On April 3, 2025, organizations worldwide were hit by a wave of cyber incidents across multiple categories. This report summarizes the day’s key cybersecurity threats – including DDoS attacks, data breaches, leaks, website defacements, initial access sales, discovered vulnerabilities, malware, and notable threat actor alerts – highlighting the threat actors involved, targeted entities, affected countries, and industries. All evidence and announcements come from threat actors’ own postings and proofs on that date.
DDoS Attacks
Distributed denial-of-service (DDoS) attacks were especially prominent on April 3, with hacktivist groups targeting government and corporate websites in various countries. Most claims were backed by check-host reports or screenshots; note that such reports only show a site was unreachable from a handful of probe locations at the moment of the test, not how long the outage lasted or whether the target’s services were affected:
- NoName057(16): The pro-Russian group launched a series of DDoS attacks against multiple government websites in Spain and Ukraine. Targets included Spanish regional government sites (e.g. the Assembly of Madrid) and Ukrainian energy/transportation sites (such as the Port of Odesa and Gasolina Online, a fuel supplier). These attacks caused website outages as evidenced by the threat actor’s posted downtime proofs.
- Dark Storm Team: This hacktivist team expanded its attacks across continents, hitting an airport in the United States and defense-related sites in the Middle East. They claimed credit for knocking offline the website of Grand Forks International Airport in the U.S. and for taking down the Ministry of Defence websites in Israel and the UAE. Earlier in the day, Dark Storm Team had also disrupted the UAE’s Ministry of Industry and Advanced Technology site.
- TwoNet: The TwoNet group conducted DDoS attacks on both UK and Spanish targets. In the UK, they struck law enforcement and infrastructure, including the Metropolitan Police’s website and Royal Mail’s site. In Spain, they targeted organizations like media outlet Newtral and IT firm Indra. TwoNet’s campaign demonstrates a breadth of targets from government pages to private companies.
- Mr Hamza: Operating on Telegram, “Mr Hamza” focused on Indian government sites. He claimed responsibility for taking down the Defence Research and Development Organisation (DRDO) website and the Indian Ministry of Defence’s site. Additionally, Mr Hamza targeted India’s national police academy, according to his posts.
- CyberBulletin: This actor coordinated attacks on Slovakia’s government infrastructure. CyberBulletin flooded several Slovak government websites, including the Nuclear Regulatory Authority and the Office of Geodesy, Cartography and Cadastre, as well as the Constitutional Court. Each attack was accompanied by check-host reports as proof of downtime.
- Java DDOS Power Proof: This group surfaced with at least two attacks. One notable target was Jesus Calls, a Christian non-profit site in India, which was knocked offline. (Another reported target was a platform called “FP Miner.”) Java DDOS Power Proof shared screenshots demonstrating the sites’ unavailability.
- Mysterious Team Bangladesh (MTB): MTB also engaged in DDoS activity, mirroring some of CyberBulletin’s focus. The Bangladeshi hacktivists claimed attacks on the same Slovak government agencies – for instance, taking credit for the takedown of Slovakia’s Nuclear Regulatory Authority website. This suggests multiple actors were hitting the same targets or reposting each other’s successes.
- RipperSec: RipperSec concentrated on South Korean government tech sites. They announced the takedown of the Korea Internet & Security Agency (KISA) website, South Korea’s internet security agency. RipperSec also claimed to have taken down the eGovFrame Portal (the portal for South Korea’s standard e-government software framework).
- ZAIDDOS: This threat actor turned their DDoS tools against other hacker forums and services. ZAIDDOS claimed attacks on the CyberKazakhstan community and the ZeroStresser DDoS-for-hire service, suggesting a possible feud in the cybercriminal underground. Both sites were reported downed in posts by ZAIDDOS.
- s4zuC2Api: An actor with this alias targeted a U.S. software company. They boasted taking down the website of Hash, Inc. – an American animation software firm – via DDoS. The site (hash.com) was rendered inaccessible according to their evidence.
- Fatimion Cyber Team: This group, active in Middle Eastern hacktivism, claimed to have shut down an online platform called “Bengal Cats.” The site (catsbengal.com), apparently a pet-related platform, was taken offline by Fatimion Cyber Team.
- OverFlame: OverFlame targeted a European tech company. They directed a DDoS attack at Imatia, an IT services firm in Spain, causing its website to go down. The actor shared proof of the Spanish site’s downtime.
- Z-Pentest Alliance: This collective targeted Spain’s royal institutions. They launched a DDoS attack on the official website of Casa de Su Majestad el Rey (the Spanish Royal Household), taking down the casareal.es site. The attack on Spain’s monarchy site was publicized with check-host reports by Z-Pentest Alliance.
Data Breaches
Multiple data breaches were revealed or advertised on April 3, with hackers offering stolen databases on forums. Threat actors leaked or sold data from a wide range of industries and countries:
- Sophia: A prolific data broker going by “Sophia” advertised databases from at least five Russian companies. These included an e-commerce platform (OCStore), an online classifieds site (Tolku4ka), an electronics retailer (Z-Plus), a tech firm (Fermoved), and an IT services company (Olof LLC). Sophia’s posts offered millions of user records from these Russian organizations for sale.
- st0jke: This actor leaked databases belonging to Indian entities. st0jke claimed to have breached the Government of Madhya Pradesh (a state government database), as well as an environmental services firm, EKI Energy Services Ltd. The leaked Indian government data and corporate records were posted on a forum, purportedly containing sensitive personal and official information.
- G_fuck: Using a controversial alias, this threat actor offered two major databases for sale – one from the Vietnam Navy and another from the Bank of China. The Vietnam Navy data (nearly 9.8 million records, as claimed) includes personal identification details of naval personnel. Even more significant, the Bank of China breach allegedly comprises 87 million customer records (8.3 GB of data), including names, birth dates, phone numbers, bank account numbers, ID numbers, and addresses. These massive datasets were put on the market on April 3; the record counts are the seller’s figures and were not verified.
- Vergi: Another seller, Vergi, focused on Vietnamese organizations. Vergi listed a database from Vietnam Electricity (EVN) – roughly 2 million user records from the state power utility – and data from Vua Hàng Hiệu Trading Company Limited, a Vietnamese luxury e-commerce platform (around 520k records of orders and customer info). Both Vietnamese databases were advertised on a breach forum as being available for purchase.
- JumboJet: The actor “JumboJet” was active in selling breached data from Asia. They offered an alleged breach of SubDeliver (an Indian online service) with 76+ MB of user info, and a large database from STMIK DCI, an Indonesian educational institution (containing over 292,000 academic and personal records). JumboJet’s listings included details like names, emails, passwords, and other user data from these sites.
- Sythe: Sythe was involved in multiple breaches of smaller platforms. On this day they leaked the user database of “OG Email” (a service, containing over 100 user credentials) and a database from Leakbin (a leak aggregation site). Both datasets were small but included plaintext passwords and other sensitive fields, which makes them directly reusable for credential stuffing against other services. Sythe’s activity shows that even minor services were not spared.
- Other breaches: Several other organizations around the world saw their data leaked on April 3 by various actors:
- In Argentina, a hacker called G0DHAND leaked client data from Marcovecchio Real Estate, a realty firm.
- In France, an actor named NOR published a database from the regional news site Toulouseblog, exposing user contact information.
- In Indonesia, a hacker (ClaratZ) leaked data from the government’s “Sicantik” licensing portal (Sistem Cerdas Layanan Perizinan Terpadu), which handles public service permits.
- In the Philippines, a breach of the Solaire Online casino’s member database was reported by n1ghtRag3, including personal and passport details of customers.
- More victims: Additional U.S. organizations were hit as well. A user named Weyhro leaked internal files from Montgomery Little & Soran, a law firm in Colorado, while another actor (CrackedGotSeized) put up for sale the user database of PuppyFinder.com, a popular pet adoption website (155k records). The law firm leak contained client case files; the PuppyFinder breach contained user account information.
(Overall, at least 21 distinct breach incidents were recorded on this date, showing a busy day on cybercrime forums for leaked data.)
Data Leaks
Apart from outright breaches, several threat actors publicly leaked or sold sensitive data (not necessarily via hacking but through other means like open databases or stolen files) on April 3:
- BanyuwangiXploit: This group leaked data from two Israeli businesses. They released customer data (names, emails, phone numbers) from Villas A (an Israeli real estate or rental service) and Zipedia (a hospitality/tourism site in Israel). Screenshots of databases for both Israeli sites were shared as proof of the leaks.
- ExPresidents: Using a name referencing former leaders, this actor leaked data from multiple organizations in Uruguay. In particular, they posted data belonging to Uruguay’s National Institute for Donation and Transplantation of Cells, Tissues, and Organs (INDT) and possibly other Uruguayan firms. Personal and medical-related information was included in the dump.
- Indian ID Leaks: In India, two significant leaks of personal data occurred. An actor called ShuiYaZi leaked a trove of government identification records – specifically about 500 scans of Aadhaar and PAN cards (Indian national ID and tax IDs) – potentially exposing citizens’ identities. Around the same time, Sosyopat3 dumped a database from Marg Education Academy (an educational institute), containing student names, emails, passwords, phone numbers, and other details. These leaks raise concerns about identity theft and privacy in India.
- Johntate22222: Operating on a forum, this user shared a set of UK driver’s license images. The leak consisted of unidentified British driver’s license scans (personal IDs from the UK), which could facilitate identity fraud. The actor did not specify how these were obtained, only that they were “unidentified” licenses from the UK.
- nxe: This actor (who also appeared in other contexts) put up for sale data labeled “UAE NOCs,” i.e. No-Objection Certificates from the United Arab Emirates. NOCs are official documents issued by employers, sponsors or government bodies; the ad gave no detail on the volume or origin of the set, so the scope of the compromise is unclear.
- Sythe (Doxbin phones): The actor Sythe also had a presence in data leaks. On this date, Sythe offered a list of phone numbers of Doxbin users. Doxbin is a notorious doxing platform, and the leaked phone number list could expose users of that site to harassment or further attacks.
- louna: Another hacker, louna, leaked data from an Egyptian government website – the educational portal of the Cairo Governorate. The data likely includes student or teacher information from Cairo’s education system. This leak demonstrates how regional government sites in the Middle East were also targeted.
- GrandVault: GrandVault published a leak of French consumer data. They posted about an unidentified car accessories shop in France, leaking a list of customer phone numbers and names (approximately 200 records of WhatsApp contacts). Though relatively small, this leak shows personal data from a French retail context being exposed.
- Psychotide: This actor put a cache of stolen financial data up for sale. Psychotide claimed to be selling compromised credit card details from multiple countries. The ad did not specify how many cards or which fields were included; such listings typically carry card numbers, expiry dates and CVVs, which would make this a direct input to card-not-present fraud.
Defacements
Website defacement attacks – where attackers break into websites to vandalize pages with their own messages – were also rampant on April 3. Hacker crews used defacements to spread political messages or demonstrate their reach:
- Moroccan Black Cyber Army: This group defaced six different websites in India across various sectors. Targets included educational and business sites – for example, Explicit Estimating Services (a construction estimating firm) and Vaishnav Samaj Online (a community portal) – as well as a publishing house and a water utility site. Each site was left with the Moroccan Black Cyber Army’s signature or propaganda, indicating a widespread campaign against Indian websites.
- BEN MHIDI 54: Named after an Algerian revolutionary, this hacker defaced several French websites on April 3. Among the four known targets were personal or small business sites such as Alexandre Déon’s website, a financial calculator site, and a tech firm. One confirmed example is the defacement of K Technologies (k-techno.fr). BEN MHIDI 54’s activity suggests a Francophone focus, likely motivated by anti-French sentiments or cyber bragging rights.
- LulzSec Arabs: The Middle Eastern offshoot of the LulzSec collective hit at least three websites in India. They defaced a computer repair service site (Mobile Laptop Fix), the site of Kundarali Parnalee Educational & Cultural Samity (an NGO), and a religious ministry site (Faith Ministry, Assam International). The defacements were presented as part of an ongoing campaign (possibly in support of Islamic causes, as LulzSec Arabs has done previously) and left those Indian sites displaying the group’s messages.
- DXPLOIT (Officials): This group defaced two unrelated targets in Europe. They breached and defaced Mazsi’s Workshop Decor (a home/wedding decor business in Hungary), as well as Personallis (a health & fitness site in Portugal). Both small business websites were left with defacement notices. DXPLOIT’s multi-country hits show their focus on relatively soft targets in different countries.
- Bangladesh Civilian Force: This Bangladeshi hacktivist group struck a high-profile local target, defacing the official website of the Bangladesh Technical Education Board (BTEB). The education board’s site was likely plastered with the group’s logo or a political message. This incident represents a domestic cyber protest, as BTEB is a government body in charge of technical education.
- INDOHAXSEC: An Indonesian hacking collective, INDOHAXSEC, defaced the news website Mata Rakyat Nusantara (matarakyatnusantara.com). The site, which is an online media outlet, was left with the hackers’ calling card. This was part of a pattern of Indonesian hackers defacing local news and government sites, possibly as a statement or challenge to authorities.
Initial Access Sales
Criminal marketplaces were active on April 3 with threat actors selling initial access to compromised systems. These sales offer credentials or backdoors that other attackers can use as a foothold into organizations. Notable initial access listings include:
- Bangladesh Government and ISP Access: Multiple actors targeted Bangladesh. RASHTRIYA CYBER SENA leaked login credentials for the Directorate General of Health Services (DGHS), the directorate under Bangladesh’s health ministry that runs the national health portal. Separately, TPNET CYBER claimed admin access to the Mirsharai Upazila Development Plan web portal (a local government site), and an actor named sentap offered “exclusive” admin account access to JH Global Technology Ltd., a major Bangladeshi ISP (controlling customer data and network systems). These sales indicate a serious compromise of Bangladeshi government and telecom resources.
- United Arab Emirates: In the UAE, an actor known as nxe advertised credentials for an email administrator panel of a UAE Ministry of Defence-related magazine system (allowing management of official email addresses). Around the same time, ZeroSevenGroup was selling admin-level domain access to an unidentified holding company in the UAE. Both offers would enable an intruder to deeply penetrate UAE networks – targeting defense and corporate sectors respectively.
- United States: Several initial access offers emerged for U.S. targets. Actors Black18 and x52024 each peddled admin logins to compromised WordPress-based e-commerce websites in the U.S., implying those online stores were already breached. Additionally, a seller using the nickname LEMONGRASSS advertised broad local administrator access to a U.S. company’s network (a firm with ~$56 million revenue). That access bundle included FTP, shell access, database credentials, and more – essentially keys to the kingdom for an attacker.
- United Kingdom: A threat actor dubbed Belsen_Group was offering a remote code execution foothold into an unidentified UK company in the building materials industry. RCE access would allow running arbitrary code on the company’s servers. This suggests a UK industrial sector target had a known vulnerability or exposed service that Belsen_Group was exploiting and selling to the highest bidder.
- Brazil and Netherlands: The actor boukou1 put up two access offerings: one to Goiás Esporte Clube (a popular football club in Brazil) – specifically, member or internal systems access – and another to De Bergjes Chalets & Caravans (a Dutch RV and chalet retailer’s admin system). These would enable buyers to potentially infiltrate the Brazilian sports organization’s network or the Dutch retail company’s website/back-end.
- Argentina and Yemen: The crew DataSec was selling email account access for two government-related agencies. One was Argentina’s National Agri-Food Health and Quality Service (SENASA), with an official email credential up for sale. The other was an unspecified Yemeni government agency (“Yemeni PWC”, possibly Public Water Corporation) – showing reach into Middle Eastern government email as well.
- Mexico: An actor known as RATNICK advertised unauthorized access to a company in Mexico’s food industry. Though the company wasn’t named, RATNICK specified it was in the food sector, indicating interest in targeting supply chain or food production data in Mexico.
- Poland and Spain: deepwhale offered admin credentials for a Polish e-commerce platform based on PrestaShop. Meanwhile, the group SECT0R16 claimed to have leaked access (and data) from TEKROMIN in Spain – Tekromin is a Spanish industrial equipment company, and the attackers obtained information from its server, possibly via an exposed interface.
- Other notable sales: KristinaHo was selling a VPN account for the University of the Witwatersrand in South Africa (educational network access), and Akatsuki Cyber Team leaked user/password pairs for SocialBookmarkZone.info (a bookmarking site), which could allow logging into those user accounts. These show that initial access sales ranged from academic networks to small web services.
In total, at least 20 initial-access listings were observed on April 3, underscoring how active the market for compromised credentials was on that day.
Vulnerabilities
Newly disclosed or peddled software vulnerabilities also featured in the day’s cyber news:
- Zero-Day Exploits for Sale: A hacker using the handle Beeper claimed to be selling two Windows zero-day vulnerabilities that allow Local Privilege Escalation (LPE). These zero-days (said to affect both desktop and server editions of Windows) were unknown to the public and could let an attacker with limited access elevate to full administrator rights. The post did not detail the exact Windows versions or provide a proof of concept, but offered the bugs to buyers on a forum. Unverified zero-day listings are common on such forums and are sometimes repackaged n-days or outright scams, so the claim should be treated as unconfirmed; if genuine, it would mean critical unpatched Windows flaws were in circulation on the black market.
- Mexican Government Website XSS: A group called F-SEC INTEL ES disclosed a web vulnerability in the Mexican government’s Tax Administration Service. They leaked details of an XSS (Cross-Site Scripting) flaw on the official SAT website (sat.gob.mx). This vulnerability could allow attackers to inject malicious scripts into the tax service’s web pages, which in turn can be used to steal session cookies or tokens, rewrite page content for phishing, or perform actions as a logged-in taxpayer. F-SEC INTEL ES sharing this suggests it might have been a warning or proof of concept, potentially pressuring the site owners to fix the issue.
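The XSS entry above describes the impact but not the mechanics. The following is an added example, written for this roundup and not code from SAT or from F-SEC INTEL ES; the route, the `q` parameter and the page template are hypothetical and say nothing about how sat.gob.mx is built. It shows the classic reflected-XSS shape (a query parameter interpolated straight into HTML) beside a hardened version that encodes output for its context, rejects `javascript:` URLs in links, and sets a Content-Security-Policy as a second layer.

```javascript
// Added example (not from the original report). Hypothetical search page:
// a reflected-XSS-prone renderer beside its hardened form.

// Entity-encode for HTML element content and double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Only allow http(s) targets; anything else (javascript:, data:, garbage)
// collapses to a harmless "#". Relative paths resolve against the base and
// therefore pass.
function safeHref(href) {
  try {
    const u = new URL(String(href), 'https://example.invalid/');
    return (u.protocol === 'http:' || u.protocol === 'https:') ? String(href) : '#';
  } catch (e) {
    return '#';
  }
}

// VULNERABLE: untrusted input lands in the page byte-for-byte.
// ?q=<script>alert(1)</script> becomes executable markup.
function renderUnsafe(term) {
  return `<h1>Results for ${term}</h1><input name="q" value="${term}">`;
}

// HARDENED: every untrusted value is encoded for the context it is placed in
// (element text and attribute value here share the same encoder).
function renderSafe(term) {
  const t = escapeHtml(term);
  return `<h1>Results for ${t}</h1><input name="q" value="${t}">`;
}

// Links need a URL check in addition to attribute encoding, because
// encoding alone does not stop href="javascript:alert(1)".
function renderLink(href, label) {
  return `<a href="${escapeHtml(safeHref(href))}">${escapeHtml(label)}</a>`;
}

// Defence in depth: block inline script even if an encoding slip ships.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Request handling with the hardened renderer; returns what a server would send.
function handle(urlString) {
  const url = new URL(urlString, 'http://localhost');
  const q = url.searchParams.get('q') || '';
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'Content-Security-Policy': CSP,
    },
    body: renderSafe(q),
  };
}

// Stand-alone demo: serve the hardened page on localhost:8080 under CommonJS.
if (typeof require !== 'undefined' && require.main === module) {
  const http = require('http');
  http.createServer((req, res) => {
    const r = handle(req.url);
    res.writeHead(r.status, r.headers);
    res.end(r.body);
  }).listen(8080, () => {
    console.log('try http://localhost:8080/?q=%3Cscript%3Ealert(1)%3C/script%3E');
    console.log('unsafe render would be:', renderUnsafe('<script>alert(1)</script>'));
  });
}

if (typeof module !== 'undefined') {
  module.exports = { escapeHtml, safeHref, renderUnsafe, renderSafe, renderLink, handle, CSP };
}
```

The point to take from the two renderers is that the fix is a property of the output path, not of the input: the same `escapeHtml` call must sit at every place user data enters HTML, and links need `safeHref` on top of it, because entity encoding does nothing against a `javascript:` scheme inside an attribute that the browser interprets as a URL.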
Malware and Exploits
At least one malware-related incident occurred:
- Casino Crypto Exploit – “JumboJet”: The threat actor JumboJet (also active in data breaches) leaked a “crypto reversal” exploit script targeting BetPanda Casino. The script allegedly could be used to manipulate cryptocurrency transactions on betpandacasino.io to “earn fast” illicit gains. Essentially, it’s a cheat/exploit tool rather than traditional malware, but it was presented as a leaked script that anyone could use against the Malta-based online casino’s crypto system. If legitimate, this could enable theft from the casino or its players by reversing or faking crypto payments.
Threat Actor Alerts
Threat actors sometimes announce upcoming operations. On April 3, one notable alert was observed:
- Mysterious Team Bangladesh’s Warning: The hacktivist outfit Mysterious Team Bangladesh (MTB) issued an alert that they are planning attacks on the cyberspace of Bulgaria and the Netherlands. In a Telegram post, MTB claimed they would target digital infrastructure in those countries. (MTB had claimed Slovak government targets the same day, as noted above, and had attacked Bulgarian sites in previous days.) This announcement serves as a warning of potentially heightened threat activity against Bulgarian and Dutch targets in the near future.
Conclusion: April 3, 2025 was an active day in cybersecurity, with a barrage of DDoS attacks hitting governments and companies, numerous data breaches and leaks coming to light, websites defaced across several countries, and cybercriminals selling access and exploits. From Europe to Asia, no region was untouched. Organizations are advised to review this roundup to understand the tactics and targets in play – for instance, European government sites facing DDoS by pro-Russian actors, South Asian and Southeast Asian entities being breached or defaced by regional groups, and purported Windows zero-days being offered for sale. The evidence gathered (downtime proofs, leaked data samples, and forum postings) underscores the importance of bolstering defenses, as threat actors openly advertised their successes on this date. Each incident above was accompanied by material published by the threat actors themselves, such as screenshots, check-host reports, or leak samples; these are the actors’ own claims and have not been independently verified, so record counts, scope and impact should be treated as unconfirmed until a victim statement or sample analysis corroborates them. This daily summary highlights the need for global vigilance in the face of coordinated cyber-attacks.