I. Executive Summary
This report provides a concise yet comprehensive overview of critical cybersecurity incidents and emerging threat actor trends observed in the latest intelligence cycle. It highlights significant data breaches, evolving adversary tactics, and the sectors most impacted, offering a strategic perspective on the current digital threat landscape.
Recent analyses reveal a notable shift in cybercriminal operations, particularly a strategic adaptation from traditional ransomware, which relies on encryption, to pure data extortion. This evolution, prominently demonstrated by the rebranding of Hunters International to World Leaks, reflects a calculated response to evolving defensive measures that have made encryption less profitable and riskier for threat actors.1 This change emphasizes the critical need for organizations to prioritize data exfiltration detection and prevention, as relying solely on data backups for recovery is no longer a sufficient defense against the leverage of sensitive information exposure.
The pervasive nature of inaccessible dark web forum links within intelligence gathering efforts underscores the ephemeral and volatile characteristics of cybercriminal infrastructure.2 This transience highlights the inherent difficulty in relying on static dark web monitoring for real-time intelligence, necessitating dynamic, persistent monitoring capabilities and specialized access to verify claims and track evolving adversary infrastructure. The rapid disappearance of these platforms means that intelligence gathered can quickly become outdated, posing a continuous challenge for defenders.
II. Incident Overview: Notable Breaches and Vulnerabilities
The following table summarizes recent cybersecurity incidents, providing a quick reference to their key details, impacts, and attributed actors.
Table 1: Summary of Recent Cybersecurity Incidents
| Incident Name | Date Reported/Discovered | Target Organization/Sector | Type of Incident | Key Impact | Attributed Threat Actor(s) | Relevant Public Link(s) |
|---|---|---|---|---|---|---|
| Cayman National Bank and Trust (Isle of Man) Data Breach | Nov 18, 2019 (confirmed); Mar 21, 2025 (no new breach statement) | Financial (Isle of Man subsidiaries) | Data Theft | Data theft confirmed in 2019; no financial theft/fraud evident at the time. Separate from Cayman Islands operations. | Criminal hacking group (2019); elpatron85 (alleged dark web sale) | 16 |
| Ministry of Internal Affairs Russia Database Leak | Dec 2019 (listed); 2025 (contextual login attempt) | Government (Russia, US NLRB context) | Data Leak, Unauthorized Access Attempt | Details on Russian troop deployment (2019). Russian IP login attempt on US NLRB systems (2025) after data exfiltration. | elpatron85 (alleged dark web sale); Unidentified actor (2025 Russian IP) | 18 |
| Point Trader Group Data Breach (PointFXLtd) | Unspecified (alleged dark web sale) | Financial (Forex Brokerage Firm) | Alleged Data Leak | Unclear, 7k records alleged. | OneERA (alleged) | 8 |
| Judiciary of the Province of Catamarca Data Leak | Aug 12, 2019 (broader Argentine gov’t leak) | Government (Argentina Federal Police, Naval Prefecture; alleged Catamarca Judiciary) | Data Leak, Hacking | 700 GB data (confidential docs, wiretaps, biometrics, personal data of police officers). | , Nicolái Lobachevski (2019 police leak); Cypher404x (alleged Catamarca Judiciary) | 10 |
| Municipal Government of San Andrés Cholula Data Leak | Jan 26, 2024 (broader Mexican gov’t leak) | Government (Mexican journalists; alleged San Andrés Cholula) | Data Leak | Personal info of 309-324 journalists exposed (names, ID, CURP). | Unidentified actor (2024 journalists leak); aero (alleged San Andrés Cholula) | 11 |
| Sylvania Home Data Breach | Unspecified (alleged dark web claim) | Manufacturing (lighting solutions) | Alleged Data Breach | Unclear, no public confirmation. | Worldleaks (alleged) | 14 |
| A M King Data Breach | Unspecified (alleged dark web claim) | Unspecified (construction/industrial) | Alleged Data Breach | Unclear, no public confirmation. | Worldleaks (alleged) | 15 |
| OSSE San Juan Data Leak | Jan 2025 (contextual report) | Public Service/Water Utility (alleged) | Alleged Data Leak | Unclear, full SQL database dump alleged. | aero (alleged) | 12 |
| Fortinet Vulnerabilities Exploitation | April 11, 2025 (Fortinet warning) | Network Security (FortiOS, FortiGate users) | Vulnerability Exploitation (RCE), Unauthorized Access | Malicious file for read-only access to file system/configurations. | Unidentified threat actor; Belsen Group (linked to earlier Fortinet leaks) | 25 |
| Hospital Italiano de Buenos Aires RCE Vulnerability | Unspecified (alleged dark web claim) | Healthcare (Argentina) | Alleged RCE Vulnerability | Unclear, RCE access alleged. | Stephanie (alleged) | 13 |
| Gladinet CentreStack & Triofox Vulnerability (CVE-2025-30406) Exploitation | April 11, 2025 (Huntress alert) | Enterprise Software Users | RCE Vulnerability Exploitation | Remote Code Execution, privilege escalation to NT AUTHORITY\SYSTEM. | Threat actors (actively exploiting) | 27 |
| Gravy Analytics Data Breach | Jan 2025 (reported) | Location Data Broker | Data Breach | Millions affected, 17TB of precise location data, customer lists. | Cybercriminals | 23 |
| Conduent Cyberattack | Jan 2025 (reported) | Government Services, Payments | Cyberattack (potential ransomware) | Disrupted services in at least four US states, affecting government agencies and payments. | Unidentified | 23 |
| Phemex Crypto Exchange Breach | Jan 23, 2025 | Financial (Crypto Exchange) | Data Breach, Crypto Theft | $85 million in cryptocurrency stolen. | Threat actors | 24 |
| NoOnes Crypto Platform Breach | Jan 1, 2025 | Financial (P2P Crypto Trading) | Data Breach, Crypto Theft | $8 million in crypto assets lost due to Solana bridge exploitation. | Unidentified | 24 |
| PayPal Data Breach (2022 context) | Jan 23, 2025 (settlement) | Financial (Payment Processor) | Data Breach (credential stuffing) | 35,000 accounts breached in 2022. $2 million settlement. | Threat actors | 24 |
| Urban One Data Breach | Feb 13, 2025 (start); March 15 (discovered) | Media | Data Breach | Names, addresses, SSNs, direct deposit, W-2 info exfiltrated. | Cactus ransomware gang | 29 |
| Alera Group Data Breach | July 19 – Aug 4, 2024 (incident); reported 2025 | Financial (Retirement Plan Services) | Data Breach | 10,874 individuals affected. Names, addresses, SSNs, driver’s licenses, financial/credit card, passport, medical info. | Unauthorized access | 30 |
| Jani-King International, Inc. Security Incident | Nov 26 – Dec 21, 2024 (incident); reported Mar 17, 2025 | Franchise/Business Services | Security Incident (files copied) | Personal information potentially exposed. | Unauthorized third party | 31 |
| Inspira Financial Data Access | Dec 2024 – Jan 2025 | Financial (Retirement Plan Services) | Insider Threat (Improper Access) | Personal data of over 2,000 retirement plan participants accessed. | Call center representative | 30 |
| ICAO Data Breach | Jan 2025 (reported); 2016-2024 (data scope) | International Aviation Organization | Data Breach (SQL Injection) | Nearly 12,000 job applicants’ PII (names, emails, DOB, employment history). Espionage motive suggested. | Hacker | 23 |
| CHC Clinics Data Breach | Jan 2, 2025 (detected) | Healthcare | Data Breach | 1M+ individuals affected (patients, COVID test/vaccine recipients). Sensitive personal, financial, health info. | Unauthorized third party | 23 |
| HCF Management Cyberattack | 2025 | Healthcare (Nursing Facilities) | Cyberattack | ~70,000 residents affected. Sensitive personal and medical information. | Hackers | 23 |
| Law Firm Data Breach | Dec 13, 2023 (detected); reported 2025 | Legal Services | Data Breach | ~3.4 million individuals affected. Sensitive personal and protected health information (PHI). | Unauthorized actor | 23 |
| AT&T Data Breach | July 2024 (incident); reported Jan 2025 | Telecommunications | Data Breach | Sensitive info about FBI agents’ call and text logs (phone numbers, contact details). | Hackers | 24 |
A. Data Breaches
Cayman National Bank and Trust (Isle of Man) Data Breach (2019/2025 Context)
On November 18, 2019, Cayman National Corporation Ltd. publicly announced a data hack impacting its Isle of Man subsidiaries, specifically Cayman National Bank (Isle of Man) Limited (CNBIOM) and Cayman National Trust Company (Isle of Man) Limited (CNTIOM).16 A criminal hacking group claimed responsibility for this data theft the day prior, on November 17, 2019.16 It was confirmed that the breach was contained within the Isle of Man operations and did not extend to the separate entities in the Cayman Islands, which maintain distinct systems and databases.16 At the time of the announcement, there was no evidence of financial theft or fraud related to CNBIOM or CNTIOM clients.16 The actor “elpatron85” later allegedly offered “Sherwood Copies of the servers of the Cayman National Bank and Trust (Isle of Man)” on a dark web forum, although this link is now inaccessible.5
More recently, on March 21, 2025, Cayman National Bank Ltd. issued an information security update, reassuring its customers and stakeholders that it had not experienced a data breach or hacking incident.17 The bank stated that recent claims of data being found had no impact and did not indicate a compromise of their systems.17 The contradiction between the 2019 confirmed breach and the 2025 “no data breach detected” statement highlights the complexity of breach reporting and the potential for old data to resurface or for threat actors to make false claims for notoriety or to mislead. The 2025 statement likely refers to new incidents or the re-circulation of old data, a common occurrence where stolen information is traded or leaked years after the initial compromise, leading to renewed claims. The bank’s denial suggests that recent claims were investigated and found to be unsubstantiated regarding a new compromise. This underscores the continuous need for monitoring dark web forums and data leak sites, as old data can be repackaged and sold, creating new risks such as identity theft or phishing, even if the original vulnerabilities have been patched. It also emphasizes the importance of clear and precise communication from affected entities to distinguish between new and historical incidents.
Ministry of Internal Affairs Russia Database Leak (2019/2025 Context)
In December 2019, Distributed Denial of Secrets listed a significant data leak originating from Russia’s Ministry of the Interior.18 This leak reportedly included sensitive details, such as information concerning the deployment of Russian troops to Ukraine, at a time when the Kremlin officially denied a military presence there.18 While some of this material had been published as early as 2014, approximately half of the leaked data remained undisclosed.18 The actor “elpatron85” allegedly offered a “RUSSIAN INTERIOR MINISTRY DATABASE” on a dark web forum, though this link is currently inaccessible.7
This historical leak gains additional context from a more recent event in 2025. A user with a Russian IP address attempted to log into National Labor Relations Board (NLRB) systems in the United States.19 This attempt occurred just minutes after the Department of Government Efficiency (DOGE) had accessed and extracted substantial amounts of sensitive data from the NLRB.19 This sequence of events suggests a persistent and opportunistic pattern where state-sponsored or affiliated actors exploit vulnerabilities and data exposures for intelligence gathering. The historical leak from the Russian Ministry of Internal Affairs indicates a past compromise of sensitive Russian data, while the 2025 event suggests a potential opportunistic exploitation of a new vulnerability or exposed credentials (possibly from DOGE’s activities) by an actor potentially linked to Russia. The consistent interest in sensitive government data across different contexts points to a strategic objective. This highlights the enduring threat of state-sponsored cyber espionage and the potential for adversaries to leverage any exposed entry points, regardless of their origin, such as domestic misconfigurations or insider threats like DOGE. It emphasizes the critical need for robust supply chain security and vigilance against credential reuse or exposure across government systems.
Point Trader Group Data Breach
Direct details regarding a “Point Trader Group” data breach are not explicitly provided in the available information. However, the research material discusses a “Massive breach at location data seller: ‘Millions’ of users affected” that occurred at Gravy Analytics in January 2025.23 This incident exposed precise location data, customer lists, and broader industry information, with the cybercriminals claiming to have stolen 17 terabytes of data.23 Separately, the threat actor “OneERA” allegedly offered a database from a “7k Forex Brokerage Firm www.pointfxltd.com” on a dark web forum, though this link is inaccessible.8 It remains unclear if “Point Trader Group” is directly related to “pointfxltd.com” or the Gravy Analytics breach.
The mention of “Point Trader Group data breach” in the query, contrasted with the provided information focusing on Gravy Analytics and a “PointFXLtd” dark web listing, suggests a potential misattribution or conflation of incidents, or it may indicate a broader trend of financial and data brokerage firms being targeted. This situation underscores the challenges of precise incident naming and tracking in the fast-moving cyber threat landscape. The Gravy Analytics breach represents a confirmed, significant event involving highly sensitive location data. The “PointFXLtd” claim, while unverified due to the inaccessible link, suggests a continued focus on financial or brokerage firms. This reinforces the vulnerability of data brokers and financial services to large-scale data exfiltration, driven by the high value of such data for identity theft and other fraudulent activities.
Judiciary of the Province of Catamarca Data Leak
Specific details concerning a data leak from the “Judiciary of the Province of Catamarca” are limited within the provided information. However, broader context points to a significant leak of sensitive government data in Argentina on August 12, 2019.20 This incident involved 700 GB of confidential documents, wiretaps, and biometric information from the Argentine Federal Police, along with personal data of police officers.20 The Twitter account of the Argentine Naval Prefecture was also compromised and used to disseminate links to the stolen information and spread fake news.20 The user “” or “Nicolái Lobachevski” claimed responsibility for this 2019 Argentine police leak.20 Separately, the actor “Cypher404x” allegedly offered a “Judiciary of the Province of Catamarca” database on a dark web forum, but this link is inaccessible.10
The repeated targeting of Argentine government entities, including the Federal Police, Naval Prefecture, and potentially the Judiciary of Catamarca, as well as Mexican government entities (such as the leak of national journalists’ data and the alleged leak from the Municipal Government of San Andrés Cholula), suggests a regional pattern of cyberattacks against Latin American public sector organizations.10 This pattern indicates either a systemic vulnerability or sustained targeting of public sector bodies in these countries. Motivations for such attacks could range from hacktivism, as observed with “LaGorraLeaks” and “Nicolái Lobachevski” in Argentina, to financial gain derived from selling sensitive citizen data. Governments in the region are therefore compelled to significantly enhance their cybersecurity posture, focusing on robust data protection, effective incident response, and comprehensive employee training to counter both politically motivated and financially driven attacks. The ease with which sensitive data, such as journalists’ personal information or police data, is compromised carries severe implications for national security and citizen privacy.
Municipal Government of San Andrés Cholula Data Leak
No direct details of a specific data leak affecting the “Municipal Government of San Andrés Cholula” are provided. However, a broader Mexican government data leak occurred on January 26, 2024, which exposed the personal information of at least 309 journalists.22 This information was extracted from an “inactive government website” by an unauthorized individual using the username and password of a former government employee.22 The exposed data included journalists’ full names, CURP codes (a personal identity code similar to a social security number), and copies of personal identification documents, with electoral cards often containing addresses.22 The actor “aero” allegedly offered a “DB from Gobierno Municipal de San Andrés Cholula, México” on a dark web forum, although this link is inaccessible.11
The exposure of journalists’ personal data in a Mexican government leak highlights a critical risk to press freedom and individual safety, particularly in regions where journalists face significant threats.22 Journalists frequently cover sensitive topics, making them potential targets of harassment or violence. The public availability of their addresses, often derived from electoral cards, and other identifying information directly jeopardizes their safety and ability to report freely. This incident necessitates immediate and thorough investigation by authorities, not only for data privacy violations but also for potential threats to human rights. It also calls for stronger data security protocols for government systems that hold sensitive personal information, especially for vulnerable populations like journalists.
Sylvania Home Data Breach
The available information does not confirm a specific “Sylvania Home” data breach. Instead, the provided material includes references to Sylvania Group and OSRAM SYLVANIA privacy policies, which outline their approaches to data protection, personal data breaches, and data transfer.32 Despite the absence of public confirmation, the actor “Worldleaks” allegedly offered details of an “alleged data breach of Sylvania Home” on a dark web forum.14 This dark web link is currently inaccessible, meaning the claim remains unverified.
The lack of public confirmation of a “Sylvania Home” data breach, despite a dark web claim, and the existence of detailed privacy policies from related entities, underscore the challenges in verifying dark web claims and the importance of official disclosures. Dark web claims are not always legitimate; they may refer to minor incidents not publicly disclosed, or they could be entirely fabricated. Companies like Sylvania and OSRAM SYLVANIA have privacy policies in place, indicating an awareness of data protection, but this does not preclude a breach. This situation highlights the “fog of war” in cyber intelligence, where claims must be rigorously verified. It also suggests that organizations, even those with robust privacy frameworks, may choose not to publicly confirm every alleged breach, particularly if the impact is deemed minor or the claims are unsubstantiated.
A M King Data Breach
There are no direct details concerning an “A M King” data breach in the provided information. However, several other data breaches affecting employee and customer personal information have been documented. For instance, the Alera Group experienced an external system data breach between July and August 2024, impacting 10,874 individuals and exposing sensitive data such as Social Security numbers, financial information, and medical details.30 Jani-King International, Inc. also reported a security incident between November and December 2024, where an unauthorized third party accessed and copied files from their internal systems, potentially exposing personal information.31 Additionally, Inspira Financial faced an incident between December 2024 and January 2025, where a call center representative improperly accessed the personal data of over 2,000 retirement plan participants.30 The actor “Worldleaks” allegedly offered details of an “alleged data breach of A M King” on a dark web forum, but this link is inaccessible.15
The recurrence of data breaches affecting employee and customer personal information across various companies, including Alera Group, Jani-King, Inspira Financial, and the alleged A M King incident, points to a persistent vulnerability in human resources and customer data management systems. These vulnerabilities are often exploited through insider threats or network access. While these incidents are distinct, they share a common theme of sensitive personal data being compromised. The Jani-King incident explicitly mentions an “unauthorized third party accessed and copied files contained within certain segments of our network,” while the Inspira Financial case clearly indicates an insider threat. This highlights the critical need for organizations to implement robust access controls, continuous monitoring of internal systems, and comprehensive employee training on data handling and security best practices. It also emphasizes the significant risk posed by third-party vendors and internal actors within an organization’s security perimeter.
OSSE San Juan Data Leak (January 2025 Context)
No specific details regarding an “OSSE San Juan” data leak are directly provided in the available information. The acronym “OSSE” appears in the context of scientific experiments related to oceanography and ozone observations.34 However, the “January 2025 Data Breaches Report” details several large-scale breaches that occurred or were reported in early 2025.23 These include a massive breach at Gravy Analytics (a location data seller affecting millions), a cyberattack on Conduent (disrupting government services in multiple states), breaches at crypto exchanges Phemex ($85 million stolen) and NoOnes ($8 million lost), and a PayPal settlement related to a 2022 credential stuffing attack.23 Additionally, healthcare entities like CHC clinics (over 1 million individuals affected) and HCF Management (approximately 70,000 residents affected) experienced data breaches exposing sensitive health information.23 An international aviation organization (ICAO) also suffered a data breach via SQL injection, affecting job applicants’ PII.23 The actor “aero” allegedly offered an “OSSE San Juan Full SQL DATABASE Dump” on a dark web forum, although this link is inaccessible.12
The alleged “OSSE San Juan” data leak, despite the term “OSSE” primarily appearing in scientific contexts, suggests that even seemingly non-traditional targets or less-publicized entities can be subject to data exfiltration and dark web claims. The existence of a dark web claim, even if unverified or from an unexpected source, indicates a potential compromise. This underscores the broad scope of cybercriminal targeting, extending beyond typical corporate or government entities to potentially include research institutions or specialized public services. It emphasizes the need for comprehensive asset discovery and protection, as any networked entity holding data can become a target. The clustering of diverse, large-scale data breaches reported in early 2025 across sectors like tech, government, media, healthcare, legal, and telecom indicates a sustained and pervasive threat landscape, with attackers targeting a wide array of sectors and data types.23 This suggests that cybercriminals and other threat actors are highly active and capable of compromising diverse systems, with motivations ranging from direct financial gain to espionage. Organizations across all sectors must therefore assume they are potential targets and invest in comprehensive, multi-layered cybersecurity defenses, focusing on resilience and rapid response.
B. Vulnerabilities Exploited / RCE Incidents
Fortinet Vulnerabilities Exploitation (April 2025)
On April 11, 2025, Fortinet issued a warning regarding a threat actor actively exploiting vulnerabilities within its FortiOS and FortiGate products.25 This exploitation involved the creation of a malicious file that could enable read-only access to the file system of affected devices, potentially exposing configurations.25 In response, cybersecurity agencies like CISA advised immediate mitigation steps, including upgrading FortiOS to specific versions (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16), reviewing device configurations, resetting potentially exposed credentials, and considering the temporary disabling of SSL-VPN functionality as a workaround if patching was not immediately feasible.25
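The first mitigation step above is a branch-aware version check, since the fixed builds (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) ship per release branch and a plain numeric comparison gets it wrong. The following Python triage script is an added example, not Fortinet or CISA tooling; the device inventory is constructed, and the fixed-version table is taken from the advisory summary in this report.

```python
"""Triage a FortiOS inventory against the fixed builds named in the April 2025
Fortinet advisory summarised above.

Added example, not Fortinet's or CISA's tooling. Hostnames and versions in
SAMPLE_INVENTORY are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed build per release branch, as listed in the advisory summary.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 6): (7, 6, 2),
    (7, 4): (7, 4, 7),
    (7, 2): (7, 2, 11),
    (7, 0): (7, 0, 17),
    (6, 4): (6, 4, 16),
}

# Accepts 'v7.4.6', '7.2.11', or '7.2.11 build2030' (trailing build text ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse a reported FortiOS version string into (major, minor, patch); None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(version_text: str) -> str:
    """Classify one device: 'patched', 'vulnerable', 'unknown-branch' or 'unparseable'.

    The comparison is per branch: 7.2.11 is fixed even though 7.4.6 is numerically
    'higher' and is not, because each branch received its own fixed build.
    """
    ver = parse_version(version_text)
    if ver is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get((ver[0], ver[1]))
    if fixed is None:
        # Branch not covered by the advisory (e.g. an older train): needs manual review or upgrade.
        return "unknown-branch"
    return "patched" if ver >= fixed else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by triage result so the vulnerable set can be actioned first."""
    result: Dict[str, List[str]] = {}
    for name, version in inventory.items():
        result.setdefault(triage(version), []).append(name)
    return result


# Constructed sample inventory: hostname -> version string as reported by the device.
SAMPLE_INVENTORY = {
    "fw-edge-01": "v7.4.6",
    "fw-edge-02": "v7.4.7",
    "fw-branch-03": "7.2.11 build2030",
    "fw-branch-04": "v7.0.16",
    "fw-lab-05": "v6.2.15",
    "fw-dc-06": "v7.6.2",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:15s} {', '.join(sorted(hosts))}")
```

Devices in the "vulnerable" and "unknown-branch" groups are the ones for which the advisory's remaining steps (configuration review, credential reset, temporary SSL-VPN disablement) apply until they are upgraded.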
The rapid exploitation of newly discovered vulnerabilities in widely used enterprise software, such as Fortinet FortiOS and FortiGate, highlights the critical importance of timely patching and proactive threat intelligence for organizations. This indicates that threat actors are quick to weaponize publicly disclosed vulnerabilities, especially those affecting network security devices like firewalls, which provide high-value access to internal networks. Organizations must implement robust vulnerability management programs, including continuous scanning, rapid patch deployment, and proactive monitoring for indicators of compromise related to newly exploited CVEs. The advice to review configurations and reset credentials further suggests that successful exploitation could lead to persistent access or credential compromise, necessitating a thorough post-incident hygiene.
It is worth noting that the term “Fordnox threat actor” appears in some queries related to Fortinet 2, but this seems to be a misinterpretation or conflation of “Fort Knox” (a cybersecurity division or general term for robust security) with a specific threat actor.36 The actual actor noted for leaking Fortinet users’ details on the dark web in January 2025, linked to CVE-2022-40684, is the “Belsen Group”.26 This observation underscores the importance of precise naming conventions and verification in threat intelligence to prevent misattribution, which can lead to misdirected defensive efforts and a skewed understanding of the threat landscape.
Hospital Italiano de Buenos Aires RCE Vulnerability
No direct details of a confirmed Remote Code Execution (RCE) vulnerability or its exploitation at Hospital Italiano de Buenos Aires are provided in the available information. The snippets primarily discuss the hospital’s involvement in medical research, specifically its development of a COVID-19 Severity Index (CSI) clinical prediction rule based on the NEWS-2 scale.39 However, the actor “Stephanie” allegedly offered “RCE in hospitalitaliano.org.ar” on a dark web forum, though this link is inaccessible.13
The alleged RCE vulnerability in a healthcare institution like Hospital Italiano de Buenos Aires, coupled with the broader trend of healthcare sector targeting, as seen with breaches at Fred Hutch Cancer Center, Integris Health, CHC clinics, and HCF Management 1, underscores the persistent high-value nature of healthcare data and systems for cybercriminals. Healthcare organizations hold highly sensitive personal and medical data, making them attractive targets for data exfiltration and extortion. RCE vulnerabilities offer direct and powerful access for attackers, allowing them to execute arbitrary code on compromised systems. This situation emphasizes that healthcare providers must prioritize patching, comprehensive vulnerability management, and robust network segmentation to protect patient data and critical operational systems from sophisticated attacks. The potential for disruption to patient care, as tragically demonstrated by incidents like the Fred Hutch Cancer Center breach, makes these incidents particularly severe and impactful.
Gladinet CentreStack & Triofox Vulnerability (CVE-2025-30406) Exploitation (April 2025)
On April 11, 2025, a critical vulnerability, CVE-2025-30406, affecting Gladinet CentreStack and Triofox servers was identified as being actively exploited by threat actors.27 This vulnerability, rated with a high severity score of 9.0, allows for remote code execution (RCE) through ASPX ViewState deserialization, specifically by leveraging hardcoded keys.27 Successful exploitation of this flaw can lead to privilege escalation, potentially granting attackers NT AUTHORITY\SYSTEM privileges, which would result in a full compromise of the target server.27
The active exploitation of a critical RCE vulnerability with a high severity score and “no prerequisites” beyond knowing default keys highlights the immediate and widespread danger posed by easily exploitable flaws in common enterprise software. The ease of exploitation and the high impact (RCE, privilege escalation to SYSTEM) make this a prime target for opportunistic attackers seeking broad access to victim networks. This emphasizes the critical need for organizations to maintain an accurate inventory of their internet-facing assets, regularly scan for known vulnerabilities, and apply patches immediately, especially for high-severity RCE flaws in widely used applications. Default configurations and hardcoded credentials remain a significant and frequently exploited attack surface that organizations must address proactively.
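The weakness described in the two paragraphs above is a static ASP.NET machineKey that is the same on every installation, which is what makes ViewState deserialization exploitable without further prerequisites. The following Python audit script is an added example, not Gladinet's code or configuration: it assumes a standard ASP.NET web.config layout, the sample configs and the "known default key" list are constructed placeholders (the vendor's real key values and file paths are not given in this report), and it shows the weak setting beside the hardened one.

```python
"""Audit an ASP.NET web.config for a static <machineKey>, the configuration
weakness behind the ViewState deserialization RCE described above.

Added example, not Gladinet's code or configuration. Assumes a standard
ASP.NET web.config layout. Both sample configs and KNOWN_DEFAULT_KEYS are
constructed placeholders; populate the key list from the vendor advisory.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed: an explicit key pair, i.e. one that ships identically to every install.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed: keys generated per host by the framework, so no package carries them.
SAFE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Constructed placeholder set of keys known to be shipped as defaults.
KNOWN_DEFAULT_KEYS = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}


def audit_machine_key(config_xml: str) -> List[str]:
    """Return findings for the <machineKey> element; an empty list means nothing flagged."""
    findings: List[str] = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element: ASP.NET auto-generates keys, so there is no static secret in the package.
        return findings
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if value.upper() in KNOWN_DEFAULT_KEYS:
            findings.append(f"{attr}: matches a known shipped default key; rotate immediately")
        else:
            findings.append(f"{attr}: static key present; confirm it is unique to this deployment")
    if mk.get("validation", "").upper() in ("SHA1", "MD5"):
        findings.append("validation: weak MAC algorithm; prefer HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> Dict[str, str]:
    """Fresh random keys (64-byte validation, 32-byte AES decryption) for a per-deployment config."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, audit_machine_key(cfg) or ["no findings"])
    print("replacement keys:", generate_machine_key())
```

Rotating the key also invalidates any ViewState or forms-authentication tokens minted under the old one, which is the intended effect after a suspected compromise.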
C. Other Notable Incidents (January-May 2025)
The period between January and May 2025 saw a flurry of significant cybersecurity incidents across various sectors, reinforcing the pervasive nature of cyber threats:
- Gravy Analytics Data Breach (Jan 2025): A massive breach at this location data seller affected millions globally, exposing precise location data and customer lists. The incident was attributed to a “misappropriated key” providing unauthorized access to their AWS cloud storage environment.23
- Conduent Cyberattack (Jan 2025): This incident disrupted services in at least four US states, particularly affecting government agencies and their ability to process payments. While the nature of the attack suggested potential ransomware, no specific group claimed responsibility.23
- Phemex Crypto Exchange Breach (Jan 2025): Hackers stole $85 million in cryptocurrency from Phemex’s hot wallet in a sophisticated attack.24
- NoOnes Crypto Platform Breach (Jan 2025): This peer-to-peer cryptocurrency trading platform suffered an $8 million loss due to the exploitation of its Solana bridge.24
- PayPal Data Breach (Jan 2025, related to 2022 incident): PayPal agreed to a $2 million settlement for failing to comply with New York State’s cybersecurity regulations, following a 2022 credential stuffing attack that breached 35,000 accounts.24
- Urban One Data Breach (Feb-March 2025): This media firm, primarily targeting the African American community, experienced a data breach initiated through a “sophisticated social engineering campaign.” The attackers exfiltrated sensitive employee information, including names, addresses, Social Security numbers, direct deposit, and W-2 information. The Cactus ransomware gang claimed responsibility.29
- Alera Group Data Breach (July-Aug 2024, reported 2025): An external system breach impacted 10,874 individuals, exposing names, addresses, Social Security numbers, driver’s licenses, financial and credit card information, passport details, and medical information.30
- Jani-King International, Inc. Security Incident (Nov-Dec 2024, reported March 2025): An unauthorized third party accessed and copied files from internal systems, potentially exposing personal information.31
- Inspira Financial Data Access (Dec 2024-Jan 2025): A call center representative improperly accessed the personal data of over 2,000 retirement plan participants, highlighting an insider threat.30
- ICAO Data Breach (2025, related to 2016-2024 data): An SQL Injection vulnerability in a web application led to access of 42,000 sensitive documents, affecting nearly 12,000 job applicants’ Personally Identifiable Information (PII), including names, email addresses, dates of birth, and employment history. Espionage was suggested as a motive.23
- CHC Clinics Data Breach (Jan 2025): An unauthorized third party gained access and copied files, affecting over 1 million individuals, including patients and those who received COVID tests or vaccines at CHC clinics. A wide range of sensitive personal, financial, and health information was exposed.23
- HCF Management Cyberattack (2025): This cyberattack affected approximately 70,000 residents across multiple nursing facilities, exposing sensitive personal and medical information.23
- Law Firm Data Breach (Dec 2023, reported 2025): A significant breach affected approximately 3.4 million individuals, exposing sensitive personal and protected health information (PHI).23
- AT&T Data Breach (July 2024, reported Jan 2025): This major incident compromised sensitive information about FBI agents’ call and text logs, including phone numbers and contact details.24
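The ICAO entry above (and the Iranian election-site activity profiled later in this report) both hinge on SQL injection. The following added example, which is not code from any of the affected applications, puts the vulnerable pattern beside its fix against a constructed applicant table: string interpolation lets a single quote rewrite the WHERE clause, while a bound parameter keeps the same input as plain data.

```python
"""Vulnerable versus parameterised applicant lookup, to show the flaw class
behind the ICAO breach. Added illustration: the table, rows and query are
constructed and are not the affected application's code."""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an applicant store.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, email TEXT, name TEXT, dob TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (email, name, dob) VALUES (?, ?, ?)",
        [
            ("a.nasser@example.org", "A. Nasser", "1981-04-02"),
            ("l.ortiz@example.org", "L. Ortiz", "1990-11-17"),
            ("k.sato@example.org", "K. Sato", "1975-06-30"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The caller's string is spliced into the statement, so a quote character
    # lets it rewrite the WHERE clause and the whole table becomes readable.
    sql = f"SELECT id, email, name, dob FROM applicants WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it is compared as data no matter what characters it contains.
    return conn.execute(
        "SELECT id, email, name, dob FROM applicants WHERE email = ?", (email,)
    ).fetchall()


# Classic tautology payload; an attacker who sees it work moves on to
# UNION SELECT against other tables, which is how whole document stores leak.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", len(lookup_vulnerable(db, PAYLOAD)), "rows")  # every applicant
    print("safe:", len(lookup_safe(db, PAYLOAD)), "rows")              # none
```

Parameterisation is the fix; a read-only, single-schema database account for the web tier is the compensating control that limits what a missed injection point can reach.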
The clustering of these diverse, large-scale data breaches reported in early 2025 indicates a sustained and pervasive threat landscape, with attackers targeting a wide array of sectors and data types. The sheer volume of reported breaches highlights that no industry is immune, and the focus should be on resilience and rapid response. The repeated targeting of financial institutions, as seen with Phemex, NoOnes, and PayPal, and the increasing sophistication of attacks, such as the “sophisticated social engineering” used against Urban One or the “misappropriated key” in the Gravy Analytics breach, demonstrate the high-value nature of financial data and the evolving attack vectors. Financial organizations, in particular, require advanced threat detection, robust fraud prevention, and continuous security audits. The PayPal incident also highlights the regulatory consequences of inadequate cybersecurity controls.
III. Threat Actor Profiles
This section provides detailed profiles of identified threat actors, including their aliases, tactics, techniques, and procedures (TTPs), motivations, and known affiliations.
Table 2: Key Threat Actor Profiles
Threat Actor Name (Primary) | Aliases | Primary TTPs | Key Motivations | Known Affiliations/Groups | Notable Incidents (brief) |
Pryx | HolyPryx, Sp1d3r | Malware Development (server-side stealer), Ransomware Operations (Hellcat), Double Extortion, Attention-Grabbing Tactics | Financial gain, political (anti-Israel) | Hellcat ransomware group, XSS cybercrime forum, BreachForums, DangerZone cybercrime forum (moderator), IntelBroker, “Five Families” hacking alliance | Hellcat ransomware operations (4 DLS victims), Schneider Electric (joking ransom), U.S. telecom provider (physical manipulation) |
Worldleaks | Hunters International (rebrand), possibly Hive (original) | Extortion-as-a-Service (EaaS), Data Theft & Extortion-Only, Custom Exfiltration Tool, Multi-Platform Operation | Financial gain (increased efficiency, reduced risk) | Hunters International (operators), Secp0 ransomware group (collaborator) | Over 280 attacks (as Hunters International), Fred Hutch Cancer Center (800k patients), Tata Technologies, U.S. Marshals Service |
INDOHAXSEC | AnonBlackFlag (earlier iteration) | Distributed Denial-of-Service (DDoS), Ransomware (ExorLock), Website Defacements | Geopolitical (retaliation against India’s missile strikes) | NoName057(16), Team Azrael – Angel of Death | DDoS/ransomware against Australia, India, Israel, Malaysia gov’t/entities; defacement of The World Watch, Godavari Enterprises, Omkar Khabar Odisha |
OneERA | | Data Exfiltration, Data Sale | Financial gain (identity theft, scams, phishing) | | MediaWorks cyberattack (2.46M PII records, NZ), Urban One data breach, alleged PointFXLtd database leak |
Cypher404x | | Data Leak (alleged) | Unclear (likely financial) | | Alleged database leaks from Judiciary of Catamarca (Argentina) and Municipal Government of San Andrés Cholula (Mexico) |
AeroBlade | | Spear-phishing, Weaponized Documents (VBA macros, remote template injection) | Commercial and competitive cyber espionage | | Targeting a US aerospace organization since Sep 2022 |
Tunisian Maskers Cyber Force | | Unspecified (Hacktivism likely: DDoS, defacement, data leaks) | Ideological/Political (alleged target Cyprus) | Anonymous (general hacktivism context) | Alleged claim to target Cyprus |
elpatron85 | | Data Brokerage, Data Sale | Financial gain | | Alleged sales of Cayman National Bank server data, Russian Interior Ministry database, Maksym Igor Popov’s private files, Podesta Emails |
Stephanie | | Alleged RCE sale, AI-enhanced social engineering (general context) | Unclear (likely financial) | | Alleged RCE in Hospital Italiano de Buenos Aires |
Belsen Group | | Data Leak | Unclear (likely financial) | | Leaked details of 15,000+ Fortinet firewall users |
Cactus Ransomware Gang | | Ransomware (via online ads) | Financial gain | | Urban One data breach, Americold, Swedish supermarket, Housing Authority of City of Los Angeles, Schneider Electric |
Vicioustrap | | Vulnerability Exploitation (Cisco routers, CVE-2023-20118), Adversary-in-the-Middle | Unclear (Chinese-speaking origin) | | Compromised ~5,300 network edge devices (primarily Macau) |
UAT-6382 | | Vulnerability Exploitation (Trimble Cityworks, CVE-2025-0944), Web Shells, Custom Malware (Cobalt Strike, Tetraloader) | Unclear (Chinese-speaking origin) | | Targeted US local governing bodies |
Silver Fox | | Malware Campaign (Winos 4.0 via fake installers) | Unclear | | Targets Chinese-speaking environments |
Hellhounds | | Decoy Dog Trojan (custom Pupy RAT, DNS tunneling) | Unclear | | Compromised 48 victims in Russia (IT, gov’t, space, telecom) |
Secshow | | Query Amplification (Decoy Dog) | Unclear | | Linked to Decoy Dog amplification |
Iranian APT actor | | Vulnerability Scanning (Acunetix), SQL Injection, Web Shells, Voter Data Exfiltration | State-sponsored espionage, disinformation | | Targeted US state election websites (2020) |
OPERA1ER | DESKTOP-GROUP, Common Raven, NXSMS | Financial Fraud, Off-the-shelf tools (Cobalt Strike) | Financial gain ($11M+ stolen) | | 30+ attacks on banks, financial services, telecom in Africa (2018-2022) |
RedCurl | | Corporate Espionage, Ransomware (QWCrypt) | Corporate espionage | | Corporate espionage since late 2018 |
FamousSparrow | | Backdoor Deployment (ShadowPad, SparrowDoor) | Unclear (Chinese hacking crew) | | Targeted US trade group, Mexican research institute |
Konni | | LNK file exploitation, Multi-stage infection, RAT (Konni RAT), Cloud service hosting (Dropbox, Google Drive) | Unclear (North Korea-linked) | | Used AsyncRAT in new campaign |
A. Pryx (Aliases: HolyPryx, Sp1d3r)
Pryx is a prolific threat actor, reportedly as young as 17, who develops malware and ransomware and also acts as an initial access broker.41
Tactics, Techniques, and Procedures (TTPs): Pryx has demonstrated advanced capabilities in malware development, notably a “server-side stealer”.41 This malware inverts the usual information-stealer flow: instead of pushing harvested data to an attacker-controlled server, it starts a Tor onion service on the compromised machine, which then acts as a lightweight file server hosting the stolen data.41 The attacker retrieves individual files with GET requests to that onion address, a pull model intended to reduce the chance that researchers observe the exfiltration.41 Tor also hides the attacker’s origin, complicating forensic attribution. The hosted data is not stored in plain text; decryption requires a Python script that Pryx provides.41 The design avoids the large outbound transfers that make conventional exfiltration easy to spot: the victim machine serves small responses on demand rather than uploading a bulk archive. Two caveats matter for defenders. First, an onion service still requires the host to run a Tor client and build circuits, so the Tor bootstrap and relay connections leaving the endpoint are themselves observable, and an unexpected process opening a loopback listener on a workstation is a strong endpoint signal. Second, because nothing leaves until the attacker pulls it, egress volume monitoring alone will miss this technique; detection has to combine endpoint process and socket telemetry with proxy or firewall visibility of Tor traffic. It is a reminder that attackers adapt to whichever control is most commonly deployed.
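One way to turn the endpoint signal described above into a detection, as an added example that is not Pryx’s code nor any vendor’s rule: correlate, per host, an unexpected loopback listener with a burst of outbound connections to distinct peers on ports commonly used by Tor relays. The event schema, process allowlists, sample hosts and addresses (TEST-NET ranges) are all constructed assumptions.

```python
"""Correlate endpoint telemetry to find a host that has quietly become a
Tor-reachable file server: an unexpected loopback listener appears and, within
a short window, the same host fans out to several peers on Tor-relay ports.
Added illustration; schema, allowlists and sample events are constructed and
not tied to any specific malware sample."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TOR_LIKE_PORTS = {9001, 9030, 443}      # common relay ORPort / DirPort choices
EXPECTED_LISTENERS = {"svchost.exe", "docker.exe", "spoolsv.exe"}  # assumed benign loopback listeners
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}             # expected to fan out on 443
WINDOW = timedelta(minutes=15)
MIN_PEERS = 3

# Constructed JSON-lines telemetry: one "listen" or "connect" event per line.
SAMPLE_EVENTS = """
{"ts": "2025-03-04T09:00:00", "host": "WS-017", "proc": "update_helper.exe", "pid": 4412, "type": "listen", "laddr": "127.0.0.1", "lport": 8080}
{"ts": "2025-03-04T09:00:05", "host": "WS-017", "proc": "update_helper.exe", "pid": 4412, "type": "connect", "raddr": "192.0.2.10", "rport": 9001}
{"ts": "2025-03-04T09:00:06", "host": "WS-017", "proc": "update_helper.exe", "pid": 4412, "type": "connect", "raddr": "192.0.2.22", "rport": 443}
{"ts": "2025-03-04T09:00:09", "host": "WS-017", "proc": "update_helper.exe", "pid": 4412, "type": "connect", "raddr": "192.0.2.35", "rport": 9001}
{"ts": "2025-03-04T09:00:11", "host": "WS-017", "proc": "update_helper.exe", "pid": 4412, "type": "connect", "raddr": "192.0.2.41", "rport": 9030}
{"ts": "2025-03-04T09:01:00", "host": "WS-022", "proc": "docker.exe", "pid": 900, "type": "listen", "laddr": "127.0.0.1", "lport": 2375}
{"ts": "2025-03-04T09:02:00", "host": "WS-031", "proc": "chrome.exe", "pid": 2211, "type": "connect", "raddr": "192.0.2.50", "rport": 443}
{"ts": "2025-03-04T09:02:01", "host": "WS-031", "proc": "chrome.exe", "pid": 2211, "type": "connect", "raddr": "192.0.2.51", "rport": 443}
{"ts": "2025-03-04T09:02:02", "host": "WS-031", "proc": "chrome.exe", "pid": 2211, "type": "connect", "raddr": "192.0.2.52", "rport": 443}
{"ts": "2025-03-04T12:00:00", "host": "WS-044", "proc": "sync_agent.exe", "pid": 77, "type": "listen", "laddr": "127.0.0.1", "lport": 9999}
{"ts": "2025-03-04T13:30:00", "host": "WS-044", "proc": "sync_agent.exe", "pid": 77, "type": "connect", "raddr": "192.0.2.60", "rport": 9001}
{"ts": "2025-03-04T13:30:01", "host": "WS-044", "proc": "sync_agent.exe", "pid": 77, "type": "connect", "raddr": "192.0.2.61", "rport": 9001}
{"ts": "2025-03-04T13:30:02", "host": "WS-044", "proc": "sync_agent.exe", "pid": 77, "type": "connect", "raddr": "192.0.2.62", "rport": 9001}
"""


def parse(text: str) -> list:
    """Parse JSON lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_suspects(events: list) -> list:
    """Hosts with an unexpected loopback listener plus Tor-like fan-out nearby in time."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)
    suspects = []
    for host, evs in by_host.items():
        listeners = [
            e for e in evs
            if e["type"] == "listen"
            and e.get("laddr", "").startswith("127.")
            and e["proc"] not in EXPECTED_LISTENERS
        ]
        for lst in listeners:
            # Window is symmetric: the Tor client may bootstrap before or after
            # the local service comes up.
            peers = {
                e["raddr"] for e in evs
                if e["type"] == "connect"
                and e["rport"] in TOR_LIKE_PORTS
                and e["proc"] not in BROWSERS
                and abs(e["ts"] - lst["ts"]) <= WINDOW
            }
            if len(peers) >= MIN_PEERS:
                suspects.append({"host": host, "process": lst["proc"],
                                 "listener_port": lst["lport"], "peers": sorted(peers)})
    return suspects


if __name__ == "__main__":
    for s in find_suspects(parse(SAMPLE_EVENTS)):
        print(s)
```

In the constructed sample only WS-017 trips the rule: WS-022’s listener is an allowlisted process, WS-031 is a browser with no listener, and WS-044’s fan-out falls outside the correlation window. The allowlists are the tuning knobs; in production they should come from an inventory of expected local services rather than a hand-written set.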
Pryx also founded the Hellcat ransomware group in October 2024.41 Hellcat employs a double-extortion tactic, stealing sensitive data before encrypting it, and then threatening to release the stolen information to demand higher ransoms.41 The group is known for its attention-grabbing tactics, such as jokingly demanding “$150,000 in baguettes” from Schneider Electric and manipulating physical systems, including printing ransomware notes, cutting server room power, and sounding alarms, during an attack on a U.S. telecom provider.41 These actions are designed to attract media and researcher attention, effectively providing free advertisement for the group.
Motivations: Pryx’s motivations appear to be a mix of financial opportunity and political objectives. The actor is noted for being anti-Israel and has stated a focus on the government sector, aligning with Hellcat’s first victim, Israel’s Knesset.41 However, the targeting of other victims also suggests a primary financial motivation.41
Affiliations: Pryx is primarily active on the XSS cybercrime forum, where contributions to “Article Competitions” include write-ups on malware and operational security.41 The actor also has occasional activity on BreachForums 41 and serves as a moderator for the new DangerZone cybercrime forum, which is accessible on both the dark and clear web.41 Pryx is associated with IntelBroker, a notorious threat actor responsible for multiple high-profile breaches and the current owner of BreachForums, who is also a notable member of the Hellcat ransomware group.41 Furthermore, Pryx is linked with members of the “Five Families” hacking alliance, indicating a well-established network of collaborators.41 The Hellcat group itself consists of nine members, including data brokers who leak or sell compromised data, Initial Access Brokers (IABs) who sell network access, and malware developers.41
Notable Incidents: Pryx is associated with Hellcat ransomware operations, which have claimed four victims on their data leak site.41 The Fred Hutch Cancer Center breach, affecting 800,000 patients, is sometimes mentioned alongside these groups but was carried out by Hunters International 1 (now World Leaks), not by Hellcat; no link to Pryx is established, and the incident is profiled in the World Leaks section below. It has also been noted that Pryx, along with the actor known as Rey, fell victim to info stealer logs themselves.42
B. Worldleaks (Rebranded from Hunters International)
World Leaks is a new extortion platform that emerged in early 2025, launched by the operators of the Hunters International ransomware group.43 Hunters International itself emerged in late 2023 and was quickly identified by researchers as a probable rebrand of the dismantled Hive ransomware group due to overlapping code and infrastructure patterns.1
Tactics, Techniques, and Procedures (TTPs): World Leaks operates as an Extortion-as-a-Service (EaaS) platform, providing its affiliates with a “custom-built exfiltration tool”.1 This tool, an enhanced version of the Storage Software utility previously used with Hunters’ ransomware payloads, is now central to their attacks, automating the data theft process across victim networks.1 The group has strategically shifted its focus from traditional ransomware, which relies on encryption, to pure data theft and threatening to leak stolen information to compel payments.1 While World Leaks claims to be an extortion-only project, some of their claimed victims have reportedly experienced ransomware deployment on their systems, suggesting a potential flexibility in their tactics or a collaboration with other groups.43 The operation is structured across four distinct platforms: a main data leak site, often referred to as a “trophy wall” for showcasing victim data; a negotiation site for ransom payments; an “Insider platform” for journalists; and an affiliate panel, which indicates an active recruitment of collaborators.1
Motivations: The primary motivation behind this strategic shift is financial gain, driven by increased risks and reduced profitability associated with traditional ransomware operations.1 This pivot allows for “faster, stealthier, and harder to trace” operations.1
Affiliations: World Leaks is operated by the same individuals behind the Hunters International ransomware group.1 It is also collaborating with the Secp0 ransomware group, with Lexfo noting that Secp0 had previously discussed “testing a software solution designed to streamline the publication of large datasets,” which is believed to refer to World Leaks.43 The strong similarities in design, layout, and functionality between World Leaks and Hunters International platforms, including logo placement, victim listing formats, and file explorers, further support their shared origins.43
Notable Incidents (as Hunters International): In less than a year, Hunters International was responsible for over 280 attacks globally.1 Notable victims include Tata Technologies, AutoCanada, the U.S. Marshals Service, Hoya Corporation, Austal USA, and Integris Health.1 One particularly alarming attack in December 2024 involved breaching the Fred Hutch Cancer Center and threatening to release sensitive data belonging to over 800,000 cancer patients if their demands were not met.1 Ransom demands typically ranged from hundreds of thousands to multi-million-dollar figures, varying based on the victim’s size, sector, and perceived vulnerability.1
The strategic rebranding and operational shift of Hunters International to World Leaks and its collaboration with Secp0 demonstrate a dynamic and adaptive cybercriminal ecosystem that continuously evolves to maximize profit and evade detection. This complex web of rebrands and collaborations makes it harder for defenders to track and attribute attacks to specific groups, necessitating a focus on TTPs and shared infrastructure rather than solely relying on group names. This also highlights the critical need for intelligence sharing among security organizations to map these evolving criminal networks effectively.
C. INDOHAXSEC
INDOHAXSEC is an Indonesian-based hacktivist collective that emerged in October 2024.42
Tactics, Techniques, and Procedures (TTPs): The group is linked to Distributed Denial-of-Service (DDoS) attacks, ransomware attacks, and website defacements.42 Their ransomware attacks have utilized the ExorLock locker, which is believed to have been developed by an earlier iteration of the group known as AnonBlackFlag.42 INDOHAXSEC employs a mix of custom and publicly available tools in their operations.42
Motivations: INDOHAXSEC explicitly frames its cyberattacks as direct retaliation against India’s missile strikes on Pakistan-administered territories.44 The group has actively encouraged other Indonesian groups to join their campaign against India.44 This demonstrates how real-world geopolitical events directly trigger cyber responses. The use of DDoS and defacement is characteristic of hacktivism, aiming for disruption and public messaging rather than covert long-term access.
Affiliations: The collective maintains a presence on GitHub, Telegram, and various social media platforms.42 They have announced partnerships with other hacktivist groups, including NoName057(16) and the Pakistani group Team Azrael – Angel of Death.42 Their partnerships show a willingness to collaborate across national lines for shared ideological goals.
Notable Incidents: INDOHAXSEC has been linked to a string of DDoS and ransomware attacks against numerous entities and governmental bodies located in Australia, India, Israel, and Malaysia.42 They have allegedly defaced websites such as The World Watch, Godavari Enterprises, and Omkar Khabar Odisha, though these links are currently inaccessible.45
INDOHAXSEC’s emergence and activities exemplify the growing role of hacktivism in geopolitical conflicts, where cyberattacks are used as a form of digital retaliation and propaganda, often leveraging readily available tools and cross-border collaborations. Organizations, especially those with ties to or operations in regions experiencing geopolitical tensions, must prepare for potential hacktivist targeting. This includes enhancing defenses against DDoS attacks, monitoring for defacement attempts, and understanding the motivations of ideologically driven groups. The blurring lines between state-sponsored and hacktivist groups, particularly if state narratives are echoed, pose a complex attribution challenge.
D. OneERA
OneERA is a threat actor known for operating on the dark web.46
Tactics, Techniques, and Procedures (TTPs): OneERA primarily focuses on data exfiltration and the subsequent sale of compromised information.46
Motivations: The actor’s motivations are primarily financial gain, with the stolen data intended for identity theft, executing scams, or facilitating phishing attacks.47
Notable Incidents: OneERA asserted responsibility for the MediaWorks cyberattack in March 2024, which compromised 2.46 million Personally Identifiable Information (PII) records of New Zealand citizens.46 This extensive dataset included full names, addresses, mobile numbers, email addresses, dates of birth, user postal codes, genders, UserIDs, voting information, and even questionnaire responses that contained children’s details, music and video content, and electoral information.46 OneERA also claimed the Urban One data breach, which occurred between February and March 2025.29 Additionally, the actor allegedly offered a database from a “7k Forex Brokerage Firm www.pointfxltd.com” on a dark web forum, although this link is inaccessible.8
OneERA’s targeting of media companies, such as MediaWorks and Urban One, for large-scale PII exfiltration underscores the vulnerability of organizations that collect extensive customer data. Such organizations become prime targets for identity theft and subsequent fraud. Media companies often accumulate significant amounts of personal data through subscriptions, contests, and various online interactions. This data holds high value on the dark web for a wide array of downstream fraudulent activities. This emphasizes that organizations handling large volumes of PII, regardless of their sector, must prioritize robust data security measures, including encryption, stringent access controls, and regular security audits. The “blackmail tactics” and ransom demands observed in some of these incidents further highlight the immediate financial and reputational risks associated with such breaches.46
E. Cypher404x
Cypher404x is a threat actor whose alleged activities include involvement in data breaches.
Notable Incidents: Cypher404x allegedly offered a database from the “Gobierno Municipal de San Andrés Cholula, México” and a “Judiciary of the Province of Catamarca” database on dark web forums.10 Both dark web links are currently inaccessible, so these claims remain unverified. The research material also returned other threat actors, such as Vicioustrap, UAT-6382, Hellhounds, and Secshow, when “Cypher404x” was queried; these are search co-occurrences, not evidence of any relationship with Cypher404x.48
The association of “Cypher404x” with claims of government database leaks in Mexico and Argentina points to the persistent targeting of public sector entities for data exfiltration, potentially for sale on dark web markets. Government databases frequently contain sensitive citizen data, legal records, or internal operational information, making them valuable targets for cybercriminals. The inaccessibility of the dark web links means these specific claims are unverified, but their existence is indicative of a clear intent to compromise such entities. This reinforces the need for robust cybersecurity measures within government agencies, particularly in Latin America, to protect sensitive data from compromise and prevent its sale or misuse.
F. AeroBlade
AeroBlade is a threat actor that was first publicly documented in late 2023.50
Tactics, Techniques, and Procedures (TTPs): AeroBlade employs spear-phishing as its primary delivery mechanism.50 The group utilizes weaponized documents that contain embedded remote template injection techniques and malicious VBA macro code to achieve initial access.50 These attacks have been ongoing since September 2022, with multiple phases identified in their attack chain.50
Motivations: AeroBlade’s operations are driven by commercial and competitive cyber espionage.50
Targets: The threat actor has been observed targeting an aerospace organization in the United States.50
AeroBlade’s focus on commercial and competitive cyber espionage against the US aerospace industry, utilizing sophisticated spear-phishing and weaponized documents, highlights the ongoing threat of intellectual property theft and strategic intelligence gathering by state-sponsored or highly organized criminal groups. The aerospace sector is critical for national security and economic competitiveness, and espionage motives suggest a high-value target beyond immediate financial gain. The TTPs employed, such as spear-phishing and weaponized documents, are common for initial access in targeted attacks. Organizations in critical sectors, especially those possessing valuable intellectual property, must implement advanced email security, robust endpoint detection and response (EDR) solutions, and comprehensive user awareness training to counter sophisticated spear-phishing campaigns. A defense-in-depth strategy is crucial to detect and mitigate multi-phase attacks effectively.
G. Tunisian Maskers Cyber Force
Tunisian Maskers Cyber Force is a group that appears to be involved in hacktivism.
Tactics, Techniques, and Procedures (TTPs): While specific TTPs for this particular group are not detailed in the provided information, hacktivism generally involves methods such as website defacement, Distributed Denial-of-Service (DDoS) attacks, and data leaks.51
Motivations: Hacktivism is typically driven by ideological passion, a desire to protest, expose injustices, or advocate for change.51
Affiliations: No affiliation has been established for this group. The research material discusses joint cyber teams in Tunisia, involving the U.S. Army Reserve, U.S. Army Cyber Command, Wyoming Air National Guard, and Tunisian Armed Forces, engaged in cyber exchange and training,52 and mentions Anonymous and its offshoots, such as LulzSec and GhostSec, as hacktivist groups that have historically targeted governments, including Tunisia during the Arab Spring.51 Both are regional context only, not links to this group.
Notable Incidents: Tunisian Maskers Cyber Force allegedly claimed to target Cyprus, although this dark web link is inaccessible.55
The existence of a “Tunisian Maskers Cyber Force,” even if unverified, alongside discussions of joint cyber defense training in Tunisia involving US forces and historical hacktivist activity in Tunisia, points to a complex and evolving cybersecurity landscape in the region. This landscape encompasses both defensive capacity building and potential hacktivist threats. The “Maskers” name could be an allusion to Anonymous’s iconic Guy Fawkes masks. This highlights the dual nature of cyber capabilities in developing regions: while essential for national security, they can also be leveraged by non-state actors for political or ideological ends. It underscores the need for comprehensive national cybersecurity strategies that address both defensive and offensive aspects, as well as the potential for internal threats.
H. Other Noted Actors/Groups
Beyond the primary profiles, several other threat actors and groups have been noted for their activities:
- peeksp / Pryx: The actor “peeksp” is linked to Pryx, who is also known as “Sp1d3r”.41 Searches for “peeksp” also return a Microsoft threat description for “TrojanDropper:Win32/Pykspa.A,” a worm that spreads via Skype.56 Additionally, “peeksp” allegedly offered an “Arab corporate email list” on a dark web forum, though this link is inaccessible.4 The Pykspa hit is most plausibly a string-similarity artifact of the search rather than a genuine link: Pykspa is a commodity worm family that long predates Pryx’s known activity, and nothing in the material ties the two beyond the similar name.
- elpatron85: This actor allegedly offered server data from Cayman National Bank 5, Maksym Igor Popov’s private files 6, the Russian Interior Ministry database 7, and Podesta Emails 9 on dark web forums. All these links are inaccessible. “elpatron85” appears to be a data broker specializing in selling access to or dumps of highly sensitive, high-profile data from various sectors, indicating a financially motivated actor with diverse sources of compromise.
- Stephanie: The name “Stephanie” appears in conflicting contexts: an alleged actor offering RCE in Hospital Italiano 13, an actress 57, and a generic user in a cybersecurity scenario.60 This highlights the challenge of disambiguation in threat intelligence when common names are used, requiring careful contextual analysis to avoid misidentification. The mention of AI in social engineering 61 is a broader trend, not necessarily linked to a specific “Stephanie” actor.
- Belsen Group: This group leaked details of over 15,000 Fortinet firewall users on the dark web in January 2025, an incident linked to the exploitation of CVE-2022-40684.26
- Cactus Ransomware Gang: This group claimed the Urban One attack in March 2025. Emerging in 2023, they are known for distributing malware through online advertisements.29
- Vicioustrap: This Chinese-speaking threat actor compromised approximately 5,300 network edge devices across 84 countries, primarily in Macau. They exploited CVE-2023-20118 in various Cisco routers to conduct adversary-in-the-middle attacks.48
- UAT-6382: Another Chinese-speaking threat actor, UAT-6382, exploited CVE-2025-0944 in Trimble Cityworks, targeting enterprise networks of local governing bodies in the United States. They deployed various web shells, Cobalt Strike, and a Rust-based loader called Tetraloader.48
- Silver Fox: This actor is attributed to a malware campaign that uses fake software installers disguised as popular applications like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign specifically targets Chinese-speaking environments.48
- Hellhounds: This group has compromised 48 victims in Russia, including IT companies, government entities, space industry firms, and telecom providers, since at least 2021. They utilize the Decoy Dog trojan, a custom variant of the open-source Pupy RAT, which employs DNS tunneling for command-and-control communications.49
- Secshow: Identified as directly triggering amplification of DNS queries for Decoy Dog domains; the Palo Alto Cortex Xpanse product was observed amplifying the same queries.49
- Iranian APT actor: This advanced persistent threat (APT) actor targeted U.S. state websites, including election websites, in mid-October 2020. Their activities included using the Acunetix vulnerability scanner, attempting SQL injection, uploading web shells, and successfully obtaining voter registration data.62
- OPERA1ER (Aliases: DESKTOP-GROUP, Common Raven, NXSMS): This financially motivated, French-speaking APT was active between 2018 and 2022, carrying out over 30 successful attacks on banks, financial services, and telecommunications companies primarily located in Africa, stealing at least $11 million. They primarily relied on known “off-the-shelf” tools like Cobalt Strike.63
- RedCurl: A corporate espionage threat actor active since late 2018, RedCurl has been observed delivering a custom ransomware family called QWCrypt via a sophisticated multi-stage infection chain.42
- FamousSparrow: This Chinese hacking crew targeted a trade group in the United States and a research institute in Mexico, deploying ShadowPad and two new variants of a backdoor known as SparrowDoor.42
- Konni: A North Korea-linked threat actor, Konni has been observed using Windows shortcut (LNK) files masquerading as PDF files to trigger a multi-stage infection sequence. They leverage legitimate cloud services like Dropbox and Google Drive to host intermediate payloads and utilize their eponymous Konni RAT for data exfiltration, command execution, and persistence.42
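The Konni lure works because Windows never displays the .lnk extension, so a file named Invoice.pdf.lnk renders as Invoice.pdf with whatever icon the shortcut requests. The following added example, which is not Konni’s tooling nor a sample from that campaign, does a header-level triage of shortcut files: it confirms the ShellLink magic, then flags three traits that legitimate document shortcuts rarely combine (a document extension hidden in front of .lnk, command-line arguments, and a minimized launch window). The sample shortcuts are built in code with struct.pack and are constructed.

```python
"""Header-level triage of Windows shortcut (.lnk) files that pose as documents.
Added illustration; the sample shortcuts are constructed with struct.pack and
are not files from the Konni campaign."""
import struct

# ShellLinkHeader constants from the MS-SHLLINK format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_RELATIVE_PATH = 0x08
HAS_ARGUMENTS = 0x20          # LinkFlags bit: a command line follows the target
SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7        # launch minimized, a common trait of malicious shortcuts
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def triage_lnk(name: str, data: bytes) -> list:
    """Return indicator names for a shortcut file; ['not-lnk'] if it is not one."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        return ["not-lnk"]
    (link_flags,) = struct.unpack_from("<I", data, 20)
    (show_cmd,) = struct.unpack_from("<I", data, 60)
    indicators = []
    lower = name.lower()
    # Explorer hides ".lnk", so "report.pdf.lnk" is shown to the user as "report.pdf".
    if lower.endswith(".lnk") and lower[:-4].endswith(DOCUMENT_EXTS):
        indicators.append("document-double-extension")
    if link_flags & HAS_ARGUMENTS:
        indicators.append("has-arguments")
    if show_cmd == SW_SHOWMINNOACTIVE:
        indicators.append("window-minimized")
    return indicators


def make_lnk(link_flags: int, show_cmd: int) -> bytes:
    """Build a minimal 76-byte ShellLinkHeader (constructed test input only).

    Layout: HeaderSize, LinkCLSID, LinkFlags, FileAttributes, three FILETIMEs,
    FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3. Real files carry the
    LinkTargetIDList, LinkInfo and StringData structures after this header."""
    return (
        struct.pack("<I", LNK_HEADER_SIZE)
        + LNK_CLSID
        + struct.pack("<II", link_flags, 0)
        + b"\x00" * 24
        + struct.pack("<IIIHHII", 0, 0, show_cmd, 0, 0, 0, 0)
    )


if __name__ == "__main__":
    lure = make_lnk(HAS_LINK_TARGET_IDLIST | HAS_ARGUMENTS, SW_SHOWMINNOACTIVE)
    benign = make_lnk(HAS_LINK_TARGET_IDLIST | HAS_RELATIVE_PATH, SW_SHOWNORMAL)
    print("Invoice.pdf.lnk ->", triage_lnk("Invoice.pdf.lnk", lure))
    print("Notes.lnk       ->", triage_lnk("Notes.lnk", benign))
    print("readme.pdf      ->", triage_lnk("readme.pdf", b"%PDF-1.7 constructed"))
```

This is a triage pass, not a full parser: recovering the actual command line (typically a PowerShell or mshta invocation that fetches the next stage from the cloud host) requires walking the LinkTargetIDList and LinkInfo structures to reach the StringData section. Mail and web gateways that block .lnk attachments outright remove the need for the heuristic.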
IV. Emerging Trends and Analysis
The analysis of recent incidents and threat actor profiles reveals several critical trends shaping the current cybersecurity landscape.
A. Evolution of Cyber Extortion Models
A significant adaptation in cybercriminal business models is evident in the strategic shift from traditional ransomware, which relies on encryption, to pure data extortion. This evolution, prominently demonstrated by the rebranding of Hunters International to World Leaks 1, reflects a calculated response to evolving defensive measures. Organizations have increasingly adopted robust backup strategies, making data encryption less impactful as a primary leverage point for ransom. Consequently, threat actors are optimizing for efficiency and reduced risk, focusing on the leverage of sensitive data exposure rather than system disruption. This approach is described as “faster, stealthier, and harder to trace”.1 The implication for organizations is clear: reliance solely on backups for recovery is insufficient against pure data extortion. The defensive focus must shift to protecting the data itself, not just its availability, by prioritizing data exfiltration detection and prevention.
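If backups no longer neutralise the threat, detecting the theft itself becomes the control that matters, for both World Leaks’ automated exfiltration tool described earlier and the broader shift above. The following added example, which is not any vendor’s or group’s code, shows the simplest useful form of that detection: each host’s outbound volume is compared with its own recent baseline, combined with how much of today’s traffic went to destinations the host has never contacted. The flow records, hosts, addresses (TEST-NET ranges) and thresholds are constructed assumptions.

```python
"""Per-host outbound-volume baseline with a destination-novelty check, the
kind of control the move to extortion-only operations makes essential.
Added illustration; flow records, thresholds and hosts are constructed."""
from collections import defaultdict
from statistics import median

MiB = 1024 * 1024
RATIO_THRESHOLD = 5.0      # today's volume must be >= 5x the host's median day...
ABS_FLOOR = 500 * MiB      # ...and above an absolute floor, so small hosts don't page on noise

# Constructed daily flow summaries: (day, host, external destination, bytes out).
# FS-01 is a file server that suddenly ships 8 GiB to a new address; BK-02 is a
# backup host whose large volume is normal; WS-03 grows 6x but stays tiny.
SAMPLE_FLOWS = (
    [(d, "FS-01", "198.51.100.20", 200 * MiB) for d in range(1, 8)]
    + [(8, "FS-01", "198.51.100.20", 200 * MiB), (8, "FS-01", "203.0.113.9", 8192 * MiB)]
    + [(d, "BK-02", "198.51.100.30", 1024 * MiB) for d in range(1, 8)]
    + [(8, "BK-02", "198.51.100.30", 1229 * MiB)]
    + [(d, "WS-03", "198.51.100.20", 20 * MiB) for d in range(1, 8)]
    + [(8, "WS-03", "203.0.113.9", 120 * MiB)]
)


def find_exfil(flows: list, eval_day: int) -> list:
    """Return alerts for hosts whose eval_day volume breaks their own baseline."""
    base_daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    base_dsts = defaultdict(set)                         # host -> destinations seen before
    today = defaultdict(int)                             # host -> bytes on eval_day
    today_new = defaultdict(int)                         # host -> bytes to never-seen destinations
    for day, host, dst, nbytes in flows:
        if day < eval_day:
            base_daily[host][day] += nbytes
            base_dsts[host].add(dst)
    for day, host, dst, nbytes in flows:
        if day == eval_day:
            today[host] += nbytes
            if dst not in base_dsts[host]:
                today_new[host] += nbytes
    alerts = []
    for host, total in today.items():
        base = list(base_daily[host].values())
        base_median = median(base) if base else 0
        # A host with no baseline is treated as infinitely anomalous; the floor
        # still applies, so a brand-new low-volume host does not alert.
        ratio = total / base_median if base_median else float("inf")
        if total >= ABS_FLOOR and ratio >= RATIO_THRESHOLD:
            alerts.append({
                "host": host,
                "bytes_out": total,
                "ratio_to_median": round(ratio, 1),
                "new_destination_share": round(today_new[host] / total, 2),
            })
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


if __name__ == "__main__":
    for alert in find_exfil(SAMPLE_FLOWS, eval_day=8):
        print(alert)
```

The median is used rather than the mean so that one earlier spike does not inflate the baseline and hide a second one. The new-destination share is what separates a legitimate burst to a known backup target from data heading somewhere the host has never talked to; in practice it is the field an analyst reads first.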
This strategic pivot is further underscored by the rise of Extortion-as-a-Service (EaaS) models. World Leaks, for instance, provides its affiliates with a “custom-built exfiltration tool” and maintains an “affiliate panel”.1 This modular approach signifies the industrialization of cybercrime, lowering the barrier to entry for less sophisticated actors and consequently increasing the volume of attacks. Because the same tooling is reused across affiliates, its behaviour on a network (the staging, compression, and bulk transfer of data) is a more durable detection target than any one group’s name or leak site; defenders should build detections on these shared TTPs and indicators of compromise (IOCs) rather than on group-specific signatures.
B. Geopolitical Influence on Cyber Activity
Geopolitical tensions are increasingly manifesting in cyberattacks, particularly through the actions of hacktivist groups. The emergence and activities of INDOHAXSEC, an Indonesian hacktivist collective, exemplify this trend.42 Their cyberattacks are explicitly framed as direct retaliation against India’s missile strikes on Pakistan-administered territories, with the group actively encouraging other Indonesian entities to join their campaign.44 This directly demonstrates how real-world geopolitical events can trigger immediate and significant cyber responses.
The collaboration between hacktivist groups across national lines, such as INDOHAXSEC’s partnerships with NoName057(16) and the Pakistani group Team Azrael – Angel of Death 42, illustrates the formation of cyber alliances driven by shared ideological or political objectives. This amplifies their collective impact, as these groups pool resources and expertise to conduct coordinated campaigns. The use of DDoS and defacement, characteristic of hacktivism, aims for disruption and public messaging rather than covert long-term access.64 This makes it harder for targeted entities to predict and defend against attacks, as the threat surface expands beyond a single actor. Organizations with international operations or ties to conflict zones face elevated risks of politically motivated cyberattacks, including DDoS, defacement, and data leaks aimed at propaganda or disruption. This necessitates a broader understanding of geopolitical dynamics and their potential cyber ramifications, along with proactive intelligence sharing among affected nations and industries. The blurring lines between state-sponsored and hacktivist groups, especially when state narratives are echoed, further complicate attribution challenges.
C. Persistent Vulnerabilities and Supply Chain Risks
The continued exploitation of known vulnerabilities and the reliance on social engineering or insider access remain primary initial access vectors for threat actors. The active exploitation of critical RCE vulnerabilities, such as those in Fortinet products (CVE-2022-40684 by Belsen Group) 25 and Gladinet CentreStack & Triofox (CVE-2025-30406) 27, underscores a persistent challenge. These flaws, especially those with high severity scores and “no prerequisites” beyond knowing default keys, represent immediate and widespread dangers.27 This emphasizes that fundamental cybersecurity hygiene, including rigorous patch management, robust identity and access management, and comprehensive security awareness training, remains paramount.
The repeated compromise of sensitive data through third-party vendors, as seen with Alera Group and Jani-King International, Inc. 30, and the alleged leveraging of a domestic government entity’s access (DOGE for NLRB) by a Russian IP address 19, highlights the pervasive and often underestimated risk posed by supply chain vulnerabilities and insider threats. Organizations are only as secure as their weakest link, which frequently resides within their extended supply chain or trusted internal access points. Attackers actively seek out these less-defended perimeters. Companies must implement rigorous third-party risk management programs, including security assessments of vendors and contractual obligations for cybersecurity. Internal threat detection and prevention, including robust logging, monitoring, and behavioral analytics, are crucial to identify and mitigate risks from compromised credentials or malicious insiders.
D. AI’s Dual Role in Cybersecurity
Generative Artificial Intelligence (AI) is increasingly being leveraged by threat actors to enhance social engineering attacks, making phishing emails more convincing and scalable.61 AI can generate “technically perfect prose in virtually all major world languages” and can be combined with “deepfake technology” to create highly credible impersonation campaigns.61 This marks a significant escalation in the sophistication and effectiveness of phishing and impersonation campaigns.
The ability of AI to generate technically perfect prose directly addresses a historical weakness of many cybercriminals, such as language barriers and poor grammar, making their attacks much harder to discern from legitimate communications. Deepfakes add a new dimension of realism to impersonation attempts. The implication is that traditional indicators of phishing, such as bad grammar, are becoming less reliable, necessitating advanced email security solutions and continuous, sophisticated security awareness training that focuses on content and context rather than just superficial cues. Organizations can no longer rely on employees to spot basic grammatical errors in phishing attempts. Security awareness training must evolve to teach users to recognize more subtle cues, verify requests through out-of-band channels, and maintain a high degree of skepticism regarding urgent or unusual communications, especially those involving financial transactions or sensitive data. Technical controls like DMARC, SPF, and DKIM become even more critical in this evolving threat landscape.
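The mail-authentication controls named above only raise the cost of impersonation when the published records actually enforce. As an added example, not code from this report or from any cited source, the following Python checks SPF and DMARC TXT records for the settings that leave a domain spoofable (a permissive or missing `all` term, too many lookup mechanisms, a monitor-only `p=none`, partial `pct`, unenforced subdomains, no aggregate reporting). The sample records, the example.com/example.net names and the `Finding` type are constructed for illustration; a deployment would fetch the records via DNS instead of using string literals.

```python
"""Check SPF and DMARC records for settings that leave a domain spoofable.

Added example for this report; not code from any cited source. The sample
records below are constructed and describe no real domain.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    control: str   # "SPF" or "DMARC"
    severity: str  # "ok", "weak" or "missing"
    detail: str


# SPF terms that trigger a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for a hypothetical domain (not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:198.51.100.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> List[Finding]:
    if not record:
        return [Finding("DMARC", "missing", "no DMARC record published")]
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "weak", "record does not begin with v=DMARC1")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))      # default per the DMARC spec is 100
    if policy == "none":
        findings.append(Finding("DMARC", "weak", "p=none only monitors; spoofed mail is still delivered"))
    elif policy in ("quarantine", "reject"):
        if pct < 100:
            findings.append(Finding("DMARC", "weak", f"pct={pct} applies the policy to only part of the mail"))
    else:
        findings.append(Finding("DMARC", "weak", f"missing or unknown policy tag p={policy!r}"))
    if tags.get("sp", "").lower() == "none":
        findings.append(Finding("DMARC", "weak", "sp=none leaves subdomains unenforced"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "weak", "no rua= address, so aggregate reports are never received"))
    return findings or [Finding("DMARC", "ok", f"p={policy} enforced on 100% of mail")]


def assess_spf(record: Optional[str]) -> List[Finding]:
    if not record:
        return [Finding("SPF", "missing", "no SPF record published")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "weak", "record does not begin with v=spf1")]
    findings: List[Finding] = []
    lookups = 0
    for term in terms[1:]:
        m = re.match(r"[+\-~?]?([a-z]+)", term.lower())   # mechanism name after optional qualifier
        if m and m.group(1) in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(Finding("SPF", "weak",
                                f"{lookups} lookup terms exceed the RFC 7208 limit of 10; receivers return permerror"))
    # The last "all" term decides what happens to senders not listed anywhere else.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "weak", "no 'all' term; unlisted senders get a neutral result"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "weak", "+all authorises every host on the internet to send as this domain"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "weak", "?all is neutral; unlisted senders are not rejected"))
    return findings or [Finding("SPF", "ok", f"unlisted senders receive {all_terms[-1]}")]


if __name__ == "__main__":
    for label, rec in (("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)):
        print(label, assess_spf(rec))
    for label, rec in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(label, assess_dmarc(rec))
```

`~all` (softfail) is reported as acceptable here because, once DMARC enforces, a softfail still lets the DMARC alignment check reject the message; organizations that want SPF alone to be decisive should treat anything other than `-all` as a finding.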
V. Recommendations and Mitigation Strategies
Based on the analysis of recent incidents and emerging trends, the following recommendations are crucial for enhancing organizational cybersecurity posture:
- Prioritize Vulnerability Management: Implement a rigorous and continuous patch management program, especially for critical Remote Code Execution (RCE) vulnerabilities in internet-facing systems, such as those found in Fortinet products and Gladinet CentreStack/Triofox. Regular vulnerability scanning and penetration testing are essential to identify and remediate weaknesses proactively.25
- Enhance Data Exfiltration Detection: Shift the defensive focus from solely preventing encryption to actively detecting and preventing unauthorized data exfiltration. Deploy Data Loss Prevention (DLP) solutions, meticulously monitor network egress points, and conduct behavioral analytics on user and system activity to identify anomalous data movement.1
- Strengthen Identity and Access Management (IAM): Enforce Multi-Factor Authentication (MFA) for all critical systems and accounts. Regularly review and reset potentially exposed credentials. Implement least privilege principles to minimize the impact of compromised accounts.25
- Combat Advanced Social Engineering: Update security awareness training programs to educate employees about AI-enhanced phishing, deepfakes, and sophisticated impersonation tactics. Foster a culture of skepticism and verification for unusual or urgent requests, particularly those involving sensitive information or financial transactions.29
- Improve Supply Chain Security: Conduct thorough security assessments of all third-party vendors and service providers. Implement contractual clauses for robust data protection and timely incident notification. Continuously monitor vendor security postures to manage extended enterprise risks.30
- Invest in Threat Intelligence: Leverage both commercial and open-source threat intelligence feeds to stay informed about emerging threats, TTPs, and known compromises. Prioritize intelligence that offers actionable insights and context relevant to the organization’s specific risk profile.36
- Develop Robust Incident Response Plans: Ensure comprehensive incident response plans are in place, regularly tested through simulations, and understood by all relevant personnel. These plans should detail procedures for forensic investigation, containment, eradication, and recovery to minimize business disruption.25
- Geopolitical Awareness: For organizations with international operations or dependencies, continuously monitor geopolitical developments and assess potential cyber risks stemming from state-sponsored or hacktivist activities. This proactive stance helps anticipate and mitigate ideologically or politically motivated attacks.
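The exfiltration-detection and behavioral-analytics recommendations above, and the insider-threat monitoring point in the supply-chain discussion, come down to comparing each host’s outbound traffic with its own history rather than with a fixed threshold. As an added example, not taken from this report or from any vendor product, the Python below builds a per-host daily baseline from constructed egress flow summaries and flags two conditions: a day whose outbound volume exceeds a multiple of the host’s median day, and a large transfer to a destination the host has never contacted before. The log format, addresses, volumes and thresholds are all constructed assumptions.

```python
"""Flag anomalous outbound data volume in egress flow logs.

Added example for this report, not code from any cited source or vendor
product. The log format, addresses, volumes and thresholds are constructed.
"""
import re
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List

# Constructed daily egress summaries: one line per (day, source host, destination).
# A real deployment would derive these from firewall, NetFlow or proxy exports.
SAMPLE_FLOWS = """\
2025-05-20 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=52000000
2025-05-21 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=48000000
2025-05-22 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=55000000
2025-05-23 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=47000000
2025-05-24 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=51000000
2025-05-25 src=10.0.1.15 dst=198.51.100.10 dport=443 bytes_out=50000000
2025-05-25 src=10.0.1.15 dst=203.0.113.77 dport=443 bytes_out=2100000000
2025-05-20 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=20000000
2025-05-21 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=21000000
2025-05-22 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=19000000
2025-05-23 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=23000000
2025-05-24 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=20000000
2025-05-25 src=10.0.1.22 dst=198.51.100.10 dport=443 bytes_out=22000000
"""

FLOW_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")


def parse_flow(line: str) -> dict:
    """Parse one summary line; raises ValueError on malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised flow line: {line!r}")
    day, src, dst, dport, nbytes = m.groups()
    return {"day": day, "src": src, "dst": dst, "dport": int(dport), "bytes_out": int(nbytes)}


def daily_totals(records: Iterable[dict]) -> Dict[str, Dict[str, int]]:
    """Return {src: {day: total bytes_out}}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["src"]][r["day"]] += r["bytes_out"]
    return totals


def detect_exfiltration(lines: Iterable[str], factor: float = 5.0,
                        min_bytes: int = 500_000_000) -> List[dict]:
    """Compare the most recent day against each host's own history.

    An alert is raised when a host's daily outbound volume exceeds `factor`
    times its median historical day (and at least `min_bytes`, so quiet hosts
    do not alert on small noise), or when at least `min_bytes` go to a
    destination the host has not contacted before.
    """
    records = [parse_flow(l) for l in lines if l.strip()]
    if not records:
        return []
    latest = max(r["day"] for r in records)          # ISO dates compare lexically
    history = [r for r in records if r["day"] < latest]
    current = [r for r in records if r["day"] == latest]

    baseline = daily_totals(history)
    known_dsts: Dict[str, set] = defaultdict(set)
    for r in history:
        known_dsts[r["src"]].add(r["dst"])

    alerts: List[dict] = []
    for src, days in daily_totals(current).items():
        volume = days[latest]
        past = list(baseline[src].values())
        typical = median(past) if past else 0         # unseen host: only min_bytes applies
        if volume > max(factor * typical, min_bytes):
            alerts.append({"kind": "volume", "src": src, "day": latest,
                           "bytes_out": volume, "baseline": typical})
    for r in current:
        if r["dst"] not in known_dsts[r["src"]] and r["bytes_out"] >= min_bytes:
            alerts.append({"kind": "new_destination", "src": r["src"], "day": latest,
                           "dst": r["dst"], "bytes_out": r["bytes_out"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

On the constructed data the host 10.0.1.15 produces both alert kinds on 2025-05-25 while 10.0.1.22 stays quiet; the median baseline rather than the mean keeps one earlier outlier day from masking a later one, and the `min_bytes` floor avoids paging on low-volume hosts whose baseline is near zero.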
VI. Associated Links
This section provides a comprehensive list of all URLs referenced in this report, categorized for clarity.
A. Publicly Accessible Sources
- Fortinet warns of threat actor exploiting vulnerabilities in FortiOS – SDx: https://www.sdxcentral.com/news/fortinet-warns-of-threat-actor-exploiting-vulnerabilities-in-fortios/ 25
- THREAT INTELLIGENCE – Cybersecuritycompany.africa: https://cybersecuritycompany.africa/services/threat-intelligence/ 36
- Threat Actor Spotlight: Pryx – Morado.io: https://www.morado.io/blog-posts/threat-actor-spotlight-pryx 41
- TrojanDropper:Win32/Pykspa.A threat description – Microsoft Security Intelligence: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper%3AWin32%2FPykspa.A 56
- Biznet – 1500-988: https://www.biznetnetworks.com/ 65
- SumutProv-CSIRT: https://csirt.sumutprov.go.id/ 66
- Weekly Recap: Chrome 0-day – The Hacker News: https://thehackernews.com/2025/03/weekly-recap-chrome-0-day_31.html 42
- India-Pakistan Kashmir Escalation on Cyber World – Socradar.io: https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/ 44
- Financially motivated, dangerously activated: OPERA1ER APT in Africa – Group-IB: https://www.group-ib.com/blog/opera1er-apt/ 63
- Iranian APT Actor Targeting U.S. State Election Websites – CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-304a 62
- Breaking Cyber News From Cyberint: https://cyberint.com/news-feed/ 48
- Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan – The Hacker News: https://thehackernews.com/2024/06/russian-power-companies-it-firms-and.html 49
- Cyber lethality, multidomain training enhances readiness at Exercise African Lion 2025 – Army.mil: https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025 52
- Anonymous, ISIS, and the Future of Cyber Warfare – CGS RS: https://cgsrs.org/publications/35 53
- Cyber SENTRI – Cybersentri.aerospace.org: https://cybersentri.aerospace.org/ 67
- AeroBlade (Threat Actor) – Malpedia: https://malpedia.caad.fkie.fraunhofer.de/actor/aeroblade 50
- Stephanie Stearns – IMDb: https://www.imdb.com/name/nm0828007/ 57
- Generative AI and Social Engineering – IBM: https://www.ibm.com/think/insights/generative-ai-social-engineering 61
- World Leaks: An Extortion Platform – Lexfo.fr: https://blog.lexfo.fr/world-leaks-an-extortion-platform.html 43
- Hunters International Shuts Down Ransomware Operation, Rebrands as Data Extortion Group ‘World Leaks’ – Trolleyesecurity.com: https://www.trolleyesecurity.com/articles-news-hunters-international-rebrands-as-world-leaks/ 1
- Information Security Update: No Data Breach Detected – Cayman National: https://www.caymannational.com/about/news/28-notices/204-information-security-update-no-data-breach-detected 17
- Data Hack at Cayman National in the Isle of Man – Cayman National: https://www.caymannational.com/about/news/29-press-release/40-data-hack-at-cayman-national-in-the-isle-of-man 16
- User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says – Nextgov/FCW: https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/ 19
- Ministry of Internal Affairs (Russia) – Wikipedia: https://en.wikipedia.org/wiki/Ministry_of_Internal_Affairs_(Russia) 18
- Massive breach at location data seller: “Millions” of users affected – Malwarebytes: https://www.malwarebytes.com/blog/news/2025/01/massive-breach-at-location-data-seller-millions-of-users-affected 28
- Crypto Scam Tracker – DFPI.ca.gov: https://dfpi.ca.gov/consumers/crypto/crypto-scam-tracker/ 68
- Hackers Leaked Sensitive Government Data in Argentina—and Nobody Cares – Lawfare: https://www.lawfaremedia.org/article/hackers-leaked-sensitive-government-data-argentina%E2%80%94and-nobody-cares 20
- Argentinian Police Data Leaked by Cybercriminals – Cyble: https://cyble.com/blog/hundreds-of-gigabytes-of-hacked-argentinian-police-data-being-leaked-by-a-group-of-cybercriminals/ 21
- Personal information of hundreds of Mexican journalists exposed in government data leak – Committee to Protect Journalists: https://cpj.org/2024/02/personal-information-of-hundreds-of-mexican-journalists-exposed-in-government-data-leak/ 22
- San Andrés Cholula: Economy, employment, equity, quality of life, education, health and public safety – Data México: https://www.economia.gob.mx/datamexico/en/profile/geo/san-andres-cholula 69
- Over what area did the oil and gas spread during the 2010 Deepwater Horizon – TOS.org: https://tos.org/oceanography/article/over-what-area-did-the-oil-and-gas-spread-during-the-2010-deepwater-horizon 34
- Here we investigate the benefit of multiple ozone observations from GEMS geostationary satellite – ACP.Copernicus.org: https://acp.copernicus.org/articles/23/3731/2023/ 35
- Clinical prediction rule based on NEWS-2 called the COVID-19 Severity Index – SciELO.org.co: http://www.scielo.org.co/pdf/amc/v47n3/0120-2448-amc-47-03-1d.pdf 39
- Early warning scores (EWS) are a group of clinical prediction rules based on physiological parameters – Redalyc.org: https://www.redalyc.org/journal/1631/163175158004/movil/ 40
- Sylvania Group Privacy Policy: https://www.sylvania-group.com/professional/legal-pages/privacy-policy/ 32
- OSRAM SYLVANIA Privacy Policy: https://www.osram.us/cb/privacy-policy/index.jsp 33
- House Bill Aims to Increase Oversight of Federal Retirement Thrift Investment Board – PlanAdviser.com: https://www.planadviser.com/house-bill-aims-increase-oversight-federal-retirement-thrift-investment-board/ 30
- 2025-676-jani-king-international-inc – Mass.gov: https://www.mass.gov/doc/2025-676-jani-king-international-inc/download 31
- The Digital Fort Knox: 8 Security Essentials Every Small Business Needs – IT Architeks: https://www.itarchiteks.com/the-digital-fort-knox-8-security-essentials-every-small-business-needs 37
- Cybersecurity :: U.S. Army Fort Knox: https://home.army.mil/knox/units-tenants/network-enterprise-center-nec/cybersecurity 38
- Hacking group leaks Fortinet users’ details on dark web – Computing UK: https://www.computing.co.uk/news/2025/security/hacking-group-leaks-fortinet-users-details-dark-web 26
- Authorities reveal targets of Iranian hacking group behind Trump campaign cybersecurity breach – YouTube: https://www.youtube.com/watch?v=WLMh0BAbeUI 70
- India Experiences Surge in Hacktivist Group Activity Amid Military Tensions – Cyble: https://cyble.com/blog/india-experience-hacktivist-group-activity/ 64
- Sandworm (hacker group) – Wikipedia: https://en.wikipedia.org/wiki/Sandworm_(hacker_group) 71
- NASKAH AKADEMIK RANCANGAN UNDANG-UNDANG TENTANG KEAMANAN DAN KETAHANAN SIBER – DPR RI: https://berkas.dpr.go.id/akd/dokumen/RJ1-20190617-025848-5506.pdf 72
- 2025 Indonesian protests – Wikipedia: https://en.wikipedia.org/wiki/2025_Indonesian_protests 73
- Dark Web Websites: What They Are And How To Access Them Safely – Onerep: https://onerep.com/blog/dark-web-websites 74
- MediaWorks Cyberattack Confirmed: NZ Citizens’ Data Exposed – The Cyber Express: https://thecyberexpress.com/mediaworks-cyberattack-confirmed/ 46
- Media firm Urban One confirms data breach after cybercriminals claim February attack – The Record from Recorded Future News: https://therecord.media/urban-one-data-breach-african-amercian-media 29
- MediaWorks New Zealand Data Breach Exposes 2.4 Million – Gridware Cybersecurity: https://www.gridware.com.au/blog/mediaworks-new-zealand-data-breach-exposes-2-4-million/ 47
- What is Hacktivism? – Xcitium: https://www.xcitium.com/knowledge-base/hacktivism/ 51
- Anonymous (hacker group) – Wikipedia: https://en.wikipedia.org/wiki/Anonymous_(hacker_group) 54
- Stephanie Nogueras – Wikipedia: https://en.wikipedia.org/wiki/Stephanie_Nogueras 58
- Unfriended: Dark Web – Wikipedia: https://en.wikipedia.org/wiki/Unfriended:_Dark_Web 59
- CVE-2025-30406 – Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild – Huntress: https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild 27
- CYSA Test Review 1 Flashcards – Quizlet: https://quizlet.com/au/595345364/cysa-test-review-1-flash-cards/ 60
- Data Breach Report: January 2025 Edition – PKWARE®: https://www.pkware.com/blog/data-breach-report-january-2025-edition 23
- January 2025 Data Breaches – Pomerium: https://www.pomerium.com/blog/january-2025-data-breaches-list 24
B. Inaccessible Dark Web / Telegram Sources (for reference, noted as inaccessible)
- Details of the alleged sale of admin access to PrestaShop e-commerce website by Fordnox: https://forum.exploit.in/topic/259833/ 2
- Details of the alleged sale of documents by Ahpexshop: https://darkforums.st/Thread-Document-Sale-of-documents-of-European-American-Asian-countries 3
- Details of the alleged data leak of Arab corporate email list by peeksp: https://darkforums.st/Thread-Selling-Arab-corporate-email-list-275K-fullnames-emails-phone-numbers-mixed-2025 4
- Details of the alleged sale of Cayman National Bank and Trust (Isle of Man) server data by elpatron85: https://darkforums.st/Thread-Selling-Sherwood-Copies-of-the-servers-of-the-Cayman-National-Bank-and-Trust-Isle-of-Man 5
- Details of the alleged data leak of Maksym Igor Popov’s private files by elpatron85: https://darkforums.st/Thread-Selling-Popov-files-Super-private-data 6
- Details of the alleged database leak of Ministry of Internal Affairs Russia by elpatron85: https://darkforums.st/Thread-Selling-RUSSIAN-INTERIOR-MINISTRY-DATABASE 7
- Details of the defacement of Brandon McKenzie’s website by SUMATRA UTARA CYBER TEAM: https://t.me/SumatraUtaraCyberTeam/210?single 75
- Details of the defacement of Next Class website by SUMATRA UTARA CYBER TEAM: https://t.me/SumatraUtaraCyberTeam/209 76
- Details of the defacement of The World Watch website by INDOHAXSEC: https://t.me/IndoHaxSec2/6 45
- Details of the alleged database leak of Point Trader Group by OneERA: https://darkforums.st/Thread-7k-Forex-Brokerage-Firm-www.pointfxltd-com–11197 8
- Details of the defacement of Godavari Enterprises website by INDOHAXSEC: https://t.me/IndoHaxSec2/6 45
- Details of the defacement of Omkar Khabar Odisha website by INDOHAXSEC: https://t.me/IndoHaxSec2/6 45
- Details of the alleged sale of Podesta Emails by elpatron85: https://darkforums.st/Thread-Selling-PODESTA-EMAILS-SUPER-PRIVATE-DATA 9
- Details of the alleged database leak of Judiciary of the Province of Catamarca by Cypher404x: https://darkforums.st/Thread-Selling-ARGENTINA-DATABASE-juscatamarca-gob-ar-2K-ROWS 10
- Details of Tunisian Maskers Cyber Force claims to target Cyprus: https://t.me/CyberforceTn/127 55
- Details of the alleged database leak of Municipal Government of San Andrés Cholula by aero: https://darkforums.st/Thread-DB-from-Gobierno-Municipal-de-San-Andr%C3%A9s-Cholula-M%C3%A9xico 11
- Details of the alleged database leak of OSSE by aero: https://darkforums.st/Thread-OSSE-San-Juan-Full-SQL-DATABASE-Dump 12
- Details of the alleged sale of RCE Access to Italian Hospital of Buenos Aires by Stephanie: https://darkforums.st/Thread-Selling-RCE-in-hospitalitaliano-org-ar-Healthcare-Sector-Argentina 13
- Details of the alleged data breach of Sylvania Home by Worldleaks: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/2925674713 14
- Details of the alleged data breach of A M King by Worldleaks: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/9004380481 15
Works cited
1. Hunters International Shuts Down Ransomware Operation …, accessed May 27, 2025, https://www.trolleyesecurity.com/articles-news-hunters-international-rebrands-as-world-leaks/
2. inaccessible at time of writing (see VI.B), https://forum.exploit.in/topic/259833/
3. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Document-Sale-of-documents-of-European-American-Asian-countries
4. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-Arab-corporate-email-list-275K-fullnames-emails-phone-numbers-mixed-2025
5. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-Sherwood-Copies-of-the-servers-of-the-Cayman-National-Bank-and-Trust-Isle-of-Man
6. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-Popov-files-Super-private-data
7. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-RUSSIAN-INTERIOR-MINISTRY-DATABASE
8. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-7k-Forex-Brokerage-Firm-www-pointfxltd-com–11197
9. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-PODESTA-EMAILS-SUPER-PRIVATE-DATA
10. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-ARGENTINA-DATABASE-juscatamarca-gob-ar-2K-ROWS
11. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-DB-from-Gobierno-Municipal-de-San-Andr%C3%A9s-Cholula-M%C3%A9xico
12. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-OSSE-San-Juan-Full-SQL-DATABASE-Dump
13. inaccessible at time of writing (see VI.B), https://darkforums.st/Thread-Selling-RCE-in-hospitalitaliano-org-ar-Healthcare-Sector-Argentina
14. inaccessible at time of writing (see VI.B), https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/2925674713
15. inaccessible at time of writing (see VI.B), https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/9004380481
16. Data Hack at Cayman National in the Isle of Man – Cayman National, accessed May 27, 2025, https://www.caymannational.com/about/news/29-press-release/40-data-hack-at-cayman-national-in-the-isle-of-man
17. Information Security Update: No Data Breach Detected – Cayman …, accessed May 27, 2025, https://www.caymannational.com/about/news/28-notices/204-information-security-update-no-data-breach-detected
18. Ministry of Internal Affairs (Russia) – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/Ministry_of_Internal_Affairs_(Russia)
19. User with Russian IP address tried to log into NLRB systems …, accessed May 27, 2025, https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/
20. Hackers Leaked Sensitive Government Data in Argentina—and …, accessed May 27, 2025, https://www.lawfaremedia.org/article/hackers-leaked-sensitive-government-data-argentina%E2%80%94and-nobody-cares
21. Argentinian Police Data Leaked by Cybercriminals – Cyble, accessed May 27, 2025, https://cyble.com/blog/hundreds-of-gigabytes-of-hacked-argentinian-police-data-being-leaked-by-a-group-of-cybercriminals/
22. Personal information of hundreds of Mexican journalists exposed in …, accessed May 27, 2025, https://cpj.org/2024/02/personal-information-of-hundreds-of-mexican-journalists-exposed-in-government-data-leak/
23. Data Breach Report: January 2025 Edition – PKWARE®, accessed May 27, 2025, https://www.pkware.com/blog/data-breach-report-january-2025-edition
24. January 2025 Data Breaches [LIST] – Pomerium, accessed May 27, 2025, https://www.pomerium.com/blog/january-2025-data-breaches-list
25. Fortinet warns of threat actor exploiting vulnerabilities in FortiOS – SDx Central, accessed May 27, 2025, https://www.sdxcentral.com/news/fortinet-warns-of-threat-actor-exploiting-vulnerabilities-in-fortios/
26. Hacking group leaks Fortinet users’ details on dark web – Computing UK, accessed May 27, 2025, https://www.computing.co.uk/news/2025/security/hacking-group-leaks-fortinet-users-details-dark-web
27. CVE-2025-30406 – Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild | Huntress, accessed May 27, 2025, https://www.huntress.com/blog/cve-2025-30406-critical-gladinet-centrestack-triofox-vulnerability-exploited-in-the-wild
28. Massive breach at location data seller: “Millions” of users affected – Malwarebytes, accessed May 27, 2025, https://www.malwarebytes.com/blog/news/2025/01/massive-breach-at-location-data-seller-millions-of-users-affected
29. Media firm Urban One confirms data breach after cybercriminals claim February attack, accessed May 27, 2025, https://therecord.media/urban-one-data-breach-african-amercian-media
30. House Bill Aims to Increase Oversight of Federal Retirement Thrift Investment Board, accessed May 27, 2025, https://www.planadviser.com/house-bill-aims-increase-oversight-federal-retirement-thrift-investment-board/
31. 2025-676-jani-king-international-inc – Mass.gov, https://www.mass.gov/doc/2025-676-jani-king-international-inc/download
32. Privacy Policy – Sylvania Group, accessed May 27, 2025, https://www.sylvania-group.com/professional/legal-pages/privacy-policy/
33. Privacy Policy | OSRAM SYLVANIA Homepage, accessed May 27, 2025, https://www.osram.us/cb/privacy-policy/index.jsp
34. Over What Area Did the Oil and Gas Spread During the 2010 Deepwater Horizon Oil Spill?, accessed May 27, 2025, https://tos.org/oceanography/article/over-what-area-did-the-oil-and-gas-spread-during-the-2010-deepwater-horizon
35. Improving ozone simulations in Asia via multisource data assimilation: results from an observing system simulation experiment with GEMS geostationary satellite observations – ACP – Recent, accessed May 27, 2025, https://acp.copernicus.org/articles/23/3731/2023/
36. Threat Intelligence – Fort Knox Cyber Secuirty, accessed May 27, 2025, https://cybersecuritycompany.africa/services/threat-intelligence/
37. The Digital Fort Knox: 8 Security Essentials Every Small Business Needs – IT Architeks, accessed May 27, 2025, https://www.itarchiteks.com/the-digital-fort-knox-8-security-essentials-every-small-business-needs
38. Cybersecurity :: U.S. Army Fort Knox, accessed May 27, 2025, https://home.army.mil/knox/units-tenants/network-enterprise-center-nec/cybersecurity
39. Early warning scores to identify the risk of clinical worsening or death in patients hospitalized for COVID-19 – SciELO Colombia, accessed May 27, 2025, http://www.scielo.org.co/pdf/amc/v47n3/0120-2448-amc-47-03-1d.pdf
40. Early warning scores to identify the risk of clinical worsening or death in patients hospitalized for COVID-19 – Redalyc, accessed May 27, 2025, https://www.redalyc.org/journal/1631/163175158004/movil/
41. Threat Actor Spotlight: Pryx – Morado Intelligence, accessed May 27, 2025, https://www.morado.io/blog-posts/threat-actor-spotlight-pryx
42. Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS …, accessed May 27, 2025, https://thehackernews.com/2025/03/weekly-recap-chrome-0-day_31.html
43. World Leaks: An Extortion Platform – Lexfo’s security blog, accessed May 27, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
44. Reflections of the India–Pakistan Kashmir Escalation on the Cyber …, accessed May 27, 2025, https://socradar.io/india-pakistan-kashmir-escalation-on-cyber-world/
45. inaccessible at time of writing (see VI.B), https://t.me/IndoHaxSec2/6
46. MediaWorks Cyberattack Confirmed: NZ Citizens’ Data Exposed – The Cyber Express, accessed May 27, 2025, https://thecyberexpress.com/mediaworks-cyberattack-confirmed/
47. MediaWorks New Zealand Data Breach Exposes 2.4 Million – Gridware Cybersecurity, accessed May 27, 2025, https://www.gridware.com.au/blog/mediaworks-new-zealand-data-breach-exposes-2-4-million/
48. Breaking Cyber News From Cyberint, accessed May 27, 2025, https://cyberint.com/news-feed/
49. Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan, accessed May 27, 2025, https://thehackernews.com/2024/06/russian-power-companies-it-firms-and.html
50. AeroBlade (Threat Actor) – Malpedia, accessed May 27, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/aeroblade
51. What is Hacktivism? – Xcitium, accessed May 27, 2025, https://www.xcitium.com/knowledge-base/hacktivism/
52. Cyber lethality: Multidomain training enhances readiness at exercise African Lion 2025, accessed May 27, 2025, https://www.army.mil/article/285284/cyber_lethality_multidomain_training_enhances_readiness_at_exercise_african_lion_2025
53. “We are Anonymous”: Can Hacktivism Help in the Fight Against ISIS? | CGSRS, accessed May 27, 2025, https://cgsrs.org/publications/35
54. Anonymous (hacker group) – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
55. inaccessible at time of writing (see VI.B), https://t.me/CyberforceTn/127
56. TrojanDropper:Win32/Pykspa.A threat description – Microsoft Security Intelligence, accessed May 27, 2025, https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper%3AWin32%2FPykspa.A
57. Stephanie Stearns – IMDb, accessed May 27, 2025, https://www.imdb.com/name/nm0828007/
58. Stephanie Nogueras – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/Stephanie_Nogueras
59. Unfriended: Dark Web – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/Unfriended:_Dark_Web
60. CYSA Test Review 1 Flashcards | Quizlet, accessed May 27, 2025, https://quizlet.com/au/595345364/cysa-test-review-1-flash-cards/
61. With generative AI, social engineering gets more dangerous—and harder to spot – IBM, accessed May 27, 2025, https://www.ibm.com/think/insights/generative-ai-social-engineering
62. Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data – CISA, accessed May 27, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-304a
63. French-speaking gang OPERA1ER APT in Africa | Group-IB Blog, accessed May 27, 2025, https://www.group-ib.com/blog/opera1er-apt/
64. India Experiences Surge in Hacktivist Group Activity Amid Military Tensions – Cyble, accessed May 27, 2025, https://cyble.com/blog/india-experience-hacktivist-group-activity/
65. Biznet Networks: Infrastruktur Digital Terintegrasi | Internet, IPTV, Data Center, dan Cloud Computing, accessed May 27, 2025, https://www.biznetnetworks.com/
66. SumutProv-CSIRT, accessed May 27, 2025, https://csirt.sumutprov.go.id/
67. Cyber SENTRI – Cyber System Explicit Normalized Threat Risk Insights – The Aerospace Corporation, accessed May 27, 2025, https://cybersentri.aerospace.org/
68. Crypto Scam Tracker – DFPI – CA.gov, accessed May 27, 2025, https://dfpi.ca.gov/consumers/crypto/crypto-scam-tracker/
69. San Andrés Cholula: Economy, employment, equity, quality of life, education, health and public safety | Data México, accessed May 27, 2025, https://www.economia.gob.mx/datamexico/en/profile/geo/san-andres-cholula
70. Authorities reveal targets of Iranian hacking group behind Trump campaign cybersecurity breach – YouTube, accessed May 27, 2025, https://www.youtube.com/watch?v=WLMh0BAbeUI
71. Sandworm (hacker group) – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/Sandworm_(hacker_group)
72. NASKAH AKADEMIK RANCANGAN UNDANG-UNDANG TENTANG KEAMANAN DAN KETAHANAN SIBER – DPR RI, accessed May 27, 2025, https://berkas.dpr.go.id/akd/dokumen/RJ1-20190617-025848-5506.pdf
73. 2025 Indonesian protests – Wikipedia, accessed May 27, 2025, https://en.wikipedia.org/wiki/2025_Indonesian_protests
74. Dark Web Websites: What They Are And How To Access Them Safely – Onerep, accessed May 27, 2025, https://onerep.com/blog/dark-web-websites