CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This covers multiple industries, geographies, and technologies that could be relevant to your organization.
Type: Ransomware
Target Technologies: MS Windows
Introduction
CYFIRMA Research and Advisory Team has found Jett Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Jett Ransomware
Researchers have recently discovered a new ransomware strain called Jett. Once it has entered the victim’s network, it encrypts files and appends the victim’s ID, email address, and the “.jett” extension to each file name. The ransomware also leaves behind two ransom notes: “info.hta” and “ReadMe.txt”.
The Jett ransomware’s ransom note informs victims that their data has been encrypted using AES-256 and RSA-2048 encryption algorithms. It assures them that the files remain intact and can be restored.
To recover their data, victims are instructed to contact the attackers via email or Telegram. As proof of decryption, the attackers offer to decrypt up to two small, non-sensitive files for free.
The note also warns against any attempts to deceive the attackers, stating that doing so will result in an increased ransom demand.
Following are the TTPs based on the MITRE ATT&CK Framework:
Tactic | ID | Technique |
Execution | T1047 | Windows Management Instrumentation |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1106 | Native API |
Persistence | T1542.003 | Pre-OS Boot: Bootkit |
Persistence | T1543.003 | Create or Modify System Process: Windows Service |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Privilege Escalation | T1055 | Process Injection |
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Privilege Escalation | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Defense Evasion | T1014 | Rootkit |
Defense Evasion | T1027 | Obfuscated Files or Information |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1055 | Process Injection |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1218.005 | System Binary Proxy Execution: Mshta |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1542.003 | Pre-OS Boot: Bootkit |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
Defense Evasion | T1564.003 | Hide Artifacts: Hidden Window |
Defense Evasion | T1564.004 | Hide Artifacts: NTFS File Attributes |
Defense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Credential Access | T1003 | OS Credential Dumping |
Credential Access | T1056 | Input Capture |
Discovery | T1010 | Application Window Discovery |
Discovery | T1033 | System Owner/User Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1083 | File and Directory Discovery |
Discovery | T1087 | Account Discovery |
Discovery | T1497 | Virtualization/Sandbox Evasion |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Lateral Movement | T1080 | Taint Shared Content |
Collection | T1005 | Data from Local System |
Collection | T1056 | Input Capture |
Collection | T1114 | Email Collection |
Collection | T1185 | Browser Session Hijacking |
Command and Control | T1071 | Application Layer Protocol |
Impact | T1485 | Data Destruction |
Impact | T1486 | Data Encrypted for Impact |
Impact | T1489 | Service Stop |
Impact | T1490 | Inhibit System Recovery |
Impact | T1496 | Resource Hijacking |
Relevancy and Insights:
ETLM Assessment:
CYFIRMA assesses that Jett ransomware may pose a significant threat across multiple industries and geographies due to its AES-256 and RSA-2048 encryption, multiple ransom notes, and persistent techniques like bootkits and DLL side-loading. Future variants may adopt stronger obfuscation and double extortion tactics, increasing risks for enterprises and critical infrastructure.
Sigma Rule
title: Delete shadow copy via WMIC
threatname:
behaviorgroup: 18
classification: 0
mitreattack:
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine:
            - '*wmic*shadowcopy delete*'
    condition: selection
level: critical
(Source: Surface web)
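As an added example (not part of the CYFIRMA report): a minimal Python evaluator for the rule above that translates its Sigma wildcard pattern into a case-insensitive regex and runs the selection over process-creation events. The event records, image paths and user names are constructed sample data, not telemetry from any incident.

```python
import re

# The selection block of the Sigma rule above, carried over as data.
SIGMA_SELECTION = {"CommandLine": ["*wmic*shadowcopy delete*"]}


def sigma_wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a Sigma wildcard string into a compiled, anchored regex.

    Sigma string semantics: '*' matches any run of characters, '?' matches a
    single character, and comparison is case-insensitive by default. Every
    other character is literal, so regex metacharacters (dots, backslashes,
    parentheses) in the pattern are escaped rather than interpreted.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def selection_matches(selection: dict, event: dict) -> bool:
    """Evaluate one Sigma selection against one event.

    Fields inside a selection are ANDed; a list of values for a single field
    is ORed. A field absent from the event can never satisfy the selection.
    """
    for field, values in selection.items():
        if isinstance(values, str):
            values = [values]
        observed = event.get(field)
        if observed is None:
            return False
        if not any(sigma_wildcard_to_regex(v).match(str(observed)) for v in values):
            return False
    return True


# Constructed process-creation events (Sysmon EventID 1 style fields).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete", "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "WMIC.exe ShadowCopy Delete /nointeractive"',
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy list brief", "User": r"CORP\backupsvc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic process list brief", "User": r"CORP\helpdesk"},
]


def run_rule(events: list) -> list:
    """Return the indices of events that satisfy 'condition: selection'."""
    return [i for i, ev in enumerate(events) if selection_matches(SIGMA_SELECTION, ev)]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT [critical] {ev['User']} ran: {ev['CommandLine']}")
```

The mixed-case `ShadowCopy Delete` invocation wrapped in `cmd.exe /c` still fires because Sigma matching is case-insensitive and the leading `*` tolerates any prefix, while the read-only `list brief` calls do not.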
IOCs
Kindly refer to the IOCs section to exercise controls on your security systems.
STRATEGIC RECOMMENDATION
MANAGEMENT RECOMMENDATION
TACTICAL RECOMMENDATION
Type: Remote Access Trojan | Objectives: Data theft, Remote Access, Keylogging | Suspected Threat Actor: Desert Dexter | Target Industries: Oil production, Construction, Information Technology, and Agriculture | Target Technologies: Windows, Crypto Wallet Browser Extensions, Crypto Wallet Applications | Target Geographies: Middle East and North Africa
CYFIRMA collects data from various forums based on which the trend is ascertained. We identified a few popular malware that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the Week
This week “AsyncRAT” is trending.
AsyncRAT
Researchers discovered a malware campaign, active since September 2024, targeting the Middle East and North Africa, with Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey among the most affected countries. The operation has been linked to a threat actor known as Desert Dexter, who uses fake news groups on social media to distribute malicious advertisements. These ads lure victims into clicking links that direct them to a file-sharing service or Telegram channel, ultimately delivering a modified version of AsyncRAT. This version has been enhanced with an offline keylogger, the ability to search for 16 different cryptocurrency wallet extensions and applications, and communication capabilities with a Telegram bot for further operations. Researchers identified around 900 potential victims by analyzing messages from the Telegram bot, including Device IDs and desktop screenshots sent to the attacker. Most of the victims appear to be ordinary users, with some employed in industries such as oil production, construction, information technology, and agriculture.
Attack Method
The attack begins with the creation of temporary accounts and news channels on Facebook. These channels are then used to post advertisements, which serve as bait to lure victims into the campaign. The attackers bypass Facebook’s ad filtering rules, which differ by country, allowing them to run deceptive advertisements without immediate detection.
The ads contain links directing victims to Files.fm or Telegram channels that host a malicious file. A clear pattern emerges in the naming of these channels, as they are designed to mimic legitimate media organizations. Some of the names used include Libya Press, Sky News, Almasar TV, The Libya Observer, The Times of Israel, Alhurra TV, VoiceQatar, Step News Agency, Watan, Al Ain, and UAE Voice. This tactic helps the attackers appear credible, making it more likely for victims to trust and engage with the content.
Technical Analysis
The attack follows a multi-stage infection chain, beginning with victims receiving a RAR archive via Telegram or an ad link. This archive contains either BAT or JavaScript files, which execute a PowerShell script to initiate the second stage. Notably, comments in the JavaScript file are written in Arabic, possibly hinting at the attacker’s origin.
In the next phase, the PowerShell script terminates specific .NET-related processes that might interfere with the malware’s execution. It then removes certain script files from system directories and places new VBS, BAT, and PS1 files to ensure they run sequentially. To maintain persistence, the script modifies registry settings, redirects the user startup folder, and logs a unique identifier for the malware. It also collects system details, captures a screenshot, and sends the information to a Telegram bot. Once the preparatory steps are complete, the malware executes its final payload in memory. It attempts to inject a custom C# reflective loader into aspnet_compiler.exe within the .NET framework directory. If the primary target is unavailable, it falls back to an older .NET version. This structured approach ensures stealth and persistence, allowing the attackers to maintain control over infected systems.
This version of AsyncRAT has been modified to enhance its capabilities, particularly in targeting two-factor authentication and cryptocurrency wallets. It includes a tweaked IdSender module that scans browsers for a two-factor authentication extension and multiple crypto wallet extensions, including:
AsyncRAT also searches for installed crypto wallet applications, including:
In addition to targeting cryptocurrency assets, the malware features a basic offline keylogger. Using the SetWindowsHookEx function, it records keystrokes along with the active process name, storing the logs in %TEMP%\Log.tmp. This combination of credential theft and keylogging allows the attackers to steal sensitive information, potentially compromising both authentication processes and digital assets.
Dexter Link: Uncovering the Attack’s Origins
During analysis, researchers identified that some scripts used in the attack contained logic for system reconnaissance and communication with a Telegram bot. Screenshots from the attacker’s messages also revealed references to Luminosity Link RAT, a well-known remote access tool whose creator was arrested in 2018. While this RAT is no longer actively developed, some versions, including the one used in this campaign, remain accessible on GitHub.
Interestingly, a pattern emerged in the screenshots taken by the malware, which revealed that they were captured on systems named ‘DEXTER’ or ‘DEXTERMSI.’ Further investigation showed that once a chat with the attacker’s Telegram bot starts, victims are redirected to a channel containing ‘dexter’ in its title. The presence of ‘ly’ in the channel name, combined with geolocation data and Arabic comments in the PowerShell script, suggests a possible connection to Libya. The attacker’s channel also appears to promote hacked iOS applications, hinting at broader cybercriminal activities.
INSIGHTS
ETLM ASSESSMENT
From the ETLM perspective, CYFIRMA anticipates that the tactics seen in the AsyncRAT campaign may expand beyond its current scope, targeting a wider range of industries and geographies. As attackers refine their methods, regions with increasing digital adoption and financial activity could become prime targets, especially industries relying on decentralized finance (DeFi) and cryptocurrency transactions. Malware operators may develop techniques to bypass evolving security measures, making detection more challenging. The use of social media and Telegram for distribution may extend to emerging platforms, increasing the difficulty of identifying and mitigating threats. Future campaigns might incorporate AI-generated deepfake content to enhance credibility and evade skepticism. Additionally, the repurposing of older malware with new delivery mechanisms could lead to more persistent infections that bypass traditional security solutions. This evolving landscape suggests that businesses will need to anticipate how cybercriminals adapt, moving beyond conventional defenses to stay ahead of emerging threats.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.
STRATEGIC:
MANAGEMENT:
TACTICAL RECOMMENDATIONS
Key Intelligence Signals:
The Escalating Threat of Blind Eagle: A Latin American Cybercriminal Group Focuses on Colombia
SUMMARY
Blind Eagle, an Advanced Persistent Threat (APT) group, has been actively targeting Colombian institutions and government entities since November 2024. Their recent campaigns are based on malicious .url files that exploit unusual user interactions, similar to the CVE-2024-43451 vulnerability. This vulnerability, which exposes a user’s NTLMv2 hash, allows attackers to authenticate as the user through pass-the-hash or relay attacks. Although Blind Eagle’s malicious files do not directly exploit this vulnerability, they initiate WebDAV requests to notify the attacker when the file is downloaded. Upon clicking the .url file, the malware payload is executed.
Following the release of a Microsoft patch for CVE-2024-43451 on November 12, 2024, Blind Eagle adapted by incorporating this .url file variant within six days. The group targeted Colombian judicial institutions and other high-value organizations, leading to over 1,600 infections during a campaign around December 19, 2024. The malware is typically delivered through legitimate file-sharing services like Google Drive, Dropbox, Bitbucket, and GitHub. The dropped payloads include .NET Remote Access Trojans (RATs) such as Remcos, packed using HeartCrypt for evasion.
The group also relies on social engineering techniques, notably phishing campaigns that impersonate Colombian banks, leading to the collection of sensitive Personally Identifiable Information (PII). The .url files initiate a WebDAV request to trigger the download of a .NET RAT, which communicates with a C&C server to deliver the final stage payload. This attack chain highlights Blind Eagle’s continued use of commodity malware tools and advanced evasion methods.
Despite security measures, Blind Eagle remains a potent threat due to its ability to exploit legitimate services for malware delivery, maintain persistence through underground crimeware, and adapt quickly to changing security landscapes.
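As an added triage helper (not code from the report or from the researchers it cites): parse an Internet Shortcut (.url) file and flag any field that would make Windows contact a remote UNC or WebDAV host, which is what lets such a file signal the attacker on download as described above. The file contents and the 203.0.113.10 address are constructed; placing the remote reference in IconFile is an assumption, since the report does not say which field the group uses.

```python
import configparser
import re
from urllib.parse import urlsplit

# Constructed .url contents for the demonstration (not a sample from the campaign).
# An Internet Shortcut is INI text with a single [InternetShortcut] section.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=https://example.invalid/notificacion-judicial.pdf
IconIndex=1
IconFile=\\\\203.0.113.10@80\\share\\icon.ico
"""

BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# UNC path \\host\share..., including the Windows WebDAV redirector forms
# \\host@80\share and \\host@SSL\share, which are fetched over HTTP(S).
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?P<davport>@(ssl|\d+))?\\", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return the [InternetShortcut] key/value pairs with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'URL' / 'IconFile' spelled as in the file
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    return dict(cp.items("InternetShortcut"))


def remote_references(fields: dict) -> list:
    """List (field, host, is_webdav) for every value that names a remote host.

    Two carriers are recognised: UNC/WebDAV paths and file:// URLs with a
    host component. A plain http(s) URL in the URL= field is the normal case
    and is not reported.
    """
    findings = []
    for key, value in fields.items():
        v = value.strip()
        m = UNC_RE.match(v)
        if m:
            findings.append((key, m.group("host"), m.group("davport") is not None))
            continue
        if v.lower().startswith("file:"):
            host = urlsplit(v).hostname
            if host:
                findings.append((key, host, False))
    return findings


def triage(text: str) -> dict:
    """Parse one .url file and return the fields worth escalating."""
    fields = parse_url_file(text)
    refs = remote_references(fields)
    # A remote host in a non-URL field (icon, working directory) is the red flag:
    # Windows can resolve it with minimal user interaction, before the target
    # URL is ever launched, which is how the file can phone home on download.
    verdict = "suspicious" if refs else "no remote reference"
    return {"url": fields.get("URL"), "remote": refs, "verdict": verdict}


if __name__ == "__main__":
    for name, content in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(name, "->", triage(content))
```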
Relevancy & Insights:
Blind Eagle has been targeting Colombian institutions since November 2024. In its recent campaign, Blind Eagle exploited unusual user interactions, similar to the CVE-2024-43451 vulnerability, by using malicious .url files to trigger WebDAV requests. These files, once clicked, deliver .NET Remote Access Trojans (RATs) like Remcos. Following the Microsoft patch for CVE-2024-43451 in November 2024, Blind Eagle quickly adapted to deploy this variant, infecting over 1,600 systems, including judicial and high-value Colombian organizations. The group has previously used social engineering and phishing, targeting banks to collect sensitive PII. Their use of legitimate platforms like Google Drive, GitHub, and Dropbox to deliver malware and evade detection aligns with their past tactics, showing continued evolution and persistence in exploiting new vulnerabilities. Organizations must strengthen security defenses to mitigate future attacks.
ETLM Assessment:
Blind Eagle (APT-C-36) is a highly active advanced persistent threat (APT) group engaged in espionage and cybercrime, primarily targeting organizations in Latin America, with a strong focus on Colombia. The group has been active since 2018, mainly targeting government institutions, financial organizations, and critical infrastructure, especially in Colombia’s judicial system and banking sector. It exploits Windows-based systems and uses sophisticated social engineering tactics to distribute malware, often leveraging legitimate file-sharing platforms like Google Drive, GitHub, and Bitbucket. Recently, Blind Eagle adapted to exploit vulnerabilities such as CVE-2024-43451, which exposes NTLMv2 hashes, although it mimics the vulnerability without directly exploiting it. The group has utilized various malware, including commodity RATs like NjRAT, AsyncRAT, and Remcos, while using advanced evasion techniques like packing with tools such as PureCrypter and HeartCrypt. The group’s tactics show constant evolution, with a focus on avoiding detection and refining malware delivery techniques. Moving forward, Blind Eagle is likely to continue evolving its attack vectors, targeting emerging vulnerabilities, and using sophisticated malware tools, making it crucial for organizations, particularly in Latin America, to implement strong security measures, including continuous monitoring, threat intelligence, and rapid patching of vulnerabilities to defend against this persistent and evolving threat.
Strategic Recommendations:
Tactical Recommendations:
Operational Recommendations:
MITRE FRAMEWORK
Tactic | ID | Technique |
Execution | T1047 | Windows Management Instrumentation |
Execution | T1059 | Command and Scripting Interpreter |
Execution | T1106 | Native API |
Persistence | T1542.003 | Pre-OS Boot: Bootkit |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading |
Privilege Escalation | T1055 | Process Injection |
Defense Evasion | T1014 | Rootkit |
Defense Evasion | T1027.004 | Obfuscated Files or Information: Compile After Delivery |
Defense Evasion | T1036 | Masquerading |
Defense Evasion | T1112 | Modify Registry |
Defense Evasion | T1202 | Indirect Command Execution |
Defense Evasion | T1497 | Virtualization/Sandbox Evasion |
Defense Evasion | T1562 | Impair Defenses |
Defense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories |
Credential Access | T1056 | Input Capture |
Discovery | T1010 | Application Window Discovery |
Discovery | T1018 | Remote System Discovery |
Discovery | T1057 | Process Discovery |
Discovery | T1082 | System Information Discovery |
Discovery | T1518.001 | Software Discovery: Security Software Discovery |
Collection | T1560 | Archive Collected Data |
Command and Control | T1071 | Application Layer Protocol |
Command and Control | T1095 | Non-Application Layer Protocol |
Command and Control | T1105 | Ingress Tool Transfer |
Command and Control | T1571 | Non-Standard Port |
Command and Control | T1573 | Encrypted Channel |
Impact | T1496 | Resource Hijacking |
IOCs:
Kindly refer to the IOCs (Indicators of Compromise) Section to exercise controls on your security systems.
Iran is likely targeting UAE’s aviation and satellite industry.
Researchers have published a report on a highly targeted phishing campaign that targeted several aviation and satellite communications organizations in the United Arab Emirates, as well as critical transportation infrastructure. The threat actor, tracked by researchers as “UNK_CraftyCamel,” compromised an Indian electronics company that had a business relationship with the targets and used this access to send spearphishing emails tailored to each targeted entity. The emails were designed to deliver a custom backdoor.
ETLM Assessment:
The campaign used a technique to obfuscate payload content, which is relatively uncommon for espionage-motivated actors and speaks to the operator’s desire to remain undetected. While the campaign has not yet been attributed to any known threat actor, it is noteworthy that the TTPs overlap with previous operations tied to Iran’s Islamic Revolutionary Guard Corps (IRGC).
Silk Typhoon targets the IT supply chain, US indicts Chinese hackers.
Researchers have released a report on the Chinese espionage group Silk Typhoon, revealing that the group now targets common IT tools, such as remote management software and cloud applications, to gain access to systems. Once inside, they use stolen credentials to infiltrate networks and exploit various applications to carry out espionage activities.
Meanwhile, the U.S. has charged 12 Chinese nationals, including two public security officials, in a hacker-for-hire scheme targeting American government agencies and others. According to the Justice Department, 10 of the accused led a decade-long hacking campaign for Chinese intelligence and police agencies, selling stolen data to government ministries. A Chinese company, i-Soon, allegedly brokered the compromised data for $10,000 to $75,000 per email inbox.
The hackers targeted a religious group critical of Beijing, a human rights organization, U.S. media outlets, and foreign ministries in Taiwan, India, South Korea, and Indonesia. Two additional suspects were charged for separate for-profit cyber intrusions, including a hack on the U.S. Treasury Department in late 2024.
Officials said i-Soon had been a major player in China’s cybersecurity operations, employing up to 100 people and projecting $75 million in revenue by 2025. The suspects, believed to be in China, were not arrested. The Chinese embassy dismissed the charges, accusing the U.S. of unfairly targeting China over cybersecurity issues.
ETLM Assessment:
In the 21st century, data flows are as vital a lifeline to modern economies as naval shipping, and while privateering disappeared from the oceans, in recent years we increasingly see a similar concept applied to cyber security. The information flows on which our digitized economies depend ever more are being raided by criminal groups that have received a “license to hack” from their governments. Indeed, the governments of countries like Pakistan, North Korea, Iran, Russia or China are putting these digital privateers to work on their behalf in times of increased tension in international relations. In times like these we can expect increased institutionalization of digital privateers and their use for de facto undeclared warfare against enemies of the host government.
The Qilin Ransomware Impacts Utsunomiya Central Clinic
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Utsunomiya Central Clinic (https[:]//ucc[.]or[.]jp/), was compromised by Qilin Ransomware. Utsunomiya Central Clinic (UCC) is a cancer treatment facility in Japan that specializes in diagnostic imaging and breast cancer screening. It offers cutting-edge imaging services, including 3T-MRI, PET-CT, and 3D breast tomosynthesis, for precise and early disease detection. The leaked data includes X-ray images, patient records, medical history, radiology reports, medical examination details, BOD secretary files, ECG and ECG Holter data, specialized medical tests, and various other medical information related to Japanese citizens. The total volume of compromised data is approximately 140 GB.
Relevancy & Insights:
ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and focus on speed and evasion make it a particularly dangerous actor.
The RansomHub Ransomware Impacts Japan Rebuilt Co., Ltd.
Summary:
From the External Threat Landscape Management (ETLM) Perspective, CYFIRMA observed in an underground forum that a company from Japan, Japan Rebuilt Co., Ltd (https[:]//www[.]japanrebuilt[.]jp/), was compromised by RansomHub Ransomware.
Japan Rebuilt Co., Ltd is a Japanese company specializing in remanufacturing automotive parts. The compromised data exceeds 200GB and originates from JRC’s personal computers, servers, and cloud services. It includes production data, audit records, financial information, payment details, contact lists, order information, customer records, internal documents, and other sensitive data.
Relevancy & Insights:
ETLM Assessment:
According to recent assessments by CYFIRMA, RansomHub ransomware has rapidly emerged as a significant player in the ransomware landscape since its inception in February 2024. This Ransomware-as-a-Service (RaaS) group has gained notoriety for its sophisticated tactics and cross-platform capabilities, targeting a wide range of sectors including healthcare, finance, and critical infrastructure. RansomHub’s success can be attributed to its ability to adapt and evolve, leveraging advanced evasion techniques and exploiting vulnerabilities in enterprise infrastructure.
Vulnerability in Ultimate Member plugin for WordPress
Relevancy & Insights:
The vulnerability exists due to insufficient sanitization of user-supplied data in the “search” parameter. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Impact:
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
Affected Products:
https[:]//www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/ultimate-member/ultimate-member-2100-unauthenticated-sql-injection-via-search-parameter
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies, due to a range of vulnerabilities. The following are the top 5 most affected technologies.
ETLM Assessment
Vulnerability in the Ultimate Member plugin for WordPress can pose significant threats to user privacy and security. This can impact various industries globally, including technology, finance, healthcare, and beyond. Ensuring the security of the Ultimate Member plugin is crucial for maintaining the integrity and protection of users’ data worldwide. Therefore, addressing these vulnerabilities is essential to safeguarding user profile management, registration, and membership functionalities on WordPress websites across different geographic regions and sectors.
RunSomeWares Ransomware attacked and published the data of Thai Metal Aluminium Co., Ltd
Summary:
Recently, we observed that RunSomeWares Ransomware attacked and published the data of Thai Metal Aluminium Co., Ltd (https[:]//thaimetal[.]com/) on its dark web website. Thai Metal Aluminium Co., Ltd. is a leading aluminium extrusion manufacturer in Thailand. The company offers comprehensive one-stop services, including billet casting, extrusion die design, aluminium extrusion processes, cold drawing, anodizing, color-powder coating, assembly, and precision machining. The data leak, following the ransomware attack, encompasses sensitive and confidential records, originating from the organizational database.
Relevancy & Insights:
RunSomeWares employs a double extortion model, both encrypting data and leaking it to pressure victims into paying ransoms. This approach is consistent with broader trends in the ransomware ecosystem, where groups seek to maximize leverage over their targets.
ETLM Assessment:
CYFIRMA’s assessment indicates that RunSomeWares is a relatively new ransomware group that emerged in February 2025, marking it as one of the latest entrants in the rapidly evolving ransomware landscape. The group’s activities highlight the ongoing trend of ransomware attacks surging globally, particularly in North America, where the number of victims has increased significantly.
Bosowa Berlian Motor (Indonesian Company) Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a data sale related to Bosowa Berlian Motor (https[:]//www[.]bosowa[.]co[.]id/) in an underground forum. PT BOSOWA BERLIAN MOTOR is an authorized dealer of Mitsubishi Motors and FUSO in east Indonesia and the biggest automotive dealer in East Indonesia. It has more than 30 branches with 3S (Sales, Service, Sparepart) and BC (Body and Painting) facilities, offering service 24 hours a day with car-facilitated workshops and reliable mechanics. The compromised data includes the website’s database and source code. The database, approximately 3.18 GB in SQL format, is being offered for sale at a price of $3,000. The breach has been linked to a threat actor identified as “LordVoldemort.”
Zendesk (THAILAND)/DEMETER ICT Data Advertised on a Leak Site
Summary:
The CYFIRMA Research team observed a data leak related to the Zendesk (THAILAND)/DEMETER ICT in an underground forum. Zendesk, a global leader in customer service software, has established a significant presence in Thailand through its partnership with DEMETER ICT. DEMETER ICT specializes in business transformation consulting services, focusing on workplace transformation, change management, customer experience management, and digital marketing. As an official partner of Zendesk, DEMETER ICT has successfully served over 4,000 enterprise clients across the Asia-Pacific region, deploying more than 2,500 customer service agents in countries including Thailand, China, Taiwan, Hong Kong, Singapore, Indonesia, Malaysia, and the Philippines. The compromised data includes user IDs, email addresses, phone numbers, personal contacts of company representatives, user audit logs, source code, company financials, and more. The breach has been linked to a threat actor identified as “DayCrypted.”
Relevancy & Insights:
Financially motivated cybercriminals are continuously scouring for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to illicitly gain access and steal valuable data. Subsequently, the pilfered data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor claiming the alias “LordVoldemort” is reportedly involved in acquiring and attempting to sell sensitive data on various underground forums. This activity underscores the persistent risks posed by cyber threat actors who exploit vulnerabilities and engage in data theft. To mitigate these risks, organizations should implement robust security measures, including enhanced monitoring, secure data storage, and regular vulnerability assessments to protect against such malicious activities.
Recommendations: Enhance the cybersecurity posture by:
The CYFIRMA Research team observed that a threat actor operating under the alias “JumboJet” has allegedly breached the Indian business automation platform Basiq360, claiming to have exfiltrated a massive database containing sensitive sales, distributor, and payment information. The allegations surfaced on a dark web forum, where the individual posted details of what is purported to be over 3.5 million rows of data extracted from the platform.
According to the post, the alleged breach targeted Basiq360, a cloud-based sales and logistics tool developed by Abacus Desk IT Solutions, a Faridabad-based technology company specializing in QR-code sales tracking, inventory management, and anti-counterfeit solutions. The actor claims that the stolen database, approximately 600 MiB in size, consists of 183 tables, including detailed records of distributor networks, product pricing, order logs, and potentially sensitive payment transactions.
Among the most notable allegedly exposed data sets are:
The individual behind the alleged breach describes the database as a “goldmine” for various forms of cyber exploitation, including fraud, phishing, and supply chain manipulation. The threat actor is reportedly offering the data for sale, with payments being requested in cryptocurrency.
The CYFIRMA Research team observed a data leak related to the Jaguar Land Rover in an underground forum. Jaguar Land Rover (JLR) is a leading global automotive manufacturer, recognized for producing luxury vehicles under the iconic Jaguar and Land Rover brands. The leak includes around 700 internal documents (development logs, tracking data, source codes, etc.) and a compromised employee dataset exposing sensitive information such as username, email, display name, timezone, and more. The breach has been attributed to a threat actor known as “Rey”.
STRATEGIC RECOMMENDATIONS
MANAGEMENT RECOMMENDATIONS
TACTICAL RECOMMENDATIONS
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.
Geography-Wise Graph
Industry-Wise Graph
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.