1. Executive Summary:
Recent analysis of the cyber threat landscape reveals a persistent and evolving environment characterized by an increasing volume and sophistication of attacks targeting a wide array of sectors globally [1]. The observed surge in malicious activity underscores the necessity for organizations to maintain a proactive and adaptive security posture. No industry appears to be immune, as threat actors continue to identify and exploit vulnerabilities across diplomacy, education, finance, government, and technology sectors [1]. This sustained increase signifies a systemic challenge requiring continuous monitoring and the implementation of robust defense mechanisms.
Furthermore, the nature of hacktivism is undergoing a transformation, extending beyond traditional disruptive tactics such as Distributed Denial of Service (DDoS) attacks and website defacements into more impactful and potentially damaging operations [3]. The adoption of sophisticated techniques, including ransomware deployment and targeting of critical infrastructure, indicates a convergence with the methods employed by cybercriminal and potentially nation-state actors. This evolution complicates threat attribution and necessitates a more comprehensive approach to security that accounts for ideologically motivated actors wielding advanced capabilities. The increasing interconnectedness of the threat landscape is further evidenced by alliances forming between hacktivist groups with differing motivations [5].
The widespread use of information-stealing malware as an initial access vector remains a significant concern [6]. These versatile tools facilitate a range of malicious activities, including account takeover, data breaches, and ransomware deployment. The effectiveness and accessibility of infostealers highlight the critical importance of robust endpoint security measures and comprehensive user awareness training programs aimed at preventing credential theft and the initial compromise of systems.
2. Incident Analysis:
This section analyzes the specific cybersecurity breaches contained in the incident data provided for this report (supplied in JSON form). For each incident, the identified threat actor(s) are profiled using the available research material.
Threat Actor Profiles:
TengkorakCyberCrew:
This threat actor has been observed reporting on the activities of the Mekotio banking trojan, which targets financial institutions across Latin America, including Mexico [1]. This activity was noted as early as July 2024 [1]. The focus on banking trojans, particularly Mekotio, which is known for targeting financial theft and unauthorized access to banking systems, strongly suggests a primary motivation centered around financial gain [1]. The actor’s emphasis on cooperation with first-hand data providers, excluding Russia and China, and their willingness to pay for legitimate databases further supports this assessment [1]. This indicates a deliberate and organized approach to acquiring resources that can be leveraged for financial cybercrime.
Z-PENTEST ALLIANCE:
The Z-PENTEST ALLIANCE is identified as a pro-Russian hacktivist group, likely originating from Serbia, with their initial appearance noted in October 2023 [7]. Their operational focus lies in the penetration of operational technology (OT) control systems within critical infrastructure sectors, primarily targeting energy (oil and gas) and water industries [7]. This includes disruptive actions against critical systems such as oil wells and water treatment plants [7]. The group’s geopolitical motivation is to undermine the industrial and control systems of Western countries, thereby bolstering Russia’s geopolitical influence by exploiting technological vulnerabilities. They also aim to erode Western solidarity and sow divisions within NATO [7]. Countries known to have been targeted by this alliance include the United States, Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany, and Poland [7].
The capabilities of Z-Pentest include sophisticated techniques for accessing and manipulating SCADA (Supervisory Control and Data Acquisition) and ICS (Industrial Control Systems), enabling them to inflict significant disruptions on critical infrastructure [7]. They infiltrate OT systems to manipulate essential functions like water pumping, gas flaring, and oil collection. The group has been observed exploiting zero-day vulnerabilities to gain unauthorized access, often leveraging information sourced from the dark web or through collaborative efforts with other threat groups [7]. Social engineering tactics are also employed to obtain sensitive information or system access by exploiting human trust or error. Furthermore, the group utilizes data obtained from dark web leaks to refine and execute more targeted attacks. Collaboration is a key aspect of their operations, frequently working in conjunction with groups such as SECTOR16, OverFlame, and the People’s Cyber Army (PCA) to coordinate attacks and share resources, thereby enhancing their overall effectiveness [7]. Communication and propaganda efforts are conducted through platforms like Telegram and X (formerly Twitter), where they engage with supporters, recruit new members, and amplify the perceived impact of their operations [7]. The release of videos showcasing the manipulation of OT systems serves to instill fear and reinforce their operational capabilities [7].
INDOHAXSEC:
INDOHAXSEC is an Indonesian-based hacktivist collective that emerged in early October 2024 [5]. Initially, their activities appeared to be driven by pro-Palestinian sentiments and religious ideology, with frequent targeting of entities perceived as supporting Israel [5]. Notably, they announced an alliance with the pro-Russian hacktivist group NoName057(16) within a month of their formation [5]. However, the group’s motivations have since evolved to encompass a more nationalistic and politically driven agenda [5]. This shift is evident in their engagement in cyberattacks against entities they believe have acted against core Indonesian interests, including doxxing campaigns targeting Malaysian officials in response to the fatal shooting of an Indonesian migrant worker [5]. While expressing intentions to pursue judicial avenues with the Malaysian government, they temporarily suspended attacks on Malaysia to avoid interfering with ongoing domestic protests in Indonesia, emphasizing their independence from the Indonesian government [5].
The group employs a range of attack techniques, including DDoS attacks, website defacements, ransomware deployments, and hack-and-leak operations [5]. They maintain a presence on GitHub, where they host their custom tooling, and utilize a Telegram channel for communication, coordination, and propaganda dissemination [5]. Their activities reflect a blend of ideological motivations, initially focused on pro-Palestinian and religious causes, which have broadened to include nationalistic and political objectives related to Indonesia’s interests [5].
Machine1337:
In May 2025, a threat actor identified as Machine1337, also known as EnergyWeaponsUser, claimed to have compromised 89 million user records from Steam, a leading PC gaming distribution platform owned by Valve Corporation [8]. This alleged breach, if verified, would represent a significant security incident impacting approximately two-thirds of Steam’s user base [8]. The compromised data purportedly includes historical SMS text messages containing one-time passcodes for Steam authentication, along with users’ phone numbers [8]. Machine1337 reportedly offered this data for sale on a dark web forum for $5,000 [8].
Valve Corporation has denied any breach of their own systems, attributing the exposure to the inherent insecurity of SMS as a communication method, noting that such messages are unencrypted in transit and routed through multiple third-party providers [8]. Twilio, a cloud communications platform whose backend systems were initially suspected as a potential source due to the nature of the leaked data, has also explicitly denied any compromise of their infrastructure [8]. Independent analysis of the leaked data by a games journalist from the SteamSentinels community group identified technical indicators suggesting the real-time SMS log entries originated from Twilio’s backend systems, hinting at a possible supply-chain compromise [8]. Despite the denials, the incident highlights the potential vulnerabilities associated with SMS-based two-factor authentication and the complexities of securing data within intricate digital supply chains.
Fallaga Team:
The Fallaga Team, also known as Rebel Jackal, is a pro-Islamist organization that typically conducts cyberattacks motivated by real-world events where its members believe Muslims have been wronged [13]. Their attacks commonly involve website defacements, often incorporating jihadist messages and imagery related to perceived persecution of Muslims [13]. The group also developed a Remote Access Trojan (RAT) referred to as Fallaga RAT, which is believed to be a modified version of the njRAT malware frequently used by hackers in the Middle East and North Africa [13].
Past activities attributed to the Fallaga Team include a campaign targeting Thai websites in August 2015, where they posted jihadist messages and images concerning Rohingya Muslims [14]. In January 2015, following the “Je suis Charlie” edition of Notepad++, the group defaced the Notepad++ website with anti-Western messages set to a pro-Mahomed musical background [15]. They also claimed responsibility for a website defacement campaign in February 2017 that targeted NHS websites in the United Kingdom, displaying graphic photos from the Syrian Civil War [17]. These actions demonstrate the group’s propensity to leverage cyberattacks as a form of ideological protest and to react to specific geopolitical events they deem relevant to their cause.
Sylhet Gang-SG:
SYLHET GANG-SG is a hacktivist group known for targeting critical infrastructure and various other entities, including the Central European University and the EU Parliament [18]. They have been involved in DDoS attacks against Western targets, such as the personal website of the UK Prime Minister Sunak and the Cyprus police [18]. The group has publicly declared its allegiance to the KillNet 2.0 hacker collective, indicating a focus on threats against allies of Israel [18]. SYLHET GANG-SG has also been promoted by other pro-Palestinian hacktivist groups, including Mr Hamza and LazaGrad Hack, suggesting potential alliances and coordinated activities within the hacktivist community [19]. Their targeting patterns and affiliations suggest an ideologically driven motivation, primarily focused on geopolitical issues and conflicts perceived to involve “Zionist” entities and their allies [19].
OneSec:
The term “OneSec” has been associated with a threat actor who successfully bypassed SentinelOne Endpoint Detection and Response (EDR) protections to deploy a variant of the Babuk ransomware [20]. This bypass was achieved by exploiting a vulnerability in the local upgrade/downgrade process of the SentinelOne agent [20]. Forensic analysis revealed suspicious activities, including the creation of multiple legitimate SentinelOne installer files and rapid product version changes, indicating a deliberate attempt to manipulate the EDR software [20]. The vulnerability allowed the threat actor to disable the EDR agent without requiring the anti-tamper code by interrupting the Windows Installer process during an upgrade initiated via an MSI installer [20]. Testing confirmed that during this brief window, all SentinelOne processes were terminated, leaving the system unprotected [20]. The impacted environment lacked the critical “online authorization” feature for upgrades, which, if enabled, would have prevented this bypass method [20]. The deployment of Babuk ransomware suggests a financially motivated objective, consistent with the typical goals of ransomware attacks involving data encryption and ransom demands [20].
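The forensic indicators named above (several installer files written in quick succession, rapid agent version changes including a downgrade, and a gap in which the agent processes are not running) are all observable from ordinary endpoint and agent-health telemetry, which makes this pattern a good candidate for a detection rule. The following is an added example, not code from the original report, SentinelOne, or the cited analysis. It assumes a simplified, constructed telemetry format (fields `host`, `ts`, `event`, `version`, `path`) and flags any host where two or more agent version changes, or any version downgrade, occur within a configurable window, enriching the finding with the installer writes and agent stops seen in the same period.

```python
"""Detect EDR agent upgrade/downgrade churn from endpoint telemetry.

Added example; not the report's or any vendor's code. The telemetry schema
and all sample records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). A 'agent_version' record
# carries the version observed after a (re)install; 'installer_written'
# and 'agent_stopped' come from file and process monitoring.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2025-05-10T09:00:00", "event": "installer_written", "path": "C:\\Temp\\agent_a.msi"},
    {"host": "ws01", "ts": "2025-05-10T09:00:30", "event": "installer_written", "path": "C:\\Temp\\agent_b.msi"},
    {"host": "ws01", "ts": "2025-05-10T09:01:00", "event": "agent_version", "version": "23.4.2"},
    {"host": "ws01", "ts": "2025-05-10T09:02:10", "event": "agent_version", "version": "22.1.0"},  # downgrade
    {"host": "ws01", "ts": "2025-05-10T09:02:15", "event": "agent_stopped"},
    {"host": "ws01", "ts": "2025-05-10T09:03:40", "event": "agent_version", "version": "23.4.2"},
    # ws02: a routine single upgrade; the agent briefly stops while the MSI runs.
    {"host": "ws02", "ts": "2025-05-10T09:00:00", "event": "installer_written", "path": "C:\\Temp\\agent_c.msi"},
    {"host": "ws02", "ts": "2025-05-10T09:01:00", "event": "agent_version", "version": "23.4.2"},
    {"host": "ws02", "ts": "2025-05-10T09:01:05", "event": "agent_stopped"},
    {"host": "ws02", "ts": "2025-05-10T09:01:20", "event": "agent_version", "version": "23.5.0"},
]


def parse_version(text: str) -> tuple:
    """'23.4.2' -> (23, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def _by_host(events):
    """Group records per host, parse timestamps, sort chronologically."""
    grouped = defaultdict(list)
    for e in events:
        rec = dict(e)
        rec["ts"] = datetime.fromisoformat(e["ts"])
        grouped[e["host"]].append(rec)
    for recs in grouped.values():
        recs.sort(key=lambda r: r["ts"])
    return grouped


def find_agent_tampering(events, window_minutes: int = 10):
    """Return one finding per burst of suspicious agent version churn."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for host, recs in _by_host(events).items():
        # Version transitions on this host: (time, was it a downgrade?)
        changes, last = [], None
        for r in recs:
            if r["event"] != "agent_version":
                continue
            v = parse_version(r["version"])
            if last is not None and v != last:
                changes.append({"ts": r["ts"], "downgrade": v < last})
            last = v
        # Group transitions into bursts: consecutive changes closer than the window.
        bursts, current = [], []
        for c in changes:
            if current and c["ts"] - current[-1]["ts"] > window:
                bursts.append(current)
                current = []
            current.append(c)
        if current:
            bursts.append(current)
        for burst in bursts:
            downgrades = sum(1 for c in burst if c["downgrade"])
            reasons = []
            if len(burst) >= 2:
                reasons.append(f"{len(burst)} version changes within {window_minutes} min")
            if downgrades:
                reasons.append(f"{downgrades} downgrade(s)")
            if not reasons:
                continue  # a single upgrade is routine maintenance, not a finding
            start, end = burst[0]["ts"] - window, burst[-1]["ts"]
            in_range = [r for r in recs if start <= r["ts"] <= end]
            findings.append({
                "host": host,
                "version_changes": len(burst),
                "downgrades": downgrades,
                "installers_written": sum(1 for r in in_range if r["event"] == "installer_written"),
                "agent_stopped": any(r["event"] == "agent_stopped" for r in in_range),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_agent_tampering(SAMPLE_EVENTS):
        print(finding)
```

On the sample data only ws01 is flagged: two version changes in under two minutes, one of them a downgrade, with two installer files written and an agent stop in the same period. ws02's single upgrade (with its expected momentary agent stop) produces no finding, which is the false-positive case a rule like this must handle. Narrowing the window to one minute splits ws01's churn into two bursts, and only the one containing the downgrade is still reported.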
Table: Identified Threat Actors and Key Characteristics

| Threat Actor Name/Alias | Primary Motivation | Typical Targets | Known Tactics, Techniques, and Procedures (TTPs) | Known Affiliations |
|---|---|---|---|---|
| TengkorakCyberCrew | Financial | Financial institutions in Latin America | Banking trojans (e.g., Mekotio) | Unknown |
| Z-PENTEST ALLIANCE | Geopolitical | Energy, water, critical infrastructure in Western countries | ICS/SCADA manipulation, zero-day exploits, social engineering, dark web data | SECTOR16, OverFlame, PCA, pro-Russian actors |
| INDOHAXSEC | Ideological, nationalistic | Entities perceived as supporting Israel, those against Indonesian interests | DDoS, website defacement, ransomware, hack-and-leak, doxxing | NoName057(16) |
| Machine1337 | Unknown | Steam users | Alleged data breach via SMS supply chain | Unknown |
| Fallaga Team | Ideological | Websites related to perceived mistreatment of Muslims | Website defacement, propaganda, Fallaga RAT (njRAT variant) | Pro-Islamist |
| Sylhet Gang-SG | Ideological | Critical infrastructure, Western targets, allies of Israel | DDoS | KillNet 2.0, Mr Hamza, LazaGrad Hack |
| OneSec | Financial | Organizations using SentinelOne EDR | Exploiting EDR upgrade vulnerabilities, deploying Babuk ransomware | Unknown |
3. Emerging Threat Trends:
Analysis of recent cybersecurity events and threat actor activities reveals several significant trends shaping the current threat landscape. A notable trend is the increasing targeting of critical infrastructure by politically motivated groups [3]. This indicates a growing recognition by these actors of the potential for significant disruption and impact by compromising essential services such as energy and water supply. The geopolitical context often plays a crucial role, with attacks frequently aligning with international tensions and conflicts [3].
Furthermore, hacktivist groups are progressively adopting more sophisticated tactics that were previously associated with cybercriminal or nation-state actors [3]. This includes the deployment of ransomware, which suggests a shift towards more impactful and potentially financially motivated operations, even among groups with primarily ideological goals. The technical capabilities of these ideologically driven actors are advancing, blurring the lines between different categories of threat actors [4].
Phishing continues to be a highly prevalent initial attack vector across various types of cyber threats [24]. Despite increasing awareness, threat actors are constantly refining their techniques to deceive users into revealing sensitive information or installing malware. The adaptability and effectiveness of phishing highlight the ongoing need for robust security awareness training and the implementation of technical controls to mitigate this risk.
Social media and messaging platforms, particularly Telegram, are increasingly utilized by threat actors for communication, coordination, and the dissemination of propaganda [5]. These platforms offer a convenient and often less scrutinized environment for organizing attacks, sharing information, and amplifying their message. Monitoring these channels can provide valuable insights into the activities and intentions of various threat groups.
The exploitation of known vulnerabilities in software and hardware remains a significant pathway for threat actors to gain unauthorized access [20]. This underscores the critical importance of timely patching and vulnerability management processes for organizations to reduce their attack surface. Threat actors often actively seek out and leverage publicly disclosed vulnerabilities to compromise systems before patches can be widely implemented.
Finally, the rise of “cybercrime-as-a-service” (CaaS) is making sophisticated attack tools and services accessible to a wider range of individuals, including those with limited technical skills [26]. This lowers the barrier to entry for cybercrime and contributes to the increasing volume and diversity of threats observed in the landscape. These platforms facilitate the buying and selling of stolen data, hacking tools, and even access to compromised systems.
4. Recommendations:
To effectively mitigate the risks posed by the evolving cyber threat landscape, organizations should implement a range of robust security measures. Employing strong and unique passwords across all accounts, coupled with the enforcement of multi-factor authentication (MFA), is crucial for protecting against unauthorized access resulting from compromised credentials [24]. Organizations should prioritize the implementation of phishing-resistant MFA methods to further enhance security.
Comprehensive cybersecurity awareness training for all employees is essential to educate them about the risks of phishing attacks and other social engineering tactics [24]. Regular training and simulated phishing exercises can significantly improve an organization’s resilience to these common attack vectors.
Maintaining up-to-date software and systems through timely patching is critical for addressing known vulnerabilities that threat actors can exploit [24]. Implementing automated patching processes can help ensure that security updates are applied promptly.
Deploying robust Endpoint Detection and Response (EDR) solutions provides the necessary visibility and control over endpoints to detect and respond to malicious activity, including sophisticated bypass attempts [20]. Continuous monitoring of network activity for any unusual or suspicious behavior is also vital for early threat detection [24].
Implementing network segmentation can help limit the lateral movement of attackers within a network in the event of a breach, thereby reducing the potential impact of a successful compromise [3]. Organizations should develop and regularly test comprehensive incident response plans to ensure they can effectively manage and recover from cybersecurity incidents [24].
Consideration should be given to using Virtual Private Networks (VPNs) and guest networks to restrict access to sensitive data and systems [24]. Encrypting sensitive data both while it is being transmitted and when it is stored can protect it from unauthorized access, even if a breach occurs [1].
Adopting strict access controls and adhering to the principle of least privilege ensures that users only have the necessary permissions to perform their job functions, minimizing the potential for misuse or compromise [1]. Finally, organizations should consider monitoring the dark web for any indications of compromised credentials or potential threats targeting their infrastructure or employees [37].
Organizations operating in sectors frequently targeted by politically motivated groups should implement enhanced security measures and threat monitoring specific to the tactics, techniques, and procedures associated with these actors. Continuous threat intelligence gathering and analysis are essential for staying informed about the evolving threat landscape and proactively adapting security defenses.
5. Conclusion:
The daily cybersecurity landscape presents a complex and dynamic array of threats, encompassing both financially motivated cybercrime and ideologically driven hacktivism. The activities of various threat actors, employing increasingly sophisticated tactics, highlight the persistent challenges faced by organizations in safeguarding their digital assets. The convergence of geopolitical tensions with cyber operations further underscores the need for a holistic and adaptive security strategy. Continuous learning and adaptation are paramount for cybersecurity professionals to effectively defend against the ever-evolving tactics and techniques of threat actors. Staying informed about the latest threats, vulnerabilities, and security best practices remains crucial for maintaining a strong security posture in this constantly shifting environment.
Works cited
1. Navigating the Cyber Threat Landscape: A Comprehensive Report …, accessed May 15, 2025, https://www.cloudsek.com/blog/navigating-the-cyber-threat-landscape-a-comprehensive-report-on-recent-attacks-and-vulnerabilities-in-mexico
2. What is a Threat Actor? Types & Examples – SentinelOne, accessed May 15, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
3. Hacktivists Target Critical Infrastructure, Move Into Ransomware – Cyble, accessed May 15, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
4. Hacktivist Groups Evolve into Sophisticated Threat Actors – IDM Magazine, accessed May 15, 2025, https://www.idm.net.au/article/0015154-hacktivist-groups-evolve-sophisticated-threat-actors
5. INDOHAXSEC – Emerging Indonesian Hacking Collective – Arctic Wolf, accessed May 15, 2025, https://arcticwolf.com/resources/blog-uk/indohaxsec-indonesian-hacking-collective/
6. Infostealers fueled cyberattacks and snagged 2.1B credentials last year | CyberScoop, accessed May 15, 2025, https://cyberscoop.com/infostealers-cybercrime-surged-2024-flashpoint/
7. Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange Cyberdefense, accessed May 15, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
8. Steam Hit by Major Data Breach: 89M User Records Allegedly …, accessed May 15, 2025, https://mobileidworld.com/steam-hit-by-major-data-breach-89m-user-records-allegedly-compromised/
9. Hacker Claims Steam Database Breach; Valve Denies Attack – Lowyat.NET, accessed May 15, 2025, https://www.lowyat.net/2025/351679/hacker-claims-steam-breach-valve-denies/
10. Details of 89 million Steam accounts for sale on the dark web – Computing UK, accessed May 15, 2025, https://www.computing.co.uk/news/2025/security/details-89-million-steam-accounts-for-sale
11. Steam’s 89M Password Leak Scare Refuted By Communications Firm – OpenCritic, accessed May 15, 2025, https://opencritic.com/news/16527/steams-89m-password-leak-scare-refuted-by-communications-firm
12. Data breach dismissed by Twilio after alleged Steam records leak | SC Media, accessed May 15, 2025, https://www.scworld.com/brief/data-breach-dismissed-by-twilio-after-alleged-steam-records-leak
13. Rebel Jackal (Threat Actor) – Malpedia, accessed May 15, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/rebel_jackal
14. North African Group Targets Thai Websites in Islamist Cyber Attack – Benar News, accessed May 15, 2025, https://www.benarnews.org/english/news/thai/fallaga-cyberattack-08242015153150.html
15. Notepad++ Defaced by Islamist Hackers after ‘Je suis Charlie’ Edition – Bitdefender, accessed May 15, 2025, https://www.bitdefender.com/en-us/blog/hotforsecurity/notepad-defaced-by-islamist-hackers-after-je-suis-charlie-edition
16. ‘Cyberjhadists’ Hack Hundreds of French Websites – NDTV, accessed May 15, 2025, https://www.ndtv.com/world-news/cyberjhadists-hack-hundreds-of-french-websites-726323
17. Doxing and Defacements: Examining the Islamic State’s Hacking Capabilities, accessed May 15, 2025, https://ctc.westpoint.edu/doxing-defacements-examining-islamic-states-hacking-capabilities/
18. SYLHET GANG-SG (Threat Actor) – Malpedia, accessed May 15, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/sylhet_gang-sg
19. Hacktivist Group DieNet Claims DDoS Attacks against U.S. CNI, accessed May 15, 2025, https://www.cisecurity.org/insights/blog/hacktivist-group-dienet-claims-ddos-attacks-against-u-s-c-n-i
20. Threat Actor Evades SentinelOne EDR to Deploy Babuk Ransomware, accessed May 15, 2025, https://gbhackers.com/threat-actor-evades-sentinelone-edr/
21. S1 vulnerable to ransom attacks: Threat Actor Bypass SentinelOne EDR to Deploy Babuk Ransomware : r/msp – Reddit, accessed May 15, 2025, https://www.reddit.com/r/msp/comments/1kg17bl/s1_vulnerable_to_ransom_attacks_threat_actor/
22. VirusTotal releases its first ransomware activity report – Информационная безопасность в Узбекистане – ONESEC.UZ, accessed May 15, 2025, https://onesec.uz/en/news/show/1
23. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 15, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
24. What is a Cyber Threat Actor? | CrowdStrike, accessed May 15, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
25. Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware, accessed May 15, 2025, https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html
26. Law enforcement takes down two largest cybercrime forums in the world – Europol, accessed May 15, 2025, https://www.europol.europa.eu/media-press/newsroom/news/law-enforcement-takes-down-two-largest-cybercrime-forums-in-world
27. Why Cybercrime Forum Collaboration Is Making Attacks More Efficient, And How To Stay Ahead – Information Security Buzz, accessed May 15, 2025, https://informationsecuritybuzz.com/why-cybercrime-forum-collaboration-is-making-attacks-more-efficient-and-how-to-stay-ahead/
28. The rise and fall of the BreachForums cybercrime network – Barracuda Blog, accessed May 15, 2025, https://blog.barracuda.com/2024/10/24/the-rise-and-fall-of-the-BreachForums-cybercrime-network
29. 8 Common Cyber Attack Vectors & How to Avoid Them – Balbix, accessed May 15, 2025, https://www.balbix.com/insights/attack-vectors-and-breach-methods/
30. NSA’s Top Ten Cybersecurity Mitigation Strategies, accessed May 15, 2025, https://www.nsa.gov/portals/75/documents/what-we-do/cybersecurity/professional-resources/csi-nsas-top10-cybersecurity-mitigation-strategies.pdf
31. 17 Ways To Prevent Insider Threats: Steps, Tips & Tools – Teramind, accessed May 15, 2025, https://www.teramind.co/blog/how-to-prevent-insider-threats/
32. Cybersecurity Best Practices | Cybersecurity and Infrastructure Security Agency CISA, accessed May 15, 2025, https://www.cisa.gov/topics/cybersecurity-best-practices
33. How To Prevent Cyber Attacks (Solutions & Best Practices) – PurpleSec, accessed May 15, 2025, https://purplesec.us/learn/prevent-cyber-attacks/
34. Threat Actors: Common Types & Best Defenses Against Them | Splunk, accessed May 15, 2025, https://www.splunk.com/en_us/blog/learn/threat-actors.html
35. Security guidance for dark web leaks (ITSAP.00.115) – Canadian Centre for Cyber Security, accessed May 15, 2025, https://www.cyber.gc.ca/en/guidance/security-guidance-dark-web-leaks-itsap00115
36. Dark web secrets: exploring the cyber threats – Prey Project, accessed May 15, 2025, https://preyproject.com/blog/dark-web-cyber-threats
37. Mandiant Digital Threat Monitoring | Google Cloud, accessed May 15, 2025, https://cloud.google.com/security/products/digital-threat-monitoring
38. Dark Web Threat Intelligence | ZeroFox, accessed May 15, 2025, https://www.zerofox.com/glossary/dark-web-threat-intelligence/
39. Dark Web Monitoring – Flare | Cyber Threat Intel | Digital Risk Protection, accessed May 15, 2025, https://flare.io/solutions/use-case/dark-web-monitoring/
40. Searching dark web engines for personal information leaks – ManageEngine, accessed May 15, 2025, https://www.manageengine.com/log-management/cyber-security/personal-data-leaks-detection.html