overall attack playbook aligns with established ransomware practices. This indicates that defending against Rhysida necessitates addressing the common core TTPs prevalent in ransomware attacks, rather than focusing solely on unique indicators. Essential defenses include robust credential management (strong passwords, MFA), effective anti-phishing measures, EDR and network monitoring capable of detecting misuse of tools like Cobalt Strike and PsExec, and comprehensive backup strategies (including offline/immutable backups, as VSS deletion is a common tactic, even if executed via script [23]). The RaaS model implies that affiliate capabilities may vary, but the fundamental tools and strategic approach likely remain consistent.
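The Akira and Rhysida analyses above arrive at the same detection point: the impact-stage commands these affiliates share (shadow copy deletion, ntdsutil dumps of the AD database, event log clearing, new domain accounts) are visible in process-creation telemetry and are worth alerting on regardless of which group is behind them. The following Python is an added example, not code from this report or any vendor: it runs a small rule set over constructed Sysmon-style process-creation events and escalates hosts where more than one technique appears. The sample events, the regex patterns and the technique labels are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a Sysmon Event ID 1 style. These are
# sample records written for this example, not telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-042", "user": "CORP\\jdoe",
     "cmdline": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "DC-01", "user": "CORP\\svc-backup",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"host": "DC-01", "user": "CORP\\svc-backup",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "FS-03", "user": "CORP\\admin2",
     "cmdline": "net user svc_update Spr1ng2025! /add /domain"},
    # Benign look-alikes: an event-log query and a normal Office launch.
    {"host": "FS-03", "user": "CORP\\admin2",
     "cmdline": "wevtutil.exe qe Security /c:5 /rd:true /f:text"},
    {"host": "WS-017", "user": "CORP\\asmith",
     "cmdline": "WINWORD.EXE /n report.docx"},
]

# Each rule is (technique label, compiled pattern). The labels are this
# example's own names, not an official taxonomy.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|win32_shadowcopy.*\bdelete\b", re.I)),
    ("event_log_cleared",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("ad_database_dump",
     re.compile(r"ntdsutil(?:\.exe)?\b.*\bifm\b", re.I)),
    ("domain_account_created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/add\b.*\s/domain\b", re.I)),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    technique: str
    cmdline: str


def match_techniques(cmdline: str) -> list[str]:
    """Return the technique labels whose pattern matches one command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def detect(events) -> list[Alert]:
    """Run every rule over every event; one Alert per (event, technique) hit."""
    return [Alert(ev["host"], ev["user"], tech, ev["cmdline"])
            for ev in events for tech in match_techniques(ev["cmdline"])]


def techniques_by_host(alerts) -> dict[str, set[str]]:
    """Group distinct techniques per host so chains stand out from single hits."""
    grouped: dict[str, set[str]] = {}
    for a in alerts:
        grouped.setdefault(a.host, set()).add(a.technique)
    return grouped


def severity(techniques: set[str]) -> str:
    """Two or more distinct techniques on one host is the impact-stage chain the
    report describes (dump credentials, clear logs, remove recovery points)."""
    return "high" if len(techniques) >= 2 else "medium"


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, techs in techniques_by_host(hits).items():
        print(f"{host}: {severity(techs)} - {', '.join(sorted(techs))}")
```

The benign `wevtutil qe` query and the Office launch fall through untouched, while the domain controller, which shows both a database dump and a cleared Security log, is the one host scored high. In production the same rules would sit in the EDR or SIEM and match on the parsed command-line field rather than on a Python list.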

  • Published URL: http://rhysidafc6lm7qa2mkiukbezh7zuth3i4wof4mh2audkymscjm6yegad.onion/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fd02ca11-9fff-4e42-9a48-d4d4573366b8.png

2.1.3 Gunra Ransomware Attack on Bioprofarma Bagó S.A. (Argentina, Healthcare & Pharmaceuticals)

  • Incident Summary: The Gunra ransomware group has claimed a successful attack against Bioprofarma Bagó S.A. (bioprofarma-bago.com.ar), a pharmaceutical company based in Argentina. According to their post on a Tor leak site, they possess the organization’s data and have set a deadline of May 4, 2025, for its publication, indicating a ransom demand.
  • Threat Actor Context (Gunra):
    • Background & Operations: Available intelligence provides limited specific, verified details about the Gunra group itself. General ransomware trends, activities of other groups (like FunkSec [24], LockBit [25], RansomHub [25]), the prevalence of RaaS models [25], double extortion tactics [25], and commonly observed TTPs [25] are well-documented. One source confirms Gunra’s existence and operation via Tor infrastructure (leak site and chat portal) as of April 2025, but notes the intelligence entry is “under construction”.[32]
    • Inferred TTPs/Model: Based on the incident’s characteristics (claim posted on a Tor leak site, threat to publish exfiltrated data, implied ransom demand) and the established patterns of modern ransomware operations [25], it is highly probable that Gunra operates using a RaaS model and employs double extortion. Their methods likely involve common initial access vectors such as phishing, exploitation of exposed RDP services, or unpatched vulnerabilities, followed by standard post-exploitation activities including network reconnaissance, credential theft, lateral movement, and data exfiltration prior to any encryption deployment.[25] The targeting of a healthcare organization aligns with sectors frequently impacted by ransomware attacks.[1]

The emergence of Gunra and its successful compromise of a healthcare entity, even without extensive public reporting on the group itself, underscores the persistent and pervasive nature of the ransomware threat. The lack of specific intelligence might suggest Gunra is a newer operation, maintains a lower profile, or is possibly a rebrand of a previous entity. However, its core actions—data theft, encryption threat (implied), and use of a leak site—mirror the standard playbook employed by numerous ransomware groups.[25] The broader research highlights the common TTPs used across this threat landscape.[25] This situation emphasizes that organizations cannot afford to wait for detailed intelligence on every newly named ransomware group before taking action. Implementing robust, foundational cybersecurity measures is crucial for defending against the common attack methodologies used by groups like Gunra. Essential defenses include diligent patch management, universal MFA deployment, network segmentation, effective EDR solutions, ongoing user awareness training, and maintaining reliable, tested, offline backups.[26] This incident serves as a reminder that even less “well-known” ransomware groups can pose a significant threat and successfully compromise substantial targets.

  • Published URL: http://gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad.onion/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/eeb9186b-c22b-4076-8888-255ce0c1bc30.png

2.1.4 Qilin Ransomware Attack on Whitley Law Firm (USA, Law Practice & Law Firms)

  • Incident Summary: The Qilin ransomware group has claimed responsibility for an attack targeting Whitley Law Firm (whitleylawfirm.com), a law practice based in the United States. The group asserts it has exfiltrated the firm’s data, providing sample screenshots as proof on its dark web portal. They have indicated an intention to publish the data between May 5 and May 7, 2025, setting a clear deadline for ransom negotiations.
  • Threat Actor Context (Qilin / Agenda):
    • Background & Operations: Qilin, which previously operated under the name Agenda [7], has been active since mid-2022.[8] It functions as a RaaS operation [7], employing double extortion tactics [7] and utilizing a Tor-based Data Leak Site (DLS).[7] Qilin actively recruits affiliates through Russian-language cybercrime forums, with recruitment posts specifying that attacks against CIS countries are prohibited.[7] Reports suggest affiliates receive high commission rates, potentially 80-85% of ransom payments.[8] The group has demonstrated increasing sophistication, potentially collaborating with North Korean state-sponsored actors (identified by Microsoft as Moonstone Sleet) [7], and has even launched an open-web leak site called “WikiLeaksV2” to amplify pressure on victims.[7]
    • TTPs: Qilin affiliates employ multiple initial access vectors, including phishing and spear phishing emails [8], exploitation of exposed applications like Citrix and RDP [12], use of compromised valid credentials [8], and targeting Managed Service Providers (MSPs) through compromised remote management tools like ScreenConnect.[7] Post-exploitation activities involve deploying tools such as Cobalt Strike [9], PsExec [12], and Remote Monitoring and Management (RMM) tools.[12] They engage in credential harvesting, potentially using Group Policy Objects (GPOs) and scripts to steal browser-saved credentials.[8] Network scanning [9], lateral movement via RDP or SSH [12], and data exfiltration using tools like WinRAR [7] or protocols like FTP [9] are common. Defense evasion techniques include clearing event logs, deleting tools after use, utilizing browser incognito mode [7], stopping the Volume Shadow Copy Service (VSS) [7], and potentially using vulnerable SYS drivers.[12]
    • Malware Details: Qilin ransomware exists in variants written in both Golang and Rust [8], enabling attacks against Windows and Linux operating systems, including VMware ESXi environments.[8] The ransomware is highly customizable through an affiliate control panel, allowing operators to tailor attacks.[8] Supported encryption algorithms include AES, ChaCha20, and RSA.[8] Newer iterations, like “Qilin.B,” reportedly use AES-256-CTR and RSA-4096, incorporate enhanced defense evasion features like self-deletion, and specifically target security tools.[8]
    • Targets: Qilin targets a wide array of industries globally, including healthcare, education, critical services, manufacturing, legal and professional services, and financial services.[9] Their attacks have impacted organizations in the US, UK, Canada, Australia, and other nations.[12] This compromise of a US-based law firm aligns with their known targeting of the professional services sector.

The Qilin operation demonstrates considerable sophistication, evidenced by its multi-language malware capabilities (Golang, Rust) [8], the provision of a highly customizable affiliate panel [8], attractive affiliate payout structures [8], and a diverse range of TTPs, including the notable targeting of MSP software like ScreenConnect.[7] The potential involvement of state-sponsored actors [7] further elevates the threat posed by this group. Their ability to target both Windows and Linux/ESXi environments [8] significantly broadens their potential impact. Consequently, defending against Qilin requires a comprehensive strategy. Beyond standard ransomware defenses, organizations must address supply chain risks associated with MSPs [7], secure their virtualization infrastructure (ESXi) [9], monitor for the specific tools Qilin affiliates are known to use (e.g., Cobalt Strike, PsExec, certain RMMs), and anticipate highly customized attacks potentially tailored to their specific environment.[9] The high reported affiliate commissions suggest Qilin attracts skilled operators, increasing the likelihood of successful intrusions against targeted organizations.

  • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=9b08c539-9628-346e-b4bc-50e77c5aac97
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/9d5b2a46-7250-495a-961e-ee094f570294.png

2.1.5 HUNTERS INTERNATIONAL Ransomware Attack on Minnesota Lawyers Mutual Insurance Company (USA, Insurance)

  • Incident Summary: The HUNTERS INTERNATIONAL ransomware group has listed Minnesota Lawyers Mutual Insurance Company (mlmins.com), an insurance provider based in the USA, on its Tor leak site. The group claims to have exfiltrated 383.7 GB of the organization’s data as part of the compromise.
  • Threat Actor Context (HUNTERS INTERNATIONAL):
    • Background & Operations: Hunters International emerged in the latter part of 2023. Code similarities quickly led to speculation that it might be a rebrand or successor to the notorious Hive ransomware operation.[10] Operating as a RaaS group, Hunters International claimed responsibility for over 280 attacks worldwide by early 2025.[10] Their list of notable victims included prominent organizations such as Tata Technologies, AutoCanada, the U.S. Marshals Service, Hoya, Austal USA, Integris Health, and the Fred Hutch Cancer Center.[10] Ransom demands were observed to vary significantly, often correlating with the size and perceived value of the victim organization.[10]
    • Shift to Extortion-Only (‘World Leaks’): Reports indicate that around January 1, 2025, Hunters International ceased its ransomware deployment activities and rebranded as “World Leaks”.[10] This strategic shift was reportedly driven by declining ransomware profitability and increased pressure from law enforcement. The new entity, World Leaks, focuses exclusively on data theft and subsequent extortion, utilizing a custom or upgraded data exfiltration tool (potentially derived from ‘Storage Software’) rather than encrypting victim systems.[10]
    • Malware (Pre-Rebrand): Prior to this reported shift, the Hunters International ransomware was capable of targeting a wide range of operating systems, including Windows, Linux, FreeBSD, SunOS, and VMware ESXi, with support for x64, x86, and ARM architectures.[10] They practiced double extortion, combining encryption with data theft and leak threats.
    • Targets: Hunters International targeted organizations of all sizes across various sectors globally.[10] The compromise of a US-based insurance company aligns with their history of targeting diverse industries.

The reported transformation of Hunters International into the extortion-only “World Leaks” model [10] highlights the dynamic evolution of cyber extortion tactics. Threat groups continuously adapt their strategies based on factors like perceived risk, potential profitability, and the effectiveness of defensive measures. This specific incident, listed under the “HUNTERS INTERNATIONAL Ransomware” name, occurred after the reported January 2025 rebrand date. This discrepancy raises several possibilities: the rebrand information might be inaccurate or the transition incomplete; the attack may have occurred earlier but was posted later; affiliates might have continued using the old branding temporarily; the group might be operating both models; or the intelligence source simply used the more established name. However, the core claim focuses on data exfiltration (383.7 GB), which aligns with the extortion-only model of ‘World Leaks’.[10] This situation underscores the challenges in accurately attributing and tracking the evolution of threat actors. Defenders should prioritize focusing on the observed TTPs—in this case, large-scale data exfiltration—rather than relying solely on the group’s name. The trend towards extortion-only attacks emphasizes the critical need for robust Data Loss Prevention (DLP) capabilities and effective detection mechanisms for anomalous data egress, supplementing traditional anti-encryption defenses. Even without file encryption, the theft and threatened publication of vast amounts of sensitive data, such as 383.7 GB from an insurance company, represents a severe business continuity and reputational risk.
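The egress-detection point made above is easy to state and easy to get wrong in practice, because a single volume threshold either floods on hosts that legitimately move a lot of data or misses a slow leak from a quiet one. As an added example (not code from this report or from any product), the Python below scores each host's outbound volume against its own baseline and separately flags a large transfer to a destination the host has never spoken to. The flow records are constructed for this example, using documentation address ranges, with the spike sized to the 383.7 GB figure cited in the incident; the z-score threshold, the minimum history length and the new-destination byte floor are all assumptions to tune per environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow summaries: (host, day, destination IP, bytes sent).
# Not real telemetry; destinations are RFC 5737 documentation addresses.
SAMPLE_FLOWS = [
    # fs-01: a week of modest egress to one SaaS address ...
    ("fs-01", "2025-04-21", "203.0.113.10", 120_000_000),
    ("fs-01", "2025-04-22", "203.0.113.10", 95_000_000),
    ("fs-01", "2025-04-23", "203.0.113.10", 130_000_000),
    ("fs-01", "2025-04-24", "203.0.113.10", 110_000_000),
    ("fs-01", "2025-04-25", "203.0.113.10", 105_000_000),
    ("fs-01", "2025-04-26", "203.0.113.10", 125_000_000),
    ("fs-01", "2025-04-27", "203.0.113.10", 115_000_000),
    # ... then, on the day under review, 383.7 GB to a never-seen address
    ("fs-01", "2025-04-28", "203.0.113.10", 118_000_000),
    ("fs-01", "2025-04-28", "198.51.100.77", 383_700_000_000),
    # ws-09: heavy but stable egress (video calls) plus a tiny first contact
    # with a new address, which should not be worth an alert on its own
    ("ws-09", "2025-04-21", "203.0.113.20", 1_900_000_000),
    ("ws-09", "2025-04-22", "203.0.113.20", 2_100_000_000),
    ("ws-09", "2025-04-23", "203.0.113.20", 2_000_000_000),
    ("ws-09", "2025-04-24", "203.0.113.20", 2_200_000_000),
    ("ws-09", "2025-04-25", "203.0.113.20", 1_800_000_000),
    ("ws-09", "2025-04-26", "203.0.113.20", 2_000_000_000),
    ("ws-09", "2025-04-27", "203.0.113.20", 2_100_000_000),
    ("ws-09", "2025-04-28", "203.0.113.20", 2_100_000_000),
    ("ws-09", "2025-04-28", "198.51.100.5", 50_000),
    # db-02: internal traffic only, which the egress model ignores entirely
    ("db-02", "2025-04-28", "10.0.0.5", 900_000_000_000),
]

# Assumed internal address space; anything else counts as external egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """{host: {day: bytes}} counting only flows to external destinations."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals


def known_destinations(flows, before_day):
    """External destinations each host contacted on any day before before_day."""
    seen = defaultdict(set)
    for host, day, dst, _ in flows:
        if day < before_day and is_external(dst):
            seen[host].add(dst)
    return seen


def egress_anomalies(flows, day, z_threshold=3.0, min_new_dst_bytes=100_000_000):
    """Flag hosts whose external egress on `day` sits far above their own prior
    days (z-score), or that sent a non-trivial volume to a first-seen address."""
    totals = daily_external_egress(flows)
    known = known_destinations(flows, day)
    today_by_dst = defaultdict(lambda: defaultdict(int))
    for host, d, dst, nbytes in flows:
        if d == day and is_external(dst):
            today_by_dst[host][dst] += nbytes
    findings = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]
        if len(history) < 3:            # too little history to judge this host
            continue
        today = per_day.get(day, 0)
        mu, sigma = mean(history), pstdev(history)
        if sigma > 0:
            z = (today - mu) / sigma
        else:                           # flat baseline: any growth is a step change
            z = float("inf") if today > mu else 0.0
        new_dsts = sorted(dst for dst, b in today_by_dst[host].items()
                          if dst not in known[host] and b >= min_new_dst_bytes)
        if z >= z_threshold or new_dsts:
            findings.append({"host": host, "bytes": today, "baseline_mean": mu,
                             "z": z, "new_destinations": new_dsts})
    return findings


if __name__ == "__main__":
    for f in egress_anomalies(SAMPLE_FLOWS, "2025-04-28"):
        print(f"{f['host']}: {f['bytes']:,} B sent (z={f['z']:.1f}), "
              f"new destinations {f['new_destinations']}")
```

Only fs-01 is reported: its day-of-review volume is thousands of standard deviations above a tight baseline and goes to an address with no history. ws-09, which moves twenty times more data than fs-01 did on a normal day, stays quiet because its own history explains it, and its 50 kB first contact with a new address falls under the byte floor. The same per-host baselining is what makes a DLP or NetFlow alert useful against an extortion-only operator who never touches encryption.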

  • Published URL: https://hunters55rdxciehoqzwv7vgyv6nt37tbwax2reroyzxhou7my5ejyid.onion/companies/5301517712
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/564f1215-c70d-4de5-863c-7b6ce3d6746f.png

2.1.6 Qilin Ransomware Attack on RC Manubhai & Co. Pte Ltd (Fiji, Retail Industry)

  • Incident Summary: The Qilin ransomware group has claimed another victim, this time RC Manubhai & Co. Pte Ltd (rcmanubhai.com.fj), a retail company operating in Fiji. Consistent with their previous claims, such as the one against Whitley Law Firm, Qilin asserts possession of the company’s data and provides sample screenshots on their dark web portal as evidence.
  • Threat Actor Context (Qilin / Agenda): (Detailed context regarding Qilin/Agenda, including Background, TTPs, Malware, RaaS model, and Targets, can be found in section 2.1.4 [7].) This incident involving a Fijian retail company further illustrates the global operational reach of the Qilin RaaS network. While their activity is frequently observed in North America and Europe, this attack demonstrates their capacity and willingness to target organizations in the Asia-Pacific region. The targeting of the retail sector aligns with their broad, opportunistic approach, attacking various industries [12] rather than specializing in a single vertical.

The compromise of a Fijian retail company by Qilin reinforces the global nature and opportunistic targeting strategy common among major RaaS operations. Qilin’s documented attacks span North America, Europe, Australia [12], and now demonstrably include Fiji. This pattern suggests that these groups often pursue “targets of opportunity” [12], exploiting vulnerabilities or gaining access wherever feasible, irrespective of the victim’s geographic location or primary industry, provided the target is not within explicitly excluded regions (like the CIS for Qilin [8]). Therefore, organizations worldwide, regardless of their size, location, or sector, should consider themselves potential targets for sophisticated RaaS groups like Qilin. Geographic isolation or operating outside traditionally targeted industries offers limited protection against such threats. Implementing globally consistent, robust defenses based on cybersecurity best practices—including vulnerability management, strict access controls, and advanced threat detection—is essential.

  • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=e88402d2-f278-3d2e-8ce3-911b8ea3cd42
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/eff8062b-a247-4f82-8362-ce3edd86bbbb.png

2.2 Initial Access Brokerage Incidents

2.2.1 ‘personX’ Offering Access to Unidentified Indian Organization

  • Incident Summary: An actor using the handle ‘personX’ advertised the sale of “full access” to an unnamed organization in India via the Exploit.in cybercrime forum. The advertised access purportedly includes credentials or control over VPN, Domain Admin accounts, SSH, Firewalls, the organization’s AV server, routers, and VMware infrastructure.
  • Threat Actor Context (personX / IABs):
    • ‘personX’ Identity: The term “PersonX” is frequently used as a generic placeholder or anonymized identifier in academic research and technical documentation.[35] However, within the context of a post on the Exploit.in forum, ‘personX’ almost certainly refers to the specific username chosen by the threat actor offering the access for sale. Without additional correlating intelligence linking this username to known campaigns or infrastructure, ‘personX’ should be considered an individual Initial Access Broker (IAB).
    • IAB Operations: IABs represent a specialized segment of the cybercrime ecosystem. They focus on breaching corporate networks and subsequently selling the access they obtain to other malicious actors. Buyers often include ransomware affiliates seeking entry points or state-sponsored groups looking for espionage footholds. IABs employ diverse methods to gain access, such as exploiting known vulnerabilities, conducting phishing campaigns, credential stuffing, or deploying malware. Forums like Exploit.in serve as established marketplaces where IABs advertise their offerings. The level of access claimed by ‘personX’—including VPN, Domain Admin privileges, SSH, and control over virtualization infrastructure (VMware)—indicates a potentially deep and persistent compromise, making this offering highly valuable to subsequent attackers.

The activity of actors like ‘personX’, openly selling comprehensive network access packages (including high-privilege accounts like Domain Admin and control over critical infrastructure like VMware and VPNs) on well-known forums such as Exploit.in, underscores the maturity and commoditization of the underground market for corporate intrusions. Network access itself has become a tradable commodity. Achieving Domain Admin level access, as claimed, suggests the initial compromise was successful in escalating privileges significantly beyond a simple foothold. This commoditization implies that organizations must operate under the assumption that any breach resulting in compromised access could be quickly monetized and transferred to other, potentially more destructive, threat actors like ransomware groups. Consequently, implementing defense-in-depth strategies is critical. This includes not only preventing initial compromise but also robustly monitoring for post-exploitation activities such as lateral movement and privilege escalation, even if initial access vectors appear secured. The existence of a thriving market for access lowers the barrier to entry for sophisticated attacks, as the buyers may not require advanced initial access skills themselves.

  • Published URL: https://forum.exploit.in/topic/258142/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fa3146db-baf2-4128-b1b9-e5c332b4293a.png

2.2.2 ‘Sofywka’ Offering SMTP Access to OCN (Japan)

  • Incident Summary: A threat actor identified as ‘Sofywka’ posted an offer on the XSS.is forum to sell SMTP (Simple Mail Transfer Protocol) access associated with Japan’s Open Computer Network (OCN – ocn.ne.jp). OCN is a major Network & Telecommunications provider in Japan.
  • Threat Actor Context (Sofywka / SMTP Access):
  • ‘Sofywka’ Identity: As with ‘personX’, ‘Sofywka’ is presumed to be the actor’s chosen username on the XSS.is forum. No further information attributing this actor to specific campaigns or groups is available in the provided materials.
  • SMTP Access Significance: Gaining unauthorized access to an organization’s SMTP server allows an attacker to send emails that appear to originate legitimately from that organization’s domain (ocn.ne.jp in this instance). This capability is highly prized by cybercriminals for conducting more convincing phishing campaigns, distributing malware payloads hidden in seemingly legitimate communications, or sending large volumes of spam, all while leveraging the reputation and trust associated with the compromised entity. Targeting a major telecommunications provider like OCN significantly amplifies the potential reach and impact of such malicious activities.

The sale of SMTP access, particularly for a large and reputable network provider like OCN, represents a specific niche within the IAB market. Unlike offers of broad network access, this focuses specifically on compromising and abusing core communication infrastructure. The primary value for a buyer lies in the ability to leverage OCN’s trusted domain (ocn.ne.jp) to increase the success rate of malicious email campaigns targeting OCN’s customers, business partners, or the general public. This highlights the risk posed by compromises of essential communication systems. Organizations must implement strong security controls around their mail server infrastructure, including strict access management, vigilant monitoring for anomalous sending patterns or authentication attempts, and the robust implementation and enforcement of email authentication standards like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to make email spoofing significantly more difficult.
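
As an added example (not part of this report), a small Python checker that parses SPF and DMARC TXT records and flags the settings that leave a sending domain open to spoofing; the two records and their domain names are constructed samples, not DNS data for ocn.ne.jp or any real domain.

```python
"""Grade SPF and DMARC records for spoofing resistance.
Added example; the records below are constructed samples, not live DNS data."""
import re
from dataclasses import dataclass, field

# Constructed sample TXT records for hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example ?all",
        "dmarc": "v=DMARC1; p=none; pct=50",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}


@dataclass
class Finding:
    domain: str
    issues: list = field(default_factory=list)


def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; {} if this is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spf_all_qualifier(txt: str):
    """Return the qualifier on the trailing 'all' mechanism (+, -, ~, ?) or None."""
    if not txt.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", txt, re.IGNORECASE)
    return (match.group(1) or "+") if match else None


def evaluate(domain: str, spf: str, dmarc: str) -> Finding:
    """Collect the weaknesses that let a third party send mail as `domain`."""
    finding = Finding(domain)
    qualifier = spf_all_qualifier(spf)
    if qualifier is None:
        finding.issues.append("spf: no 'all' mechanism (record missing or incomplete)")
    elif qualifier in ("+", "?"):
        finding.issues.append(f"spf: '{qualifier}all' lets any host pass SPF")
    elif qualifier == "~":
        finding.issues.append("spf: '~all' is softfail only; relies on DMARC to act")

    tags = parse_dmarc(dmarc)
    if not tags:
        finding.issues.append("dmarc: record missing or malformed")
        return finding
    policy = tags.get("p", "").lower()
    if policy != "reject":
        finding.issues.append(f"dmarc: p={policy or 'missing'} does not block spoofed mail")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        finding.issues.append(f"dmarc: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        finding.issues.append("dmarc: no rua= address, so abuse of the domain goes unreported")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        finding.issues.append("dmarc: relaxed alignment accepts any subdomain as aligned")
    return finding


def audit(records: dict = SAMPLE_RECORDS) -> dict:
    """Map each domain to its list of issues (empty list means no findings)."""
    return {dom: evaluate(dom, r["spf"], r["dmarc"]).issues for dom, r in records.items()}


if __name__ == "__main__":
    for dom, issues in audit().items():
        print(dom, "->", issues or ["no issues"])
```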

  • Published URL: https://xss.is/threads/136822/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/acfc170a-3cac-4c91-823f-def45a8ceefb.png

2.2.3 ‘rassvettt’ Offering Database Access to US Tax Service

  • Incident Summary: An actor operating under the handle ‘rassvettt’ advertised the sale of database access to an unidentified tax service organization based in the USA. The advertisement, posted on the Exploit.in forum, claims the access provides visibility into highly sensitive client information, including identification documents, tax returns, bank account details, and employment records.
  • Threat Actor Context (rassvettt / Database Access):
  • ‘rassvettt’ Identity: This is likely the threat actor’s username on the Exploit.in forum. No further attribution details are provided in the available intelligence.
  • Database Access Significance: Offering direct database access, especially to a system belonging to a tax service provider, represents a severe security breach. Such databases contain a concentrated wealth of extremely sensitive financial and personal information (tax filings, bank details, government IDs). Selling access to the database, rather than just a static dump of the data, allows potential buyers to perform ongoing data exfiltration, conduct targeted queries for specific individuals, or potentially manipulate data. This type of access is exceptionally valuable for facilitating identity theft, sophisticated financial fraud, targeted extortion attempts, or highly personalized spear-phishing campaigns.

This incident underscores that the IAB market extends beyond selling general network footholds to include direct access to critical data repositories. Tax service providers are particularly attractive targets due to the high concentration and sensitivity of the PII and financial data they process and store. The specific mention of data types like tax returns and bank details significantly increases the perceived value of the access and the potential harm to affected clients. This highlights the immense responsibility and critical need for organizations handling such sensitive information to implement exceptionally robust security measures. Paramount importance must be placed on database security hardening, stringent access controls (including least privilege principles), comprehensive data encryption (both at rest and in transit), and continuous monitoring for any unauthorized access attempts or unusual database query patterns. A compromise of this nature could have devastating and long-lasting consequences for the clients whose data is exposed.

  • Published URL: https://forum.exploit.in/topic/258116/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/13e5a059-156f-4051-a785-3cacec51d51c.png

2.3 Data Leak / Data Breach Incidents

2.3.1 ‘labirimt’ Selling EV-Sign Global Digital Certificates

  • Incident Summary: A threat actor identified as ‘labirimt’ posted an offer on the bhf.pro forum (a platform often associated with the illicit trade of compromised data, potentially related to forums like BreachForums 13) to sell digital certificates purportedly issued by EV-Sign Global.
  • Threat Actor Context (labirimt / Certificate Sales):
  • ‘labirimt’ Identity: This appears to be the actor’s username on the bhf.pro forum. No further specific intelligence is available on this actor.
  • Digital Certificate Significance: The sale of stolen digital certificates, particularly Extended Validation (EV) certificates which require a more rigorous vetting process, poses a significant security risk. Attackers can misuse these certificates to digitally sign malware, making malicious software appear legitimate and potentially allowing it to bypass security controls that rely on code signing verification. Stolen certificates can also be used to impersonate legitimate websites in sophisticated phishing attacks or Man-in-the-Middle (MitM) scenarios, deceiving users into trusting malicious sites. Offering these certificates on illicit forums provides other cybercriminals with tools to enhance the effectiveness and stealth of their campaigns.

Digital certificates serve as a fundamental component of trust infrastructure on the internet, verifying the authenticity of software and websites. The illicit sale of potentially valid (or perhaps recently expired/revoked, but still potentially useful in certain attack scenarios) certificates represents a direct attempt to undermine this trust model. EV certificates are particularly significant due to the stricter validation procedures involved in their issuance, making their compromise potentially more impactful in deceiving users and security systems. This incident highlights the critical importance of securing the entire lifecycle of digital certificates, including issuance, secure storage (e.g., using Hardware Security Modules – HSMs), and timely revocation when compromise is suspected. Organizations must implement secure code signing practices to prevent unauthorized use of their legitimate certificates. Furthermore, security software and web browsers need robust mechanisms to efficiently check certificate validity and revocation status (e.g., via OCSP or CRL). The existence of a market for stolen certificates on forums indicates a demand for tools that help bypass security defenses reliant on trust validation mechanisms.

  • Published URL: https://bhf.pro/threads/706534/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/85b167eb-a0ef-4a59-903c-e494002a8aff.png

2.3.2 ‘wonder’ Selling Acuity Insurance Database (USA, Insurance)

  • Incident Summary: An actor using the handle ‘wonder’ advertised a large database for sale on the Leakbase.io forum. The database allegedly contains 245 million records originating from Acuity Insurance (acuity.com), a mutual insurance company based in the USA. The data is reported to include customer information dating back to 2020.
  • Threat Actor Context (wonder / Large Data Sales):
  • ‘wonder’ Identity: This is the username of the actor on the Leakbase.io forum. No additional details linking this actor to specific groups or campaigns are provided.
  • Large Database Sales: The trafficking of massive databases, such as the 245 million records claimed in this instance, is a common activity on illicit data marketplaces. Insurance companies are highly attractive targets for data thieves due to the vast quantities of sensitive customer PII, policy details, and potentially financial information they hold. While the reported age of the data (dating back to 2020) might slightly diminish its utility for immediate, time-sensitive financial fraud, it remains extremely valuable for longer-term malicious activities like identity theft, large-scale phishing campaigns, social engineering, and customer profiling. Platforms like Leakbase.io act as intermediaries connecting sellers like ‘wonder’ with potential buyers seeking such datasets.

This incident, involving data allegedly compromised in 2020 but being offered for sale in 2025, starkly illustrates the long-term risks and consequences associated with data breaches. Stolen data frequently resurfaces on underground marketplaces years after the initial compromise occurred, demonstrating its enduring value to cybercriminals. Even older datasets containing PII and customer details can be effectively weaponized for various forms of fraud and abuse. The sheer volume claimed (245 million records) suggests a potentially devastating breach impact for Acuity Insurance and its customers. This underscores the need for organizations to recognize that the repercussions of a data breach extend far beyond the immediate incident response phase. Continuous monitoring of illicit forums (such as Leakbase.io, successors to BreachForums 13, and Telegram channels 44) for the appearance of organizational or customer data is a necessary component of a mature security posture. Furthermore, it highlights the importance of robust data minimization and retention policies to limit the potential scope and impact of future data leaks. Customers affected by past breaches remain vulnerable for extended periods.

  • Published URL: https://leakbase.io/threads/usa-acuity-com-mutual-insurance-company-customers-245-million-2020.38282/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/bc9e9d9a-e5c4-4c6e-a080-4c2439dd7d00.png

2.3.3 ‘UFO MARKET’ Selling EduHub Data (South Korea, Education)

  • Incident Summary: The threat actor ‘UFO MARKET’ posted an advertisement on the XSS.is forum offering a database allegedly obtained from EduHub (eduhub.co.kr), an entity related to the education sector in South Korea. The dataset is described as containing 565,550 lines of data (34.1 MB in CSV format), including details such as location phone numbers, full location addresses, business names, service names, and service details. The data was reportedly dumped in April 2025.
  • Threat Actor Context (UFO MARKET):
  • ‘UFO MARKET’ Identity: This actor name appears multiple times within the analyzed JSON data over a short period, consistently advertising large datasets on the XSS.is forum. The data offered originates from South Korea and Vietnam. This pattern suggests ‘UFO MARKET’ is either a highly active individual data broker or represents a group specializing in acquiring and selling compromised data, possibly with a focus on the Asia-Pacific (APAC) region. The name itself evokes the image of a marketplace or vendor persona. While general information about illicit forums 13 and data recycling 44 exists, no direct intelligence links ‘UFO MARKET’ to specific known groups or prior campaigns in the provided snippets.
  • Data Type: For this specific EduHub leak, the data appears focused on business and location information related to educational services, rather than sensitive student PII, although the description is limited. The file size (34.1 MB) is consistent with the claimed line count for structured data.

The multiple listings attributed to ‘UFO MARKET’ within a compressed timeframe, offering distinct datasets from South Korea and Vietnam, strongly indicate the presence of a specialized or particularly prolific data broker operating on the XSS.is forum. Their use of XSS.is, a prominent Russian-speaking cybercrime forum, highlights the global nature of these illicit marketplaces where data from any region can be traded. The variety in the types of data offered by UFO MARKET (business information, vehicle RFID/telematics data, citizen PII) suggests they may employ diverse data acquisition methods or have access to multiple sources of compromised information. This concentration of activity points towards a significant threat actor actively exploiting or sourcing data breaches within the APAC region, particularly South Korea and Vietnam in this reporting period. Organizations operating in these regions should be aware of this actor’s activity. Monitoring specific actors known to be active in relevant geographic areas or industry sectors on key forums like XSS.is can yield valuable, actionable threat intelligence.

  • Published URL: https://xss.is/threads/136819/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/39cc7c02-cf48-4d17-b4b4-4df1720256a7.png

2.3.4 ‘UFO MARKET’ Selling Korea RFID Car Driver Data (South Korea)

  • Incident Summary: In a separate listing on XSS.is, ‘UFO MARKET’ advertised a significantly larger dataset allegedly containing data related to RFID-equipped cars and their drivers in South Korea. This dataset is claimed to comprise 10,310,003 lines (11 GB in CSV format, compressed to 1.17 GB) and includes information such as tire pressure readings, trip distances, and telephone numbers. The data dump date is cited as April 2025.
  • Threat Actor Context (UFO MARKET): (Refer to section 2.3.3 for general context on UFO MARKET). This listing further solidifies UFO MARKET’s activity and apparent focus on acquiring and selling data originating from South Korea. The nature of this data (RFID/vehicle telematics) is distinct from the EduHub business information leak, suggesting access to different types of compromised systems or data sources, potentially related to connected vehicle platforms or associated services.

The sale of this specific type of data—RFID car driver information, including telematics like trip distance and potentially linked phone numbers—signals the increasing focus of cybercriminals on targeting Internet of Things (IoT) devices and connected vehicle ecosystems. This data, while perhaps not immediately usable for direct financial fraud in the same way as credit cards, holds significant value for tracking individuals, detailed profiling, social engineering, and potentially enabling other forms of crime, such as targeted theft or harassment. It underscores the growing need for robust security measures within the entire IoT landscape, including connected vehicles and the platforms that manage their data. Data brokers like UFO MARKET clearly recognize the market value of this information. Manufacturers, service providers, and infrastructure operators involved in connected vehicle ecosystems must prioritize implementing strong security controls to protect vehicle, driver, and operational data from breaches and unauthorized access.

  • Published URL: https://xss.is/threads/136816/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/ee702ec8-ade3-4cde-bda5-c26ec8b17e42.png

2.3.5 ‘UFO MARKET’ Selling Vietnam Citizen PII (Vietnam)

  • Incident Summary: The third observed listing from ‘UFO MARKET’ on the XSS.is forum within this reporting period offers a database containing extensive Personally Identifiable Information (PII) allegedly belonging to 1,010,001 Vietnamese citizens. The data, claimed to have been dumped on April 14, 2025, is provided in CSV format (445 MB total size) and includes a wide range of sensitive details: first name, full name, mobile phone numbers, work phone numbers, national ID numbers (current and former), ID issue date and place, tax number, nationality, Vietnamese name, addresses, country and province names, and postcodes.
  • Threat Actor Context (UFO MARKET): (Refer to section 2.3.3 for general context on UFO MARKET). This listing confirms UFO MARKET’s operational scope extends to Vietnam and involves trafficking in highly sensitive PII. The comprehensive and detailed nature of the data points strongly towards a breach of a major database, potentially held by a government agency or a large corporation responsible for collecting extensive citizen records (e.g., telecommunications provider, major financial institution, national registry).

The availability of such a detailed and extensive dataset of national citizen PII on a public cybercrime forum represents a severe data breach with potentially widespread consequences. The level of detail included (e.g., current and former ID numbers, tax numbers, multiple phone numbers, full addresses) makes this data exceptionally potent for committing identity theft, financial fraud, and targeted social engineering attacks on a mass scale against Vietnamese citizens. The source of such a comprehensive dataset is likely a significant central repository, possibly a government database or a large enterprise mandated to collect this information. This incident highlights the critical risk posed by data thieves targeting national identity databases and large PII repositories. The sale of this data on forums like XSS.is constitutes a significant threat to the national security and personal welfare of the citizens of Vietnam. It underscores the absolute necessity for robust security measures, stringent access controls, and vigilant monitoring to protect national identity databases and similar large-scale PII collections from compromise.

  • Published URL: https://xss.is/threads/136815/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2765ceac-1593-479e-a3d4-a1a52e54a9a3.png

2.3.6 ‘Nick Diesel’ Leaking Data from Multiple Websites (India, E-commerce & others)

  • Incident Summary: An actor identified as ‘Nick Diesel’ announced on the XSS.is forum the leak of data compiled from multiple sources. The primary source is stated as megaoffersale.com, an Indian e-commerce website, contributing 3 million unique lines of data. Additional smaller datasets (ranging from 50,000 to 150,000 unique lines each) are included from u-11.com, dotlines.com.sg (Singapore), flyingdoors.co.uk (UK), and suzukihyperlocal.com.
  • Threat Actor Context (Nick Diesel):
  • ‘Nick Diesel’ Identity: This is the actor’s username on the XSS.is forum. No further specific attribution is available. This actor appears to be involved in leaking data aggregated from several seemingly unrelated websites, suggesting either opportunistic exploitation of multiple targets, participation in data trading circles, or compiling data obtained from various breaches over time.
  • Multi-Source Leaks: Compiling data from disparate breaches into a single leak or sale package is a common practice among data brokers and traders. It can increase the overall size and perceived value of the offering or simply represent the actor’s accumulated collection. While the largest component appears to be from an Indian e-commerce site, the inclusion of domains from the UK and Singapore indicates broader, potentially international, activity or data sourcing.

The actions of ‘Nick Diesel’ demonstrate a common pattern where threat actors aggregate data from multiple, geographically dispersed sources across different industry sectors. This behavior could stem from exploiting common vulnerabilities present on various web platforms (particularly prevalent in e-commerce), purchasing or trading smaller breached datasets and then consolidating them, or actively participating in underground data exchange communities. This highlights that vulnerabilities in widely used web platforms or content management systems can lead to breaches affecting numerous sites globally. Furthermore, it shows how data brokers often bundle data from smaller, less significant breaches together. Consequently, organizations should understand that even if they are not considered a primary high-value target, existing vulnerabilities can still lead to their data being compromised and subsequently included in aggregated leaks offered on illicit forums.

  • Published URL: https://xss.is/threads/136812/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/75e5dec2-c1ee-46ef-9070-3298165c9a63.png

2.3.7 ‘Unk9vvN’ Claiming Shopify Breach (E-commerce)

  • Incident Summary: A group or actor operating under the name ‘Unk9vvN’ made a claim via a Telegram channel asserting that they have breached Shopify, a major global e-commerce platform provider. The provided summary lacks specific details regarding the nature of the breach or the data allegedly compromised.
  • Threat Actor Context (Unk9vvN / Platform Claims):
  • ‘Unk9vvN’ Identity: This is likely the name of the Telegram channel or the handle used by the actor(s) making the claim. Claims posted on platforms like Telegram require careful verification, as it is a common medium for both legitimate threat actor communications and unsubstantiated boasts or misinformation.13
  • Platform Breach Claims: Asserting a breach of a large-scale platform like Shopify carries significant implications due to the vast number of merchants and customers potentially affected. However, such claims frequently require substantial proof (e.g., data samples, technical details of the intrusion) before being considered credible. Without supporting evidence, these claims can sometimes be mere attempts by actors to gain notoriety, inflate their reputation, or potentially run scams. Nevertheless, major platforms like Shopify are perpetually high-value targets for sophisticated adversaries.

Threat actors often target major platforms like Shopify precisely because a successful compromise can yield enormous amounts of valuable data and generate significant disruption or publicity. However, the ease with which claims can be made on platforms such as Telegram 13 necessitates a rigorous verification process. The lack of specific details in the JSON content (“claims to have breached Shopify”) is typical of initial, unconfirmed alerts often disseminated rapidly by intelligence collectors. This situation highlights the need for security teams consuming such intelligence to maintain a healthy skepticism towards unverified claims, especially those made against high-profile targets. Processes must be in place to actively seek corroborating evidence or official statements before acting solely on such preliminary reports. For major platforms like Shopify, the constant threat necessitates continuous, advanced security monitoring and a highly responsive incident management capability due to their inherent attractiveness as targets.

  • Published URL: https://t.me/Unk9vvN/2947
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8c93c79b-7179-409a-b96d-bd3b7152fb34.png

2.3.8 ‘Shinchan’ Leaking Indonesian Yahoo User Credentials (Indonesia)

  • Incident Summary: An actor using the alias ‘Shinchan’ claimed responsibility for leaking a dataset containing email addresses and passwords allegedly belonging to 120,000 Yahoo users in Indonesia. The leak was announced on the Darkforums.st forum, another platform known for hosting illicit data.
  • Threat Actor Context (Shinchan / Credential Leaks):
  • ‘Shinchan’ Identity: This is the username adopted by the actor on the Darkforums.st platform. The act of leaking email and password combinations, often referred to as “combo lists,” is a very common occurrence on dark web forums and illicit marketplaces.
  • Credential Stuffing Risk: Leaks of this nature directly fuel credential stuffing attacks. In these attacks, cybercriminals use automated tools to systematically try the leaked username (email) and password pairs against a wide variety of other online services (e.g., banking, social media, e-commerce). They rely on the common user behavior of password reuse across multiple accounts. Targeting Yahoo users specifically within Indonesia might suggest the data originates from a breach of a regional service that integrated with Yahoo authentication, a localized phishing campaign, or simply reflects the demographic focus of the actor’s collection efforts.

The persistence of leaks like this, even involving older or less prominent email providers like Yahoo Mail within a specific geographic region, continuously feeds the significant threat posed by credential stuffing. Attackers understand that a substantial portion of users reuse passwords across different websites and services.44 The primary value of such leaked credentials often lies not just in accessing the original compromised accounts (e.g., Yahoo Mail) but in gaining unauthorized access to other, potentially more sensitive or valuable accounts where the victim reused the same login combination. This incident serves as a stark reminder of the critical vulnerability created by password reuse. Organizations must enforce policies requiring strong, unique passwords for their systems and strongly encourage or mandate the use of Multi-Factor Authentication (MFA) wherever feasible. Continuous end-user education regarding the dangers of password reuse is also essential.26 Utilizing services like Have I Been Pwned (HIBP) 44 or commercial credential monitoring solutions 45 can help individuals and organizations detect when their credentials have been exposed in such breaches.
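
As an added example (not from this report), detection logic for the credential-stuffing pattern described above, run over constructed authentication log lines in an assumed `timestamp src_ip user result` format: one source cycling through many distinct accounts inside a short window, as opposed to repeated attempts on a single account, with any success inside that spray flagged as a likely reused-password hit.

```python
"""Flag credential-stuffing patterns in authentication logs.
Added example; the log lines and their format are constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ts src_ip user result).
# 203.0.113.7 sprays eight different accounts in eight seconds (stuffing);
# 198.51.100.4 retries one account three times (not stuffing).
SAMPLE_LOG = """\
2025-04-28T10:00:01 203.0.113.7 alice@example.test FAIL
2025-04-28T10:00:02 203.0.113.7 bob@example.test FAIL
2025-04-28T10:00:03 203.0.113.7 dave@example.test FAIL
2025-04-28T10:00:04 203.0.113.7 erin@example.test FAIL
2025-04-28T10:00:05 203.0.113.7 frank@example.test FAIL
2025-04-28T10:00:06 203.0.113.7 grace@example.test SUCCESS
2025-04-28T10:00:07 203.0.113.7 heidi@example.test FAIL
2025-04-28T10:00:08 203.0.113.7 ivan@example.test FAIL
2025-04-28T10:05:00 198.51.100.4 carol@example.test FAIL
2025-04-28T10:05:30 198.51.100.4 carol@example.test FAIL
2025-04-28T10:06:00 198.51.100.4 carol@example.test SUCCESS
"""


def parse_line(line: str):
    """Parse 'ts src_ip user result' into (datetime, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "SUCCESS"


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_distinct_users: int = 5) -> dict:
    """Return {src_ip: alert} for sources that tried at least `min_distinct_users`
    different accounts within any span no longer than `window`.

    Many tries on one account (classic brute force) does not trip this rule on
    purpose; stuffing is recognised by breadth of accounts, not depth per account."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        best_users, best_span = 0, []
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start..end] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            if len(users) > best_users:
                best_users, best_span = len(users), span
        if best_users >= min_distinct_users:
            alerts[ip] = {
                "distinct_users": best_users,
                "failures": sum(1 for e in best_span if not e[3]),
                # a success amid a spray of failures is a probable reused-password hit;
                # these accounts are candidates for forced reset and MFA enrolment
                "compromised_accounts": sorted(e[2] for e in best_span if e[3]),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```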

  • Published URL: https://darkforums.st/Thread-120K-INDONESIAN-COMPANY-YAHOO-ACCOUNTS-email-password
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/fdaa220d-e18e-493e-83ed-8dfbb2acc180.png

2.3.9 ‘Lions8711’ Selling US Credit Card Data (USA)

  • Incident Summary: An actor identified as ‘Lions8711’ advertised a database containing US credit card details for sale on the Exploit.in forum. The data is claimed to be comprehensive, including card numbers, expiration dates, CVV codes, cardholder names, billing addresses (including city, state, ZIP code), and phone numbers.
  • Threat Actor Context (Lions8711 / Carding):
  • ‘Lions8711’ Identity: This is the username of an actor engaged in “carding,” which is the illicit trafficking of stolen payment card data. Exploit.in is a known marketplace where such activities occur.
  • Carding Market: The sale of complete credit card details, often referred to as “fullz” in underground communities, enables immediate financial fraud. The inclusion of the Card Verification Value (CVV) code, along with billing address and phone number (Address Verification System – AVS data), significantly increases the data’s usability for fraudulent online transactions (“card-not-present” fraud) or potentially for cloning physical cards. This type of data typically originates from breaches of e-commerce websites, compromises of payment processors, malware infections on point-of-sale (POS) systems, or successful phishing campaigns targeting cardholders.

Despite significant advancements in payment security technologies (such as EMV chip cards) and fraud detection systems, the underground market for stolen credit card data continues to thrive. Actors like Lions8711 cater to a persistent demand from criminals seeking to commit direct financial fraud. The availability of “fullz” that include sensitive data like CVV codes indicates that attackers are still successfully breaching systems where this information is stored or processed, potentially circumventing security measures designed to protect it (e.g., non-storage of CVV post-authorization). Protecting payment card data remains a critical security obligation for merchants, processors, and financial institutions, often governed by rigorous standards like the Payment Card Industry Data Security Standard (PCI DSS). Breaches that expose full card data can result in substantial financial losses for consumers, merchants, and issuing banks, alongside severe reputational damage and potential regulatory fines for the compromised entity. Continuous monitoring of carding forums and marketplaces can assist financial institutions in identifying compromised card numbers and proactively mitigating fraudulent activity.

  • Published URL: https://forum.exploit.in/topic/258123/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/7cd5a0b7-df37-44f1-be7e-88bd771fe535.png

2.3.10 ‘l33tfg’ Leaking PJM Interconnection Data (USA, Energy & Utilities)

  • Incident Summary: An actor using the handle ‘l33tfg’ claimed on the Darkforums.st forum to have leaked a database containing over 4,000 entries originating from PJM Interconnection, L.L.C (pjm.com). PJM is a major Regional Transmission Organization (RTO) responsible for operating a significant portion of the electric grid in the Eastern United States.
  • Threat Actor Context (l33tfg / Critical Infrastructure):
  • ‘l33tfg’ Identity: This is the username chosen by the actor on the forum. The handle itself (“l33t” being leetspeak for “elite”) suggests a traditional hacker persona.
  • Critical Infrastructure Target: PJM Interconnection represents critical national infrastructure, playing a vital role in the reliability of the US power grid. Any security incident or data leak involving such an entity is inherently concerning, regardless of the apparent size (4,000 entries in this claim). The specific nature of the leaked “database entries” is not detailed in the summary, but could potentially include user credentials, employee information, operational data, network details, or other sensitive information. Leaking data from a critical infrastructure operator could be motivated by various factors, including financial gain (selling valuable data), hacktivism (disrupting or embarrassing the organization), or state-sponsored espionage aimed at intelligence gathering or preparing for future disruptive cyberattacks.

Any reported breach or data leak involving operators of critical infrastructure, such as the electric grid managed by PJM, demands significant attention and investigation.15 Even a seemingly small leak of 4,000 entries could potentially expose sensitive operational procedures, employee details useful for targeted spear-phishing attacks, technical information about systems, or credentials that could facilitate deeper network penetration. The motivation of an actor like ‘l33tfg’ leaking such data on a public dark web forum remains unclear but carries potentially serious implications due to the target’s critical nature. This incident underscores the heightened security requirements for critical infrastructure entities. Data leaks, even those appearing minor initially, must be thoroughly investigated to ascertain the exact scope, the sensitivity of the exposed data, and the potential risk for follow-on attacks or operational disruptions. Close collaboration between the targeted entity, relevant government agencies (like CISA), and threat intelligence providers is crucial in responding to such threats.

  • Published URL: https://darkforums.st/Thread-PJM-Interconnection-LLC-DATA-LEAK-LARGEST-POWERGRID-IN-AMERICA
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/63ba1597-46a4-4faf-ae6c-64a35029803d.png

2.4 Alerts & Defacements

2.4.1 Arab Ghosts Hackers Targeting USA

  • Incident Summary: The group identifying itself as ‘Arab Ghosts Hackers’ posted a message on their Telegram channel indicating that they are actively targeting the United States. The alert is general in nature and does not specify particular targets or planned actions.
  • Threat Actor Context (Arab Ghosts Hackers / Hacktivism):
      • Identity & Motivation: ‘Arab Ghosts Hackers’ appears to operate as a hacktivist collective. Their name and stated target (USA) suggest motivations rooted in political or ideological factors, likely connected to Middle Eastern geopolitics, conflicts involving Arab nations, or perceived grievances against US foreign policy.15 Hacktivist groups frequently use platforms like Telegram for public announcements, recruitment, and coordination.16 Their typical activities include Distributed Denial of Service (DDoS) attacks aimed at disrupting websites, website defacements to spread propaganda messages, and leaking potentially sensitive data to embarrass or harm targeted entities.15 While some hacktivist groups strictly adhere to ideological goals 16, the distinction between hacktivism and financially motivated cybercrime can sometimes become blurred.24 The use of names referencing specific regions or causes (e.g., “Arab,” “Ghosts,” or groups supporting Palestine) is a common characteristic of such collectives.16

This type of alert exemplifies the often vague but potentially disruptive threats issued by hacktivist groups. While lacking actionable specifics regarding targets or methods, it serves as a signal of intent and reflects ongoing geopolitical tensions manifesting in the cyber domain.15 Groups like Arab Ghosts Hackers use such announcements to potentially rally supporters, intimidate perceived adversaries (in this case, entities associated with the USA), or claim relevance in ongoing conflicts. The underlying motivation is likely tied to specific international events or broader political stances concerning US involvement in the Middle East.16 Although difficult to act upon directly due to their lack of specificity, these general threats contribute valuable context to the overall threat landscape awareness. Organizations, particularly government agencies, diplomatic missions, or corporations perceived as representing US interests, should maintain heightened vigilance, especially during periods of increased international tension related to the group’s stated focus. Monitoring known hacktivist communication channels, including Telegram, can provide early, albeit sometimes non-specific, warnings of potential campaigns.

  • Published URL: https://t.me/ArabGhostsHackers/41
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a39f8f3c-54e4-4dd0-bfc3-d98a365679da.png

2.4.2 The Anonymous 71 Defacing Sprint Integrated Solutions (India, Aviation & Aerospace)

  • Incident Summary: A group calling itself ‘The Anonymous 71’ claimed via a Telegram message to have successfully defaced the website of Sprint Integrated Solutions Pvt Ltd (sprintint.in). This company is based in India and operates within the Aviation & Aerospace sector.
  • Threat Actor Context (The Anonymous 71 / Hacktivism):
      • Identity & Motivation: The group’s name clearly co-opts the branding of the well-known decentralized hacktivist collective ‘Anonymous’ 47, likely to gain visibility and associate with its anti-establishment image. The inclusion of ’71’ is often used by groups with connections to Bangladesh, referencing the 1971 Bangladesh Liberation War. This strongly suggests a potential Bangladeshi origin or a focus on issues related to Bangladesh-India relations. Hacktivist activity originating from Bangladesh, often targeting Indian websites due to political tensions, historical grievances, or specific incidents, has been documented with groups like ‘Mysterious Team Bangladesh’ 17 and the historical ‘Bangladesh Black Hat Hackers’.18 Website defacement is a classic and common tactic employed by hacktivist groups worldwide to deliver political messages, protest actions, or simply demonstrate capability.15 The motivation behind this specific attack is likely political or nationalistic, targeting an Indian company website.

This incident appears to represent ongoing regional hacktivist activity, potentially stemming from the complex political relationship between Bangladesh and India.17 The selection of an Aviation & Aerospace company might be symbolic, related to a specific grievance, or simply opportunistic, targeting a website found to be vulnerable. Website defacement primarily serves as a tool for propaganda, digital protest, or public embarrassment.15 By leveraging the ‘Anonymous’ brand 47, the group seeks broader recognition, while the ’71’ likely signals a specific regional identity or political alignment. This highlights the need for organizations, especially those operating in regions with known political sensitivities or historical conflicts, to maintain robust website security against the threat of defacement. While often less financially damaging than ransomware or major data breaches, defacements cause reputational harm, disrupt online presence, and crucially, indicate underlying security weaknesses that could potentially be exploited by other, more malicious actors. Monitoring the activities and communications of regional hacktivist groups can help organizations anticipate potential targeting or campaigns.

  • Published URL: https://t.me/TAMBC_71BCD/504
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/f62d0a9c-da2f-4492-88c7-276b320fcbac.png

3. Concluding Remarks & Strategic Recommendations

Summary of Threats: The 24-hour period ending April 28, 2025, presented a multifaceted threat landscape. Key characteristics included the continued dominance of Ransomware-as-a-Service (RaaS) operations like Akira, RHYSIDA, Qilin, Hunters/World Leaks, and Gunra, consistently employing double extortion tactics. A vibrant illicit marketplace for compromised data and network access thrived on cybercrime forums (Exploit.in, XSS.is, etc.) and messaging platforms, facilitated by brokers and data traders such as UFO MARKET, personX, and wonder. Concurrently, geopolitically motivated hacktivist groups like Arab Ghosts Hackers and The Anonymous 71 conducted disruptive activities. Significant threats were observed against organizations in Manufacturing, Insurance, Healthcare, Legal, Energy, and Architecture & Planning sectors, predominantly impacting the USA but also demonstrating global reach into Argentina, Fiji, India, Japan, South Korea, and Vietnam.

Key Trends & Risks:

  • Exploitation of Perimeter Weaknesses: Threat actors persistently target vulnerabilities in external-facing systems, particularly VPNs, often exploiting configurations lacking MFA. This remains a primary initial access vector for major ransomware groups.2
  • Data as the Primary Target: The core objective for many actors is the acquisition and monetization of sensitive data. This manifests through data exfiltration preceding ransomware deployment 1, dedicated extortion-only models 10, and the direct sale of stolen databases on illicit markets.
  • Commodification of Access: The IAB market continues to mature, making compromised network access readily available for purchase. This lowers the barrier to entry for sophisticated attacks, as end-stage attackers can bypass the initial intrusion phase.
  • RaaS Sophistication and Adaptability: Leading RaaS groups like Qilin exhibit advanced capabilities, including developing malware for multiple operating systems (Windows, Linux/ESXi) and targeting supply chain elements like MSP software.7 Groups also demonstrate adaptability, such as Hunters International’s reported shift to an extortion-only model.10
  • Blurred Lines: The motivations and tactics of threat actors can be complex, with lines blurring between financially driven cybercrime and ideologically motivated hacktivism 24, complicating attribution and defensive prioritization.

Actionable Recommendations:

Based on the observed threats and trends, organizations should prioritize the following strategic actions:

  1. Strengthen Perimeter Security: Aggressively patch known exploited vulnerabilities, particularly in VPN appliances (e.g., Cisco CVEs exploited by Akira 2) and other internet-facing services like RDP and Citrix.3 Mandate and enforce MFA for all remote access, administrative accounts, critical systems, and cloud service logins.2
  2. Enhance Endpoint and Network Detection & Response: Deploy and maintain advanced EDR solutions configured to detect and block common ransomware behaviors, such as process injection, attempts to access LSASS memory for credential dumping 2, and the deletion of Volume Shadow Copies.2 Implement robust network monitoring to detect suspicious use of legitimate tools often abused for lateral movement and execution (e.g., PowerShell, PsExec 11, RDP 11) and network scanning activities.2 Utilize network segmentation to contain the spread of intrusions.11
  3. Protect Data Assets: Implement granular data access controls based on the principle of least privilege. Encrypt sensitive data both at rest and in transit. Deploy effective Data Loss Prevention (DLP) technologies capable of detecting and alerting on or blocking large-volume or anomalous data exfiltration attempts, recognizing the threat of extortion-only attacks.10 Maintain a rigorous backup strategy, ensuring backups are stored securely offline or immutably, regularly tested for restorability, and protected from ransomware targeting VSS.2
  4. Manage Credentials Securely: Enforce policies requiring strong, unique passwords across all accounts. Implement solutions or processes to monitor for organizational credentials appearing in publicly leaked datasets 44 and ensure timely remediation (password reset, account review) for exposed accounts. Secure Active Directory environments against common attacks like Kerberoasting 2 and protect sensitive files like the NTDS.dit database.11
  5. Address Supply Chain Risk: Conduct thorough security vetting of third-party vendors and Managed Service Providers (MSPs). Pay close attention to the security of remote access tools they use to connect to organizational environments, as these can be targeted (e.g., ScreenConnect compromise linked to Qilin 7).
  6. Maintain User Awareness: Conduct regular security awareness training focused on recognizing phishing emails 5, understanding the risks associated with downloading files or clicking links from unknown sources, and reinforcing the critical importance of not reusing passwords across different services.44
  7. Ensure Incident Response Preparedness: Develop, maintain, and regularly test a comprehensive incident response plan tailored to address various scenarios, including ransomware attacks, major data breaches, and extortion demands.30 The plan should cover technical containment and eradication, legal considerations, internal and external communications strategies, and potential engagement with third-party forensic or negotiation specialists.33
  8. Leverage Threat Intelligence: Actively monitor relevant threat intelligence feeds, dark web forum activity 13, and hacktivist communication channels.16 Use this intelligence to understand threats targeting the organization’s specific industry sector or geographic region and to inform defensive priorities and threat hunting activities.
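Recommendation 2 is the one most directly turned into detection logic. The following added example (not from the report or from any vendor product) runs simple rules over constructed Sysmon-style process-creation and process-access records to flag shadow-copy deletion, LSASS memory reads by non-allowlisted processes, and PsExec or encoded-PowerShell execution; the hostnames, image paths, allowlist and sample events are all constructed assumptions.

```python
"""Flag the ransomware precursor behaviours named in recommendation 2.

Added example, not from the report. Event records follow the shape of Sysmon
Event ID 1 (process create) and Event ID 10 (process access); all sample data
below is constructed.
"""
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Win32 access right required to read another process's memory

# Processes that legitimately open LSASS on a typical host (constructed; tune per estate).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# (rule name, compiled command-line pattern)
COMMAND_LINE_RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("psexec_remote_exec", re.compile(r"\bpsexec(64)?(\.exe)?\b.*\\\\\S+", re.I)),
    ("powershell_encoded_command", re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
]


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def analyse_process_create(ev):
    """Event ID 1 style record: match the command line against every rule."""
    cmd = ev.get("CommandLine", "")
    return [Finding(ev["Computer"], name, cmd) for name, rx in COMMAND_LINE_RULES if rx.search(cmd)]


def analyse_process_access(ev):
    """Event ID 10 style record: a non-allowlisted image reading LSASS memory."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    src = ev.get("SourceImage", "").lower()
    if granted & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
        return [Finding(ev["Computer"], "lsass_memory_read", f"{src} GrantedAccess={ev['GrantedAccess']}")]
    return []


def triage(events):
    """Route each event to the analyser for its type and collect all findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            findings.extend(analyse_process_create(ev))
        elif ev["EventID"] == 10:
            findings.extend(analyse_process_access(ev))
    return findings


# Constructed sample telemetry (hostnames, paths and the base64 fragment are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-0412", "CommandLine": r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Computer": "WS-0412", "CommandLine": r"wmic.exe shadowcopy delete"},
    {"EventID": 1, "Computer": "WS-0412", "CommandLine": r"PsExec.exe -s \\FS-01 cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "WS-0412", "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"EventID": 1, "Computer": "WS-0099", "CommandLine": r"C:\Windows\System32\vssadmin.exe list shadows"},  # benign
    {"EventID": 10, "Computer": "WS-0412", "SourceImage": r"C:\Users\Public\unknown.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "Computer": "WS-0099", "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1478"},  # allowlisted
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.evidence}")
```

Run over the constructed sample, every finding lands on WS-0412 while the benign shadow-copy listing and the allowlisted LSASS access on WS-0099 are left alone.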

Works cited

  1. Akira Ransomware – HHS.gov, accessed April 28, 2025, https://www.hhs.gov/sites/default/files/akira-randsomware-analyst-note-feb2024.pdf
  2. #StopRansomware: Akira Ransomware – Internet Crime Complaint Center, accessed April 28, 2025, https://www.ic3.gov/CSA/2024/240418.pdf
  3. #StopRansomware: Akira Ransomware | CISA, accessed April 28, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a
  4. Rhysida (hacker group) – Wikipedia, accessed April 28, 2025, https://en.wikipedia.org/wiki/Rhysida_(hacker_group)
  5. Rhysida | SentinelOne, accessed April 28, 2025, https://www.sentinelone.com/anthology/rhysida/
  6. rhysida-ransomware-sector-alert-tlpclear.pdf – HHS.gov, accessed April 28, 2025, https://www.hhs.gov/sites/default/files/rhysida-ransomware-sector-alert-tlpclear.pdf
  7. Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream, accessed April 28, 2025, https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/
  8. Qilin Ransomware – Blackpoint Cyber, accessed April 28, 2025, https://blackpointcyber.com/wp-content/uploads/2025/01/Qilin-3.pdf
  9. Qilin Ransomware: Detection and Analysis – Darktrace, accessed April 28, 2025, https://www.darktrace.com/blog/a-busy-agenda-darktraces-detection-of-qilin-ransomware-as-a-service-operator
  10. Hunters International shifts from ransomware to pure data extortion, accessed April 28, 2025, https://www.bleepingcomputer.com/news/security/hunters-international-rebrands-as-world-leaks-in-shift-to-data-extortion/
  11. #StopRansomware: Rhysida Ransomware | CISA, accessed April 28, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
  12. qilin-threat-profile-tlpclear.pdf – HHS.gov, accessed April 28, 2025, https://www.hhs.gov/sites/default/files/qilin-threat-profile-tlpclear.pdf
  13. Breach Forums | Flashpoint, accessed April 28, 2025, https://flashpoint.io/intelligence-101/breach-forums/
  14. Ransomware Review: First Half of 2024 – Unit 42, accessed April 28, 2025, https://unit42.paloaltonetworks.com/unit-42-ransomware-leak-site-data-analysis/
  15. From Hacktivists to Cyberterrorists: Understanding Modern Motivations – SOCRadar® Cyber Intelligence Inc., accessed April 28, 2025, https://socradar.io/hacktivists-to-cyberterrorists-understanding-modern-motivations/
  16. Caught in the Crossfire : How International Relationships Generate Cyber Threats – cyfirma, accessed April 28, 2025, https://www.cyfirma.com/research/caught-in-the-crossfire-how-international-relationships-generate-cyber-threats/
  17. Hacktivist Group: Mysterious Team Bangladesh – Radware, accessed April 28, 2025, https://www.radware.com/cyberpedia/ddos-attacks/hacktivist-group-mysterious-team-bangladesh/
  18. Bangladesh Black Hat Hackers – Wikipedia, accessed April 28, 2025, https://en.wikipedia.org/wiki/Bangladesh_Black_Hat_Hackers
  19. Hacktivist Collective “Mysterious Team Bangladesh” Revealed – Infosecurity Magazine, accessed April 28, 2025, https://www.infosecurity-magazine.com/news/mysterious-team-bangladesh-revealed/
  20. CISA and Partners Release Advisory on Akira Ransomware, accessed April 28, 2025, https://www.cisa.gov/news-events/alerts/2024/04/18/cisa-and-partners-release-advisory-akira-ransomware
  21. Ransomware Trends | Red Canary Threat Detection Report, accessed April 28, 2025, https://redcanary.com/threat-detection-report/trends/ransomware/
  22. Ransomware Group Hacks Webcam to Evade Endpoint Defenses – BankInfoSecurity, accessed April 28, 2025, https://www.bankinfosecurity.com/ransomware-group-hacks-webcam-to-evade-endpoint-defenses-a-28078
  23. Ransomware Spotlight: Rhysida | Trend Micro (US), accessed April 28, 2025, https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-rhysida
  24. FunkSec – Alleged Top Ransomware Group Powered by AI – Check Point Research, accessed April 28, 2025, https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
  25. 2025 Ransomware: Business as Usual, Business is Booming | Rapid7 Blog, accessed April 28, 2025, https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/
  26. LockBit: The World’s Most Active Ransomware Group – Flashpoint, accessed April 28, 2025, https://flashpoint.io/blog/lockbit/
  27. Extortion and Ransomware Trends January-March 2025 – Unit 42, accessed April 28, 2025, https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/
  28. The New Face of Ransomware: Key Players and Emerging Tactics of 2024 – Trustwave, accessed April 28, 2025, https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-new-face-of-ransomware-key-players-and-emerging-tactics-of-2024/
  29. DarkSide Ransomware as a Service (RaaS) – United States Department of State, accessed April 28, 2025, https://www.state.gov/darkside-ransomware-as-a-service-raas/
  30. Understanding, Preventing, and Responding to a Ransomware Attack – Flashpoint, accessed April 28, 2025, https://flashpoint.io/intelligence-101/ransomware/
  31. Top 10 Ransomware TTPs | Arctic Wolf, accessed April 28, 2025, https://arcticwolf.com/resources/blog-uk/top-10-ransomware-ttps/
  32. Gunra Ransomware | WatchGuard Technologies, accessed April 28, 2025, https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/gunra
  33. SANS Ransomware Summit 2025 – SANS Institute, accessed April 28, 2025, https://www.sans.org/cyber-security-training-events/ransomware-summit-2025/
  34. GOLD FEATHER | Threat Profile Detail – Secureworks, accessed April 28, 2025, https://www.secureworks.com/research/threat-profiles/gold-feather
  35. PEACOK: Persona Commonsense Knowledge for Consistent and Engaging Narratives – ACL Anthology, accessed April 28, 2025, https://aclanthology.org/2023.acl-long.362.pdf
  36. Hybrid Knowledge Architectures for Question Answering – Language Technologies Institute, accessed April 28, 2025, https://www.lti.cs.cmu.edu/people/alumni/alumni-thesis/ma-kaixin-thesis.pdf
  37. Emails being moved to Deleted Items by Unknown Mechanism : r/Office365 – Reddit, accessed April 28, 2025, https://www.reddit.com/r/Office365/comments/191tzfy/emails_being_moved_to_deleted_items_by_unknown/
  38. Open-Orca/SlimOrca · Datasets at Hugging Face, accessed April 28, 2025, https://huggingface.co/datasets/Open-Orca/SlimOrca
  39. LLaMA-Factory/data/kto_en_demo.json at main – GitHub, accessed April 28, 2025, https://github.com/hiyouga/LLaMA-Factory/blob/main/data/kto_en_demo.json
  40. Recognizing Affective Events and Embodied Emotions in Natural Language, accessed April 28, 2025, http://www2.cs.arizona.edu/~riloff/pdfs/YuanZhuang-Dissertation.pdf
  41. Knowledge-enhanced Representation Learning for Multiview Context Understanding – Language Technologies Institute, accessed April 28, 2025, https://www.lti.cs.cmu.edu/people/alumni/alumni-thesis/francis-jonathan-thesis.pdf
  42. AI & Society – American Academy of Arts and Sciences, accessed April 28, 2025, https://www.amacad.org/sites/default/files/daedalus/downloads/Daedalus_Sp22_AI%20%26%20Society_2.pdf
  43. Automation is reaching more companies | Hacker News, accessed April 28, 2025, https://news.ycombinator.com/item?id=29984833
  44. ALIEN TXTBASE data-dump analysis: Dangerous or junk? – Specops Software, accessed April 28, 2025, https://specopssoft.com/blog/alien-txtbase-data-dump-analysis/
  45. Telegram Cyber Threat Intelligence (CTI) Threat Actor channels – Breachsense, accessed April 28, 2025, https://www.breachsense.com/threat-actor-channels/
  46. Ghost Squad Hackers – Modem Mischief Podcast, accessed April 28, 2025, https://www.modemmischief.com/episodes/episode-44-ghost-squad-hackers
  47. Anonymous (hacker group) – Wikipedia, accessed April 28, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  48. What is Anonymous hacking group? The Digital Activism Movement, accessed April 28, 2025, https://cyberpedia.reasonlabs.com/EN/anonymous%20hacking%20group.html
  49. How to Run a Ransomware Tabletop Exercise [+ Scenarios] – AlertMedia, accessed April 28, 2025, https://www.alertmedia.com/blog/ransomware-tabletop-exercise/
  50. Incident Response Service – Palo Alto Networks, accessed April 28, 2025, https://www.paloaltonetworks.com/unit42/respond/incident-response