[June-02-2025] Daily Cybersecurity Threat Report

I. Executive Summary

This report provides a comprehensive overview of significant cybersecurity incidents observed within the last 24 hours, alongside an in-depth analysis of the associated threat actors and prevailing trends. The current threat landscape is characterized by a complex interplay of evolving attack methodologies and diversifying threat actor motivations.

Over the reporting period, several critical incidents have emerged, ranging from politically motivated data exfiltrations targeting national institutions to sophisticated ransomware campaigns impacting critical infrastructure and corporate entities. A prominent trend is the increasing convergence of financially motivated cybercrime with ideologically driven hacktivism, as numerous groups adopt hybrid strategies to achieve their objectives. This includes established groups pivoting to new monetization models and the integration of advanced technologies like Artificial Intelligence (AI) into attack operations. Furthermore, critical infrastructure continues to be a primary target for geopolitically motivated actors, highlighting a strategic shift in cyber warfare. Despite the increasing sophistication of these threats, fundamental attack vectors such as compromised software supply chains and stolen employee credentials remain highly effective initial access points for malicious actors.

II. Daily Incident Log and Analysis

This section details the cybersecurity incidents identified and analyzed within the last 24 hours. Each entry provides a summary of the breach, identifies the associated threat actor(s), and includes direct links to published reports and visual evidence.

Incident Summary Table

This table offers a high-level overview of the reported incidents, facilitating rapid understanding and prioritization within the dynamic threat landscape.

Incident Title | Victim Organization | Date Reported (Approx.) | Primary Threat Actor(s) | Attack Type | Key Impact
--- | --- | --- | --- | --- | ---
CNSS Data Leak | National Social Security Fund of Morocco (CNSS) | April 8, 2025 | Jabaroot | Data Exfiltration, Defacement | Exposure of 2M employee records, 450k company records; political retaliation
Krispy Kreme Breach | Krispy Kreme | Dec 11, 2024 (Disclosed) | Play Ransomware Group | Ransomware, Data Exfiltration | Operational disruption, theft of sensitive corporate/personal data
Ahmadiyya Data Breach | Ahmadiyya (ahmadiyya.ca) | March 24, 2025 | Ransomhub | Data Exfiltration, Ransomware | Leak of 332GB of organizational data
Procolored Software Infection | Procolored (Printer Software) | May 2025 | Unknown (Financially Motivated) | Supply Chain Attack, Malware Distribution | Distribution of backdoor/stealer malware, financial gain for actor
Telefónica System Breach | Telefónica | Jan 9, 2025 (Compromised) | Hellcat Ransomware (Grep, Pryx, Rey) | Data Exfiltration, Credential Exploitation | Leak of 2.3 GB internal data, compromised ticketing system

Incident 1: National Social Security Fund of Morocco (CNSS) Data Leak

On April 8, 2025, the threat actor known as Jabaroot publicly disclosed confidential data extracted from the National Social Security Fund of Morocco (CNSS) on BreachForums.1 This significant breach involved over 53,000 files, containing detailed records of nearly half a million companies and approximately 2 million employees. The exposed data included sensitive information such as company affiliations, employee identification numbers, salaries, and contact details, much of which was reportedly exposed in clear text on compromised servers.1

This incident exemplifies how cyberattacks are directly leveraged as tools for geopolitical retaliation. Jabaroot explicitly stated that the attack was a “political response” and “in retaliation for an earlier attack on the X (formerly Twitter) account of Algerian Press Service”.1 That previous incident, attributed to Moroccan-affiliated threat actors, involved renaming the account to “Sahara Marocain,” a direct reference to the long-standing geopolitical dispute between Morocco and Algeria over the Western Sahara region.1 The subsequent sharing of a screenshot purportedly showing a defacement on the Moroccan Ministry of Labor’s website by Jabaroot further underscored this as part of a broader cyber campaign aimed at responding to incidents carried out by Moroccan hacking groups against Algerian institutions.1 This chain of events demonstrates that real-world political and territorial tensions can directly translate into cyber warfare, where data leaks and defacements serve as public statements and acts of aggression. Organizations, particularly government entities or those in critical sectors within regions marked by ongoing political disputes, face an elevated risk of becoming direct targets for politically motivated cyberattacks, serving as proxies or platforms for broader conflicts.

Incident 2: Krispy Kreme Operational Disruptions and Data Theft

The U.S. doughnut chain Krispy Kreme disclosed a cyberattack on December 11, 2024, stemming from unauthorized activity detected on its information technology systems on November 29, 2024. This incident led to operational disruptions, particularly affecting the company’s online ordering system.2 The Play Ransomware group, also known as PlayCrypt, subsequently claimed responsibility for the breach on December 19, 2024.2 The group asserted that it had stolen sensitive data, including IDs, client documents, payroll information, financial and budgeting data, accounting records, tax-related information, and other private and personal confidential data, threatening its public release.2

This event highlights the dual impact of modern ransomware operations, which extend beyond mere system encryption to encompass significant data exfiltration. The Play Ransomware group’s use of a “double-extortion model” maximizes pressure on victims, as they face not only the immediate operational disruption caused by encrypted systems but also the potential for public disclosure of highly sensitive information.2 The financial implications of disrupted digital orders, which represent a substantial portion of Krispy Kreme’s sales, underscore the critical nature of maintaining operational integrity in the face of such attacks.2

A particularly concerning aspect of this incident is the reported collaboration between Play Ransomware and “North Korean government-backed hackers,” as described in October 2024.3 This nexus suggests that seemingly criminal acts of ransomware could serve broader state objectives, such as funding illicit programs or conducting disruptive operations under the guise of cybercrime. State actors leveraging cybercriminal infrastructure complicates traditional threat modeling, as the capabilities and motivations of these groups are amplified by state resources. Consequently, governments and private sector entities must recognize that ransomware attacks may no longer be purely criminal endeavors but could be proxies for state-sponsored activities, necessitating a more integrated national cybersecurity defense that considers geopolitical contexts and potential state-level responses.

Incident 3: Ahmadiyya Data Breach

On March 24, 2025, the Ahmadiyya religious organization (ahmadiyya.ca) experienced a significant data breach, with 332GB of its data leaked by the Ransomhub threat actor.4

This incident illustrates the expanding scope of ransomware targets to include non-traditional sectors. While Ransomhub is a prominent Ransomware-as-a-Service (RaaS) group known for targeting “high-value organizations” across various industries 5, their compromise of a religious organization like Ahmadiyya demonstrates that even non-profit or community-based entities can become attractive targets. These organizations often handle sensitive personal data but may possess fewer cybersecurity resources compared to large corporations, making them vulnerable to financially motivated groups.6 The widespread nature of Ransomhub’s victims indicates that their attacks are often opportunistic rather than strictly industry-specific.6 This underscores the critical need for cybersecurity awareness and protective measures to extend beyond conventional corporate and governmental sectors, encompassing all organizations that manage sensitive data, irrespective of their perceived financial stature or industry.

Incident 4: Procolored Printer Software Infection (Supply Chain Attack)

In May 2025, it was discovered that software downloads for various Procolored printer products, including models like F13 and F13 Pro, were infected with malicious software.7 The malware identified included Win32.Backdoor.XRedRAT.A and MSIL.Trojan-Stealer.CoinStealer.H.7 Investigations suggest that the infection likely originated from a compromise of a developer’s system or the build servers, indicating a classic supply chain attack.7 This malicious activity resulted in approximately $100,000 in Bitcoin for the threat actor.7

This incident highlights the pervasive nature and profitability of software supply chain attacks, even when deploying commodity malware. The compromise of seemingly innocuous software, such as printer drivers, demonstrates how easily a trusted distribution channel can be weaponized. The fact that standard malware like XRedRAT and CoinStealer, which offer capabilities such as keylogging, file downloads, screenshots, and remote shell access, could yield a significant financial gain of $100,000, indicates the high effectiveness and profitability of this attack vector.7 The initial point of compromise within the “developer’s system or the build servers” points to a critical vulnerability within the software development lifecycle itself.7 This situation necessitates that organizations implement stringent security measures throughout their software development and distribution pipelines. Consumers and businesses must exercise extreme caution when downloading and installing any software, diligently verifying sources, and utilizing robust endpoint security solutions to mitigate these risks.
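The verification step the paragraph above calls for is worth showing concretely. The following is an added example, not Procolored's software or any vendor's release tooling: the vendor computes a SHA-256 manifest at release time and publishes it over a channel the download mirror cannot rewrite, and the consumer checks every downloaded file against that manifest before installing, failing closed on anything unlisted. File names, file bytes and the manifest are constructed for illustration.

```python
"""Integrity check for a downloaded software artifact against a pinned digest.

Added example, not Procolored's or any vendor's code. File names, bytes and
the manifest are constructed for illustration.
"""
import hashlib
import hmac
import io
from typing import BinaryIO

CHUNK_SIZE = 64 * 1024  # hash incrementally so large installers are never read whole


def sha256_stream(fp: BinaryIO) -> str:
    """Hex SHA-256 of a file-like object, read in chunks."""
    digest = hashlib.sha256()
    for block in iter(lambda: fp.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def publish_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Vendor side, at release time: artifact name -> SHA-256 for every shipped file.

    The manifest must travel over a channel the download host cannot rewrite
    (signed release notes, a separate domain, a package index). If a compromised
    build server publishes both the binary and its hash, the check proves nothing.
    """
    return {name: sha256_stream(io.BytesIO(data)) for name, data in artifacts.items()}


def verify_download(name: str, fp: BinaryIO, manifest: dict[str, str]) -> bool:
    """Consumer side: accept the file only if its digest equals the pinned one.

    Fails closed: a file with no manifest entry is rejected rather than trusted.
    hmac.compare_digest avoids an early-exit string comparison.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_stream(fp), expected)


def verify_bytes(name: str, data: bytes, manifest: dict[str, str]) -> bool:
    """Convenience wrapper for in-memory data (e.g. a download buffered in a test)."""
    return verify_download(name, io.BytesIO(data), manifest)


if __name__ == "__main__":
    # Constructed stand-ins: a clean installer and the same file with a trailing
    # payload appended, as a build-server compromise might produce.
    clean = b"MZ" + b"\x00" * 62 + b"PrinterSetup placeholder body"
    tampered = clean + b"\x90" * 16
    manifest = publish_manifest({"PrinterSetup.exe": clean})
    print("clean    :", verify_bytes("PrinterSetup.exe", clean, manifest))
    print("tampered :", verify_bytes("PrinterSetup.exe", tampered, manifest))
    print("unlisted :", verify_bytes("Driver.exe", clean, manifest))
```

A digest check only moves the trust question to the manifest; pairing it with a code-signing check (Authenticode on Windows, or a detached signature on the manifest itself) is what makes the hash meaningful when the download server is the thing that was compromised.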

Incident 5: Telefónica Internal Ticketing System Breach

On January 9, 2025, the Spanish telecommunications giant Telefónica confirmed unauthorized access to its internal ticketing system, leading to the leak of sensitive data on a hacking forum.8 The breach involved approximately 2.3 GB of data, including documents, tickets, and other internal information. While some tickets referenced customer-related data, they were linked to @telefonica.com email addresses, suggesting they were opened on behalf of customers rather than directly by customers.8 The compromise was attributed to four attackers identified by their aliases: DNA, Grep, Pryx, and Rey, with Pryx specifically stating that the system was compromised using stolen employee credentials.8

This incident underscores the critical importance of credential security in preventing both data breaches and subsequent ransomware attacks. The Hellcat Ransomware group, a newly launched entity, includes Grep, Pryx, and Rey among its members.8 Their involvement highlights that even sophisticated ransomware groups often rely on fundamental weaknesses in credential management for initial access. The severe consequences of compromised credentials, leading to data leaks and potential ransomware deployment, reinforce their status as a primary attack vector.8 Organizations must therefore prioritize robust credential hygiene: enforcing phishing-resistant multi-factor authentication (MFA), screening passwords against known-breached credential sets, resetting credentials when compromise is suspected rather than on a fixed schedule, and continuously monitoring for compromised accounts. Furthermore, endpoint security controls that block infostealer malware are essential to prevent the initial theft of these credentials.
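One of the controls listed above, screening passwords against known-breached credential sets, can be done without sending the password or even its full hash to a third party. The following added example (not Telefónica's code and not a vendor SDK) implements the k-anonymity range scheme used by the Pwned Passwords API: only the first five hex characters of the SHA-1 leave the client, and the suffix comparison happens locally. The breach corpus here is constructed; the real service answers the same `SUFFIX:COUNT` line format at `https://api.pwnedpasswords.com/range/<prefix>`.

```python
"""Compromised-credential screening with a k-anonymity range lookup.

Added example, not Telefónica's code or a vendor SDK. The breach corpus and the
sample passwords are constructed; the line format matches the Pwned Passwords
range endpoint so the lookup function can be swapped for an HTTP call.
"""
import hashlib
from typing import Callable


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix that is sent and the 35-char suffix that is not."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def build_local_range_db(breached_counts: dict[str, int]) -> dict[str, list[str]]:
    """Constructed stand-in for the remote range endpoint: prefix -> ['SUFFIX:COUNT', ...]."""
    db: dict[str, list[str]] = {}
    for pw, n in breached_counts.items():
        prefix, suffix = split_hash(pw)
        db.setdefault(prefix, []).append(f"{suffix}:{n}")
    return db


# Constructed breach corpus (the counts are made up for the example).
CONSTRUCTED_BREACH_DB = build_local_range_db({"Password123": 1234, "Summer2025!": 7})


def local_range_lookup(prefix: str) -> list[str]:
    """Stand-in for GET /range/<prefix>; returns every suffix sharing that prefix."""
    return CONSTRUCTED_BREACH_DB.get(prefix, [])


def pwned_count(password: str, range_lookup: Callable[[str], list[str]]) -> int:
    """How often the password appears in the corpus; 0 if unseen.

    The service learns five hex characters, i.e. which of ~1M buckets the hash
    falls in, and nothing about which entry in the bucket was of interest.
    """
    prefix, suffix = split_hash(password)
    for line in range_lookup(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def screen_password(password: str, range_lookup: Callable[[str], list[str]],
                    min_length: int = 12) -> list[str]:
    """Reasons to reject a proposed password; an empty list means it passes."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = pwned_count(password, range_lookup)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ("Password123", "Summer2025!", "correct horse battery staple 9!"):
        print(f"{candidate!r}: {screen_password(candidate, local_range_lookup) or 'ok'}")
```

The same function can run against the live endpoint by replacing `local_range_lookup` with a callable that fetches `/range/<prefix>` and splits the response on newlines; the prefix is the only thing that changes hands.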

III. In-Depth Threat Actor Intelligence

This section provides detailed profiles of the unique threat actors identified in today’s incident log, offering insights into their classifications, origins, methodologies (Tactics, Techniques, and Procedures – TTPs), historical activities, and underlying motivations. A thorough understanding of these profiles is crucial for developing targeted and effective defensive strategies.

Threat Actor TTPs Matrix

This matrix offers a structured and comparative view of the TTPs employed by various threat actors, enabling security teams to quickly identify common attack techniques, understand the sophistication of different groups, and prioritize defensive measures based on the most prevalent or impactful TTPs.

Threat Actor | Classification | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Discovery | Lateral Movement | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jabaroot | Hacktivist / State-Aligned | Server Compromise (implied) | Data Exfiltration, Web Defacement | Not specified | Not specified | Not specified | Not specified | Not specified | Data Leak (2M records), Website Defacement
Play Ransomware Group | RaaS / Cybercriminal (State-Affiliated) | Not explicitly detailed | Double Extortion (Encrypt + Exfiltrate) | Not specified | Not specified | Not specified | Not specified | Not specified | Operational Disruption, Data Theft, Ransom
Ransomhub | RaaS / Cybercriminal | Phishing, Spear-phishing, Password Spraying, Public-Facing App Exploitation (Zerologon, Citrix ADC), IABs | WMI, PowerShell, Malicious Scripts | Account Creation/Manipulation, Registry Modification | Vulnerability Exploitation, Mimikatz (LSASS) | Log Deletion, EDRKillShifter (BYOVD), Disable/Modify Security Tools | AngryIPScanner, Nmap, Network Service Discovery | RDP, AnyDesk, PsExec, Ngrok, Remmina, TailScale VPN, RMM tools | Data Encryption (Curve25519), VSS Deletion, Operational Disruption, Data Leak, Ransom
FunkSec (el_farado) | Ransomware / Cybercriminal (AI-centric, Hacktivist leanings) | Social Engineering, LOLBins, Leaked Credentials | Native APIs, PowerShell | Program Execution Hijacking | Process Injection | Disable/Modify Security Tools, Timestomping, File/Registry Modification | System/Network/Security Software/App Window/Registry Discovery | Not explicitly detailed | Data Encryption (.funksec), System Recovery Inhibition, Service Stoppage, Site Defacement, Data Leak, Ransom
RedCurl | Cybercriminal / Corporate Espionage (Ransomware Pivot) | Spear-phishing (HR lures, PDF/ISO attachments) | DLL Side-loading (ADNotificationManager.exe), Loader/Downloader | Scheduled Task | Access Escalation | Distraction Tactics (Indeed login), BYOVD (disable endpoint security) | Network Navigation, Intelligence Gathering | Lateral Movement | Corporate Espionage, Ransomware (QWCrypt), VM Disruption
Z-PENTEST ALLIANCE | State-Aligned Hacktivist / Critical Infrastructure Disruptor | OT System Penetration, Zero-Day Exploitation, Social Engineering | Manipulate OT Functions, Videos of Access | Not specified | Not specified | Not specified | Not specified | Not specified | Critical Infrastructure Disruption, Fear Instillation, Geopolitical Influence
CyberVolk | Hacktivist / RaaS (Techno-Nationalist) | Hybrid Attacks (DDoS + Ransomware) | Malware Deployment, Data Exfiltration | Not specified | Not specified | Not specified | Not specified | Not specified | Data Breaches, Website Defacing, DDoS, Ransomware (Flawed Encryption), Psychological Impact

Threat Actor Profile: Jabaroot

Classification: Jabaroot operates as a hacktivist, with clear characteristics of a state-aligned actor given its explicit political retaliation motives.1

Probable Origin & Known Affiliations: While a specific origin is not stated, Jabaroot’s actions are deeply rooted in the geopolitical tensions between Morocco and Algeria, suggesting an Algerian origin or strong alignment with Algerian interests.1 The group acts in response to “Moroccan hacking groups,” implying a broader, though unstated, network or alignment.1

Typical Methods & TTPs: Jabaroot’s modus operandi involves compromising servers to exfiltrate large volumes of sensitive data and defacing websites. The incident involving the CNSS data leak indicates capabilities for extensive data extraction, with data often exposed in clear text.1 Their actions also include web defacement, as evidenced by the screenshot purportedly showing the Moroccan Ministry of Labor’s website defaced.1

Past Activities & Notable Campaigns: The primary activities attributed to Jabaroot are the CNSS data leak on April 8, 2025, and the subsequent defacement of the Moroccan Ministry of Labor’s website.1 These actions were framed as direct retaliation for a prior cyberattack on the Algerian Press Service’s X (Twitter) account, which was attributed to Moroccan-affiliated actors.1

Motivations: Jabaroot’s motivations are overtly political and retaliatory. The group explicitly states its actions are a “political response” to ongoing cyber incidents between Moroccan and Algerian hacking groups, driven by the enduring geopolitical dispute over the Western Sahara region.1 This demonstrates how cyber operations are directly integrated into international political conflicts.

Observed Targets: Jabaroot has specifically targeted Moroccan government institutions, including the National Social Security Fund (CNSS) and the Ministry of Labor.1

The use of cyberattacks as a tool for diplomatic messaging and escalation is clearly demonstrated by Jabaroot’s activities. The group’s actions are not merely about data theft; they represent a direct “response” and “retaliation” within an ongoing geopolitical dispute.1 The symbolic renaming of the Algerian Press Service X account to “Sahara Marocain” by Moroccan-affiliated actors and Jabaroot’s subsequent actions were symbolic and disruptive acts intended to send a message and escalate tensions in the cyber domain.1 This highlights the increasing role of cyber operations as a low-cost, high-impact tool in international relations. Consequently, governments and critical infrastructure providers must develop robust cyber diplomacy frameworks and escalation protocols, recognizing that cyber incidents can rapidly become extensions of real-world political conflicts.

Threat Actor Profile: Play Ransomware Group (PlayCrypt)

Classification: The Play Ransomware Group operates as a Ransomware-as-a-Service (RaaS) provider and is fundamentally a cybercriminal entity. However, its reported affiliations suggest a more complex classification, involving state-sponsored backing.3

Probable Origin & Known Affiliations: The group emerged in June 2022.2 A critical development in their profile is their reported collaboration with “North Korean government-backed hackers” as of October 2024.3 This alliance suggests that Play Ransomware may receive state backing or engage in resource sharing with state-sponsored entities, blurring the lines between pure cybercrime and state-directed operations.

Typical Methods & TTPs: Play Ransomware employs a “double-extortion model”.2 This involves two primary phases: first, exfiltrating sensitive data from the victim’s systems, and second, encrypting the victim’s network and data. The group then leverages the threat of public release of the stolen information as additional pressure to compel ransom payments.2

Past Activities & Notable Campaigns: Play Ransomware has a history of broad targeting across various sectors. In June 2023, the group targeted Swiss government entities, leading to data breaches that impacted hundreds of thousands of individuals.3 In July 2024, a new Play variant designed to target VMware ESXi hosts was reported, indicating an adaptation to virtualized infrastructure.3 In December 2023, the FBI, CISA, and the Australian Cyber Security Centre (ACSC) issued a joint advisory stating that, as of October 2023, the group had breached approximately 300 organizations worldwide.2 Other notable victims include the car retailer Arnold Clark, cloud computing company Rackspace, the City of Oakland in California, Dallas County, the Belgian city of Antwerp, and American semiconductor supplier Microchip Technology.2

Motivations: The primary motivation for Play Ransomware is financial gain through ransom demands.2 However, the collaboration with North Korean state-backed hackers suggests potential additional motivations, such as state-sponsored revenue generation or strategic disruption operations conducted under the guise of cybercrime.3

Observed Targets: The group targets a wide array of sectors globally, including business, government, critical infrastructure, healthcare, and media.3 Their attacks have been observed across North America, South America, and Europe.3

The strategic implications of a state-criminal nexus in ransomware operations are profound. The reported collaboration between Play Ransomware and North Korean government-backed hackers elevates this group beyond a typical cybercriminal entity.3 This alliance implies that financially motivated attacks could serve broader state objectives, such as funding illicit programs or conducting disruptive operations under the guise of crime. This significantly complicates traditional threat modeling, as the capabilities and motivations of these groups are amplified by state resources. Consequently, governments and private sector entities must recognize that ransomware attacks may no longer be purely criminal endeavors but could be proxies for state-sponsored activities. This necessitates a more integrated national cybersecurity defense that considers geopolitical contexts and potential state-level responses, particularly concerning the funding and strategic use of cybercriminal networks.

Threat Actor Profile: Ransomhub

Classification: Ransomhub is a prominent Ransomware-as-a-Service (RaaS) operation, functioning primarily as a cybercriminal entity.5

Probable Origin & Known Affiliations: Ransomhub emerged in February 2024 and is widely believed to be a successor or evolution of the notorious Knight ransomware group.5 The group has strong ties to, and actively recruited, former affiliates of the ALPHV (BlackCat) ransomware group following its shutdown in March 2024.5 Evidence for this connection includes “code overlap and shared configuration keys” with BlackCat and Knight ransomware.9 TrendMicro tracks Ransomhub as Water Bakunawa, while CISA has noted its former names as Cyclops and Knight.6 Members of the group are also linked by association with other high-profile RaaS groups such as Scattered Spider and ALPHV.6 A notable operational policy is their list of “forbidden targets,” which includes China, Cuba, North Korea, Romania, and countries part of the Commonwealth of Independent States (CIS), including Russia.6 This policy strongly suggests a potential origin or a deliberate strategy to avoid interference from these regions, implying a level of state association or geopolitical awareness within their operations.6

Typical Methods & TTPs: Ransomhub affiliates employ a diverse range of initial access methods. These include phishing emails, targeted spear-phishing campaigns (sometimes utilizing voice scams with American accents for increased credibility), and password spraying techniques that leverage common or reused passwords, often from previously compromised accounts.10 A significant vector is the exploitation of known vulnerabilities in public-facing applications, such as Zerologon (CVE-2020-1472), Citrix ADC (CVE-2023-3519), FortiOS, Apache ActiveMQ, Confluence Data Center, F5 BIG-IP, and Windows SMB.5 The group also frequently utilizes Initial Access Brokers (IABs) to expedite their operations.10

Once inside, execution involves Windows Management Instrumentation (WMI) and PowerShell scripts to deploy malicious code, download additional payloads, and perform administrative tasks.5 They deploy scripts to disable security tools and clear logs.11 For persistence and privilege escalation, Ransomhub creates or re-enables user accounts, manipulates account settings, modifies registry keys (e.g., setting explorer.exe as the default shell), and exploits vulnerabilities for privilege escalation (e.g., CVE-2020-0787 in conjunction with Zerologon).5 Tools like Mimikatz are used to dump LSASS credentials.10

Defense evasion tactics are sophisticated, including indicator removal (deleting system logs) and impairing defenses by disabling or modifying security tools.9 They notably use EDRKillShifter, a Bring Your Own Vulnerable Driver (BYOVD) technique, which exploits legitimate but vulnerable drivers to gain kernel-level privileges and disable Endpoint Detection and Response (EDR) and antivirus solutions without triggering alerts.10 Obfuscated PowerShell scripts are also used to toggle Windows Defender settings.11

For discovery and lateral movement, Ransomhub operators utilize network scanners such as AngryIPScanner and Nmap to systematically map systems based on IP addresses or hostnames.10 They leverage legitimate remote access tools like Remote Desktop Protocol (RDP), AnyDesk, PsExec, Ngrok, Remmina, TailScale VPN, Splashtop, Atera, and ConnectWise to move strategically within the network and maintain control.6 Their focus is on strategic advancement to high-value targets, ensuring maximum impact during the final stages of the attack.10 The ultimate impact involves encrypting files using Curve25519 elliptic-curve cryptography and deleting Volume Shadow Copies to thwart recovery efforts.11 Ransomhub employs a custom ransomware variant written in C++ and Go, capable of infecting Windows, Linux, and VMware ESXi systems.9
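The execution, persistence, credential access, defense evasion, discovery and impact behaviours described above each leave a distinct Windows telemetry footprint, and the value for a SOC lies in correlating them on one host rather than alerting on any single event. The following added example (not Ransomhub tooling and not a vendor detection pack; every host, path, time and account name is constructed) encodes those behaviours as rules over Windows Security 4688/4720/4722 and Sysmon event 6 (driver load) and 10 (process access) records, and escalates a host once several distinct techniques fire inside an hour.

```python
"""Detection rules for a Ransomhub-style post-exploitation chain over constructed telemetry.

Added example: not Ransomhub tooling and not a vendor detection pack. The event
records mimic fields of Windows Security 4688/4720/4722 and Sysmon 6/10, but
every host, path, time and account name is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    host: str
    time: datetime
    technique: str
    rule: str


def _cmd(e: dict) -> str:
    return e.get("cmdline", "").lower()


def _image(e: dict) -> str:
    return e.get("image", "").lower()


# (ATT&CK technique, rule description, predicate over one normalised event)
RULES = [
    ("T1490 Inhibit System Recovery", "shadow copy or backup catalog deletion",
     lambda e: e["id"] == 4688 and re.search(
         r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin\s+delete\s+catalog",
         _cmd(e)) is not None),
    ("T1562.001 Impair Defenses", "Defender real-time protection disabled via PowerShell",
     lambda e: e["id"] == 4688 and "set-mppreference" in _cmd(e)
     and "disablerealtimemonitoring" in _cmd(e)),
    ("T1136.001 Create Account", "local account created (4720)", lambda e: e["id"] == 4720),
    ("T1098 Account Manipulation", "disabled account re-enabled (4722)", lambda e: e["id"] == 4722),
    ("T1003.001 LSASS Memory", "handle to lsass.exe requested with PROCESS_VM_READ",
     lambda e: e["id"] == 10 and e.get("target", "").lower().endswith("lsass.exe")
     and (int(e.get("access", "0"), 16) & 0x10) != 0),
    # EDRKillShifter-style BYOVD drops its vulnerable driver outside System32\drivers
    ("T1068 BYOVD", "kernel driver loaded from a non-standard directory",
     lambda e: e["id"] == 6 and not _image(e).startswith("c:\\windows\\system32\\drivers\\")),
    ("T1046 Network Service Discovery", "network scanner executed",
     lambda e: e["id"] == 4688 and re.search(
         r"\\(nmap|ipscan|advanced_ip_scanner)\.exe$", _image(e)) is not None),
    ("T1219 Remote Access Software", "remote access or tunnelling tool executed",
     lambda e: e["id"] == 4688 and re.search(
         r"\\(anydesk|ngrok|splashtop|atera|psexec|psexesvc|remmina|tailscale)\.exe$",
         _image(e)) is not None),
]

# Constructed sample telemetry: one host with a full precursor chain, one with routine IT use.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T02:05:41", "host": "FS01", "id": 6,
     "image": "C:\\ProgramData\\upd\\drv.sys"},
    {"time": "2025-06-01T02:10:05", "host": "FS01", "id": 4688,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"time": "2025-06-01T02:12:30", "host": "FS01", "id": 4688,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"time": "2025-06-01T02:15:12", "host": "FS01", "id": 4720, "target_account": "svc_backup2"},
    {"time": "2025-06-01T02:20:48", "host": "FS01", "id": 10, "image": "C:\\Users\\Public\\m.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "access": "0x1010"},
    {"time": "2025-06-01T11:00:00", "host": "WS07", "id": 4688,
     "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"time": "2025-06-01T11:01:00", "host": "WS07", "id": 4688,
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
]


def detect(events: list[dict]) -> list[Alert]:
    """Run every rule over every event; one Alert per (event, matching rule)."""
    alerts = []
    for e in events:
        when = datetime.fromisoformat(e["time"])
        for technique, rule, matches in RULES:
            if matches(e):
                alerts.append(Alert(e["host"], when, technique, rule))
    return alerts


def escalate(alerts: list[Alert], window: timedelta = timedelta(hours=1),
             min_techniques: int = 3) -> dict[str, list[str]]:
    """Hosts on which at least min_techniques distinct techniques fired inside one window.

    A lone AnyDesk launch is routine; shadow-copy deletion, Defender tampering, a
    new account and an LSASS read on one box within minutes is a precursor chain.
    """
    by_host: dict[str, list[Alert]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a)
    flagged: dict[str, list[str]] = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.time)
        for i, first in enumerate(items):
            techniques = {a.technique for a in items[i:] if a.time - first.time <= window}
            if len(techniques) >= min_techniques:
                flagged[host] = sorted(techniques)
                break
    return flagged


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.time:%H:%M:%S} {a.host:5} {a.technique:34} {a.rule}")
    print("escalate:", escalate(found))
```

The BYOVD rule is deliberately a path heuristic rather than a hash list: the vulnerable drivers change, but a kernel driver loading from ProgramData or a user profile is abnormal on its own, and the Microsoft vulnerable-driver blocklist can be layered on top where hashes are available.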

Past Activities & Notable Campaigns: Ransomhub has significantly ramped up its activity since its emergence in February 2024, quickly earning a reputation as a “big game hunter” in target selection.6 In March 2025 alone, the group posted over 60 new victims to its dark web leak site.6 Notable targets include major telecom companies such as Frontier Communications and healthcare institutions like Change Healthcare and Rite Aid.6

Motivations: The primary motivation for Ransomhub is financial gain through large ransom payouts.5 Their innovative affiliate prepayment model 5 and strategic focus on Operational Technology (OT) environments for “maximum impact” 10 underscore a highly organized and profit-driven approach.

Observed Targets: Ransomhub targets high-value organizations across a diverse range of verticals, including legal, construction, healthcare, finance, real estate, retail, software development, oil & gas, aerospace and defense, government agencies, telecommunications, pharmaceuticals, and manufacturing.5 Their global reach includes victims in the US, Canada, UK, Brazil, Germany, Australia, Italy, Spain, France, and India.9

The business sophistication and resilience of RaaS operations are clearly demonstrated by Ransomhub. Their “innovative affiliate prepayment model” 5 signifies a significant evolution from traditional revenue-sharing schemes, indicating a high level of trust and commitment within the RaaS ecosystem. This, combined with their active recruitment of former BlackCat affiliates 9 and the rapid increase in victims 6, illustrates a robust and resilient business model designed for sustained operations. The existence of “forbidden targets” 6 also points to a strategic operational policy, potentially influenced by geopolitical considerations or a desire to avoid state interference, elevating them beyond mere opportunistic criminals. This means that counter-ransomware efforts must target the entire RaaS ecosystem, including affiliate networks, financial flows, and the underlying infrastructure that supports these business models, rather than solely focusing on individual ransomware variants. The ability of these groups to absorb and re-mobilize after disruptions, such as BlackCat’s shutdown, highlights that resilience is a key characteristic of the evolving threat.

Furthermore, Ransomhub’s deepening penetration into Operational Technology (OT) environments is a critical development. The group “had already shifted its focus to OT environments, specifically onto SCADA systems, indicating that they are deliberately targeting interconnected systems for ‘maximum impact’”.10 This represents a significant evolution from traditional IT-focused ransomware, as successful attacks on OT can lead to severe physical consequences, disrupting essential services and critical infrastructure. Organizations with OT environments must urgently integrate their IT and OT security strategies, implement robust segmentation, and deploy specialized OT security solutions to protect against financially motivated ransomware groups now actively targeting these systems.

Threat Actor Profile: FunkSec (el_farado)

Classification: FunkSec is a ransomware group that operates as a cybercriminal entity, distinguished by its AI-centric approach and affiliate-powered model, with discernible hacktivist leanings.12

Probable Origin & Known Affiliations: Initial reports of FunkSec incidents emerged in November 2024.12 Analysis of their code properties and tool origins suggests connections to GhostAlgeria, a threat actor with hacktivist roots.12 FunkSec has formed alliances with other groups, notably Kosmos and FSociety, with FSociety even offering an affiliate program for FunkSec followers.12 A speculative collaborative relationship with Bjorka (Babuk 2), another entity with hacktivist roots, has also been noted.12 The user “el_farado,” identified as an admin, mod, hacker, lord, and premium member on the FunkSec site, previously sought guidance on BreachForums regarding hacking and data leaking, suggesting an individual with ambition but perhaps initial gaps in technical expertise.12

Typical Methods & TTPs: A defining characteristic of FunkSec is its utilization of Generative AI (GenAI) to create its ransomware code, effectively compensating for any internal coding knowledge gaps.12 The group’s ransomware has undergone multiple updates, progressing through various versions from 1.0 to 2.0.12 FunkSec employs a comprehensive “Hexagon Extortion Model” (FunkSec 3.0), which encompasses encryption, data exfiltration, victim pressure tactics, DDoS attacks, data auctioning, targeting of victim families, and public data leaking.12 They maintain a sophisticated Data Leak Site (DLS) accessible via an onion link, featuring sections for exposed victims, data auctions (FunkBID), a forum for interaction and sharing hacking information, and a ticket system for victim support.12 FunkBID specifically allows for the exchange and sale of data with other parties, generating profit from external sellers.12

Initial access is often achieved through social engineering, leveraging Living Off The Land Binaries (LOLBins), or exploiting leaked credentials.12 For execution, FunkSec utilizes Native APIs or PowerShell scripts.12 Persistence is established by hijacking the flow of a program’s execution 12, while privilege escalation is achieved through process injection.12 Their defense evasion capabilities are extensive, including disabling or modifying security tools and firewalls, time-based evasion, file deletion, registry modification, debugger evasion, altering Windows file and directory permissions, modifying NTFS attributes, and timestomping.12 Discovery operations involve System Network Connections Discovery, Security Software Discovery, Network Share Discovery, Application Window Discovery, and Registry Querying.12 The impact of their ransomware includes encrypting files (typically in the C:\ drive), removing initial file iterations, appending the .funksec extension, inhibiting system recovery, stopping services, and defacing affected websites with their logo and a notice.12 Monetization is further enhanced through premium memberships, offering benefits such as a minilocker ransomware builder and a share of sales transactions for a fee.12
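Of the evasion techniques listed above, timestomping is the one a forensic examiner can test for directly on NTFS: ordinary file APIs can rewrite the $STANDARD_INFORMATION timestamps, but the $FILE_NAME timestamps in the same MFT record are maintained by the kernel and are not exposed to user mode, so a back-dated file tends to contradict itself. The following added example (not FunkSec's code and not a forensic vendor's) applies the two standard checks to constructed MFT records; the record shape is a simplified view of what an MFT parser yields.

```python
"""Timestomping check on NTFS MFT timestamps (constructed records).

Added example; not FunkSec tooling and not a forensic vendor's code. The record
shape is a simplified view of what an MFT parser yields and the values are
constructed. datetime carries microseconds, whereas NTFS stores 100-ns ticks;
the zero-fraction heuristic works the same way at either resolution.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class MftRecord:
    path: str
    si_created: datetime    # $STANDARD_INFORMATION: settable via SetFileTime and similar APIs
    si_modified: datetime
    fn_created: datetime    # $FILE_NAME: kernel-maintained, not reachable from user mode


def timestomp_indicators(rec: MftRecord) -> list[str]:
    """Reasons a record looks back-dated; an empty list means nothing suspicious.

    1. $SI creation predates $FN creation: the file claims to exist before the
       kernel first recorded its name in this location.
    2. Fractional seconds of both $SI stamps are exactly zero: tools that set
       times at second granularity leave the low bits clear, while the kernel
       stamps at full resolution.
    Neither is proof alone (a backup restore can also move $SI), so they are
    reported as indicators to score, not verdicts.
    """
    reasons = []
    if rec.si_created < rec.fn_created:
        reasons.append("$SI created earlier than $FN created")
    if rec.si_created.microsecond == 0 and rec.si_modified.microsecond == 0:
        reasons.append("sub-second part of both $SI timestamps is zero")
    return reasons


def triage(records: list[MftRecord]) -> dict[str, list[str]]:
    """Map path -> indicators for every record that has at least one."""
    out: dict[str, list[str]] = {}
    for rec in records:
        hits = timestomp_indicators(rec)
        if hits:
            out[rec.path] = hits
    return out


# Constructed records: a normal system binary and a dropped payload back-dated to 2019.
SAMPLE_RECORDS = [
    MftRecord("C:\\Windows\\System32\\notepad.exe",
              si_created=datetime(2024, 3, 2, 10, 11, 12, 345678),
              si_modified=datetime(2024, 3, 2, 10, 11, 12, 345678),
              fn_created=datetime(2024, 3, 2, 10, 11, 12, 345678)),
    MftRecord("C:\\ProgramData\\svc\\upd.exe",
              si_created=datetime(2019, 1, 1, 0, 0, 0),
              si_modified=datetime(2019, 1, 1, 0, 0, 0),
              fn_created=datetime(2025, 6, 1, 2, 4, 59, 123456)),
]


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(path)
        for h in hits:
            print("  -", h)
```

In practice the $SI/$FN comparison is run over every record in a parsed $MFT and the hits are cross-checked against $UsnJrnl and $LogFile, which record the original file creation independently of either timestamp set.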

Past Activities & Notable Campaigns: FunkSec’s activities gained recognition following initial reports in November 2024, with their DLS launching in December 2024.12 The group has removed older breach posts from their site. A notable past incident involved claiming responsibility for a fake voicemail leak between Donald Trump and Benjamin Netanyahu, which was later revealed to be AI-generated and attributed to the DesertStorm alias, linked to a FunkSec admin.12 Historically, FunkSec has issued high ransom demands, including $500,000 for a decryptor tool and $1 million for network decryption.12

Motivations: FunkSec is primarily driven by financial gain through ransomware operations, data auctioning, and premium memberships.12 However, hacktivism serves as a “unifying factor” for their alliances, enabling groups with fewer resources to gain reputation and expand their target markets.12

Observed Targets: The group has impacted over 120 organizations, including entities in government and defense, technology, finance, and education, across countries such as the US, India, Spain, and Mongolia.12 FunkSec also engages in “re-victimization,” acquiring and threatening to distribute data from organizations previously targeted by other ransomware groups.12

The democratization of cybercrime through AI and affiliate models is a critical development exemplified by FunkSec. The group’s heavy reliance on AI for code generation 12, coupled with the “el_farado” persona’s initial lack of hacking knowledge (as evidenced by seeking guidance on BreachForums) 12, strongly indicates that AI is lowering the barrier to entry for individuals to participate in complex cybercrime. The Ransomware-as-a-Service (RaaS) model further enables this by providing pre-built tools and infrastructure, meaning sophisticated attacks are no longer exclusive to highly skilled actors. This phenomenon suggests that the cybersecurity industry must anticipate a surge in the number of actors capable of deploying advanced ransomware, even if their underlying technical expertise is limited. This necessitates a heightened focus on automated detection and response mechanisms, as well as proactive disruption of the RaaS ecosystem and the malicious use of AI tools.

Threat Actor Profile: RedCurl (Earth Kapre, Red Wolf)

Classification: RedCurl is a Russian-speaking cybercriminal group that historically focused on corporate espionage. However, it has recently demonstrated a significant pivot to ransomware operations.13

Probable Origin & Known Affiliations: RedCurl is identified as a Russian-speaking hacking group and has been active since at least November 2018.13 While no specific affiliations are explicitly stated, their QWCrypt ransomware note appears “inspired by LockBit, HardBit, and Mimic groups,” suggesting they observe and potentially learn from other prominent ransomware operations.13

Typical Methods & TTPs: RedCurl’s initial access typically involves spear-phishing emails, often utilizing Human Resources (HR)-themed lures or spam PDF attachments masquerading as CVs and cover letters.13 They have also been observed using mountable disk image (ISO) files disguised as CVs to initiate multi-stage infection procedures.13

For execution and persistence, the group employs DLL side-loading, notably using the legitimate Adobe executable “ADNotificationManager.exe” to execute their loader, “netutils.dll”.13 This loader then acts as a downloader for a next-stage backdoor DLL and establishes persistence on the host via a scheduled task.13 A key defense evasion tactic is a “calculated distraction,” where the malware immediately launches a legitimate Indeed login page in the victim’s browser, misleading them into thinking they are simply opening a CV while the malware operates undetected.13 The backdoor implant facilitates lateral movement, allowing the threat actor to navigate the network, gather intelligence, and escalate access.13

In their recent pivot, RedCurl’s ransomware (QWCrypt) targets virtual machines hosted on hypervisors, aiming to inflict “maximum damage with minimum effort” by making entire virtualized infrastructures unbootable.13 The ransomware also employs a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint security software and gathers system information prior to launching its encryption routine.13
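The chain in the two paragraphs above (ADNotificationManager.exe side-loading a planted netutils.dll, a scheduled task that re-launches the loader, and a vulnerable-driver load ahead of QWCrypt) is concrete enough to hunt for. The following is an added Python example, not RedCurl tooling and not from the cited reports, run over constructed image-load, scheduled-task and driver-load records of the kind Sysmon and task-creation auditing would yield after parsing. The trusted Adobe install paths, the "signed" field and the vulnerable-driver hash are assumptions about the environment.

```python
"""Hunt for the RedCurl chain described above: ADNotificationManager.exe side-loading
netutils.dll, a scheduled task re-launching the loader, and a BYOVD driver load.

Added example, not RedCurl tooling and not from the cited reports. All records are
constructed. The trusted Adobe prefixes, the "signed" field and the vulnerable-driver
hash are assumptions.
"""
import ntpath

LOADER_EXE = "adnotificationmanager.exe"
SIDELOADED_DLL = "netutils.dll"
# Where the legitimate Adobe binary is expected to live (assumption; adjust to your fleet).
TRUSTED_PREFIXES = ("c:\\program files\\adobe\\", "c:\\program files (x86)\\adobe\\")
# BYOVD drivers carry valid signatures, so only a hash list catches them. Populate from a
# curated source such as loldrivers.io; this value is a constructed placeholder.
VULNERABLE_DRIVER_SHA256 = {"0" * 63 + "1"}


def _norm(path):
    return path.replace("/", "\\").lower()

def is_trusted_location(path):
    return _norm(path).startswith(TRUSTED_PREFIXES)

def check_image_load(rec):
    """Return a reason if an image-load record matches the side-loading pattern, else None."""
    proc, dll = _norm(rec["process_path"]), _norm(rec["image_loaded"])
    if ntpath.basename(proc) != LOADER_EXE or ntpath.basename(dll) != SIDELOADED_DLL:
        return None
    reasons = []
    # Side-loading relies on the DLL sitting next to the EXE; a genuine install resolves
    # the OS copy of netutils.dll from System32 instead.
    if ntpath.dirname(proc) == ntpath.dirname(dll) and not is_trusted_location(proc):
        reasons.append("loader and netutils.dll co-located outside the Adobe install path")
    if not rec.get("signed", False):
        reasons.append("netutils.dll is unsigned")
    return "; ".join(reasons) or None

def check_scheduled_task(rec):
    """Flag tasks whose action launches the Adobe binary from an untrusted directory."""
    action = _norm(rec["action"])
    if LOADER_EXE in action and not is_trusted_location(action):
        return f"task {rec['task']} launches {LOADER_EXE} from {ntpath.dirname(action)}"
    return None

def check_driver_load(rec):
    """Flag a driver whose hash is on the known-vulnerable list, whether or not it is signed."""
    if rec["sha256"].lower() in VULNERABLE_DRIVER_SHA256:
        return f"known-vulnerable driver loaded: {ntpath.basename(_norm(rec['driver_path']))}"
    return None

def hunt(image_loads, tasks, driver_loads):
    """Return (source, host, reason) findings across all three record types."""
    checks = (("image_load", image_loads, check_image_load),
              ("scheduled_task", tasks, check_scheduled_task),
              ("driver_load", driver_loads, check_driver_load))
    findings = []
    for source, records, check in checks:
        for rec in records:
            reason = check(rec)
            if reason:
                findings.append((source, rec["host"], reason))
    return findings


# Constructed telemetry: WS10 and WS12 are clean, WS11 shows the full chain.
SAMPLE_IMAGE_LOADS = [
    {"host": "WS10", "process_path": "C:\\Program Files\\Adobe\\Acrobat DC\\Acrobat\\ADNotificationManager.exe",
     "image_loaded": "C:\\Windows\\System32\\netutils.dll", "signed": True},
    {"host": "WS11", "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\cv\\ADNotificationManager.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\cv\\netutils.dll", "signed": False},
    {"host": "WS12", "process_path": "C:\\Windows\\explorer.exe",
     "image_loaded": "C:\\Windows\\System32\\shell32.dll", "signed": True},
]
SAMPLE_TASKS = [
    {"host": "WS11", "task": "\\AdobeNotifyUpdate",
     "action": "C:\\Users\\alice\\AppData\\Local\\Temp\\cv\\ADNotificationManager.exe"},
    {"host": "WS10", "task": "\\Adobe Acrobat Update Task",
     "action": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"},
]
SAMPLE_DRIVER_LOADS = [
    {"host": "WS11", "driver_path": "C:\\Windows\\Temp\\hwmon.sys", "sha256": "0" * 63 + "1", "signed": True},
    {"host": "WS10", "driver_path": "C:\\Windows\\System32\\drivers\\ndis.sys", "sha256": "a" * 64, "signed": True},
]

if __name__ == "__main__":
    for source, host, reason in hunt(SAMPLE_IMAGE_LOADS, SAMPLE_TASKS, SAMPLE_DRIVER_LOADS):
        print(f"{host} [{source}] {reason}")
```

The image-load rule fires only when netutils.dll is loaded from the same directory as the Adobe binary and that directory is outside the expected install path, so a genuine install resolving the System32 copy is left alone. The driver rule uses a hash list rather than signature status because BYOVD drivers are, by definition, validly signed.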

Past Activities & Notable Campaigns: RedCurl has been active since November 2018, primarily orchestrating corporate espionage attacks.13 Group-IB documented their use of HR-themed spear-phishing emails in 2020.13 More recently, in early 2025, Huntress detailed their attacks targeting Canadian organizations to deploy a loader dubbed RedLoader with “simple backdoor capabilities”.13 eSentire also revealed their use of spam PDF attachments to sideload RedLoader via ADNotificationManager.exe.13 Their deployment of QWCrypt marks their first-ever documented ransomware campaign.13

Motivations: Historically, RedCurl was motivated by corporate espionage. However, their recent pivot to ransomware clearly indicates a shift towards direct financial gain.13 The strategic focus on hypervisors for “maximum damage” suggests a calculated financial strategy to maximize extortion potential.

Observed Targets: For corporate espionage, RedCurl has targeted various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.13 Their ransomware operations specifically target virtualized infrastructure.13

The strategic pivot from espionage to ransomware for established Advanced Persistent Threats (APTs) is a significant development observed with RedCurl. This group, traditionally focused on corporate espionage, has now deployed ransomware for the first time.13 This shift is not merely an adoption of a new tool but a fundamental business decision for a sophisticated threat actor. It suggests that the financial incentives of ransomware are compelling enough for even groups with different primary objectives to integrate it into their operations, potentially leveraging their existing access and stealth capabilities for direct monetization. The targeting of hypervisors for “maximum damage with minimum effort” indicates a refined and efficient approach to ransomware deployment.13 This implies that organizations cannot assume that groups traditionally focused on espionage will not pivot to disruptive or financially motivated attacks. A flexible defense strategy is therefore required, one that can adapt to evolving threat actor motivations and TTPs, and recognizes that internal access gained through espionage could be repurposed for ransomware.

Threat Actor Profile: Z-PENTEST ALLIANCE

Classification: The Z-PENTEST ALLIANCE operates as a state-aligned hacktivist group, primarily focused on disrupting critical infrastructure.14

Probable Origin & Known Affiliations: The group first appeared in October 2023, with a probable origin in Serbia, maintaining “close ties to pro-Russian actors”.14 They actively collaborate with other groups, including SECTOR16, OverFlame, and People’s Cyber Army (PCA), to coordinate attacks and share resources, thereby increasing their collective effectiveness.14 Their broader network of affiliations includes Pro-Palestine Hackers Movement (PPHM), NoName057(16), KillNet, Anonymous Russia, Cyber Army of Russia Reborn, XakNet Team, From Russia with Love (FRwL), Volt Typhoon, Cyb3r Dragonz, and ByteBlitz.14

Typical Methods & TTPs: Z-Pentest is distinguished by its ability to penetrate Operational Technology (OT) control systems within critical infrastructures.14 They develop specialized tools for this purpose and exploit zero-day vulnerabilities, often leveraging information obtained from the dark web or through collaboration with other groups.14 Social engineering techniques are also employed to acquire sensitive information or system access by exploiting human error or trust.14 The group uses platforms like Telegram and X (Twitter) for communication with supporters and recruitment.14

A key tactic involves releasing videos demonstrating their access to critical systems, which serves to instill fear and uncertainty in their victims.14 They manipulate perceptions of vulnerability to provoke disorganized reactions or negotiations.14 The group also strategically shares evidence of successful attacks with its allies, fostering trust and motivation within their alliances through emotionally engaging communication.14

Past Activities & Notable Campaigns: While specific individual campaigns are not detailed in the provided information, Z-Pentest’s characteristic activity involves the penetration of OT systems in critical infrastructure.14 They have publicly demonstrated their access to such systems through videos.14 The group’s potential future TTPs, considered “dangerous hypotheses,” include launching coordinated cyberattacks on European energy grids to cause widespread blackouts, disrupting water and oil distribution systems, exploiting unknown zero-day vulnerabilities, collaborating with state-sponsored actors for more sophisticated operations, leveraging insider threats, and deploying targeted wiper malware on critical infrastructure.14

Motivations: Z-Pentest’s motivations are primarily geopolitical. Their attacks aim to “weaken industrial and control systems (ICS/SCADA) in Western countries, thereby strengthening Russia’s geopolitical influence by exploiting the technological vulnerabilities of its enemies”.14 The group also seeks to weaken Western solidarity and create divisions within NATO.14 Their financing may derive from the sale of access to industrial systems and zero-day vulnerabilities on the dark web.14

Observed Targets: Z-Pentest predominantly targets the energy (oil and gas) and water sectors, aiming to disrupt critical systems like oil wells and water treatment plants.14

The designation of critical infrastructure as a primary vector for geopolitical leverage is a central aspect of Z-PENTEST ALLIANCE’s operations. Their explicit focus on “penetrating operational control systems (OT) in critical infrastructures” 14 and their stated geopolitical motivation to “weaken industrial and control systems… thereby strengthening Russia’s geopolitical influence” 14 signify a clear strategic objective beyond mere disruption. This approach is about using cyber capabilities to exert geopolitical leverage and influence, with the potential to cause widespread societal and economic impact. The “dangerous hypotheses” outlined in their profile, such as coordinated attacks leading to blackouts or disruptions in essential services, underscore their intent for major, coordinated disruption.14 This necessitates that national security and critical infrastructure protection be elevated to a top priority, with a strong emphasis on OT/ICS security. This requires cross-sector collaboration, advanced threat intelligence, and robust incident response plans specifically tailored for industrial environments. The potential for “insider threats” also highlights the need for stringent personnel security measures within critical infrastructure organizations.14

Threat Actor Profile: CyberVolk (GLORIAMIST, Solntsevskaya Bratva, CyberVolk Team)

Classification: CyberVolk is a self-proclaimed hacktivist group that has evolved into a Ransomware-as-a-Service (RaaS) provider, significantly blurring the lines between political and financial cybercrime.15

Probable Origin & Known Affiliations: The group formed in March 2024, initially operating under the names GLORIAMIST India and Solntsevskaya Bratva. It adopted its current name, CyberVolk, in May 2024 and launched its RaaS operations in June 2024.16 While they claim a pro-Russian alignment, research from SentinelOne suggests a possible origin in India, supported by their past alias GLORIAMIST India.15 One researcher, however, has claimed a French origin based on the name Cyb3r Bytes, though this remains uncorroborated.15 CyberVolk maintains various allegiances to other hacktivist groups, including Anonymous (and its subsidiaries), White_Hunters, and Cyber Hunters.15 They also claim to work with SRV, a DDoS service, for their extortion attacks.15 Broader affiliations include other pro-Russian hacktivist groups like NoName057(16) and HolyLeague, as well as LAPSUS$, Moroccan Dragons, Mr. Hamza, APT 44, and The Golden Society.16

Typical Methods & TTPs: CyberVolk employs “hybrid attacks” that combine DDoS attacks for initial disruption with ransomware deployments for financial extortion.16 The group demonstrates proficiency in developing various malware, including their own ransomware strains (such as AzzaSec Ransom, Diamond RW, Forks of LockBit, Chaos, HexaLocker, and Parano) and data stealers.16 They adapt and evolve their tools, often drawing inspiration from other groups, indicating a dynamic technological approach.16

Their ransomware’s lineage is traced to the AzzaSec group’s ransomware, which originated from Babuk’s leaked encryptor.15 It utilizes a hybrid encryption scheme involving AES+SHA-512 for file encryption and RSA-4096 for encrypting the AES symmetric key.15 When executed, the ransomware changes the desktop wallpaper, invokes an un-closable modal, and appends specific file extensions such as .cvenc, .petik, or .CyberVolk.15 The encryption routine has a notable flaw: entering any combination of 36 alphanumeric characters into the modal stops the encryption process, and some samples have been observed to perform no encryption at all.15 They demand fixed ransoms to be paid extremely quickly.16

CyberVolk also engages in mass exfiltration of sensitive data.16 They employ rapid tactical adaptation (SWITCH), cycling through different techniques to evade detection and maximize success rates.16 The group uses hybrid systems that combine structured approaches with adaptive methods, including real-time AI.16 A significant component of their operations involves psychological manipulation: they quickly publish large amounts of hacked data or claims to disorient their targets, aiming to saturate public attention and complicate rational analysis of their actions.16 Their communications frequently contain emotionally charged words like “freedom” or “justice” to anchor positive associations and strengthen their image as “heroes” among supporters.16 They spread strong, ideologically driven messages to rally sympathizers, often exploiting confirmation bias, and use threats of data leaks or visible DDoS attacks to instill fear in adversaries.16 They are also known to create detailed psychological profiles of targets to tailor attacks and maximize emotional impact.16

Past Activities & Notable Campaigns: CyberVolk launched its RaaS operations and began claiming ransomware victims in June 2024.16 Throughout 2024, the group primarily targeted organizations in Japan, with additional victims identified in the U.S., Armenia, Venezuela, Albania, and Italy.15

Motivations: CyberVolk is driven by geopolitical motivations, exploiting tensions and targeting entities that oppose Russia, particularly those supporting Ukraine or NATO.16 While politically motivated, they blur the lines with financial cybercrime, identifying ransomware and RaaS as their main sources of funding.16 Their overarching vision is rooted in a “reactionary techno-nationalism,” aiming to preserve a “digital soul of the people” (the Volk) which they perceive as threatened by globalization, mass immigration, AI, and the metaverse.16 This forms a “hybrid cultural war” strategy aimed at re-establishing “rooted” technological sovereignty.16

Observed Targets: The group primarily targets government entities, scientific institutions, and critical infrastructure.16 Their targets include countries perceived as adversaries of their political or national ideologies, such as Japan, Ukraine, Israel, Spain, France, and Western nations including the US and UK.16

The emergence of “Techno-Nationalist” RaaS groups like CyberVolk represents a new and complex hybrid threat. The group’s self-described “reactionary techno-nationalism” and explicit geopolitical motivations (targeting entities opposing Russia) are fused with its RaaS operations.16 This indicates that CyberVolk is not merely financially motivated or purely hacktivist; it is a blend, using cybercrime to fund and amplify its ideological and geopolitical agenda. Their “hybrid cultural war” tactics, which combine technical attacks (DDoS, ransomware) with psychological operations and ideological messaging, demonstrate a sophisticated understanding of influence operations beyond purely technical attacks.16 The use of physical dead drop networks (USB keys) for internal exchanges also suggests a higher level of operational security and commitment than typically observed with less organized cybercriminals.16 This implies that cybersecurity defenses must evolve to understand and counter “hybrid threats” that fuse ideological warfare, geopolitical objectives, and profit motives. This requires a multi-disciplinary approach that integrates technical threat intelligence with geopolitical analysis and insights into psychological operations. The observed flaw in their ransomware, where encryption can be stopped 15, might suggest that data exfiltration and disruption are prioritized over successful encryption for financial gain, aligning more closely with their hacktivist roots and strategic objectives.

IV. Analysis of Current Threat Landscape

The incidents observed in the last 24 hours, combined with broader intelligence, reveal several critical patterns and evolving strategies within the global cybersecurity threat landscape.

Identification of Common Attack Patterns and Vectors

Ransomware Dominance with Double Extortion: The Krispy Kreme and Ahmadiyya incidents, attributed to Play Ransomware and Ransomhub respectively, underscore the continued prevalence and evolution of ransomware.2 Both groups actively employ a double-extortion model, which involves not only encrypting systems to disrupt operations but also exfiltrating sensitive data and threatening its public release.2 This dual pressure significantly increases the leverage over victims and amplifies the potential impact of a breach, making data confidentiality as critical as data availability.

Supply Chain Compromise: The Procolored printer software infection highlights the enduring vulnerability inherent in the software supply chain.7 Compromises occurring at the developer or build server level can lead to the widespread distribution of commodity malware, affecting a broad user base and generating substantial financial gain for the threat actors involved.7 This vector demonstrates that even non-critical software can serve as an effective conduit for malicious payloads.

Credential Theft and Exploitation: The Telefónica breach, initiated by “stolen employee credentials,” reinforces that fundamental security hygiene, particularly around privileged access and multi-factor authentication, remains a critical defense against even sophisticated groups like Hellcat Ransomware.8 The continued success of this vector indicates that human and process vulnerabilities are often the weakest links in an organization’s security posture.

Phishing and Social Engineering as Initial Access: The consistent use of spear-phishing with HR-themed lures and deceptive file extensions by RedCurl 13, and Ransomhub’s reliance on phishing, spear-phishing, and password spraying 10, demonstrates that human-centric vulnerabilities remain primary entry points for threat actors. These methods exploit trust and human error, proving highly effective in bypassing initial defenses.
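Password spraying, one of the Ransomhub initial-access methods cited above, has a distinctive shape in authentication logs: one source, many accounts, one or two tries each, which is exactly what per-account lockout policies do not catch. The following is an added example rather than anything from the page or a vendor product: a Python detector over constructed authentication log lines. The line format (timestamp, src=, user=, result=) is an assumption standing in for whatever a VPN concentrator, identity provider or mail gateway actually emits.

```python
"""Password-spray detection over authentication logs.

Added example, not from the page or any vendor. The log lines are constructed; the
"ts src= user= result=" layout is an assumption about the log source. A spray is
many users with few attempts each from one source; a brute force is many attempts
on one user. The detector separates the two because the response differs.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>success|failure)$")


def parse(lines):
    """Return sorted (ts, src, user, result) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def detect_spray(lines, window_minutes=30, min_users=5, max_per_user=3):
    """Return {src: {"users_tried": n, "successes": [user, ...]}} for sources that sprayed."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[1]].append(ev)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[3] == "failure"]
        for i, first in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - first[0] <= window]
            per_user = Counter(e[2] for e in in_window)
            # Breadth (many users) with low depth (few tries each) is the spray signature.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Any success from the same source after the spray began is a likely hit.
                hits = sorted({e[2] for e in evs if e[3] == "success" and e[0] >= first[0]})
                findings[src] = {"users_tried": len(per_user), "successes": hits}
                break
    return findings


SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE_LOG = (
    # One source, one attempt per user (constructed spray)...
    [f"2025-06-02T08:00:{3 * i + 1:02d}Z src=203.0.113.7 user={u} result=failure"
     for i, u in enumerate(SPRAY_USERS)]
    # ...followed by a login that worked for one of them.
    + ["2025-06-02T08:00:19Z src=203.0.113.7 user=erin result=success"]
    # A brute force on a single account: many failures, one user; not a spray.
    + [f"2025-06-02T08:05:{s:02d}Z src=198.51.100.9 user=admin result=failure"
       for s in range(0, 40, 5)]
    # Normal traffic and a malformed line the parser must tolerate.
    + ["2025-06-02T09:12:44Z src=192.0.2.5 user=alice result=success",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: tried {info['users_tried']} users, successes: {info['successes']}")
```

The detector deliberately ignores the single-account brute force (eight failures on admin) because that case is what lockout policies already handle. A spray finding with a non-empty successes list means a weak or reused password was found somewhere in the user base, so the successful session should be treated as compromised even though no single account exceeded the lockout threshold.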

Exploitation of Known Vulnerabilities: Ransomhub’s frequent exploitation of public-facing application vulnerabilities, such as Zerologon and Citrix ADC flaws 5, underscores that timely patching and robust vulnerability management are not merely best practices but non-negotiable requirements for effective defense. Unpatched systems remain attractive targets, providing easy entry points for even well-resourced groups.

Discussion of Evolving Threat Actor Strategies and Sophistication

Motivations Blurring: A significant and concerning trend is the convergence of motivations among threat actors. Groups traditionally focused on corporate espionage, such as RedCurl, are now deploying ransomware 13, and ideologically driven hacktivist groups like CyberVolk are operating full-fledged Ransomware-as-a-Service (RaaS) models.16 This fluidity in motivation makes threat actor categorization more complex and defense more challenging, as the same group might pursue different objectives depending on the target or perceived opportunity. This requires a more adaptive and holistic threat intelligence approach.

AI in Attack Operations: The integration of Artificial Intelligence (AI) into attack operations, as exemplified by FunkSec’s use of AI for generating ransomware code and compensating for coding gaps 12, marks a critical evolution. This development democratizes access to sophisticated attack capabilities, potentially leading to an increase in both the volume and complexity of attacks from a wider range of actors, including those with limited traditional technical expertise.

Professionalization of Cybercrime and Hacktivism: Ransomware-as-a-Service (RaaS) groups like Ransomhub and FunkSec operate with increasingly sophisticated business models, including innovative affiliate programs and dedicated data auction sites.5 Similarly, hacktivist groups are professionalizing through the creation and sale of offensive hacking courses.17 This indicates a maturing cybercrime ecosystem with clear economic incentives, structured operations, and a focus on scalability and efficiency.

Targeting of Operational Technology (OT): The explicit focus of Z-PENTEST ALLIANCE on penetrating OT environments and SCADA systems 14, coupled with Ransomhub’s observed shift towards such targets 10, represents a deeply concerning trend. Attacks on critical infrastructure have far-reaching societal and economic consequences that extend well beyond traditional data theft, potentially disrupting essential services and causing physical damage.

Insights into Geopolitical Drivers Influencing Cyber Activity

Cyber as a Geopolitical Weapon: Incidents like the Jabaroot data leak, which is explicitly framed as a “political response” and “retaliation” in an ongoing geopolitical dispute 1, and Z-PENTEST ALLIANCE’s stated goal of weakening Western critical infrastructure to strengthen geopolitical influence 14, clearly demonstrate cyberattacks as direct extensions of geopolitical conflicts. These operations serve as tools for political influence, coercion, or direct retaliation, highlighting the growing role of the cyber domain in international relations.

State-Criminal Nexus: The collaboration between Play Ransomware and North Korean state-backed hackers 3 highlights a dangerous trend where nation-states may leverage or direct cybercriminal groups for strategic objectives, such as funding illicit programs or conducting disruptive operations under deniable cover. Ransomhub’s “forbidden targets” list, which includes China, Cuba, North Korea, Romania, and CIS countries 6, also strongly suggests state-level considerations or affiliations, or at least a desire to avoid state interference. This nexus blurs attribution and significantly complicates international response efforts.

Hybrid Warfare: Groups like CyberVolk exemplify a hybrid warfare approach, effectively combining technical attacks (e.g., DDoS, ransomware) with psychological operations and ideological messaging to achieve geopolitical aims.16 Their “reactionary techno-nationalism” and use of emotionally charged language demonstrate an understanding of how to influence public perception and rally support, extending the impact of their cyber operations beyond mere technical disruption.16

V. Recommendations and Defensive Strategies

To mitigate the risks posed by the identified threats and the evolving threat landscape, organizations must adopt a multi-layered and adaptive cybersecurity strategy. The following actionable recommendations are crucial for enhancing resilience and defense capabilities:

Enhanced Ransomware Preparedness

Organizations must assume that ransomware is an inevitable threat and prepare accordingly. This involves implementing robust, immutable, and geographically separated backup and recovery solutions for all critical data and systems. Regular testing of these recovery procedures is paramount to ensure rapid business continuity in the event of an attack.11 Furthermore, deploying advanced Endpoint Detection and Response (EDR) solutions with behavioral analytics and heuristic scanning capabilities is essential to detect and block exploit-like behaviors, including techniques used by groups like Ransomhub (e.g., Bring Your Own Vulnerable Driver, EDRKillShifter) and RedCurl.10 Prioritizing the timely patching of known vulnerabilities, especially those frequently exploited by ransomware groups, such as Zerologon and flaws in Citrix ADC, FortiOS, Apache ActiveMQ, Confluence Data Center, F5 BIG-IP, and Windows SMB, is a non-negotiable step to close common entry points.6

Strengthen Supply Chain Security

Given the increasing prevalence of supply chain attacks, as demonstrated by the Procolored printer software infection, organizations must implement rigorous vendor risk management programs.7 This includes conducting thorough security assessments of third-party software providers and their development practices. Utilizing software integrity verification tools is critical to detect any tampering in downloaded software before deployment. Additionally, isolating and continuously monitoring systems used for software development and build processes is vital to prevent compromises, such as the SnipVex infection observed in the Procolored incident.7
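The integrity-verification step recommended above, shown as an added Python example (not the page’s own tooling): compare a downloaded installer against a vendor-published SHA-256 manifest before deployment. The installer bytes and the manifest are constructed; the sha256sum-style "<digest>  <filename>" layout is an assumption about what the vendor publishes.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 manifest.

Added example, not the page's own tooling. The installer bytes and the manifest are
constructed; the sha256sum-style "<hex digest>  <filename>" layout is an assumption.
"""
import hashlib
import hmac


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hex_digest}; reject malformed entries."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum output
    return expected


def sha256_hex(data, chunk_size=1 << 20):
    """Hash in fixed-size chunks so large installers need not be processed as one buffer."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def verify_artifact(name, data, manifest):
    """Return 'ok', 'tampered' or 'unlisted'; deploy only on 'ok'."""
    if name not in manifest:
        return "unlisted"
    # compare_digest avoids short-circuit comparison; the digest is public, but the habit
    # carries over to code paths that later compare MACs or tokens.
    return "ok" if hmac.compare_digest(sha256_hex(data), manifest[name]) else "tampered"


# Constructed artifacts: the vendor's clean build and a copy with a payload appended.
CLEAN_INSTALLER = b"MZ\x90\x00" + b"PrintSetup 2025.05 (constructed sample bytes)"
TAMPERED_INSTALLER = CLEAN_INSTALLER + b"\x00<appended stage-1 payload>"
VENDOR_MANIFEST = (
    "# SHA256SUMS published by the vendor (constructed)\n"
    f"{sha256_hex(CLEAN_INSTALLER)}  PrintSetup.exe\n"
)

if __name__ == "__main__":
    manifest = parse_manifest(VENDOR_MANIFEST)
    print("clean:", verify_artifact("PrintSetup.exe", CLEAN_INSTALLER, manifest))
    print("tampered:", verify_artifact("PrintSetup.exe", TAMPERED_INSTALLER, manifest))
    print("unlisted:", verify_artifact("Driver.msi", CLEAN_INSTALLER, manifest))
```

A hash manifest only catches tampering that happens after the vendor produced the build. If the build server itself is compromised, as the Procolored case above describes, the published digest matches the malicious binary, so the manifest must be fetched over a channel separate from the download (or be cryptographically signed) to add real assurance, and an "unlisted" result should block deployment rather than merely warn.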

Fortify Credential and Access Management

The Telefónica breach, initiated by stolen employee credentials, highlights the foundational importance of robust credential and access management.8 Organizations must enforce strong, unique passwords across all accounts and immediately implement phishing-resistant multi-factor authentication (MFA) for all critical systems and user accounts. Continuous monitoring for compromised accounts and unusual login patterns is essential. Implementing a Zero Trust architecture, where no user or device is inherently trusted, can further limit the impact of compromised credentials by strictly controlling access to resources.18

Proactive Threat Intelligence and Adaptive Defenses

Organizations should invest in proactive threat intelligence capabilities to stay informed about emerging threats, evolving TTPs, and the motivations of various threat actors. This includes monitoring for shifts in actor behavior, such as RedCurl’s pivot from espionage to ransomware, or the integration of AI into attack operations by groups like FunkSec.12 Defense strategies must be adaptive, capable of responding to hybrid threats that blend financial, political, and ideological motivations. This requires a multi-disciplinary approach that integrates technical threat intelligence with geopolitical analysis to anticipate and counter evolving attack vectors.

Critical Infrastructure Protection

For organizations operating in or supporting critical infrastructure sectors, an urgent focus on Operational Technology (OT) and Industrial Control Systems (ICS) security is paramount. The explicit targeting of OT environments by groups like Z-PENTEST ALLIANCE and Ransomhub necessitates the integration of IT and OT security strategies, robust network segmentation between IT and OT networks, and the deployment of specialized OT security solutions.10 Incident response plans must be specifically tailored for industrial environments, accounting for potential physical consequences and widespread societal disruption.

Security Awareness and Training

As social engineering and phishing remain primary initial access vectors, continuous and comprehensive security awareness training for all employees is indispensable.13 Training should focus on recognizing sophisticated phishing attempts (including spear-phishing, smishing, and vishing), identifying deceptive lures, and understanding the risks associated with suspicious links or attachments. Employees should be empowered to report suspicious activity without fear of reprisal.

By implementing these comprehensive strategies, organizations can significantly enhance their resilience against the complex and evolving cyber threats that characterize the current landscape.

VI. Additional Incidents from the Last 24 Hours

This section provides details on additional cybersecurity incidents reported within the last 24 hours, offering further insights into the breadth of current threats.

Alleged sale of Revolut Business Account Verified for Czech Republic

  • Category: Data Breach
  • Content: The threat actor claims to be selling a verified Revolut Business account registered in the Czech Republic. The account reportedly has a monthly turnover of around €2,000 and includes access to the associated email, phone number (with 46 days remaining), and communication with the original owner (dropper). The seller offers the web version access only (via cookies, proxy, and login credentials), with optional additional services for the dropper.
  • Date: 2025-06-02T17:23:33Z
  • Network: openweb
  • Threat Actor: Ivan-bro
  • Victim Country: Czech Republic
  • Victim Industry: Financial Services
  • Victim Organization: revolut
  • Victim Site: revolut.com
  • Published URL: https://forum.exploit.in/topic/260172/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a67acc99-eaa1-487a-a16a-d7559f5e6b0d.png

Alleged sale of 10K+ Bank access login from USA

Alleged data breach of GoldSilver

  • Category: Data Breach
  • Content: Threat actor claims that in October 2018, GoldSilver, a bullion education and dealer services website, suffered a data breach exposing approximately 243,000 unique email addresses from customers and mailing list subscribers. The compromised data includes extensive personal information such as names, addresses, phone numbers, purchase history, passwords and security question answers (stored as MD5 hashes). Additionally, a small subset of records contains sensitive data including passport numbers, social security numbers, partial credit card details, and bank account numbers.
  • Date: 2025-06-02T17:04:40Z
  • Network: openweb
  • Threat Actor: HarleenQuinzel
  • Victim Country: USA
  • Victim Industry: Luxury Goods & Jewelry
  • Victim Organization: goldsilver
  • Victim Site: goldsilver.com
  • Published URL: https://leakbase.la/threads/goldsilver-2018.39031/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/7951ad14-1d36-4b21-bc76-f9376b426170.png

Alleged data breach of FlexBooker

  • Category: Data Breach
  • Content: Threat actor claims that in December 2021, FlexBooker, an online booking service, suffered a data breach exposing approximately 3.7 million accounts. The leaked data reportedly includes email addresses, names, phone numbers, and for some accounts, password hashes and partial credit card information.
  • Date: 2025-06-02T17:01:00Z
  • Network: openweb
  • Threat Actor: HarleenQuinzel
  • Victim Country: USA
  • Victim Industry: Information Technology (IT) Services
  • Victim Organization: flexbooker
  • Victim Site: flexbooker.com
  • Published URL: https://leakbase.la/threads/flexbooker-2021.39030/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/08ac9f09-b0d2-419e-9b80-1288dcc90872.png

Alleged data leak of Regional goods management information system (E-SIMBADA)

Alleged data breach of Qraved

  • Category: Data Breach
  • Content: Threat actor claims that Indonesian restaurant platform Qraved suffered a data breach in July 2021. The compromised data includes nearly 1 million unique email addresses, along with full names, phone numbers, dates of birth, and passwords stored as MD5 hashes.
  • Date: 2025-06-02T16:56:32Z
  • Network: openweb
  • Threat Actor: HarleenQuinzel
  • Victim Country: Indonesia
  • Victim Industry: Food & Beverages
  • Victim Organization: qraved
  • Victim Site: qraved.com
  • Published URL: https://leakbase.la/threads/qraved-2021.39029/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/8bbb9a60-20ef-48d7-8d41-e8b6a0367f0d.png

Alleged sale of access to an unidentified E-commerce store in Israel

Alleged sale of Email Credential Tool

Alleged leak of access to Haussmann Architects

Alleged data sale of Movistar

Alleged sale of Global Identity Documents

Alleged data breach of Oxygen

  • Category: Data Breach
  • Content: The threat actor claims to be selling a 134GB database from Oxygen. The compromised data reportedly includes CSV files containing records for over 90,000 individuals, categorized as accounts (47K), buyers (23K), customers (11K), and borrowers (9K). Additionally, the leak allegedly includes a large volume of documents such as KYC files, proof of address, loan applications, identification documents, and other sensitive personal data.
  • Date: 2025-06-02T16:06:17Z
  • Network: openweb
  • Threat Actor: el_farado
  • Victim Country: Nigeria
  • Victim Industry: Financial Services
  • Victim Organization: oxygen
  • Victim Site: oxygenapp.co
  • Published URL: https://forum.exploit.in/topic/260165/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/39fd23d4-a4bd-44b7-8dc5-eeac6218082f.png

Alleged data breach of Intersport

  • Category: Data Breach
  • Content: The threat actor claims to be selling a significant data leak allegedly sourced from Intersport, a major international sporting goods retailer. The post lists multiple CSV files, including e-commerce data, customer service records, and PayPal transaction logs, indicating potential exposure of customer and financial information.
  • Date: 2025-06-02T16:02:21Z
  • Network: openweb
  • Threat Actor: SaltedBiscuit
  • Victim Country: Switzerland
  • Victim Industry: Retail Industry
  • Victim Organization: intersport
  • Victim Site: intersport.com
  • Published URL: https://leakbase.la/threads/intersport.39023/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/972c5252-61bc-43ed-8f32-6cc84389dfda.png

Alleged sale of Worldwide Travel Agent Logins

Alleged data breach of Zlgoon Inc.

  • Category: Data Breach
  • Content: Threat actor claims to have leaked data from Zlgoon Inc. The compromised data reportedly contains 1.1M records, including member ID, phone number, operating system code, registration path, social media ID, nickname, email address, birthdate, calendar type, gender, password, referral code, profile photo URL, blog skin URL, greeting message, and join date.
  • Date: 2025-06-02T15:52:07Z
  • Network: openweb
  • Threat Actor: pryx
  • Victim Country: South Korea
  • Victim Industry: E-commerce & Online Stores
  • Victim Organization: zlgoon inc.
  • Victim Site: zlgoon.co.kr
  • Published URL: https://xss.is/threads/138961/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a6999228-2801-4619-89e2-c4bb2e125b13.JPG

Alleged leak of access to Government of Lamongan Regency

Alleged sale of 5M Exchange Stockholder’s data from China

Alleged sale of 370k student information from China, Guandong

  • Category: Data Leak
  • Content: Threat actor claims to be selling 370k student information from China, Guandong. The compromised data reportedly contains name, gender, ID number, date of birth, ID expiration date, marital status, ethnicity, issuing party, mobile number, email, political status, employment status, place of origin, contact address, guardian’s name, guardian’s gender, guardian’s identity card, guardian’s date of birth, guardian’s mobile number, college, school, etc.
  • Date: 2025-06-02T15:38:09Z
  • Network: openweb
  • Threat Actor: Dedale
  • Victim Country: China
  • Victim Industry:
  • Victim Organization:
  • Victim Site:
  • Published URL: https://darkforums.st/Thread-Selling-China-Guandong-370k-Student
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a4ab7bea-9131-4641-ba6e-50b2873decfe.png

Narayani Sena targets the website of Osmaniye central 17th family health center in Turkey

Alleged data breach of Sagi Ramakrishnam Raju Engineering College

Alleged data breach of Boulanger

Red Wolf Cyber Team targets NATO members of Portugal

WOLF CYBER ARMY targets the website of State Vocational High School 2 Pangandaran

Alleged sale of unauthorized admin access to an unidentified E-Commerce store in USA

Alleged data breach of Thai Airways International Public Company Limited

  • Category: Data Breach
  • Content: The group claims to have breached the database of Thai Airways International Public Company Limited, compromising the data of 30,000 users.
  • Date: 2025-06-02T13:31:23Z
  • Network: telegram
  • Threat Actor: NDT SEC
  • Victim Country: Thailand
  • Victim Industry: Airlines & Aviation
  • Victim Organization: thai airways international public company limited
  • Victim Site: thaiairways.com
  • Published URL: https://t.me/h3c4kedz0/883
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/298507b3-56cb-487c-ad73-83e30f8ed90e.png

Alleged data sale of Cyprus Airways

Alleged database sale of Jammu and Kashmir Population

Alleged access to surveillance systems of Santa Cruz de la Sierra

Alleged database leak of National Agency for Land Conservation, Cadastre, and Cartography (ANCFCC)

Alleged Data Breach of SMAN 1 Sleman

Alleged leak of 10 million Indian data

Alleged data breach of InfiPower

Alleged Data Breach of TinyChat

  • Category: Data Breach
  • Content: The threat actor claims to have breached the customer database of TinyChat, leaking sensitive information amounting to 54 million lines. The exposed data includes username, email, password, gender, age, virtual_balance, etc.
  • Date: 2025-06-02T11:27:17Z
  • Network: openweb
  • Threat Actor: UnsafeInternet
  • Victim Country: USA
  • Victim Industry: Social Media & Online Social Networking
  • Victim Organization: tinychat
  • Victim Site: tinychat.com
  • Published URL: https://xss.is/threads/138945/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/629b5e91-df84-4c6a-ab4c-448d8bda4386.jpg

Alleged data leak of Alauddin State Islamic University Makassar

Alleged sale of Admin access of beta.gouv.fr.

Alleged database sale of Hi-Tek Syndicate

Alleged leak of admin access to simbada.dpcpppsitubondo.or.id

Alleged database leak of PT TEDS

Alleged Sale of Android Trojan ExodusOS

Alleged sale of access to an unidentified Danish e-commerce website

Alleged Data breach of Weiss Crypto

Alleged data breach of Swan Bitcoin

Alleged Data Leak of Pantera Capital’s Crypto Database

Alleged data breach of Voyager Digital, LLC.

Alleged Sale of Fileless PHP-FPM Backdoor for Server Compromise

  • Category: Malware
  • Content: The threat actor claims to be selling a fileless PHP backdoor called “FPM-Ghost,” which operates entirely in memory and is designed for situations where traditional sniffers or shells cannot be installed due to limited server permissions. According to the listing, the backdoor requires only a single execution of PHP code and remains active without appearing in process lists. It can execute commands via POST requests or cookies, log sensitive activity, and inject HTML code stealthily.
  • Date: 2025-06-02T04:44:37Z
  • Network: openweb
  • Threat Actor: Lavender
  • Victim Country:
  • Victim Industry:
  • Victim Organization:
  • Victim Site:
  • Published URL: https://xss.is/threads/138938/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/130b5ad6-d520-45aa-9c46-e3dbe3328f5b.png

Alleged data breach of Silver Falls Capital

Alleged 0-Day Exploit Targeting Tunisian Government Database

Alleged source code leak of Occupy White Walls

Alleged Source Code Leak of Sansys Technologies

  • Category: Data Breach
  • Content: The threat actor claims to have leaked source code data from Sansys Technologies.
