[May-14-2025] Daily Cybersecurity Threat Report

1. Executive Summary

Analysis of cybersecurity incidents reported within the last 24 hours reveals a landscape dominated by alleged data breaches, indicating a persistent focus by malicious actors on the exfiltration and potential sale of sensitive information. A total of twenty-seven incidents were recorded across various categories: fifteen data breaches, three defacements, nine initial access compromises, one malware sale, three data leaks, and three alerts. Notably, several alleged breaches involved substantial volumes of data or targeted high-profile entities such as the National Bureau of Statistics of China and Microsoft, raising concerns about the scale and impact of these potential compromises. Furthermore, the repeated appearance of certain threat actors, such as Machine1337, suggests a degree of specialization and persistent activity within the cybercriminal ecosystem. The apparent market for initial access to compromised networks and systems also highlights a concerning trend where initial footholds are commoditized and sold for further exploitation. The targeting of governmental bodies in China and Poland, along with critical network infrastructure, carries potential national security ramifications. Additionally, the consistent targeting of India by multiple threat actors for defacement and initial access attempts points towards focused campaigns against this region.

2. Daily Incident Breakdown

2.1 Data Breach Incidents
2.1.1 Alleged data leak of Global Scout Co., Ltd.
  • Incident Overview: A claim surfaced on Telegram regarding the alleged leakage of data from Global Scout Co., Ltd., a human resources company based in South Korea.
  • Threat Actor Analysis: The threat actor identified in this incident is “Team 1722.” At present, publicly available information directly linking to a specific, established threat group known as “Team 1722” is limited. The moniker is relatively generic, which could indicate a new or less established group, or potentially an existing group operating under a new alias to evade tracking. The focus on a human resources company suggests the potential compromise of sensitive employee information, including personal details, employment records, and potentially financial data. Such information is highly valuable for various malicious purposes, including identity theft and social engineering attacks.
  • Potential Impact: The exposure of employee data could lead to identity theft and financial fraud for the affected individuals. Global Scout Co., Ltd. faces significant reputational damage, potential legal liabilities, and regulatory scrutiny if the breach is confirmed.
  • Source Links:
  • Published URL: https://t.me/x1722x/2549
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/2e503926-3d24-400d-903d-3f251d55a8a3.png
2.1.2 Alleged database leak of myfuturejob.in
  • Incident Overview: A threat actor claimed on a dark web forum to have leaked the database of myfuturejob.in, an Indian human resources website. This platform was reportedly previously breached by an actor known as “Zeta_Frls” in April 2024.
  • Threat Actor Analysis: The current alleged breach is attributed to “ZEROLEGIONCREWINDONESIAN.” The name itself suggests an Indonesian origin. Research indicates that groups with similar naming conventions have been involved in past defacement and data leak incidents, often with a nationalistic or hacktivist undertone. The fact that myfuturejob.in was previously compromised indicates potential persistent vulnerabilities within their security infrastructure or inadequate remediation efforts following the initial breach. This pattern of re-exploitation of previously targeted systems is a common tactic among cybercriminals, as known weaknesses can offer an easier path to re-entry.
  • Potential Impact: Users of myfuturejob.in could have their personal information, including resumes, contact details, and employment history, exposed. This could lead to identity theft, spam, and targeted phishing attacks. The repeated breach will likely severely damage the reputation and user trust in myfuturejob.in.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Database-User-myfuturejob-in-Leaked-By-ZLC-ID
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/26e27dc1-cd87-4577-9559-8758b28b61e3.png
2.1.3 Alleged data leak of National Job Portal, Pakistan
  • Incident Overview: An individual threat actor claimed on a dark web forum to have leaked the database of the National Job Portal of Pakistan.
  • Threat Actor Analysis: The actor identified is “gemgardner3456.” This appears to be an individual actor, as the username does not immediately associate with any known established threat groups. Individual actors, while sometimes less sophisticated than organized groups, can still pose significant risks, especially when targeting sensitive government infrastructure. The motivation behind such an attack could range from financial gain through the sale of the data to politically motivated hacktivism. The compromise of a government job portal could expose a wide range of personal information belonging to Pakistani citizens seeking employment.
  • Potential Impact: The potential exposure of sensitive personal information of Pakistani citizens registered on the job portal could lead to identity theft, social engineering attacks, and potential misuse of government data. This incident also raises concerns about the security of government-operated online platforms.
  • Source Links:
  • Published URL: https://demonforums.net/Thread-National-Job-Portal-Pakistan-Database-Leak
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/b3687704-802b-44b8-a918-91d8d4ce8719.png
2.1.4 Alleged data breach of MGM Resorts International
  • Incident Overview: A claim appeared on a dark web forum stating that the full database of MGM Resorts International, a major hospitality and tourism company in the USA, was being offered for sale.
  • Threat Actor Analysis: The threat actor behind this alleged breach is “elpatron85.” Research into this actor’s online presence suggests they are active on various dark web forums known for trading compromised data. The targeting of a large organization like MGM Resorts International indicates the potential for a massive data breach affecting a significant number of customers. The fact that the database is being offered for sale strongly suggests a financial motivation behind the attack. Large hospitality companies often store vast amounts of customer data, including personal details, contact information, and potentially payment card information, making them lucrative targets for cybercriminals.
  • Potential Impact: A confirmed data breach of MGM Resorts International could lead to the exposure of sensitive personal and financial information of millions of customers. This could result in identity theft, financial fraud, and significant reputational damage for the company, along with potential legal and regulatory consequences.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Selling-MGM-RESORTS-DATA
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/4d466008-a0b3-4a37-90c9-c2faa938fd5f.png
2.1.5 Alleged data breach of Salemerode Investments Ltd.
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Salemerode Investments Ltd., an Indian financial services company. The allegedly compromised data includes confidential files, customer data, and financial data.
  • Threat Actor Analysis: The threat actor identified is “Dedale.” While specific information about this actor’s past activities requires further investigation, the targeting of a financial services company in India aligns with a broader trend of cybercriminals focusing on organizations that handle sensitive financial information. The claim of possessing confidential files suggests the potential theft of intellectual property or internal business documents, which could be used for extortion or sold to competitors. The inclusion of customer data and financial data further underscores the high value of this alleged breach to malicious actors.
  • Potential Impact: The exposure of sensitive financial data and customer information could lead to financial fraud and identity theft for the affected individuals. Salemerode Investments Ltd. would likely face severe reputational damage, loss of customer trust, and potential regulatory penalties if the breach is confirmed.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Document-Salemerode-com-Database-leaks
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/4710443a-72f8-4ef6-962b-1a79c0c936f9.png
2.1.6 Alleged data breach of Ministry of the Interior and Administration (Poland)
  • Incident Overview: A group claimed on Telegram to have leaked the PESEL (personal identification number) and Civil Registry systems of Poland’s Ministry of the Interior and Administration.
  • Threat Actor Analysis: The group claiming responsibility is “CyberVolk. Group.” The name “CyberVolk” suggests a potential connection to hacktivism or politically motivated cyber activities, possibly with a nationalistic undertone. The targeting of a government ministry responsible for critical citizen data such as PESEL numbers and civil registry information represents a significant national security concern. A successful breach of these systems could have far-reaching consequences for the Polish population. The level of access required to compromise such sensitive databases suggests a highly skilled and potentially well-resourced threat actor.
  • Potential Impact: The massive exposure of PESEL numbers and civil registry data of Polish citizens could lead to widespread identity theft, fraud, and other malicious activities. This incident has significant national security implications and could severely erode public trust in the government’s ability to protect sensitive data.
  • Source Links:
  • Published URL: https://t.me/CyberVolk_VolkX/41
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/e3d36b87-1085-4dbe-b19f-fca7ffb68038.png
2.1.7 Alleged data breach of Snapchat
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Snapchat and obtained 5 million records.
  • Threat Actor Analysis: The actor behind this claim is “Machine1337.” This actor appears to be highly active, as evidenced by their involvement in multiple other alleged breaches reported within the same timeframe. The targeting of a popular social media platform like Snapchat indicates the potential for the compromise of a large volume of user data, including personal information, usernames, and potentially private communications. Social media platforms are frequently targeted due to the sheer number of users and the wealth of personal information they store.
  • Potential Impact: If confirmed, this breach could expose the personal data of millions of Snapchat users, potentially leading to privacy violations, targeted phishing attacks, and reputational damage for Snapchat.
  • Source Links:
  • Published URL: https://xss.is/threads/137669/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/f190d4e1-03ad-4361-8557-b33d365ab966.png
2.1.8 Alleged data breach of Umba
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Umba, a fintech platform, and obtained 5 million records.
  • Threat Actor Analysis: This alleged breach is also attributed to “Machine1337,” further highlighting this actor’s active role in the current threat landscape. The focus on a fintech platform like Umba underscores the continued targeting of financial services by cybercriminals. Fintech companies often handle sensitive financial data, making them attractive targets for financially motivated threat actors. The claim includes the provision of 3,000 sample entries as evidence, suggesting a genuine attempt to sell the compromised data.
  • Potential Impact: A confirmed data breach at Umba could expose sensitive financial data and personal information of its users, potentially leading to financial fraud, identity theft, and significant reputational damage for the company.
  • Source Links:
  • Published URL: https://xss.is/threads/137670/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/42ba52f6-f4a4-4bbe-8e1f-40e7218b35c3.png
2.1.9 Alleged sale of census data from National Bureau of Statistics (China)
  • Incident Overview: A threat actor claimed on a dark web forum to be selling data allegedly obtained from the February 2025 census of the National Bureau of Statistics of China. The purported leak includes 92 million individual records containing highly sensitive personal information.
  • Threat Actor Analysis: The actor claiming to possess this highly sensitive data is “heiwukoong.” The alleged breach of national census data is a significant event with potentially severe implications. The data reportedly includes full names, ID card numbers, addresses, mobile numbers (with carrier and location), gender, and birthdates, representing an extremely valuable dataset for malicious actors. The compromise of such comprehensive demographic information could be leveraged for a wide range of illicit activities, including identity theft, large-scale surveillance, and targeted social engineering attacks.
  • Potential Impact: The exposure of such a vast amount of highly sensitive personal data of Chinese citizens could have devastating consequences, leading to widespread identity theft, financial fraud, and potential national security risks. The credibility of the National Bureau of Statistics would also be severely impacted.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Selling-China-s-February-2025-census-database-leaked-a-total-of-92-million-records
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/c1795df4-85f3-4220-9e68-94ae28614ba9.png
2.1.10 Alleged data breach of Microsoft
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Microsoft.com and is offering a database containing 4 million records related to Office 365 and Microsoft 365 accounts for sale.
  • Threat Actor Analysis: This claim is also attributed to “Machine1337,” further emphasizing their focus on high-profile targets and large-scale data acquisition. The targeting of Microsoft, a major global software vendor, could potentially impact a vast number of users and organizations worldwide. The alleged database contains information related to widely used productivity services, suggesting the compromise of user credentials or account details.
  • Potential Impact: The exposure of 4 million records related to Microsoft accounts could lead to unauthorized access to user accounts, data breaches within those accounts, and potential for further attacks targeting individuals and organizations using Microsoft services. This incident would also cause significant reputational damage to Microsoft.
  • Source Links:
  • Published URL: https://xss.is/threads/137668/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/124c05f0-4118-4f81-90d0-6c9d1547d213.png
2.1.11 Alleged data breach of Autoridad Educativa Federal en la Ciudad de México
  • Incident Overview: A threat actor claimed on a dark web forum to have gained access to the Autoridad Educativa Federal en la Ciudad de México (Federal Educational Authority in Mexico City). The compromised data allegedly includes sensitive personal details.
  • Threat Actor Analysis: The threat actor identified in this incident is “Ranssi.” The targeting of an educational authority suggests the potential compromise of student and staff data. Such information can include names, addresses, contact details, academic records, and potentially more sensitive information. Cyberattacks against educational institutions are becoming increasingly common, as these organizations often hold large amounts of personal data and may have less robust security measures compared to other sectors.
  • Potential Impact: The exposure of sensitive personal information of students and staff could lead to identity theft, privacy violations, and potential harm to the individuals affected. The Autoridad Educativa Federal en la Ciudad de México would also face reputational damage and potential regulatory consequences.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-aefcm-gob-mx-LEAK-DATABASE
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/95f8c105-cb28-455b-a20d-94b806d3d1ef.png
2.1.12 Alleged data breach of Emirates Islamic
  • Incident Overview: A threat actor claimed on a dark web forum to be selling data allegedly breached from Emirates Islamic Bank. The breach reportedly includes 920,000 records.
  • Threat Actor Analysis: This alleged breach is also attributed to “Machine1337,” further solidifying their apparent focus on targeting financial institutions. Emirates Islamic Bank is a major financial institution in the UAE, making this a potentially significant breach. The claim includes the provision of 200 sample entries as evidence, adding credibility to the assertion. The compromise of a large number of records from a bank could involve highly sensitive financial and personal data.
  • Potential Impact: The exposure of nearly a million records from Emirates Islamic Bank could lead to severe consequences for the affected customers, including financial fraud, identity theft, and privacy violations. The bank would also face significant reputational damage and regulatory scrutiny.
  • Source Links:
  • Published URL: https://xss.is/threads/137667/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/af0fdf62-ee73-498a-ba9c-28a28679b4eb.png
2.1.13 Alleged data breach of Kaefer
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Kaefer, a German company in the building and construction sector. The allegedly compromised data consists of an employee database.
  • Threat Actor Analysis: The threat actor identified is “Everest.” This name is associated with a known ransomware group that has been active in recent years. Ransomware groups often engage in data exfiltration prior to encrypting systems, using the stolen data as additional leverage to pressure victims into paying the ransom. The targeting of an employee database suggests the potential exposure of personal information of Kaefer employees.
  • Potential Impact: The exposure of Kaefer’s employee database could lead to identity theft and other malicious activities targeting the employees. If the attack involved ransomware, Kaefer could also face significant operational disruptions and financial losses.
  • Source Links:
  • Published URL: https://xss.is/threads/137664/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/bad7d019-449f-496b-b3e6-af481d053c75.png
2.1.14 Alleged data breach of Khidmah
  • Incident Overview: A threat actor claimed on a dark web forum to have breached Khidmah, a facilities services company based in the UAE. The allegedly compromised data consists of an employee database.
  • Threat Actor Analysis: This alleged breach is also attributed to “Everest,” further indicating the group’s activity during this period. Similar to the alleged attack on Kaefer, the focus on an employee database suggests a potential pattern in Everest’s recent targeting, possibly as part of a wider ransomware campaign. The simultaneous claims against companies in different countries but with the same type of compromised data (employee databases) could indicate a coordinated effort by the group.
  • Potential Impact: The exposure of Khidmah’s employee database could lead to identity theft and other malicious activities targeting the employees. If ransomware was involved, Khidmah could also experience significant operational disruptions.
  • Source Links:
  • Published URL: https://xss.is/threads/137663/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/608d34ff-880e-4e90-9350-ae9b7d9b956f.png
2.1.15 Alleged data breach of MEXC
  • Incident Overview: A threat actor claimed on a dark web forum to be selling data allegedly breached from MEXC, a cryptocurrency exchange platform. The breach reportedly involves 12 million records.
  • Threat Actor Analysis: This alleged breach is also attributed to “Machine1337,” marking their fifth claimed incident within this reporting period and highlighting a significant focus on financial platforms, including cryptocurrency exchanges. The large number of records claimed to be compromised underscores the potential scale of this breach. Cryptocurrency exchanges are highly attractive targets for cybercriminals due to the potential for direct financial gain through the theft of cryptocurrency or the sale of user data.
  • Potential Impact: A confirmed data breach of MEXC involving 12 million records could have severe consequences for its users, including the exposure of personal information, trading history, and potentially account credentials, leading to potential financial losses and account takeovers. The reputation of MEXC would also be significantly damaged.
  • Source Links:
  • Published URL: https://xss.is/threads/137665/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/027c6fba-6b0a-4aa2-a811-2ab74c0c78b3.png
2.2 Defacement Incidents
2.2.1 DCG (Dark Cyber Gang) targets the website of Sunil Linus De
  • Incident Overview: A group claimed on Telegram to have defaced the website of Sunil Linus De, an individual in India associated with fine art.
  • Threat Actor Analysis: The group claiming responsibility is “DCG (Dark Cyber Gang).” Research suggests that this group has been involved in past website defacement campaigns, often targeting entities in India. Their motivations appear to be varied, possibly including hacktivism or seeking notoriety. The targeting of an individual in the fine art industry might suggest a specific, potentially politically motivated agenda or could be an opportunistic attack.
  • Potential Impact: The defacement of the website could cause temporary disruption and reputational damage to Sunil Linus De.
  • Source Links:
  • Published URL: https://t.me/dcg_muslims/25
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/6cc0d88b-119b-4ef1-b630-f1d9f58b6efe.png
2.2.2 DCG (Dark Cyber Gang) targets the website of Pardeep Khatri & Associates
  • Incident Overview: The same group, DCG (Dark Cyber Gang), also claimed on Telegram to have defaced the website of Pardeep Khatri & Associates, an Indian law firm.
  • Threat Actor Analysis: The repeated activity of “DCG (Dark Cyber Gang)” within a short timeframe, again targeting an Indian entity, indicates a focused campaign against this region. The shift in target from an individual in the arts to a law firm suggests a potentially broader scope in their targeting or perhaps different motivations for each attack. Defacements are often used to spread propaganda or make a statement, and the choice of targets can sometimes provide clues about the attackers’ objectives.
  • Potential Impact: The defacement of the law firm’s website could lead to temporary disruption of their online presence and potential reputational damage.
  • Source Links:
  • Published URL: https://t.me/dcg_muslims/26
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/c628188d-9785-42a6-9242-0dbfd4b7eaf8.png
2.2.3 JAKARTA CYBER WHITE targets the website of SD Negeri Pudakpayung 01
  • Incident Overview: A group claimed on Telegram to have defaced the website of SD Negeri Pudakpayung 01, an elementary school in Indonesia.
  • Threat Actor Analysis: The group identifying itself as “JAKARTA CYBER WHITE” appears to be involved in website defacements. Targeting an elementary school website might suggest a less sophisticated actor seeking easy targets or could be related to specific local motivations or hacktivism. Defacing websites with low security postures is a common tactic for less experienced attackers to gain notoriety or practice their skills.
  • Potential Impact: The defacement of the school’s website could cause temporary disruption of access to information for students, parents, and staff, and may lead to minor reputational damage.
  • Source Links:
  • Published URL: https://t.me/jktcyberwhite4/26
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/cdaba194-843c-4058-917a-e60a58db4055.png
2.3 Initial Access Incidents
2.3.1 Alleged access sale to an unidentified Chinese Organization
  • Incident Overview: A threat actor claimed on a dark web forum to be selling access to the account of an unidentified organization in China. The access reportedly includes extensive privileges on routers, Cisco devices, and firewalls.
  • Threat Actor Analysis: The actor offering this access is “LongNight.” The claim of having access to core network infrastructure components like routers and firewalls is highly concerning, as it suggests a significant level of compromise within the targeted organization. Such access could allow a malicious actor to intercept network traffic, move laterally to other systems, and potentially cause widespread disruption or data theft. The unidentified nature of the victim makes it difficult to assess the specific impact, but the type of access being offered indicates a severe security breach.
  • Potential Impact: Complete network compromise, data theft, and significant disruption of operations are potential outcomes for the unidentified Chinese organization if this claim is accurate and the access is exploited.
  • Source Links:
  • Published URL: https://xss.is/threads/137690/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/34388f3e-f5e7-4587-82d9-0c3fdf6f6607.PNG
2.3.2 Alleged leak of admin access to Dr. Surakshith T.K.
  • Incident Overview: A group claimed on Telegram to have leaked admin credentials belonging to Dr. Surakshith T.K., an individual in India working in the hospital and health care sector.
  • Threat Actor Analysis: The group claiming responsibility is “Dark Engine.” The leak of administrative credentials for a healthcare professional in India is concerning due to the potential access to sensitive patient data. Even individual accounts with administrative privileges can be leveraged to gain broader access to systems and compromise sensitive information. The healthcare sector is increasingly targeted by cybercriminals due to the valuable personal and medical data it holds.
  • Potential Impact: Unauthorized access to Dr. Surakshith T.K.’s accounts could lead to privacy violations, potential manipulation of patient records, and disruption of healthcare services.
  • Source Links:
  • Published URL: https://t.me/Dark_Engine_1/3130
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/fda64892-4c66-4b69-b4e3-89bf6e90bd67.png
2.3.3 Alleged sale of root access to an unidentified Mexican company
  • Incident Overview: A threat actor claimed on a dark web forum to be selling root access to the core infrastructure of a major Mexican company listed on ZoomInfo, with significant revenue and employee count.
  • Threat Actor Analysis: The actor offering this high level of access is “bmox.” The sale of root access signifies a severe compromise of the targeted company’s systems. Root access provides the attacker with complete control over the affected servers and network, allowing them to perform any action, including data theft, deletion, and the deployment of malware. The detailed information provided about the company’s size and revenue suggests the seller is attempting to attract serious buyers who understand the value of such extensive access.
  • Potential Impact: Complete compromise of the company’s network, significant data theft, disruption of operations, and substantial financial losses are highly likely if this root access is acquired and exploited by a malicious actor.
  • Source Links:
  • Published URL: https://xss.is/threads/137672/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/bbc112b7-858a-41d4-a301-6a56386cb660.png
2.3.4 Alleged sale of U.S.-based Amazon buyer logs
  • Incident Overview: A threat actor claimed on a dark web forum to be selling Amazon buyer logs from the U.S. The offer includes access cookies and the option to change email, phone, and two-factor authentication credentials.
  • Threat Actor Analysis: The actor offering these logs is “stewie99k.” The sale of Amazon buyer logs, especially with the inclusion of access cookies and the ability to modify account recovery information, poses a significant risk to the affected users. Access cookies can allow an attacker to bypass the standard login process, while the ability to change account details enables them to take full control of the victim’s Amazon account. This type of access is highly valuable for fraudulent purchases and potentially gaining access to stored payment information.
  • Potential Impact: Account takeovers, fraudulent purchases, and exposure of personal and financial information of U.S.-based Amazon users are likely consequences if these logs are exploited.
  • Source Links:
  • Published URL: https://forum.exploit.in/topic/259069/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/334dac41-0b8e-41db-908d-d3b66d8c5851.png
2.3.5 Alleged sale of eBay buyer and seller accounts
  • Incident Overview: A threat actor claimed on a dark web forum to be selling aged eBay buyer accounts from 2010–2022 and eBay seller accounts from 2012–2022.
  • Threat Actor Analysis: The entity offering these accounts is “Accs-Store.com.” This appears to be a marketplace specializing in the sale of compromised accounts from various online platforms. Aged accounts, particularly those with established transaction history and positive feedback, are valuable to cybercriminals for conducting fraudulent activities, such as selling counterfeit goods or running scams, as they often have higher trust scores and are less likely to be flagged by security systems.
  • Potential Impact: The sale and subsequent use of these compromised eBay accounts could lead to various forms of fraud and scams targeting eBay users, as well as potential reputational damage to the eBay platform.
  • Source Links:
  • Published URL: https://forum.exploit.in/topic/259068/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/d9fc4c05-dc19-411c-9c0d-a4b39f97c21e.png
2.3.6 Alleged sale of multiple access to Health Village Hospital
  • Incident Overview: A group claimed on Telegram to be selling admin, editor, and manager credentials to Health Village Hospital in India.
  • Threat Actor Analysis: This incident is also attributed to “Dark Engine,” indicating a continued focus on the healthcare sector in India. The sale of multiple types of administrative credentials (admin, editor, manager) suggests a significant level of compromise within the hospital’s systems. This could allow an attacker to gain access to various levels of sensitive data and functionalities within the hospital’s network.
  • Potential Impact: Unauthorized access to Health Village Hospital’s systems could lead to the exposure of patient data, manipulation of medical records, disruption of hospital operations, and potential harm to patients.
  • Source Links:
  • Published URL: https://t.me/Dark_Engine_1/3134
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/d6933686-4e6c-4673-9fec-67fb68361aeb.png
2.3.7 Alleged sale of unauthorized web shell access to multiple unidentified websites
  • Incident Overview: A threat actor claimed on a dark web forum to be selling web shell access to several compromised websites across different countries, including Poland, Italy, and the Netherlands.
  • Threat Actor Analysis: The actor offering this access is “Mr Root.” The sale of web shell access indicates that these websites have already been compromised, and the attacker is providing a backdoor for persistent remote access. A web shell allows the attacker to execute commands on the compromised server, enabling them to perform various malicious activities, such as uploading more malware, stealing data, or further compromising the website. Targeting websites across multiple countries suggests an opportunistic approach, exploiting vulnerabilities wherever they are found.
  • Potential Impact: The buyers of this web shell access could further exploit the compromised websites for various purposes, including data theft, defacement, or using them as part of a botnet for launching other attacks.
  • Source Links:
  • Published URL: https://xss.is/threads/137657/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/df18fd1a-c779-4c29-8f75-cf4073aa969b.png
  • 2.3.8 Alleged sale of unauthorized access to multiple government GitLab servers
  • Incident Overview: A threat actor claimed on a dark web forum to be selling unauthorized access to multiple government GitLab servers across several countries: Bolivia, Pakistan, Malawi, Brazil, and Indonesia. The access reportedly includes full source code, database backups, private projects, CI/CD secrets, private keys, tokens, and internal files.
  • Threat Actor Analysis: The actor offering this significant level of access is “Stephanie.” The compromise of government GitLab servers across multiple nations is a serious security incident. GitLab is a platform widely used for software development and version control, often containing sensitive source code, configuration details, and secrets. Access to this information could enable malicious actors to understand government systems, identify vulnerabilities, and potentially launch further attacks or steal sensitive data. The variety of countries affected suggests a broad targeting effort.
  • Potential Impact: The exposure of source code, database backups, and other sensitive information from government GitLab servers could have severe consequences, including intellectual property theft, the discovery of critical vulnerabilities that could be exploited, and potential national security risks.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Selling-Gov-GitLab-Access-%E2%80%93-Multiple-Countries
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/e1d8f2e5-5097-4060-90c2-705649600b83.png
  • 2.3.9 Alleged sale of unauthorized access to an unidentified Malaysian company
  • Incident Overview: A threat actor claimed on a dark web forum to be selling extensive unauthorized access to the internal systems and accounts of an unidentified Malaysian company. The claimed access includes email accounts of key personnel, Google Workspace admin privileges, AnyDesk access to POS systems, ERP console credentials, and access to third-party platforms and network devices.
  • Threat Actor Analysis: The actor offering this comprehensive access is “Bazoka666.” The sheer breadth of access being advertised indicates a deep and significant compromise of the target company’s digital infrastructure. Gaining control over email accounts, cloud services, point-of-sale systems, enterprise resource planning systems, and network devices would provide an attacker with the ability to cause widespread disruption, steal sensitive data, and potentially inflict significant financial damage. The mention of the CEO’s email being linked to banking services further highlights the potential for severe financial impact.
  • Potential Impact: Complete compromise of the Malaysian company’s operations, significant financial losses due to potential fraud and theft, extensive data breaches, and severe disruption of business activities are likely if this access is exploited.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-MalaysianCompany-email-workspace-access-Data-Anydesk
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/f3862651-dff7-4cd4-93aa-9005fe04c9e0.png
  • 2.4 Malware Incidents
  • 2.4.1 Alleged sale of Katz Stealer malware
  • Incident Overview: A threat actor claimed on a dark web forum to be selling “Katz Stealer,” a lightweight infostealer capable of extracting a wide range of data from web browsers, crypto wallets, and messaging applications.
  • Threat Actor Analysis: The actor offering this malware is identified as “KatzStealer,” likely the developer or a close affiliate. The advertised capabilities of “Katz Stealer” indicate a sophisticated piece of malware designed to steal a broad spectrum of sensitive information, including credentials, cookies, autofill data, financial details, cryptocurrency wallet information, and data from popular communication platforms. The inclusion of a customizable build panel and a web-based control panel suggests an effort to make the malware user-friendly for other cybercriminals, lowering the barrier to entry for conducting information-stealing attacks.
  • Potential Impact: The sale and subsequent use of “Katz Stealer” could lead to widespread data theft from individuals and organizations, resulting in account compromises, financial losses, and privacy violations. The availability of such a comprehensive infostealer poses a significant threat to internet users.
  • Source Links:
  • Published URL: https://forum.exploit.in/topic/259073/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/a36ee589-8783-405f-8bd9-0c9c1d231739.png
  • 2.5 Data Leak Incidents
  • 2.5.1 Alleged sale of mail:pass combinations from European personal traffic
  • Incident Overview: A threat actor claimed on a dark web forum to be selling a dataset containing 20,000 email and password combinations allegedly sourced from personal internet traffic in Europe, specifically targeting individuals in Germany, France, and Spain.
  • Threat Actor Analysis: The actor offering this data is “X4Logs.” The sale of email and password combinations suggests these credentials were likely obtained through various methods, such as data breaches of online services, phishing attacks, or malware infections like keyloggers or infostealers. The specific targeting of European personal traffic indicates a potential focus on users in these countries, possibly for subsequent account takeover attempts or spam campaigns.
  • Potential Impact: The exposed email and password combinations could be used to gain unauthorized access to various online accounts belonging to individuals in Germany, France, and Spain, potentially leading to identity theft, financial fraud, and further targeted attacks.
  • Source Links:
  • Published URL: https://xss.is/threads/137674/
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/a91de9e9-e12d-4f4e-b76c-1a89e0edf0f0.png
  • 2.5.2 Alleged data leak of Tencent Related Logins
  • Incident Overview: A threat actor claimed on a dark web forum to be selling 85 Tencent-related login credentials, allegedly obtained through infostealer malware.
  • Threat Actor Analysis: The actor offering these credentials is “desoxy.” Tencent is a major Chinese technology conglomerate with a wide range of online services, including social media, gaming, and payment platforms. The theft of login credentials for these services could provide unauthorized access to user accounts and potentially sensitive personal information stored within them. The mention of infostealer malware as the source indicates a common method used by cybercriminals to harvest user credentials from infected devices.
  • Potential Impact: Unauthorized access to Tencent accounts could lead to privacy violations, financial fraud through associated payment platforms, and the spread of further malicious activity.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-85x-Tencent-Related-Logins
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/204f859c-8926-46ae-acaf-352d702b9c0d.png
  • 2.5.3 Alleged data leak of Chinese Government Logins
  • Incident Overview: A threat actor claimed on a dark web forum to be selling 264 compromised login credentials for Chinese government (.gov.cn) websites.
  • Threat Actor Analysis: This claim is also attributed to “desoxy,” highlighting their activity in trading compromised credentials. The sale of login credentials for Chinese government websites raises significant security concerns. Unauthorized access to government systems could potentially lead to data breaches, espionage, or disruption of government services. The method of obtaining these credentials is not specified, but it could involve various techniques such as phishing, exploitation of vulnerabilities, or even insider threats.
  • Potential Impact: Unauthorized access to Chinese government websites could lead to the exposure of sensitive government information, potential national security risks, and the disruption of online services provided by these websites.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-264x-Chinese-Government-Logins
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/21a17146-edb3-49d2-8651-2904b3621344.png
  • 2.5.4 Alleged data leak of Webmail Logins
  • Incident Overview: A threat actor claimed on a dark web forum to be selling over 1,400 webmail login credentials in ULP (URL:login:password) format, allegedly extracted from infostealer malware logs.
  • Threat Actor Analysis: This claim is also attributed to “desoxy,” indicating a consistent pattern of selling credentials likely obtained through malware infections. The focus on webmail logins is significant, as these accounts often provide access to a wealth of personal and professional information. The claim that the leaked data includes access to corporate and government accounts further amplifies the potential impact. Infostealer malware is a common tool used by cybercriminals to harvest login credentials and other sensitive data from infected computers.
  • Potential Impact: Unauthorized access to webmail accounts, including corporate and government accounts, could lead to significant data breaches, business email compromise attacks, and further targeted phishing campaigns.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-1400-Webmail-Logins
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/77327359-05e0-4480-899c-cd53dd673fc8.png
  • 2.5.5 Alleged data breach of Federal Security Service of the Russian Federation (FSB)
  • Incident Overview: A threat actor claimed on a dark web forum to be selling top secret documents allegedly from the Russian Federal Security Service (FSB), covering highly sensitive intelligence topics.
  • Threat Actor Analysis: The actor making this extraordinary claim is “Michealgabbert.” The alleged compromise of top secret documents from a major intelligence agency like the FSB, if verified, would represent a significant intelligence breach with potentially profound geopolitical implications. The claimed topics of the documents, including counterintelligence operations, Huawei-related activities, and strategic planning related to various countries, underscore the sensitivity of the alleged data. Such claims should be treated with caution, as they could be disinformation or an attempt to sell fabricated information. However, if genuine, the motivation could range from financial gain to political activism or even state-sponsored activity.
  • Potential Impact: The exposure of top secret FSB documents could severely damage Russian intelligence operations, compromise sources and methods, and significantly impact international relations. The information could be highly valuable to foreign intelligence agencies and other malicious actors.
  • Source Links:
  • Published URL: https://darkforums.st/Thread-Selling-Top-Secret-FSB-Documents-For-Sale
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/b7125a7f-ce21-4421-9436-f2f3d6d55351.png
  • 2.6 Alert Incidents
  • 2.6.1 Electronic Army Special Forces claims to target Cambodia
  • Incident Overview: A recent post by the group “Electronic Army Special Forces” on Telegram claimed that they are targeting Cambodia.
  • Threat Actor Analysis: Research into “Electronic Army Special Forces” suggests they are a hacktivist group with a history of targeting organizations and governments for political reasons. Their claims of targeting Cambodia indicate a potential upcoming wave of cyberattacks against entities within the country. Understanding the group’s past targets and motivations could provide insights into the likely nature and scope of these attacks.
  • Potential Impact: Increased cyberattacks targeting various sectors in Cambodia, including government organizations, businesses, and critical infrastructure.
  • Source Links:
  • Published URL: https://t.me/Anonymous_VNLBN_0/600
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/ca571f2d-52ee-4896-b95d-07db5b69223b.png
  • 2.6.2 KAL EGY 319 claims to target India
  • Incident Overview: A recent post by the group “KAL EGY 319” on Telegram claimed that they are targeting India.
  • Threat Actor Analysis: Information about “KAL EGY 319” requires further investigation. However, their claim of targeting India aligns with the observed trend of increased cyber activity directed towards Indian entities during this reporting period, as seen in the defacement incidents by “DCG (Dark Cyber Gang)” and the initial access sale to a hospital by “Dark Engine.” This could indicate a broader campaign or a heightened level of opportunistic attacks targeting India.
  • Potential Impact: Increased cyberattacks targeting various sectors in India, potentially including government organizations, businesses, and individuals.
  • Source Links:
  • Published URL: https://t.me/KALE3G1Y9/466
  • Screenshot: https://d34iuop8pidsy8.cloudfront.net/dc3d41ac-2cd2-4fc8-97d2-a247e4656a06.png

3. Threat Actor Spotlight

  • Machine1337: This threat actor has demonstrated significant activity in the past 24 hours, claiming responsibility for five separate alleged data breaches. These incidents targeted a diverse range of high-profile organizations, including financial institutions such as Umba, Emirates Islamic, and MEXC, as well as a major software vendor, Microsoft, and the social media platform Snapchat. The actor’s focus on large-scale data theft from prominent entities across different sectors suggests a financially motivated operation with potentially considerable resources and technical skills. The repeated appearance of this actor underscores their prolific nature and warrants further monitoring of their activities and tactics.
  • DCG (Dark Cyber Gang): This group has been responsible for multiple website defacements within the reporting period, specifically targeting entities in India. Their activity suggests a focused campaign against this region, possibly driven by hacktivist motivations or a specific agenda related to India. Analyzing the content of the defaced websites and the group’s communications on Telegram could provide more clarity on their objectives and the potential for future attacks.
  • Dark Engine: This group has been linked to two initial access incidents targeting the healthcare sector in India. These include the alleged leak of admin credentials for an Indian doctor and the sale of multiple access types to an Indian hospital. This pattern indicates a specific interest in compromising healthcare organizations in India, potentially to exploit the sensitive patient data they hold or to disrupt their operations for financial gain or other malicious purposes.

4. Trends and Observations

A prominent trend observed in the reported incidents is the high number of alleged data breaches. This underscores the continued prioritization by threat actors of compromising organizations to exfiltrate and potentially monetize sensitive information. The sheer volume of these claims highlights the persistent need for organizations to bolster their data protection strategies and implement robust security measures to prevent such incidents.

Another significant observation is the targeting of specific geographic regions. India appears to be a focal point for cyberattacks, with multiple defacement incidents and initial access attempts reported. Additionally, China and the USA are frequently identified as victim countries in alleged data breach incidents, likely due to the high concentration of large organizations and valuable data within these nations. This regional focus could be attributed to various factors, including geopolitical tensions, the presence of vulnerable infrastructure, or the targeted campaigns of specific threat actor groups.

The use of Telegram as a platform for disclosing cyber incidents by several threat actors is also noteworthy. This encrypted messaging platform has become increasingly popular among cybercriminal groups for disseminating information about their activities, likely due to the perceived anonymity and ease of communication it offers. Monitoring these channels can provide valuable insights into emerging threats and the tactics employed by malicious actors.

Furthermore, financial institutions continue to be prime targets for cyberattacks. Multiple incidents involve alleged breaches or the sale of access related to financial organizations, including fintech platforms, traditional banks, and cryptocurrency exchanges. The high value of financial data and the potential for direct financial gain make this sector a persistent target for cybercriminals.

Table 1: Summary of Data Breach Incidents

Victim Organization | Victim Country | Victim Industry | Threat Actor | Size of Alleged Breach | Published URL
Global Scout Co., Ltd. | South Korea | Human Resources | Team 1722 | Unknown | https://t.me/x1722x/2549
myfuturejob.in | India | Human Resources | ZEROLEGIONCREWINDONESIAN | Unknown | https://darkforums.st/Thread-Database-User-myfuturejob-in-Leaked-By-ZLC-ID
National Job Portal, Pakistan | Pakistan | Government Relations | gemgardner3456 | Unknown | https://demonforums.net/Thread-National-Job-Portal-Pakistan-Database-Leak
MGM Resorts International | USA | Hospitality & Tourism | elpatron85 | Full Database | https://darkforums.st/Thread-Selling-MGM-RESORTS-DATA
Salemerode Investments Ltd. | India | Financial Services | Dedale | Unknown | https://darkforums.st/Thread-Document-Salemerode-com-Database-leaks
Ministry of the Interior and Administration | Poland | Government Administration | CyberVolk. Group. | Unknown | https://t.me/CyberVolk_VolkX/41
Snapchat | USA | Software Development | Machine1337 | 5 Million Records | https://xss.is/threads/137669/
Umba | USA | Financial Services | Machine1337 | 5 Million Records | https://xss.is/threads/137670/
National Bureau of Statistics | China | Government Administration | heiwukoong | 92 Million Records | https://darkforums.st/Thread-Selling-China-s-February-2025-census-database-leaked-a-total-of-92-million-records
Microsoft | USA | Software Development | Machine1337 | 4 Million Records | https://xss.is/threads/137668/
Autoridad Educativa Federal en la Ciudad de México | Mexico | Education | Ranssi | Unknown | https://darkforums.st/Thread-aefcm-gob-mx-LEAK-DATABASE
Emirates Islamic | UAE | Banking & Mortgage | Machine1337 | 920,000 Records | https://xss.is/threads/137667/
Kaefer | Germany | Building and Construction | Everest | Employee Database | https://xss.is/threads/137664/
Khidmah | UAE | Facilities Services | Everest | Employee Database | https://xss.is/threads/137663/
MEXC | Seychelles | Financial Services | Machine1337 | 12 Million Records | https://xss.is/threads/137665/

Table 2: Threat Actor Activity Log

Threat Actor | Number of Incidents | Incident Categories | Primary Target Region(s) | Notable Tools/Techniques (if identified)
Machine1337 | 5 | Data Breach | USA, UAE, Seychelles | Selling large databases
DCG (Dark Cyber Gang) | 2 | Defacement | India | Website defacement
Dark Engine | 2 | Initial Access | India | Selling credentials
Everest | 2 | Data Breach | Germany, UAE | Employee database compromise
desoxy | 3 | Data Leak | China, Europe | Selling compromised credentials
Team 1722 | 1 | Data Breach | South Korea | Data leak
ZEROLEGIONCREWINDONESIAN | 1 | Data Breach | India | Data leak, re-exploitation
gemgardner3456 | 1 | Data Breach | Pakistan | Data leak
elpatron85 | 1 | Data Breach | USA | Selling large databases
Dedale | 1 | Data Breach | India | Leak of confidential and financial data
CyberVolk. Group. | 1 | Data Breach | Poland | Leak of sensitive government data
Ranssi | 1 | Data Breach | Mexico | Leak of personal details
LongNight | 1 | Initial Access | China | Selling access to network devices
bmox | 1 | Initial Access | Mexico | Selling root access
stewie99k | 1 | Initial Access | USA | Selling Amazon buyer logs
Accs-Store.com | 1 | Initial Access | N/A | Selling aged eBay accounts
Mr Root | 1 | Initial Access | Poland, Italy, Netherlands | Selling web shell access
Stephanie | 1 | Initial Access | Bolivia, Pakistan, Malawi, Brazil, Indonesia | Selling access to government GitLab servers
Bazoka666 | 1 | Initial Access | Malaysia | Selling extensive organizational access
KatzStealer | 1 | Malware | N/A | Selling infostealer malware
X4Logs | 1 | Data Leak | Europe | Selling email and password combinations
Michealgabbert | 1 | Data Leak | Russia | Alleged sale of top secret documents
Electronic Army Special Forces | 1 | Alert | Cambodia | Claiming to target Cambodia
KAL EGY 319 | 1 | Alert | India | Claiming to target India

5. Conclusion

The cybersecurity incidents reported in the last 24 hours paint a picture of a dynamic and persistent threat landscape. The prevalence of alleged data breaches across various sectors and geographies highlights the ongoing success and appeal of this type of cybercrime. The repeated targeting of specific regions like India, coupled with the focus on critical infrastructure and financial institutions, underscores the diverse motivations and objectives of threat actors. The emergence and sale of sophisticated malware like “Katz Stealer” indicate a continuous evolution in attack capabilities. Furthermore, the alleged breach of the Russian FSB, while requiring further verification, signifies a potential escalation in the scale and sensitivity of targeted information. Organizations and individuals must remain vigilant, prioritize robust security practices, and stay informed about the evolving tactics of cyber adversaries to effectively mitigate the risks posed by these persistent threats. The observed trends emphasize the need for proactive threat intelligence gathering and analysis to anticipate and respond to the ever-changing cybersecurity landscape.