[March-7-2026] Daily Cybersecurity Threat Report

1. Executive Summary

This report details a series of recent cyber incidents, providing key information for each event, strictly based on the provided data. The dataset contains draft data for 110 discrete cybersecurity events recorded on March 7, 2026. The threat landscape outlined in this report is highly varied, encompassing initial access claims, massive data breaches, website defacements, malware sales, and targeted cyber attacks spanning multiple geographic regions and industries.


2. Global Threat Landscape Analysis

2.1 Geographic Distribution

The incidents target a wide array of nations across the globe. Notable targeted countries include:

  • India: Targeted across education, manufacturing, health & fitness, non-profit, retail, and construction sectors.
  • USA: Targeted across e-commerce, legal, IT, military, network telecommunications, and education sectors.
  • Israel: A heavy focus of targeted attacks, alerts, and data breaches affecting water supply, retail, energy, performing arts, and government.
  • Indonesia: Affected in manufacturing, government administration, and education sectors.
  • United Kingdom (UK): Affected in leisure, travel, and construction.
  • France: Impacted in healthcare, telecommunications, and IT services.

2.2 Prominent Threat Actors

Several threat actor groups and individuals demonstrated high activity levels within the reporting period:

  • Pharaohs Team market / Pharaohs Team Channel: Highly active in claiming initial access across multiple global targets and selling web shell access.
  • Fatimion cyber team: Claimed responsibility for data breaches, alerts, and access across India, Egypt, British Virgin Islands, USA, and Israel.
  • BABAYO EROR SYSTEM: Responsible for a large volume of website defacements globally.
  • CyberOprationCulture: Focused heavily on defacing UK-based construction and production websites.
  • Rayzky_: Conducted targeted defacement campaigns against Israeli businesses.

3. Comprehensive Analysis of Data Breaches

Data breaches represent a significant portion of the threat landscape, with threat actors leaking or attempting to sell highly sensitive personal, corporate, and governmental data.

3.1 Corporate and Financial Data Leaks

  • Unidentified Corporate Data (USA and Canada): Threat Actor Benneton claims to be selling a 20TB dataset compiled from more than 20 targeted organizations. The data reportedly relates to companies in sectors such as legal services, construction, software development, military, accounting, and IT.
  • U.S. Bank Leads: Threat Actor sqBooT claims to sell targeted bank leads associated with individuals in the United States, containing personal and banking-related information.
  • OneClickMoney (Russia): Threat Actor KOPblTO claims to have accessed the client database, leaking customer personal information, addresses, employment info, passport data, and images of identity documents.
  • Spiral Tubes Pvt Ltd (India): The Fatimion cyber team breached this construction company, exporting project records from Mumbai, Hyderabad, and Bangalore, which contained customer information, tax IDs, and physical addresses, before allegedly deleting the database.
  • SYNLAB (France): Threat Actor HexDex claims to have breached 161 GB of data, containing database dumps from over 1,700 tables and 1.2 million documents (PDFs, emails, spreadsheets), primarily related to financial and industrial records.

3.2 Healthcare and Medical Data

  • Ordoclic (France): Threat Actor ImVec4 claimed to leak a partial database of this French digital healthcare platform. The JSON files allegedly include over 3,000 contacts and 1,520 patient records with names, emails, phones, genders, birth dates, and medical-related metadata.
  • TriZetto Provider Solutions (USA): A breach at this Cognizant-owned healthcare IT company exposed the personal and insurance information of approximately 3.4 million individuals. The breach involved unauthorized access to an insurance verification portal, exposing SSNs and health insurance details, though payment data was reportedly unaffected.
  • Natclar Health (South Africa): Threat Actor XP95 is allegedly selling 1.8TB of data containing 7.6 million records.
  • Health Time (Spain): Threat Actor XP95 claims to have leaked 2.2 million records including names, DNI, birth dates, emails, and addresses.

3.3 Education Sector Breaches

  • U.S. School Superintendent Database: ShadowNex claims to have leaked a list of school superintendents in the USA. Similarly, Noaharnaut leaked 9,000 records associated with EmailListUS, exposing district names, individual names, emails, and NCES IDs of U.S. school officials.
  • TNJFU – (IPGS) Vaniyanchavadi (India): BROTHERHOOD CAPUNG INDONESIA claimed to leak login credentials.
  • Stych (France): Threat Actor keta leaked roughly 1.3 million records (0.9 GB) of driving school student info, including names, addresses, and phone numbers.
  • State University of New York at New Paltz (USA): Rakyat Digital Crew leaked administrator/student usernames, passwords, hashed credentials, and database administrator credentials.
  • Universitas Kristen Immanuel Yogyakarta (Indonesia): JunedXsec leaked a student database.
  • GetMyUni (India): Shadow Warrior breached a 5 GB SQL database containing roughly 8.5 million records from 2023, including names, emails, course preferences, and lead-generation data.

3.4 Government and Infrastructure Breaches

  • Wajo Regency Government (Indonesia): BROTHERHOOD CAPUNG INDONESIA claimed to leak login credentials.
  • East Kalimantan Social Services (Indonesia): CinCauGhas breached 978,000 records of Balikpapan residents, exposing names, IDs, family card numbers, insurance numbers, education, finances, and location coordinates.
  • Israeli Ministry of Defense: Shenira6core leaked a database allegedly containing intel profiles, ops records, asset seizures, and investigative data.
  • Jerusalem Water Supply Facilities (Israel): Handala Hack claimed to have leaked data belonging to this utility.

3.5 Large-Scale PII and Miscellaneous Sales

  • Multiple Country PII Database: Threat Actor 053o is selling a database of 1,000,000 records containing PII (names, NIK/SSN fragments, physical addresses) from individuals in Indonesia, Israel, India, and the USA.
  • Chinese Americans Personal Data: Threat Actor ailin1199632 is selling 150,000 records (SSNs, names, DOBs) of Chinese Americans. A separate leak by TeaMp0isooN exposed 100,000 records of Chinese residents in the US, allegedly sourced from AT&T.
  • Chinese Evernote Yinxiang Accounts: Avglow is selling 358K email/password combinations collected over several years; some accounts reportedly remain valid despite a 2025 password reset.

4. Initial Access and Infrastructure Compromise

Threat actors actively advertised or claimed unauthorized access to various networks, often serving as precursors to ransomware or deeper data exfiltration.

4.1 Pharaohs Team Market Campaign

The “Pharaohs Team market” and “Pharaohs Team Channel” claimed initial access to a wide range of victims globally via Telegram on March 7, 2026:

  • Education: Madd Subba Rao English Medium High School (India).
  • Packaging: Arneja Packaging India (India).
  • Manufacturing: PT AMALINDO MAKMUR INDONESIA (Indonesia), Aliz Enterprises (Pakistan).
  • Non-profit: Arunya (India).
  • Hospitality: Ace Support Cooperative (Japan).
  • Construction: 777constructions (Australia).
  • E-commerce/Retail: 61Deals (USA), Mendwell Agencies (India).
  • Health & Fitness: Superhuman Gym (India).

4.2 Infrastructure and Point-of-Sale (POS) Access

  • U.S. POS Access: Threat Actor privisnanet is selling unauthorized remote access via AnyDesk to a U.S.-based Aldelo POS environment across multiple terminals in New York.
  • Khmelnytskyi City Council (Ukraine): Perun Svaroga obtained root access to a CentOS 7 hosting server, compromising the administrative services center. They accessed sensitive personal records (birth certificates) and deleted backups to delay system recovery. Compromised domains include cnap.khm.gov.ua, khm.gov.ua, and euprize.khm.gov.ua.
  • ASEZA Solar Project (Jordan): APT IRAN exploited an outdated FileManager component to gain unauthorized access to the Aqaba Special Economic Zone solar project management systems, executing code on a central server. This access reportedly allowed them to compromise Bank al Etihad’s technical infrastructure.
  • Water Infrastructure (Israel): Team Bangladesh cyber squad claimed access to an unidentified water pump system. Furthermore, NoName057(16) gained VNC access to an industrial pump control system, claiming the ability to change valve positions and disable protections.
  • Surveillance Systems (Israel and Gulf Countries): The 404 CREW CYBER TEAM and Rakyat Digital Crew claimed unauthorized access to CCTV cameras in Israel. LulzSec Black claimed access to unidentified surveillance cameras across Arab Gulf countries.

5. Website Defacements

Defacement campaigns were highly prevalent, indicating organized activist or script-kiddie activity targeting web-facing assets worldwide.

Threat Actor | Victim Organization | Country | Industry
Rakyat Digital Crew | SUNY New Paltz | USA | Education
rosa | SMA Ibnu Hajar Boarding School | Indonesia | Education
SILENT ERROR SYSTEM | Indian Staffing Federation | India | Staffing/Recruiting
DEFACER INDONESIAN TEAM | Ecuadorian Coastal Properties | Ecuador | Real Estate
Mr. BDKR28 | Linq LLC | UAE | Outsourcing
chinafans | Suncart Electric Cars Trading | UAE | Manufacturing
CyberOprationCulture | eyeswideshut.co.uk | UK | Unknown
CyberOprationCulture | EWS Productions | UK | Entertainment
CyberOprationCulture | Compare My Builder | UK | Construction
CyberOprationCulture | APS Building & Plumbing Services | UK | Construction
CyberOprationCulture | allosamatechnicien.com | Unknown | Unknown
Hax.or | emperor-rak.ae | UAE | Unknown
Hax.or | Tarbisan Agricultural Products | Turkey | Agriculture
BABAYO EROR SYSTEM | Lodex Studios | Unknown | Unknown
BABAYO EROR SYSTEM | SkillMarket | Australia | Education
BABAYO EROR SYSTEM | Mint Eyewear | Unknown | Unknown
BABAYO EROR SYSTEM | Tasbih Food | Unknown | Food & Beverages
BABAYO EROR SYSTEM | Digitallanding.top | Unknown | E-commerce
BABAYO EROR SYSTEM | orderifike | Unknown | Unknown
BABAYO EROR SYSTEM | lodexstudios.com | Unknown | Unknown
Nicotine | WeGotYou | UAE | Events Services
Nicotine | Saray Trading | UAE | Unknown
Panataran | Park n Shop | UAE | Supermarkets
BROKENPIPE | Dusoul | UAE | Retail Industry
Rayzky_ | Alisa Barlev Levenberg | Israel | Medical Practice
Rayzky_ | Goldmold Technology | Israel | Manufacturing
Rayzky_ | Think&Drink Different | Israel | Food & Beverages
Rayzky_ | Hapina Pub | Israel | Food & Beverages

6. Targeted Cyber Attacks and Threat Alerts

Multiple threat groups published alerts declaring their intent to attack specific targets, alongside claims of ongoing disruptive operations.

6.1 Geopolitically Motivated Alerts

  • Israel / Zionist Targets: NATION OF SAVIORS targeted the Association of Americans & Canadians in Israel. Fatimion cyber team targeted the Hamama chain of stores, Zionist media websites, and other Zionist sites. Moroccon Black Cyber Army also announced targeting of Zionist websites.
  • Azerbaijan: DieNet announced plans to target vital websites in Azerbaijan in response to the country’s cooperation with Israel and the US.
  • Gulf Countries: LulzSec Black indicated that Gulf countries are being targeted in upcoming cyber operations to support Iran amid ongoing conflicts.
  • Russia: The IT ARMY of Ukraine claimed to be targeting Russian satellite internet communications.
  • Bahrain: 313 Team claimed to be targeting all of Bahrain’s servers.
  • Israel and USA: INDOHAXSEC issued a broad alert targeting both nations.

6.2 Disruptive Cyber Attacks

  • Haifa Infrastructure (Israel): Cyber Islamic resistance claimed to have targeted the Haifa Power Station, transmission lines, and industrial zone facilities, attempting to disrupt power distribution control systems.
  • Technion Campus (Israel): Cyber Islamic resistance claimed to have disrupted the lighting network and control systems at the Technion campus.
  • Shefa Birkat Ha Shem (Israel): Reports indicate a cyberattack altered system settings at this supermarket chain.
  • PalkaVPN: The group HackHax carried out an attack against PalkaVpnRobot (operated by a blogger named “Slash”), disrupting payment systems and VPN connectivity, resulting in a total shutdown.

7. Malware and Malicious Tools

The dataset highlights a thriving underground market for malware and exploitation tools designed to facilitate further network compromise.

  • Manual SIP Caller ID Spoofing: Threat Actor Spoof advertised services with custom caller ID spoofing.
  • Low-Authority Websites List: Pharaohs Team market claimed to be selling a list of low-authority websites, likely intended for use in future attacks.
  • Python-based Malware: V FOR VENDETTA CYBER TEAM claimed to sell source code for malware written in Python.
  • Arsenal Kit (Cobalt Strike): Threat Actor 0xBaph0met shared a download link for an “Arsenal kit” associated with Cobalt Strike, heavily used for post-exploitation and command-and-control.
  • AV/EDR Kill Process Software: 0xBaph0met also advertised a tool designed to disable advanced antivirus and EDR systems, allowing the termination of protected processes.

8. Conclusion

Based on the draft data provided, the cyber threat landscape as of March 7, 2026, is characterized by widespread, opportunistic initial access sales (spearheaded largely by the Pharaohs Team market), severe data breaches affecting healthcare and government sectors, and highly active, geopolitically motivated defacement and disruption campaigns. Industrial Control Systems (ICS), particularly water and power infrastructure in Israel and Jordan, are actively being probed and compromised. Furthermore, the open availability of advanced EDR-killing tools and Cobalt Strike kits suggests that threat actors will continue to easily bypass standard security perimeters. Organizations must prioritize securing exposed infrastructure, implementing robust multi-factor authentication, and monitoring dark web and Telegram channels for leaked credentials.