Executive Summary
This report details significant cybersecurity incidents reported within the 24-hour period ending May 5, 2025. Analysis is based on publicly available information, dark web forum posts, and threat intelligence sources. Key activities observed include a high volume of website defacements driven by hacktivism, particularly related to geopolitical tensions involving India, Pakistan, and the Middle East. The underground economy remains highly active, with numerous actors offering stolen data, initial network access, vulnerability exploits, and malware for sale on specialized forums. Notably, the INTERLOCK ransomware group continues its operations, targeting a US manufacturer, while several Initial Access Brokers (IABs) advertised access to critical sectors like telecommunications and e-commerce. Several claimed data breaches involve highly sensitive information, including government databases and corporate intellectual property, highlighting significant potential risks.
Detailed Incident Analysis
This section provides detailed analysis of observed incidents, grouped by the attributed or claiming threat actor. Information is derived from the provided incident data and supplemented by external threat intelligence research.
Threat Actor: kazuya
- Profile:
- Activity: This actor claimed responsibility for a large-scale defacement campaign targeting at least seven organizations across India and one in the USA on May 5, 2025. Claims were posted on a dark web forum (darkforums.st).
- Motivation: Appears to be hacktivism, specifically targeting Indian entities across diverse sectors (Religious, Software, Manufacturing, Government, Media, Banking). The targeting aligns with common patterns observed in politically motivated cyber campaigns, particularly those involving India [1]. The inclusion of a US software company (IonIdea) with potential Indian ties could be related or opportunistic.
- TTPs: Website defacement, leveraging a single forum thread for multiple claims. The scale suggests potential automation or exploitation of a common vulnerability across targets. Defacement is a common tactic used by hacktivists to spread messages, claim credit, or disrupt services [3].
- Attribution Confidence: Moderate for the specific campaign based on consistent claims. The handle “kazuya” itself does not appear directly linked to known groups in the provided research, though the tactics are typical of hacktivist entities operating in the region [2]. The sheer number of diverse Indian targets defaced in a short period indicates a coordinated effort aimed at widespread disruption, a hallmark of politically motivated campaigns seeking visibility [1]. The forum thread detailing the attacks was inaccessible, limiting verification of specific claims or motivations stated by the actor [7].
- Incidents (Representative Examples):
- Title: Kazuya targets the website of Vizag Durga Puja
- Timestamp: 2025-05-05T13:56:11Z
- Victim: Vizag Durga Puja (vizagdurgapuja.in), Religious Institutions, India.
- Description: The threat actor “kazuya” claimed to have defaced the website of this Indian religious institution as part of a broader campaign targeting multiple Indian organizations.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/07056044-20a1-4d1e-a6b6-061c93bb74d2.jpg
- Title: Kazuya targets the website of IonIdea
- Timestamp: 2025-05-05T13:50:27Z
- Victim: IonIdea (ionidea.com), Software Development, USA.
- Description: “kazuya” claimed defacement of the US-based software development company IonIdea’s website.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/a4f30dc7-212b-4290-b5b5-05f1bbe380af.jpg
- Title: Kazuya targets the website of Bharat Heavy Electricals Limited
- Timestamp: 2025-05-05T13:46:00Z
- Victim: Bharat Heavy Electricals Limited (bhel.com), Manufacturing, India.
- Description: Claimed defacement of the major Indian manufacturing company’s website by “kazuya”.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/baf9bfc5-d6e4-49b8-b009-6363d03be67b.jpg
- Title: kazuya targets the website of Public Grievances Division, Punjab Police
- Timestamp: 2025-05-05T13:36:12Z
- Victim: Public Grievances Division, Punjab Police (pgd.punjabpolice.gov.in), Government & Public Sector, India.
- Description: Claimed defacement of a Punjab Police website by “kazuya”.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/a6d98a20-b6bb-4db9-b625-6a75c42cbd76.png
- Title: Kazuya targets the website of DNews Network
- Timestamp: 2025-05-05T13:33:03Z
- Victim: DNews Network (dnewsnetwork.in), Newspapers & Journalism, India.
- Description: Claimed defacement of an Indian news network website by “kazuya”.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/156326b1-54a0-4cf5-940d-f29b10fad51a.jpg
- Title: kazuya targets the website of Punjab Police Saanjh
- Timestamp: 2025-05-05T13:31:48Z
- Victim: Punjab Police Saanjh (ppsaanjh.in), Government & Public Sector, India.
- Description: Claimed defacement of another Punjab Police related website by “kazuya”.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/01f51fa0-5700-4ade-8089-d2ae0711b005.png
- Title: kazuya targets the website of Apex Bank
- Timestamp: 2025-05-05T13:24:49Z
- Victim: Apex Bank (user.apexbank.in), Banking & Mortgage, India.
- Description: Claimed defacement of an Indian bank’s user portal by “kazuya”.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184 (Note: Forum thread content unverified due to inaccessibility [7].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/88469e9b-ec17-417c-8c13-5d60761f3193.png
Threat Actor: CyberJund
- Profile:
- Activity: Claimed defacement of an Iranian design company website (copperwood.ir) on May 5, 2025.
- Affiliation/History: Previously identified as operating under the name “Anonymous Morocco” and primarily associated with Distributed Denial of Service (DDoS) attacks, often targeting French interests or participating in broader MENA-region campaigns [8].
- Motivation: Likely hacktivism. Targeting an Iranian entity suggests potential anti-Iran sentiment or alignment with broader geopolitical campaigns involving Middle Eastern actors [9].
- TTPs: Website defacement (current incident), DDoS (historical) [8]. Claims disseminated via Telegram. The shift from primarily DDoS to defacement could indicate tactical flexibility, targeting specific vulnerabilities, or evolving objectives from disruption to messaging.
- Attribution Confidence: Moderate, based on the link to “Anonymous Morocco” [8].
- Incident:
- Title: CyberJund targets the website of Copper Wood
- Timestamp: 2025-05-05T13:40:23Z
- Victim: Copper Wood (copperwood.ir), Design, Iran.
- Description: The group CyberJund, previously known as Anonymous Morocco and linked to DDoS activities [8], claimed responsibility for defacing the website of Copper Wood, an Iranian design firm. The claim was made via their Telegram channel.
- Evidence/Source:
- Published URL: https://t.me/cyberjund/329
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/c28c753d-23e4-4a2d-b776-c26f3c574bd7.PNG
Threat Actor: RASHTRIYA CYBER FORCE
- Profile:
- Activity: Claimed leak of admin panel access credentials for a Pakistani women’s college (ccwj.edu.pk) on May 5, 2025, via X.com (formerly Twitter).
- Motivation: The name strongly suggests pro-India nationalist hacktivism. Targeting a Pakistani educational institution fits squarely within the well-documented pattern of cyber conflict between Indian and Pakistani hacktivist groups, often escalating around geopolitical events or anniversaries [1].
- TTPs: Initial Access credential leak, public disclosure via social media. Leaking credentials aims to cause disruption, embarrassment, and potentially enable further compromise by others.
- Attribution Confidence: Moderate likelihood of being a pro-India hacktivist entity based on name and target selection, but low confidence in linking it to specific known groups. No research explicitly mentions “RASHTRIYA CYBER FORCE”. It could represent a new entrant or an alias for established groups like the Indian Cyber Force (ICF) [2]. The proliferation of groups with patriotic names is characteristic of this conflict space, making precise attribution challenging but highlighting the high level of decentralized activity [1].
- Incident:
- Title: Alleged leak of admin panel access to City Postgraduate College for Women Jhelum
- Timestamp: 2025-05-05T13:03:07Z
- Victim: City Postgraduate College for Women Jhelum (ccwj.edu.pk), Education, Pakistan.
- Description: The threat actor “RASHTRIYA CYBER FORCE”, assessed as a likely pro-India hacktivist group operating within the context of ongoing India-Pakistan cyber conflict [2], claims to have obtained and leaked administrative panel access credentials for the college’s website. The claim was publicly posted on X.com.
- Evidence/Source:
- Published URL: https://x.com/indian_rcf/status/1918508436884533565?s=46
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/75f9dc8f-9dd8-48e6-88d1-2e1a8b2229a2.jpg
Threat Actor: INDIAN CYBER MAFIA
- Profile:
- Activity: Claimed defacement of a Pakistani educational authority website (steda.gos.pk) on May 5, 2025, via X.com.
- Motivation: Ambiguous based on name, but actions suggest hacktivism. While “Mafia” often implies financial motivation [17], the defacement of a Pakistani government-related entity strongly points towards pro-India hacktivism, consistent with the regional cyber conflict [2].
- TTPs: Website defacement, public claim via social media.
- Attribution Confidence: Low. The name conflicts with typical hacktivist naming conventions and, more significantly, contradicts research mentioning a “TEAM CYBER MAFIA” involved in attacks against India [1]. This discrepancy suggests either multiple distinct groups using similar names, a group changing allegiance or targets, a potential false flag operation, or inaccurate reporting in one of the sources. Given the specific target (Pakistan Education Authority), hacktivism appears the most plausible driver for this particular incident, despite the naming confusion. No direct link to known hacker groups was found [18].
- Incident:
- Title: INDIAN CYBER MAFIA targets the website of Sindh Teachers Education Development Authority
- Timestamp: 2025-05-05T12:44:45Z
- Victim: Sindh Teachers Education Development Authority (steda.gos.pk), Education, Pakistan.
- Description: A group identifying as “INDIAN CYBER MAFIA” claimed responsibility for defacing the website of this Pakistani educational authority. Despite the potentially misleading name, the action aligns with common pro-India hacktivist tactics observed in the India-Pakistan cyber conflict [2]. The claim was posted on X.com. Caution is advised due to potential confusion with a similarly named group reportedly targeting India [1].
- Evidence/Source:
- Published URL: https://x.com/indiacybermafia/status/1919352395001221254?s=46
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/b5b9f5a3-aa76-41c6-bab5-254777376725.png
Threat Actor: FirewallFalcon
- Profile:
- Activity: Claimed leak or sale of access to an Open SSTP (Secure Socket Tunneling Protocol) client via Telegram on May 5, 2025. The associated domain (zfirewallfalcon.quantumz.co.uk) might belong to the victim or the actor.
- Motivation: Likely financial, operating as an Initial Access Broker (IAB). Selling access to VPN infrastructure is a common and lucrative activity for IABs [19].
- TTPs: Initial access acquisition (method unknown), access packaging and sale/leak via Telegram.
- Attribution Confidence: Low. No specific information linking this actor to known groups or campaigns was found in the provided research [20]. The name might imply a focus on network security devices, but this remains speculative. Research on Fortinet exploits [22] is not directly linked to this actor. Selling access to VPN infrastructure like SSTP clients is particularly significant, as it can provide deep, persistent network access that bypasses perimeter defenses, making it highly valuable to subsequent attackers such as ransomware groups or state-sponsored actors [19].
- Incident:
- Title: Alleged access leak of an Open SSTP client
- Timestamp: 2025-05-05T12:21:35Z
- Victim: Unspecified organization, potentially associated with the domain zfirewallfalcon.quantumz.co.uk. Country and industry are unknown.
- Description: Threat actor “FirewallFalcon” claims via Telegram to be leaking or selling access to an Open SSTP client, a form of VPN. Compromise of such infrastructure can grant attackers significant capabilities for network intrusion and persistence.
- Evidence/Source:
- Published URL: https://t.me/FirewallFalcons/96?single
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/8435082f-d922-4d65-8489-b6f5e2c6d927.png, https://d34iuop8pidsy8.cloudfront.net/81a5ab2c-b224-49a6-9b33-42ffa7f50e82.png
Threat Actor: Nick Diesel
- Profile:
- Activity: Claimed leak or sale of a CSV file containing data on 15,000 European individuals, including photo IDs and IBANs, on the XSS cybercrime forum on May 5, 2025.
- Motivation: Financial gain through data brokerage.
- TTPs: Data acquisition (method unknown), data packaging, sale/leak via a known cybercrime forum (XSS is noted for hosting such activities [25]).
- Attribution Confidence: Low. No specific intelligence available on this actor handle. The activity profile is typical of data brokers operating on underground forums. The alleged inclusion of highly sensitive Personally Identifiable Information (PII) such as photo IDs and International Bank Account Numbers (IBANs) elevates the severity of this potential leak. Such comprehensive data enables severe forms of identity theft and financial fraud, making it highly valuable in the underground economy [27]. Verification of the claim is hampered by the inaccessibility of the forum post [28].
- Incident:
- Title: Alleged leak of 15,000 European Citizens data
- Timestamp: 2025-05-05T11:45:14Z
- Victim: 15,000 European individuals. The source organization or specific country/countries are not identified.
- Description: Actor “Nick Diesel” posted on the XSS cybercrime forum [25] claiming to possess and potentially sell a CSV file containing data on 15,000 European citizens. The data is alleged to include highly sensitive information like photo IDs and IBANs, posing a significant risk of identity theft and financial fraud to the affected individuals.
- Evidence/Source:
- Published URL: https://xss.is/threads/137123/ (Note: Forum thread content unverified due to inaccessibility [28].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/1000bff3-7b14-4502-9a56-f73d34db538b.png
Threat Actor: Cypher404x
- Profile:
- Activity: Offering for sale an alleged MOVISTAR vulnerability exploit, accompanied by a Python script for extracting customer information and account balances, on darkforums.st on May 5, 2025.
- History: This actor, “Cypher404x”, was previously linked to a claimed data breach affecting Movistar Venezuela in April 2025, where customer data was allegedly exfiltrated and offered [29].
- Motivation: Financial gain through the sale of exploits and associated tools.
- TTPs: Vulnerability discovery or acquisition, exploit development, custom tool creation (Python script), marketing and sales via cybercrime forums. The progression from a data leak claim [29] to selling an exploit for the same target suggests either persistent access allowing deeper vulnerability discovery, or an attempt to further monetize initial findings by packaging the exploit method itself. This represents a common pattern where actors maximize returns from a compromise. Verification of exploit details and pricing is hindered by the inaccessible forum post [30].
- Attribution Confidence: Moderate, due to the confirmed link to previous activity targeting the same entity (Movistar) reported in threat intelligence feeds [29].
- Incident:
- Title: Alleged sale of MOVISTAR vulnerability
- Timestamp: 2025-05-05T11:06:22Z
- Victim: Implied target is MOVISTAR (Telecommunications). The specific country or division is not explicitly stated in this particular claim.
- Description: Threat actor “Cypher404x”, previously associated with a data leak claim against Movistar Venezuela [29], is advertising the sale of a vulnerability exploit targeting MOVISTAR on the darkforums.st platform. The offering purportedly includes a Python script capable of extracting customer information and account balances, indicating a potentially severe vulnerability that could lead to significant data exposure and financial fraud if exploited.
- Evidence/Source:
- Published URL: https://darkforums.st/Thread-Selling-SELLING-MOVISTAR-VULNERABILITY (Note: Forum thread content unverified due to inaccessibility [30].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/9ebb3c49-1c87-455a-ab52-0912c4846ea1.png
Threat Actor: urbsnv
- Profile:
- Activity: Selling a batch of 150 stolen credit card records, described as “fullz”, originating from the USA, Chile, and Turkey. The sale was advertised on the Exploit.in forum on May 5, 2025.
- Motivation: Financial gain through carding (selling stolen credit card data).
- TTPs: Acquisition of credit card data (potentially via skimming, Point-of-Sale malware, infostealers, or breaches of e-commerce sites/payment processors), data packaging (including comprehensive details), sale via established cybercrime forums like Exploit.in [26]. The term “fullz” indicates the data includes not just the card number, expiry, and CVV, but also extensive cardholder PII (name, address, phone, email, IP address). Obtaining such complete datasets often points to compromises beyond simple card skimming, such as database breaches or widespread infostealer infections capturing browser autofill data, making the data more valuable for fraud [27]. Verification of specific data fields and price is not possible due to the inaccessible forum post [32].
- Attribution Confidence: Low. This profile is typical of numerous carders operating on underground forums, with no specific distinguishing information available in the provided research.
- Incident:
- Title: Alleged sale of credit card data from Chile, Turkey and USA
- Timestamp: 2025-05-05T10:56:01Z
- Victim: Credit card holders from the USA, Chile, and Turkey. The source of the compromised data is unknown.
- Description: Actor “urbsnv” advertised a batch of 150 stolen credit card records for sale on the Exploit.in forum. The data is claimed to be “fullz,” containing comprehensive cardholder details beyond the basic card information, originating from the USA, Chile, and Turkey. Such data is highly sought after for conducting financial fraud.
- Evidence/Source:
- Published URL: https://forum.exploit.in/topic/258527/ (Note: Forum thread content unverified due to inaccessibility [32].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/3d58727f-9213-4f10-b073-c1a0d0cfcfe7.PNG
Threat Actor: Hunt
- Profile:
- Activity: Offering for sale data allegedly sourced from the Spanish Citizens Database, specifically linked to the DGT (Dirección General de Tráfico – Directorate-General for Traffic). The claim was made on darkforums.st on May 5, 2025.
- Motivation: Financial gain through the sale of highly sensitive government-held citizen data.
- TTPs: Data acquisition (likely requiring significant intrusion capabilities against government systems or potentially leveraging an insider threat), data packaging, advertisement and sale via a dark web forum. A breach of a national citizen or driver database like the DGT represents an extremely serious security incident. The claimed data fields (National ID Number, Full Name, Date of Birth, Address, Marital Status, etc.) constitute a comprehensive PII dataset. If authentic, this data could be exploited for mass identity theft, sophisticated social engineering campaigns, espionage, or potentially influencing populations, posing a national security risk for Spain [4]. Verification is not possible due to the inaccessible forum link [33].
- Attribution Confidence: Low. No specific intelligence on this actor handle was found. The context of threat hunting [34] is general and not linked to this actor.
- Incident:
- Title: Alleged data leak of Spain’s Citizens
- Timestamp: 2025-05-05T10:26:15Z
- Victim: Spanish Citizens, with data allegedly originating from the DGT.
- Description: Threat actor “Hunt” posted on the darkforums.st platform claiming to be selling data purportedly obtained from Spain’s Directorate-General for Traffic (DGT). The extensive list of allegedly included sensitive personal details (National ID, full name, DOB, address, marital status, etc.) signifies a potentially major government data breach with severe privacy and security implications for Spanish citizens if the claim is accurate.
- Evidence/Source:
- Published URL: http://darkforums.st/Thread-Selling-SPAIN-CITIZEN-DATABASE-DGT (Note: Forum thread content unverified due to inaccessibility [33].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/6d8ba5c5-127f-40c8-9947-1bebc6f0cbaa.png
Threat Actor: Arabian Ghosts
- Profile:
- Activity: Claimed responsibility for three website defacements on May 5, 2025, targeting diverse entities: ExecutorX (a US Gaming website), Massage Fitness Health Studio and Shop (a Hungarian Health & Fitness site), and Brahmel International Impex (an Indian Import/Export company). Claims were disseminated via Telegram.
- Motivation: Likely hacktivism, although the diverse and seemingly apolitical nature of some targets (gaming, fitness, import/export) across different countries (USA, Hungary, India) makes a single, coherent political motive difficult to ascertain. It could reflect opportunistic attacks on whatever sites were exploitable, general anti-Western or anti-India sentiment, or simply an attempt to gain notoriety.
- TTPs: Website defacement, communication and claims via Telegram.
- Attribution Confidence: Low. The name suggests a Middle Eastern connection. While other hacktivist groups use “Ghost” in their names (e.g., AnonGhost/GHOST JACKAL [35], GhostSec [36], Ghost Algéria [37]), there is no confirmed link to this specific group. Previous reporting associated “Arabian_Ghosts” with targeting an Israeli entity [29], which would align with pro-Palestinian motives common in the region [35], but the current target set is much broader and less focused. The recurring use of “Ghost” among hacktivist groups can lead to confusion and potential misattribution.
- Incidents (3):
- Title: Arabian Ghosts targets the website of ExecutorX
- Timestamp: 2025-05-05T10:18:37Z
- Victim: ExecutorX (executorx.com), Gaming, USA.
- Description: The hacktivist group “Arabian Ghosts” claimed via Telegram to have defaced the website of ExecutorX, a US-based gaming entity. This was one of several disparate targets claimed by the group on this date.
- Evidence/Source:
- Published URL: https://t.me/ARABIAN_GHOSTS/769
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/bc0920b7-7859-4526-808b-0bcff2280c1d.png, https://d34iuop8pidsy8.cloudfront.net/d4c30440-1ca3-45a6-b48a-9b96050abef2.png
- Title: Arabian Ghosts targets the website of Massage Fitness Health Studio and Shop
- Timestamp: 2025-05-05T07:13:13Z
- Victim: Massage Fitness Health Studio and Shop (masszazsfitness.hu), Health & Fitness, Hungary.
- Description: “Arabian Ghosts” claimed via Telegram to have defaced the website of a Hungarian health and fitness studio.
- Evidence/Source:
- Published URL: https://t.me/ARABIAN_GHOSTS/768
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/8aed9559-fccf-4c5c-9a89-b7f37bd9fbba.png, https://d34iuop8pidsy8.cloudfront.net/e3f3b2ea-9bcb-4b51-b784-cae4ca7d6018.png
- Title: Arabian Ghosts targets the website of Brahmel International Impex
- Timestamp: 2025-05-05T01:36:44Z
- Victim: Brahmel International Impex (brahmelimpex.com), Import & Export, India.
- Description: “Arabian Ghosts” claimed via Telegram to have taken down (likely defaced) the website of an Indian import/export company.
- Evidence/Source:
- Published URL: https://t.me/ARABIAN_GHOSTS/767
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/b8f387a0-1367-40cc-b802-1581ff9d60ee.png, https://d34iuop8pidsy8.cloudfront.net/e2aea199-dadb-4308-ba2d-de32b7fc03cd.png
Threat Actor: GARUDA ERROR SYSTEM
- Profile:
- Activity: Posted an alert on a Telegram channel on May 5, 2025, stating intent to target India and Israel.
- Motivation: Assumed hacktivism. Targeting India and Israel are common objectives for hacktivist groups motivated by geopolitical or religious ideologies, often operating from regions like Pakistan or Indonesia [1].
- TTPs: Public declaration of intent via Telegram. This is often a precursor to coordinated attacks like DDoS or website defacements [3]. The “ERROR SYSTEM” part of the name might suggest an intent to cause system disruptions.
- Attribution Confidence: Low. The name “GARUDA” presents conflicts. Legitimate cybersecurity services and platforms use the name Garuda [39]. Additionally, research identifies “Team Garuna” as a pro-India hacktivist group [1]. The targeting of India by “GARUDA ERROR SYSTEM” directly contradicts a pro-India stance, making it highly likely this is an unrelated entity adopting the name, possibly for recognition, misdirection, or based on regional symbolism. The stated targets (India, Israel) strongly suggest standard anti-India/anti-Israel hacktivism.
- Incident:
- Title: GARUDA ERROR SYSTEM claims to target India and Israel
- Timestamp: 2025-05-05T06:31:19Z
- Victim: Stated intended targets are entities within India and Israel.
- Description: A group identifying as “GARUDA ERROR SYSTEM” posted an alert on Telegram declaring India and Israel as future targets. This likely signals impending hacktivist attacks (e.g., DDoS, defacement) against organizations within these countries, a common feature of geopolitical cyber conflicts [2]. Note the potential for confusion with other entities using the “Garuda” name [1].
- Evidence/Source:
- Published URL: https://t.me/c/2389724308/613 (Note: Link may require specific Telegram channel access).
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/db5b84ca-6f39-4e91-8a14-cc0da141c32f.jpg
Threat Actor: GEOLORD
- Profile:
- Activity: Selling administrative (admin) and shell access to an unidentified Greek e-commerce website running on the OpenCart Content Management System (CMS). The sale was advertised on the Exploit.in forum on May 5, 2025. The claim includes specific capabilities like payment redirection via Eurocommerce.gr and JavaScript (JS) injection.
- Motivation: Financial gain, operating as an Initial Access Broker (IAB).
- TTPs: Network intrusion (method unspecified), privilege escalation (gaining admin/shell), access packaging (detailing CMS and specific capabilities), advertisement and sale via a cybercrime forum. The specific capabilities offered, payment redirection and JS injection, significantly increase the value and potential impact of this access. Payment redirection allows direct theft of funds, while JS injection can be used for credential theft, credit card skimming, or delivering malware to site visitors, posing severe risks to the business and its customers [42]. Verification of details is limited by the inaccessible forum post [43].
- Attribution Confidence: Low. No specific intelligence linking this actor to known groups. The profile is consistent with typical IAB operations [19].
- Incident:
- Title: Alleged sale of admin and shell access to an unidentified Greek e-commerce website
- Timestamp: 2025-05-05T06:13:54Z
- Victim: An unidentified Greek e-commerce site utilizing the OpenCart CMS.
- Description: Actor “GEOLORD” is advertising the sale of administrative and shell-level access to a Greek e-commerce website on the Exploit.in forum. The access allegedly includes potent capabilities facilitating financial fraud, such as redirecting payments (reportedly via Eurocommerce.gr integration) and injecting malicious JavaScript code into the site. This represents a significant risk to the targeted business and its clientele.
- Evidence/Source:
- Published URL: https://forum.exploit.in/topic/258516/ (Note: Forum thread content unverified due to inaccessibility [43].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/f49f5913-9e09-4d02-82a9-228a2c0ac384.png
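As an added, defender-side example that is not part of this report and not code from any actor or site it names: a baseline-versus-current inventory of a checkout page that flags new external script sources, new inline scripts and changed form targets, which are exactly the changes that JS injection or payment redirection leave behind (a bulk defacement of the kind claimed by "kazuya" above fails the same comparison). The sample HTML, host names, paths and trusted-host list are constructed assumptions.

```python
"""Page-integrity check: compare a checkout page against its recorded baseline
and report script sources, inline scripts and form actions that were not there
before. Stdlib only, so it runs offline on the constructed sample below."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageInventory(HTMLParser):
    """Collect external script URLs, SHA-256 of inline scripts, and form actions."""

    def __init__(self):
        super().__init__()
        self.script_srcs = set()
        self.inline_hashes = set()
        self.form_actions = set()
        self._in_inline_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.add(a["src"])
            else:                       # inline script: hash its body on close
                self._in_inline_script = True
                self._buf = []
        elif tag == "form" and a.get("action"):
            self.form_actions.add(a["action"])

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_inline_script = False


def inventory(html: str) -> PageInventory:
    p = PageInventory()
    p.feed(html)
    p.close()
    return p


def host_of(url: str, page_host: str) -> str:
    """Host of an absolute URL; relative URLs resolve to the page's own host."""
    return urlparse(url).netloc.lower() or page_host


def diff_against_baseline(baseline_html, current_html, page_host, trusted_hosts):
    """Return (severity, kind, detail) findings for anything not in the baseline.
    A new resource pointing at a host outside the trusted set is rated high."""
    base, cur = inventory(baseline_html), inventory(current_html)
    findings = []
    for src in sorted(cur.script_srcs - base.script_srcs):
        sev = "high" if host_of(src, page_host) not in trusted_hosts else "medium"
        findings.append((sev, "new-script-src", src))
    for digest in sorted(cur.inline_hashes - base.inline_hashes):
        findings.append(("high", "new-inline-script", digest[:16]))
    for action in sorted(cur.form_actions - base.form_actions):
        sev = "high" if host_of(action, page_host) not in trusted_hosts else "medium"
        findings.append((sev, "form-action-changed", action))
    return findings


# Constructed sample pages (assumptions, not captured from any real site).
_COMMON_INLINE = "<script>window.cart = {items: 0};</script>"
BASELINE_HTML = f"""<html><body>
<script src="/catalog/view/javascript/common.js"></script>
<script src="https://cdn.example.gr/app.js"></script>
{_COMMON_INLINE}
<form action="/index.php?route=checkout/confirm" method="post"></form>
</body></html>"""
# Tampered copy: one extra external script, one extra inline script, and the
# checkout form now posts to a host the shop does not own.
TAMPERED_HTML = f"""<html><body>
<script src="/catalog/view/javascript/common.js"></script>
<script src="https://cdn.example.gr/app.js"></script>
<script src="https://static-assets.invalid/loader.js"></script>
{_COMMON_INLINE}
<script>window.__t = 1;</script>
<form action="https://payments-collector.invalid/submit" method="post"></form>
</body></html>"""

PAGE_HOST = "shop.example.gr"              # assumption: the monitored shop
TRUSTED = {PAGE_HOST, "cdn.example.gr"}    # assumption: the shop's own CDN

if __name__ == "__main__":
    for sev, kind, detail in diff_against_baseline(
            BASELINE_HTML, TAMPERED_HTML, PAGE_HOST, TRUSTED):
        print(f"[{sev}] {kind}: {detail}")
```

In practice the baseline is captured from a known-good deployment and the comparison is run on a schedule from outside the hosting account, so that an actor holding admin or shell access cannot quietly update the baseline along with the page.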
Threat Actor: 303security
- Profile:
- Activity: Selling initial access, obtained via shell or exploit, to Telia Norway (Telia Norge), a major Norwegian telecommunications provider with reported revenue of $8.3 billion USD. The sale was advertised on the Exploit.in forum on May 5, 2025.
- History: This actor handle, ‘303security’, was previously observed in April 2025 selling access to a major Taiwanese telecommunications company, also on the Exploit.in forum [31].
- Motivation: Financial gain, operating as an Initial Access Broker apparently specializing in high-value telecommunications targets.
- TTPs: Network intrusion (exploiting vulnerabilities or gaining shell access), access packaging, advertisement and sale via cybercrime forums. The consistent targeting of large telecommunications providers across different geographic regions (Taiwan [31], Norway) suggests a degree of sophistication and potentially specialized knowledge or tooling for compromising telecom infrastructure. Such access is highly valuable for espionage, large-scale disruption, or facilitating further attacks [19]. Verification of the access method and price is hindered by the inaccessible forum post [44].
- Attribution Confidence: High, based on the corroborating report [31] confirming prior, similar activity by the same actor handle (‘303security’) on the same forum (Exploit.in) targeting a similar high-value sector (telecommunications).
- Incident:
- Title: Alleged sale of access to Telia Norge
- Timestamp: 2025-05-05T06:10:31Z
- Victim: Telia Norge (telia.no), Network & Telecommunications, Norway. (Claimed victim revenue: $8.3 billion USD).
- Description: Threat actor “303security”, previously identified selling access to a major Taiwanese telecom provider [31], is now advertising initial access (reportedly obtained via shell or exploit) to Telia Norway on the Exploit.in forum. The targeting of major telecommunications providers appears to be a specialization for this actor, posing a significant threat due to the critical nature of the sector and the sensitivity of data handled by such organizations.
- Evidence/Source:
- Published URL: https://forum.exploit.in/topic/258515/ (Note: Forum thread content unverified due to inaccessibility [44].)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/0aeb1437-c09c-41e5-99a5-a2c98b2c8411.png
Threat Actor: Sentap
- Profile:
- Activity: Selling a substantial 195 GB data package allegedly exfiltrated from Navee Teknoloji ve Bilişim A.Ş., described as a prominent maritime technology firm based in Istanbul, Turkey. The sale was advertised on the Exploit.in forum on May 5, 2025.
- Motivation: Likely financial gain through data brokerage, but the nature of the claimed data could also point towards industrial espionage.
- TTPs: Network intrusion, large-scale data exfiltration, data packaging (with a detailed description of contents), advertisement and sale via a cybercrime forum. The highly detailed description of the allegedly stolen data (technical, operational, financial documents, personnel records, satellite communication configurations, ship blueprints, compliance documents for SOLAS/MARPOL/ISO 9001, contracts with international partners like Inmarsat and SIRM UK) suggests an extremely deep and targeted compromise. If authentic, this breach represents a severe loss of intellectual property and operational secrets, potentially impacting Navee Technology’s competitive standing and operational security, with possible broader implications for maritime security involving Turkish interests.4 Verification of the data’s authenticity and scope is limited by the inaccessible forum post.45
- Attribution Confidence: Low. No specific intelligence on this actor handle was found. The profile fits that of a data broker dealing in high-value corporate data.
- Incident:
- Title: Alleged data sale of Navee Technology
- Timestamp: 2025-05-05T05:58:54Z
- Victim: Navee Technology (naveetechnology.com), Network & Telecommunications (specializing in Maritime Technology), Turkey.
- Description: Actor “Sentap” is advertising a massive 195 GB data package for sale on the Exploit.in forum, allegedly stolen from the Turkish maritime technology firm Navee Technology. The claimed contents encompass highly sensitive technical, operational, financial, personnel, and contractual data, including proprietary information like ship blueprints and satellite communication configurations. This suggests a severe data breach with potentially significant strategic and competitive implications.
- Evidence/Source:
- Published URL: https://forum.exploit.in/topic/258517/ (Note: Forum thread content unverified due to inaccessibility 45).
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/d400f618-fb3b-478d-9ff9-e3dbc0c6f260.png
Threat Actor: Keymous+
- Profile:
- Activity: Claimed compromise and leak of United Arab Emirates (UAE) government ID databases, potentially providing access to e-services. The claim was made via X.com on May 5, 2025.
- History/Affiliation: Identified in threat reporting as an active hacktivist group during the first quarter of 2025, known for targeting government and critical infrastructure sectors.38 The “+” suffix might indicate an evolution of the group or an alliance.
- Motivation: Hacktivism, likely politically motivated against the UAE government or its policies.
- TTPs: Network intrusion into government systems, data exfiltration (sensitive ID databases), public disclosure and claims via social media (X.com). This incident aligns with observed trends of hacktivist groups targeting government infrastructure and using public platforms for maximum impact and visibility.38
- Attribution Confidence: Moderate. The activity aligns well with the reported profile and typical TTPs of the Keymous+ hacktivist group.38
- Incident:
- Title: Alleged leak of UAE government ID databases
- Timestamp: 2025-05-05T05:58:44Z
- Victim: UAE Government Administration, specifically targeting citizen ID databases.
- Description: The hacktivist group “Keymous+”, previously reported as active in targeting government sectors 38, claimed on X.com to have compromised UAE government ID databases. The alleged leak purportedly includes citizen ID numbers and could potentially grant access to associated e-services, representing a significant security and privacy incident for the UAE if confirmed.
- Evidence/Source:
- Published URL: https://x.com/KeymousTeam/status/1919029171356938509
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/d874f501-3fe1-48c4-bd2b-c45f0e2702e3.png
Threat Actor: davidwilson6514
- Profile:
- Activity: Selling a sophisticated Remote Access Trojan (RAT) on the Exploit.in forum on May 5, 2025.
- Motivation: Financial gain through malware development and sales.
- TTPs: Malware development (RAT), implementation of advanced features focused on stealth and persistence (unattended access, hidden operation via blank screen, anti-detection measures like disabling Windows Defender, CTRL+ALT+DEL, and uninstall options), marketing and sales via a cybercrime forum. The advertised features go beyond basic RAT capabilities and are indicative of malware designed for persistent, covert operations such as espionage or facilitating more complex attacks like ransomware deployment. Such tools are valuable assets in the cybercrime ecosystem.47 Verification of the RAT’s capabilities and price is not possible due to the inaccessible forum post.48
- Attribution Confidence: Low. This is a typical profile for a malware developer/seller on underground forums, with no specific distinguishing intelligence available.
- Incident:
- Title: Alleged sale of a sophisticated RAT
- Timestamp: 2025-05-05T05:38:02Z
- Victim: Potential buyers/users of the RAT malware.
- Description: Actor “davidwilson6514” is advertising a sophisticated Remote Access Trojan (RAT) for sale on the Exploit.in forum. The malware is marketed with features designed to ensure stealth, persistence, and evasion of common security controls (including disabling Windows Defender and user intervention methods like CTRL+ALT+DEL). These capabilities make it a dangerous tool for covert surveillance, data theft, or as a foothold for deploying further malware like ransomware.
- Evidence/Source:
- Published URL: https://forum.exploit.in/topic/258512/ (Note: Forum thread content unverified due to inaccessibility 48).
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/ede3ff91-6f9b-4585-b6f3-12e09ec077f0.png
Threat Actor: Dark Engine
- Profile:
- Activity: Responsible for two reported incidents on May 5, 2025, both targeting entities in the UAE and announced via the same Telegram channel:
- Claimed leak of administrative credentials for IOF General Trading LLC (Oil & Gas sector).
- Claimed website defacement of DG TOP SCALES F.Z.E (Business Supplies & Equipment sector), providing a mirror link.
- Motivation: Unclear. The consistent targeting of UAE entities suggests a regional focus or specific anti-UAE campaign. The mix of TTPs (credential leak vs. defacement) and targeted sectors could indicate opportunistic attacks based on discovered vulnerabilities rather than a single strategic objective.
- TTPs: Initial access credential leak, website defacement, communication and claims via Telegram. The use of varied TTPs against different sectors within the same geographic region (UAE) suggests adaptability or exploitation of diverse opportunities. Leaking credentials from an Oil & Gas firm generally carries higher potential impact than defacing a business supplies website.
- Attribution Confidence: Low. No specific intelligence links this group to known actors. Any name similarity to other groups like “Dark Storm” 49 is likely coincidental without further evidence.
- Incidents (2):
- Title: Alleged leak of admin access to IOF General Trading LLC
- Timestamp: 2025-05-05T02:03:37Z
- Victim: IOF General Trading LLC (iof.ae), Oil & Gas, UAE.
- Description: The group “Dark Engine” claimed via their Telegram channel to have compromised and subsequently leaked administrative access credentials for IOF General Trading LLC, an Oil & Gas company based in the UAE.
- Evidence/Source:
- Published URL: https://t.me/Dark_Engine_1/3057?single
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/96848e32-db74-4f7c-95fb-e85b619dcb1b.png
- Title: Dark Engine targets the website of DG TOP SCALES F.Z.E
- Timestamp: 2025-05-05T01:01:39Z
- Victim: DG TOP SCALES F.Z.E (dgtopscales.com), Business Supplies & Equipment, UAE.
- Description: The group “Dark Engine” claimed via Telegram to have defaced the website of DG TOP SCALES F.Z.E, a business supplies company operating in the UAE. A mirror link archiving the defacement was provided in their communication.
- Evidence/Source:
- Published URL: https://t.me/Dark_Engine_1/3060
- Mirror Link (provided in content): https://www.haxor.id/archive/mirror/219424
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/fefa3bfb-12c3-49ce-9439-82b0a61bd60a.png
Threat Actor: INTERLOCK
- Profile:
- Activity: Claimed a ransomware attack against Bentley Pontoons, a US-based pontoon boat manufacturer, on May 5, 2025. The claim involves the theft of 348 GB of data (215,868 files across 28,577 folders) and was posted on the group’s Tor-based Data Leak Site (DLS) named “Worldwide Secrets Blog”.
- History/Affiliation: INTERLOCK emerged in September 2024 and operates as an independent ransomware group, not following a Ransomware-as-a-Service (RaaS) model.51 They are known for Big Game Hunting (BGH), targeting larger, potentially more lucrative organizations, and employing double extortion tactics (encrypting data and threatening to leak stolen data).51 Their targets historically span various sectors across North America and Europe, with previous campaigns notably impacting the healthcare sector.52
- Motivation: Primarily financial gain through ransom payments extorted from victims under threat of data encryption and public leak.52
- TTPs: INTERLOCK employs a multi-stage attack chain. Initial access is often gained through social engineering, such as tricking users into downloading fake software updates (e.g., for browsers or security tools) from compromised websites, sometimes using techniques like ClickFix to bypass security warnings.51 Post-compromise, they utilize custom PowerShell backdoors, infostealers (including LummaStealer and BerserkStealer since early 2025), and a custom RAT.51 Lateral movement is often achieved using legitimate remote administration tools like RDP, Putty, and AnyDesk, leveraging stolen credentials.52 Data exfiltration frequently uses cloud storage services.52 They deploy custom ransomware payloads for both Windows and Linux systems and operate their own Tor DLS for victim shaming and negotiation.51 The group demonstrates tactical evolution, incorporating new tools and techniques like ClickFix and different infostealers over time.51
- Attribution Confidence: High. The reported incident against Bentley Pontoons aligns perfectly with INTERLOCK’s established profile, including their operational timeline, independent status, BGH approach, double extortion TTPs, use of a Tor DLS, and targeting of North American organizations.51 The claimed data includes proprietary information (designs, contracts, blueprints), consistent with targeting valuable assets in a manufacturing BGH scenario.
- Incident:
- Title: Bentley Pontoons falls victim to INTERLOCK Ransomware
- Timestamp: 2025-05-05T01:23:37Z
- Victim: Bentley Pontoons (bentleypontoons.com), Shipbuilding, USA.
- Description: The INTERLOCK ransomware group has listed US boat manufacturer Bentley Pontoons on its Tor-based data leak site (“Worldwide Secrets Blog”). This action signifies a ransomware attack employing double extortion tactics, consistent with INTERLOCK’s known modus operandi.51 The group claims to have exfiltrated 348 GB of sensitive data, comprising 215,868 files, allegedly including proprietary designs, supplier contracts (specifically mentioning Mercury Motors partnerships), and manufacturing blueprints. This attack underscores the ongoing threat INTERLOCK poses to organizations, particularly in North America and Europe, leveraging evolving TTPs.51
- Evidence/Source:
- Published URL: http://ebhmkoohccl45qesdbvrjqtyro2hmhkmh6vkyfyjjzfllm3ix72aqaid.onion/leaks.php (Tor Link)
- Screenshot(s): https://d34iuop8pidsy8.cloudfront.net/28441ea1-d254-4d60-b97d-6cd92349b8a5.png
Observations & Potential Implications
Based on the incidents reported over the past 24 hours, several key trends and implications emerge:
- Hacktivism Remains Prevalent: A significant portion of the reported activity (nearly half of the distinct incidents) involved website defacements or explicit declarations of intent attributed to hacktivist groups. This activity appears strongly correlated with geopolitical tensions, particularly the ongoing India-Pakistan cyber conflict (evidenced by targets of kazuya, RASHTRIYA CYBER FORCE, INDIAN CYBER MAFIA) and broader Middle Eastern dynamics (CyberJund, Arabian Ghosts, GARUDA ERROR SYSTEM alert, Keymous+).1 These campaigns often utilize public platforms like Telegram and X.com for claims, aiming for disruption and visibility.
- Underground Marketplaces Fuel Cybercrime: Dedicated forums like Exploit.in, darkforums.st, and XSS serve as critical hubs for the cybercrime economy, facilitating the buying and selling of various illicit goods and services.25 The incidents highlight the diversity of offerings: stolen PII and financial data (Nick Diesel, urbsnv), compromised government databases (Hunt, Keymous+), corporate secrets (Sentap), initial network access (FirewallFalcon, GEOLORD, 303security, Dark Engine), vulnerability exploits (Cypher404x), and sophisticated malware (davidwilson6514). This ecosystem enables specialization among threat actors and lowers the barrier to entry for complex attacks. However, verifying claims made on these forums remains challenging, as demonstrated by the inaccessibility of several source links.7
- Initial Access Brokers (IABs) Pose Significant Risk: Multiple incidents involved the sale of initial access to organizational networks, often targeting high-value sectors like telecommunications (303security), e-commerce (GEOLORD), Oil & Gas (Dark Engine), and VPN infrastructure (FirewallFalcon). IABs act as crucial enablers for subsequent, more damaging attacks, such as ransomware deployment or espionage.19 The apparent specialization of actors like 303security in targeting telecommunications infrastructure underscores the sophisticated and targeted nature of some IAB operations.31
- Ransomware Groups Continue to Evolve: The INTERLOCK ransomware incident involving Bentley Pontoons exemplifies the persistent threat from sophisticated ransomware operations. INTERLOCK utilizes established double extortion tactics and demonstrates continuous evolution by incorporating new initial access methods (like ClickFix) and tooling (infostealers like LummaStealer) to bypass defenses and maximize impact.51 This highlights the need for adaptive security strategies that address the entire attack chain.
- High-Impact Data Breaches Threaten More Than Finances: Several claimed breaches involve data with implications far beyond immediate financial loss. The alleged leaks of the Spanish DGT database (Hunt), UAE government IDs (Keymous+), Navee Technology’s maritime secrets (Sentap), and Bentley Pontoons’ proprietary designs (INTERLOCK) could facilitate mass identity theft, espionage, severe operational disruption, and potentially impact national security or competitive landscapes.4 The nature and scale of the data claimed in these incidents underscore the escalating severity of data breaches.
Recommendations
Organizations should consider the following actions to mitigate the threats highlighted in this report:
- Enhance Vigilance Around Geopolitical Tensions: Organizations operating in or connected to regions with heightened geopolitical conflict (e.g., India, Pakistan, Middle East, UAE) should anticipate increased hacktivist activity (DDoS, defacement, data leaks). Implement robust DDoS mitigation, web application firewalls (WAFs), and monitor public channels for targeted threats.1
- Counter Initial Access Brokers: Strengthen defenses against common IAB tactics by enforcing multi-factor authentication (MFA) universally, ensuring timely patching of internet-facing systems (VPNs, firewalls, web servers) 22, conducting regular security awareness training focused on phishing and social engineering, and monitoring for anomalous login activity and credential exposure on dark web forums.19
- Bolster Ransomware Defenses:
- Address common initial vectors: Train users to recognize fake software updates and social engineering lures like ClickFix.51 Secure remote access protocols like RDP and VPNs.52
- Improve detection and response: Deploy endpoint detection and response (EDR) solutions capable of identifying credential theft tools (e.g., infostealers used by INTERLOCK 53) and anomalous use of legitimate administration tools for lateral movement.
- Ensure resilience: Maintain regularly tested, offline, and immutable backups, alongside a comprehensive incident response plan.4
- Implement Robust Data Security: Protect sensitive PII, financial data, and intellectual property through encryption (at rest and in transit), access controls based on the principle of least privilege, and data loss prevention (DLP) technologies. Monitor network traffic for signs of large-scale data exfiltration, particularly for organizations in targeted sectors (Finance, Government, Manufacturing, Telecom, Maritime Tech).4
- Prioritize Vulnerability Management: Maintain a rigorous patch management program, especially for vulnerabilities known to be exploited or sold (e.g., potentially MOVISTAR 29). Conduct regular vulnerability scanning and penetration testing to identify and remediate weaknesses proactively.
- Secure E-commerce Operations: For businesses using platforms like OpenCart (targeted by GEOLORD), ensure secure configuration, apply updates promptly, use security plugins, and monitor for signs of unauthorized code injection or payment process tampering.
- Utilize Threat Intelligence: Leverage threat intelligence feeds and services to monitor cybercrime forums for mentions of organizational assets or credentials being sold, track evolving TTPs of relevant threat actors (like INTERLOCK or IABs), and inform defensive priorities.26 Exercise caution regarding unverified claims.
- Reinforce Security Fundamentals: Continuously reinforce foundational security practices: strong, unique passwords managed securely; MFA implementation across all possible services; ongoing user education; network segmentation to limit lateral movement; and strict adherence to the principle of least privilege.4
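Two of the monitoring recommendations above (detecting anomalous use of legitimate remote administration tools such as RDP, PuTTY and AnyDesk for lateral movement, and detecting large-scale egress to cloud storage, both of which match the INTERLOCK TTPs described earlier) worked through as an added Python example. This is illustrative code written for this page, not code from the report or from any vendor it cites; the telemetry is constructed, and the hostnames, approved-host list, install-path prefixes, egress baselines and cloud-storage domain are assumptions a real deployment would replace with its own asset inventory and measured baselines.

```python
"""Two detection rules from the recommendations, run over constructed JSON telemetry.

Added example for this page; not the report's or any vendor's code. All baselines,
hostnames and destinations below are assumptions for illustration only.
"""
import json
from collections import defaultdict

# Constructed sample telemetry (not real data). Two event kinds:
#   "process": a process-creation record from an endpoint sensor
#   "netflow": an aggregated outbound flow record (bytes sent) per host and destination
SAMPLE_EVENTS = r"""
{"kind":"process","host":"WS-014","user":"jdoe","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"kind":"process","host":"ADMIN-01","user":"it.helpdesk","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe"}
{"kind":"process","host":"FS-02","user":"svc_backup","image":"C:\\Users\\Public\\putty.exe"}
{"kind":"process","host":"WS-014","user":"jdoe","image":"C:\\Windows\\System32\\notepad.exe"}
{"kind":"netflow","host":"FS-02","dst":"storage.example-cloud.test","bytes_out":9800000000}
{"kind":"netflow","host":"WS-014","dst":"updates.example-vendor.test","bytes_out":52000000}
{"kind":"netflow","host":"FS-02","dst":"mail.example-corp.test","bytes_out":120000000}
"""

# Hypothetical baseline: remote administration tools are expected only on the
# jump hosts below, launched from their managed install locations.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "putty.exe", "mstsc.exe"}
APPROVED_ADMIN_HOSTS = {"ADMIN-01", "ADMIN-02"}
EXPECTED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical per-host daily egress baselines (bytes) and a constructed
# cloud-storage domain; in practice both come from measured history / inventory.
EGRESS_BASELINE_BYTES = {"WS-014": 500_000_000, "FS-02": 2_000_000_000}
CLOUD_STORAGE_SUFFIXES = ("example-cloud.test",)


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_admin_misuse(events):
    """Flag remote-admin tool launches that break the baseline: an unapproved host,
    or a binary run from outside its install location (a dropped copy rather than
    the managed install). Each alert lists every reason that fired."""
    alerts = []
    for e in events:
        if e.get("kind") != "process" or basename(e["image"]) not in REMOTE_ADMIN_TOOLS:
            continue
        reasons = []
        if e["host"] not in APPROVED_ADMIN_HOSTS:
            reasons.append("unapproved host")
        if not e["image"].lower().startswith(EXPECTED_INSTALL_PREFIXES):
            reasons.append("non-standard path")
        if reasons:
            alerts.append({"rule": "remote_admin_tool", "host": e["host"],
                           "user": e["user"], "image": e["image"], "reasons": reasons})
    return alerts


def detect_bulk_egress(events, multiplier=3):
    """Sum outbound bytes per (host, destination) and flag any pair exceeding
    `multiplier` times the host's baseline; note whether the destination looks like
    cloud storage, the exfiltration channel the report associates with INTERLOCK.
    Hosts without a baseline are skipped rather than guessed."""
    totals = defaultdict(int)
    for e in events:
        if e.get("kind") == "netflow":
            totals[(e["host"], e["dst"])] += e["bytes_out"]
    alerts = []
    for (host, dst), sent in sorted(totals.items()):
        baseline = EGRESS_BASELINE_BYTES.get(host)
        if baseline is None or sent <= multiplier * baseline:
            continue
        alerts.append({"rule": "bulk_egress", "host": host, "dst": dst,
                       "bytes_out": sent, "baseline": baseline,
                       "cloud_storage": dst.endswith(CLOUD_STORAGE_SUFFIXES)})
    return alerts


def run(text=SAMPLE_EVENTS):
    """Run both rules over the telemetry and return the combined alert list."""
    events = parse_events(text)
    return detect_remote_admin_misuse(events) + detect_bulk_egress(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the first rule fires twice (AnyDesk on a workstation outside the approved jump hosts, and a PuTTY copy run from a user-writable folder on a file server) while the same server's transfer to the cloud-storage domain trips the egress rule; the approved helpdesk host and the ordinary update traffic stay quiet. The multiplier and baselines are the tuning knobs that trade alert volume against sensitivity.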
Works cited
- Cybercriminals are Targeting Elections in India with Influence Campaigns – Resecurity, accessed May 5, 2025, https://www.resecurity.com/blog/article/cybercriminals-are-targeting-elections-in-india-with-influence-campaigns
- Indian Cyber Force – Wikipedia, accessed May 5, 2025, https://en.wikipedia.org/wiki/Indian_Cyber_Force
- Threat Actor Profile: Peoples Cyber Army of Russia – Cyble, accessed May 5, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
- Election Security Spotlight – Cyber Threat Actors, accessed May 5, 2025, https://www.cisecurity.org/insights/spotlight/cybersecurity-spotlight-cyber-threat-actors
- Hacktivist Entity USDoD Claims to Have Leaked CrowdStrike’s Threat Actor List, accessed May 5, 2025, https://www.crowdstrike.com/en-us/blog/hacktivist-usdod-claims-to-have-leaked-threat-actor-list/
- Hacktivism: India vs. Pakistan – Recorded Future, accessed May 5, 2025, https://www.recordedfuture.com/blog/india-pakistan-cyber-rivalry
- accessed January 1, 1970, https://darkforums.st/Thread-Multiple-Indian-Critical-Websites-Defaced?pid=46184#pid46184
- Hacktivists Increasingly Target France for Its Diplomatic Efforts – Cyble, accessed May 5, 2025, https://cyble.com/blog/hacktivists-france-for-its-diplomatic-efforts/
- OpIsrael 2025: Hacktivist Coordination Intensifies Ahead of April 7 – Radware, accessed May 5, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/opisrael-2025-hacktivist-coordination-intensifies-ahead-of-april-7/
- Pahalgam attack: Code of war – India and Pakistan take their battle to the (web)front, accessed May 5, 2025, https://m.economictimes.com/news/india/code-of-war-india-and-pakistan-take-their-battle-to-the-webfront/articleshow/120842154.cms
- Cyber attack alert: Pakistan cyber force claims breach of Indian Defence Institutions websites – The Economic Times, accessed May 5, 2025, https://m.economictimes.com/news/defence/cyber-attack-alert-pakistan-cyber-force-claims-breach-of-indian-defence-institutions-websites/articleshow/120898543.cms
- Experts actively monitor cyberspace after claims made on X of gaining access to military website – The Indian Express, accessed May 5, 2025, https://indianexpress.com/article/india/military-website-cyberspace-x-pakistan-9984159/
- Pak hackers allegedly gain access to Indian military data, personal information compromised – India News | The Financial Express, accessed May 5, 2025, https://www.financialexpress.com/india-news/pak-hackers-allegedly-gain-access-to-indian-military-data-personal-information-compromised/3833429/
- Researchers warn internet users, Pakistani hackers targeting your PCs, laptops and mobile: What to know – The Times of India, accessed May 5, 2025, https://timesofindia.indiatimes.com/technology/tech-news/researchers-warn-internet-users-pakistani-hackers-targeting-your-pcs-laptops-and-mobile-what-to-know/articleshow/120787649.cms
- Pakistan- based hackers target Armed Forces’ websites, India foils repeated attempts, accessed May 5, 2025, https://www.newindianexpress.com/nation/2025/Apr/29/pakistan-based-hackers-target-armed-forces-websites-india-foils-repeated-attempts
- Decoding Pak-based cyberattacks that targeted government sites ahead of G20, accessed May 5, 2025, https://www.indiatoday.in/india/story/behind-cyberattacks-pakistan-based-groups-indian-government-websites-before-g20-2433530-2023-09-09
- Job scams to digital slavery, how India battles China’s cyber mafia – India Today, accessed May 5, 2025, https://www.indiatoday.in/india-today-insight/story/job-scams-to-digital-slavery-how-india-battles-chinas-cyber-mafia-2692621-2025-03-12
- List of hacker groups – Wikipedia, accessed May 5, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups
- Know Your Enemy: Types of cybersecurity threat actors – Prey, accessed May 5, 2025, https://preyproject.com/blog/cybersecurity-threat-actors
- What is a Cyber Threat Actor? | CrowdStrike, accessed May 5, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
- 1 | Page – India Water Foundation, accessed May 5, 2025, https://www.indiawaterfoundation.org/wp-content/uploads/2024/04/CHRONICLE-X.pdf
- FBI TLP White Flash Report: APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity – May 27, 2021 | AHA, accessed May 5, 2025, https://www.aha.org/fbi-tlp-alert/2021-05-27-fbi-flash-tlp-white-apt-actors-exploiting-fortinet-vulnerabilities-gain
- Detected in the Wild: How we Identified a Real Threat Actor Exploiting an Unpatched Fortinet Product – CounterCraft, accessed May 5, 2025, https://www.countercraftsec.com/blog/how-we-identified-a-threat-actor-exploiting-unpatched-fortinet-product/
- Security Vendors Are Constantly Being Attacked | Lawfare, accessed May 5, 2025, https://www.lawfaremedia.org/article/security-vendors-are-constantly-being-attacked
- Threat Actor Spotlight: Pryx – Morado, accessed May 5, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
- Dynamics on Hacking Forums: How do Threat Actors Trust Each Other? – Searchlight Cyber, accessed May 5, 2025, https://slcyber.io/blog/dynamics-on-hacking-forums-how-do-threat-actors-trust-each-other/
- Radware Study: Analysis of Over 26000 Web Forum Threads Reveals Cyber Threats to Financial Services, accessed May 5, 2025, https://www.radware.com/blog/radware-study-cyber-threats-financial-services/
- accessed January 1, 1970, https://xss.is/threads/137123/
- Breaking Cyber News From Cyberint, accessed May 5, 2025, https://cyberint.com/news-feed/
- accessed January 1, 1970, https://darkforums.st/Thread-Selling-SELLING-MOVISTAR-VULNERABILITY
- Weekly Darkweb in April W2 – S2W, accessed May 5, 2025, https://www.s2w.inc/en/resource/detail/803
- accessed January 1, 1970, https://forum.exploit.in/topic/258527/
- accessed January 1, 1970, http://darkforums.st/Thread-Selling-SPAIN-CITIZEN-DATABASE-DGT
- A Guide to Cyber Threat Hunting – BitSight Technologies, accessed May 5, 2025, https://www.bitsight.com/learn/cti/guide-to-cyber-threat-hunting
- Ghost Jackal – crowdstrike.com, accessed May 5, 2025, https://www.crowdstrike.com/adversaries/ghost-jackal/
- Road to redemption: GhostSec’s hacktivists went to the dark side. Now they want to come back., accessed May 5, 2025, https://therecord.media/ghostsec-hacktivism-cybercrime-interview-click-here-podcast
- FunkSec – Alleged Top Ransomware Group Powered by AI – Check Point Research, accessed May 5, 2025, https://research.checkpoint.com/2025/funksec-alleged-top-ransomware-group-powered-by-ai/
- Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 5, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
- GARUDA Services – GDXTech, accessed May 5, 2025, https://gdxtech.net/service-list/garuda-mobile-forensic-van
- Unlocking Service Reliability: Exploring SLO as a Service (SLOaaS) with Garuda Platform, accessed May 5, 2025, https://live.paloaltonetworks.com/t5/community-blogs/unlocking-service-reliability-exploring-slo-as-a-service-sloaas/ba-p/577816
- Garuda – Fourth Command, accessed May 5, 2025, https://thefourthcommand.com/garuda/
- What are the Types of Cyber Threat Actors? – Sophos, accessed May 5, 2025, https://www.sophos.com/en-us/cybersecurity-explained/threat-actors
- accessed January 1, 1970, https://forum.exploit.in/topic/258516/
- accessed January 1, 1970, https://forum.exploit.in/topic/258515/
- accessed January 1, 1970, https://forum.exploit.in/topic/258517/
- Hacktivists Target Critical Infrastructure, Move Into Ransomware – Cyble, accessed May 5, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
- What is Cyber Threat Intelligence? [Beginner’s Guide] | CrowdStrike, accessed May 5, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/
- accessed January 1, 1970, https://forum.exploit.in/topic/258512/
- How hacker groups like Dark Storm leverage botnets – Fastly, accessed May 5, 2025, https://www.fastly.com/blog/how-hacker-groups-like-dark-storm-leverage-botnets
- Massive DDoS on X: Dark Storm or Cyber Fog? | Bitsight, accessed May 5, 2025, https://www.bitsight.com/blog/massive-ddos-cyber-fog
- Interlock ransomware evolving under the radar – Sekoia.io Blog, accessed May 5, 2025, https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
- How Interlock Ransomware Infects Healthcare Organizations – The Hacker News, accessed May 5, 2025, https://thehackernews.com/2025/01/how-interlock-ransomware-infects.html
- Interlock ransomware evolves tactics with ClickFix, infostealers – SC Media, accessed May 5, 2025, https://www.scworld.com/news/interlock-ransomware-evolves-tactics-with-clickfix-infostealers