[May-29-2025] Daily Cybersecurity Threat Report

1. Executive Summary

This report provides a high-level, strategic overview of critical cybersecurity incidents and trends observed in the last 24 hours, distilling complex information into actionable intelligence for leadership.

Key Highlights of the Day:

The past 24 hours have seen a diverse array of cyber incidents, predominantly focusing on data breaches and initial access sales across various industries and geographies. Notable incidents include the alleged data breach of ASC MACHINE TOOLS,INC. by Worldleaks, where 173.7 GB of data was claimed to be obtained. There’s also a significant alleged data sale of 9 million insurance records from FWD Vietnam by the threat actor giorggios. Initial access brokers, such as personX, Anon-WMG, Hirosina, razum, and dotdotslash, have been actively selling unauthorized VPN, admin, and shell access to various organizations, including medical insurance companies, large corporations, and a Prestashop installation in France, with one listing noting over 3,000 credit card transactions captured. Defacement attacks were also observed, with Team 1722 targeting Fosil Power and Arabian Ghosts targeting Hezbollah. Furthermore, several large-scale data leaks and sales were reported, including over 100,000 Japanese emails by byyllcrypt, sensitive Indonesian student data from SNPMB by LIUSHEN, and a massive 1.9TB leak of police helicopter surveillance footage from the USA by namolesa. The Israel Ministry of Justice also allegedly suffered a 245GB data leak, also attributed to namolesa. These incidents highlight the pervasive nature of financially motivated cybercrime, the active market for initial access, and the continued use of cyber operations for ideological or disruptive purposes.

Overarching Trends:

A discernible trend indicates a persistent focus on data exfiltration and monetization, whether through direct data sales or extortion. The active market for initial access, particularly VPN and administrative credentials, underscores a key entry point for various malicious activities. The blurring lines between financially motivated actors and hacktivist groups continue to be evident, with some groups engaging in defacement while others focus on large-scale data theft. The targeting of government entities, critical infrastructure, and sensitive personal data remains a significant concern, indicating a broad and persistent threat landscape.

Immediate Call to Action:

Enhanced vigilance, adaptive defense strategies, and robust incident response planning are immediately necessary, particularly for organizations holding sensitive data, operating critical infrastructure, or those whose services could be leveraged for further attacks.

2. Current Threat Landscape Overview

This section provides broader context to the daily incidents, analyzing general patterns, shifts in attack activity, and the evolving nature of cyber threats.

Global Cybercrime Trends:

The ransomware market, while exhibiting a slight slowdown in the number of active groups in Q1 2025 (a 40% decrease compared to 2024), continues to be dominated by highly active and adaptive players like Akira, with a resurgence of groups such as Silent (Luna Moth).[1] This suggests a consolidation of power among fewer, more capable Ransomware-as-a-Service (RaaS) operators rather than a decrease in the overall threat. The commoditization of sophisticated ransomware capabilities through RaaS models, exemplified by Lockbit 3.0 and Qilin, continues to lower the barrier to entry for less skilled affiliates, enabling widespread and impactful attacks.[2]

The observed strategic shift from encryption-based ransomware to pure data extortion for financial gain suggests a calculated adaptation by threat actors to circumvent law enforcement efforts targeting ransomware infrastructure and to simplify their operational model.[5] This adaptation indicates a focus on maximizing profit with reduced technical overhead and potential legal risks associated with data destruction, by concentrating solely on the financial leverage of stolen information.

Evolving Hacktivism:

Hacktivism has transformed into a “complex instrument of hybrid warfare,” moving beyond traditional activities like DDoS attacks and website defacements into more sophisticated critical infrastructure and ransomware attacks.[7] This evolution signifies a strategic shift where hacktivist motivations are increasingly intertwined with cybercriminal methodologies, making them a more formidable and unpredictable threat. Geopolitical conflicts, particularly the Russian-Ukrainian conflict and broader Middle Eastern unrest, are direct catalysts for increased hacktivist activity, influencing their targets and attack methods.[7] Pro-Russian groups, such as NoName057(16), Z-pentest, and Peoples Cyber Army, and pro-Ukrainian groups, including BO Team and C.A.S., are actively engaged in cyber operations mirroring real-world conflicts.[8]

Nation-State Activity:

State-sponsored Advanced Persistent Threat (APT) groups remain a significant threat, engaging in sophisticated cyber espionage, data theft, and network disruption. These groups are consistently well-resourced and aim for prolonged network intrusions.[10] The attribution of attacks to specific nation-states, such as China-linked APT31 and Iran-linked Handala, underscores the geopolitical dimension of cyber warfare and the use of cyber operations to advance national interests.[11]

Prevalent Attack Vectors and TTPs:

Initial access commonly involves exploiting known vulnerabilities (CVEs), compromised Remote Desktop Protocol (RDP) credentials, phishing campaigns (including spear-phishing with weaponized documents), drive-by compromise, and abuse of valid accounts.[13] Lateral movement often leverages legitimate tools and living-off-the-land (LOTL) techniques, such as PowerShell, PsExec, Windows Management Instrumentation (WMI), Cobalt Strike, and Mimikatz, to evade detection and spread within networks.[13] Data exfiltration remains a primary objective, often using compression tools like 7zip, and leveraging File Transfer Protocol (FTP) services (e.g., Filezilla) or cloud storage services.[13]

The widespread use of “living off the land” (LOTL) techniques and legitimate tools across various threat actors, including Lockbit 3.0, OPERA1ER, and Nebulous Mantis [15], indicates a sophisticated strategy to blend in with normal network activity. This makes detection significantly harder for traditional signature-based security solutions and necessitates advanced behavioral analytics and proactive threat hunting to identify subtle anomalies rather than relying on known malicious signatures.
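The detection logic below is an added example, not part of the original report: it runs a few behavioural rules over constructed process-creation events to surface the LOTL chains named above (a document spawning PowerShell, PsExec and WMI remote execution, and 7-Zip archiving followed by an FTP client on the same host). The event format, field names, rule names and the events themselves are assumptions constructed for this example.

```python
"""Behavioural correlation over process-creation events, modelled on the LOTL tool
chains named in the report (PsExec, WMI, PowerShell, 7-Zip archiving followed by an
FTP client). Example code added for illustration, not part of the original report;
the event format, field names and events below are constructed."""
from datetime import datetime, timedelta

# Constructed events: timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2025-05-29T02:11:04|WS-014|CORP\jdoe|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" invoice.docx
2025-05-29T02:11:09|WS-014|CORP\jdoe|winword.exe|powershell.exe|powershell.exe -nop -w hidden -enc AAAAAAAA
2025-05-29T02:13:40|SRV-DB1|CORP\svc_backup|services.exe|PSEXESVC.exe|C:\Windows\PSEXESVC.exe
2025-05-29T02:14:02|SRV-DB1|CORP\svc_backup|wmiprvse.exe|cmd.exe|cmd.exe /c hostname
2025-05-29T02:20:15|SRV-DB1|CORP\svc_backup|cmd.exe|7z.exe|7z.exe a -p -mhe=on C:\Temp\fin.7z D:\Finance\
2025-05-29T02:26:48|SRV-DB1|CORP\svc_backup|explorer.exe|filezilla.exe|"C:\Program Files\FileZilla FTP Client\filezilla.exe"
2025-05-29T03:05:00|WS-022|CORP\admin|explorer.exe|7z.exe|7z.exe a C:\Temp\logs.7z C:\Logs\
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe"}
FTP_CLIENTS = {"filezilla.exe", "ftp.exe", "winscp.exe"}
EXFIL_WINDOW = timedelta(minutes=30)  # assumed staging-to-transfer window


def parse_events(text):
    """Parse the constructed pipe-separated format into dicts sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "parent": parent.lower(), "image": image.lower(), "cmdline": cmdline})
    return sorted(events, key=lambda e: e["ts"])


def finding(rule, ev):
    return {"rule": rule, "host": ev["host"], "user": ev["user"], "ts": ev["ts"].isoformat()}


def per_event_rules(ev):
    """Rules that fire on a single event: weaponised document, PsExec, WMI, hidden PowerShell."""
    hits = []
    cl = ev["cmdline"].lower()
    if ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
        hits.append(finding("office_spawns_shell", ev))
    if ev["image"] == "psexesvc.exe":  # service image PsExec drops on the remote host
        hits.append(finding("psexec_service", ev))
    if ev["parent"] == "wmiprvse.exe" and ev["image"] in SHELLS:  # WMI-launched shell
        hits.append(finding("wmi_remote_exec", ev))
    if ev["image"] in {"powershell.exe", "pwsh.exe"} and (" -enc" in cl or " hidden" in cl):
        hits.append(finding("hidden_or_encoded_powershell", ev))
    return hits


def sequence_rules(events):
    """Stateful rule: an archive is created on a host, then an FTP client starts within the window."""
    hits = []
    last_archive = {}  # host -> most recent archive-creation event
    for ev in events:
        if ev["image"] in ARCHIVERS and ev["cmdline"].split()[1:2] == ["a"]:  # "a" = add to archive
            last_archive[ev["host"]] = ev
        elif ev["image"] in FTP_CLIENTS:
            prior = last_archive.get(ev["host"])
            if prior is not None and ev["ts"] - prior["ts"] <= EXFIL_WINDOW:
                hits.append(finding("archive_then_ftp_client", ev))
    return hits


def detect(text):
    """Run all rules over an event feed and return findings ordered by time."""
    events = parse_events(text)
    hits = [h for ev in events for h in per_event_rules(ev)]
    hits.extend(sequence_rules(events))
    return sorted(hits, key=lambda h: (h["ts"], h["rule"]))


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['ts']} {h['host']:8} {h['user']:16} {h['rule']}")
```

The lone 7-Zip run on WS-022 produces no finding, which is the point of correlating the archive with a subsequent transfer tool rather than alerting on either binary by itself.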

3. Detailed Incident Analysis

This section provides a granular breakdown of recent incidents, offering specific details, in-depth threat actor profiles, and technical insights.

Incident Summary Table

| Incident Name | Affected Entity/Organization | Primary Threat Actor(s) | Attack Type | Key Impact | Date Reported |
|---|---|---|---|---|---|
| Alleged data breach of ASC MACHINE TOOLS,INC. | ASC MACHINE TOOLS,INC. | Worldleaks | Data Breach | 173.7 GB of data, including 461,802 files, obtained | May 29, 2025 |
| Alleged sale of unauthorized VPN access to an unidentified medical insurance company in USA | Unidentified medical insurance company | personX | Initial Access | Unauthorized VPN access for sale | May 29, 2025 |
| Alleged sale of unauthorized VPN access to an unidentified large corporation in Indonesia | Unidentified large corporation | Anon-WMG | Initial Access | Unauthorized VPN access for sale | May 29, 2025 |
| Alleged data sale of FWD Vietnam | FWD Vietnam | giorggios | Data Breach | 9 million insurance records for sale | May 29, 2025 |
| Alleged sale of Forti VPN access to multiple unidentified organizations in the USA | Unidentified multiple organizations | Hirosina | Initial Access | Unauthorized Forti VPN access for sale | May 29, 2025 |
| Team 1722 targets the website of Fosil Power | Fosil Power | Team 1722 | Defacement | Website defaced | May 29, 2025 |
| Alleged sale of admin and shell access to an unidentified organization in France | Unidentified organization (Prestashop 1.7.7.8 installation) | razum | Initial Access | Admin and shell access for sale, 3,000+ credit card transactions captured | May 29, 2025 |
| Arabian Ghosts targets the website of Hezbollah | Hezbollah | Arabian Ghosts | Defacement | Website defaced | May 29, 2025 |
| Alleged database leak of Tymap | Tymap | OneERA | Data Breach | Database leaked (timestamps, user IDs, hashed passwords, emails, names, permissions) | May 29, 2025 |
| Alleged sale of Fortinet VPN access to an unidentified Israeli company | Unidentified Israeli company | dotdotslash | Initial Access | Unauthorized Fortinet VPN access for sale | May 29, 2025 |
| Alleged leak of Japanese Emails | N/A (Japanese emails) | byyllcrypt | Data Leak | Over 100,000 Japanese emails leaked | May 29, 2025 |
| Alleged database leak of SNPMB | SNPMB | LIUSHEN | Data Leak | Database leaked (student data: names, IDs, NIK, emails) | May 29, 2025 |
| Alleged data breach of VIP data | Unidentified organization (VIP data) | USD | Data Breach | Over 12 million sensitive user records leaked (names, emails, usernames, phones, IDs, passwords, addresses, DOB, IPs) | May 29, 2025 |
| Alleged data breach of Alliance Healthcare Italia | Alliance Healthcare Italia | DATACARRY | Data Breach | Database breached | May 29, 2025 |
| Alleged data sale of Aerial Surveillance Footage | Aerial Surveillance Footage (Dallas and Atlanta police) | namolesa | Data Breach | 1.9TB leak of police helicopter surveillance footage | May 29, 2025 |
| Alleged data sale of Israel Ministry of Justice | Israel Ministry of Justice | namolesa | Data Breach | 245GB of data leaked (emails, documents, personal information) | May 29, 2025 |
| Alleged data sale of Ministry of Communication and Digital of the Republic of Indonesia | Ministry of Communication and Digital of the Republic of Indonesia | BANDAR INTERNASIONAL INDONESIA | Data Breach | Government data leaked (company name, business entity, service type, permit info, address) | May 29, 2025 |

Alleged data breach of ASC MACHINE TOOLS,INC.

Incident Overview:

On May 29, 2025, the threat group Worldleaks claimed to have obtained 173.7 GB of data, including 461,802 files, from ASC MACHINE TOOLS,INC. The incident was reported on a Tor network.

Threat Actor Profile: Worldleaks

  • Identity & Aliases: World Leaks is an extortion platform that emerged in early 2025. It is a new project launched by the operators of the Hunters International ransomware group.[5] Hunters International had previously announced the end of their project in November 2024 but remained active, suggesting World Leaks is either a side project or a backup plan.[5]
  • Motivations & Goals: World Leaks operates as an Extortion-as-a-Service platform, primarily motivated by financial gain through data exfiltration and extortion.[5] They have shifted from double extortion with ransomware deployment to extortion-only attacks, likely due to law enforcement pressures and to reduce risk.[5] They use psychological leverage by selectively exposing sensitive files to pressure victims.[5]
  • Tactics, Techniques, and Procedures (TTPs): World Leaks provides affiliates with an exfiltration tool.[5] They operate a main data leak site (“trophy wall”), a negotiation site for ransom payments, and an “Insider platform” for journalists to access information about compromised victims 24 hours in advance.[5] They initiate conversations with victims online to increase pressure, warning of public data release if ransom is not paid.[5] Some victims have reportedly still suffered ransomware deployment despite the stated extortion-only model.[5]
  • Sophistication & Resources: The platform is an Extortion-as-a-Service model, indicating a degree of organization.[5] Their shift to extortion-only suggests adaptation to the threat landscape.[5]
  • Notable Past Activities & Geographic/Sectoral Focus: Hunters International, the group behind World Leaks, has claimed over 70 victims since their internal note was released.[5] A notable attack in December 2024 involved breaching the Fred Hutch Cancer Center and threatening to release sensitive data of over 800,000 cancer patients.[6] Ransom demands typically range from hundreds of thousands to multi-million dollars.[6]

Associated Resources:


Alleged sale of unauthorized VPN access to an unidentified medical insurance company in USA

Incident Overview:

On May 29, 2025, a threat actor identified as “personX” claimed to be selling unauthorized VPN access to an unidentified medical insurance company in the USA. The listing was found on an open web forum.

Threat Actor Profile: personX

  • Identity & Aliases: “personX” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of unauthorized access.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves selling unauthorized VPN access on an open web forum. General threat actor profiling includes understanding TTPs.[18]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “personX” are limited in the provided research. Threat actor profiles typically assess the attacker’s skill and knowledge.[19]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “personX” in the provided research.

Associated Resources:


Alleged sale of unauthorized VPN access to an unidentified large corporation in Indonesia

Incident Overview:

On May 29, 2025, the threat actor “Anon-WMG” offered to sell unauthorized access to a large unidentified Indonesian corporation. The listing was found on an open web forum.

Threat Actor Profile: Anon-WMG

  • Identity & Aliases: The actor is identified as “Anon-WMG”.[20] They are a newly registered actor on the Exploit forum.[20] While the name “Anonymous” is associated with a decentralized hacktivist collective known for DDoS attacks and anti-censorship activism [21], Anon-WMG appears to be a distinct, newly registered entity focused on selling exploits, with no direct evidence linking them to the broader Anonymous collective.[22]
  • Motivations & Goals: Anon-WMG’s primary motivation is financial gain, as evidenced by the advertisement of an alleged zero-day vulnerability for USD 6,500.[20] Their goal is to monetize vulnerabilities by selling them on underground forums.[20]
  • Tactics, Techniques, and Procedures (TTPs): Anon-WMG’s reported TTP involves advertising and attempting to sell alleged zero-day exploits. They claimed the vulnerability leverages three unspecified built-in Common Vulnerabilities and Exposures (CVEs) techniques, running on custom payloads that have never been published.[20] Despite skepticism from forum users, Anon-WMG offered the use of escrow to facilitate a sale.[20]
  • Sophistication & Resources: Anon-WMG joined the Exploit forum on April 10, 2025, and had yet to garner significant credibility at the time of the report.[20] While claiming a zero-day exploit suggests high technical sophistication, the skepticism from other forum users and the expired PoC link raise questions about their actual capabilities and the authenticity of their claims.[20] The attempt to sell zero-days on dark web forums demonstrates an alarming trend of cybercrime groups mimicking legitimate software development practices and market dynamics.
  • Notable Past Activities & Geographic/Sectoral Focus: As a newly registered actor, Anon-WMG has no extensive public history of attacks. Their focus appears to be on the vulnerability market, specifically targeting widely used network security products like Fortinet’s FortiGate.[20]

Associated Resources:


Alleged data sale of FWD Vietnam

Incident Overview:

On May 29, 2025, the threat actor “giorggios” claimed to be selling 9 million insurance data records from FWD Vietnam. The listing was found on an open web forum.

Threat Actor Profile: giorggios

  • Identity & Aliases: “giorggios” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of stolen data. Cybercrime is broadly defined as illicit activities where information and communication technology play a central role.[23]
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves selling large volumes of stolen data on open web forums.
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “giorggios” are limited in the provided research. Cybercriminals can range from “script kiddies” to “proficient hackers” and “crime syndicates”.[24]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “giorggios” in the provided research. The research notes discuss the general experience of cybercrime and ransomware.[25]

Associated Resources:


Alleged sale of Forti VPN access to multiple unidentified organizations in the USA

Incident Overview:

On May 29, 2025, the threat actor “Hirosina” claimed to be selling unauthorized Forti VPN access to multiple unidentified organizations in the USA. The listing was found on an open web forum.

Threat Actor Profile: Hirosina

  • Identity & Aliases: “Hirosina” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of unauthorized VPN access.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves selling Forti VPN access on an open web forum. Threat actor profiles typically detail TTPs.[26]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “Hirosina” are limited in the provided research. Threat actor profiles assess advancement based on technical observations and software used.[26]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “Hirosina” in the provided research. The research notes discuss the Peoples Cyber Army of Russia, a pro-Russian group that targets critical infrastructure and government agencies.[9]

Associated Resources:


Team 1722 targets the website of Fosil Power

Incident Overview:

On May 29, 2025, the group “Team 1722” claimed to have defaced the website of Fosil Power, an organization in the Agriculture & Farming industry in Turkey. The claim was made on Telegram.

Threat Actor Profile: Team 1722

  • Identity & Aliases: “Team 1722” is identified as an active hacktivist group.[8]
  • Motivations & Goals: Hacktivist groups like Team 1722 are politically or ideologically motivated, moving beyond traditional defacements to more sophisticated attacks.[7] Their actions aim to disrupt and make a statement.
  • Tactics, Techniques, and Procedures (TTPs): Team 1722 engages in website defacement.[7] Hacktivists are increasingly adopting sophisticated techniques, including critical infrastructure and ransomware attacks, and combining DDoS, credential leaks, and ICS disruption.[7]
  • Sophistication & Resources: Team 1722 shows consistent activity.[8] The growing sophistication of hacktivist groups is narrowing the gap between nation-state and financially motivated threat actors.[7]
  • Notable Past Activities & Geographic/Sectoral Focus: Team 1722 has shown consistent activity in Q1 2025.[8] Hacktivists in Q1 2025 primarily targeted government and law enforcement, banking and financial services, telecom, and energy and utilities sectors.[8] The energy and utilities sector was a dominant target for ICS attacks, reflecting a strategic focus on disrupting infrastructure tied to national resilience.[8]

Associated Resources:


Alleged sale of admin and shell access to an unidentified organization in France

Incident Overview:

On May 29, 2025, the threat actor “razum” claimed to be selling admin and shell access to a Prestashop 1.7.7.8 installation hosted in France. The listing noted that JS code on the payment page had captured over 3,000 credit card transactions between May 1 and 28. Bidding started at $1,000, with a $2,500 blitz price. The listing was found on an open web forum.
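As an added example (not part of the original report), the check below inventories the scripts on a checkout page against a baseline taken at deployment time, which is one way an injected payment-page script of the kind described above would surface; the page HTML, the origins and the function names are constructed for this example.

```python
"""Script-inventory check for a checkout page: compare the inline and external scripts
on the live page with a baseline captured at deployment, and emit the CSP script-src
directive that would restrict the page to that baseline. Example code added for
illustration, not part of the original report; the HTML and origins are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed "known good" checkout page captured at deployment time.
CLEAN_PAGE = """<html><head>
<script src="/themes/shop/js/checkout.js"></script>
<script src="https://cdn.example/payments/v1/form.js"></script>
<script>window.shopConfig = {"currency": "EUR", "step": "payment"};</script>
</head><body><form id="payment"></form></body></html>"""

# Constructed page as it might look after an unauthorised change: one extra inline
# script and one external script loaded from an origin that is not in the allowlist.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script>/* constructed placeholder for an unexpected inline script */</script>\n'
    '<script src="https://static.example-cdn.invalid/s.js"></script>\n</head>',
)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def csp_hash(body):
    """CSP hash-source for an inline script body (sha256 over the exact UTF-8 bytes)."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def script_origin(src):
    """Origin of an external script URL; relative URLs map to the page's own origin."""
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else "'self'"


def collect(html):
    c = ScriptCollector()
    c.feed(html)
    c.close()
    return c


def build_baseline(html):
    """Return (inline script hashes, allowed external origins) from the known-good page."""
    c = collect(html)
    return {csp_hash(b) for b in c.inline}, {script_origin(s) for s in c.external}


def audit_page(html, baseline_hashes, allowed_origins):
    """Compare a live page against the baseline; anything not in it is reported."""
    c = collect(html)
    return {
        "unexpected_inline": [h for h in (csp_hash(b) for b in c.inline) if h not in baseline_hashes],
        "unexpected_external": [s for s in c.external if script_origin(s) not in allowed_origins],
    }


def csp_script_src(baseline_hashes, allowed_origins):
    """script-src directive allowing only the baseline origins and inline hashes."""
    sources = sorted(allowed_origins) + [f"'{h}'" for h in sorted(baseline_hashes)]
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    hashes, origins = build_baseline(CLEAN_PAGE)
    print(audit_page(TAMPERED_PAGE, hashes, origins))
    print(csp_script_src(hashes, origins))
```

Serving the generated directive as a Content-Security-Policy header turns the audit from after-the-fact detection into enforcement, since a browser will refuse to run an inline script whose hash is not listed or an external script from an unlisted origin.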

Threat Actor Profile: razum

  • Identity & Aliases: “razum” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of unauthorized access and potentially stolen financial data.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves gaining and selling admin and shell access, and potentially deploying malicious JavaScript to capture credit card data. This aligns with tactics of ransomware groups that exfiltrate data prior to encryption and may “drip” data to increase pressure.[27]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “razum” are limited in the provided research. Ransomware groups like Lynx [27] are sophisticated and employ double extortion. The research notes discuss general trends in ransomware activity.[1]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “razum” in the provided research.

Associated Resources:


Arabian Ghosts targets the website of Hezbollah

Incident Overview:

On May 29, 2025, the group “Arabian Ghosts” claimed to have defaced the website of Hezbollah, a political organization in Lebanon. The claim was made on Telegram.

Threat Actor Profile: Arabian Ghosts

  • Identity & Aliases: “Arabian Ghosts” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The defacement of Hezbollah’s website suggests a politically or ideologically motivated hacktivist group.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves website defacement. Hacktivist groups are known for such activities.[7]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “Arabian Ghosts” are limited in the provided research. While the research mentions Iranian-linked groups like Handala [11] and the general nature of hacktivist groups [21], there is no specific profile for “Arabian Ghosts” in the provided snippets.
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “Arabian Ghosts” in the provided research.

Associated Resources:


Alleged database leak of Tymap

Incident Overview:

On May 29, 2025, a threat actor identified as “OneERA” claimed to have leaked the database of Tymap, an Estonian logistics tracking website. The compromised data allegedly includes timestamps, user IDs, language codes, login status flags, hashed passwords, email addresses, full names, and serialized JSON data for permissions. The claim was found on an open web forum.

Threat Actor Profile: OneERA

  • Identity & Aliases: “OneERA” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through data leaks.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and leaking databases containing sensitive user records. Threat actors like OPERA1ER [17] use multi-phase intrusion methodologies for initial access, execution, persistence, and data exfiltration.[15] Nation-state actors also engage in data theft.[10]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “OneERA” are limited in the provided research. The provided snippets discuss general threat actor monitoring and nation-state cyber actors.[10]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “OneERA” in the provided research.

Associated Resources:


Alleged sale of Fortinet VPN access to an unidentified Israeli company

Incident Overview:

On May 29, 2025, the threat actor “dotdotslash” offered to sell Fortinet VPN access to an unidentified Israeli company. The listing was found on an open web forum.

Threat Actor Profile: dotdotslash

  • Identity & Aliases: “dotdotslash” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of unauthorized VPN access.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves selling Fortinet VPN access. This could involve exploiting vulnerabilities like path traversal [12] or other initial access vectors.
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “dotdotslash” are limited in the provided research. The provided snippets discuss general web application vulnerabilities and their mitigation.[4]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “dotdotslash” in the provided research.

Associated Resources:


Alleged leak of Japanese Emails

Incident Overview:

On May 29, 2025, the threat actor “byyllcrypt” claimed to have leaked over 100,000 Japanese emails. The claim was found on an open web forum.

Threat Actor Profile: byyllcrypt

  • Identity & Aliases: “byyllcrypt” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through data leaks.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and leaking large volumes of emails.
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “byyllcrypt” are limited in the provided research.
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “byyllcrypt” in the provided research.

Associated Resources:


Alleged database leak of SNPMB

Incident Overview:

On May 29, 2025, the threat actor “LIUSHEN” claimed to have obtained and leaked the database of SNPMB, containing sensitive Indonesian student data such as full names, student IDs (NISN), school IDs (NPSN), national ID numbers (NIK), and emails. The claim was found on an open web forum.

Threat Actor Profile: LIUSHEN

  • Identity & Aliases: “LIUSHEN” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through data leaks, specifically sensitive student data.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and leaking databases. Ransomware groups like Qilin [3] use compromised RDP credentials, phishing, or exploiting vulnerabilities for initial access, and then exfiltrate sensitive files.[3] APT groups like APT31 [12] engage in cyber espionage and data theft.[12]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “LIUSHEN” are limited in the provided research. The provided snippets discuss Qilin ransomware and China-linked APT31.[3]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “LIUSHEN” in the provided research.

Associated Resources:


Alleged data breach of VIP data

Incident Overview:

On May 29, 2025, the threat actor “USD” claimed to have obtained the database of an unidentified organization, allegedly exposing over 12 million sensitive user records in the “VIP Data 2025” breach. The compromised data includes real names, email addresses, usernames, phone numbers, ID numbers, passwords, physical addresses, dates of birth, IP addresses, and regional information. The claim was found on an open web forum.

Threat Actor Profile: USD

  • Identity & Aliases: “USD” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through data breaches and sales of sensitive user records.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves breaching databases and selling large volumes of user records.
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “USD” as a threat actor are limited in the provided research. The provided snippets for “USD” refer to a cybersecurity company (usd AG) [29], not a threat actor.
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “USD” as a threat actor in the provided research.

Associated Resources:


Alleged data breach of Alliance Healthcare Italia

Incident Overview:

On May 29, 2025, the threat actor “DATACARRY” claimed to have breached the database of Alliance Healthcare Italia. The claim was found on a Tor network.

Threat Actor Profile: DATACARRY

  • Identity & Aliases: “DATACARRY” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through data breaches.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves breaching databases. Data extortion groups like Karakurt [13] steal data and threaten to auction or release it publicly.[13] They use tools like Cobalt Strike and Mimikatz for network enumeration and credential pulling, and compress/exfiltrate data using FTP services or cloud storage.[13]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “DATACARRY” are limited in the provided research. The provided snippets discuss Karakurt ransomware and general cybersecurity services.[13]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “DATACARRY” in the provided research.

Associated Resources:


Alleged data sale of Aerial Surveillance Footage

Incident Overview:

On May 29, 2025, the threat actor “namolesa” claimed a 1.9TB leak revealing over 600 hours of police helicopter surveillance footage from Dallas and Atlanta, showcasing military-grade surveillance technology. The claim was found on an open web forum.

Threat Actor Profile: namolesa

  • Identity & Aliases: “namolesa” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain through the sale of sensitive surveillance footage.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and selling large volumes of sensitive data. Threat actors like Nebulous Mantis [15] use spear-phishing with weaponized documents, hosted on bulletproof hosting services, and employ multi-phase intrusion methodologies for initial access, execution, persistence, and data exfiltration.[15] They use legitimate and custom tools for discovery, privilege escalation, defense evasion, credential harvesting, and lateral movement.[15]
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “namolesa” are limited in the provided research. The provided snippets discuss general threat actor monitoring and Nebulous Mantis.[15]
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “namolesa” in the provided research.

Associated Resources:


Alleged data sale of Israel Ministry of Justice

Incident Overview:

On May 29, 2025, the threat actor “namolesa” claimed to have leaked 245GB of data from Israel’s Ministry of Justice, including emails, documents, and personal information. The claim was found on an open web forum.

Threat Actor Profile: namolesa

  • Identity & Aliases: “namolesa” is identified as a threat actor. Specific aliases are not available in the provided research.
  • Motivations & Goals: The primary motivation appears to be financial gain or potentially politically motivated data sale, given the victim.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and selling large volumes of government data; no intrusion method is attributed to “namolesa” in the provided research. For comparison, threat actors like Nebulous Mantis use spear-phishing with weaponized documents hosted on bulletproof hosting services, and employ multi-phase intrusion methodologies for initial access, execution, persistence, and data exfiltration.15 They use legitimate and custom tools for discovery, privilege escalation, defense evasion, credential harvesting, and lateral movement.15
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “namolesa” are limited in the provided research. The provided snippets discuss general threat actor monitoring and Nebulous Mantis.15
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “namolesa” in the provided research.

Associated Resources:


Alleged data sale of Ministry of Communication and Digital of the Republic of Indonesia

Incident Overview:

On May 29, 2025, the group “BANDAR INTERNASIONAL INDONESIA” claimed to be selling data from the Ministry of Communication and Digital of the Republic of Indonesia. The compromised data allegedly includes company name, business entity, service type, permit number, permit date, permit year, permit address, and more. The claim was made on Telegram.

Threat Actor Profile: BANDAR INTERNASIONAL INDONESIA

  • Identity & Aliases: “BANDAR INTERNASIONAL INDONESIA” is identified as the group claiming responsibility for this incident.
  • Motivations & Goals: The primary motivation appears to be financial gain or notoriety through the sale of government data.
  • Tactics, Techniques, and Procedures (TTPs): The reported TTP involves obtaining and selling data from a government ministry. While the source listing attributes this to “BANDAR INTERNASIONAL INDONESIA,” research notes regarding a broader “Indonesia National Data Center Attack” (which may be related or a separate incident) indicate the use of Lockbit 3.0 ransomware, which employs encryption and data exfiltration.32
  • Sophistication & Resources: Specific details regarding the sophistication or resources of “BANDAR INTERNASIONAL INDONESIA” as a distinct threat actor are limited in the provided research.
  • Notable Past Activities & Geographic/Sectoral Focus: No specific past activities or detailed geographic/sectoral focus are available for “BANDAR INTERNASIONAL INDONESIA” as a threat actor in the provided research.

Associated Resources:

4. Emerging Threats & Vulnerabilities

This section discusses significant vulnerabilities or evolving attack techniques that, while not directly tied to the specific incidents detailed above, are critical to the broader threat landscape.

Path Traversal Vulnerabilities:

Path traversal attacks, also known as directory traversal, represent a persistent and critical vulnerability class. These attacks enable adversaries to access files and directories located outside the intended web root folder by manipulating input parameters, typically through “dot-dot-slash (../)” sequences or absolute file paths.4 The potential impact of such vulnerabilities is severe, encompassing unauthorized access to application source code, sensitive configuration files, and critical system files. This can lead to significant data breaches, unauthorized system access, data corruption, or even privilege escalation within the compromised environment.4 An example is CVE-2022-4244 in codeplex-codehaus (Java), which carries a high CVSS score of 7.5.4 The continued presence and high severity of path traversal vulnerabilities underscore a fundamental flaw in secure coding practices and input validation across various applications. Despite being a well-understood vulnerability class for decades, its persistent exploitation indicates that developers and organizations continue to struggle with basic security hygiene, making it a low-cost, high-impact vector for adversaries who can leverage these flaws for significant data exfiltration or system compromise.
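The traversal inputs named above (dot-dot-slash sequences and absolute file paths) can be exercised against a naive file handler and a root-confined one. The following Python is an added example written for this report, not code from the report or from its cited sources; the sandbox directory, file names and secret value are constructed for the demonstration, and the symlink case assumes a POSIX filesystem.

```python
"""Path traversal: a naive join beside a root-confined resolver (added example)."""
import os
import tempfile
from pathlib import Path


def vulnerable_open_path(web_root, requested):
    # Naive join: "../" segments, absolute paths and symlinks all escape web_root.
    return os.path.join(web_root, requested)


def naive_read(web_root, requested):
    """What the vulnerable handler would serve (None if the open fails)."""
    try:
        with open(vulnerable_open_path(web_root, requested), "rb") as fh:
            return fh.read()
    except (OSError, ValueError):  # ValueError covers an embedded NUL byte
        return None


def resolve_under_root(web_root, requested):
    """Canonical path of a regular file inside web_root, or None if it escapes."""
    if "\x00" in requested:
        return None                                  # NUL truncation trick
    root = Path(web_root).resolve(strict=True)       # canonical, symlink-free root
    # Dropping leading separators keeps an absolute path from replacing the root.
    candidate = (root / requested.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)                  # ValueError if outside root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return str(candidate)


def build_sandbox():
    """Constructed fixture: a web root plus a secret file one level above it."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    os.makedirs(os.path.join(web_root, "sub"))
    with open(os.path.join(web_root, "index.html"), "w") as fh:
        fh.write("<h1>hello</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db_password=constructed")
    # A symlink inside the root that points outside it (POSIX assumed).
    os.symlink(secret, os.path.join(web_root, "link"))
    return web_root, secret


def demo():
    """Run both handlers over traversal inputs; returns {label: {naive, hardened}}."""
    web_root, secret = build_sandbox()
    requests = [
        ("legit", "index.html"),
        ("dot-dot-slash", "../secret.txt"),
        ("nested-traversal", "sub/../../secret.txt"),
        ("absolute", secret),
        ("symlink", "link"),
        ("nul-byte", "index.html\x00.png"),
    ]
    return {label: {"naive": naive_read(web_root, req),
                    "hardened": resolve_under_root(web_root, req)}
            for label, req in requests}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:18} naive={outcome['naive']!r:32} hardened={outcome['hardened']}")
```

The resolver canonicalises both the root and the candidate before comparing them, so symlinks and “..” segments are caught by the same check rather than by a blacklist of patterns. Percent-decoding of the request path (for example `%2e%2e%2f`) is the web framework’s job and must happen exactly once before this function is called; decoding again afterwards reintroduces the bypass.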

AI-Powered Threat Actors:

An emerging concept in the cyber threat landscape is the rise of “Zero-Knowledge Threat Actors” powered by Artificial Intelligence (AI).22 This represents a significant paradigm shift in the cybercrime landscape. It suggests that sophisticated attacks, which previously demanded extensive technical expertise and deep understanding of systems, could become accessible to individuals with minimal skill, effectively democratizing advanced cybercrime. This development will necessitate a fundamental re-evaluation of security education, the development of more adaptive and intelligent automated defense mechanisms, and a proactive approach to threat intelligence to anticipate and counter AI-driven threats that can operate with unprecedented speed and scale.

Bulletproof Hosting and Legitimate Platform Abuse:

Threat actors increasingly rely on bulletproof hosting services, such as LuxHost and Aeza, to maintain resilient command-and-control (C2) infrastructure.15 This practice makes it considerably more challenging for defenders to block malicious activity based on static indicators like IP addresses or domain reputation, as adversaries can quickly shift their infrastructure. Furthermore, there is a growing trend of abusing legitimate online platforms, such as external customer feedback portals, for phishing campaigns.15 This tactic leverages trusted infrastructure to bypass traditional email security filters and gain initial access, exploiting the inherent trust users place in familiar services. Together, these practices demonstrate the adaptability of threat actors and their sophisticated understanding of network infrastructure and trust relationships. Because adversaries can quickly shift infrastructure or hide within trusted legitimate services, defenders need behavioral detection, continuous monitoring of web traffic, and robust content filtering rather than reliance on static indicators alone.

5. Recommendations & Mitigation Strategies

To enhance defensive posture, improve incident response capabilities, and effectively integrate threat intelligence, organizations should adopt multi-layered strategies.

Proactive Defense Enhancements:

  • Vulnerability Management & Patching: Prioritize the immediate remediation of known exploited vulnerabilities (CVEs), especially those identified as initial access vectors for prominent groups like Lockbit 3.0 (e.g., Fortinet VPN, GoAnywhere MFT, PaperCut MF/NG).14 Implement robust, automated vulnerability scanning and patch management programs that extend beyond basic compliance requirements.
  • Strong Authentication & Access Control: Enforce phishing-resistant multi-factor authentication (MFA) for all users and services, particularly for remote access protocols like VPN and RDP.14 Implement least privilege access models and restrict administrative interface access to specific trusted IP addresses or VPNs.16
  • Input Validation & Secure Coding: Ensure that all user-provided input is properly validated and sanitized to prevent common web application vulnerabilities such as path traversal and SQL injection.7 Utilize secure, platform-provided functions for file access and enforce strong access control to sensitive files.28
  • Network Segmentation: Implement granular network segmentation to limit lateral movement and contain breaches, thereby restricting the server’s ability to access internal resources.28 This approach isolates critical assets and significantly reduces the blast radius of an attack.
  • Endpoint Detection & Response (EDR) / Extended Detection & Response (XDR): Deploy advanced EDR/XDR solutions capable of detecting “living off the land” (LOTL) techniques, process injection, and behavioral anomalies that bypass traditional signature-based detections.16 Configure these tools to prevent malicious execution and detect shadow copy deletion. The widespread use of LOTL techniques, the continuous evolution of adversary methods, and the increasing professionalization of RaaS groups indicate that traditional signature-based defenses are increasingly insufficient. Adversaries actively try to evade detection by mimicking legitimate activity and constantly evolving their methods, making static indicators less effective. Therefore, organizations must shift their security investments towards behavioral analytics, AI-driven detection, and proactive threat hunting capabilities. This means focusing on detecting anomalous activity patterns, deviations from baseline behavior, and the intent behind actions rather than just known malicious signatures. Security teams need to be equipped with the skills and tools to understand adversary intent and adapt their defenses in real-time, moving from a reactive, indicator-based posture to a truly proactive, intelligence-led defense.
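The EDR/XDR recommendation above asks for detection of shadow copy deletion and other “living off the land” commands. The following Python is an added example written for this report, not code from the report, its cited sources, or any EDR product: it runs a small set of command-line rules over constructed process-creation records in a Sysmon-like shape. The host names, user names and events are constructed, and the rule names are hypothetical; the ATT&CK technique reference (T1490, Inhibit System Recovery) is the standard one for this behaviour.

```python
"""Detecting shadow-copy deletion in process-creation telemetry (added example)."""
import re

# Constructed process-creation records in a Sysmon-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic  shadowcopy delete"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},             # benign inventory query
    {"host": "ws03", "user": "CORP\\bob",
     "image": r"C:\Program Files\Backup\backup.exe",
     "cmdline": "backup.exe --snapshot --verify"},    # benign backup job
]

# Each rule: hypothetical rule name, ATT&CK technique, regex over the normalized command line.
RULES = [
    ("vssadmin_delete_shadows", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", "T1490",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("wmi_shadowcopy_delete_ps", "T1490",
     re.compile(r"win32_shadowcopy.*\.delete\(\)")),
    ("wbadmin_delete_catalog", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b")),
    ("bcdedit_recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
]


def normalize(cmdline):
    # Lower-case and collapse whitespace so casing and spacing variations do not evade the rules.
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def detect(events):
    """Return one finding per (event, matching rule); benign admin queries produce none."""
    findings = []
    for ev in events:
        cmd = normalize(ev.get("cmdline", ""))
        for name, technique, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"host": ev["host"], "user": ev.get("user"),
                                 "rule": name, "technique": technique,
                                 "cmdline": ev["cmdline"]})
    return findings


def summarize(findings):
    """Group findings by host so the SOC gets one alert per machine, not per command."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in by_host.items()}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for host, rules in summarize(hits).items():
        print(f"{host}: recovery inhibition observed -> {', '.join(rules)}")
```

Matching on the normalized command line rather than on the image path catches renamed binaries and PowerShell wrappers alike, and the per-host summary is what turns several LOTL commands into a single high-confidence alert. In production the same rules would be expressed in the EDR’s own query language, with the benign “list shadows” case kept as a regression test so tuning does not silently widen the match.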

Enhanced Threat Intelligence & Awareness:

  • Cyber Threat Profiling: Develop and maintain comprehensive cyber threat profiles tailored to the organization’s specific industry, geography, and critical assets.18 This includes understanding adversary motivations, capabilities, and Tactics, Techniques, and Procedures (TTPs) to anticipate and prepare for attacks. The proliferation of aliases for a single threat actor highlights the inherent challenge of consistent attribution in cybersecurity.10 This necessitates a robust threat intelligence framework that can correlate activity across different naming conventions and intelligence reports, ensuring that organizations are tracking the same adversary despite varied public or vendor-specific monikers. This complexity can hinder effective information sharing and defense coordination.
  • Intelligence-Led Security Strategy: Integrate cyber threat intelligence into all aspects of the security program, including vulnerability management, threat modeling, security validation, threat hunting, and red teaming exercises, to create a truly proactive defensive posture.18
  • Employee Training & Awareness: Conduct regular, targeted training to help users recognize and report phishing attempts, social engineering tactics, and suspicious communications.13 Addressing the “human element” as a frequent initial access vector is crucial for promoting a strong culture of security.
  • Dark/Deep Web Monitoring: Proactively monitor dark and deep web forums for compromised accounts, credentials, and discussions related to the organization or industry.20 This serves as a valuable source of early warning threat intelligence.

Robust Incident Response & Recovery:

  • Incident Response Planning: Develop and regularly test comprehensive incident response plans that outline detection, containment, mitigation, and recovery steps.24 This must include specific strategies for dealing with data extortion incidents, even those without encryption.
  • Data Backup & Recovery: Implement robust, isolated, and regularly tested backup and recovery strategies to ensure business continuity and data integrity, even in the event of successful data encryption or destruction.16 Ensure backups are immutable and stored offline or in segmented environments.
  • Post-Incident Forensics: Conduct thorough forensic analysis post-incident to understand the root cause, TTPs used, and the full extent of compromise. This is crucial for informing future defensive measures and preventing recurrence.29

Strategic Considerations:

  • Supply Chain Security: Recognize that threat actors may target third-party vendors or supply chains to gain access to the organization.26 Implement rigorous supplier audits, enforce security requirements, and monitor third-party risk.
  • Geopolitical Awareness: Understand how geopolitical events can directly influence the cyber threat landscape and lead to increased hacktivist or state-sponsored activity targeting specific regions, industries, or organizations perceived as aligned with conflicting parties.7 Cyber operations are now an integral part of modern warfare and geopolitical strategy. They are not merely disruptive but are increasingly used for espionage, influence operations, and direct psychological warfare. This means organizations, even those not directly involved in conflicts, face increased risk due to their geographic location, industry sector, or perceived alignment, as they can become collateral damage or strategic targets in broader cyber campaigns. Lockbit 3.0’s practice of not executing on systems whose language settings match its exclusion list further underscores how even financially motivated groups can have geopolitical “rules of engagement,” shaping their target selection.14

6. Conclusion

The cyber threat landscape continues to demonstrate rapid evolution, driven by persistent geopolitical tensions, technological advancements, and the ongoing professionalization of cybercrime. The incidents observed in the last 24 hours underscore the increasing sophistication, adaptability, and professionalization of cyber adversaries, irrespective of their primary motivation. The lines between cybercrime, hacktivism, and state-sponsored operations are increasingly blurred, leading to more complex and impactful attacks that directly threaten critical infrastructure and public services.

The analysis highlights the critical importance of proactive, intelligence-led defense strategies that prioritize behavioral detection and continuous adaptation. Cybersecurity is no longer solely an IT concern; it is a critical national security and economic resilience imperative. Attacks on government services and critical infrastructure have direct, tangible impacts on citizens’ lives, economic stability, and national morale. This necessitates a whole-of-society approach, including robust public-private partnerships, national cyber awareness campaigns, and significant, sustained investment in government and critical sector cybersecurity capabilities, moving beyond basic compliance to true resilience.

Organizations must adopt a dynamic, intelligence-led security posture, focusing on proactive threat hunting, behavioral detection, and continuous adaptation of defenses to stay ahead of adversaries. The human element remains both a significant vulnerability and a critical line of defense, necessitating ongoing awareness, training, and a strong security culture. Ultimately, collective defense through robust information sharing and collaboration across sectors and international borders will be paramount in countering these increasingly complex and interconnected threats.

Works cited

  1. Threat Actor Activity Q1 2025 – Surefire Cyber, accessed May 29, 2025, https://www.surefirecyber.com/threat-actor-activity-q1-2025/
  2. Indonesia says a cyberattack has compromised its data center but it won’t pay the $8 million ransom | AP News, accessed May 29, 2025, https://apnews.com/article/indonesia-national-data-cyberattack-ransomware-6e510ed5e11fa31964f9f1486b6f65d8
  3. Threat Actor Profile: Qilin Ransomware Group – Cyble, accessed May 29, 2025, https://cyble.com/threat-actor-profiles/qilin-ransomware-group/
  4. CVE-2022-4244 Impact, Exploitability, and Mitigation Steps | Wiz, accessed May 29, 2025, https://www.wiz.io/vulnerability-database/cve/cve-2022-4244
  5. World Leaks: An Extortion Platform – Lexfo’s security blog, accessed May 29, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html
  6. Hunters International Shuts Down Ransomware Operation, Rebrands as Data Extortion Group ‘World Leaks’ – TrollEye Security, accessed May 29, 2025, https://www.trolleyesecurity.com/articles-news-hunters-international-rebrands-as-world-leaks/
  7. Hacktivists Target Critical Infrastructure, Move Into Ransomware – Cyble, accessed May 29, 2025, https://cyble.com/blog/hacktivists-infrastructure-move-into-ransomware/
  8. Rise in hacktivist threats to critical sector, as pro-Russian groups cause 50% rise in ICS/OT attacks in March – Industrial Cyber, accessed May 29, 2025, https://industrialcyber.co/reports/rise-in-hacktivist-threats-to-critical-sector-as-pro-russian-groups-cause-50-rise-in-ics-ot-attacks-in-march/
  9. Threat Actor Profile: Peoples Cyber Army of Russia – Cyble, accessed May 29, 2025, https://cyble.com/threat-actor-profiles/peoples-cyber-army-of-russia/
  10. Nation-State Cyber Actors | Cybersecurity and Infrastructure Security Agency CISA, accessed May 29, 2025, https://www.cisa.gov/topics/cyber-threats-and-advisories/nation-state-cyber-actors
  11. Iranian hacker group targets Israeli kindergartens’ PA systems | Iran International, accessed May 29, 2025, https://www.iranintl.com/en/202501265679
  12. Czech Republic Blames China-Linked APT31 Hackers for 2022 Cyberattack, accessed May 29, 2025, https://thehackernews.com/2025/05/czech-republic-blames-china-linked.html
  13. Karakurt Data Extortion Group – CISA, accessed May 29, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-152a
  14. #StopRansomware: LockBit 3.0 | CISA, accessed May 29, 2025, https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
  15. Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks, accessed May 29, 2025, https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html
  16. LockBit 3.0 – UltraViolet Cyber, accessed May 29, 2025, https://www.uvcyber.com/hubfs/downloadable-content/product-sheets/UVC-ThreatReport_Lockbit3.pdf
  17. French-speaking gang OPERA1ER APT in Africa | Group-IB Blog, accessed May 29, 2025, https://www.group-ib.com/blog/opera1er-apt/
  18. Cyber Threat Profile | Google Cloud, accessed May 29, 2025, https://cloud.google.com/security/resources/datasheets/cyber-threat-profile
  19. Identifying a Threat Actor Profile, accessed May 29, 2025, https://oasis-open.github.io/cti-documentation/examples/identifying-a-threat-actor-profile.html
  20. The Underground Economist: Volume 5, Issue 8 – ZeroFox, accessed May 29, 2025, https://www.zerofox.com/intelligence-feed/the-underground-economist-volume-5-issue-8/
  21. Anonymous (hacker group) – Wikipedia, accessed May 29, 2025, https://en.wikipedia.org/wiki/Anonymous_(hacker_group)
  22. Anonymous Launches “Largest Attack Ever on Government and Music Industry Sites”, accessed May 29, 2025, https://www.securityweek.com/anonymous-launches-largest-attack-ever-government-and-music-industry-sites/
  23. The Novelty of ‘Cybercrime’: An Assessment in Light of Routine Activity Theory, accessed May 29, 2025, https://www.researchgate.net/publication/238433587_The_Novelty_of_’Cybercrime’An_Assessment_in_Light_of_Routine_Activity_Theory
  24. Malevolent Threat Actor Monitoring – OTIFYD, accessed May 29, 2025, https://otifyd.com/services/malevolent-threat-actor-monitoring/
  25. The Experience of Cybercrime in Georgia: Awareness, Victimisation and Reporting – RUSI, accessed May 29, 2025, https://www.rusi.org/explore-our-research/publications/occasional-papers/experience-cybercrime-georgia-awareness-victimisation-and-reporting
  26. The Threat Actor Profile Guide for CTI Analysts.txt – GitHub, accessed May 29, 2025, https://github.com/curated-intel/Threat-Actor-Profile-Guide/blob/main/The%20Threat%20Actor%20Profile%20%20Guide%20for%20CTI%20Analysts.txt
  27. New Threat on the Prowl: Investigating Lynx Ransomware – Darktrace, accessed May 29, 2025, https://www.darktrace.com/blog/new-threat-on-the-prowl-investigating-lynx-ransomware
  28. Bug bounty glossary: common web application vulnerabilities – Intigriti, accessed May 29, 2025, https://www.intigriti.com/blog/business-insights/bug-bounty-glossary-common-web-application-vulnerabilities
  29. Cyber Security – Analysis. Consulting. Audits. – usd AG, accessed May 29, 2025, https://www.usd.de/en/
  30. Cyber Threat Intelligence | University of San Diego Online Degrees, accessed May 29, 2025, https://onlinedegrees.sandiego.edu/classes/cyber-threat-intelligence/
  31. Digitization services – PwC, accessed May 29, 2025, https://www.pwc.com/lv/en/about/services/IT-services.html
  32. Digital attack hit Indonesia’s airport, public services crippled by security breach – YouTube, accessed May 29, 2025, https://www.youtube.com/watch?v=X2GbM2QZ05U
  33. LockBit – Wikipedia, accessed May 29, 2025, https://en.wikipedia.org/wiki/LockBit
  34. THREAT ANALYSIS: Assemble LockBit 3.0 – Cybereason, accessed May 29, 2025, https://www.cybereason.com/blog/threat-analysis-assemble-lockbit-3