[July-26-2025] Daily Cybersecurity Threat Report

This report details a series of recent cyber incidents, providing key information for each event, including published URLs and associated screenshots. It is based strictly on the provided data, with incidents updated as of July 26, 2025.1 The information presented herein reflects claims made by threat actors and is compiled without additional external verification; it is a direct representation of activity observed in the cyber underground.

Incident Details

The following section presents a chronological compilation of recent cyber incidents, each categorized by the nature of the event and detailing the claims made by the respective threat actors. The consistent use of “Alleged” in many incident titles indicates that the information is derived from threat actor postings and claims, rather than independently verified breaches or access confirmations.1 This linguistic precision is crucial for understanding the origin and context of the intelligence, emphasizing that these are reports of observed threat actor activity and their asserted capabilities or acquisitions.

  1. Alleged leak of admin access to Scout, Red Cross Cadet & Student Affairs Bureau
  • Category: Initial Access 1
  • Content: Group claims to have leaked admin access to the website of Scout, Red Cross Cadet & Student Affairs Bureau in Thailand. 1
  • Date: 2025-07-26T14:43:12Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/nxbbsec/1536) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/63bf5bb7-c435-4a94-b93e-6825a0cb2231.JPG 1
    https://d34iuop8pidsy8.cloudfront.net/a82163c9-4bdc-4bff-8442-026d2550d2ae.jpeg 1
  • Threat Actors: NXBB.SEC 1
  • Victim Country: Thailand 1
  • Victim Industry: Government Administration 1
  • Victim Organization: scout, red cross cadet & student affairs bureau 1
  • Victim Site: bureausrs.moe.go.th 1
  2. Alleged leak of unauthorized access to Pattaya human resource management system
  • Category: Initial Access 1
  • Content: The group claims to have gained unauthorized access to the Pattaya Human Resource Management System. 1
  • Date: 2025-07-26T14:37:50Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/nxbbsec/1542) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/cc1823b8-3d56-4e05-9112-c821aad9ca7b.png 1
  • Threat Actors: NXBB.SEC 1
  • Victim Country: Thailand 1
  • Victim Industry: Government Administration 1
  • Victim Organization: pattaya human resource management system 1
  • Victim Site: hr.pattaya.go.th 1
  3. Alleged unauthorized access to Great Lakes Water Authority
  • Category: Initial Access 1
  • Content: The group claims to have gained unauthorized access to Great Lakes Water Authority (GLWA). 1
  • Date: 2025-07-26T14:15:36Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/Golden_falcon_team/442) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/91a5e7a5-382c-4e35-aeff-87796e3217cb.png 1
  • Threat Actors: Golden falcon 1
  • Victim Country: USA 1
  • Victim Industry: Energy & Utilities 1
  • Victim Organization: great lakes water authority (glwa) 1
  • Victim Site: glwater.org 1
  4. H3C4KEDZ claims to target Thailand
  • Category: Alert 1
  • Content: A recent post by the group indicates that they are targeting Thailand. 1
  • Date: 2025-07-26T14:07:10Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/We_H3c4kedz1/330) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/5e7cf2c3-a2d3-4b2e-a4f2-b0a990827e04.png 1
  • Threat Actors: H3C4KEDZ 1
  • Victim Country: Thailand 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  5. JoKeiR 07x claims to target Tunisia
  • Category: Alert 1
  • Content: A recent post by the group indicates that they are targeting Tunisia. 1
  • Date: 2025-07-26T13:56:14Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/JokeirR07x/151?single) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/c197a11e-a20b-4205-9164-600b941b0b66.JPG 1
  • Threat Actors: JoKeiR 07x 1
  • Victim Country: Tunisia 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  6. Alleged Sale of Saudi Citizen Database
  • Category: Data Leak 1
  • Content: The threat actor claims to be selling a vast dataset containing millions of Saudi citizen records. The leaked data allegedly includes full names, birth dates, genders, contact numbers, job titles, educational backgrounds, and detailed social media handles (LinkedIn, Twitter, Facebook), along with street addresses and geographic details. 1
  • Date: 2025-07-26T13:52:36Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-%F0%9F%94%A5-FOR-SALE-Massive-Saudi-Citizens-Data-Leak-%F0%9F%87%B8%F0%9F%87%A6%F0%9F%A7%BE-Millions-of-Profiles-%E2%80%93-10-ONL) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/b50949a9-2b40-4888-8be2-1bf0d7186129.png 1
  • Threat Actors: Hider__Nex 1
  • Victim Country: Saudi Arabia 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  7. Alleged Sale of 9 Million Romanian Citizens’ Data
  • Category: Data Leak 1
  • Content: The threat actor claims to be selling a 580.7MB dataset containing personal details of 9 million Romanian citizens, spanning all major cities including Bucharest, Craiova, Cluj, and Galati. The compromised data includes full names, street-level addresses (with building, floor, and apartment numbers), and phone numbers. 1
  • Date: 2025-07-26T13:52:26Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-9-Million-Romanian-People) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/8a85a2d6-b3d7-4cb0-8e9e-fd7464800a6c.png 1
  • Threat Actors: technology 1
  • Victim Country: Romania 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  8. Alleged data breach of OLX Ukraine
  • Category: Data Breach 1
  • Content: The group claims to have obtained more than thousands of user accounts from the organization. 1
  • Date: 2025-07-26T13:50:48Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/usersecc/386) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/09160aa9-908b-4c9e-a4c6-55e88f2537ad.png 1
  • Threat Actors: UserSec 1
  • Victim Country: Ukraine 1
  • Victim Industry: Social Media & Online Social Networking 1
  • Victim Organization: olx ukraine 1
  • Victim Site: olx.ua 1
  9. Alleged data breach of Chaiyaphum Primary Education Area Office District 3
  • Category: Data Breach 1
  • Content: The group claims to have obtained the organization’s data. 1
  • Date: 2025-07-26T13:25:51Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/nxbbsec/1531) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/6ee2a58a-fb5f-4002-8ada-853df567c9ec.png 1
  • Threat Actors: NXBB.SEC 1
  • Victim Country: Thailand 1
  • Victim Industry: Government Administration 1
  • Victim Organization: chaiyaphum primary education area office district 3 1
  • Victim Site: chaiyaphum3.go.th 1
  10. Alleged sale of admin access to Compromised U.S.-Based Server
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling lifetime access to a compromised Microsoft Windows Server 2022 Standard located in the USA, offering full administrative control via RDP and SSH. The server boasts 16 AMD64 processors, 64 GB RAM, and 800 GB SSD storage. 1
  • Date: 2025-07-26T12:44:38Z 1
  • Network: tor 1
  • Published URL: (http://breached26tezcofqla4adzyn22notfqwcac7gpbrleg4usehljwkgqd.onion/Thread-RDP-Lifetime-Access-to-Server-%D0%9F%D0%BE%D0%B6%D0%B8%D0%B7%D0%BD%D0%B5%D0%BD%D0%BD%D1%8B%D0%B9-%D0%B4%D0%BE%D1%81%D1%82%D1%83%D0%BF-%D0%BA-%D1%81%D0%B5%D1%80%D0%B2%D0%B5%D1%80%D1%83) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/792c7ffa-6da9-41ef-a937-c3549ddb9832.png 1
  • Threat Actors: Kobal 1
  • Victim Country: USA 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  11. Alleged Leak of Sa Kaeo Primary Educational Service Area Office 1
  • Category: Data Breach 1
  • Content: The group claims to have leaked usernames and passwords from Sa Kaeo Primary Educational Service Area Office 1 in Thailand. 1
  • Date: 2025-07-26T12:10:30Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/nxbbsec/1523) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/0338f076-b227-4b6e-b609-67edb99b90d3.JPG 1
  • Threat Actors: NXBB.SEC 1
  • Victim Country: Thailand 1
  • Victim Industry: Education 1
  • Victim Organization: sa kaeo primary educational service area office 1 1
  • Victim Site: sk1edu.go.th 1
  12. Alleged data sale of Bybit
  • Category: Data Leak 1
  • Content: The threat actor claims to be selling a full SQL database allegedly leaked from Bybit, containing data on over 27 million users. The dataset includes user information, transaction records, and other sensitive details. 1
  • Date: 2025-07-26T12:00:31Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-BYBIT-USER-LEAK-27M-USERS-FULL-SQL) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/5ef32c14-b2b8-4c24-af5a-d3fdd36cce38.png 1
    https://d34iuop8pidsy8.cloudfront.net/acf24447-9d74-4e21-ac27-5568745d1042.png 1
  • Threat Actors: nigxs 1
  • Victim Country: UAE 1
  • Victim Industry: Financial Services 1
  • Victim Organization: bybit 1
  • Victim Site: bybit.com 1
  13. Alleged data sale of YPBM (Yayasan Pendidikan Budi Mulia)
  • Category: Data Breach 1
  • Content: The threat actor claims to be selling a 1.27MB SQL database from YPBM (Yayasan Pendidikan Budi Mulia). The compromised data contains over 3,000 student registration records, including student and guardian names, contact numbers, previous school details, birthdates, enrollment IDs, and religion information. 1
  • Date: 2025-07-26T11:46:38Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-Selling-center-b-%F0%9F%87%AE%F0%9F%87%A9-Indonesia-YPBM-Yayasan-Pendidikan-Budi-Mulia-%E2%80%94-Student-Breach) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/63a791ce-739e-4174-b9a6-2208b54c3bf8.png 1
    https://d34iuop8pidsy8.cloudfront.net/cfcc9441-beca-4933-b90b-00890bc4cc75.png 1
  • Threat Actors: lCap0ne 1
  • Victim Country: Indonesia 1
  • Victim Industry: Education 1
  • Victim Organization: ypbm (yayasan pendidikan budi mulia) 1
  • Victim Site: bmdunia.sch.id 1
  14. NXBB.SEC claims to target Thailand
  • Category: Alert 1
  • Content: A recent post by the group indicates that they are targeting Thailand. 1
  • Date: 2025-07-26T11:37:40Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/nxbbsec/1518) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/1a19f3f8-13d4-402d-aa57-2a3e9acff07d.JPG 1
  • Threat Actors: NXBB.SEC 1
  • Victim Country: Thailand 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  15. Alleged data breach of Ministry of Public Health Thailand
  • Category: Data Breach 1
  • Content: The threat actor claims to have obtained 1.2 TB of the organization’s data, including internal health policy documents, vaccination and outbreak records, hospital communications, ministerial files, staff credentials, and budget-related materials, later alleging the data was permanently deleted from origin servers, rendering critical systems non-functional and irrecoverable. 1
  • Date: 2025-07-26T10:25:25Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/We_H3c4kedz1/321) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/ae93c25d-c87e-40b4-bd38-d66760e07769.png 1
  • Threat Actors: H3C4KEDZ 1
  • Victim Country: Thailand 1
  • Victim Industry: Government Administration 1
  • Victim Organization: ministry of public health (moph) 1
  • Victim Site: moph.go.th 1
  16. Alleged Sale of iOS RCE 0-Day Exploit
  • Category: Malware 1
  • Content: The threat actor claims to be selling a powerful iOS remote code execution (RCE) 0-day exploit that works via 1Click or ZeroClick vectors, granting full root access to iPhones running iOS 18.5 and future iOS 18 updates. 1
  • Date: 2025-07-26T10:18:32Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-Selling-Selling-iOS-RCE-Exploit-0day) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/835dfb93-8b9e-4459-8108-f496f2db79a2.png 1
  • Threat Actors: Bucad 1
  • Victim Country: Unknown 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  17. Alleged Sale of AWS S3 Access Targeting Casino and Betting Platforms
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling administrative access to Amazon AWS S3 storage buckets used by multiple entities in the casino and online betting industry. The access allegedly allows full control – including uploading, deleting, and replacing files within the cloud infrastructure. 1
  • Date: 2025-07-26T10:13:28Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263118/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/fbceab56-087f-4180-9d8a-c16e1b0af506.PNG 1
  • Threat Actors: cobenotow 1
  • Victim Country: Unknown 1
  • Victim Industry: Gambling & Casinos 1
  • Victim Organization: umbet88.net 1
  • Victim Site: umbet88.net 1
  18. Alleged RDWeb Access to Canadian Industrial Machinery Firm
  • Category: Initial Access 1
  • Content: The threat actor claims to be offering remote desktop access to a network in Canada, associated with the industrial machinery and equipment sector. The access reportedly comes with Domain User privileges, although OS and security solution details were not disclosed. 1
  • Date: 2025-07-26T10:05:45Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263119/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/4984d291-3157-4cea-9e5a-5743cdf67688.PNG 1
  • Threat Actors: Faramir 1
  • Victim Country: Canada 1
  • Victim Industry: Machinery 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  19. Alleged Network Access to French Marine Manufacturer
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling access to a system in France belonging to a boats and submarines manufacturer. The remote desktop environment is running Windows Server 2012 R2 and is said to be protected by Bitdefender Endpoint. 1
  • Date: 2025-07-26T10:04:06Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263119/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/be648386-6a24-475f-a3c6-a809dcc065a3.PNG 1
  • Threat Actors: Faramir 1
  • Victim Country: France 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  20. Alleged leak of 1.7 Billion Indian SIM and Aadhaar Records
  • Category: Data Leak 1
  • Content: A threat actor claims to have leaked a database containing 1.7 billion Indian SIM and Aadhaar-linked records. The leaked data allegedly includes names, addresses, Aadhaar numbers, emails, phone numbers, and dates of birth. 1
  • Date: 2025-07-26T10:01:59Z 1
  • Network: openweb 1
  • Published URL: (https://leakbase.la/threads/1-7-billion-indian-sim-database-leaked-2025-icmr-indian-aadhar-card-database-hi-tech-syndicate.40788/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/bef5fa1d-e9a0-4a76-add1-3c1e338ae649.png 1
  • Threat Actors: CyWar 1
  • Victim Country: India 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  21. Alleged Remote Access Offered to French GM Sector Entity
  • Category: Initial Access 1
  • Content: The threat actor claims to be offering RDWeb access to a network based in France, operating in the GM sector (likely “General Management” or Government). The access is said to come with Domain User rights and is protected by Bitdefender Endpoint. 1
  • Date: 2025-07-26T09:54:58Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263119/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/724e5e53-ce00-4bfe-854f-05d1b2a1dfd2.PNG 1
  • Threat Actors: Faramir 1
  • Victim Country: France 1
  • Victim Industry: Government Relations 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  22. Alleged RDWeb Access Sale – Accounting Services Firm in France
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling remote desktop (RDWeb) access to a system located in France, belonging to an Accounting Services firm. The access is said to offer Domain User privileges and runs on Windows Server 2019. 1
  • Date: 2025-07-26T09:53:24Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263119/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/5c58bbd1-6c94-422d-b2d0-4f84db8bcfd9.PNG 1
  • Threat Actors: Faramir 1
  • Victim Country: France 1
  • Victim Industry: Accounting 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1

Incidents 18, 19, 21, and 22, all attributed to “Faramir” and sharing the same published URL, collectively highlight the active market for initial access within the cybercriminal ecosystem. These entries demonstrate that gaining initial access, such as RDWeb access or network access, is a distinct and valuable commodity. This specialization within the cybercriminal supply chain allows actors to focus solely on breaching networks, subsequently selling that access to other actors who may then pursue data exfiltration, ransomware deployment, or other malicious activities. This division of labor lowers the barrier for less skilled criminals to execute complex attacks, underscoring the critical importance of preventing initial footholds for effective cybersecurity defense.

  23. Alleged Sale of AWS S3 Access Related to Kudos Technology Pty Ltd
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling administrative-level access to an Amazon AWS S3 bucket associated with the organization Kudos Technology Pty Ltd. The actor states that this access allows for full control – including uploading, deleting, and replacing files within the compromised storage. 1
  • Date: 2025-07-26T09:38:26Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263117/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/0026c32f-4b97-4c16-a2f6-bd31d900ea52.PNG 1
  • Threat Actors: cobenotow 1
  • Victim Country: Canada 1
  • Victim Industry: Financial Services 1
  • Victim Organization: kudos technology pty ltd 1
  • Victim Site: kudostech.com.au 1
  24. Alleged AWS S3 Admin Access Sale – Upswell Marketing
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling administrative access to an AWS S3 bucket allegedly linked to Upswell Marketing, a U.S.-based digital marketing firm serving dental clinics. The listing states that the access includes the ability to upload, delete, and replace files within the storage system. 1
  • Date: 2025-07-26T09:28:06Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263116/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/57cb18fc-081f-4fd2-9b12-31410f0d2fac.PNG 1
  • Threat Actors: cobenotow 1
  • Victim Country: USA 1
  • Victim Industry: Marketing, Advertising & Sales 1
  • Victim Organization: upswell marketing 1
  • Victim Site: upswellmarketing.com 1

Incidents 17, 23, and 24, all attributed to “cobenotow” and concerning AWS S3 access, highlight a specific type of initial access being traded in the cybercriminal underground. These entries demonstrate that gaining administrative control over cloud storage buckets is a valuable commodity, allowing threat actors to manipulate or exfiltrate data stored in the cloud. This trend underscores the importance of securing cloud configurations and access management, as compromised cloud environments can lead to significant data breaches and operational disruptions.

  25. Alleged data Leak of Tea App including Selfies and IDs
  • Category: Data Breach 1
  • Content: The threat actor claims that a database tied to the Tea App has been leaked, reportedly exposing approximately 55 GB of personal user data, including selfies and identification documents (IDs). The data was allegedly scraped from a public database. The post also mentions unverified rumors of an additional folder containing 70–120 GB of similar data. 1
  • Date: 2025-07-26T09:25:35Z 1
  • Network: openweb 1
  • Published URL: (https://forum.exploit.in/topic/263115/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/5dc4c702-fb9b-4c99-a87c-493a65a0ed43.PNG 1
  • Threat Actors: thebitty 1
  • Victim Country: USA 1
  • Victim Industry: Social Media & Online Social Networking 1
  • Victim Organization: tea app 1
  • Victim Site: teaforwomen.com 1
  26. Alleged data breach of Directorate of Monitoring Pakistan
  • Category: Data Breach 1
  • Content: The threat actor claims to have obtained the organization’s data, including information related to call centers, prisons, public complaints, and disaster management systems. 1
  • Date: 2025-07-26T09:21:12Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/c/2362414795/17772) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/7dd3f594-2ed5-4efd-95bd-956bc31dd952.png 1
  • Threat Actors: THE NIGHT HUNTERS 1
  • Victim Country: Pakistan 1
  • Victim Industry: Government Administration 1
  • Victim Organization: directorate of monitoring – home department, government of punjab 1
  • Victim Site: dm-hd.gop.pk 1
  27. Alleged data breach of Ministry of Corporate Affairs
  • Category: Data Breach 1
  • Content: The threat actor claims to have leaked a database allegedly sourced from India’s Ministry of Corporate Affairs (MCA), containing 1.9 million corporate records. The 2.5GB dataset includes detailed information such as Corporate Identification Numbers (CIN), company names, categories, statuses, dates of registration, registered office addresses, email IDs, authorized and paid-up capital, principal business activities, and statutory filing details. 1
  • Date: 2025-07-26T06:27:03Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-1-9-2-5GB-Million-Indian-MCA-DATABASE) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/f2577bba-90b2-4998-a27c-3bf48ec0d512.png 1
  • Threat Actors: DigitalGhostt 1
  • Victim Country: India 1
  • Victim Industry: Government Administration 1
  • Victim Organization: ministry of corporate affairs 1
  • Victim Site: mca.gov.in 1
  28. GARUDA ERROR SYSTEM targets the website of OS CLiCKS Ltd
  • Category: Defacement 1
  • Content: The threat actor claims to have defaced the website of OS CLiCKS Ltd. 1
  • Date: 2025-07-26T05:34:14Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/c/2008069971/4314) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/96815b93-a741-450f-9138-3e79665de47e.jpg 1
    https://d34iuop8pidsy8.cloudfront.net/4ee81506-122f-4307-92b8-756af7d662cc.jpg 1
  • Threat Actors: GARUDA ERROR SYSTEM 1
  • Victim Country: Bangladesh 1
  • Victim Industry: Software Development 1
  • Victim Organization: os clicks ltd 1
  • Victim Site: osclicks.com 1
  29. Alleged data leak of Online Legal Consultation Users Database
  • Category: Data Leak 1
  • Content: The threat actor claims to have leaked the Online Legal Consultation Users Database. 1
  • Date: 2025-07-26T05:08:23Z 1
  • Network: openweb 1
  • Published URL: (https://leakbase.la/threads/online-legal-consultation-users-database.40782/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/2fe0ccf4-7592-4bfa-816e-d59a89e0da6b.jpg 1
  • Threat Actors: sicatar245 1
  • Victim Country: Unknown 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  30. Alleged data leak of Maldives Phone Number Data
  • Category: Data Leak 1
  • Content: The threat actor claims to have leaked the Maldives Phone Number Data. 1
  • Date: 2025-07-26T05:05:28Z 1
  • Network: openweb 1
  • Published URL: (https://leakbase.la/threads/maldives-phone-number-data.40783/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/e1c09b37-0127-49a9-b65b-cc730ebffc2b.jpg 1
  • Threat Actors: potova3920 1
  • Victim Country: Maldives 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  31. Alleged data leak of Netherlands Hotmail Email Database
  • Category: Data Leak 1
  • Content: The threat actor claims to have leaked the Netherlands Hotmail email database. 1
  • Date: 2025-07-26T05:00:43Z 1
  • Network: openweb 1
  • Published URL: (https://leakbase.la/threads/netherlands-hotmail-email-database.40784/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/3079dd3a-99d0-43fa-be0b-8f3608fdb440.jpg 1
  • Threat Actors: rofoy2984lu 1
  • Victim Country: Netherlands 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  32. Alleged data leak of Lebanon Phone Database
  • Category: Data Leak 1
  • Content: The threat actor claims to have leaked the Lebanon Phone Database. 1
  • Date: 2025-07-26T04:56:44Z 1
  • Network: openweb 1
  • Published URL: (https://leakbase.la/threads/lebanon-phone-database.40785/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/1a0ed1ad-d38e-41ba-8f23-34e00aa64176.jpg 1
  • Threat Actors: bowera6262 1
  • Victim Country: Lebanon 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  33. Alleged data breach of Vehicle Emissions Control (VEC)
  • Category: Data Breach 1
  • Content: The threat actor claims to have breached the official website of Vehicle Emissions Control (VEC) Mexico, a private company based in Mexico City that provides vehicle emissions testing and certification services. The compromised data reportedly includes over 38,000 PDF records. 1
  • Date: 2025-07-26T03:18:26Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-Selling-Official-Website-of-Vehicle-Emissions-Control-VEC-Mexico-Breach) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/ef2b4952-b0df-419b-9118-49bf429eb6ee.png 1
  • Threat Actors: Kazu 1
  • Victim Country: Mexico 1
  • Victim Industry: Automotive 1
  • Victim Organization: vehicle emissions control (vec) 1
  • Victim Site: vec.emissions.mx 1
  34. Alleged data breach of AdultFriendFinder
  • Category: Data Breach 1
  • Content: The threat actor claims to have leaked the 2016 database of AdultFriendFinder.com, a dating platform, containing compromised user data. The exposed information includes email addresses, passwords, spoken languages, and usernames. 1
  • Date: 2025-07-26T02:28:40Z 1
  • Network: tor 1
  • Published URL: (http://xssforum7mmh3n56inuf2h73hvhnzobi7h2ytb3gvklrfqm7ut3xdnyd.onion/threads/142501/) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/0532c484-968a-42d5-b465-32db9ff483f7.png 1
    https://d34iuop8pidsy8.cloudfront.net/eef608f8-1893-4f43-a966-bc2c1a336a0f.png 1
  • Threat Actors: bemka 1
  • Victim Country: USA 1
  • Victim Industry: Social Media & Online Social Networking 1
  • Victim Organization: adultfriendfinder 1
  • Victim Site: adultfriendfinder.com 1
  35. Alleged unauthorized access to an unidentified organization in Italy
  • Category: Initial Access 1
  • Content: The threat actor claims to be selling unauthorized access to an unidentified organization in Italy. 1
  • Date: 2025-07-26T02:05:13Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/n2LP_wVf79c2YzM0/719) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/69d549bd-0139-46d9-bedc-3dd42e550b30.jpg 1
  • Threat Actors: Infrastructure Destruction Squad 1
  • Victim Country: Italy 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1
  36. Alleged data breach of Municipio de Querétaro
  • Category: Data Breach 1
  • Content: The threat actor claims to be selling the official website of the Municipio de Querétaro (municipiodequeretaro.gob.mx), the local government portal for Santiago de Querétaro in Mexico. The actor alleges exfiltration of data belonging to 26,509 users from the municipal platform, which provides services such as permits, payments, civil records, and employment listings. 1
  • Date: 2025-07-26T01:50:19Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-Selling-official-Website-of-the-Municipality-of-Quer%C3%A9taro-Brach-municipiodequeretaro-gob-mx) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/c9dbc581-bcf9-4965-9592-82168482902d.png 1
    https://d34iuop8pidsy8.cloudfront.net/73d80ea8-0774-4a26-a871-a2b7aa599b4b.png 1
  • Threat Actors: Kazu 1
  • Victim Country: Mexico 1
  • Victim Industry: Government Administration 1
  • Victim Organization: municipio de querétaro 1
  • Victim Site: municipiodequeretaro.gob.mx 1
  37. Alleged data breach of New Valley University
  • Category: Data Breach 1
  • Content: The group claims to have breached the data of New Valley University (nvu.edu.eg), the official website of the public university located in Kharga Oasis, New Valley Governorate, Egypt. The compromised data includes user information, email addresses, gender, phone numbers, first and last names, birthdates, and addresses. 1
  • Date: 2025-07-26T01:02:39Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/ruskinet/118) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/fe4a706c-461c-4094-b970-10b26634c548.png 1
  • Threat Actors: RuskiNet 1
  • Victim Country: Egypt 1
  • Victim Industry: Education 1
  • Victim Organization: new valley university 1
  • Victim Site: nvu.edu.eg 1
  38. Alleged data breach of Dakahlia Drinking Water and Wastewater
  • Category: Data Breach 1
  • Content: A threat actor claims to have breached dkwasc.com.eg, the official website of the Dakahlia Drinking Water and Sanitation Company in Egypt. The compromised data allegedly includes national IDs, names, phone numbers, colleges, villages, city names, emails, and more. 1
  • Date: 2025-07-26T00:59:12Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/ruskinet/120) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/50041eb4-1a39-4a03-9715-d1f769df8b14.png 1
  • Threat Actors: RuskiNet 1
  • Victim Country: Egypt 1
  • Victim Industry: Energy & Utilities 1
  • Victim Organization: dakahlia drinking water and wastewater 1
  • Victim Site: dkwasc.com.eg 1
  39. Alleged data breach of Dakahlia Drinking Water and Wastewater (Duplicate Entry)
  • Category: Data Breach 1
  • Content: A threat actor claims to have breached dkwasc.com.eg, the official website of the Dakahlia Drinking Water and Sanitation Company in Egypt. The compromised data allegedly includes national IDs, names, phone numbers, colleges, villages, city names, emails, and more. 1
  • Date: 2025-07-26T00:54:45Z 1
  • Network: telegram 1
  • Published URL: (https://t.me/ruskinet/120) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/50041eb4-1a39-4a03-9715-d1f769df8b14.png 1
  • Threat Actors: RuskiNet 1
  • Victim Country: Egypt 1
  • Victim Industry: Energy & Utilities 1
  • Victim Organization: dakahlia company for drinking water and wastewater 1
  • Victim Site: dkwasc.com.eg 1
  40. Alleged data leak of active American credit card details with user selfie photos
  • Category: Data Leak 1
  • Content: The threat actor claims to be selling active American credit card data allegedly extracted from hotel systems. The actor states that the leak includes images of credit cards, linked user selfie photos, card details in PDF format, and complete reservation documents containing full user information. 1
  • Date: 2025-07-26T00:52:31Z 1
  • Network: openweb 1
  • Published URL: (https://darkforums.st/Thread-Selling-ACTIVE-CREDIT-CARD-WITH-FULL-INFORMATION-LINKED-USER-SELFIE-PHOTOS) 1
  • Screenshots:
    https://d34iuop8pidsy8.cloudfront.net/1e071fa5-b5ed-4703-9b8a-4bcbdb67fd1c.png 1
  • Threat Actors: SuperNOVA 1
  • Victim Country: USA 1
  • Victim Industry: Unknown 1
  • Victim Organization: Unknown 1
  • Victim Site: Unknown 1

Conclusion

The incidents detailed in this report highlight a diverse and active landscape of cyber threats. Data breaches and leaks are prominent, affecting various sectors from government administration, education, and financial services to social media, marketing, and automotive, and impacting countries including Thailand, USA, Saudi Arabia, Romania, Ukraine, Indonesia, UAE, Canada, France, India, Pakistan, Bangladesh, Maldives, Netherlands, Lebanon, Mexico, Italy, and Egypt.1 The compromised data ranges from personal user information, credit card details with selfies, and phone numbers to sensitive government records, corporate data, large customer databases (e.g., 27 million Bybit users, 9 million Romanian citizens), and even highly sensitive national SIM and Aadhaar records (1.7 billion in India).1 This prevalence of data exfiltration and initial access sales as primary threat actor objectives is a consistent pattern observed throughout the reported events, confirming that these are persistent and significant threat vectors.

Beyond data compromise, the report also reveals significant activity in initial access sales, with threat actors offering unauthorized access to government systems (e.g., Thai bureaus, Great Lakes Water Authority, Mexican municipality), compromised servers (e.g., US-based Windows Server), cloud storage (AWS S3 buckets targeting casino/betting, tech, and marketing firms), and corporate networks (including RDWeb access to Canadian and French firms).1 The sale of malware, such as an iOS RCE 0-Day Exploit, and website defacements further underscore the availability and diversity of offensive capabilities in the cyber underground.1 The synthesis of these individual data points into observable trends provides a higher-level understanding of the current threat landscape, indicating where threat actors are presently concentrating their efforts and what types of illicit commodities are most actively traded.

The incidents collectively demonstrate that organizations across various industries and geographies face persistent threats from data exfiltration, unauthorized network access, and the proliferation of malicious tools. The nature of these incidents emphasizes the critical importance of robust cybersecurity measures, including strong access controls, data protection strategies, continuous vulnerability management, and proactive threat intelligence to defend against a wide array of sophisticated and opportunistic attacks.1 This understanding translates raw intelligence into strategic guidance, indicating that the purpose of collecting and reporting these incidents is not merely for awareness but to inform and drive improvements in defensive posture. The specific measures highlighted are directly responsive to the types of incidents detailed, underscoring the continuous, evolving nature of cyber threats and the necessity for a multi-faceted and proactive defense strategy.