[April-30-2025] Daily Cybersecurity Threat Report

Introduction

This report details significant cybersecurity incidents observed and reported on April 30, 2025. The information is compiled from various sources, including open web, dark web forums, and messaging platforms like Telegram. Today’s activity highlights the continued prevalence of ransomware operations, particularly Ransomware-as-a-Service (RaaS) models targeting diverse sectors globally. Hacktivism remains a notable threat vector, with campaigns linked to geopolitical tensions and ideological motivations resulting in data breaches and website defacements. Furthermore, the cybercrime ecosystem shows sustained activity through the sale of initial access and specialized tooling designed to facilitate attacks.

Ransomware Incidents

Ransomware continues to be a dominant threat, with multiple groups claiming victims across various industries and regions. The Ransomware-as-a-Service (RaaS) model enables widespread attacks, leveraging affiliates to conduct intrusions and deploy encryption payloads.

Qilin (Agenda) Ransomware Campaign

The Qilin ransomware group, also known as Agenda, demonstrated significant activity, claiming multiple victims primarily in the United States and Italy. Qilin emerged in July 2022 and operates a sophisticated RaaS platform, recruiting affiliates often from Russian-speaking forums [1]. The group employs double extortion tactics, encrypting victim data and threatening to leak exfiltrated sensitive information on their dedicated leak site if the ransom is not paid [1].

Qilin affiliates utilize various initial access vectors, including phishing emails and the exploitation of vulnerabilities in public-facing services such as Citrix, RDP, and Fortinet devices [1]. Post-compromise, they leverage tools like Cobalt Strike, PsExec, and native Windows utilities (WMI) for lateral movement and privilege escalation [2]. Qilin is known for advanced evasion techniques, such as disabling security tools, rebooting systems into Safe Mode, deleting Volume Shadow Copies to inhibit recovery, and employing DLL sideloading or Bring-Your-Own-Vulnerable-Driver (BYOVD) attacks to bypass EDR solutions [2]. Their ransomware, initially written in Go and later evolving to Rust, offers customizable encryption modes and targets a wide range of file types across Windows and Linux systems [1]. Qilin frequently targets critical infrastructure, healthcare, manufacturing, education, and financial sectors [2].

The following organizations were listed as victims by Qilin on April 30, 2025:

  • DFL S.R.L (Italy, Wholesale): Qilin claims to have obtained 205 GB of data, including Italian national electronic IDs, financial reports, balance sheets, and GDPR privacy notices. The group threatens publication by May 11, 2025.
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=b8be14ef-e167-303d-9d90-5d17c873481c
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/824102f4-9306-4c0e-b443-5527087fec6a.png
  • 1st Health Inc. (USA, Hospital & Health Care): The group claims data compromise, providing sample screenshots on their dark web portal. This aligns with Qilin’s known targeting of the healthcare sector [2].
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=f3817763-cb53-35af-8a18-ea9f06b7c77f
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/c5d269f2-5a98-4dd5-9496-d2bc397c80b3.png
  • Mossy Oak (USA, Retail Industry): Data compromise claimed, with sample screenshots available on their portal.
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=1a8f11e2-57fd-3508-adc8-243c411f4cf9
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/718e40db-1280-4163-a022-90ad27d45d06.png
  • De la Cruz Interior Design (USA, Architecture & Planning): Data compromise claimed, with sample screenshots available.
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=eac2384b-79ce-3d39-8ea0-230d1b534fb3
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/8a1bccb1-cbda-4917-8816-1122b2ef3350.png
  • Boston Conveyor & Automation (USA, Industrial Automation): Data compromise claimed, with sample screenshots available.
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=fcf9f0fe-7e41-39c0-8b1f-6653badad89b
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/309a5320-9d7f-490b-960a-9025de9eea0c.png
  • Rock Falls Elementary School District 13 (USA, Education): Data compromise claimed, with sample screenshots available. This aligns with Qilin’s known targeting of the education sector [2].
    • Published URL: http://ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion/site/view?uuid=0b6b36e3-71fb-34e3-a9cf-7a40f0cc94bb
    • Screenshot: https://d34iuop8pidsy8.cloudfront.net/961ce175-2721-4b4e-9bd6-55a99b9c3631.png

The high volume of victims posted by Qilin underscores the efficiency and reach of its RaaS operation, posing a significant threat to organizations across multiple sectors, particularly those holding sensitive data or operating critical services.

LYNX Ransomware Attack

The LYNX ransomware group claimed Penn Emblem Company (USA, Manufacturing) as a victim. LYNX emerged in mid-2024 and operates as a RaaS group, believed to be a rebranded version of the INC ransomware due to significant code similarities [6]. The group provides affiliates with a structured platform and tools, including ransomware builds for Windows, Linux, and ESXi, taking an 80% share of ransom proceeds [8].

LYNX employs double extortion tactics, encrypting data (appending the .LYNX extension) and threatening to leak stolen information on their dedicated leak site [6]. Their TTPs include initial access via phishing, terminating processes, deleting backups (shadow copies), encrypting network shares, and using robust encryption algorithms (Curve25519, AES-128) [6]. They target various industries globally, including manufacturing, finance, retail, and energy, with a notable concentration of victims in the US [6].
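The recovery-inhibition steps described for Qilin above (rebooting into Safe Mode, deleting Volume Shadow Copies) and for LYNX here (deleting shadow copies) all leave a process-creation trail on the endpoint, which is where a defender can catch them before encryption completes. The following Python is an added example, not code from this report or from any of the sources it cites: it runs a small set of command-line detection rules over a constructed sample of process-creation events (the field names `host`, `user` and `cmdline` are assumptions, not a particular vendor's schema) and escalates hosts on which more than one distinct recovery-inhibition step is seen. The same patterns apply to the command-line field of Windows Security event 4688 or Sysmon event 1.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in the shape an EDR or Sysmon export
# might take (field names are assumptions, not a specific vendor's schema).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "svc_backup",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS17", "user": "jdoe",
     "cmdline": "bcdedit /set {default} safeboot network"},
    {"host": "WS17", "user": "jdoe",
     "cmdline": "wmic shadowcopy delete /nointeractive"},
    {"host": "DC01", "user": "admin",
     "cmdline": "bcdedit  /set {default} recoveryenabled No"},
    {"host": "WS03", "user": "alice",
     "cmdline": "vssadmin list shadows"},            # benign enumeration only
    {"host": "WS03", "user": "alice",
     "cmdline": "notepad.exe report.txt"},
]

# Each rule is a name plus a pattern applied to the whitespace-normalised
# command line. Two patterns may share a name when they describe one step.
RULES = [
    ("shadow_copy_deletion", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("shadow_copy_deletion", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("safe_mode_boot_config", r"\bbcdedit(\.exe)?\b.*\bsafeboot\b"),
    ("recovery_disabled", r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b"),
    ("backup_catalog_deletion", r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
]
COMPILED = [(name, re.compile(pattern, re.I)) for name, pattern in RULES]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


def normalise(cmdline):
    """Collapse repeated whitespace so spacing tricks do not defeat the patterns."""
    return " ".join(cmdline.split())


def match_event(event):
    """Return the distinct rule names triggered by one event (empty if benign)."""
    cmd = normalise(event["cmdline"])
    hits = []
    for name, pattern in COMPILED:
        if pattern.search(cmd) and name not in hits:
            hits.append(name)
    return hits


def scan_events(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in match_event(ev):
            alerts.append(Alert(ev["host"], ev["user"], rule, normalise(ev["cmdline"])))
    return alerts


def severity_by_host(alerts):
    """Escalate hosts where several distinct recovery-inhibition steps occur."""
    rules_per_host = {}
    for a in alerts:
        rules_per_host.setdefault(a.host, set()).add(a.rule)
    return {h: ("high" if len(r) >= 2 else "medium") for h, r in rules_per_host.items()}


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:5} {a.user:11} {a.rule:24} {a.cmdline}")
    print(severity_by_host(found))
```

A single `vssadmin delete shadows` can also come from legitimate backup maintenance, which is why the example rates a host `medium` on one rule and `high` only when a second step (Safe Mode boot configuration, recovery disabled, catalog deletion) appears on the same host; in production the parent process and the account running the command are the usual tuning knobs.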

  • Victim: Penn Emblem Company (USA, Manufacturing)
  • Claim: The group claims data compromise, providing sample screenshots on its dark web portal.
  • Published URL: http://lynxblogxstgzsarfyk2pvhdv45igghb4zmthnzmsipzeoduruz3xwqd.onion/leaks/67bc964b44fac8dca14e62b0
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/53879f7f-844a-47f5-8170-69f4a498b4de.png

This incident aligns with LYNX’s known targeting of the manufacturing sector and its standard operating procedure of posting victim details and data samples on its leak site [6].

Silent Ransomware Attack

The Silent ransomware group claimed Versa Networks (USA, Software Development) as a victim. The group, also known as Luna Moth, has been active since 2020 and is known for financially motivated cyber extortion campaigns [11]. Recently, the group has been observed employing “call-back” phishing tactics, particularly against the legal industry [11]. This involves sending emails impersonating legitimate services, urging victims to call a number, and then using social engineering to convince them to install Remote Monitoring and Management (RMM) tools like AnyDesk or Zoho Assist, allowing data exfiltration (often via SFTP) and subsequent extortion [11].

The claim against Versa Networks involves ransomware deployment, indicating a potential expansion or variation in the group’s tactics beyond pure data theft and extortion, or possibly the involvement of an affiliate using ransomware under the “Silent” banner.

  • Victim: Versa Networks (USA, Software Development)
  • Claim: The group claims access to 764 GB of data (186,955 files) and plans to publish it within 13-14 days.
  • Published URL: http://silentbgdghp3zeldwpumnwabglreql7jcffhx5vqkvtf2lshc4n5zid.onion/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/12da8a29-b2e9-44c9-943f-acc317b524ba.png

The targeting of a software development company highlights the risk to organizations holding valuable intellectual property or customer data. The specific mention of ransomware deployment warrants monitoring for confirmation of this tactical approach by the Silent group.

Data Breach and Access Sale Incidents

Several incidents involved claims of data breaches or the sale of unauthorized access, perpetrated by various actors including individual sellers, hacktivist groups, and Initial Access Brokers (IABs).

Alleged Hospital System Breach (Threat Actor: jaba1234)

A threat actor using the handle “jaba1234” posted on the xss.is forum, claiming to sell web admin access and a database from an unidentified private hospital system. The database allegedly contains highly sensitive personal information, including full identity records (fullz), Social Security Numbers (SSNs), dates of birth, and driver’s license details.

  • Threat Actor: Specific information about “jaba1234” is limited [13]. Their operation on xss.is suggests involvement in the underground economy trading compromised data and access. The forum name itself relates to Cross-Site Scripting (XSS), a common web vulnerability used to steal session cookies, credentials, or inject malicious scripts, often facilitating initial access or data theft [17]. While the actor’s method isn’t specified, the forum context points towards web-based attack vectors. The motivation is likely financial gain from selling the access and sensitive data.
  • Impact: A breach of this nature targeting a hospital system poses severe risks, including identity theft, financial fraud, and potential disruption of healthcare services. The sale of admin access could lead to further compromise or ransomware deployment.
  • Published URL: https://xss.is/threads/136912/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/ae82e7fa-8446-49f6-bf21-a5f3f240a5a5.png

This incident highlights the persistent targeting of the healthcare sector due to the high value of patient data and the potential impact of disruption.

Alleged Reggio TV Data Breach (Threat Actor: Team 1722)

The hacktivist group “Team 1722” claimed via Telegram to have taken down the Italian broadcast media channel Reggio TV (reggiotv.it) and seized all its data.

  • Threat Actor: Team 1722 was noted for consistent activity among hacktivist groups in the first quarter of 2025 [21]. Hacktivist groups are increasingly moving beyond simple DDoS and defacement towards more impactful attacks, sometimes resembling nation-state or financially motivated actors [22]. While specific motivations for Team 1722 are not detailed in available sources, their actions align with general hacktivist trends of targeting organizations for political or ideological reasons, often communicated via platforms like Telegram [22].
  • Impact: Disruption of a media channel and potential exposure of internal data could impact operations, damage reputation, and potentially compromise sensitive journalistic or business information.
  • Published URL: https://t.me/x1722x/2513
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/aabd92bd-9acf-4a2f-92b7-eebfe25bd394.png

This attack demonstrates the evolving capabilities and targets of hacktivist groups, moving towards potentially more disruptive actions against various sectors.

Alleged Sepehr Energy Corporation Data Breach (Threat Actor: Crescent of Anon)

The hacktivist group “Crescent of Anon” claimed via X (formerly Twitter) to have breached Sepehr Energy Corporation (sepehrenergy.com), a major Oil & Gas company in Iran. The compromised data reportedly includes invoices, contracts, and other sensitive business information.

  • Threat Actor: Crescent of Anon is identified as an all-female hacktivist group affiliated with the Anonymous collective, specifically focused on the #OpIran campaign [23]. Their stated goal is to support the “woman, life, freedom” protests in Iran by targeting entities associated with the Iranian regime [23]. Their known TTPs include DDoS attacks and website defacements against government and affiliated websites [23]. This claimed data breach aligns with their politically motivated hacktivism against high-profile Iranian targets. Anonymous groups broadly oppose censorship and control, often targeting governments and corporations [25].
  • Impact: Exposing contracts and invoices of a major energy corporation could reveal sensitive business dealings, potentially causing economic disruption or embarrassment for the targeted entity and the Iranian government. This action serves the group’s objective of applying pressure and gaining visibility for their cause.
  • Published URL: https://x.com/CrescentOfAnon/status/1917451168881561603
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/7674dbda-6894-467f-846c-cbb89c4879e8.png

This incident exemplifies targeted hacktivism where cyber operations are directly linked to specific geopolitical events and social movements.

Alleged Sale of Access to Spanish E-commerce Website (Threat Actor: DB_EMPIRE)

A threat actor named “DB_EMPIRE” advertised the sale of access to an unidentified Spanish e-commerce website on the Exploit.in forum. The actor provided details about the target, including its use of Prestashop CMS, Redsys Redirect payment gateway, and estimated monthly traffic (60-70k visits).

  • Threat Actor & Forum Context: While specific information on DB_EMPIRE is unavailable [27], their activity clearly positions them as an Initial Access Broker (IAB). IABs specialize in gaining unauthorized access to networks and selling that access to other cybercriminals [29]. Exploit.in is a well-known Russian-language dark web forum serving as a major marketplace for such illicit goods and services, including stolen data, malware, and initial access [29]. The details provided by DB_EMPIRE (CMS, payment method, traffic) are typical marketing information used by IABs to attract buyers by indicating the potential value and exploitability of the access [16].
  • Impact & Downstream Risk: The sale of initial access represents a significant threat within the cybercrime ecosystem. The buyer could leverage this access for various malicious activities, including deploying ransomware, stealing customer payment card data (especially relevant given the e-commerce context and mention of Redsys), installing web shells for persistent access, or launching further attacks. This incident highlights the specialization within cybercrime, where IABs facilitate attacks by providing the crucial first step [29].
  • Published URL: https://forum.exploit.in/topic/258236/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/6c4d6e32-1a85-4ff4-9eb5-4a4e6286e13e.png

The activity of IABs on forums like Exploit.in lowers the barrier to entry for sophisticated attacks and increases the overall risk landscape for organizations.

Website Defacement Incidents

Website defacement remains a common tactic for hacktivist groups seeking visibility and to convey political or ideological messages. Significant activity was observed targeting Indian websites.

Team Insane PK Attack on Department of Information and Public Relations (India)

The hacktivist group “Team insane pk” claimed via Telegram to have defaced the website of the Department of Information and Public Relations in Rajasthan, India (diprfile.rajasthan.gov.in). A mirror of the defacement was archived on Zone-H.

  • Threat Actor: Team Insane PK is a known hacktivist group, allegedly based in Pakistan, driven by religious and political motivations, specifically targeting Indian entities [30]. Active since early 2023, their actions are often framed as “digital jihad” and linked to real-world events or tensions between India and Pakistan [30]. Their primary TTPs are website defacement and DDoS attacks, often coordinated under campaigns like #OpIndia, particularly around significant events like the G20 Summit [30]. They utilize Telegram for claims and Zone-H for archiving defacements.
  • Impact: While often causing temporary disruption and reputational damage, defacements serve primarily as a messaging tool for the attackers. Targeting a government public relations department is symbolic, aiming to undermine government communication channels and broadcast the group’s message.
  • Published URL: https://t.me/c/1775646933/2826
  • Mirror URL: https://www.zone-h.org/archive/notifier=TEAM_INSANE_PK
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/cdcd7841-e455-4d3c-b27e-f1d2eeaacaa7.png

This attack is consistent with Team Insane PK’s established operational patterns and motivations, demonstrating their continued focus on Indian government targets.

FANATIX LEGION Defacement Campaign (India)

A group identifying as “FANATIX LEGION” claimed responsibility via a single Telegram post for defacing numerous websites, predominantly targeting Indian organizations across diverse sectors.

  • Threat Actor: Specific intelligence on “FANATIX LEGION” is not available in the reviewed sources [34]. The name likely references the “Legion” concept associated with the Anonymous collective (“We are Legion”) [25], suggesting a hacktivist orientation. Based solely on the observed activity, the group appears focused on defacing Indian websites. While their specific motivations are unclear, the consistent targeting of Indian entities across various industries (Furniture, Oil & Gas, Health, Sports, Engineering, Software) suggests an anti-India stance, possibly driven by nationalism or political factors. Their use of Telegram for claims is typical for hacktivist groups [33].
  • Impact: This coordinated campaign demonstrates an ability to target multiple websites concurrently, likely using automated tools or exploiting common vulnerabilities. The broad range of victims suggests opportunistic targeting within a specific geographic focus (India). The incident involving Al Nahdha Overseas Contracting L.L.C. (alnahdhauae.com) shows a potential UAE link despite the source data (a JSON feed) listing India, which could indicate either an error in the source data or a more complex international connection for the victim company.
  • Victims & Evidence (Consolidated):
    • Vasavi Interiors & Furnishings (vasavii.com, India, Furniture)
    • bedscape (bedscapes.in, India, Furniture)
    • Al Nahdha Overseas Contracting L.L.C. (alnahdhauae.com, India/UAE?, Oil & Gas)
    • Healthy 100 Plus (healthy100plus.in, India, Health & Fitness)
    • Star Academy Basketball Coaching Center (starbasketballacademy.in, India, Sports)
    • TTECH Engineering Solution (ttechindia.com, India, Mechanical or Industrial Engineering)
    • DoItOnWeb (doitonweb.in, India, Software Development)
  • Published URL (for all claims): https://t.me/FanatixZone/153
  • Screenshots:
    • Vasavi: https://d34iuop8pidsy8.cloudfront.net/7562e337-149b-41b1-b050-75ce8c3af063.png
    • bedscape: https://d34iuop8pidsy8.cloudfront.net/fc2860d4-788e-4770-8111-926c35c97a23.png
    • Al Nahdha: https://d34iuop8pidsy8.cloudfront.net/89d53d1a-d095-4f29-bd79-f6a33369e5c1.png
    • Healthy 100 Plus: https://d34iuop8pidsy8.cloudfront.net/1ce69597-e406-4147-b40e-2ec628d32ac0.png
    • Star Academy: https://d34iuop8pidsy8.cloudfront.net/6978d8b0-3c6b-4cfc-b6e2-a5ea0ae23c8e.png
    • TTECH: https://d34iuop8pidsy8.cloudfront.net/5d0fccc7-a215-46bf-8c12-9c3bd37de928.png
    • DoItOnWeb: https://d34iuop8pidsy8.cloudfront.net/3edc51d6-96f3-4d0f-9eae-bdfc5737c2c8.png

This campaign highlights the persistent threat of mass defacement attacks driven by hacktivist motives, often targeting specific nations.

Cybersecurity Tooling and Alerts

The cybercrime ecosystem includes not only direct attacks but also the development and sale of tools that facilitate malicious activities.

Alleged Sale of Veil CLI Checker 0.3 (Threat Actor: VeilGroup)

An actor or group named “VeilGroup” advertised the sale of a tool called “Veil CLI Checker 0.3” on the darkforums.st forum. The tool is described as a lightweight command-line utility designed to analyze Unauthorized Login Panel (ULP) logs. Its purpose is to automatically check these logs for valid credentials and access points to platforms such as Jira, FTP, RDWeb, WordPress, CPanel, and phpMyAdmin.

  • Actor/Tool Context: No specific information on “VeilGroup” is available. However, the name “Veil” likely intends to evoke the well-known Veil Framework, particularly Veil-Evasion, which is designed to create antivirus-evading payloads [37]. While this checker tool serves a different purpose (log analysis and credential validation), leveraging the “Veil” brand could be a marketing tactic. The tool addresses a specific need in the cybercrime workflow: efficiently processing large volumes of stolen log data, often acquired through infostealer malware campaigns, to find valuable, working credentials.
  • Functionality & Impact: ULP logs can contain vast amounts of credential pairs and session information. Manually sifting through them is inefficient. Tools like the Veil CLI Checker automate this process, allowing attackers to quickly identify and exploit valid access to valuable corporate platforms (like Jira, CPanel) or infrastructure components (FTP, RDWeb). This automation lowers the effort required to monetize stolen data and potentially increases the speed and scale of subsequent attacks using compromised credentials.
  • Published URL: https://darkforums.st/Thread-Selling-Veil-CLI-Checker-0-3-Jira-FTP-RDWeb-Wordpress-CPanel-phpMyAdmin-ULP-Check
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/31566448-013b-4f40-8a7c-3ac814789f11.png

The availability of such specialized tools underscores the commoditization of cybercrime capabilities and the ongoing efforts by threat actors to streamline attack processes.
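The defensive counterpart of the log-checking tool described above is triaging the same kind of leaked logs for one's own domains, so that exposed accounts can be reset before a buyer of the logs tries them. The following Python is an added example, not code from this report or from the tool it describes. It assumes each log line is a `url:login:password` record (the line layout infostealer log dumps commonly use), uses a constructed sample with invented values, and a hypothetical list of monitored domains. It performs no validation against any service, keeps no passwords in its output, and reports only which logins on monitored domains need a reset and which of them reuse one password across several monitored services.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample of leaked "url:login:password" records (all values invented).
ULP_SAMPLE = """\
https://mail.example.com/owa/auth.aspx:jdoe@example.com:Winter2024!
https://vpn.example-corp.net:443/remote/login:asmith:P@ss:word
http://shop.unrelated-site.org/login:buyer42:hunter2
https://jira.example.com/login.jsp:jdoe@example.com:Winter2024!
https://mail.example.com/owa/auth.aspx:jdoe@example.com:Winter2024!
this line is not a credential record
android://abc123@com.example.app/:mobileuser:secret
"""

# Hypothetical list of domains the defending organisation owns.
MONITORED_DOMAINS = ["example.com", "example-corp.net"]

# URL (optional scheme, host, optional port, optional path without ':'),
# then a login containing no ':', then the remainder of the line as the
# password. The password is matched last and greedily, so it may itself
# contain ':' without breaking the split (the second sample line).
ULP_RE = re.compile(
    r"^(?P<url>(?:[a-z][a-z0-9+.\-]*://)?[^\s:/]+(?::\d+)?(?:/[^\s:]*)?)"
    r":(?P<login>[^:\s]+):(?P<password>.+)$",
    re.I,
)


def parse_ulp_line(line):
    """Return (url, login, password) or None if the line is not a record."""
    m = ULP_RE.match(line.strip())
    if not m:
        return None
    return m.group("url"), m.group("login"), m.group("password")


def host_of(url):
    """Lower-cased hostname of the URL; assume http:// when no scheme is present."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_monitored(host, domains):
    """True if host equals a monitored domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_ulp(text, domains):
    """Summarise exposures on monitored domains without retaining passwords."""
    exposures = set()                     # (host, login) pairs seen
    unparsed = 0
    seen_by_login = defaultdict(set)      # login -> {(host, password)} kept in memory only
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_ulp_line(line)
        if rec is None:
            unparsed += 1
            continue
        url, login, password = rec
        host = host_of(url)
        if not is_monitored(host, domains):
            continue
        exposures.add((host, login))
        seen_by_login[login].add((host, password))

    # A login is flagged as reusing a password when the same password
    # appears for it on more than one monitored host.
    reused = []
    for login, pairs in seen_by_login.items():
        hosts_per_password = defaultdict(set)
        for host, password in pairs:
            hosts_per_password[password].add(host)
        if any(len(hosts) > 1 for hosts in hosts_per_password.values()):
            reused.append(login)

    return {
        "exposures": sorted(exposures),
        "reset_logins": sorted({login for _, login in exposures}),
        "reused_logins": sorted(reused),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    summary = triage_ulp(ULP_SAMPLE, MONITORED_DOMAINS)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The output is deliberately limited to hostnames, logins and two flags; the password material is consulted only to decide whether a login reuses one password across services (a reason to prioritise that reset and look for the same password on accounts the logs do not mention) and is discarded with the function's local state.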

Concluding Remarks

April 30, 2025, presented a dynamic threat landscape characterized by significant ransomware activity, politically motivated hacktivism, and the continued operation of the cybercrime support ecosystem.

  • Ransomware Dominance: RaaS groups, particularly Qilin and LYNX, remain highly active and pose a severe threat globally. Their sophisticated TTPs, including advanced evasion techniques and double extortion, continue to challenge defenders across critical sectors like healthcare, manufacturing, and education. The Silent group’s activity adds complexity, potentially indicating evolving tactics or affiliate actions.
  • Geopolitical Hacktivism: Hacktivist operations remain closely tied to real-world conflicts and ideologies. Groups like Team Insane PK, Crescent of Anon, and the newly observed FANATIX LEGION demonstrate the use of cyberattacks (defacement, data breaches, DDoS) as tools for political messaging and disruption, particularly focused on regions like India and Iran.
  • Cybercrime Ecosystem: The underground economy is robust, evidenced by the sale of initial access by IABs like DB_EMPIRE on dedicated forums (Exploit.in) and the marketing of specialized tools like the Veil CLI Checker designed to automate credential harvesting from stolen logs. This ecosystem lowers barriers for attackers and increases overall threat velocity.

Organizations must maintain heightened vigilance against ransomware, prioritizing vulnerability management (especially for internet-facing systems), robust backup strategies, and advanced endpoint protection (EDR/XDR). Monitoring for compromised credentials and understanding the geopolitical landscape can help anticipate potential hacktivist threats. The activity surrounding access brokers and specialized tools underscores the need for comprehensive security awareness training and strict access controls to mitigate risks from compromised accounts.

Works cited

  1. Agenda (Qilin) | SentinelOne, accessed April 30, 2025, https://www.sentinelone.com/anthology/agenda-qilin/
  2. Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed April 30, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
  3. The Top Ransomware Groups Targeting the Healthcare Sector – Flashpoint, accessed April 30, 2025, https://flashpoint.io/blog/ransomware-groups-targeting-healthcare-sector/
  4. Qilin Ransomware: All You Need To Know | Red Piranha, accessed April 30, 2025, https://redpiranha.net/news/qilin-ransomware-all-you-need-know
  5. Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024 – Picus Security, accessed April 30, 2025, https://www.picussecurity.com/resource/blog/qilin-ransomware
  6. Defending Against Lynx Ransomware (Strategies for 2025), accessed April 30, 2025, https://cybelangel.com/lynx-ransomware-double-extortion/
  7. Lynx Ransomware: Exposing How INC Ransomware Rebrands Itself – Picus Security, accessed April 30, 2025, https://www.picussecurity.com/resource/blog/lynx-ransomware
  8. Lynx Ransomware Group Unveiled with Sophisticated Affiliate Program, accessed April 30, 2025, https://www.infosecurity-magazine.com/news/lynx-ransomware-sophisticated/
  9. Cat’s out of the bag: Lynx Ransomware-as-a-Service | Group-IB Blog, accessed April 30, 2025, https://www.group-ib.com/blog/cat-s-out-of-the-bag-lynx-ransomware/
  10. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed April 30, 2025, https://darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  11. Silent Ransom Group “Call-back” Phishing Campaign – Arctic Wolf, accessed April 30, 2025, https://arcticwolf.com/resources/blog/silent-ransom-group-call-back-phishing-campaign/
  12. FBI issues Notification on Silent Ransom – Virtual Routes, accessed April 30, 2025, https://virtual-routes.org/ransomware-countermeasures-tracker/fbi-issues-notification-on-silent-ransom/
  13. Threat Actors – Google Threat Intelligence – VirusTotal, accessed April 30, 2025, https://gtidocs.virustotal.com/docs/threat-actors-card
  14. Threat Actor Profiles – Cyble, accessed April 30, 2025, https://cyble.com/threat-actor-profiles/
  15. Threat actor – Wikipedia, accessed April 30, 2025, https://en.wikipedia.org/wiki/Threat_actor
  16. Identifying a Threat Actor Profile, accessed April 30, 2025, https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile.html
  17. What Is Cross-Site Scripting (XSS)? – Palo Alto Networks, accessed April 30, 2025, https://www.paloaltonetworks.co.uk/cyberpedia/xss-cross-site-scripting
  18. What is Cross-Site Scripting and How to Prevent it? – Kratikal Blogs – Information Hub For Cyber Security Experts, accessed April 30, 2025, https://kratikal.com/blog/what-is-cross-site-scripting-and-how-to-prevent-it/
  19. XSS Attack: 3 Real Life Attacks and Code Examples – Bright Security, accessed April 30, 2025, https://www.brightsec.com/blog/xss-attack/
  20. What is a cross-site scripting vulnerability? – Invicti, accessed April 30, 2025, https://www.invicti.com/blog/web-security/cross-site-scripting-xss/
  21. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed April 30, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
  22. Cyble Hacktivists Target Critical Infrastructure, Move Into Ransomware, accessed April 30, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
  23. Anonymous continues attacks as part of Op Iran – ICNA, accessed April 30, 2025, https://irancybernews.org/anonymous-continues-attacks-as-part-of-opiran/
  24. An updated history of Anonymous hacking group – ICNA, accessed April 30, 2025, https://irancybernews.org/an-updated-history-of-anonymous-hacking-group/
  25. Anonymous (hacker group) – Wikipedia, accessed April 30, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  26. What is Hacktivism? – Check Point Software, accessed April 30, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-hacktivism/
  27. Threat Actor Allegedly Selling Fortinet Firewall Zero-Day Exploit – SecurityWeek, accessed April 30, 2025, https://www.securityweek.com/threat-actor-allegedly-selling-fortinet-firewall-zero-day-exploit/
  28. Attackers Exploiting Public Cobalt Strike Profiles – Unit 42, accessed April 30, 2025, https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-profiles/
  29. Exploit Forum, Initial Access Brokers, and Cybercrime on the Dark Web – Flare, accessed April 30, 2025, https://flare.io/learn/resources/blog/exploit-forum/
  30. Team Insane PK: The Religious Hacktivist | Radware, accessed April 30, 2025, https://www.radware.com/cyberpedia/ddos-attacks/hacktivist-group-team-insane-pk/
  31. Asia Hacktivist Threat Landscape – SOCRadar® Cyber Intelligence Inc., accessed April 30, 2025, https://socradar.io/asia-hacktivist-threat-landscape/
  32. ‘Your religion won’t save you’: Army College of Nursing website hacked amid worsening India-Pakistan ties – The Financial Express, accessed April 30, 2025, https://www.financialexpress.com/india-news/your-religion-wont-save-you-army-college-of-nursing-website-hacked-amid-worsening-india-pakistan-ties/3822434/
  33. Cyble’s Insights on Independence Day Hacktivist Attacks, accessed April 30, 2025, https://cyble.com/blog/from-celebrations-to-cyber-strikes-hacktivism-incidents-spark-amidst-independence-day-celebrations/
  34. We Are Legion: the Story of the Hacktivists – Amazon.com, accessed April 30, 2025, https://www.amazon.com/We-Are-Legion-Story-Hacktivists/dp/B009PCXGQY
  35. Killnet: Russian Hacktivists DDoS US Airports, Government Websites – Cyber, accessed April 30, 2025, https://westoahu.hawaii.edu/cyber/uncategorized/killnet-russian-hacktivists-ddos-us-airports-government-websites/
  36. U.S. Department of Justice Indicts Hacktivist Group Anonymous Sudan for Prominent DDoS Attacks in 2023 and 2024 – CrowdStrike, accessed April 30, 2025, https://www.crowdstrike.com/en-us/blog/anonymous-sudan-hacktivist-group-ddos-indictment/
  37. Veil Framework 3.0 | AntiVirus Evasion Reconstructed | Google Cloud Blog, accessed April 30, 2025, https://cloud.google.com/blog/topics/threat-intelligence/antivirus-evasion-reconstructed-veil-30/