[May-21-2025] Daily Cybersecurity Threat Report

I. Executive Summary

The past 24 hours have underscored a dynamic and increasingly complex cybersecurity threat landscape, characterized by the escalating influence of artificial intelligence, persistent targeting of critical infrastructure, and the blurring lines between traditional cybercrime and geopolitical objectives. This period highlights the continued prevalence of financially motivated attacks alongside sophisticated state-sponsored espionage, demanding a proactive and adaptive defense posture.

A significant observation from recent activity is the accelerating pace of cyber threats driven by AI, which necessitates faster defensive responses. Artificial intelligence is a double-edged sword, profoundly impacting the cyber domain. While it empowers legitimate users, it also enables malicious actors to become more effective scammers, hacktivists, and cybercriminals.1 The ability of AI to automate various attack stages, including malware creation, social engineering campaign design, and vulnerability identification, significantly reduces the time it takes for attackers to compromise systems. This means that traditional, manual defense cycles are increasingly inadequate, creating an urgent need for AI-driven defense mechanisms and rapid incident response protocols to keep pace with the evolving threat.2

Key threat actors observed in the broader intelligence landscape include prominent groups like Sandworm (also known as Seashell Blizzard), the Z-PENTEST ALLIANCE, and the decentralized collective Anonymous. Additionally, the emerging capabilities of AI-powered “zero-knowledge” actors represent a new frontier in cybercrime, allowing individuals with limited technical expertise to orchestrate sophisticated attacks.1

II. Daily Incident Overview

For a quick, high-level overview of the day’s key cyber events, the following table summarizes recent breaches. This format offers immediate situational awareness, enabling rapid understanding and facilitating the prioritization of resources and strategic decision-making for security teams.

| Incident ID | Affected Entity/Sector | Brief Description | Primary Threat Actor(s) | Key Impact |
|---|---|---|---|---|
| 1 | Unidentified USA Investor’s Organization | Alleged sale of a database with over 100,000 records and access to CRM system. | 0kb | Data Leak, CRM System Access Sale |
| 2 | Government Law College, Churu (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 3 | Japanese Citizens | Alleged leak of personal information (2,000 entries: names, addresses, phone numbers). | shopping | Data Leak |
| 4 | Mairie de Saint-Georges-le-Fléchard municipality (France) | Alleged database leak including member credential details. | MdHackersArmy | Data Leak, Credential Exposure |
| 5 | New Delhi Institute of Management (NDIM) (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 6 | Le Cheylas municipality (France) | Alleged database leak including passwords, usernames, activity logs, visit timestamps. | MdHackersArmy | Data Leak, Credential Exposure |
| 7 | Amazon (USA) | Alleged sale of access to Amazon accounts. | Z3roDay | Access Sale |
| 8 | Career Development Centre (CDC), Indian Institute of Technology Kharagpur (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 9 | 1win (Curaçao) | Alleged data leak of user information and betting-related records. | decojo4605 | Data Leak |
| 10 | Manipur University (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 11 | Social Services Home Slatiňany (Czech Republic) | Alleged unauthorized access. | Z-PENTEST ALLIANCE | Unauthorized Access |
| 12 | Azfileo (Iran) | Alleged data leak and website defacement. | Team 1722 | Data Leak, Website Defacement |
| 13 | Babyk ransomware | Alleged sale of panel source code of Babyk ransomware. | Dedale | Source Code Sale, Ransomware Infrastructure |
| 14 | N1bet (New Zealand) | Alleged sale of N1bet account with NZD 14,000 balance. | Gasan | Account Sale, Financial Loss |
| 15 | U.S. Citizens | Alleged sale of 250,000 U.S. citizens’ sensitive data (SSNs, bank details, driver’s licenses, contact info). | namolesa | Data Leak, Sensitive PII Exposure |
| 16 | Vietnam Social Security (Vietnam) | Alleged sale of 61 million Vietnam Social Security records. | Jack_back | Data Breach, Sensitive Records Sale |
| 17 | BlueHippo.io | Alleged data leak of 5,000+ US-based users from remote work platform. | OneERA | Data Leak |
| 18 | Unidentified organization in USA (Texas) | Alleged sale of unauthorized access to a database with full personal details, signatures, medical history via Ammyy Admin. | Buddha12 | Unauthorized Access, Sensitive Data Exposure |
| 19 | Edukid (Cyprus) | Alleged data leak. | Tunisian Maskers Cyber Force | Data Breach |
| 20 | Multiple USA companies | Alleged data leak of 72 million USA company records (fax, email, website, contact name, address). | info_usa | Data Breach, Business Contact Information Exposure |
| 21 | Unidentified Shop in UAE | Alleged sale of access to a Magento 2 e-commerce site (web shell and admin panel control). | F13 | Access Sale, E-commerce Compromise |
| 22 | Coimbatore City Municipal Corporation (India) | Alleged database leak of board members (serial number, ward number, name, address, contact, email, party affiliation, photo). | ZEROLEGIONCREWINDONESIAN | Data Breach, Public Official PII Exposure |
| 23 | WildApricot (Canada) | Alleged data leak of customer financial and personal details (names, addresses, email, mobile, transactions, payment, vendor data). | Skivon | Data Breach, Financial & Personal Data Exposure |
| 24 | Bradley R. Tyer & Associates (USA) | Alleged database sale of 1.02 TB of property, legal, and financial documents (deeds, liens, tax data, court filings). | Sentap | Data Breach, Legal & Financial Document Exposure |
| 25 | Rabindra Bharati University Journal of Economics (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 26 | Lohia College (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 27 | Sim card Registration in Indonesia | Alleged data leak of SIM card registration data (date, providers, phone number, national ID). | namolesa | Data Leak, National ID Exposure |
| 28 | Unidentified telecommunication company in Russia | Alleged data sale of over 9.4 million customer records (phone number, operator, region, time zone, full name, ID, country, gender, DOB). | namolesa | Data Leak, Telecommunication Customer Data Sale |
| 29 | Yummy Rides (Venezuela) | Alleged data sale of 2.96 GB of full names and photos. | Cypher404x | Data Breach, PII Exposure |
| 30 | Sahakar Maharshi Bhausaheb Thorat Amrutvahini Sahakari Bank Ltd (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 31 | Drobal Health (Bangladesh) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 32 | Central Council for Research in Siddha (India) | Website defacement. | Anonymous_SVN | Website Defacement |
| 33 | Noble Institute and Technology Private Limited (India) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 34 | Nilasaila Institute of Science And Technology (India) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 35 | Multiple Global Organizations | Alleged leak of VPN credentials (clear-text usernames and passwords). | joker009 | Initial Access, VPN Credential Exposure |
| 36 | Nilgiri College (India) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 37 | Mobilefone Kingdom (Australia) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 38 | Sharmaa1 (India) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 39 | AD square (India) | Website defacement. | TengkorakCyberCrew | Website Defacement |
| 40 | Unidentified E-Commerce Site | Alleged sale of Magento 2 admin access. | shellshop | Initial Access, E-commerce Admin Access Sale |
| 41 | Mexican Citizens (Nuevo León State) | Alleged data leak of 4 million Mexican citizens (electors ID, CURP, name, DOB, address). | Eternal | Data Leak, National ID & PII Exposure |
| 42 | Registry and Cadastral Institute of the State of Nuevo León (Mexico) | Alleged database sale of homeowners and landowners (land ID, owner name, property address). | Eternal | Data Breach, Property Ownership Data Sale |
| 43 | Freemobile (France) | Alleged data breach of 19.2 million users and 5.1 million IBANs. | checkmyyuser | Data Breach, Financial & User Data Exposure |

Detailed Incident Analysis:

Incident Title: Alleged data sale of unidentified USA Investor’s organization

  • Date/Time of Discovery: 2025-05-21T13:00:07Z
  • Affected Sector & Impact: An unidentified USA-based investor’s organization in the Investment Management, Hedge Fund & Private Equity sector has allegedly suffered a data leak. A threat actor claims to be selling a database containing over 100,000 records, and access to the organization’s CRM system is also being offered for sale. This incident poses a significant risk of financial fraud, identity theft, and further corporate espionage due to the exposure of sensitive organizational and client data.
  • Attack Vector & Methodology: The specific attack vector is not detailed, but the incident involves the compromise and sale of a database and CRM system access, indicating a direct breach of the organization’s internal systems.
  • Associated Threat Actor(s): The threat actor is identified as “0kb.” This name is associated with the concept of “zero-knowledge threat actors” in cybersecurity, which refers to individuals with limited technical expertise who can leverage AI tools to orchestrate sophisticated attacks, including malware creation, social engineering, and vulnerability identification 1,.3 This trend lowers the barrier to entry for cybercrime, leading to an exponential growth in the volume and effectiveness of attacks from less skilled adversaries.1
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Government Law College Churu

  • Date/Time of Discovery: 2025-05-21T12:49:33Z
  • Affected Sector & Impact: The website of Government Law College, Churu, an educational institution in India, has been defaced. This type of attack can lead to reputational damage, disruption of online services, and a loss of trust in the institution’s digital presence.
  • Attack Vector & Methodology: The group claims to have defaced the website, which typically involves exploiting vulnerabilities in web applications or content management systems to alter the visual appearance of the site.
  • Associated Threat Actor(s): The group is “Anonymous_SVN.” Anonymous is a decentralized international activist and hacktivist collective known for cyberattacks against governments, institutions, and corporations they accuse of censorship or corruption.4, 5 Members often operate anonymously and use Guy Fawkes masks as a symbol.4 While “SVN” might refer to a version control system, the core group aligns with the broader Anonymous collective, which has been involved in large-scale data leaks and “cyber wars” for political causes.6
  • Further Reading & Evidence:

Incident Title: Alleged data leak of Japanese citizens

  • Date/Time of Discovery: 2025-05-21T12:47:32Z
  • Affected Sector & Impact: A threat actor claims to have leaked a database containing personal information of Japanese citizens. The compromised data reportedly includes 2,000 entries in CSV format with full names, addresses, and phone numbers. This incident exposes individuals to risks of identity theft, phishing attacks, and other forms of targeted fraud.
  • Attack Vector & Methodology: The incident is described as a data leak, implying a compromise of a system holding personal data, likely through unauthorized access to a database.
  • Associated Threat Actor(s): The threat actor is “shopping.” While “shopping” is not identified as a distinct threat actor group in the provided intelligence, the context relates to common retail cybersecurity threats, where threat actors exploit tactics like credential stuffing, phishing, and synthetic identity fraud to steal login credentials and gain unauthorized access to user accounts. Such actors are often financially motivated and tend to shift targets and industries rapidly.7
  • Further Reading & Evidence:

Incident Title: Alleged database leak of Mairie de Saint-Georges-le-Fléchard municipality

  • Date/Time of Discovery: 2025-05-21T12:38:16Z
  • Affected Sector & Impact: The Mairie de Saint-Georges-le-Fléchard municipality in France, a government administration entity, has allegedly had its database leaked. The compromised data includes member credential details. This breach could lead to unauthorized access to municipal systems, further data exfiltration, and potential disruption of public services.
  • Attack Vector & Methodology: The incident is a database leak, suggesting a compromise of the municipality’s data storage, likely through a vulnerability or unauthorized access.
  • Associated Threat Actor(s): The threat actor is “MdHackersArmy.” This name is not explicitly identified as a distinct, established threat actor group within the provided intelligence.831
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of New Delhi Institute of Management (NDIM)

  • Date/Time of Discovery: 2025-05-21T12:37:57Z
  • Affected Sector & Impact: The website of the New Delhi Institute of Management (NDIM), an educational institution in India, has been defaced. This attack can damage the institution’s reputation and disrupt its online operations.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful exploitation of web vulnerabilities.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” aligning with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Alleged database leak of Le Cheylas municipality

  • Date/Time of Discovery: 2025-05-21T12:27:56Z
  • Affected Sector & Impact: The Le Cheylas municipality in France, a government administration entity, has allegedly had its data leaked. The compromised data includes sensitive details such as passwords, usernames, activity logs, and visit timestamps. This breach poses a severe risk of further unauthorized access, system compromise, and potential misuse of credentials.
  • Attack Vector & Methodology: The incident is a database leak, suggesting a compromise of the municipality’s data storage.
  • Associated Threat Actor(s): The threat actor is “MdHackersArmy.” This name is not explicitly identified as a distinct, established threat actor group within the provided intelligence.831
  • Further Reading & Evidence:

Incident Title: Alleged access sale to Amazon accounts

  • Date/Time of Discovery: 2025-05-21T12:03:28Z
  • Affected Sector & Impact: A threat actor claims to be selling access to Amazon accounts. While Amazon is an Information Technology (IT) Services company, the impact is primarily on individual users whose accounts may be compromised, leading to financial fraud, unauthorized purchases, and identity theft.
  • Attack Vector & Methodology: The incident involves the sale of access, implying that the threat actor has gained unauthorized entry to Amazon user accounts, likely through credential stuffing, phishing, or other account takeover methods.
  • Associated Threat Actor(s): The threat actor is “Z3roDay.” This name is not identified as a distinct threat actor group in the provided intelligence. “Zero-day” refers to a previously unknown or unaddressed security flaw that hackers can exploit. While the name suggests a focus on zero-day exploits, the specific group “Z3roDay” is not profiled.
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Career Development Centre (CDC), Indian Institute of Technology Kharagpur

  • Date/Time of Discovery: 2025-05-21T12:02:35Z
  • Affected Sector & Impact: The website of the Career Development Centre (CDC) at the Indian Institute of Technology Kharagpur, an educational institution in India, has been defaced. This can disrupt student services, damage the institution’s reputation, and undermine trust.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” aligning with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Alleged data leak of 1Win from Brazil

  • Date/Time of Discovery: 2025-05-21T12:02:18Z
  • Affected Sector & Impact: A threat actor claims to have leaked data from 1win Brazil, a gambling and casinos organization based in Curaçao. The compromised data reportedly includes user information and betting-related records. This breach could lead to financial fraud, account takeovers, and privacy violations for users.
  • Attack Vector & Methodology: The incident is a data leak, suggesting unauthorized access to 1win’s user database.
  • Associated Threat Actor(s): The threat actor is “decojo4605.” This name is not identified as a distinct, established threat actor group within the provided intelligence.
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Manipur University

  • Date/Time of Discovery: 2025-05-21T12:01:33Z
  • Affected Sector & Impact: The website of Manipur University, an educational institution in India, has been defaced. This can cause operational disruption and reputational damage.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” aligning with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Alleged unauthorized access to Social Services Home Slatiňany

  • Date/Time of Discovery: 2025-05-21T12:00:23Z
  • Affected Sector & Impact: The Social Services Home Slatiňany in the Czech Republic, a Hospital & Health Care organization, has allegedly suffered unauthorized access. This type of breach in a healthcare setting can expose sensitive patient data, disrupt critical services, and lead to severe privacy violations.
  • Attack Vector & Methodology: The group claims to have gained unauthorized access, which could involve exploiting network vulnerabilities, weak credentials, or social engineering.
  • Associated Threat Actor(s): The group is “Z-PENTEST ALLIANCE.” This pro-Russian hacktivist group emerged in October 2023 and is known for its ability to penetrate Operational Technology (OT) in critical infrastructures, including energy and water sectors.9 They aim to weaken Western countries and strengthen Russia’s geopolitical influence.9 They often exploit zero-day vulnerabilities and use social engineering, and they are among the most active pro-Russian hacktivists, targeting NATO-aligned nations and Ukraine supporters.10
  • Further Reading & Evidence:

Incident Title: Alleged data leak of Azfileo

  • Date/Time of Discovery: 2025-05-21T11:42:57Z
  • Affected Sector & Impact: The Iranian organization Azfileo, in the Healthcare & Pharmaceuticals sector, has allegedly been breached, resulting in a data leak and website defacement. This dual impact can lead to exposure of sensitive healthcare data, significant reputational damage, and disruption of critical services.
  • Attack Vector & Methodology: The group claims to have breached the organization’s data and defaced the website, suggesting a multi-pronged attack involving data exfiltration and web compromise.
  • Associated Threat Actor(s): The group is “Team 1722.” This is an active hacktivist group.11 While specific details about their motivations are not provided in the snippets, hacktivist groups often combine cyber activism with physical protests to amplify their message.12
  • Further Reading & Evidence:

Incident Title: Alleged sale of panel source code of Babyk Ransomware

  • Date/Time of Discovery: 2025-05-21T11:41:54Z
  • Affected Sector & Impact: A threat actor claims to be selling the panel source code of Babyk ransomware. This incident represents a significant risk to the broader cybersecurity landscape, as the availability of ransomware source code can lower the barrier for other cybercriminals to launch their own attacks, leading to a proliferation of ransomware incidents.
  • Attack Vector & Methodology: The incident involves the sale of intellectual property related to ransomware, indicating a compromise of the ransomware operator’s infrastructure or a rogue insider.
  • Associated Threat Actor(s): The threat actor is “Dedale.” Dedale is an actor active on the dark web forum “DarkForums,” known for posting listings offering confidential government data for sale.13 They are believed to be a member of “R00TK1T,” a group that targets government and corporate entities in Asia and the Middle East.13
  • Further Reading & Evidence:

Incident Title: Alleged sale of account of N1bet from New Zealand

  • Date/Time of Discovery: 2025-05-21T10:38:50Z
  • Affected Sector & Impact: A threat actor claims to be selling an N1bet account with a NZD 14,000 balance linked to a New Zealand profile. N1bet is a Gambling & Casinos organization. Verification is required for withdrawal, and no access to the linked postmail.com email is provided. This incident highlights the risk of account takeovers and direct financial loss for the victim.
  • Attack Vector & Methodology: The incident involves the sale of a compromised account, suggesting that the threat actor gained unauthorized access to the account, likely through credential theft or other account takeover methods.
  • Associated Threat Actor(s): The threat actor is “Gasan.” This name appears in the context of cyber insurance and general threat actors, but “Gasan” is not identified as a distinct, established cybercrime group in the provided intelligence.14, 15, 16
  • Further Reading & Evidence:

Incident Title: Alleged sale of 250,000 U.S. citizens’ SSN data

  • Date/Time of Discovery: 2025-05-21T10:25:22Z
  • Affected Sector & Impact: The threat actor claims to be selling 250,000 U.S. citizens’ sensitive data, including SSNs, bank details (account numbers, IBANs), driver’s licenses, and contact information. This is a severe data leak with widespread implications for identity theft, financial fraud, and other malicious activities against the affected individuals.
  • Attack Vector & Methodology: The incident is a data leak, implying a compromise of a database containing highly sensitive personal and financial information.
  • Associated Threat Actor(s): The threat actor is “namolesa.” This name is not explicitly identified as a distinct, established threat actor group within the provided intelligence. However, Nobelium, a Russian state-sponsored actor, is known for sophisticated supply chain attacks and phishing campaigns targeting sensitive data.17
  • Further Reading & Evidence:

Incident Title: Alleged sale of 61 million Vietnam Social Security data

  • Date/Time of Discovery: 2025-05-21T10:22:29Z
  • Affected Sector & Impact: The threat actor claims to be selling 61 million Vietnam Social Security records. This massive data breach targeting a government relations entity in Vietnam poses a significant risk of identity theft, fraud, and potential misuse of social security information on a national scale.
  • Attack Vector & Methodology: The incident is a data breach, indicating unauthorized access and exfiltration of a large government database.
  • Associated Threat Actor(s): The threat actor is “Jack_back.” This name is associated with the “ScreamedJungle” campaign, a sophisticated cybercriminal operation that exploits vulnerabilities in outdated e-commerce platforms to harvest unique digital identifiers and bypass fraud detection systems.18 While “Jack_back” is not a distinct group, the campaign itself is financially motivated.18
  • Further Reading & Evidence:

Incident Title: Alleged data leak of BlueHippo.io

  • Date/Time of Discovery: 2025-05-21T10:19:43Z
  • Affected Sector & Impact: The threat actor claims to be selling a database of 5,000+ US-based users from the remote work platform BlueHippo.io, a Staffing/Recruiting company. This data leak could expose personal and professional information of remote workers, leading to targeted phishing, identity theft, or other forms of fraud.
  • Attack Vector & Methodology: The incident is a data leak, implying unauthorized access to BlueHippo.io’s user database.
  • Associated Threat Actor(s): The threat actor is “OneERA.” OneERA has claimed unauthorized access to over 2.4 million records allegedly containing personally identifiable information of individuals in New Zealand.19 They have also been observed targeting government entities since early 2022, deploying custom backdoors for cyberespionage.19
  • Further Reading & Evidence:

Incident Title: Alleged sale of unauthorized access to an unidentified organization in USA

  • Date/Time of Discovery: 2025-05-21T09:41:07Z
  • Affected Sector & Impact: A threat actor claims to be selling access to a database based in Texas, USA, from an unidentified organization. The access is reportedly provided via Ammyy Admin and includes full personal details, signatures, and medical history. This is a critical initial access event that could lead to severe privacy breaches, medical identity theft, and further exploitation of the compromised system.
  • Attack Vector & Methodology: The incident involves the sale of unauthorized access via Ammyy Admin, a remote desktop software, suggesting a compromise of remote access credentials or a vulnerability in the software itself.
  • Associated Threat Actor(s): The threat actor is “Buddha12.” This name appears in philosophical or religious contexts within the provided snippets and is not identified as a distinct cybercrime group.20, 21, 22
  • Further Reading & Evidence:

Incident Title: Alleged data leak of Edukid

  • Date/Time of Discovery: 2025-05-21T09:40:54Z
  • Affected Sector & Impact: The group claims to have breached the database of Edukid, an E-Learning organization in Cyprus, resulting in a data leak. This breach can expose sensitive educational and personal data, impacting students and staff, and causing reputational damage to the platform.
  • Attack Vector & Methodology: The incident is a data breach, indicating unauthorized access to Edukid’s database.
  • Associated Threat Actor(s): The group is “Tunisian Maskers Cyber Force.” This name is not explicitly identified as a distinct, established threat actor group within the provided intelligence. However, Tunisia is mentioned in the context of joint, multinational cyber exercises with U.S. Cyber Command Soldiers and National Guardsmen to enhance critical infrastructure protection.23 Anonymous, a decentralized hacktivist group, also has members arrested in countries including Tunisia.4
  • Further Reading & Evidence:

Incident Title: Alleged data leak of multiple USA companies

  • Date/Time of Discovery: 2025-05-21T09:21:15Z
  • Affected Sector & Impact: The threat actor claims to have leaked the database of multiple USA companies, containing 72 million records. The compromised data includes details such as fax, email, website, contact name, category, company name, and company address. This large-scale data breach can lead to widespread business email compromise (BEC) attacks, targeted phishing campaigns, and corporate espionage.
  • Attack Vector & Methodology: The incident is a data leak, implying a compromise of a large database containing business contact information.
  • Associated Threat Actor(s): The threat actor is “info_usa.” This name is not explicitly identified as a distinct, established threat actor group within the provided intelligence.24, 25
  • Further Reading & Evidence:

Incident Title: Alleged sale of access to an unidentified Shop in UAE

  • Date/Time of Discovery: 2025-05-21T09:20:11Z
  • Affected Sector & Impact: A threat actor claims to be selling unauthorized access to an e-commerce site based in the United Arab Emirates, running on Magento 2. The access reportedly includes both web shell and admin panel control. This initial access can lead to full compromise of the e-commerce platform, including customer data theft, financial fraud, and website defacement.
  • Attack Vector & Methodology: The incident involves the sale of web shell and admin panel access, indicating a successful exploitation of vulnerabilities in the Magento 2 platform or compromised credentials.
  • Associated Threat Actor(s): The threat actor is “F13.” This name is not identified as a distinct threat actor group in the provided intelligence. However, the context relates to financially motivated hacking groups that use exploits and stolen credentials to gain access, and the increasing use of AI in cybersecurity.26
  • Further Reading & Evidence:

Incident Title: Alleged database leak of Coimbatore City Municipal Corporation

  • Date/Time of Discovery: 2025-05-21T08:18:11Z
  • Affected Sector & Impact: The Coimbatore City Municipal Corporation in India, a Government Administration entity, has allegedly had its database leaked. The compromised data includes details such as serial number, ward number, name of the councilor, address, contact number/landline number, email ID, party affiliation, and photo. This breach exposes sensitive personal information of public officials, posing risks of identity theft, targeted harassment, and potential political manipulation.
  • Attack Vector & Methodology: The incident is a data breach, indicating unauthorized access to the municipal corporation’s database.
  • Associated Threat Actor(s): The threat actor is “ZEROLEGIONCREWINDONESIAN.” This name is not identified as a distinct, established threat actor group within the provided intelligence.
  • Further Reading & Evidence:

Incident Title: Alleged data leak of WildApricot

  • Date/Time of Discovery: 2025-05-21T07:28:26Z
  • Affected Sector & Impact: The threat actor claims to have leaked data from WildApricot, a Software Development company in Canada. The compromised data includes customer financial and personal details, such as names, home addresses, email and mobile contacts, transaction information, payment details, and vendor data. This is a significant data breach with potential for widespread financial fraud, identity theft, and privacy violations for WildApricot’s customers and vendors.
  • Attack Vector & Methodology: The incident is a data leak, suggesting unauthorized access to WildApricot’s customer and vendor databases.
  • Associated Threat Actor(s): The threat actor is “Skivon.” While “Skivon” is not identified as a distinct threat actor, “Skira” is a newly emerging ransomware group that operates with a “double extortion” model and is believed to be a member of “R00TK1T,” a group known for targeting government and corporate entities.27, 3, 4
  • Further Reading & Evidence:

Incident Title: Alleged database sale of Bradley R. Tyer & Associates

  • Date/Time of Discovery: 2025-05-21T07:23:12Z
  • Affected Sector & Impact: A threat actor claims to be selling 1.02 TB of data allegedly from Bradley R. Tyer & Associates, a Law Practice & Law Firm in the USA. The compromised data reportedly contains property, legal, and financial documents such as deeds, liens, tax data, and court filings from 1990 to 2025, in PDF, Excel, MSG, and scanned formats. This is an extremely sensitive data breach with profound implications for legal and financial privacy, potentially leading to widespread fraud, litigation, and reputational damage.
  • Attack Vector & Methodology: The incident is a database sale, indicating a large-scale exfiltration of highly confidential legal and financial documents.
  • Associated Threat Actor(s): The threat actor is “Sentap.” Sentap is explicitly identified as one of the four claimed members of the FunkSec ransomware group, which emerged in early December 2024.28 FunkSec is financially motivated and uses “FunkLocker” ransomware, developed in Rust, claiming to employ multiple encryption methods.28 They have rapidly gained prominence, disclosing over 85 cases of damage and selling access to government websites.28
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Rabindra Bharati University Journal of Economics

  • Date/Time of Discovery: 2025-05-21T06:11:33Z
  • Affected Sector & Impact: The website of the Rabindra Bharati University Journal of Economics, a Newspapers & Journalism entity in India, has been defaced. This can undermine the credibility of the publication and disrupt access to academic content.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” a handle aligned with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Lohia College

  • Date/Time of Discovery: 2025-05-21T06:03:29Z
  • Affected Sector & Impact: The website of Lohia College, a Higher Education/Academia institution in India, has been defaced. This can disrupt academic operations and damage the institution’s reputation.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” a handle aligned with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Alleged data leak of Sim card Registration in Indonesia

  • Date/Time of Discovery: 2025-05-21T06:00:17Z
  • Affected Sector & Impact: The threat actor claims to have leaked data from SIM card registrations in Indonesia (Network & Telecommunications sector). The compromised data reportedly consists of registration date, provider, phone number, and national ID card number. Because it pairs phone numbers with national identity numbers, this leak poses a significant risk of identity theft, SIM-swap and targeted scams, and privacy violations for Indonesian citizens.
  • Attack Vector & Methodology: The incident is a data leak, implying unauthorized access to a database containing SIM card registration information.
  • Associated Threat Actor(s): The threat actor is “namolesa.” This handle is not identified as a distinct, established threat actor group within the provided intelligence, and nothing in the claim itself supports attribution to any tracked group.
  • Further Reading & Evidence:

Incident Title: Alleged data sale of unidentified telecommunication company in Russia

  • Date/Time of Discovery: 2025-05-21T05:59:13Z
  • Affected Sector & Impact: The threat actor claims to be selling data from an unidentified telecommunication company in Russia. The compromised data consists of over 9.4 million lines of information, including Phone Number, Operator, Region, Time Zone, Full Name, ID Number, Country, Gender, and Date of Birth. This is a massive data leak with potential for widespread privacy violations, targeted scams, and other malicious activities against Russian citizens.
  • Attack Vector & Methodology: The incident is a data sale, indicating a large-scale exfiltration of telecommunication customer data.
  • Associated Threat Actor(s): The threat actor is “namolesa,” the same handle as in the preceding Indonesian SIM registration incident. It is not identified as a distinct, established threat actor group within the provided intelligence, and the two claims should be tracked together as the work of one unattributed seller.
  • Further Reading & Evidence:

Incident Title: Alleged data sale of Yummy Rides

  • Date/Time of Discovery: 2025-05-21T05:42:15Z
  • Affected Sector & Impact: The threat actor claims to be selling 2.96 GB of full names and photos from Yummy Rides, a Package & Freight Delivery company in Venezuela. This data breach exposes personal identifiable information (PII) of individuals, potentially leading to identity theft, targeted scams, or other forms of misuse.
  • Attack Vector & Methodology: The incident is a data sale, indicating a large-scale exfiltration of user data, including images and names.
  • Associated Threat Actor(s): The threat actor is “Cypher404x.” This handle is not identified as a distinct, established threat actor group within the provided intelligence.
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Sahakar Maharshi Bhausaheb Thorat Amrutvahini Sahakari Bank Ltd

  • Date/Time of Discovery: 2025-05-21T05:34:19Z
  • Affected Sector & Impact: The website of Sahakar Maharshi Bhausaheb Thorat Amrutvahini Sahakari Bank Ltd, a Banking & Mortgage institution in India, has been defaced. This can severely impact the bank’s reputation, erode customer trust, and potentially disrupt online banking services.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” a handle aligned with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: TengkorakCyberCrew targets the website of Drobal Health

  • Date/Time of Discovery: 2025-05-21T05:28:00Z
  • Affected Sector & Impact: The website of Drobal Health, a Marketing, Advertising & Sales company in Bangladesh, has been defaced. This can damage the company’s brand image and disrupt its marketing operations.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew,” a hacktivist group known for combining cyber activism with physical protests, with a strong focus on Palestinian advocacy.12 The group has also been noted in reporting on banking trojans affecting Latin American financial institutions.12
  • Further Reading & Evidence:

Incident Title: Anonymous_SVN targets the website of Central Council for Research in Siddha

  • Date/Time of Discovery: 2025-05-21T05:04:20Z
  • Affected Sector & Impact: The website of the Central Council for Research in Siddha, a Government Relations entity in India, has been defaced. This can disrupt public information services and undermine the government’s digital presence.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “Anonymous_SVN,” a handle aligned with the decentralized hacktivist collective Anonymous.4, 5
  • Further Reading & Evidence:

Incident Title: Tengkorakcybercrew targets the website of Noble Institute and Technology Private Limited

  • Date/Time of Discovery: 2025-05-21T03:56:35Z
  • Affected Sector & Impact: The website of Noble Institute and Technology Private Limited, an educational institution in India, has been defaced. This can disrupt online learning and administrative functions, and damage the institution’s reputation.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: Tengkorakcybercrew targets the website of Nilasaila Institute of Science And Technology

  • Date/Time of Discovery: 2025-05-21T03:56:32Z
  • Affected Sector & Impact: The website of Nilasaila Institute of Science And Technology, an educational institution in India, has been defaced. This can disrupt online services and damage the institution’s reputation.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: Alleged Leak of VPN Credentials of Multiple Global Organizations

  • Date/Time of Discovery: 2025-05-21T03:53:44Z
  • Affected Sector & Impact: The threat actor claims to be offering free VPN access to multiple global organizations, including clear-text usernames and passwords for VPN portals. This incident represents a critical initial access event, potentially exposing internal systems and sensitive user accounts across various industries and countries.
  • Attack Vector & Methodology: The incident involves the leak of clear-text VPN portal credentials, which points either to a compromised system that stored them (for example, infostealer logs or a breached credential store) or to a successful phishing/social engineering campaign. Credentials of this kind are the raw material for initial access, so every organization named in the dump should treat the listed accounts as compromised until passwords are reset and MFA is confirmed.
  • Associated Threat Actor(s): The threat actor is “joker009.” This handle is not identified as a distinct threat actor group in the provided intelligence. “Joker” and “JokerSpy” are unrelated families of sophisticated malware operated by unknown adversaries (Joker targets Android users for data exfiltration and financial gain; JokerSpy targets macOS devices for espionage and data collection).29, 30 The shared word in the handle is not evidence of a connection to either family.
  • Further Reading & Evidence:

Incident Title: TengkorakCyberCrew targets the website of Nilgiri College

  • Date/Time of Discovery: 2025-05-21T03:19:31Z
  • Affected Sector & Impact: The website of Nilgiri College, an educational institution in India, has been defaced. This can disrupt online services and damage the institution’s reputation.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: TengkorakCyberCrew targets the website of Mobilefone Kingdom

  • Date/Time of Discovery: 2025-05-21T03:19:16Z
  • Affected Sector & Impact: The website of Mobilefone Kingdom, an Electrical & Electronic Manufacturing company in Australia, has been defaced. This can disrupt online sales and customer engagement, and damage the company’s brand image.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: TengkorakCyberCrew targets the website of Sharmaa1

  • Date/Time of Discovery: 2025-05-21T03:19:14Z
  • Affected Sector & Impact: The website of Sharmaa1, a Food & Beverages company in India, has been defaced. This can disrupt online presence and sales, and damage the company’s reputation.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: TengkorakCyberCrew targets the website of AD square

  • Date/Time of Discovery: 2025-05-21T03:19:13Z
  • Affected Sector & Impact: The website of AD square, a Design company in India, has been defaced. This can disrupt online portfolios and client engagement, and damage the company’s professional image.
  • Attack Vector & Methodology: The group claims to have defaced the website, indicating a successful web vulnerability exploitation.
  • Associated Threat Actor(s): The group is “TengkorakCyberCrew.”12
  • Further Reading & Evidence:

Incident Title: Alleged Sale of Magento 2 Admin Access from Unidentified E-Commerce Site

  • Date/Time of Discovery: 2025-05-21T01:44:32Z
  • Affected Sector & Impact: The threat actor is claiming to sell access to a Magento 2 shop, including full administrative rights, from an unidentified E-commerce & Online Stores site. This initial access can lead to complete control over the e-commerce platform, enabling data theft (customer information, payment details), financial fraud, and website manipulation.
  • Attack Vector & Methodology: The incident involves the sale of administrative access, suggesting the Magento 2 installation was compromised through an unpatched vulnerability or stolen admin credentials. The posting itself does not reveal the entry point; the defensive checks are the same either way (audit the admin user list, integrations and API tokens for unknown entries, rotate all admin credentials, and review the store's client-side code for injected payment skimmers).
  • Associated Threat Actor(s): The threat actor is “shellshop.” This handle is not identified as a distinct threat actor group in the provided intelligence. The superficial resemblance to “Seashell Blizzard,” an alias for the Russian state-sponsored actor Sandworm,31 is a coincidence of naming and should not be read as attribution; selling stolen admin access is characteristic of financially motivated access brokers rather than state operators.
  • Further Reading & Evidence:

Incident Title: Alleged data leak of Mexican Citizens

  • Date/Time of Discovery: 2025-05-21T00:35:52Z
  • Affected Sector & Impact: The threat actor claims to have leaked the information of Mexican citizens from the state of Nuevo León. The data reportedly includes elector ID, CURP, name, date of birth, and address, spanning roughly 4 million records. This is a significant data leak with severe implications for identity theft, voter targeting and manipulation, and targeted fraud against Mexican citizens.
  • Attack Vector & Methodology: The incident is a data leak, implying unauthorized access to a large database containing sensitive citizen information.
  • Associated Threat Actor(s): The threat actor is “Eternal.” The provided intelligence does not identify this handle as an established group. The name resembles the “Eternity Project,” a modular Malware-as-a-Service (MaaS) offering promoted on Telegram and TOR websites that sells info-stealing, crypto-mining, and ransomware modules on subscription, and it also echoes “EternalBlue,” the exploit for a vulnerability in Microsoft’s SMBv1 protocol that enables remote code execution and network access. Neither resemblance establishes a link to this leak.
  • Further Reading & Evidence:

Incident Title: Alleged database sale of homeowners and landowners in Mexico

  • Date/Time of Discovery: 2025-05-21T00:12:16Z
  • Affected Sector & Impact: The threat actor claims to be selling the database of homeowners and landowners in Mexico, obtained from the Registry and Cadastral Institute of the State of Nuevo León (IRCNL), a Government Relations entity. The compromised data includes land ID, full owner name, and full property address. This breach of sensitive property ownership data can lead to real estate fraud, targeted scams, and privacy violations.
  • Attack Vector & Methodology: The incident is a database sale, indicating unauthorized access and exfiltration of a government cadastral database.
  • Associated Threat Actor(s): The threat actor is “Eternal,” the same handle as in the preceding Nuevo León incident; the resemblance to the “Eternity Project” (MaaS) is nominal only, and the two postings are best tracked together as one unattributed seller.
  • Further Reading & Evidence:

Incident Title: Alleged data breach of Freemobile

  • Date/Time of Discovery: 2025-05-21T00:00:09Z
  • Affected Sector & Impact: The threat actor claims to have breached the database of Freemobile, a Network & Telecommunications company in France. The data includes 19.2 million users and 5.1 million IBANs. This is a massive data breach with severe implications for financial fraud, identity theft, and privacy violations for a significant portion of Freemobile’s customer base.
  • Attack Vector & Methodology: The incident is a data breach, indicating unauthorized access to Freemobile’s user and financial databases.
  • Associated Threat Actor(s): The threat actor is “checkmyyuser.” This name appears to be a generic term or part of a URL in the provided intelligence and is not identified as a distinct, established threat actor group.32, 33, 34, 35
  • Further Reading & Evidence:

Taken together, these incidents highlight a critical observation: basic weaknesses and human error remain primary attack vectors even against the backdrop of advanced threat actor capabilities. Where an intrusion succeeds against an unpatched or misconfigured system, it demonstrates that, despite the rise of AI-powered threats and highly sophisticated adversaries, fundamental cybersecurity hygiene gaps remain the points of least resistance. “Low-hanging fruit” vulnerabilities continue to attract even less sophisticated actors,16 underscoring the enduring importance of robust patching policies and basic security controls.

III. In-Depth Threat Actor Profiles

Understanding the characteristics of various threat actors is crucial for developing effective defense strategies. The following table provides a concise reference for the different types of adversaries operating in the current threat landscape, helping security professionals quickly grasp their core characteristics, motivations, and operational methods. This structured overview of the diverse adversary landscape facilitates better threat modeling and defense planning.

Threat Actor Name/Alias | Type | Primary Motivation | Notable TTPs | Common Targets
--- | --- | --- | --- | ---
Anonymous | Hacktivist Collective | Anti-cyber-surveillance, anti-cyber-censorship, internet activism, vigilantism | DDoS attacks, large-scale data leaks, psychological operations | Governments, government institutions, corporations, organizations accused of censorship/corruption
Z-PENTEST ALLIANCE | Hacktivist Group (Pro-Russian) | Geopolitical (weaken Western ICS/SCADA, strengthen Russian influence) | Exploiting zero-day vulnerabilities, social engineering, videos showcasing access, collaboration with other groups | Critical infrastructure (energy, water, oil), NATO-aligned nations, Ukraine supporters
Dark Storm Team | Hacking Group | Political ideology, financial gain (hackers-for-hire) | Orchestrates significant outages, vocal about political motivations, no ransom demands | Israeli hospitals, US airports, government websites, critical infrastructure supporting Israel
Sandworm / Seashell Blizzard (APT44) | State-Sponsored APT (Russian GRU) | Espionage, cyber warfare, disruptive operations, psychological operations | Destructive malware (NotPetya), spear phishing, exploiting software vulnerabilities, “Living on the Edge/Land,” Android malware (Infamous Chisel), hacktivist personas | Ukraine, NATO-aligned nations, Western electoral systems, critical infrastructure, journalists, civil society organizations
FLYING KITTEN | State-Sponsored Threat Actor (Iranian) | Espionage (credential theft, malware delivery) | Domain spoofing, fake login pages for credential theft, malware delivery | U.S.-based defense contractors, political dissidents
FunkSec & Sentap | Ransomware Group | Financial gain (ransom payments) | “FunkLocker” ransomware (Rust, multiple encryption methods), rapid disclosure of damages, selling access to compromised websites | Government and corporate entities (no specific industry preference)
TengkorakCyberCrew | Hacktivist Group | Cyber activism, Palestinian advocacy, physical protests | Reporting on banking trojans, linking online actions with offline political movements | Latin American financial institutions, entities opposed to their political advocacy
Joker / JokerSpy | Malware Family (Unknown Adversary) | Data exfiltration, financial gain, espionage | Android: SMS/OTP extraction, automated user interaction, credit card theft; macOS: novel spyware, cross-platform backdoors, trojanized QR code generators, system info collection | Android mobile users (EU, Asia), organizations with macOS devices, developers
Eternity Project (MaaS) | Commercial Cybercrime Venture | Financial gain (sale of malicious modules) | Offers modular malware (stealer, miner, clipper, ransomware, worm), repurposes GitHub code | Broad (buyers target victims based on chosen module)
Nobelium | State-Sponsored APT (Russian) | Intelligence gathering, political objectives | Sophisticated supply chain attacks, phishing emails with malicious links (NativeZone backdoor) | Government agencies, think tanks, consultants, NGOs, human rights organizations, vaccine developers, electoral systems
Skira | Ransomware Group | Financial gain (ransom payments, double extortion) | Tor-based Data Leak Site (DLS), negotiation via secure channels (Session), selling confidential government data | Diverse organizations (real estate, consumer goods, consulting, government offices)
Scattered Spider | Cybercrime Crew | Financial gain | Highly adept at social engineering (help desks, employees), bribing support staff, rapid target shifting | Cryptocurrency theft, BPOs, UK/US retailers, large cryptocurrency exchanges
TheWizards | State-Sponsored Threat Actor (Chinese) | Espionage, remote access, data exfiltration | SLAAC spoofing attacks (Spellbinder tool), redirecting DNS queries, trojanized software updates (WizardNet backdoor) | Organizations in China, Hong Kong, Philippines, UAE

Detailed Threat Actor Analysis:

This section provides a detailed examination of prominent threat actors and their operational methodologies, drawing from recent intelligence.

  • Anonymous
    Anonymous is a decentralized international activist and hacktivist collective that emerged around 2003, characterized by its “anarchic” and “hivemind” nature.4 Members, often referred to as “anons,” commonly wear Guy Fawkes masks in public to symbolize their anonymity and their leaderless organization.4 Their primary motivations are deeply rooted in anti-cyber-surveillance, anti-cyber-censorship, internet activism, and vigilantism.4 They typically target governments, government institutions, corporations, and organizations they accuse of censorship, corruption, or harmful practices, often aligning with global movements like Occupy and the Arab Spring.4
    Anonymous is known for various cyberattacks, including Distributed Denial of Service (DDoS) attacks 4 and large-scale data leaks. A notable campaign involved claiming responsibility for a massive cyberattack on Russia, releasing 10TB of sensitive data as part of their “cyber war” in defense of Ukraine.6 This leaked information allegedly included details on Russian businesses, Kremlin assets, pro-Russian officials, and even purported information related to Donald Trump.6 The group also targeted the Turkish government in response to perceived censorship.4 The decentralized nature of Anonymous, lacking a single leader, makes coordinated tracking and attribution of their actions challenging.4 Their actions, while often driven by activism, can have significant real-world impact, blurring the lines with more destructive forms of cyber warfare and demonstrating capabilities in large-scale data exfiltration.
  • Z-PENTEST ALLIANCE
    The Z-PENTEST ALLIANCE first appeared in October 2023, with probable origins in Serbia and close ties to pro-Russian actors.9 This group operates in a decentralized and anonymous manner, posing significant challenges for authorities attempting identification and tracking.9 Their primary motivation is geopolitical, aiming to weaken industrial and control systems (ICS/SCADA) in Western countries. This strategy is designed to strengthen Russia’s geopolitical influence by exploiting the technological vulnerabilities of its perceived adversaries.9
    The group is distinguished by its specialized ability to penetrate Operational Technology (OT) in critical infrastructures.9 Their operational methodology involves exploiting zero-day vulnerabilities, often utilizing information obtained from the dark web or through collaborations with other groups like SECTOR16, OverFlame, and People’s Cyber Army (PCA).9 They also employ social engineering techniques to acquire sensitive information or system access, and notably, they release videos showcasing their access to critical systems to instill fear and uncertainty in their victims.9 Z-PENTEST ALLIANCE was among the most active pro-Russian hacktivists in the first quarter, alongside groups such as NoName057(16) and Hacktivist Sandworm, primarily targeting NATO-aligned nations and Ukraine supporters.10 They pose a significant threat of coordinated cyberattacks on European energy grids, which could lead to widespread blackouts, and disruptions to water and oil distribution systems.9 Their specialized focus on OT/ICS and strategic collaborations indicate a highly sophisticated and coordinated approach to cyber warfare, with the potential for significant physical disruption.
  • Dark Storm Team
    The Dark Storm Team is a hacking group founded in 2023.36 Their primary motivations are a blend of political ideology and financial gain, as they explicitly state their political stance (“We will attack any country […] that supports the occupying entity”) while also advertising themselves as “hackers-for-hire”.36
    This group orchestrates cyberattacks, including those capable of causing significant outages, such as the claimed attack on Elon Musk’s X platform.36 They are vocal about their political motivations and typically do not demand ransoms after their attacks.36 Historically, the Dark Storm Team has targeted Israeli hospitals, US airports, government websites, and other critical infrastructure services.36 Their targeting patterns focus on entities perceived as supporting Israel, including critical infrastructure. The combination of strong political ideology with a “for-hire” model suggests a pragmatic approach to funding or expanding their operations, potentially making them more adaptable and persistent in their malicious activities.
  • Sandworm / Seashell Blizzard (APT44, Telebots, Voodoo Bear, IRIDIUM, Iron Viking)
    Sandworm, also known as Seashell Blizzard, is an advanced persistent threat (APT) group operated by Military Unit 74455, a cyberwarfare unit of the GRU, Russia’s military intelligence service.37, 31 This sophisticated Russian state-sponsored actor has been operational since at least 2009.37, 31 Their primary motivations are state-sponsored espionage, cyber warfare, and disruptive operations aimed at furthering Russian geopolitical objectives. They also engage in psychological operations to manipulate information and create perceptions of insecurity.31
    Sandworm is notorious for deploying destructive malware, such as NotPetya, conducting spear phishing campaigns, and exploiting software vulnerabilities like CVE-2014-4114 and CVE-2019-10149.37, 31 Their tactics include “Living on the Edge,” which involves gaining and regaining access through compromised edge infrastructure, and “Living Off the Land,” utilizing native tools for reconnaissance and lateral movement within targeted networks.31 They have developed specialized Android malware, “Infamous Chisel,” for data exfiltration from Ukrainian military devices.37 Furthermore, they are known to create hacktivist personas, such as ‘CyberArmyofRussia_Reborn,’ to claim or exaggerate the effectiveness of their campaigns for psychological impact.31 Historically, Sandworm is responsible for the 2015 and 2016 Ukraine power grid cyberattacks, the 2017 NotPetya attacks, interference in the 2017 French presidential election, and the cyberattack on the 2018 Winter Olympics opening ceremony.37 Their cyber campaigns have been described as “the most destructive and costly cyber-attacks in history”.37 Their targeting patterns primarily focus on Ukraine, NATO-aligned nations, Western electoral systems, critical infrastructure (electrical utilities), journalists, and civil society organizations perceived as related to the Russian government.37, 31 The group continuously develops new malware and adapts its tactics, including the sophisticated use of psychological operations, demonstrating a comprehensive approach to cyber warfare.
  • FLYING KITTEN
    FLYING KITTEN is an Iranian threat actor, tracked by CrowdStrike Intelligence since mid-January 2014.25 Their primary motivations are state-sponsored espionage, focusing on credential theft and malware delivery, likely for intelligence gathering purposes.25
    Their operational modus operandi involves combining credential theft and malware delivery. A key tactic includes registering domains that spoof the names of targeted organizations and then hosting fake login pages on these sites to steal credentials.25 A notable attribution mistake by this actor involved using [email protected] as a registrant email for some of their malicious domains, which provided a trail for researchers.25 Historically, FLYING KITTEN has targeted multiple U.S.-based defense contractors and political dissidents.25 Their targeting patterns encompass defense contractors, political dissidents, and potentially other entities across various sectors through sophisticated domain spoofing and social engineering.25 This group demonstrates persistence and a strong focus on sophisticated social engineering combined with technical compromise, indicating a well-resourced and adaptive espionage capability.
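
The domain-spoofing tactic described above is one a defender can watch for directly: new registrations that imitate an organization's own domain are the precursor to the fake login pages. The script below is an added example for this report, not FLYING KITTEN tooling and not from the cited research. It generates the common lookalike classes for a brand domain and classifies a feed of recent registrations against them. The brand `acmedefense.com` and the registration list are constructed placeholders, and the domain split assumes a single-label TLD (it would need a public-suffix list to handle names like `.co.uk`).

```python
"""Flag newly registered domains that look like an organization's domain.

Added example, not from the report and not FLYING KITTEN tooling: the brand
domain and the 'new registrations' feed below are constructed for illustration.
"""

# ASCII-only confusable substitutions that survive in a DNS label.
CONFUSABLES = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "m": ["rn"], "w": ["vv"], "e": ["3"]}

# Constructed feed of recent registrations (not real data).
NEW_REGISTRATIONS = [
    "acmedefense-login.com",   # brand plus a lure word
    "acmedefence.com",         # one-character typo
    "acrnedefense.com",        # "rn" masquerading as "m"
    "acmedefense.net",         # same name, different TLD
    "acme-defense.com",        # hyphen inserted
    "acmedefense.com",         # the organization's own domain
    "bakery.example",          # unrelated
    "ACMEDEFENSESUPPORT.CO.",  # affix, upper case, trailing dot
]


def split_domain(domain: str):
    """Return (sld, tld) after normalizing; assumes a single-label TLD (not .co.uk)."""
    domain = domain.strip().rstrip(".").lower()
    sld, _, tld = domain.rpartition(".")
    return sld, tld


def homoglyph_variants(label: str) -> set:
    """Every label obtained by swapping one character for an ASCII look-alike."""
    out = set()
    for i, ch in enumerate(label):
        for sub in CONFUSABLES.get(ch, []):
            out.add(label[:i] + sub + label[i + 1:])
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row so memory stays linear."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, brand: str):
    """Return the lookalike class for candidate, or None if it does not resemble brand."""
    c_sld, c_tld = split_domain(candidate)
    b_sld, b_tld = split_domain(brand)
    if (c_sld, c_tld) == (b_sld, b_tld):
        return None                                  # the organization's own domain
    if c_sld == b_sld:
        return "tld-swap"
    if c_sld in homoglyph_variants(b_sld):
        return "homoglyph"
    if c_sld.replace("-", "") == b_sld:
        return "hyphenation"
    if b_sld in c_sld:
        return "affix"                               # login-, secure-, -portal, -support
    if edit_distance(c_sld, b_sld) <= 2:
        return "typo"                                # catches variants no table lists
    return None


def scan(registrations, brand: str):
    """Return [(normalized_domain, class)] for every registration that resembles brand."""
    hits = []
    for d in registrations:
        kind = classify(d, brand)
        if kind:
            hits.append((d.strip().rstrip(".").lower(), kind))
    return hits


if __name__ == "__main__":
    for domain, kind in scan(NEW_REGISTRATIONS, "acmedefense.com"):
        print(f"{kind:12} {domain}")
```

The checks are ordered from most to least specific so that a name matched by an exact permutation class is not reported as a generic typo. In practice the registration feed comes from certificate transparency logs or a zone-file diff, and the hits are queued for a WHOIS/DNS look and, where a login page is already live, a takedown request.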
  • FunkSec & Sentap
    FunkSec is a ransomware group that emerged in early December 2024, although its activities began in October 2024.28 “Sentap” is explicitly identified as one of its four claimed members, alongside “Scorpion,” “el farado,” and “MRZ”.28 The primary motivation for FunkSec is financial gain through ransomware operations.28
    The group utilizes “FunkLocker” ransomware, which is developed in Rust and claims to employ multiple encryption methods, including RSA, AES, Orion, and Chacha.28 They assert to have breached a significant number of government and corporate websites, though some of the leaked data appears to be recycled from past hacktivist campaigns.28 FunkSec rapidly gained prominence, disclosing over 85 cases of damage in a short period and demonstrating aggressive behavior by selling access to 15 government websites within their first month of activity.28 Their targeting patterns include government and corporate entities, without a specific industry preference, often focusing on those with insufficient security or perceived ability to pay ransom.27 The rapid rise of FunkSec, their use of custom ransomware, and their named membership indicate a well-organized and capable cybercriminal enterprise that is quickly establishing its presence in the ransomware landscape.
  • TengkorakCyberCrew
    TengkorakCyberCrew is identified as a hacktivist group.12 Their primary motivation involves combining cyber activism with physical protests, with a strong focus on Palestinian advocacy.12
    The group has been involved in reporting on, and potentially spreading, banking trojans such as the Mekotio banking trojan.12 Their activities are designed to broaden their international reach and amplify their message by linking online actions with offline political movements.12 TengkorakCyberCrew was noted for reporting on the Mekotio banking trojan affecting Latin American financial institutions, including in Mexico.12 They are listed as a notable hacktivist group alongside RipperSec and EagleCyberCrew. Their targeting patterns include Latin American financial institutions and, as today’s defacements in India, Bangladesh and Australia show, any web property that is exposed and aligns with their political advocacy.12 The blend of cyber and physical activism employed by TengkorakCyberCrew aims for both digital disruption and real-world mobilization, indicating a deliberate approach to achieving their ideological goals.
  • Joker / JokerSpy
    “Joker” and “JokerSpy” refer to families of sophisticated malware rather than specific threat actor groups, operated by unknown adversaries.29, 30 The primary motivations behind these malware operations are data exfiltration, financial gain (including money stealing and credit card information theft), and potentially espionage, as nation-states are known to target mobile platforms for such activities.30
    The operational methodologies differ between the two families. Joker (Android) malware masquerades as legitimate mobile applications on the Google Play store. Once installed, it conducts various malicious activities, including SMS/OTP extraction, automated user interaction, JavaScript command injection, and phone book contact extraction.30 It is designed to hide within advertisement frameworks to evade detection and can steal credit card information.30 JokerSpy (macOS) uses novel spyware, cross-platform backdoors, and open-source reconnaissance tools. It has been linked to trojanized QR code generators (“QRLog”) that open reverse shells on infected devices.29 This variant employs Python backdoors to collect system information, such as username, hostname, and OS version, and monitors user activity, including idle time, active applications, and screen status.29 Initial access for JokerSpy may occur via malicious plugins or dependencies in development tools.29 Joker malware has been active since at least 2020, primarily targeting EU and Asian regions.30 JokerSpy intrusions reveal adversaries capable of writing functional malware across multiple programming languages (Python, Java, and Swift) and targeting multiple operating system platforms.29 Their targeting patterns include Android mobile users (particularly in the EU and Asia) and organizations with macOS devices, potentially reaching developers through compromised development tools.29, 30 The development of cross-platform variants and sophisticated evasion techniques, such as hiding in ad frameworks, dynamic loading, and monitoring user idle time, demonstrates continuous adaptation and advanced capabilities in information stealing and espionage.
  • Eternity Project (MaaS)
    The Eternity Project is a modular Malware-as-a-Service (MaaS) offering promoted on Telegram channels and Tor sites, first reported in 2022.40 It is a commercialized cybercrime venture rather than a single threat actor group, selling tooling for a range of malicious activities to other cybercriminals. Its primary motivation is financial gain through the sale of these modules.40
    The Eternity Project sells its modules individually on a subscription basis. These include the Eternity Stealer (which harvests passwords, cookies, credit cards, and cryptocurrency wallets from a wide range of applications), the Eternity Miner (silent Monero mining), the Eternity Clipper (which watches the clipboard for cryptocurrency wallet addresses and silently replaces them with the operator’s own), the Eternity Ransomware (encryption of documents, photos, and databases, with a payment deadline), and the Eternity Worm (self-propagation via USB drives, local network shares, cloud drives, and messaging apps).40 The project often repurposes code from existing GitHub repositories.40 Its emergence signals a “significant increase in cybercrime through Telegram channels and cybercrime forums,” indicating a growing market for readily available malicious tooling.40 Its targeting is broad by design: buyers choose the module and therefore the victim profile. The project exemplifies the commoditization of cybercrime tooling, lowering the barrier to entry for less skilled attackers and enabling a wider array of malicious activity across the criminal ecosystem.
  • Nobelium
    Nobelium is a sophisticated threat actor originating from Russia, widely recognized as the same entity behind the SolarWinds attacks.17 Their primary motivations are intelligence gathering and achieving political objectives for the Russian state.17
    Nobelium is known for sophisticated supply chain attacks, which involve gaining access to trusted technology providers, such as software update mechanisms or mass email providers like Constant Contact, to then infect their customers.17 They distribute phishing emails that appear authentic but contain malicious links, which, when clicked, insert a backdoor (e.g., NativeZone) used for data exfiltration and network compromise.17 Historically, Nobelium was responsible for the 2020 SolarWinds attacks and subsequent phishing campaigns targeting approximately 3,000 email accounts at over 150 government agencies, think tanks, consultants, and non-governmental organizations across at least 24 countries.17 Their activities often align with Russian geopolitical concerns, with past targets including human rights organizations, vaccine developers, and electoral systems.17 This group demonstrates a persistent and highly resourced approach to espionage, continuously adapting its methods to compromise trusted entities for broader access and intelligence collection.
  • Skira
    Skira is a newly emerging ransomware group that operates a “double extortion” model and maintains a minimalist Tor-based Data Leak Site (DLS).27 It is believed to be affiliated with “R00TK1T,” a group known for targeting government and corporate entities.13 Skira’s primary motivation is financial gain through ransom payments, with the threat of leaking stolen data if demands are not met.27
    Operationally, Skira uses its DLS to claim responsibility for attacks and list victims, and it directs negotiation to secure messaging channels such as Session.27 Technical details about the ransomware payload itself remain scarce, but the victim list and negotiation channels indicate a structured operation.27 The group is also active on dark web forums such as “DarkForums,” where it offers confidential government data for sale; it posted multiple such listings between April 18 and 24.13 Its targeting shows no particular industry preference, focusing instead on entities with weak security or those judged able to pay to prevent exposure of sensitive data. Victims so far include real estate and consumer goods companies in India, regulatory consulting firms in the USA, and a government office in Turkey.27 Skira is a new entrant to an already crowded ransomware market, illustrating the continued proliferation of such groups and the now-standard adoption of double extortion.
  • Scattered Spider
    Scattered Spider is a loosely knit cybercrime crew, characterized by its amorphous nature, with members frequently joining and leaving.7 Their primary motivation is financial gain, and they have a history of rapidly shifting targets and industries.7
    This group is highly adept at social engineering, particularly at convincing help desks, company employees, or other individuals to disregard their own policies.7 They leverage “insider knowledge” about various sectors and have been known to bribe support staff.7 Historically, Scattered Spider focused on cryptocurrency theft and business process outsourcers (BPOs). More recently, they have targeted UK and US retailers and large cryptocurrency exchanges (Binance, Kraken) using similar social engineering tactics.7 Their tendency to shift industries makes them a dynamic threat.7 Because they primarily exploit human rather than technical weaknesses, they routinely bypass traditional security controls. Defensively, help desk identity verification for password and MFA resets should rest on out-of-band checks rather than on knowledge a caller can gather or purchase, and support staff should have no way to waive that procedure under pressure.
  • TheWizards
    TheWizards is a Chinese threat actor, assessed by cybersecurity researchers ESET to be aligned with the Chinese government.38 Their primary motivations are espionage and gaining remote access to victim devices for data exfiltration.38
    This group conducts “SLAAC spoofing” attacks, observed since 2022. They use a tool called “Spellbinder” to send forged IPv6 Router Advertisement (RA) messages, causing hosts on the local segment to auto-configure an attacker-controlled prefix and default route so that traffic flows through the attacker’s machine (an adversary-in-the-middle position).38 Once in that position, they intercept DNS queries for legitimate software update domains and answer with attacker-controlled addresses, so victims download trojanized updates carrying the “WizardNet” backdoor for remote access.38 Because most operating systems accept RAs by default, the technique works even on networks that only use IPv4 in production; practical countermeasures include RA Guard on access switches, disabling IPv6 where it is genuinely unused, and update channels that verify signed binaries rather than trusting whatever DNS returns. TheWizards’ targeting has primarily focused on organizations in China, Hong Kong, the Philippines, and the UAE.38 Their use of network-level manipulation to hijack software updates demonstrates a sophisticated and stealthy route to persistent access and malware distribution, indicating a high level of technical proficiency and strategic intent.
  • Unrecognized Threat Actors:
    Several of the names under review are not identified as distinct, established threat actor groups within the available intelligence.
  • “MdHackersArmy” is not found as a distinct group in the available reporting.8, 31
  • “Z3roDay” is not identified as a distinct threat actor group; “zero-day” refers to a type of vulnerability.
  • “decojo4605” is not identified as a distinct, established threat actor group.
  • “Gasan” appears in the context of an insurance company and of general threat actor discussion, not a specific group.14, 15, 16
  • “namolesa” is not identified as a distinct, established threat actor group.
  • “Jack_back” is associated with the “ScreamedJungle” campaign, not a distinct group.18
  • “Buddha12” appears only in philosophical or religious contexts and is not identified as a threat actor.20, 21, 22
  • “Tunisian Maskers Cyber Force” is not identified as a distinct group, though Tunisia is mentioned in the context of cyber exercises and of Anonymous.4, 23, 39, 40
  • “info_usa” is not identified as a distinct group.24, 25
  • “F13” is not identified as a distinct group; the surrounding context relates to financially motivated hacking and AI in cybersecurity.26, 38
  • “ZEROLEGIONCREWINDONESIAN” is not identified as a distinct, established threat actor group.
  • “Skivon” is not identified as a distinct threat actor; “Skira” is a known ransomware group.27, 41
  • “Cypher404x” is not found as a distinct group in the available reporting.
  • “joker009” is not identified as a distinct threat actor group; “Joker” and “JokerSpy” are malware families.29, 30
  • “shellshop” is not identified as a distinct group; “Seashell Blizzard” is an alias for Sandworm.31
  • “checkmyyuser” appears to be a generic term or part of a URL, not a threat actor.32, 33, 34, 35

In cases where specific threat actor names are not recognized, analysis focuses on the type of actor (e.g., “unsophisticated cyber actor(s)” 16) or the methodology employed if context allows. This highlights the dynamic nature of the threat landscape, where new entities emerge, or existing ones operate under various aliases, sometimes making direct attribution challenging without further intelligence.
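The SLAAC spoofing technique attributed to TheWizards above is easiest to understand at the packet level. The following is an added example, not code from the page or from ESET’s research: it builds Router Advertisement bodies (RFC 4861, with the RDNSS option of RFC 8106) for a legitimate router and for a Spellbinder-style rogue, parses them, and flags advertisements that come from an unlisted router, push an unexpected resolver, or claim High router preference. The link-local addresses, prefixes and resolver addresses are constructed for the example; the ICMPv6 checksum is left zero because it covers the IPv6 pseudo-header, which this example does not model.

```python
"""Decode IPv6 Router Advertisements and flag rogue ones (added example)."""
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (RFC 4861 s4.6.2)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)
PRF_HIGH = 1             # Router preference bits 01 = High (RFC 4191)


def build_ra(prefix, dns_servers, prf=0, router_lifetime=1800):
    """Build an RA body (ICMPv6 header + options); checksum deliberately 0."""
    net = ipaddress.IPv6Network(prefix)
    flags = (prf & 0x3) << 3                       # M, O, H, Prf(2 bits), P
    body = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, flags,
                       router_lifetime, 0, 0)
    # Prefix Information: L|A flags set, valid 30 days, preferred 7 days
    body += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns_servers:
        body += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 3600)
        body += b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers)
    return body


def parse_ra(payload):
    """Decode the RA header and the two options that matter for SLAAC hijacking."""
    if len(payload) < 16:
        raise ValueError("RA body shorter than 16 bytes")
    msg_type, code, _csum, _hlim, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": lifetime, "prf": (flags >> 3) & 0x3,
          "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        size = opt_len * 8                         # option length is in 8-byte units
        if opt_len == 0 or off + size > len(payload):
            raise ValueError("malformed option at offset %d" % off)
        opt = payload[off:off + size]
        if opt_type == OPT_PREFIX_INFO and size == 32:
            ra["prefixes"].append("%s/%d" % (ipaddress.IPv6Address(opt[16:32]), opt[2]))
        elif opt_type == OPT_RDNSS and size >= 24:
            for i in range(8, size, 16):           # addresses start after 8-byte header
                ra["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += size
    return ra


def find_rogue_ras(observed, known_routers, expected_dns):
    """observed: iterable of (source link-local address, RA body bytes).
    Returns [(source, [reasons])] for RAs that should not be on the segment."""
    findings = []
    for src, payload in observed:
        ra = parse_ra(payload)
        reasons = []
        if src not in known_routers:
            reasons.append("RA from unlisted router %s" % src)
        unexpected = [d for d in ra["dns"] if d not in expected_dns]
        if unexpected:
            reasons.append("RDNSS advertises unexpected resolver(s): " + ", ".join(unexpected))
        if ra["prf"] == PRF_HIGH and src not in known_routers:
            reasons.append("High router preference from unlisted source")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample (assumed addresses): one legitimate router and one
# Spellbinder-style rogue advertising its own prefix, resolver and High preference.
KNOWN_ROUTERS = {"fe80::1"}
EXPECTED_DNS = {"2001:db8:1::53"}
SAMPLE_RAS = [
    ("fe80::1", build_ra("2001:db8:1::/64", ["2001:db8:1::53"])),
    ("fe80::dead:beef", build_ra("2001:db8:bad::/64", ["2001:db8:bad::1"], prf=PRF_HIGH)),
]

if __name__ == "__main__":
    for src, reasons in find_rogue_ras(SAMPLE_RAS, KNOWN_ROUTERS, EXPECTED_DNS):
        print(src, "->", "; ".join(reasons))
```

On a real segment the RA bodies would come from a packet capture filtered on ICMPv6 type 134, and the list of known routers from the switch or DHCP inventory; the check is the same. Note that the rogue RA needs nothing beyond link-local reach, which is why RA Guard at the access layer, not host hardening alone, is the control that actually stops it.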

IV. Emerging Threat Landscape & Strategic Implications

The cybersecurity landscape is in a constant state of flux, driven by technological advancements and evolving geopolitical dynamics. Several overarching trends are shaping the nature of cyber threats.

  • The AI-Powered Threat Evolution:
    Artificial Intelligence (AI) is rapidly transforming the cybersecurity landscape, acting as both a powerful defensive tool and a significant enabler for malicious actors.1, 2 The emergence of “zero-knowledge threat actors” marks a shift in which sophisticated attacks are no longer confined to highly skilled individuals. AI tools let novices create advanced malware, design convincing social engineering campaigns, identify vulnerabilities, and automate multi-stage attacks.1 The result is growth in both the volume and the effectiveness of attacks from less skilled adversaries. AI lowers the entry barrier for cybercrime, so that even people with “no hacking experience or technical expertise” can launch attacks, increasing both the pool of potential attackers and the frequency of attacks.1 At the same time, AI’s ability to automate and refine malicious activity means these attacks are also more effective and harder to detect, not just more numerous.
    This acceleration directly affects attack speed, with “breakout times now often under an hour”.2 The reported 108% surge in phishing attacks since the rise of generative AI is a clear indicator of this trend.2 AI guardrails exist but are not foolproof, and attackers are constantly looking for ways around them.1 This intensifies the “AI arms race” in cybersecurity: organizations need AI for defense while also proactively testing against AI-powered attacks. With AI increasingly powering defense, and with “AI Red Teaming” and “Holistic Security” among the recommendations,1, 2 a feedback loop is established in which offensive AI capability drives the need for defensive AI. Organizations that do not adopt AI in their defense strategies will be at a severe disadvantage against AI-empowered adversaries, making this a critical investment and strategic imperative.
  • Critical Infrastructure Under Persistent Threat:
    Critical infrastructure sectors, particularly energy (oil and gas) and water systems, remain under persistent and strategic threat. Groups like Z-PENTEST ALLIANCE explicitly target Operational Technology (OT) and Industrial Control Systems (ICS/SCADA) to manipulate critical functions such as water pumping and gas distribution.9 The motivation behind these attacks is often geopolitical, aiming to weaken Western countries and strengthen geopolitical influence.9 This strategic targeting of essential services poses a direct threat to national and economic security, with the potential for widespread blackouts and service interruptions.9
    This ongoing targeting underscores a significant implication: the attacks on critical infrastructure are not merely financially motivated but are increasingly driven by state-sponsored or geopolitically aligned actors. This necessitates specialized defenses that go beyond traditional IT security to address the unique vulnerabilities of OT environments. The blend of hacktivism and cybercriminal methodologies further complicates the threat landscape. While some groups may claim hacktivist motivations, their methods often overlap with those of cybercriminals, including the use of ransomware and data exfiltration for financial gain.10 This convergence requires a comprehensive understanding of adversary motivations and capabilities to develop robust, sector-specific defense strategies.
  • The Blurring Lines Between Cybercrime and Geopolitics:
    The traditional distinction between financially motivated cybercrime and state-sponsored cyber warfare is increasingly becoming blurred. Financially motivated groups may align their activities with state interests, either directly or indirectly, or state-sponsored actors may leverage cybercriminal tools and tactics to achieve their objectives. For example, groups like Sandworm (Seashell Blizzard) are known to pursue psychological operations by creating hacktivist personas on Telegram to claim or exaggerate the effectiveness of a campaign, thereby manipulating public perception.31 Similarly, the discovery of a novel backdoor (Sheriff backdoor) hosted on a popular Ukrainian news portal, with indicators pointing to Russia-based threat actors, suggests the abuse of trusted domains to stage malware without raising suspicion, blending espionage with opportunistic compromise.33
    This convergence creates a complex attribution challenge, as the true orchestrators and their ultimate motivations can be obscured. The implication is that organizations must adopt an integrated intelligence approach, moving beyond siloed threat intelligence to understand the broader geopolitical context and potential state backing behind seemingly criminal acts. This requires enhanced collaboration between government agencies and private sector organizations to improve overall situational awareness and develop collective defense strategies against evolving hybrid threats.39, 42
  • The Commoditization of Cybercrime:
    The proliferation of Malware-as-a-Service (MaaS) offerings, such as the Eternity Project, represents a significant trend in the commoditization of cybercrime.40 These platforms offer a range of malicious modules, from info-stealing to ransomware, available by subscription on dark web forums and Telegram channels.40 This lowers the barrier to entry for less skilled attackers, allowing individuals with minimal technical expertise to acquire and deploy tooling that was once the exclusive domain of advanced groups.
    The implication of this trend is a projected increase in the volume and frequency of cyberattacks. With readily available tools, a wider array of malicious activities becomes accessible to a larger pool of individuals. This underscores the critical and enduring need for fundamental security hygiene across all organizations. Even as advanced threats evolve, basic measures such as robust patching, multi-factor authentication, and comprehensive employee awareness training remain paramount.1, 16 Without these foundational defenses, organizations remain exposed to the growing wave of commoditized threats, regardless of how sophisticated the individual operator is.
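One of the commoditized modules discussed above, the Eternity Clipper, has a behaviour that is simple to describe and simple to look for: a wallet address lands on the clipboard and is overwritten moments later with a different address of the same type by a process that is not the one the user was working in. The following is an added example, not code from the page or from any vendor: a detector for that swap pattern run over constructed clipboard telemetry. The event format (timestamp, writing process, text), the process names and the addresses are assumptions; real telemetry of this shape would come from an EDR or monitoring agent that hooks clipboard writes.

```python
"""Flag clipboard swaps of cryptocurrency addresses (added example)."""
import re
from collections import namedtuple

ClipEvent = namedtuple("ClipEvent", "ts process text")   # ts in seconds

# Loose syntactic checks, enough to recognise address-shaped strings.
ADDRESS_TYPES = {
    "BTC": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}


def address_type(text):
    """Return the coin type for an address-shaped string, else None."""
    text = text.strip()
    for name, pattern in ADDRESS_TYPES.items():
        if pattern.match(text):
            return name
    return None


def detect_clipper(events, window=5.0):
    """A swap is: an address of type T written by process A, then within
    `window` seconds a different address of the same type written by a
    different process. Returns [(suspect_process, original, replacement)]."""
    alerts = []
    last = None                          # most recent address-bearing event
    for ev in sorted(events, key=lambda e: e.ts):
        kind = address_type(ev.text)
        if kind is None:
            last = None                  # a non-address copy breaks the chain
            continue
        if (last is not None
                and last[0] == kind
                and ev.ts - last[1].ts <= window
                and ev.process != last[1].process
                and ev.text.strip() != last[1].text.strip()):
            alerts.append((ev.process, last[1].text, ev.text))
        last = (kind, ev)
    return alerts


# Constructed telemetry (assumed process names and addresses): the user copies
# a BTC address from the browser and an unknown helper process rewrites it
# 300 ms later; the text copy and the later ETH copies are benign.
SAMPLE_EVENTS = [
    ClipEvent(0.0, "chrome.exe", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ClipEvent(0.3, "svchelper.exe", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(30.0, "chrome.exe", "Meeting notes for Thursday"),
    ClipEvent(31.0, "chrome.exe", "0x" + "ab" * 20),
    ClipEvent(120.0, "chrome.exe", "0x" + "cd" * 20),   # user copies another address
]

if __name__ == "__main__":
    for proc, orig, new in detect_clipper(SAMPLE_EVENTS):
        print("possible clipper: %s replaced %s with %s" % (proc, orig, new))
```

The time window and the “different process” condition are what keep the false positive rate down: users do copy several addresses in a row, but they do it from the application they are using, seconds apart, not from an unrelated binary 300 milliseconds later. Tune the window to the host’s clipboard write latency and feed the suspect process name into the usual file reputation and persistence checks.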

V. Conclusions and Recommendations

The current cybersecurity landscape is defined by rapid evolution, driven significantly by the pervasive influence of AI and the strategic targeting of critical infrastructure. The increasing sophistication of attack methodologies, coupled with the commoditization of cybercrime tools, presents a multifaceted challenge for organizations across all sectors. The lines between state-sponsored espionage and financially motivated cybercrime are increasingly blurred, demanding a more nuanced understanding of adversary motivations and capabilities.

To effectively navigate this complex environment, the following recommendations are critical:

  1. Enhance Employee Awareness and Training: Given the rise of AI-powered social engineering and the persistence of human error as an attack vector, continuous and updated training sessions are essential. These programs should inform employees about the growing risks of AI-powered threats, phishing, and other social engineering tactics. Running simulated AI attacks and fire drills can significantly improve alertness and vigilance.1
  2. Implement Holistic and AI-Powered Security Systems: Organizations should move beyond fragmented security tools to deploy end-to-end security systems, such as Secure Access Service Edge (SASE) solutions. These systems can monitor, detect, and analyze malicious signals across the entire IT infrastructure, including users, clouds, devices, and networks.1 Leveraging AI in cybersecurity defense is no longer optional; it is a necessity to reduce detection, response, and recovery times and to stay ahead of advanced attackers.2
  3. Conduct Regular AI Red Teaming and Stress Testing: For organizations that use or create AI tools, it is crucial to test these systems against malicious prompts and validate their vulnerability to “jailbreaking” or other forms of misuse. Investing time and resources to anticipate AI attacks and stress-test systems against those scenarios will bolster resilience.1
  4. Prioritize Patch Management and Vulnerability Remediation: The continued exploitation of unpatched systems highlights the critical importance of frequently patching systems and software. Keeping all tools and software on supported, fully patched versions, with the shortest remediation windows reserved for vulnerabilities known to be exploited, is a fundamental defense against adversaries seeking to exploit known weaknesses.1
  5. Strengthen Incident Response and Attack Readiness: A proactive and well-practiced incident response plan is vital. This plan should not only aim to minimize damage during an attack but also to strengthen organizational resilience against the unpredictability of AI-powered threats and sophisticated campaigns. Regular drills and updates to response protocols are necessary.1
  6. Adopt a Zero Trust Security Model and Multi-Factor Authentication (MFA): Implementing a zero trust security model, in which no user or device is inherently trusted, and enforcing multi-factor authentication across all accounts significantly reduces the risk of unauthorized access and lateral movement, especially against credential theft.16, 35 Given the help desk social engineering described for Scattered Spider, prefer phishing-resistant MFA (FIDO2 security keys or passkeys) over SMS and push-based factors, and apply the same out-of-band verification to MFA resets as to password resets.
  7. Enhance Threat Intelligence Capabilities and Collaboration: Organizations should invest in robust threat intelligence to understand the motivations, capabilities, and targeting patterns of various threat actors. Collaborative efforts with government agencies and private sector partners are essential for improving cybersecurity measures and enhancing overall situational awareness against evolving threats, particularly those with geopolitical motivations.39, 42

By adopting these comprehensive strategies, organizations can ensure preparedness for both current and future challenges in this new era of AI-powered cybercrime and complex geopolitical cyber warfare.

Works cited

  1. Cat Scratch Fever: CrowdStrike Tracks Newly Reported Iranian Actor as FLYING KITTEN, accessed May 21, 2025, https://www.crowdstrike.com/en-us/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/
  2. Title Sub-Title Author, accessed May 21, 2025, https://www.assiginack.ca/wp-content/uploads/2020/11/Library-Book-List-October-13.pdf
  3. A New Dark Actor Enters the Criminal Underground. Discovering Skira Ransomware, accessed May 21, 2025, https://www.redhotcyber.com/en/post/a-new-dark-actor-enters-the-criminal-underground-discovering-skira-ransomware/
  4. Weekly Darkweb in April W4 – S2W, accessed May 21, 2025, https://s2w.inc/en/resource/detail/815
  5. Refined Mindfulness Program Helps Weight Loss – Northwest Dharma Association, accessed May 21, 2025, https://northwestdharma.org/refined-mindfulness-program-helps-weight-loss/
  6. January 2025 Deep Web and Dark Web Trend Report – ASEC, accessed May 21, 2025, https://asec.ahnlab.com/en/86340/
  7. JokerSpy: Multi-Stage macOS Malware Targets Organizations – SentinelOne, accessed May 21, 2025, https://www.sentinelone.com/blog/jokerspy-unknown-adversary-targeting-organizations-with-multi-stage-macos-malware/
  8. X outage: Who are hackers ‘behind massive cyber attack’ on Elon Musk’s social media platform? – Sky News, accessed May 21, 2025, https://news.sky.com/story/x-outage-who-are-hackers-claiming-to-have-caused-massive-cyber-attack-on-elon-musks-social-media-platform-13326288
  9. Cybercrime – FBI, accessed May 21, 2025, https://www.fbi.gov/investigate/cyber
  10. Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition, accessed May 21, 2025, https://www.sentinelone.com/labs/ghostwriter-new-campaign-targets-ukrainian-government-and-belarusian-opposition/
  11. This Cybercrime Group Puts Its Hackers Through School – YouTube, accessed May 21, 2025, https://www.youtube.com/watch?v=3SQg_d7kofc
  12. Is Cyber Insurance Required?, accessed May 21, 2025, https://www.gasanmamo.com/blog/is-cyber-insurance-required/
  13. Z-PENTEST ALLIANCE – Cyber Intelligence Bureau – Orange Cyberdefense, accessed May 21, 2025, https://www.orangecyberdefense.com/fileadmin/global/CyberIntelligenceBureau/Gangs_Investigations/z-pentest/Z-Pentest_Alliance.pdf
  14. Agentic AI and ransomware: get ready for the next threat evolution | TechRadar, accessed May 21, 2025, https://www.techradar.com/pro/agentic-ai-and-ransomware-get-ready-for-the-next-threat-evolution
  15. Hacking groups are now increasingly in it for the money, not the chaos – TechRadar, accessed May 21, 2025, https://www.techradar.com/pro/security/hacking-groups-are-now-increasingly-in-it-for-the-money-not-the-chaos
  16. What is a Threat Actor? Types & Examples – SentinelOne, accessed May 21, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
  17. Another Nobelium Cyberattack – Microsoft On the Issues, accessed May 21, 2025, https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/
  18. PROSIDING – ISU 1/2022 – Digital Library Universitas Malikussaleh, accessed May 21, 2025, https://repository.unimal.ac.id/7688/1/1.%20PROSIDING%20ISU%201-2022%20Kolokium%20(KoPPEP@UKM)%20FEP%20UKM%20&%20FEB%20UNIMAL.pdf
  19. F13 – MACH37 Cyber Accelerator, accessed May 21, 2025, https://www.mach37.com/f13-1
  20. Navigating the Cyber Threat Landscape: A Comprehensive Report on Recent Attacks and Vulnerabilities in Mexico | CloudSEK, accessed May 21, 2025, https://www.cloudsek.com/blog/navigating-the-cyber-threat-landscape-a-comprehensive-report-on-recent-attacks-and-vulnerabilities-in-mexico
  21. Navigating the Tides of Cybersecurity: Trends and Insights (May 16th – May 31th, 2024), accessed May 21, 2025, https://foresiet.com/weekly-newsletter/navigating-the-tides-of-cybersecurity-trends-and-insights-16-05-2024-31-05-2024
  22. Joker Malware Threat Intel Advisory | Threat Intelligence – CloudSEK, accessed May 21, 2025, https://www.cloudsek.com/threatintelligence/joker-malware-threat-intel-advisory
  23. Unsophisticated Cyber Actor(s) Targeting Operational Technology – CISA, accessed May 21, 2025, https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology
  24. AI Giving Rise of the ‘Zero-Knowledge’ Threat Actor – SecurityWeek, accessed May 21, 2025, https://www.securityweek.com/ai-giving-rise-of-the-zero-knowledge-threat-actor/
  25. www.descope.com, accessed May 21, 2025, https://www.descope.com/blog/post/retail-cybersecurity#:~:text=Common%20retail%20cybersecurity%20threats,-The%20retail%20industry&text=Some%20of%20the%20most%20common,unauthorized%20access%20to%20user%20accounts.
  26. Netcraft Combines Forces with GASA and the GSE in the Fight Against Cybercrime, accessed May 21, 2025, https://www.netcraft.com/company/news/netcraft-gasa-global-signal-exchange-release
  27. Hacking group Anonymous claims massive cyberattack on Russia, releases 10TB leaked data – The Times of India, accessed May 21, 2025, https://timesofindia.indiatimes.com/technology/tech-news/hacking-group-anonymous-claims-massive-cyberattack-on-russia-releases-10tb-leaked-data/articleshow/120356677.cms
  28. IPv6 networking feature hit by hackers to hijack software updates – TechRadar, accessed May 21, 2025, https://www.techradar.com/pro/security/ipv6-networking-feature-hit-by-hackers-to-hijack-software-updates
  29. IBM X-Force Discovers New Sheriff Backdoor used to target Ukraine, accessed May 21, 2025, https://www.ibm.com/think/news/x-force-discovers-new-sheriff-backdoor-target-ukraine
  30. Know Your Enemy: Types of cybersecurity threat actors – Prey Project, accessed May 21, 2025, https://preyproject.com/blog/cybersecurity-threat-actors
  31. List of hacker groups – Wikipedia, accessed May 21, 2025, https://en.wikipedia.org/wiki/List_of_hacker_groups
  32. AI is the greatest threat—and defense—in cybersecurity today. Here’s why. – McKinsey, accessed May 21, 2025, https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today
  33. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 21, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
  34. IN THIS ISSUE: – Alliance Game Distributors, accessed May 21, 2025, https://www.alliance-games.com/downloads/202.pdf
  35. Threat Actor Activity Q1 2025 – Surefire Cyber, accessed May 21, 2025, https://www.surefirecyber.com/threat-actor-activity-q1-2025/
  36. Cyber lethality: Multidomain training enhances readiness at exercise African Lion 2025, accessed May 21, 2025, https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025
  37. Gasan Awad – CUInfoSecurity, accessed May 21, 2025, https://www.cuinfosecurity.com/authors/gasan-awad-i-5513
  38. Turkish Group Hacks Zero-Day Flaw to Spy on Kurdish Forces – BankInfoSecurity, accessed May 21, 2025, https://www.bankinfosecurity.com/turkish-group-hacks-zero-day-flaw-to-spy-on-kurdish-forces-a-28388
  39. Anonymous (hacker group) – Wikipedia, accessed May 21, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  40. Threat Actors Use Telegram to Spread ‘Eternity’ Malware-as-a-Service – Threatpost, accessed May 21, 2025, https://threatpost.com/telegram-spread-eternity-maas/179623/
  41. HETRODOX RELIGIOUS GROUPS AND THE STATE IN MING-QING CHINA by Gregory Scott A thesis submitted in conformity with the requiremen – Columbia University, accessed May 21, 2025, http://www.columbia.edu/~gas2122/thesis_final.pdf
  42. CISA Defends Critical Infrastructure With Early Cyber Alerts – BankInfoSecurity, accessed May 21, 2025, https://www.bankinfosecurity.com/cisa-defends-critical-infrastructure-early-cyber-alerts-a-28426