This report categorizes the 71 recorded incidents into major threat vectors: Ransomware Campaigns, State-Focused Espionage & Access Leaks, Data Breaches, and Hacktivist Defacement.
Executive Summary
A massive surge in cyber activity was recorded on December 28, 2025, involving diverse threat actors ranging from sophisticated ransomware groups like Qilin and DEVMAN 2.0 to high-volume hacktivist groups like IndoClaySec and Chennel G.H.G.K. The victims span critical sectors including Government, Education, Industrial Control Systems (ICS), and Healthcare across Thailand, the USA, France, and India.
1. Major Ransomware Campaigns
Several established ransomware groups launched coordinated attacks, utilizing double-extortion tactics (stealing data before encryption).
Qilin Ransomware
The Qilin group was highly active, targeting organizations in the US, Italy, Canada, and France.
- Goodwin University (USA): The group claims to have compromised the university’s data.
- SEAC Corporate (Italy): A sporting goods manufacturer; data was allegedly obtained.
- Questica (Canada): A budgeting software provider (subsidiary of Euna Solutions). Qilin claims to have exfiltrated 72 GB of data.
- ATALIAN (France): A major facility services company. The group claims to hold 500 GB of data and threatens to release it in 9-10 days.
DEVMAN 2.0 Campaign
This group executed a rapid series of attacks primarily against US-based entities, threatening data publication within 2–5 days.
- Jennings Heating & Cooling Co.: 50 GB of Financial and HR data stolen.
- Intonu: A mining/metals company; Financial and HR documents compromised.
- SHAR, Inc: A non-profit organization; 20 GB of data stolen.
- Unknown Victim (oppor…org): 60 GB of patient and financial information stolen.
Other Ransomware Activities
- INC RANSOM: Targeted Klingele Paper & Packaging (Germany), claiming theft of 450 GB of sensitive corporate and client data.
- DragonForce: Targeted Neurological Associates (USA), stealing 72.53 GB of medical and organizational data.
2. Regional Focus: The Thailand Cyber-Wave
A significant portion of the incidents (approx. 20%) targeted Thailand’s government and educational infrastructure. Two primary actors were responsible for the majority of these breaches.
Threat Actor: Chennel G.H.G.K
This actor focused on unauthorized access to high-value government and university portals:
- Ministry of Public Health (MOPH): Breached the Health KPI system.
- Labour Protection and Welfare Department: Unauthorized website access.
- Chulalongkorn University: Breached the Academic Testing Center (CUATC) and gained login access.
- YaleCom Co., Ltd: Accessed the customer login portal of this IT service provider.
- Pongsawadi Technological College: Unauthorized website access.
- National Research Council: Defaced the Digital Research Information Center website.
Threat Actor: Blue Shadow
This group focused on leaking credentials for educational and public platforms:
- KidDiary: Leaked login credentials for this government-linked health platform.
- Ramkhamhaeng University: Leaked administrator credentials for the e-Service system.
- Eastern Technological College (E.TECH): Leaked login credentials for the e-Student portal.
- Maejo University: Leaked user login credentials.
3. Critical Infrastructure & Industrial Control Systems (ICS)
Attacks on physical infrastructure and industrial systems pose a severe physical safety risk.
- Techma S.A. (France): The “Infrastructure Destruction Squad” claims access to ICS used for managing oyster-cleaning pools, posing a risk to food processing facilities.
- Water Management System (France): The group NoName057(16) claims access to a water supply management system, stating they can interfere with heating and pressure parameters to cause physical damage.
4. Data Breaches & Dark Web Sales
A high volume of data was listed for sale or leaked on open web and dark web forums.
Government & Military
- U.S. Classified Docs: Threat actor jrintel is selling documents allegedly classified Top Secret and attributed to the DoD, CIA, NATO, and AUKUS partners.
- Venezuela (UNES): Actor malconguerra2 leaked 1TB of data from the National Experimental University of Security, including student records and identity documents.
- Israel: The group Handala Hack claims to have compromised the personal device of Tzachi Braverman.
- Pajemploi (France): Actor missan leaked social security numbers (NIR) and addresses from this government agency.
Commercial & Financial Data
- Allegro Musique (France): 161,413 records leaked, including customer identities.
- Cal-Comp Electronics (Thailand): 80 GB of proprietary design files and employee info for sale.
- Ermilo E. Richer A.A. (Mexico): 5.6 GB of logistics and tax records for sale.
- Banking Data: A database containing IBANs for individuals in Germany and France was offered by actor Sadnigga.
5. Hacktivism & Defacement Campaigns
Several groups engaged in website defacement, likely for ideological or reputation-building purposes.
- IndoClaySec: This group was extremely prolific, targeting websites in India (KMT Silks, KET Instruments, Thengu Coconut Oil), Qatar (Islam Hendawy Accountants), and Pakistan (NI Webmaster).
- 404 CREW CYBER TEAM: Defaced the US legal firm Siskind Susser.
- Legion: Targeted religious institutions in Iran (Kalam Imamiya).
- BONDOWOSO BLACK HAT: Focused on the Indonesian travel/leisure sector.
Conclusion
The intelligence report from December 28, 2025, indicates a volatile global cyber threat landscape.
- Ransomware is industrializing: Groups like Qilin and DEVMAN 2.0 are hitting multiple targets daily across varied sectors (manufacturing, education, healthcare).
- Thailand is under siege: A coordinated wave of attacks by Chennel G.H.G.K and Blue Shadow suggests a specific campaign against the Thai public and education sectors.
- Physical Risk is elevated: The claimed breaches of French water and food processing ICS systems by groups threatening “physical damage” represent a dangerous escalation from digital theft to kinetic threats.
- Data Trafficking is rampant: From US military secrets to French social security numbers, the volume of sensitive data available for purchase indicates widespread vulnerabilities in both government and private sector defenses.
Immediate Action Recommendation: Organizations in the Education and Government sectors in Thailand, and Industrial sectors in France, should immediately review access logs and patch external-facing vulnerabilities.