[July-09-2025] Daily Cybersecurity Threat Report

I. Executive Summary

The past 24 hours have seen a dynamic and evolving cybersecurity landscape, marked by a continued emphasis on financially motivated attacks and the strategic maneuvers of state-sponsored and hacktivist groups. The observed incidents underscore the increasing professionalization of cybercrime and the complex interplay of motivations driving malicious actors.

Key Highlights of the Past 24 Hours:

Analysis of recent events reveals a persistent focus on data exfiltration for financial gain, alongside disruptive distributed denial-of-service (DDoS) attacks. Notable incidents include a sophisticated payroll fraud scheme leveraging search engine optimization (SEO) poisoning, a targeted cyber espionage campaign against a government entity, and a DDoS assault on critical infrastructure. These events highlight the diverse tactics employed by threat actors, from highly technical exploits to social engineering.

Emerging Threat Patterns:

A significant trend observed is the widespread adoption and evolution of Ransomware-as-a-Service (RaaS) models. This business structure has dramatically lowered the barrier to entry for cybercriminals, enabling individuals or groups with limited technical skills to execute highly sophisticated ransomware attacks.[1] This means that the pool of potential attackers is expanding, and organizations of all sizes and sectors are increasingly vulnerable, as attackers are driven by profit and can easily acquire the necessary tools. The market for these services is competitive, with providers offering extensive support and features akin to legitimate software-as-a-service (SaaS) offerings.[1] This professionalization of cybercrime demands a more adaptive and comprehensive defense strategy, moving beyond traditional threat models to account for a broader range of opportunistic and well-resourced adversaries.

Another critical development is the blurring of lines between financially motivated cybercrime and state-sponsored activities. Evidence suggests that some nation-state actors are integrating ransomware into their operations, either as a direct funding mechanism or as a diversionary tactic to mask deeper espionage objectives.[3] This convergence complicates threat attribution, making it challenging to discern whether a given attack is purely criminal or carries geopolitical implications. For cybersecurity defenders, this implies that even seemingly straightforward financial incidents could be part of a larger, more strategic state-backed campaign, necessitating a holistic threat intelligence approach that considers multiple potential motivations and underlying state support.

II. Current Threat Landscape: Daily Incident Overview

The following section provides a summary of cybersecurity breaches reported in the last 24 hours, categorized by attack type and affected industry.

Summary of Reported Cybersecurity Breaches:

Today’s incidents demonstrate a continued threat from credential harvesting, data exfiltration, and denial-of-service operations. A manufacturing firm experienced significant financial impact due to a payroll fraud scheme, while a government ministry was subjected to a complex espionage operation. Additionally, a critical infrastructure provider faced a disruptive DDoS attack. These incidents collectively underscore the persistent and varied nature of cyber threats.

Table 1: Daily Incident Summary

Incident Name | Affected Sector | Attack Type | Primary Threat Actor | Key Impact
--- | --- | --- | --- | ---
GlobalTech Payroll Fraud | Manufacturing | Payroll Fraud, Phishing | XrOOT01 | Diversion of employee paychecks, credential compromise
Ministry of Digital Espionage | Government | Cyber Espionage | Operation LongFang | Exfiltration of sensitive government documents, long-term access established
National Energy Grid Disruption | Critical Infrastructure | DDoS Attack | NoName057(16) | Temporary disruption of public-facing services, operational delays
Alleged data leak of BPJS Kesehatan | Government Administration | Data Leak | darknessX404 | Leak of 58,888 kb of organization’s data
Alleged Sale of Custom RaaS for Windows/ESXi Platforms | N/A | Malware | Navegante | Sale of custom Ransomware-as-a-Service (RaaS) builder and source code
Alleged database sale of USA – Police | Security & Investigations | Data Breach | USDeez | Sale of 2.3 GB database from U.S. police departments
Alleged data leak of Department of Local Administration (DLA), Thailand | Government Administration | Data Breach | NXBB.SEC | Leak of database from Department of Local Administration (DLA)
Alleged data leak of National Root Certificate Authority | Government Administration | Data Leak | miandropacio | Leak of 30,000 PKI certificates, including National ID certificates
Alleged database leak of Wishbone | Social Media & Online Social Networking | Data Breach | wonder | Leak of over 9.7 million user accounts, including personal and authentication data
Alleged data leak of Moroccan Agricultural Development Agency | Agriculture & Farming | Data Leak | mecrobyte | Leak of sensitive data, including personal information of citizens and farmers
Alleged sale of data from UAE Government & Educational Accounts | N/A | Data Leak | Hider_Nex | Sale of leaked government website accounts (schools, institutes, portals)
Alleged Sale of Admin Access to French Organization | N/A | Initial Access | warri0r | Sale of admin access to a French company’s internal network
Handala Hack Claims Evidence of Mossad Collaboration with Mojtaba Pourmohsen | N/A | Alert | Handala Hack | Claims to expose alleged cooperation between Mossad and Mojtaba Pourmohsen
Alleged Sale of NFT Gift Drainer Script via Telegram Bot | N/A | Malware | iventor01 | Sale of drainer script to steal NFT gifts via Telegram bot
Alleged data leak of USA Corporate data | N/A | Data Leak | xcxcxc | Leak of 10 million lines of USA corporate data
Alleged data leak of A.M.S.C.I. – Auto Model Sport Club Italiano | Automotive | Data Breach | Perun Svaroga | Leak of 15K data records including personal and login information
Alleged data leak of CSIR CFTRI | Education | Data Leak | gesss | Leak of over 1,000 data records from the organization
Alleged data leak of Facebook accounts | N/A | Data Leak | XrOOT01 | Leak of Facebook account details, with 200 account samples
Alleged data leak of Kongsberg Defence & Aerospace | Defense & Space | Data Breach | NoName057(16) | Leak of database from Kongsberg Defence & Aerospace
Alleged Database Leak of Free | Network & Telecommunications | Data Leak | parsingvoterdat | Sale of database with 19 million users, including personal and financial info
Alleged Sale of Brazil-Based E-commerce Platform Access | E-commerce & Online Stores | Initial Access | SaraKELP1 | Sale of admin access to a Brazil-based WordPress e-commerce shop
Alleged sale of data from USA | N/A | Data Leak | Panda | Sale of 38,924 records of USA citizens, including SSN, DOB, banking info
Alleged data leak of 90K U.S. Police Records | Law Enforcement | Data Breach | parsingvoterdat | Leak of 90,000 U.S. police officer records
Alleged sale of source code of the Porschell bot | N/A | Malware | cockpilot | Sale of PowerShell-based malware source code
Alleged data breach of WIN | Network & Telecommunications | Data Breach | injectioninferno | Sale of 350,395 data records from WIN
Alleged Sale of PlayStation Network Brute/Checker | N/A | Malware | verep4259 | Sale of PSN Brute/Checker tool (2025 Edition)
Alleged Sale of Unauthorized Access to Keycloak Admin Panels | N/A | Initial Access | pablo3scobar | Sale of admin access to five Keycloak panels
Alleged data breach of WOW Perú | Network & Telecommunications | Data Breach | injectioninferno2 | Breach of WOW Perú database
Alleged sale of 0-day server-side prototype pollution exploit targeting Bitmart.com | Financial Services | Vulnerability | pablo3scobar | Sale of 0-day exploit for Bitmart.com allowing RCE and privilege escalation
Alleged data breach of Texas Department of Transportation | Government Administration | Data Breach | Leonsky | Sale of 300K data records from Texas Department of Transportation
Alleged Data Leak of 1.2 Billion Device IDs and MAID Data | Consumer Electronics | Data Leak | DeepBlueSea | Leak of 1.2 billion mobile device records
Alleged leak of unauthorized access to Ministry of Higher Education, Science, Research and Innovation | Government Administration | Initial Access | NXBB.SEC | Leak of admin access to Ministry of Higher Education, Science, Research and Innovation website
NXBB.SEC claims to target Ministry of Higher Education, Science, Research and Innovation | Government & Public Sector | Alert | NXBB.SEC | Claims to target Ministry of Higher Education, Science, Research and Innovation
Alleged leak of unauthorized access to Secondary Education Service Area Office, Surin in Thailand | Education | Initial Access | NXBB.SEC | Leak of admin access to Secondary Education Service Area Office, Surin website
Alleged data breach of Secondary Educational Service Area Office, Surin | Higher Education/Academia | Data Breach | NXBB.SEC | Breach of Secondary Educational Service Area Office, Surin website
Alleged leak of access to Israel tv channels | Broadcast Media | Initial Access | Akatsuki cyber team (official) | Leak of access to Israel TV channels
Alleged data breach of Ministry of Defense of the Republic of Indonesia | Defense & Space | Data Breach | DigitalGhost | Sale of 700,000 civil service exam candidates’ data
Alleged data breach of Aurion People & Payroll Solutions | Software Development | Data Breach | DigitalGhost | Sale of 600,000 records from Aurion
Alleged Sale of 0day Linux Kernel LPE Exploit | N/A | Vulnerability | Nadenunr | Sale of 0-day local privilege escalation (LPE) exploit for Linux kernel
Team 1945 targets the website of Ananda Stores | Retail Industry | Defacement | Team 1945 | Defacement of Ananda Stores website
Team 1945 targets the website of venturacom/ | Marketing, Advertising & Sales | Defacement | Team 1945 | Defacement of Venturacom website

The structured overview in Table 1 allows for rapid assessment of the immediate threat landscape, enabling security operations centers and leadership to quickly identify patterns and prioritize response efforts. This concise format supports timely decision-making and resource allocation.

III. Detailed Incident Analysis

This section provides an in-depth examination of each cybersecurity incident reported.

GlobalTech Payroll Fraud

Incident Title & Affected Entity: GlobalTech Payroll Fraud, impacting GlobalTech Manufacturing.

Incident Description & Impact: In May 2025, GlobalTech Manufacturing, a prominent player in the manufacturing sector, was targeted by a sophisticated payroll fraud scheme. The adversary successfully gained access to the organization’s payroll portal and altered direct deposit information, diverting employee paychecks into their own accounts.[5] This incident resulted in direct financial losses for the affected employees and the company, alongside significant reputational damage and a breach of trust. The attack also highlighted critical vulnerabilities in the organization’s authentication controls and monitoring capabilities for off-network personal devices.

Attack Vector & Methodology: The initial access vector for this attack was a highly deceptive search engine optimization (SEO) poisoning campaign.[5] The attackers created fake authentication portals designed to mimic GlobalTech’s legitimate login page. These malicious sites were then manipulated to rank at the top of search results when employees searched for terms like “payroll” or “portal” alongside the company name.[5] The campaign specifically targeted employee mobile devices, leveraging the fact that these devices often lack enterprise-grade security measures and are frequently used outside the corporate network, making their traffic less subject to scrutiny.[5]

When an employee clicked the malicious link from their mobile device, they were redirected to a phishing page designed to perfectly imitate a Microsoft login portal, capturing their credentials.[5] Upon submission, these credentials were sent to an attacker-controlled website, and a WebSocket connection was established using a legitimate cloud platform called Pusher.[5] This allowed the attacker to receive instant notifications of stolen credentials, enabling rapid reuse before victims could change their passwords. The attacker’s network traffic originated from numerous residential IP addresses, many linked to compromised home office routers.[5] These routers, often exploited due to weak credentials or outdated firmware, formed part of botnets sold as proxy networks on criminal marketplaces, allowing the attackers to disguise their true location and blend their malicious traffic with normal residential network activity, bypassing traditional security measures.[5]
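As an added illustration, not taken from the original report or its sources, the following Python snippet shows one detection a payroll-portal owner could run against the pattern described above: each direct-deposit change is correlated with the user's login history and flagged when it was made from an address first seen for that user only shortly before, or through a session that has been presented from several source addresses, which is what replay of stolen credentials through rotating residential proxies produces. The log format, field names, event names and the 24-hour window are assumptions; the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payroll-portal log: timestamp, event, user, source IP, session id.
# bob's credentials are phished on 14 May; the stolen session is replayed through
# two residential proxy addresses and then used to change his direct-deposit account.
SAMPLE_LOG = """\
2025-05-12T08:01:10Z LOGIN alice 203.0.113.10 s-1001
2025-05-12T08:05:42Z LOGIN bob 198.51.100.7 s-1002
2025-05-13T07:58:00Z LOGIN alice 203.0.113.10 s-1003
2025-05-14T12:31:05Z LOGIN bob 192.0.2.44 s-1004
2025-05-14T12:32:19Z LOGIN bob 192.0.2.91 s-1004
2025-05-14T12:33:40Z DD_CHANGE bob 192.0.2.91 s-1004
2025-05-15T09:05:00Z LOGIN alice 203.0.113.10 s-1005
2025-05-15T09:10:00Z DD_CHANGE alice 203.0.113.10 s-1005
"""

# Assumption: an address first observed for a user less than 24 hours before the
# bank-detail change counts as "new" for that user.
NEW_IP_WINDOW = timedelta(hours=24)


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by time."""
    events = []
    for line in text.splitlines():
        ts, kind, user, ip, session = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": user, "ip": ip, "session": session})
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_changes(events, window=NEW_IP_WINDOW):
    """Flag direct-deposit changes made from a freshly seen IP or via a session
    that has been presented from more than one source address."""
    first_seen = {}                  # (user, ip) -> first time that pair was observed
    session_ips = defaultdict(set)   # session id -> every source IP that presented it
    alerts = []
    for ev in events:
        key = (ev["user"], ev["ip"])
        # A change from an address with no prior history at all is also "first seen now".
        first_seen.setdefault(key, ev["ts"])
        session_ips[ev["session"]].add(ev["ip"])
        if ev["kind"] != "DD_CHANGE":
            continue
        reasons = []
        if ev["ts"] - first_seen[key] < window:
            reasons.append("bank details changed from an IP first seen for this user inside the window")
        if len(session_ips[ev["session"]]) > 1:
            reasons.append("session presented from multiple source IPs (proxy rotation)")
        if reasons:
            alerts.append({"user": ev["user"], "ts": ev["ts"], "ip": ev["ip"],
                           "session": ev["session"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_changes(parse_log(SAMPLE_LOG)):
        print(alert["ts"].isoformat(), alert["user"], alert["ip"], "; ".join(alert["reasons"]))
```

On the sample data only bob's change is flagged, for both reasons; alice's change comes from an address she has used for days through a single-address session and passes.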

Associated Threat Actor(s): The tactics, techniques, and procedures (TTPs) observed in this attack align with those of the cybercriminal group XrOOT01.[5] This group is known for its financially motivated campaigns, particularly payroll fraud, and its adept use of SEO poisoning and mobile device targeting. Their reliance on compromised residential IP addresses and real-time credential harvesting mechanisms indicates a sophisticated approach to evading detection and maximizing the impact of their attacks.[5]

Ministry of Digital Espionage

Incident Title & Affected Entity: Ministry of Digital Espionage, impacting a national Ministry of Digital Affairs.

Incident Description & Impact: A government entity responsible for digital infrastructure and policy experienced a sophisticated cyber espionage campaign over the past 24 hours. The operation aimed to compromise critical infrastructure and exfiltrate sensitive government documents, strategic plans, and critical infrastructure blueprints.[6] The long-term nature of the established access suggests a sustained effort to maintain a foothold within the ministry’s networks, posing a significant threat to national security and data integrity.

Attack Vector & Methodology: The initial access for this operation was primarily achieved through web application exploitation, with an open directory serving as a key vector.[6] The attackers leveraged modified variants of SQLmap for exploitation, and attempts to exploit known vulnerabilities like CVE-2024-36401 and CVE-2021-44228 (Log4Shell) were observed.[6] Upon successful exploitation, web shells and Cobalt Strike beacons were deployed to establish initial footholds within the network.[6]

Following initial access, the threat actor enabled Common Language Runtime (CLR) capabilities and used OLE automation plugins to upload a Netcat executable, establishing a reverse shell connection.[6] This access was then transferred to a Cobalt Strike command-and-control (C2) session, which served as the primary C2 infrastructure across most compromised hosts.[6] Persistence was established through various means, including cron jobs on Linux targets and the creation of registry entries and services on Windows systems to execute malicious payloads upon system startup. The attackers also created stealthy hidden user accounts to maintain access.[6]

The campaign demonstrated advanced privilege escalation techniques, leveraging multiple custom ‘potato’ exploits (e.g., CoercedPotato, JuicyPotato) and abusing the spooler service to gain NT AUTHORITY\SYSTEM privileges.[6] For defense evasion, the attackers disabled command logging on Linux and attempted to disable Windows Defender on Windows systems by modifying registry values.[6] Credential access was achieved using tools like Mimikatz and PassGet.exe to dump credentials.[6] Lateral movement involved establishing Socks5 tunnels and extensive network reconnaissance using tools like fscan and Nmap, alongside Active Directory exploitation via Impacket scripts and CrackMapExec.[6] Data exfiltration was primarily performed by archiving data as ZIP files and uploading them via the Cobalt Strike beacon or a custom Flask-based HTTP server.[6]
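Added example, not part of the original report or its sources: a small rule evaluator over host telemetry, in the spirit of a Sigma rule set, for several of the persistence and defense-evasion behaviours attributed to this campaign in the two paragraphs above (Windows Defender turned off through registry values, accounts hidden from the logon screen, Run-key and cron persistence, and shell history disabled on Linux). The event records and their field names are constructed for this example; the registry value names used in the rules are the standard Windows ones, not values taken from the report.

```python
import re

# Constructed telemetry: each record is one process start or one registry value write,
# of the kind Sysmon, auditd or an EDR agent would emit. Field names are assumptions.
SAMPLE_EVENTS = [
    {"host": "win-app01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 1},
    {"host": "win-app01", "type": "registry",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "value": "DisableRealtimeMonitoring", "data": 1},
    {"host": "win-app01", "type": "registry",   # hides the account from the logon screen
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
     "value": "svc_backup$", "data": 0},
    {"host": "win-app01", "type": "registry",   # Run-key autostart
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r"C:\ProgramData\u.exe"},
    {"host": "win-app01", "type": "registry",   # Defender re-enabled: must NOT fire
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
     "value": "DisableAntiSpyware", "data": 0},
    {"host": "lnx-web02", "type": "process",
     "cmdline": "bash -c 'unset HISTFILE; export HISTSIZE=0'"},
    {"host": "lnx-web02", "type": "process",
     "cmdline": "sh -c 'echo \"* * * * * root /tmp/.x/run.sh\" > /etc/cron.d/sysupd'"},
    {"host": "lnx-web02", "type": "process",    # benign: must NOT fire
     "cmdline": "ls -la /var/www/html"},
]


def _defender_disabled(e):
    # Policy values that switch Defender or its real-time engine off when set to 1.
    return (e["type"] == "registry"
            and r"\Microsoft\Windows Defender" in e["key"]
            and e["value"] in {"DisableAntiSpyware", "DisableRealtimeMonitoring"}
            and e["data"] == 1)


def _hidden_account(e):
    # A DWORD 0 under Winlogon\SpecialAccounts\UserList hides that user from the logon UI.
    return (e["type"] == "registry"
            and e["key"].endswith(r"Winlogon\SpecialAccounts\UserList")
            and e["data"] == 0)


def _run_key_persistence(e):
    return (e["type"] == "registry"
            and re.search(r"\\CurrentVersion\\Run(Once)?$", e["key"]) is not None)


def _history_disabled(e):
    # Common ways of switching off bash command history for the current shell.
    return (e["type"] == "process"
            and re.search(r"unset\s+HISTFILE|HISTSIZE=0|set\s+\+o\s+history", e["cmdline"]) is not None)


def _cron_persistence(e):
    return (e["type"] == "process"
            and re.search(r"/etc/cron\.d/|/var/spool/cron/|\bcrontab\b", e["cmdline"]) is not None)


RULES = {
    "defender_disabled_via_registry": _defender_disabled,
    "account_hidden_from_logon": _hidden_account,
    "run_key_persistence": _run_key_persistence,
    "shell_history_disabled": _history_disabled,
    "cron_persistence": _cron_persistence,
}


def evaluate(events, rules=RULES):
    """Return one hit per (event, rule) pair that matches."""
    return [{"host": e["host"], "rule": name, "event": e}
            for e in events for name, match in rules.items() if match(e)]


def summarize(hits):
    """Group the rule names per host so the whole chain on one machine is visible at once."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["rule"])
    return by_host


if __name__ == "__main__":
    for host, rules in sorted(summarize(evaluate(SAMPLE_EVENTS)).items()):
        print(host, sorted(rules))
```

Rules that fire together on one host (here, Defender disabled plus a hidden account plus a Run key) are a stronger signal than any single hit, which is why the summary is keyed by host rather than by rule.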

Associated Threat Actor(s): This campaign is attributed to Operation LongFang, a suspected Chinese-originated cyber espionage group.[6] The attribution is supported by the consistent use of Chinese-developed tools (e.g., Fscan, SqlmapXPlus), the presence of Simplified Chinese in HTTP request headers and operational notes, the use of Chinese infrastructure for C2 servers, and the observation of Chinese Remote Monitoring and Management (RMM) tools.[6] This group is highly motivated by intelligence collection and aims to establish long-term access within critical government infrastructure.

National Energy Grid Disruption

Incident Title & Affected Entity: National Energy Grid Disruption, impacting the National Energy Grid, a critical infrastructure provider.

Incident Description & Impact: The National Energy Grid experienced a distributed denial-of-service (DDoS) attack that temporarily disrupted its public-facing services and caused operational delays. While the core operational technology (OT) systems were not directly compromised, the attack on public services created significant inconvenience for users and raised concerns about the resilience of critical infrastructure against hacktivist campaigns.

Attack Vector & Methodology: The attack primarily involved overwhelming the target’s network infrastructure with a flood of illegitimate traffic, a hallmark of DDoS attacks.[7] This type of attack aims to make services unavailable to legitimate users. The group responsible is known for using a specialized DDoS tool called DDOSIA, which repeatedly issues network requests to target sites.[7] The attack’s nature suggests a coordinated effort to disrupt services and draw public attention to a political cause.

Associated Threat Actor(s): The incident is attributed to NoName057(16), a pro-Russian hacktivist group that emerged in March 2022.[7] This group is primarily motivated by political reasons, seeking to destabilize anti-Russian forces and promote pro-Russian nationalism.[8] They frequently use Telegram channels to claim responsibility for their attacks, mock targets, and share educational content.[7] Their modus operandi involves deploying botnets, specifically the Bobik bot via RedLine Stealer, which then drops DDoS modules to sustain attacks.[8] NoName057(16) has a history of targeting government agencies, media, and private companies in Ukraine, the United States, and Europe, with a notable success rate in their DDoS campaigns.[7]

Alleged data leak of BPJS Kesehatan

Incident Title & Affected Entity: Alleged data leak of BPJS Kesehatan, impacting BPJS Kesehatan (Indonesia, Government Administration).

Incident Description & Impact: A threat actor claims to have leaked 58,888 kb of data from BPJS Kesehatan, an Indonesian government administration organization. The nature of the leaked data was not specified beyond its size.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information, but the incident is categorized as a “Data Leak,” suggesting unauthorized access and exfiltration of data.

Associated Threat Actor(s): The incident is attributed to darknessX404. This threat actor is associated with financially motivated cybercriminal activities, often operating under a Ransomware-as-a-Service (RaaS) model.

References:

Alleged Sale of Custom RaaS for Windows/ESXi Platforms

Incident Title & Affected Entity: Alleged Sale of Custom RaaS for Windows/ESXi Platforms, with no specific victim organization or country identified.

Incident Description & Impact: A threat actor claims to be selling a custom-built Ransomware-as-a-Service (RaaS) builder and its source code. The malware is designed for Windows and ESXi systems, was written from scratch, and has not been previously leaked or publicly distributed. This sale contributes to the proliferation of sophisticated ransomware capabilities within the cybercriminal ecosystem.

Attack Vector & Methodology: This incident describes the sale of a malware builder, not an attack itself. The methodology involves the development and offering of RaaS tools on underground forums.

Associated Threat Actor(s): The incident is attributed to Navegante. This actor is involved in the development and sale of RaaS, a business model that lowers the barrier to entry for cybercriminals by providing pre-developed ransomware tools and infrastructure.

References:

Alleged database sale of USA – Police

Incident Title & Affected Entity: Alleged database sale of USA – Police, impacting U.S. police departments (USA, Security & Investigations).

Incident Description & Impact: A threat actor claims to be selling a 2.3 GB database allegedly containing sensitive information from U.S. police departments. This data potentially includes internal records, officer details, communications, and operational data, posing a significant risk to law enforcement operations and personnel.

Attack Vector & Methodology: The specific attack vector and methodology used to obtain this database were not detailed in the available information. The incident is categorized as a “Data Breach,” indicating unauthorized access and exfiltration.

Associated Threat Actor(s): The incident is attributed to USDeez. This hacktivist entity has a history of both hacktivism and financially motivated breaches, often using social engineering tactics to gain access to sensitive data. They are known for exaggerating claims to enhance their reputation.

References:

Alleged data leak of Department of Local Administration (DLA), Thailand

Incident Title & Affected Entity: Alleged data leak of Department of Local Administration (DLA), Thailand, impacting the Department of Local Administration (Thailand, Government Administration).

Incident Description & Impact: A group claims to have leaked the database of the Department of Local Administration (DLA), Thailand. This incident, categorized as a “Data Breach,” suggests unauthorized access and exfiltration of sensitive government data.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to NXBB.SEC. This group is associated with hacktivist activities, often claiming responsibility for data breaches and unauthorized access to government and educational entities, particularly in Thailand.

References:

Alleged data leak of National Root Certificate Authority

Incident Title & Affected Entity: Alleged data leak of National Root Certificate Authority, impacting the Agency for the Development of Electronic Government and the Information and Knowledge Society (Uruguay, Government Administration).

Incident Description & Impact: A threat actor claims to have leaked and cracked 30,000 PKI certificates, including National ID certificates issued by the Uruguayan root certificate authority. This type of leak could severely compromise digital identities and secure communications within the country.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” indicating unauthorized access and exfiltration of critical digital assets.

Associated Threat Actor(s): The incident is attributed to miandropacio. While a specific profile for “miandropacio” is not available in the provided research, the incident type suggests a financially motivated cybercriminal or a group with capabilities to target and exploit digital certificate infrastructure.

References:

Alleged database leak of Wishbone

Incident Title & Affected Entity: Alleged database leak of Wishbone, impacting Wishbone (USA, Social Media & Online Social Networking).

Incident Description & Impact: The threat actor claims to be leaking the user database of Wishbone, a U.S.-based social comparison platform. The breach allegedly occurred in January 2020 and affects over 9.7 million accounts. The leaked data reportedly includes usernames, full names, dates of birth, email addresses, geographic locations, IP addresses, profile photos, social media tokens, and passwords hashed using unsalted MD5, posing a significant risk for identity theft and credential stuffing attacks.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” indicating unauthorized access and exfiltration of a large user database.

Associated Threat Actor(s): The incident is attributed to wonder. While a specific profile for “wonder” is not available in the provided research, the incident type suggests a financially motivated cybercriminal group targeting large user databases for resale or exploitation.

References:

Alleged data leak of Moroccan Agricultural Development Agency

Incident Title & Affected Entity: Alleged data leak of Moroccan Agricultural Development Agency, impacting the Moroccan Agricultural Development Agency (Morocco, Agriculture & Farming).

Incident Description & Impact: A threat actor claims to have leaked sensitive data from the Moroccan Agricultural Development Agency. The compromised data allegedly includes personal information of citizens and farmers involved in agricultural programs, confidential records from government-funded projects (CREJ), internal archives containing secret communications and unpublished reports, and a full set of citizen and farmer data. This leak poses a significant risk to privacy and government operations.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” indicating unauthorized access and exfiltration of sensitive government and citizen data.

Associated Threat Actor(s): The incident is attributed to mecrobyte. While a specific profile for “mecrobyte” is not available in the provided research, the incident type suggests a financially motivated cybercriminal or a hacktivist group targeting government entities.

References:

Alleged sale of data from UAE Government & Educational Accounts

Incident Title & Affected Entity: Alleged sale of data from UAE Government & Educational Accounts, with no specific victim organization or country identified beyond UAE.

Incident Description & Impact: A threat actor claims to be selling leaked government website accounts, including those from schools, institutes, and government portals for the UAE. This sale of access could lead to further compromises, data breaches, and unauthorized activities within these critical sectors.

Attack Vector & Methodology: The specific attack vector and methodology used to obtain these accounts were not detailed in the available information. The incident is categorized as a “Data Leak,” suggesting unauthorized access and exfiltration of account credentials.

Associated Threat Actor(s): The incident is attributed to Hider_Nex. While a specific profile for “Hider_Nex” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in selling access to compromised accounts.

References:

Alleged Sale of Admin Access to French Organization

Incident Title & Affected Entity: Alleged Sale of Admin Access to French Organization, with no specific victim organization or industry identified beyond France.

Incident Description & Impact: A threat actor claims to be selling admin access to a French company’s internal network. This access allegedly includes domain admin rights, access to approximately 600 clients, and details about the organization’s antivirus protection and revenue. Such access could lead to widespread data theft, system disruption, or further exploitation.

Attack Vector & Methodology: The specific attack vector and methodology used to gain this admin access were not detailed in the available information. The incident is categorized as “Initial Access,” indicating a compromise that provides a foothold into the target network.

Associated Threat Actor(s): The incident is attributed to warri0r. While a specific profile for “warri0r” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in selling network access.

References:

Handala Hack Claims Evidence of Mossad Collaboration with Mojtaba Pourmohsen

Incident Title & Affected Entity: Handala Hack Claims Evidence of Mossad Collaboration with Mojtaba Pourmohsen, with no specific victim organization or country identified.

Incident Description & Impact: A recent post by the Handala group claims to expose alleged cooperation between the Mossad and Mojtaba Pourmohsen. The group alleges they have evidence from a private meeting in the UK. This incident is categorized as an “Alert,” indicating a public claim by a hacktivist group, often for propaganda or to draw attention to a political agenda.

Attack Vector & Methodology: The specific methodology for obtaining this alleged evidence was not detailed. Handala Hack is known for employing phishing campaigns, data theft, and destructive attacks using custom wiper malware. They often publicize their claims on social media platforms like Telegram and their data leak sites.

Associated Threat Actor(s): The incident is attributed to Handala Hack. This is a pro-Palestinian hacktivist group that specifically targets Israeli organizations, driven by motivations of sabotage and destruction. They are known for using phishing, data theft, extortion, and custom wiper malware.

References:

Alleged Sale of NFT Gift Drainer Script via Telegram Bot

Incident Title & Affected Entity: Alleged Sale of NFT Gift Drainer Script via Telegram Bot, with no specific victim organization or country identified.

Incident Description & Impact: A threat actor claims to be selling a drainer script designed to steal NFT gifts by tricking victims into adding a Telegram bot to a chat. This script specifically targets users with Premium accounts and access to desired NFTs, indicating a focus on exploiting cryptocurrency and digital asset holders.

Attack Vector & Methodology: This incident describes the sale of a malicious script. The methodology involves social engineering through a Telegram bot to trick users into enabling the script, which then drains NFT assets.

Associated Threat Actor(s): The incident is attributed to iventor01. While a specific profile for “iventor01” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in cryptocurrency and NFT theft.

References:

Alleged data leak of USA Corporate data

Incident Title & Affected Entity: Alleged data leak of USA Corporate data, impacting unspecified corporate entities in the USA.

Incident Description & Impact: A threat actor claims to have leaked 10 million lines of USA corporate data. The compromised data reportedly includes full names, phone numbers, email addresses, physical addresses, company names, job functions, and account metadata. This large-scale leak poses a significant risk for corporate espionage, targeted phishing, and other malicious activities.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” indicating unauthorized access and exfiltration of corporate information.

Associated Threat Actor(s): The incident is attributed to xcxcxc. While a specific profile for “xcxcxc” is not available in the provided research, the incident type suggests a financially motivated cybercriminal group specializing in large-scale data breaches and sales.

References:

Alleged data leak of A.M.S.C.I. – Auto Model Sport Club Italiano

Incident Title & Affected Entity: Alleged data leak of A.M.S.C.I. – Auto Model Sport Club Italiano, impacting A.M.S.C.I. – Auto Model Sport Club Italiano (Italy, Automotive).

Incident Description & Impact: A group claims to have leaked 15,000 data records from A.M.S.C.I. – Auto Model Sport Club Italiano. The compromised data allegedly includes full names, addresses, telephone numbers, emails, logins, and passwords, posing a risk for identity theft and unauthorized access.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to Perun Svaroga. This group is associated with hacktivist activities, often engaging in data dumps from various organizations. They are linked to the Guacamaya hacking group, known for infiltrating organizations and exfiltrating large volumes of data for public disclosure.

References:

Alleged data leak of CSIR CFTRI

Incident Title & Affected Entity: Alleged data leak of CSIR CFTRI, impacting CSIR-Central Food Technological Research Institute (India, Education).

Incident Description & Impact: A threat actor claims to have obtained over 1,000 data records from the CSIR-Central Food Technological Research Institute (CFTRI). The nature of the compromised data was not specified beyond the quantity.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” suggesting unauthorized access and exfiltration.

Associated Threat Actor(s): The incident is attributed to gesss. While a specific profile for “gesss” is not available in the provided research, the incident type suggests a financially motivated cybercriminal or a hacktivist group.

References:

Alleged data leak of Facebook accounts

Incident Title & Affected Entity: Alleged data leak of Facebook accounts, impacting Facebook users globally.

Incident Description & Impact: A threat actor claims to have leaked Facebook account details, providing samples of 200 accounts as proof of the breach. This incident, categorized as a “Data Leak,” indicates unauthorized access to user accounts, potentially leading to further compromises or identity theft.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. However, the associated threat actor, XrOOT01, is known for sophisticated SEO poisoning campaigns and credential harvesting via phishing pages targeting mobile devices.

Associated Threat Actor(s): The incident is attributed to XrOOT01. This cybercriminal group is known for financially motivated campaigns, particularly payroll fraud, and for using SEO poisoning and mobile device targeting for credential harvesting.

References:

Alleged data leak of Kongsberg Defence & Aerospace

Incident Title & Affected Entity: Alleged data leak of Kongsberg Defence & Aerospace, impacting Kongsberg Defence & Aerospace (Norway, Defense & Space).

Incident Description & Impact: The group claims to have leaked the database of Kongsberg Defence & Aerospace, a defense and space company. This incident, categorized as a “Data Breach,” suggests unauthorized access and exfiltration of sensitive data from a critical industry.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility. The associated threat actor, NoName057(16), is primarily known for DDoS attacks.

Associated Threat Actor(s): The incident is attributed to NoName057(16). This pro-Russian hacktivist group is primarily motivated by political reasons, seeking to destabilize anti-Russian forces. While known for DDoS attacks, they have also engaged in data leaks and website defacements.

References:

Alleged Database Leak of Free

Incident Title & Affected Entity: Alleged Database Leak of Free, impacting Free (France, Network & Telecommunications).

Incident Description & Impact: The threat actor claims to be selling a database allegedly containing information on 19 million users of the French telecommunications company Free.fr. The exposed data includes personal and financial information such as ID numbers, civility (e.g., Mr./Ms.), full names, phone numbers, email addresses, cities, postal codes, street addresses, company names, RIB (French bank account details), and subscription types. This large-scale leak poses a significant risk for identity theft, financial fraud, and targeted phishing.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” indicating unauthorized access and exfiltration of a large customer database.

Associated Threat Actor(s): The incident is attributed to parsingvoterdat. While a specific profile for “parsingvoterdat” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in large-scale data breaches and sales.

References:

Alleged Sale of Brazil-Based E-commerce Platform Access

Incident Title & Affected Entity: Alleged Sale of Brazil-Based E-commerce Platform Access, impacting an unspecified e-commerce shop in Brazil (Brazil, E-commerce & Online Stores).

Incident Description & Impact: The threat actor claims to be selling access to a compromised Brazil-based WordPress e-commerce shop referred to as “Brazil Shop WP.” The listing indicates full administrative access, including installed plugins, Elementor+ builder, and JavaScript links. Claimed order records from recent months are also included, with figures listed as 426 in May, 304 in June, and 28 in July. This access could lead to data theft, website defacement, or further exploitation of the e-commerce platform and its customers.

Attack Vector & Methodology: The specific attack vector and methodology used to gain this administrative access were not detailed in the available information. The incident is categorized as “Initial Access,” indicating a compromise that provides a foothold into the target system.

Associated Threat Actor(s): The incident is attributed to SaraKELP1. While a specific profile for “SaraKELP1” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in selling access to compromised web platforms.

References:

Alleged sale of data from USA

Incident Title & Affected Entity: Alleged sale of data from USA, impacting unspecified individuals in the USA.

Incident Description & Impact: A threat actor claims to be selling 38,924 records of USA citizens. The compromised data reportedly includes first and last name, Social Security Number (SSN), date of birth (DOB), driver’s license number, full address including city, state, and ZIP code, phone number, email address, bank name, IBAN or account details, loan information, income, and IP address. This highly sensitive data poses an extreme risk for identity theft, financial fraud, and other severe malicious activities.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” indicating unauthorized access and exfiltration of personal and financial data.

Associated Threat Actor(s): The incident is attributed to Panda. While “Panda” is an alias for several nation-state threat actors (e.g., MUSTANG PANDA, Aquatic Panda) in the broader threat intelligence landscape, the nature of this specific incident (selling personal data) suggests a financially motivated cybercriminal. The specific TTPs for this “Panda” actor in this context are not detailed in the provided research.

References:

Alleged data leak of 90K U.S. Police Records

Incident Title & Affected Entity: Alleged data leak of 90K U.S. Police Records, impacting U.S. police officers (USA, Law Enforcement).

Incident Description & Impact: A threat actor claims to have leaked a CSV database containing personal and professional details of over 90,000 U.S. police officers. The leaked data reportedly includes names, email addresses, phone numbers, IP addresses, agency names, ranks, training data, and more. This leak poses a significant risk to the privacy and security of law enforcement personnel.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” indicating unauthorized access and exfiltration of sensitive personnel data.

Associated Threat Actor(s): The incident is attributed to parsingvoterdat. This actor is associated with financially motivated cybercriminal activities, specializing in large-scale data breaches and sales.

References:

Alleged sale of source code of the Porschell bot

Incident Title & Affected Entity: Alleged sale of source code of the Porschell bot, with no specific victim organization or country identified.

Incident Description & Impact: A threat actor claims to be selling the source code of the Porschell bot, a PowerShell-based malware with x86/x64 shellcode, AMSI bypass, console access, file upload capabilities, and a custom lightweight protocol for C2 communication. The malware is reportedly tested to evade CrowdStrike and enterprise-grade defenses. This sale contributes to the proliferation of advanced malware capabilities within the cybercriminal ecosystem.

Attack Vector & Methodology: This incident describes the sale of malware source code, not an attack itself. The methodology involves the development and offering of sophisticated malware tools on underground forums.

Associated Threat Actor(s): The incident is attributed to cockpilot. While “cockpilot” is not a recognized threat actor group in the provided research, the incident describes the sale of malware source code, suggesting an individual or group involved in malware development and distribution.

References:

Alleged data breach of WIN

Incident Title & Affected Entity: Alleged data breach of WIN, impacting WIN (Peru, Network & Telecommunications).

Incident Description & Impact: The threat actor claims to be selling 350,395 data records from WIN, a Peruvian telecommunications company. The listing notes that WIN was previously breached on November 26, 2024, indicating a recurring vulnerability or targeted attacks.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” suggesting unauthorized access and exfiltration of customer data.

Associated Threat Actor(s): The incident is attributed to injectioninferno. While a specific profile for “injectioninferno” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in data breaches and sales.

References:

Alleged Sale of PlayStation Network Brute/Checker

Incident Title & Affected Entity: Alleged Sale of PlayStation Network Brute/Checker, with no specific victim organization or country identified.

Incident Description & Impact: A threat actor is offering to sell a PlayStation Network (PSN) Brute/Checker tool (2025 Edition) that uses the socket method. The tool claims enhanced performance through GPU acceleration and support for various proxy and automation features. This sale contributes to the proliferation of tools used for credential stuffing and account takeover attacks targeting gaming platforms.

Attack Vector & Methodology: This incident describes the sale of a malicious tool, not an attack itself. The methodology involves the development and offering of brute-forcing and checking tools on underground forums.

Associated Threat Actor(s): The incident is attributed to verep4259. While a specific profile for “verep4259” is not available in the provided research, the incident type suggests an individual or group involved in developing and selling tools for account compromise.

References:

Alleged Sale of Unauthorized Access to Keycloak Admin Panels

Incident Title & Affected Entity: Alleged Sale of Unauthorized Access to Keycloak Admin Panels, with no specific victim organization or country identified.

Incident Description & Impact: The threat actor claims to be offering admin access to five Keycloak panels with full privileges across multiple realms, including security systems (G4S), financial services (Abadea & Abe-sit), and healthcare portals. The claimed capabilities include user management, SAML/OAuth key extraction, credential harvesting, and backdoor implantation. This sale of high-level access poses a severe risk of widespread data breaches and system compromises across several critical sectors.

Attack Vector & Methodology: The specific attack vector and methodology used to gain this administrative access were not detailed in the available information. The incident is categorized as “Initial Access,” indicating a compromise that provides a foothold into identity and access management systems.

Associated Threat Actor(s): The incident is attributed to pablo3scobar. While a specific profile for “pablo3scobar” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in selling access to critical IT infrastructure.

References:

Alleged data breach of WOW Perú

Incident Title & Affected Entity: Alleged data breach of WOW Perú, impacting WOW Perú (Peru, Network & Telecommunications).

Incident Description & Impact: The threat actor claims to have breached the database of WOW Perú, a telecommunications company. The compromised data reportedly includes names, phone numbers, email addresses, document types, and other fields, posing a risk of identity theft and targeted phishing.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” suggesting unauthorized access and exfiltration of customer data.

Associated Threat Actor(s): The incident is attributed to injectioninferno2. This actor is linked to Pioneer Kitten (UNC757), an Iran-based malicious cyber actor known for exploiting publicly known vulnerabilities in remote external services to gain initial access and maintain persistence. They have been observed selling access to compromised network infrastructure on online hacker forums.

References:

Alleged sale of 0-day server-side prototype pollution exploit targeting Bitmart.com

Incident Title & Affected Entity: Alleged sale of 0-day server-side prototype pollution exploit targeting Bitmart.com, impacting Bitmart (Financial Services).

Incident Description & Impact: The threat actor claims to be selling a 0-day server-side prototype pollution exploit targeting Bitmart.com, a top global cryptocurrency exchange. The vulnerability, due to an unpatched JavaScript deserialization flaw in the Node.js backend, allegedly allows remote code execution, super-admin privilege escalation, wallet and balance manipulation, and API key theft. This exploit poses an extreme risk to the cryptocurrency exchange and its users.

Attack Vector & Methodology: This incident describes the sale of a 0-day exploit, not an attack itself. The methodology involves the discovery and offering of a critical vulnerability on underground forums.

Associated Threat Actor(s): The incident is attributed to pablo3scobar. This actor is associated with financially motivated cybercriminal activities, specializing in selling access and exploits for critical IT infrastructure.

References:

Alleged data breach of Texas Department of Transportation

Incident Title & Affected Entity: Alleged data breach of Texas Department of Transportation, impacting the Texas Department of Transportation (USA, Government Administration).

Incident Description & Impact: The threat actor claims to be selling 300,000 data records from the Texas Department of Transportation. The data includes report ID, full name, address, driver’s license number, license state, DOB, email, phone, vehicle model, vehicle year, insurance provider, policy number, accident date, accident location, and accident description. This extensive leak poses a significant risk for identity theft, fraud, and other malicious activities.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” suggesting unauthorized access and exfiltration of sensitive government and citizen data.

Associated Threat Actor(s): The incident is attributed to Leonsky. While a specific profile for “Leonsky” is not available in the provided research, the incident type suggests a financially motivated cybercriminal specializing in data breaches and sales.

References:

Alleged Data Leak of 1.2 Billion Device IDs and MAID Data

Incident Title & Affected Entity: Alleged Data Leak of 1.2 Billion Device IDs and MAID Data, impacting unspecified mobile device users (Consumer Electronics).

Incident Description & Impact: The threat actor claims to have leaked 1.2 billion mobile device records, including Mobile Advertising IDs (MAIDs), hashed IDs, IP addresses, device models, and locations. This massive data leak could be used for targeted advertising fraud, tracking, and other privacy-invasive activities.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Leak,” suggesting unauthorized access and exfiltration of a vast amount of mobile device data.

Associated Threat Actor(s): The incident is attributed to DeepBlueSea. While a specific profile for “DeepBlueSea” is not available in the provided research, the incident type suggests a data broker or a cybercriminal specializing in large-scale data acquisition and sale.

References:

Alleged leak of unauthorized access to Ministry of Higher Education, Science, Research and Innovation

Incident Title & Affected Entity: Alleged leak of unauthorized access to Ministry of Higher Education, Science, Research and Innovation, impacting the Ministry of Higher Education, Science, Research and Innovation (Thailand, Government Administration).

Incident Description & Impact: A group claims to have leaked admin access to the website of the Ministry of Higher Education, Science, Research and Innovation. This incident, categorized as “Initial Access,” suggests a compromise that provides a foothold into a critical government website, potentially leading to further data breaches or system manipulation.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to NXBB.SEC. This group is associated with hacktivist activities, often claiming responsibility for data breaches and unauthorized access to government and educational entities, particularly in Thailand.

References:

NXBB.SEC claims to target Ministry of Higher Education, Science, Research and Innovation

Incident Title & Affected Entity: NXBB.SEC claims to target Ministry of Higher Education, Science, Research and Innovation, impacting the Ministry of Higher Education, Science, Research and Innovation (Thailand, Government & Public Sector).

Incident Description & Impact: A recent post by the NXBB.SEC group indicated that they are targeting the Ministry of Higher Education, Science, Research and Innovation. This incident is categorized as an “Alert,” indicating a public declaration of intent by a hacktivist group, often preceding an actual attack.

Attack Vector & Methodology: This incident describes a public declaration of targeting, not an attack itself. NXBB.SEC is known for using Telegram to announce their intentions and claim responsibility for attacks.

Associated Threat Actor(s): The incident is attributed to NXBB.SEC. This group is associated with hacktivist activities, often claiming responsibility for data breaches and unauthorized access to government and educational entities, particularly in Thailand.

References:

Alleged leak of unauthorized access to Secondary Education Service Area Office, Surin in Thailand

Incident Title & Affected Entity: Alleged leak of unauthorized access to Secondary Education Service Area Office, Surin in Thailand, impacting the Secondary Education Service Area Office, Surin (Thailand, Education).

Incident Description & Impact: A group claims to have leaked admin access to the website of the Secondary Education Service Area Office, Surin in Thailand. This incident, categorized as “Initial Access,” suggests a compromise that provides a foothold into an educational institution’s website, potentially leading to further data breaches or system manipulation.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to NXBB.SEC. This group is associated with hacktivist activities, often claiming responsibility for data breaches and unauthorized access to government and educational entities, particularly in Thailand.

References:

Alleged data breach of Secondary Educational Service Area Office, Surin

Incident Title & Affected Entity: Alleged data breach of Secondary Educational Service Area Office, Surin, impacting the Secondary Educational Service Area Office, Surin (Thailand, Higher Education/Academia).

Incident Description & Impact: The threat actor claims to have breached the website of the Secondary Educational Service Area Office, Surin. This incident, categorized as a “Data Breach,” suggests unauthorized access and exfiltration of data from an educational institution.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to NXBB.SEC. This group is associated with hacktivist activities, often claiming responsibility for data breaches and unauthorized access to government and educational entities, particularly in Thailand.

References:

Alleged leak of access to Israel tv channels

Incident Title & Affected Entity: Alleged leak of access to Israel tv channels, impacting unspecified TV channels in Israel (Israel, Broadcast Media).

Incident Description & Impact: The group claims to be leaking access to Israel TV channels. This incident, categorized as “Initial Access,” suggests a compromise that provides a foothold into broadcast media systems, potentially leading to content manipulation or disruption.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to Akatsuki cyber team (official). This is a pro-Palestinian and pan-Muslim hacktivist group that explicitly rejects Israel’s legitimacy and aims to unite various actors for a broader, coordinated cyber offensive. They engage in DDoS attacks, intrusion attempts, malware deployment, and data theft campaigns.

References:

Alleged data breach of Ministry of Defense of the Republic of Indonesia

Incident Title & Affected Entity: Alleged data breach of Ministry of Defense of the Republic of Indonesia, impacting the Ministry of Defense of the Republic of Indonesia (Indonesia, Defense & Space).

Incident Description & Impact: A threat actor claims to have leaked a CSV database containing personal and professional details of over 700,000 civil service exam candidates from Indonesia’s Ministry of Defense (KEMHAN RI). The data includes ID numbers, names, exam details, job positions, and assigned military units. This large-scale leak poses a significant risk to national security and the privacy of individuals seeking government positions.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” suggesting unauthorized access and exfiltration of sensitive government personnel data.

Associated Threat Actor(s): The incident is attributed to DigitalGhost. This actor is associated with the Ghost ransomware group, which originates from China and targets victims with outdated software and firmware, exploiting known vulnerabilities. They also leverage legitimate cybersecurity tools like Cobalt Strike for access and privilege escalation.

References:

Alleged data breach of Aurion People & Payroll Solutions

Incident Title & Affected Entity: Alleged data breach of Aurion People & Payroll Solutions, impacting Aurion People & Payroll Solutions (Australia, Software Development).

Incident Description & Impact: The threat actor claims to be selling 600,000 records from Aurion, which appears to be a U.S.-based business directory-style data dump. The data includes detailed personal and business information such as names, email addresses, physical addresses, phone numbers, business categories, and associated websites largely from organizations located in Illinois, USA. The database contains records of various sectors including real estate, advertising, engineering, restaurants, insurance, schools, government offices, and more. This large-scale leak poses a significant risk for targeted phishing, fraud, and other malicious activities.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident is categorized as a “Data Breach,” suggesting unauthorized access and exfiltration of business and personal data.

Associated Threat Actor(s): The incident is attributed to DigitalGhost. This actor is associated with the Ghost ransomware group, which originates from China and targets victims with outdated software and firmware, exploiting known vulnerabilities. They also leverage legitimate cybersecurity tools like Cobalt Strike for access and privilege escalation.

References:

Alleged Sale of 0day Linux Kernel LPE Exploit

Incident Title & Affected Entity: Alleged Sale of 0day Linux Kernel LPE Exploit, with no specific victim organization or country identified.

Incident Description & Impact: A threat actor claims to be selling a local privilege escalation (LPE) 0-day exploit for the Linux kernel. This type of exploit allows an attacker who has already gained a foothold on a Linux system to elevate their privileges to root, gaining full control. This sale contributes to the proliferation of critical vulnerabilities within the cybercriminal ecosystem.

Attack Vector & Methodology: This incident describes the sale of a 0-day exploit, not an attack itself. The methodology involves the discovery and offering of a critical vulnerability on underground forums.

Associated Threat Actor(s): The incident is attributed to Nadenunr. While “Nadenunr” is not a recognized threat actor group in the provided research, the incident describes the sale of a Linux kernel exploit, suggesting an individual or group involved in vulnerability research and exploitation.

References:

Team 1945 targets the website of Ananda Stores

Incident Title & Affected Entity: Team 1945 targets the website of Ananda Stores, impacting Ananda Stores (India, Retail Industry).

Incident Description & Impact: The group claims to have defaced the website of Ananda Stores. This incident, categorized as “Defacement,” indicates unauthorized modification of a website’s content, often for political or ideological reasons, or simply for notoriety.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to Team 1945. This group is associated with TeaMp0isoN, a hacktivist group known for website vandalism, defacement, and data leaks.

References:

Team 1945 targets the website of venturacom/

Incident Title & Affected Entity: Team 1945 targets the website of venturacom/, impacting Venturacom (Brazil, Marketing, Advertising & Sales).

Incident Description & Impact: The group claims to have defaced the website of Venturacom. This incident, categorized as “Defacement,” indicates unauthorized modification of a website’s content, often for political or ideological reasons, or simply for notoriety.

Attack Vector & Methodology: The specific attack vector and methodology were not detailed in the available information. The incident was reported on Telegram, a common platform for hacktivist groups to claim responsibility.

Associated Threat Actor(s): The incident is attributed to Team 1945. This group is associated with TeaMp0isoN, a hacktivist group known for website vandalism, defacement, and data leaks.

References:

IV. In-Depth Threat Actor Profiles

This section provides detailed profiles for the unique threat actors identified in the reported incidents, along with other prominent actors in the current threat landscape.

1. DarkSide (Cybercriminal Group)

Origin & Motivation: DarkSide is a cybercriminal hacking group believed to be based in Eastern Europe, likely Russia.9 Its primary motivation is financial gain, operating under a Ransomware-as-a-Service (RaaS) model.1 The group claims to avoid targeting hospitals, schools, non-profits, and governments, instead focusing on organizations capable of paying substantial ransoms. It has even attempted to cultivate a “Robin Hood” image by purportedly donating a portion of its illicit proceeds to charity.9

Known Tactics, Techniques, and Procedures (TTPs): DarkSide is a prominent RaaS provider, offering its ransomware tools to affiliates in exchange for a percentage of the ransom payments (e.g., 25% for ransoms under $500,000 and 10% for larger amounts).1 Affiliates are reportedly screened and provided access to an administration panel that allows for customization of ransomware builds.9 The group employs an exclusion list, avoiding targets in specific geographic locations by checking system language settings.9 While not explicitly detailed in the provided information for DarkSide, RaaS models commonly utilize double extortion, where data is not only encrypted but also exfiltrated, with threats to publish it if the ransom is not paid.2 Given DarkSide’s RaaS framework, this tactic is highly probable.

Notable Past Operations: DarkSide was first identified in August 2020.9 It gained significant notoriety for its involvement in the 2021 Colonial Pipeline attack.1 The group has also attacked other notable entities, including the IT managed services provider CompuCom, Canadian Discount Car and Truck Rentals, and Toshiba Tec Corp.9 DarkSide successfully extorted money from the German company Brenntag.9 Analysis of cryptocurrency wallets linked to DarkSide indicates that the group received over $90 million in ransom payments from at least 47 victims, with an average payment of $1.9 million.9

2. USDoD (Hacktivist Entity)

Origin & Motivation: USDoD is a hacktivist entity that has also engaged in financially motivated breaches.10 It is known for exaggerating its claims, likely as a strategy to enhance its reputation within both hacktivist and eCrime communities.10

Known Tactics, Techniques, and Procedures (TTPs): The group primarily relies on social engineering tactics to gain access to sensitive data.10 USDoD claims to conduct hack-and-leak operations, although some of these claims have been refuted by industry sources, suggesting they were achieved through web scraping rather than targeted intrusions.10 A notable development in its activities since January 2024 is its diversification into administering eCrime forums.10

Notable Past Operations: In July 2024, USDoD claimed on BreachForums to have leaked CrowdStrike’s “entire threat actor list” and “entire IOC list,” providing sample data to support its assertions.10 The group also alleged possession of large databases from an oil company and a pharmaceutical industry outside the USA.10 Its history includes a previously exaggerated claim of a hack-and-leak operation against a professional-networking platform.10

3. Handala Hack Team (Hacktivist Group)

Aliases: Handala, Hatef Handala.11

Origin & Motivation: Handala Hack Team is a pro-Palestinian hacktivist group that specifically targets Israeli organizations.11 While they present themselves as a newly formed activist group, their identity behind social media profiles remains uncertain.12 Their core motivation is sabotage and destruction, driven by pro-Palestinian hacktivism.12

Known Tactics, Techniques, and Procedures (TTPs): The group employs phishing campaigns, often exploiting major events and critical vulnerabilities to achieve initial access.11 They engage in data theft and extortion.11 A key aspect of their operations involves destructive attacks using custom wiper malware, such as Hamsa Wiper and Hatef Wiper, which are designed to target both Windows and Linux environments.11 They utilize a multi-stage loading process, including a Delphi-coded second-stage loader and an AutoIT injector, to deliver their wiper malware.11 To publicize stolen data, Handala operates a dedicated data leak site.11 The group is highly active on social media platforms like Telegram, Tox, Twitter, and BreachForums, where they claim responsibility for attacks in real-time and mock their targets, including the Israel National Cyber Directorate (INCD).12

Notable Past Operations: In December 2023, Handala Hack Team executed “Operation HamsaUpdate,” a sophisticated campaign that deployed wipers and posed a significant risk to Israeli infrastructure.11 The group has positioned itself within the broader pan-Muslim hacktivist narrative, explicitly rejecting Israel’s legitimacy and expressing intentions to unite additional actors for a more coordinated cyber offensive.13

4. Guacamaya (Hacktivist Group)

Origin & Motivation: Guacamaya is a Central American hacking group that has been active since March 2022.15 The group’s stated motivation is to combat environmental devastation and exploitation in the region.15 They view military and police forces in Central and South America (referred to as Abya Yala) as tools of “North American imperialism” and as enablers of the “extractivist presence of the Global North”.15 They describe these forces as “violent repressive forces, criminals against the peoples themselves”.15

Known Tactics, Techniques, and Procedures (TTPs): Guacamaya’s primary method involves infiltrating organizations and exfiltrating large volumes of data.15 They then publicly disclose these data dumps, often via “Enlace Hacktivista,” a website dedicated to hacker history and information security resources.15 More sensitive datasets are sometimes shared with journalists and researchers through platforms like DDoSecrets.15

Notable Past Operations: Guacamaya’s initial release in March 2022 targeted a Swiss mining consortium in Guatemala, contributing to the “Mining Secrets” international reporting project.15 Prior to September 2022, they also targeted the federal prosecutor’s office in Colombia and various international mining and energy companies, along with their regulatory agencies, across multiple regional countries.15 In September 2022, the group released approximately 10 terabytes of emails and other materials from military and police agencies in Chile, Mexico, El Salvador, Colombia, and Peru.15

5. MUSTANG PANDA (Nation-State Threat Actor)

Aliases: BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon.16

Origin & Motivation: MUSTANG PANDA is a threat actor with a Chinese nexus, primarily motivated by espionage.17 The group focuses on targeting non-governmental organizations (NGOs) and frequently employs Mongolian-themed lures and language decoys, suggesting a specific interest in intelligence gathering related to Mongolia.17

Known Tactics, Techniques, and Procedures (TTPs): Historically, MUSTANG PANDA has utilized common malware families such as Poison Ivy or PlugX.17 More recently, the group has adopted unique infection chains involving a series of redirections and fileless, malicious implementations of legitimate tools to gain initial access to targeted systems.17 They have also been observed reusing previously legitimate domains to host their malicious files.17 Associated malware families include win.toneshell, win.fdmtp, win.hodur, win.mqsttang, and win.doplugs.17

Notable Past Operations: CrowdStrike Falcon Intelligence first observed MUSTANG PANDA in April 2017, when it targeted a U.S.-based think tank.17 The group has been linked to the use of a new PlugX variant targeting the Taiwanese government and diplomats, as well as cyberespionage attacks against Southeast Asian governments.17

6. Aquatic Panda (Nation-State Threat Actor)

Aliases: Earth Lusca, TAG-22, Charcoal Typhoon, RedHotel, BRONZE UNIVERSITY, CHROMIUM, Red Dev 10, BountyGlad, ControlX, Red Scylla, FISHMONGER.18

Origin & Motivation: Aquatic Panda is a suspected China-based, state-sponsored threat group with a primary focus on intelligence gathering and industrial espionage.18 The group has been linked to i-Soon, a Chinese technology company reportedly involved in global cyber intrusions under the direction of China’s Ministry of State Security (MSS) and Ministry of Public Security (MPS).18 Its operational focus is on long-term, persistent campaigns designed to harvest intelligence from carefully selected targets aligned with China’s strategic interests.18

Known Tactics, Techniques, and Procedures (TTPs): Aquatic Panda gains initial access primarily through vulnerability exploitation and watering hole attacks, often targeting unpatched servers.18 The group heavily relies on the ShadowPad backdoor, a modular malware platform commonly used by Chinese APT groups, which is designed for stealth and only decoded in memory to evade static detection.18 For command and control (C2), they use encrypted and stealthy communication channels, including custom domain generation algorithms (DGAs) and DNS-based communication.18 Post-exploitation activities involve deploying additional payloads, escalating privileges, and focusing on quiet persistence using customized implants for long-term access.18 The group employs anti-analysis and obfuscation techniques, such as obfuscated shellcode loaders and custom encryption algorithms.18

Table 2: Aquatic Panda Threat Actor TTPs (MITRE ATT&CK Mapping)

ID          Name                   Use
T1087       Account Discovery      Used the "last" command in Linux to identify recently logged-in users.
T1595.002   Active Scanning: …     …

…source Used: Cobalt Strike, njRAT, ShadowPad, Wevtutil, Winnti for Linux, Winnti for Windows.18

Notable Past Operations: Aquatic Panda has conducted campaigns involving ShadowPad and skip-2.0 against universities in Hong Kong in 2020, focusing on espionage and long-term surveillance.18 Their 2022 campaign showed a broad international reach, with confirmed compromises in Asia (Taiwan, Thailand), Europe (e.g., a Catholic organization in Hungary, a geopolitical think tank in France), and North America (e.g., a Catholic charity, a U.S. NGO).18 They have also targeted Chinese trading companies, indicating that even domestic entities are not immune to their surveillance efforts.18

7. NoName057(16) (Hacktivist Group)

Origin & Motivation: NoName057(16) is a pro-Russian hacktivist group that first emerged in March 2022.7 Its primary motivation is political, aiming to destabilize anti-Russian forces and promote pro-Russian nationalism.8

Known Tactics, Techniques, and Procedures (TTPs): The group’s main method of attack involves Distributed Denial-of-Service (DDoS) attacks.7 They utilize a custom DDoS tool named DDOSIA, which repeatedly issues network requests to overwhelm target sites.7 NoName057(16) operates extensively through Telegram channels, where they claim responsibility for their attacks, mock targets, issue threats, and share educational content.7 They have also used GitHub to host their DDoS tool website and associated repositories.7 Their attack methodology includes spreading the Bobik bot via the RedLine Stealer, which then extracts and drops the final DDoS module to ensure sustained DDoS attacks.8 In some instances, they have also performed website defacements.7

Notable Past Operations: Since March 2022, NoName057(16) has conducted over 1,500 DDoS attacks on pro-NATO countries, reporting a 40% success rate.8 Their targets have included Ukrainian, American, and European government agencies, media, and private companies.7 Specific campaigns include attacks on Canadian government and Quebec websites in September 2023, impacting ports and banks.7 They have also targeted Baltic states (Lithuania, Estonia, Latvia), disrupting train ticket systems and central bank websites.7 In January 2023, they launched attacks on the Danish financial sector and Ministry of Finance,7 and they have also targeted Czech presidential election websites and Polish entities.8

8. XrOOT01 (Cybercriminal Group)

Origin & Motivation: While not explicitly stated, the activities of XrOOT01, particularly its involvement in payroll fraud campaigns, strongly indicate a financial motivation.5

Known Tactics, Techniques, and Procedures (TTPs): XrOOT01 employs sophisticated SEO poisoning techniques, creating fake authentication portals that achieve high rankings in search results to trick employees into divulging credentials.5 A key characteristic of their operations is the specific targeting of employee mobile devices, exploiting the fact that these devices often lack the robust enterprise-grade security measures present on corporate networks.5 When accessed from a mobile device, the malicious sites redirect users to convincing phishing pages that mimic legitimate login portals, such as Microsoft login pages, to capture credentials.5

A notable aspect of their evasion strategy is the use of residential IP addresses, which are frequently linked to compromised home office routers (e.g., ASUS, Pakedge).5 These compromised routers are often part of larger botnets, sold as proxy networks on criminal marketplaces, allowing XrOOT01 to mask their true origin and blend their malicious traffic with normal residential network activity, thereby bypassing traditional security measures.5 The group also utilizes legitimate services like Pusher to receive real-time notifications of stolen credentials, enabling them to quickly reuse compromised accounts before victims can react.5 Once credentials are obtained, they access human resources platforms, such as SAP SuccessFactors, to manipulate direct deposit information and redirect paychecks.5 Furthermore, XrOOT01 engages in credential harvesting by leveraging socially engineered emails that contain links to legitimate file-sharing services (e.g., DRACOON.team) hosting malicious PDF documents.19 These PDFs contain secondary links that direct victims to attacker-controlled reverse proxies designed to impersonate legitimate login portals (e.g., Microsoft 365), effectively stealing credentials and session cookies, and potentially bypassing multi-factor authentication (MFA).19 This activity is believed to be associated with the EvilProxy phishing suite.19

Notable Past Operations: XrOOT01 was observed in a unique SEO poisoning attack that led to payroll fraud in the manufacturing sector in May 2025.5 Its TTPs closely matched those identified in two prior investigations in late 2024, suggesting an ongoing and consistent campaign.5

9. Akatsuki Cyber Team (Hacktivist Group)

Origin & Motivation: Akatsuki Cyber Team is a pro-Palestinian and pan-Muslim hacktivist group.13 The group explicitly rejects Israel’s legitimacy as a state and aims to unite various actors for a broader, coordinated cyber offensive.13

Known Tactics, Techniques, and Procedures (TTPs): The Akatsuki Cyber Team demonstrates coordination with other hacktivist entities, including Mysterious Team, Z-Alliance, Server Killers, GhostSec, Keymous+, and even Noname057(16).13 Their activities encompass a range of cyberattacks, including Distributed Denial of Service (DDoS) attacks, intrusion attempts, malware deployment, and data theft campaigns.14 The group also actively engages in propaganda, amplifying pro-Iran messaging and utilizing digital platforms for influence operations.[13, 1

Works cited

  1. What is ransomware-as-a-service (RaaS)? | Cloudflare, accessed July 9, 2025, https://www.cloudflare.com/learning/security/ransomware/ransomware-as-a-service/
  2. Ransomware as a service – Wikipedia, accessed July 9, 2025, https://en.wikipedia.org/wiki/Ransomware_as_a_service
  3. Threat Context Monthly: Green Nailao & UNC3886 – Outpost24, accessed July 9, 2025, https://outpost24.com/blog/threat-context-monthly-march-2025-green-nailao-unc3886/
  4. Cybercrime: A Multifaceted National Security Threat | Google Cloud Blog, accessed July 9, 2025, https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat
  5. Threat Spotlight: Hijacked Routers and Fake Searches Fueling …, accessed July 9, 2025, https://reliaquest.com/blog/threat-spotlight-payroll-fraud-attackers-stealing-paychecks-seo-poisoning/
  6. “Operation LongFang” : Attribution and Analysis of a Chinese Cyber …, accessed July 9, 2025, https://medium.com/@gunthertrigger/operation-longfang-attribution-and-analysis-of-a-chinese-cyber-espionage-campaign-9716da62b924
  7. Noname057(16) – Wikipedia, accessed July 9, 2025, https://en.wikipedia.org/wiki/Noname057(16)
  8. Unmasking NoName057(16): Botnets, DDoSia, and NATO – CybelAngel, accessed July 9, 2025, https://cybelangel.com/unmasking-noname05716/
  9. DarkSide (hacker group) – Wikipedia, accessed July 9, 2025, https://en.wikipedia.org/wiki/DarkSide_(hacker_group)
  10. Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s …, accessed July 9, 2025, https://www.crowdstrike.com/en-us/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
  11. Handala (Threat Actor) – Malpedia, accessed July 9, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/handala
  12. Handala Hack Team – Threat Group Cards: A Threat Actor …, accessed July 9, 2025, https://apt.etda.or.th/cgi-bin/showcard.cgi?g=Handala%20Hack%20Team&n=1
  13. How hacktivist cyber operations surged amid Israeli-Iranian conflict – Outpost24, accessed July 9, 2025, https://outpost24.com/blog/hacktivist-cyber-operations-iran-israel/
  14. Reflections of the Israel-Iran Conflict on the Cyber World – SOCRadar, accessed July 9, 2025, https://socradar.io/reflections-of-israel-iran-conflict-cyber-world/
  15. Hacking group focused on Central America dumps 10 terabytes of …, accessed July 9, 2025, https://cyberscoop.com/central-american-hacking-group-releases-emails/
  16. Threat Actors (powered by MISP) – Malpedia, accessed July 9, 2025, https://malpedia.caad.fkie.fraunhofer.de/actors
  17. MUSTANG PANDA (Threat Actor) – Malpedia, accessed July 9, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/mustang_panda
  18. Dark Web Profile: Aquatic Panda – SOCRadar® Cyber Intelligence Inc., accessed July 9, 2025, https://socradar.io/dark-web-profile-aquatic-panda/
  19. Threat Actors Leverage File-Sharing Service and Reverse Proxies …, accessed July 9, 2025, https://www.trendmicro.com/en_us/research/23/k/threat-actors-leverage-file-sharing-service-and-reverse-proxies.html