Executive Summary
The past 24 hours have seen a dynamic and active global cybersecurity landscape, marked by a diverse range of incidents including numerous data breaches, data leaks, initial access sales, and website defacements. Threat actors such as bulkpalace, Machine1337, OneERA, and Jack_back have been involved in significant data compromises affecting organizations across various sectors and countries, including Australia, USA, UK, Russia, and France. Education, financial services, and government administration sectors have been particularly impacted. Hacktivist groups like Tunisian Maskers Cyber Force, Elite Squad, Team 1722, JAKARTA CYBER WHITE, GARUDA ERROR SYSTEM, KAL EGY 319, INDOHAXSEC, DieNet, STORMOUS, Shadow Empire, GoldRabbitMaghreb, and MdHackersArmy continue to leverage cyber operations for ideological or financial motives, targeting entities in Cyprus, India, Israel, Indonesia, Peru, Mexico, and France. These incidents underscore the persistent and evolving nature of cyber threats, requiring robust defenses and continuous threat intelligence.
Recent Breach Incidents Overview
The following table summarizes the cybersecurity incidents observed in the last 24 hours, highlighting affected entities, breach types, and associated threat actors.
| Incident ID | Affected Entity | Type of Breach | Date | Status | Associated Threat Actor(s) |
|---|---|---|---|---|---|
| INC001 | Australian Database | Data Breach | 2025-05-23 | Alleged Sale | bulkpalace |
| INC002 | Department of Computer Science, University of Cyprus | Data Breach | 2025-05-23 | Alleged Leak | Tunisian Maskers Cyber Force |
| INC003 | DocuSign | Data Breach | 2025-05-23 | Alleged Leak | Machine1337 |
| INC004 | US and European Domains | Data Leak | 2025-05-23 | Alleged Leak | TheLibertyCity |
| INC005 | PRIZ Trading House LLC | Data Breach | 2025-05-23 | Alleged Leak | elpatron85 |
| INC006 | Printdesigns Limited | Data Breach | 2025-05-23 | Alleged Breach | OneERA |
| INC007 | Hong Kong Voter Data | Data Leak | 2025-05-23 | Alleged Leak | qfruosan |
| INC008 | Multiple Websites (cysco.in) | Defacement | 2025-05-23 | Claimed Defacement | Elite Squad |
| INC009 | multivendor.co.il | Data Breach | 2025-05-23 | Alleged Leak | Team 1722 |
| INC010 | Indonesia’s First Gold Banking Services (PT Pegadaian) | Data Breach | 2025-05-23 | Alleged Leak | phack |
| INC011 | Unidentified Organization in UAE | Initial Access | 2025-05-23 | Alleged Sale | decider |
| INC012 | Assifact | Data Breach | 2025-05-23 | Alleged Leak | OneERA |
| INC013 | Kemanukan Village, Bagelen District, Purworejo Regency | Defacement | 2025-05-23 | Claimed Defacement | JAKARTA CYBER WHITE |
| INC014 | Reachout PR | Data Breach | 2025-05-23 | Alleged Leak | GARUDA ERROR SYSTEM |
| INC015 | Impact | Data Breach | 2025-05-23 | Alleged Leak | GARUDA ERROR SYSTEM |
| INC016 | AT&T Inc. | Data Breach | 2025-05-23 | Alleged Sale | Jack_back |
| INC017 | Aviv Energy | Data Breach | 2025-05-23 | Alleged Leak | GARUDA ERROR SYSTEM |
| INC018 | Mata Sito Devi College of Education | Data Breach | 2025-05-23 | Alleged Breach | GARUDA ERROR SYSTEM |
| INC019 | Rajkiya Snatkottar Mahavidyalaya Maldevta | Data Breach | 2025-05-23 | Alleged Leak | GARUDA ERROR SYSTEM |
| INC020 | Multiple Unidentified Organizations in Peru | Data Leak | 2025-05-23 | Alleged Leak | injectioninferno2 |
| INC021 | France Government Administration (Carsat, Finance Ministry, Retraite) | Data Leak | 2025-05-23 | Alleged Leak | STORMOUS |
| INC022 | Multiple Unidentified Organizations in Mexico | Data Leak | 2025-05-23 | Alleged Leak | injectioninferno2 |
| INC023 | TenderMines | Data Breach | 2025-05-23 | Alleged Breach | INDOHAXSEC |
| INC024 | Rumah Aqiqah | Data Breach | 2025-05-23 | Alleged Sale | ClayOxtymus1337 |
| INC025 | Cyprus and UAE | Alert | 2025-05-23 | Claimed Targeting | Shadow Empire |
| INC026 | Assurance Maladie | Data Breach | 2025-05-23 | Alleged Sale | GoldRabbitMaghreb |
| INC027 | Eternal Hospital | Defacement | 2025-05-23 | Claimed Defacement | KAL EGY 319 |
| INC028 | Israel | Alert | 2025-05-23 | Claimed Targeting | DieNet |
| INC029 | Caf-Family Allowances | Data Breach | 2025-05-23 | Alleged Breach | MdHackersArmy |
Detailed Incident Descriptions
Incident ID: INC001
A threat actor identified as bulkpalace claims to be selling an Australian database containing over 21,000 records. The compromised data reportedly includes sensitive information such as driver’s licenses, passports, Medicare information, payroll details, credit scores, ABNs, and bank statements.
- Published URL: https://xss.is/threads/138349/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/9e3938e3-d539-4f5e-9927-92e40e99fd3b.png
Incident ID: INC002
The group Tunisian Maskers Cyber Force claims to have leaked data from the Department of Computer Science, University of Cyprus.
- Published URL: https://t.me/CyberforceTn/79
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/afcd4443-994b-49f0-a6e8-3b7494678a63.png
Incident ID: INC003
A threat actor identified as Machine1337 claims to have leaked data from DocuSign. The leaked data reportedly comprises 146 million records. This incident aligns with Machine1337’s known activities of claiming responsibility for breaches and offering alleged stolen data for sale.[1]
- Published URL: https://xss.is/threads/138343/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/716b8825-bfa1-4817-af1b-8ee997f8c27d.png
Incident ID: INC004
A threat actor identified as TheLibertyCity claims to have leaked a database containing 210,000 valid email and password combinations (IMAP/web) from US and European domains.
- Published URL: https://forum.exploit.in/topic/259633/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/7b6f9615-0725-4936-be1d-800973f68b6e.png
Incident ID: INC005
A threat actor identified as elpatron85 claims to have leaked the database of PRIZ Trading House LLC. The compromised data reportedly includes 101,610 rows, totaling 22.1 GB, and contains information such as employee names, emails, phone numbers, roles, hire dates, skills, social media profiles, task and project details, call logs, company banking information, client contacts, sales transactions, and lead data. The data is available in formats including XLSX, CSV, Word, PDF, MP4, MP3, and JPEG.
- Published URL: https://darkforums.st/Thread-Selling-Prizmoda-ru-Database-Leak-Russia-May-2025
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b166a8f0-d476-4950-af26-02fd488687f0.png
Incident ID: INC006
A threat actor identified as OneERA claims to have leaked the database and source code from Printdesigns Limited. The compromised data reportedly includes information on 100,000 individuals, such as full names, email addresses, phone numbers, physical addresses, and timestamps. OneERA is known for exploiting vulnerable internet-facing servers and using spear-phishing to gain initial access, deploying custom backdoors for persistence and cyberespionage.[2]
- Published URL: https://darkforums.st/Thread-100K-UK-Large-Format-Print-Display-Company-printdesigns-com
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/97bc1d3d-0a8c-4f3c-ac85-f1a861290477.png
Incident ID: INC007
A threat actor identified as qfruosan claims to have leaked personal data related to Hong Kong voters. The leaked data includes document numbers, nationality, sex, and check digits, provided in XLSX format.
- Published URL: https://darkforums.st/Thread-HK-VOTE-LEAK
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/d81e1d67-beb5-4758-a487-b96f1b2c667b.png
Incident ID: INC008
The group Elite Squad claims to have defaced 20 websites, including cysco.in, an Indian software development company.
- Published URL: https://t.me/alnaaze757/155
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/9e1c6547-9c76-4652-995e-0e8b66d44081.png, https://d34iuop8pidsy8.cloudfront.net/124e664b-43dc-4828-9c48-a08e6661e320.png
Incident ID: INC009
The group Team 1722 claims to have leaked data from multivendor.co.il, an e-commerce and online stores organization in Israel.
- Published URL: https://t.me/x1722x/2591
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f551ba0b-fc2f-4cc5-917d-43e69a082758.png
Incident ID: INC010
A threat actor identified as phack claims to have leaked data from Indonesia’s newly launched gold banking services, specifically mentioning PT Pegadaian (Persero) and Bank Syariah Indonesia (BSI). The compromised database reportedly includes personal and professional details of approximately 13,000 employees, including full names, job roles, email addresses, and phone numbers.
- Published URL: https://darkforums.st/Thread-Layanan-Bank-Emas-Terlengkap-Pertama-di-Indonesia
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/db9d7d19-4f4c-4149-a3a3-c91923828fd5.png
Incident ID: INC011
A threat actor identified as decider claims to be selling VPN and RDP access to a consumer services company in the UAE.
- Published URL: https://forum.exploit.in/topic/259627/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/3d0df0d3-8428-4d38-bc36-30155b052c37.png
Incident ID: INC012
A threat actor identified as OneERA claims to have leaked the source code and database from Assifact – Associazione Italiana per il Factoring, a financial services organization in Italy. OneERA is known for targeting government entities and exploiting vulnerabilities to gain unauthorized access.[2]
- Published URL: https://darkforums.st/Thread-Associazione-Italiana-per-il-Factoring-www-assifact-it
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/ca9e02e0-bba7-4884-9add-d6e583980ebe.png
Incident ID: INC013
The group JAKARTA CYBER WHITE claims to have defaced the website of Kemanukan Village, Bagelen District, Purworejo Regency, a government administration entity in Indonesia.
- Published URL: https://t.me/jktcyberwhite20/36
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/8c7c2519-0f0e-46ed-985f-dd7a466f0e7b.png
Incident ID: INC014
The group GARUDA ERROR SYSTEM claims to have leaked data from Reachout PR, a public relations firm in India. GARUDA ERROR SYSTEM is a pro-Pakistani threat actor known for ideologically motivated cyber operations against Indian targets.[3]
- Published URL: https://t.me/c/2601559408/752
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/72042007-9713-44df-a0ab-aab3581ffaad.jpg
Incident ID: INC015
The group GARUDA ERROR SYSTEM claims to have leaked data from Impact, a medical equipment manufacturing company in India. GARUDA ERROR SYSTEM frequently engages in DDoS attacks, defacement campaigns, and selective data leaks.[3]
- Published URL: https://t.me/c/2601559408/751
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/155e2052-b37e-48e7-b101-d9c8a1c42c4b.png
Incident ID: INC016
The threat actor Jack_back claims to be selling over 3.1 GB of data from AT&T Inc., a network and telecommunications company in the USA. The compromised data reportedly includes ID, name, date of birth, gender, and more.
- Published URL: https://darkforums.st/Thread-USA-AT-T-DB
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/08dc20e8-c49b-48e7-928b-a15b578a0c9b.png
Incident ID: INC017
The group GARUDA ERROR SYSTEM claims to have leaked data from Aviv Energy, an electrical and electronic manufacturing company in Israel. GARUDA ERROR SYSTEM coordinates its operations through platforms like Telegram and X.[3]
- Published URL: https://t.me/c/2601559408/749
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a648989c-e6e3-43f5-945d-9f9cc14d2a84.png
Incident ID: INC018
The group GARUDA ERROR SYSTEM claims to have leaked data from Mata Sito Devi College of Education, an educational institution in India. This group is among the top pro-Pakistani threat actors targeting India.[3]
- Published URL: https://t.me/c/2601559408/748
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a6e5f724-0e6c-4abf-b6e9-b84a3b1aa220.png
Incident ID: INC019
The group GARUDA ERROR SYSTEM claims to have leaked data from Rajkiya Snatkottar Mahavidyalaya Maldevta, an educational institution in India. Their activities are part of an organized and sustained campaign against Indian interests.[3]
- Published URL: https://t.me/c/2601559408/750
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/f183a99a-d314-4ccb-b2a0-46ab5713f567.png
Incident ID: INC020
The threat actor injectioninferno2 claims to have leaked 117 GB of data from multiple unidentified organizations in Peru. The compromised data reportedly consists of emails, information from various companies, WhatsApp leads, and university data.
- Published URL: https://darkforums.st/Thread-Selling-MEGA-DATABASE-PERU-2025-%F0%9F%93%82
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/fe80e474-e2d1-47ff-978f-9ab37e3f0e19.png
Incident ID: INC021
The group STORMOUS claims to have breached multiple French government agencies, including Carsat, Finance Ministry, and Retraite, exfiltrating email addresses and password hashes from critical systems. STORMOUS is a pro-Russian ransomware group known for aggressive attacks and double-extortion tactics.[4]
- Published URL: http://pdcizqzjitsgfcgqeyhuee5u6uki6zy5slzioinlhx6xjnsw25irdgqd.onion/
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/26ecb60c-91b4-4872-9298-2ea9a1147c89.png
Incident ID: INC022
The threat actor injectioninferno2 claims to have leaked 725 GB of data from multiple unidentified organizations in Mexico. The compromised data reportedly consists of emails, information from various companies, leads, and university data.
- Published URL: https://darkforums.st/Thread-Selling-MEXICO-MEGA-DATABASE-725-GB
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/a3911f6f-5d01-48d4-92e4-f47dde78b8b3.png
Incident ID: INC023
A threat actor identified as INDOHAXSEC claims to have breached a comprehensive database related to Indian government tenders, specifically TenderMines. The leaked database contains extensive personally identifiable information (PII) of individuals, including names, PAN card numbers, mobile numbers, email addresses, Aadhaar numbers, physical addresses, state, city, and PIN code details. It also includes sensitive financial and employment data such as bank account numbers, IFSC codes, bank names, account types, income details, employment designations, and details from official documents like PAN cards, Aadhaar cards, driving licenses, and passports. INDOHAXSEC is an Indonesia-based hacktivist collective with political and nationalistic motivations.[6]
- Published URL: https://darkforums.st/Thread-Indian-Government-Tenders-Info-Online-Database
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/b09ce38a-b64a-4b15-84ba-69dc0e8015f2.png
Incident ID: INC024
The threat actor ClayOxtymus1337 claims to be selling data from Rumah Aqiqah, a consumer services company in Indonesia. The compromised data reportedly consists of over 7,000 employee records, including NIP, name, class, employment status, position, and other information.
- Published URL: https://darkforums.st/Thread-Selling-Personal-Data-of-7K-rumahaqiqah-co-id-Employees-Special-Price
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/5bf34b91-5c9f-4e45-8768-ca66f20d8c08.png
Incident ID: INC025
A recent post by the group Shadow Empire claims they are targeting Cyprus and UAE. Shadow Empire is a botnet that operated for 20 years, generating illicit revenue through hijacked routers.[8]
- Published URL: https://t.me/c/2600829716/5
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/2d0d4ed4-2a01-43ae-b18c-0e83baad738f.png
Incident ID: INC026
The threat actor GoldRabbitMaghreb claims to be selling data from Assurance Maladie, an insurance organization in France. The compromised data includes emails and hashed credentials.
- Published URL: https://darkforums.st/Thread-Selling-FOR-SELL-assurance-maladie-fr-%E2%80%93-Credential-Exposure-Dump
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/c13da5da-5755-4aca-882a-b7f6b801479f.png
Incident ID: INC027
The group KAL EGY 319 claims to have defaced the website of Eternal Hospital, a healthcare facility in India. KAL EGY 319 is a hacktivist group with ideological motivations, primarily engaging in web defacement operations.[9]
- Published URL: https://t.me/KALE3G1Y9/472
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/afa91499-3649-487a-ba12-3e2a4062b7a9.png
Incident ID: INC028
A recent post by the group DieNet claims they are targeting Israel. DieNet is a new hacktivist group that emerged on March 7, 2025, known for claiming numerous Distributed Denial-of-Service (DDoS) attacks against critical infrastructure sectors.[11]
- Published URL: https://t.me/DIeNlt/199
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/efcb9bd0-c801-4a6d-9460-e7ce14c62e32.png
Incident ID: INC029
A threat actor identified as MdHackersArmy claims to be selling a data dump from Caisse d’Allocations Familiales (CAF), a French government welfare organization. The breach reportedly includes over 150 administrative accounts and internal email addresses. Passwords are hashed using MD5 and SHA-512, and the data is provided in a TXT format sorted by domain.
- Published URL: https://darkforums.st/Thread-Selling-FOR-SELL-CAF-FR-FULL-DUMP-205
- Screenshots: https://d34iuop8pidsy8.cloudfront.net/0b45b3e8-239c-4006-90b4-eb967223d13f.png
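Several of the claims above (INC004, INC026, INC029) concern credential dumps offered as "email:hash" or "email:password" text sorted by domain. The triage script below is an added example for defenders and is not part of the original report or any of the actors' material; it assumes that line format, uses constructed sample lines (no real leaked data), and classifies each secret by hash family so that accounts stored as plaintext or as unsalted fast hashes (MD5, SHA-1, raw SHA-256/SHA-512 hex digests) are reset first, since those are the cheapest to recover offline.

```python
"""Triage a claimed credential dump against an organization's own domains.

Added example, not from the original report. Assumes a text dump of
"email:secret" lines (the TXT-sorted-by-domain format described for
INC029); all sample addresses and hashes below are constructed.
"""
import re
from collections import Counter

# Constructed sample lines in the assumed "email:secret" format.
SAMPLE_DUMP = (
    "alice@example.org:5f4dcc3b5aa765d9d8cd0f0d0a0b1c2d\n"       # 32 hex: unsalted MD5
    "bob@example.org:$6$rounds=5000$saltsalt$aGVsbG93b3JsZA\n"    # crypt(3) SHA-512, salted
    "carol@example.org:plaintextpassword\n"                        # stored in the clear
    "dave@other.example:9e107d9d372bb6826bd81d3542a419d6\n"       # not one of our domains
    "erin@corp.example:" + "a" * 128 + "\n"                        # 128 hex: unsalted SHA-512
)

# Ordered so salted/modular-crypt formats are recognised before raw hex digests.
HASH_PATTERNS = [
    ("sha512crypt", re.compile(r"^\$6\$")),
    ("bcrypt", re.compile(r"^\$2[aby]\$")),
    ("sha512_hex", re.compile(r"^[0-9a-fA-F]{128}$")),
    ("sha256_hex", re.compile(r"^[0-9a-fA-F]{64}$")),
    ("sha1_hex", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("md5_hex", re.compile(r"^[0-9a-fA-F]{32}$")),
]

# Plaintext and unsalted fast hashes are treated as already-exposed secrets.
WEAK = {"plaintext", "md5_hex", "sha1_hex", "sha256_hex", "sha512_hex"}


def classify_hash(value):
    """Return a hash-family label for one secret field."""
    for name, pat in HASH_PATTERNS:
        if pat.match(value):
            return name
    # Anything non-empty that is not a recognised digest or a "$"-prefixed
    # modular-crypt string is assumed to be a plaintext password.
    return "plaintext" if value and "$" not in value else "unknown"


def parse_dump(text):
    """Yield (email, domain, hash_kind) for each well-formed email:secret line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, secret = line.partition(":")
        email = email.lower()
        if "@" not in email:
            continue
        yield email, email.rsplit("@", 1)[1], classify_hash(secret)


def triage(text, our_domains):
    """Summarise which of our accounts appear in the dump and which need a forced reset."""
    ours = {d.lower() for d in our_domains}
    hits = [(e, d, k) for e, d, k in parse_dump(text) if d in ours]
    return {
        "matched_accounts": [e for e, _, _ in hits],
        "by_domain": dict(Counter(d for _, d, _ in hits)),
        "by_hash_kind": dict(Counter(k for _, _, k in hits)),
        "force_reset": [e for e, _, k in hits if k in WEAK],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP, ["example.org", "corp.example"])
    for key, val in report.items():
        print(f"{key}: {val}")
```

Accounts protected by a salted, iterated scheme (the `$6$` crypt line in the sample) still warrant a reset, but the plaintext and unsalted-digest entries are the ones to handle in the first hour; the `by_hash_kind` summary is also a quick sanity check on whether a seller's "hashed credentials" claim matches what the sample actually contains.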
In-Depth Threat Actor Profiles
This section provides detailed profiles of the threat actors identified in the recent incidents, offering context on their origins, motivations, typical activities, and methods.
bulkpalace
Actor Profile: Detailed information regarding the origins, motivations, and specific TTPs of the threat actor bulkpalace is not readily available in the provided research. Their activity in this report indicates a focus on selling compromised databases.
Tunisian Maskers Cyber Force
Actor Profile: Tunisian Maskers Cyber Force is a hacktivist group from Tunisia. While specific details about this particular group are limited, broader trends among Tunisian hacker groups indicate a history of politically motivated cyber activities, including website defacements and data leaks.[13] These groups often target government entities or organizations perceived as opposing their ideologies.[13]
Known Activities & Targets: Historically, Tunisian hacker groups have engaged in defacing websites, leaking emails, and targeting government officials.[13] They have also been involved in operations against Israeli websites.[13] Recent activities suggest an ongoing focus on cyber operations, including academic exchanges with international cyber teams to enhance critical infrastructure protection and secure communication.[14]
Tactics, Techniques, and Procedures (TTPs): Tunisian hacker groups have been observed using various methods, including website defacement and data exfiltration.[13] Their operations are often announced or showcased on public platforms, aiming to spread their message and demonstrate their capabilities.[13]
Machine1337
Actor Profile: Machine1337, also known by the alias “EnergyWeaponUser,” is a prominent and English-speaking threat actor who first registered on the xss forum in January 2024.[1] This individual is believed to be associated with other notable threat actors like “Intelbroker” and “Zjj,” as well as the hacker collective “CyberN*ggers”.[1] The association with Intelbroker is particularly strong, with both actors almost certainly involved in a significant network breach of Cisco in October 2024.[1]
Known Activities & Targets: Machine1337 has claimed responsibility for at least seven recent cyberattacks, primarily advertising alleged stolen data on the xss forum and their Telegram channel.[1] Their claimed targets include major technology companies such as Apple Inc., Steam, Huawei, Temu, and Snapchat.[1] The actor has also alluded to a possible connection with the recent Coinbase compromise, posting “CoinBase: Coming soon” on their Telegram channel along with password reset messages.[1] This suggests a potential involvement in incidents where customer data and social engineering are leveraged.
Tactics, Techniques, and Procedures (TTPs): Machine1337’s operational methods involve claiming responsibility for breaches and offering alleged stolen data for sale, with prices ranging from USD 2,000 to USD 20,000 depending on the victim and data volume.[1] While data samples are purportedly made available, forum users have reported that these samples are often inaccessible, raising questions about the veracity of all claims.[1] The use of Telegram for announcements, including suggestive messages related to password resets, points to a potential TTP of deploying misleading communications for social engineering campaigns aimed at manipulating users into sharing credentials or transferring assets.[1] As of May 2025, Machine1337 was temporarily banned from the xss forum for “spam activity,” indicating their active and sometimes disruptive presence within cybercriminal communities.[1]
TheLibertyCity
Actor Profile: TheLibertyCity appears to be a threat actor involved in data leaks, specifically focusing on credentials. While direct detailed profiles are limited, the name “Liberty City” has been associated with various contexts, including a group of Black men from Miami accused of an alleged al-Qaeda plot, suggesting a potential for ideologically driven or criminal motivations.[15] In a different context, “Liberty City” has been mentioned in relation to data sharing processes and system alignment, which could imply an interest in data infrastructure.[17]
Known Activities & Targets: The current incident involves the alleged leak of email credentials from US and European domains. Historically, cybercrime activities related to “Liberty City” have included Distributed Denial-of-Service (DDoS) attacks against educational institutions.[18] The broader context of cybercrime also highlights the use of the internet for radicalization and the potential for small-time criminals to engage in cyber activities.[19]
Tactics, Techniques, and Procedures (TTPs): The specific TTPs for TheLibertyCity are not detailed, but the nature of their reported activities (data leaks, credential compromises) suggests methods such as exploiting vulnerabilities, phishing, or leveraging compromised systems to exfiltrate data. The use of online applications to carry out attacks has been observed in related contexts.[18]
elpatron85
Actor Profile: Detailed information regarding the origins, motivations, and specific TTPs of the threat actor elpatron85 is not readily available in the provided research. Their activity in this report indicates a focus on leaking databases, specifically from a Russian trading house.
OneERA
Actor Profile: OneERA is identified as a threat actor primarily focused on government entities. Their motivations appear to be related to cyberespionage activities and potentially financial gain through data exfiltration and extortion.[2]
Known Activities & Targets: This actor has been active since early 2022, primarily targeting government organizations. Their operations have compromised 48 government organizations, including 10 foreign affairs ministries, and have targeted an additional 49 government agencies.[2] A notable incident involved unauthorized access to over 2.4 million records, allegedly containing personally identifiable information (PII) of individuals in New Zealand.[2] Following this data exposure, OneERA reportedly engaged in blackmail, demanding a ransom from individual victims to prevent the public release of their data.[2]
Tactics, Techniques, and Procedures (TTPs): OneERA’s methods involve exploiting vulnerable internet-facing servers and employing spear-phishing emails to gain initial access.[2] Once a foothold is established, they deploy custom backdoors for persistence and to facilitate cyberespionage.[2] They also utilize open-source tools and exploit specific vulnerabilities to gain unauthorized access, deploy web shells, and conduct attacks often themed around geopolitical subjects.[2] In the broader threat landscape, compromised Microsoft credentials, often obtained through phishing, have been used to launch business email compromise (BEC) attacks and to abuse OneDrive sync to infect local Windows hosts; this sophisticated tactic aligns with the capabilities of actors like OneERA to move laterally and achieve their objectives.[20] It includes replacing shortcut files on a user’s desktop with malicious ones which, when clicked, execute a reverse shell that gives the attacker control of the host.[20]
qfruosan
Actor Profile: Detailed information regarding the origins, motivations, and specific TTPs of the threat actor qfruosan is not readily available in the provided research. Their activity in this report indicates a focus on leaking voter data.
Elite Squad
Actor Profile: Elite Squad is a threat actor group that engages in cyberattacks, specifically website defacements. While detailed profiles are limited, threat actors like Elite Squad are often motivated by various factors, including financial gain, ideological beliefs (hacktivism), or even thrill-seeking.[21] They typically exploit vulnerabilities to disrupt services or gain notoriety.[22]
Known Activities & Targets: Elite Squad has claimed to deface multiple websites. Threat actors, in general, often target organizations for monetary gain, data, sensitive intelligence, or to cause service disruption and reputational harm.[22] Hacktivists, for instance, may target organizations to disrupt operations or steal sensitive information as a form of protest.[23]
Tactics, Techniques, and Procedures (TTPs): The primary TTP observed for Elite Squad is website defacement. This involves altering the visual appearance of a website. Threat actors often gain access through methods like phishing or exploiting vulnerabilities.[22] Understanding TTPs helps security teams detect and mitigate attacks by understanding how threat actors operate.[21]
Team 1722
Actor Profile: Team 1722 is identified as an active hacktivist group. While specific details about their origins and motivations are not extensively documented, they are consistently active alongside other hacktivist groups like Mr Hamza and Keymous+.[24] Their activities suggest a focus on data leaks and potentially other forms of cyber disruption.
Known Activities & Targets: Team 1722 has been observed to be consistently active in the first quarter of 2025.[24] They have claimed to leak data from organizations, as seen in the incident involving multivendor.co.il. Hacktivist groups often target sectors such as government and law enforcement, banking and financial services, telecommunications, and energy and utilities.[24]
Tactics, Techniques, and Procedures (TTPs): The primary TTP observed for Team 1722 is data leakage. While specific technical procedures are not detailed, hacktivist groups often employ methods like Distributed Denial-of-Service (DDoS) attacks, website defacements, and data exfiltration.[24] They may use legitimate tools for initial user, system, and network enumeration, and deploy encryptors or exfiltrate data using tools like Rclone and PsExec.[25]
phack
Actor Profile: phack is a threat actor involved in data leaks, particularly from financial services. While a detailed profile for “phack” is not available in the provided research, the name has been associated with phishing scams and attacks.[26] This suggests a potential for social engineering tactics to gain initial access.
Known Activities & Targets: The current incident involves the alleged data leak from Indonesia’s gold banking services. Broader trends indicate that threat actors often use API abuse and web scraping to collect large datasets, which are then sold on data breach forums.[26]
Tactics, Techniques, and Procedures (TTPs): The specific TTPs for phack are not detailed. However, the context of data leaks from financial institutions often involves exploiting vulnerabilities, using stolen credentials, or employing phishing techniques to compromise systems and exfiltrate sensitive information.[26]
decider
Actor Profile: In a cybersecurity context, “decider” can refer either to a tool or to a threat actor: the CISA Decider tool exists for mapping adversary behavior,[27] but this incident refers to a threat actor named decider selling access. Detailed information about this threat actor’s origins and motivations is not available; however, the sale of VPN and RDP access indicates a financially motivated actor specializing in initial access brokerage.
Known Activities & Targets: The primary activity of decider is selling initial access, specifically VPN and RDP access, to compromised networks. This type of activity is common among financially motivated cybercriminals who gain access to networks and then sell that access to other malicious actors for further exploitation, such as ransomware deployment or data exfiltration.[28] Threat actors involved in selling access often target various industries, including information technology, government, healthcare, financial, insurance, and media sectors.[28]
Tactics, Techniques, and Procedures (TTPs): Threat actors selling access often gain initial access by exploiting publicly known vulnerabilities in VPN infrastructure (e.g., Pulse Secure, Citrix NetScaler, F5).[28] They may conduct mass-scanning to identify open ports and then exploit these vulnerabilities to establish a foothold.[28] After gaining access, they typically obtain administrator-level credentials and install web shells to maintain persistence and exfiltrate data.[28] They may also use tools like ngrok, fast reverse proxy (FRP), and various web shells.[28] The FBI notes that such threat actors have the capability and intent to deploy ransomware.[28]
JAKARTA CYBER WHITE
Actor Profile: JAKARTA CYBER WHITE is an Indonesia-based hacktivist group. While specific details about their origins are limited, Indonesian hacktivist groups have been active in cybercrime events, including mass data breaches and DDoS attacks.[29] They are often part of anonymous collective groups and have been observed sharing tools and techniques for exploitation.[29]
Known Activities & Targets: JAKARTA CYBER WHITE has claimed to deface websites, as seen in the incident targeting Kemanukan Village. Indonesian hacktivist groups have historically targeted various sectors, including education, local government, agriculture, law enforcement, and public services.[29] There have also been threats of attacks on Indian government websites by groups identified as “Hacktivist Indonesia,” which may include members from various Islamic countries.[30]
Tactics, Techniques, and Procedures (TTPs): JAKARTA CYBER WHITE primarily engages in website defacement. Broader Indonesian hacktivist activities involve mass data breaches and DDoS attacks, often using open-source automated tools for exploitation.[29] They may leverage vulnerable websites and have been known to share video tutorials on hacking and automating exploit kits.[29] Communication and coordination often occur through Telegram channels and cybercrime forums.[29]
GARUDA ERROR SYSTEM
Actor Profile: GARUDA ERROR SYSTEM is identified as a pro-Pakistani threat actor, operating with strong ideological motivations rooted in geopolitical conflicts.[3]
Known Activities & Targets: This group is among the top pro-Pakistani threat actors involved in cyber offensives targeting India.[3] Their activities are part of an organized and sustained campaign against Indian interests in cyberspace, often leveraging real-world conflicts to justify digital aggression.[3] They specifically target Indian government domains, military assets, and financial platforms.[3] Recent incidents show them targeting Indian organizations across various industries, including public relations, medical equipment manufacturing, and education.
Tactics, Techniques, and Procedures (TTPs): GARUDA ERROR SYSTEM primarily employs Distributed Denial-of-Service (DDoS) attacks, website defacement campaigns, and selective data leaks.[3] These operations are frequently coordinated through platforms such as Telegram and X (formerly Twitter).[3] While their actions are aggressive and ideologically driven, the actual impact on critical infrastructure may vary, with some attacks being swiftly rectified by web managers.[32]
Jack_back
Actor Profile: Jack_back is a forum user and threat actor involved in selling compromised data. While detailed information on their origins and motivations is limited, their activities suggest a financially motivated cybercriminal.33
Known Activities & Targets: Jack_back has been observed uploading samples of compromised data, including employee data and sensitive design files, such as nuclear equipment designs.33 The current incident involves the alleged sale of a large dataset from AT&T Inc. Their activities align with threat actors who aim for monetary gain by retrieving and selling data.35
Tactics, Techniques, and Procedures (TTPs): The specific TTPs used by Jack_back to acquire the data are not detailed in the provided research. However, threat actors involved in data sales often leverage various methods to gain initial access, such as exploiting vulnerabilities, using compromised credentials, or employing social engineering tactics.36 They may also engage in reconnaissance prior to executing an attack.36 The sale of data on forums indicates a common practice within cybercriminal communities.34
ClayOxtymus1337
Actor Profile: Detailed information regarding the origins, motivations, and specific TTPs of the threat actor ClayOxtymus1337 is not readily available in the provided research. Their activity in this report indicates a focus on selling employee data.
injectioninferno2
Actor Profile: injectioninferno2 is a threat actor involved in large-scale data leaks from multiple unidentified organizations. While specific details about their origins and motivations are not explicitly stated, their activities align with financially motivated cybercriminals who exfiltrate data for sale.
Known Activities & Targets: injectioninferno2 has claimed to leak massive amounts of data (117 GB from Peru, 725 GB from Mexico) from various organizations, including emails, company information, leads, and university data. This actor has been observed exploiting publicly known Common Vulnerabilities and Exposures (CVEs) related to VPN infrastructure (e.g., Pulse Secure, Citrix NetScaler, F5) to gain initial access to targeted networks.28 They often maintain access for several months and have been observed selling access to compromised network infrastructure in online hacker forums.28
Tactics, Techniques, and Procedures (TTPs): injectioninferno2 conducts mass-scanning using tools like Nmap to identify open ports.28 After gaining initial access through VPN vulnerabilities, they obtain administrator-level credentials and install web shells for persistence.28 Their goals appear to be maintaining persistence and exfiltrating data.28 They rely heavily on open-source and operating system (OS) tooling such as ngrok, fast reverse proxy (FRP), and various web shells.28 The FBI notes that this type of Iran-based threat actor has the capability and likely the intent to deploy ransomware.28
STORMOUS
Actor Profile: Stormous is a pro-Russian ransomware group that emerged in mid-2021, known for its aggressive tactics and geopolitical motivations.4 This group is part of a larger cybercrime syndicate known as “The Five Families,” which also includes ThreatSec, GhostSec, Blackforums, and SiegedSec.4 In 2023, Stormous formed a closer partnership with GhostSec to conduct joint ransomware operations.4 Dragon RaaS, another ransomware-as-a-service (RaaS) operation, emerged in July 2024 as an offshoot of the Stormous group.4
Known Activities & Targets: Stormous is known for targeting organizations perceived as hostile to Russia, particularly in the United States, Western countries, India, and Ukraine.4 Their strategic onslaught extends to sectors pivotal to societal infrastructure and data security, including technology, education, healthcare, and government agencies, chosen for their reliance on digital systems and possession of sensitive data.5 While Stormous claims numerous successful attacks, concrete evidence of their intrusions is sometimes lacking, and they have been observed sharing information already publicly accessible.5 The current incident involves an alleged data leak from French government administration.
Tactics, Techniques, and Procedures (TTPs): Like its offshoot Dragon RaaS, Stormous heavily relies on several initial access methods: vulnerability exploitation, brute-force credential attacks, compromised credentials obtained from infostealer logs, and abuses of weak configurations (e.g., default admin passwords) to gain access to web panel interfaces like cPanel.4 Historically, Stormous has exploited WordPress theme and plugin vulnerabilities to gain entry into target systems, frequently targeting WordPress SMB, LiteSpeed HTTP, and MySQL environments.4 Their primary encryption tool for RaaS operations was StormCry ransomware, with the Windows encryptor for Dragon RaaS being a lightly modified version of StormCry.4 These groups adopt double-extortion tactics, where victims’ data is both encrypted and threatened with public release unless a ransom is paid.5 This method leverages both the power of encryption to hold data hostage and an element of blackmail, significantly increasing the stakes for targeted organizations by threatening their reputation and data privacy.5
INDOHAXSEC
Actor Profile: INDOHAXSEC is an Indonesia-based hacktivist collective that emerged in early October 2024.6 Their primary motivations are political, driven by pro-Palestinian sentiments and religious ideology, leading them to target entities perceived as supporting Israel.6 More recently, their focus has expanded to include a nationalistic agenda, launching cyberattacks against entities they believe have acted against Indonesia’s core interests.6 While largely politically motivated, they are occasionally financially driven.6
Origins and Affiliations: INDOHAXSEC officially established itself in early October 2024.6 Some of its current members have previously been associated with other regional hacktivist groups, including AnonBlackFlag, Hacktivists Indonesia, PaluAnonCyber, and others.6 One month after their inception, INDOHAXSEC announced an alliance with the known pro-Russian hacktivist group NoName057(16).6 They have also announced collaboration with the Pakistani group Team Azrael – Angel of Death, explicitly stating their intent to target Indian cyberspace.7
Known Activities & Targets: INDOHAXSEC has conducted cyberattacks against numerous entities and governmental bodies within Southeast Asia, particularly targeting Malaysian officials and Indian cyberspace.6 Their targets include government portals, educational institutions, and news media outlets.9 They have also claimed to have infiltrated and leaked the PhpMyAdmin database of an Indian technology firm, though this claim remains unsubstantiated.6 The current incident involves an alleged data breach of Indian government tenders.
Tactics, Techniques, and Procedures (TTPs): INDOHAXSEC employs a variety of cyberattack tactics, including website defacements, Distributed Denial-of-Service (DDoS) attacks, ransomware deployments (such as ExorLock ransomware, and claims of a WannaCry 2.0 variant), and hack-and-leak operations.6 They have also engaged in doxxing campaigns, particularly targeting Malaysian officials, which indicates an evolving operational playbook.6 The group maintains a GitHub repository containing custom tooling, which includes malicious scripts for DDoS attacks (“NUKLIR” and “RUDAL”), website defacement, and tools for compromising web servers (“Rudal-shell”).6 Their tools, such as “Dancokware” for website encryption, are often rudimentary but effective.6 Communication and coordination are primarily conducted through a Telegram channel with a significant subscriber base, and they also leverage social media platforms like TikTok and X to showcase their activities and spread their message, often with a disregard for operational security in favor of notoriety.6
Shadow Empire
Actor Profile: The Shadow Empire botnet, also known as Anyproxy, was a long-running criminal operation that generated significant illicit revenue through hijacked routers.8 While the botnet itself has been dismantled by global law enforcement, the incident in this report refers to a threat actor group named “Shadow Empire” claiming to target Cyprus and UAE. This suggests a potential re-emergence or a new group adopting the name.
Known Activities & Targets: Historically, the Shadow Empire botnet infected thousands of aging routers over two decades to fuel an illicit proxy service empire.8 These proxies were sold to cybercriminals for various illegal activities, including DDoS attacks, ad fraud, and cryptocurrency theft.8 The botnet exploited end-of-life (EoL) routers using a variant of TheMoon malware.8 The current incident indicates a claimed targeting of Cyprus and UAE, suggesting a shift towards specific geopolitical or regional interests.
Tactics, Techniques, and Procedures (TTPs): The original Shadow Empire botnet relied on exploiting routers with remote administration features enabled and installing covert proxies.8 The FBI warned that the botnet used a new variant of TheMoon malware.8 If the current “Shadow Empire” group is a continuation or new entity, their TTPs might involve similar methods of leveraging compromised infrastructure for various cybercrimes.
GoldRabbitMaghreb
Actor Profile: GoldRabbitMaghreb is a threat actor involved in selling compromised credentials. A detailed profile of this specific group is not available; however, “GoldRabbit” and similarly “Gold”-prefixed group names (e.g., GOLD DRAKE, GOLD WINTER) are often associated with financially motivated cybercriminal threat groups.38 These groups frequently engage in ransomware operations, botnet sales, and data exfiltration.38
Known Activities & Targets: The current incident involves the alleged sale of emails and hashed credentials from Assurance Maladie, an insurance organization in France. Historically, “Gold” prefixed groups have targeted various sectors globally, often using sophisticated tools and tactics.38 Their objectives typically include financial gain.38
Tactics, Techniques, and Procedures (TTPs): While specific TTPs for GoldRabbitMaghreb are not detailed, related “Gold” groups have employed methods such as vulnerability exploitation, brute-force attacks, compromised credentials from infostealer logs, and abuses of weak configurations for initial access.38 They may also use tools like Mimikatz, Cobalt Strike, and various ransomware variants.38 The sale of credentials on dark web forums is a common practice for financially motivated actors.38
KAL EGY 319
Actor Profile: KAL EGY 319 is a hacktivist group that operates with ideological motivations, primarily engaging in cyberattacks amidst geopolitical tensions, particularly those involving India and Pakistan.9
Known Activities & Targets: This group is one of the most active hacktivist entities, claiming a significant number of attacks.9 Their primary focus has been on India’s educational and medical sectors, with claims of widespread defacement campaigns affecting approximately 40 Indian websites belonging to colleges, universities, and healthcare institutions.9 While they claim significant disruption, investigations often reveal minimal actual impact, with defaced websites being quickly restored.9 This suggests their operations are often more symbolic than deeply impactful. The current incident involves the defacement of Eternal Hospital’s website in India.
Tactics, Techniques, and Procedures (TTPs): KAL EGY 319 predominantly engages in web defacement operations.9 They are also part of broader coalitions of groups that conduct Distributed Denial-of-Service (DDoS) attacks against Indian government websites.32 Their strategy involves public claims of large-scale compromises, often through social media channels like Telegram, to amplify their message and create an illusion of significant impact, even when the technical disruption is limited.9
DieNet
Actor Profile: DieNet is a relatively new hacktivist group that emerged on March 7, 2025, announcing its presence through a now-banned Telegram channel.11 The group’s motivations are primarily ideological, espousing pro-Palestinian and anti-President Trump views.12 They aim to maximize visible disruptions by targeting key infrastructure.11
Known Activities & Targets: Since its debut, DieNet has claimed over 60 Distributed Denial-of-Service (DDoS) attacks within less than two months, consistently taking credit for at least one attack daily.11 Their preferred targets include critical infrastructure, particularly in the U.S. and Iraq.11 Specific U.S. targets have included the Los Angeles Metropolitan Transportation Authority, Port of Los Angeles, Chicago Transit Authority, and the North American Electric Reliability Corporation.11 In Iraq, they have targeted the Ministry of Foreign Affairs.11 The group also targets large centers of digital commerce and communication, such as X, medical websites (e.g., MediTech and Epic), the Internet Archive, NASDAQ, and other large e-commerce and Software-as-a-Service (SaaS) providers.11 While DieNet claims success in its attacks, the actual impact on targets is often difficult to validate.11 The current incident involves a claimed targeting of Israel.
Tactics, Techniques, and Procedures (TTPs): DieNet’s primary method of attack is Distributed Denial-of-Service (DDoS).11 Despite claims of amassing their own large botnet, NETSCOUT assesses that the group likely leverages rented DDoS-as-a-service infrastructure, which is also shared with other threat groups like OverFlame and DenBots Proof.11 Their attacks are characterized by a mixture of vectors, including TCP RST, DNS amplification, TCP Syn, and NTP amplification, with specific patterns varying by target.11 DieNet’s rapid rise highlights the ease with which new actors can launch frequent and large-scale DDoS campaigns by exploiting readily available rented infrastructure.11 The group has been promoted by other pro-Palestinian hacktivist groups such as Mr. Hamza, Sylhet Gang-SG, and LazaGrad Hack, indicating potential alliances and coordinated efforts within the hacktivist community.11
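The vector mix attributed to DieNet above (TCP RST, DNS amplification, TCP SYN, NTP amplification) is what a defender would want to recognise in flow telemetry. The following triage script is an added example, not code from NETSCOUT or from this report; the flow records are constructed for a one-second export window toward a documentation-range address, and the size and packet thresholds are assumptions rather than published tuning.

```python
"""Classify sample flow records by the DDoS vector they resemble (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

TARGET = "203.0.113.10"  # constructed victim address (RFC 5737 documentation range)


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    tcp_flags: str   # e.g. "S", "R", "SA", "PA"; "" for UDP
    packets: int     # packets seen in this one-second window
    bytes: int


# Constructed sample window: reflected amplification, a SYN flood, a small RST
# trickle, and ordinary traffic, so the thresholds below have something to reject.
SAMPLE_FLOWS: List[Flow] = [
    # DNS amplification: reflector replies from UDP/53 with ~1,200-byte packets
    Flow("udp", "198.51.100.5", 53, TARGET, 41002, "", 800, 960_000),
    Flow("udp", "198.51.100.6", 53, TARGET, 41003, "", 800, 960_000),
    Flow("udp", "198.51.100.7", 53, TARGET, 41004, "", 800, 960_000),
    # NTP amplification: monlist-style replies from UDP/123, ~468-byte packets
    Flow("udp", "198.51.100.8", 123, TARGET, 41005, "", 700, 327_600),
    Flow("udp", "198.51.100.9", 123, TARGET, 41006, "", 700, 327_600),
    # TCP SYN flood: SYN-only flows that never complete the handshake
    Flow("tcp", "192.0.2.20", 51000, TARGET, 443, "S", 900, 54_000),
    Flow("tcp", "192.0.2.21", 51001, TARGET, 443, "S", 600, 36_000),
    # TCP RST trickle: a real vector, but below the reporting threshold this window
    Flow("tcp", "192.0.2.22", 51002, TARGET, 443, "R", 400, 24_000),
    # Ordinary traffic: a normal DNS answer, an established HTTPS session,
    # and a flow toward a different host that must be ignored
    Flow("udp", "198.51.100.5", 53, TARGET, 41007, "", 10, 1_200),
    Flow("tcp", "192.0.2.30", 51003, TARGET, 443, "PA", 120, 96_000),
    Flow("tcp", "192.0.2.31", 51004, "203.0.113.11", 443, "S", 5000, 300_000),
]


def avg_packet_size(flow: Flow) -> float:
    return flow.bytes / flow.packets


def classify_flow(flow: Flow) -> Optional[str]:
    """Label one flow with the vector it resembles, or None if it looks benign.

    Size cut-offs are assumptions: amplification replies are large, whereas a
    legitimate DNS answer or NTP response is a few dozen to ~150 bytes.
    """
    if flow.proto == "udp":
        if flow.src_port == 53 and avg_packet_size(flow) >= 512:
            return "dns_amplification"
        if flow.src_port == 123 and avg_packet_size(flow) >= 400:
            return "ntp_amplification"
        return None
    if flow.proto == "tcp":
        if flow.tcp_flags == "S":   # bare SYNs with no completion
            return "tcp_syn_flood"
        if flow.tcp_flags == "R":   # bare RSTs aimed at the service port
            return "tcp_rst_flood"
    return None


def triage(flows: List[Flow], target: str, min_packets: int = 1000) -> Dict[str, dict]:
    """Aggregate packets and distinct sources per vector toward `target`.

    Vectors under `min_packets` in the window are dropped so that a trickle
    does not get reported alongside the real attack vectors.
    """
    packets: Counter = Counter()
    sources = defaultdict(set)
    for flow in flows:
        if flow.dst_ip != target:
            continue
        label = classify_flow(flow)
        if label is None:
            continue
        packets[label] += flow.packets
        sources[label].add(flow.src_ip)
    return {v: {"packets": n, "sources": len(sources[v])}
            for v, n in packets.items() if n >= min_packets}


def dominant_vector(flows: List[Flow], target: str, min_packets: int = 1000) -> Optional[str]:
    """Return the vector carrying the most packets in the window, if any qualifies."""
    report = triage(flows, target, min_packets)
    return max(report, key=lambda v: report[v]["packets"]) if report else None


if __name__ == "__main__":
    for vector, stats in triage(SAMPLE_FLOWS, TARGET).items():
        print(f"{vector:20s} packets={stats['packets']:5d} sources={stats['sources']}")
    print("dominant:", dominant_vector(SAMPLE_FLOWS, TARGET))
```

Lowering `min_packets` surfaces the RST trickle as well, which is how an analyst would widen the net once the main vectors are mitigated.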
MdHackersArmy
Actor Profile: MdHackersArmy is a threat actor involved in data breaches and the sale of compromised credentials. While detailed information on their origins and motivations is limited, their activities align with cybercriminals or hacktivists who seek to exfiltrate sensitive information for various purposes, including financial gain or ideological protest.23
Known Activities & Targets: The current incident involves the alleged data breach and sale of administrative accounts and internal email addresses from a French government welfare organization. Threat actors like MdHackersArmy often leverage automation across the attack chain, from reconnaissance to compromise, and may use infostealer malware to fuel credential log activity.40 They may target cloud environments due to misconfigurations and credential leaks.40
Tactics, Techniques, and Procedures (TTPs): The specific TTPs for MdHackersArmy are not fully detailed, but the nature of their reported activities suggests methods such as exploiting vulnerabilities, credential stuffing, or other techniques to gain initial access and exfiltrate data. Post-breach, attackers often demonstrate precision in lateral movement using tools like RDP and Remote Access Trojans (RATs) to exfiltrate data.40 They may also use living-off-the-land techniques and encrypted command-and-control channels to cloak malicious activity.40
Conclusions
The analysis of recent cybersecurity incidents reveals a persistent and multifaceted threat landscape. Financially motivated cybercriminals continue to leverage sophisticated ransomware and data exfiltration techniques, as exemplified by Machine1337, elpatron85, Jack_back, phack, decider, injectioninferno2, ClayOxtymus1337, GoldRabbitMaghreb, and MdHackersArmy. The growing trend of selling access to compromised networks and leaked data underscores the need for robust credential management and continuous monitoring.
Simultaneously, ideologically driven hacktivist groups, including Tunisian Maskers Cyber Force, Elite Squad, Team 1722, JAKARTA CYBER WHITE, GARUDA ERROR SYSTEM, qfruosan, KAL EGY 319, INDOHAXSEC, DieNet, STORMOUS, Shadow Empire, and TheLibertyCity remain highly active. While their claimed impacts are often symbolic or limited in actual disruption, their consistent activity and use of readily available tools (like DDoS-as-a-service) highlight the ease of entry into cyber warfare for ideologically motivated actors. The alliances observed between groups like STORMOUS and GhostSec, and the promotion of new groups like DieNet by established hacktivists, indicate a trend towards increased coordination and shared resources within the cybercriminal and hacktivist ecosystems. This collaboration allows for amplified attacks and a broader reach, making it more challenging for organizations to anticipate and defend against varied attack vectors.
The prevalence of data breaches and exposures, whether from direct attacks or compromised third parties, continues to pose significant risks to personally identifiable information (PII) and organizational reputation. The subsequent use of this data for extortion, as seen with OneERA, adds another layer of threat.
To counteract these evolving threats, organizations must adopt a comprehensive cybersecurity strategy that includes:
- Proactive Threat Intelligence: Continuously monitoring threat actor TTPs and affiliations to anticipate potential attacks.
- Robust Access Control: Implementing multi-factor authentication (MFA), strong password policies, and the principle of least privilege to mitigate credential-based attacks.
- Vulnerability Management: Regularly patching and securing internet-facing systems and applications to prevent exploitation of known vulnerabilities.
- Incident Response Planning: Developing and regularly testing incident response plans to ensure rapid detection, containment, and recovery from breaches.
- Employee Education: Training employees on recognizing phishing attempts and other social engineering tactics, as human error remains a significant initial access vector.
- Data Protection: Implementing data encryption, regular backups, and data loss prevention (DLP) measures to protect sensitive information from exfiltration and extortion.
- Network Segmentation: Segmenting networks to limit lateral movement in the event of a breach.
The dynamic nature of cyber threats necessitates a proactive and adaptive defense posture, moving beyond reactive measures to anticipate and mitigate risks effectively.
Works cited
- Flash Report: Actor Seemingly Claims Responsibility for Recent …, accessed May 23, 2025, https://www.zerofox.com/intelligence-feed/flash-report-actor-seemingly-claims-responsibility-for-recent-breaches/
- MSP cybersecurity news digest, March 28, 2024 – Acronis, accessed May 23, 2025, https://www.acronis.com/en-us/cyber-protection-center/posts/msp-cybersecurity-news-digest-march-28-2024/
- Pro-Pak hackers launched sustained cyber attacks post Pahalgam …, accessed May 23, 2025, https://www.onmanorama.com/news/kerala/2025/05/11/operation-sindoor-cyber-offensive-target-indian-organisations.html
- Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on “The …, accessed May 23, 2025, https://www.sentinelone.com/blog/dragon-raas-pro-russian-hacktivist-group-aims-to-build-on-the-five-families-cybercrime-reputation/
- GhostSec and Stormous – Unveiling the New Era of Cyber Threat Alliances, accessed May 23, 2025, https://cybercentaurs.com/blog/ghostsec-and-stormous-unveiling-the-new-era-of-cyber-threat-alliances/
- INDOHAXSEC Indonesian Hacking Collective | Arctic Wolf, accessed May 23, 2025, https://arcticwolf.com/resources/blog/indohaxsec-emerging-indonesian-hacking-collective/
- Reflections of the India–Pakistan Kashmir Escalation on the Cyber World – SOCRadar, accessed May 23, 2025, https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/
- Global Law Enforcement Shatters 20-Year-Old Botnet ‘Shadow …, accessed May 23, 2025, https://www.secureblink.com/cyber-security-news/global-law-enforcement-shatters-20-year-old-botnet-shadow-empire-criminals-raked-in-46-m-via-hijacked-routers-1
- Brief Disruptions, Bold Claims: The Tactical Reality Behind the India …, accessed May 23, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
- Hacktivist Attacks on India Overstated Amid APT36 Espionage Threat, accessed May 23, 2025, https://www.infosecurity-magazine.com/news/hacktivist-attacks-india/
- Profiling DieNet: A New Hacktivist Threat | NETSCOUT, accessed May 23, 2025, https://www.netscout.com/blog/asert/profiling-dienet-new-hacktivist-threat
- Hacktivist Group DieNet Claims DDoS Attacks against U.S. CNI, accessed May 23, 2025, https://www.cisecurity.org/insights/blog/hacktivist-group-dienet-claims-ddos-attacks-against-u-s-c-n-i
- Tunisian Hacker — Latest News, Reports & Analysis | The Hacker …, accessed May 23, 2025, https://thehackernews.com/search/label/Tunisian%20Hacker
- Cyber lethality: Multidomain training enhances readiness at exercise African Lion 2025, accessed May 23, 2025, https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025
- From the Director of LEAVING NEVERLAND, FRONTLINE Presents U.S. Broadcast Premiere of IN THE SHADOW OF 9/11 – PBS, accessed May 23, 2025, https://www.pbs.org/wgbh/frontline/announcement/from-the-director-of-leaving-neverland-frontline-presents-u-s-broadcast-premiere-of-in-the-shadow-of-9-11/
- Evaluating the Terrorist Threat Posed by African-American Muslim Groups – Combating Terrorism Center at West Point, accessed May 23, 2025, https://ctc.westpoint.edu/evaluating-the-terrorist-threat-posed-by-african-american-muslim-groups/
- ECCS Liberty City Focus Group Report Miami Children’s Initiative – USF Health – University of South Florida, accessed May 23, 2025, https://health.usf.edu/-/media/Files/Public-Health/Chiles-Center/ECCS/MCI-Focus-Group-Report-2017.ashx
- Student arrested in Miami-Dade Schools cyberattacks ‘a good kid,’ neighbors say – WPLG, accessed May 23, 2025, https://www.local10.com/news/local/2020/09/03/student-arrested-in-connection-with-cyber-attacks-against-miami-dade-public-schools/
- Can Brandenburg v. Ohio Survive the Internet and the Age of Terrorism: The Secret Weakening of a Venerable Doctrine, accessed May 23, 2025, https://kb.osu.edu/bitstream/handle/1811/71357/1/OSLJ_V70N1_0141.pdf
- This Is How Threat Actors Use OneDrive Compromise to Infect Local Windows Hosts, accessed May 23, 2025, https://www.eye.security/blog/this-is-how-threat-actors-use-onedrive-compromise-to-infect-local-windows-hosts
- What is Cyber Threat Intelligence? [Beginner’s Guide] | CrowdStrike, accessed May 23, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/
- What is a Cyber Threat Actor? | CrowdStrike, accessed May 23, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
- Unmasking The Hackers: A Complete Guide To Threat Actors …, accessed May 23, 2025, https://kravensecurity.com/threat-actors/
- Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 23, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
- #StopRansomware: Medusa Ransomware | CISA, accessed May 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
- Threat Actor Selling 1.2 Billion Facebook Records, But Details Don’t …, accessed May 23, 2025, https://hackread.com/threat-actor-selling-1-2-billion-facebook-records/
- CISA Decider tool helps to map adversary behavior against MITRE ATT&CK framework, accessed May 23, 2025, https://industrialcyber.co/cisa/cisa-decider-tool-helps-to-map-adversary-behavior-against-mitre-attck-framework/
- Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA, accessed May 23, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-259a
- Indonesia Under Sophisticated Cyberattacks: A Deep-dive Analysis of Threat Actors Targeting the Indonesian Ecosystem – Cyble, accessed May 23, 2025, https://cyble.com/blog/indonesia-under-sophisticated-cyberattacks-a-deep-dive-analysis-of-threat-actors-targeting-the-indonesian-ecosystem/
- ‘Hacktivist Indonesia’ claims to attack 12000 Indian govt websites: Cybersecurity alert, accessed May 23, 2025, https://ciso.economictimes.indiatimes.com/news/grc/hacktivist-indonesia-claims-to-attack-12000-indian-govt-websites-cybersecurity-alert/99509357
- Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Radware, accessed May 23, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
- Digital War: Pakistan’s Cyber Activity Against India – Analysis – Eurasia Review, accessed May 23, 2025, https://www.eurasiareview.com/18052025-digital-war-pakistans-cyber-activity-against-india-analysis/
- Weekly Darkweb in May W2 – S2W, accessed May 23, 2025, https://s2w.inc/en/resource/detail/831
- Weekly Darkweb in May W2 – S2W, accessed May 23, 2025, https://www.s2w.inc/en/resource/detail/831
- What is a Threat Actor? Types & Examples – SentinelOne, accessed May 23, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
- TTPs Within Cyber Threat Intelligence | Optiv, accessed May 23, 2025, https://www.optiv.com/explore-optiv-insights/blog/tactics-techniques-and-procedures-ttps-within-cyber-threat-intelligence
- What Are TTPs and How Understanding Them Can Help Prevent the Next Incident, accessed May 23, 2025, https://www.exabeam.com/explainers/what-are-ttps/what-are-ttps-and-how-understanding-them-can-help-prevent-the-next-incident/
- GOLD DRAKE | Threat Profile Detail – Secureworks, accessed May 23, 2025, https://www.secureworks.com/research/threat-profiles/gold-drake
- GOLD WINTER | Threat Profile Detail – Secureworks, accessed May 23, 2025, https://www.secureworks.com/research/threat-profiles/gold-winter
- Threat Actors Accelerate Transition from Reconnaissance to Compromise – New Report Finds – GBHackers, accessed May 23, 2025, https://gbhackers.com/threat-actors-accelerate-transition-from-reconnaissance/