Weekly Intelligence Report – 17 April 2026

Published On : 2026-04-17

Ransomware In Focus

CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology, that could be relevant to your organization.

Type: Ransomware
Target Technologies: Windows OS, Local file systems, Network shares

Introduction:
CYFIRMA Research and Advisory Team has found NBLOCK Ransomware while monitoring various underground forums as part of our Threat Discovery Process.

NBLOCK Ransomware
NBLock ransomware has been identified as a file-encrypting malware strain designed to restrict access to victim data by encrypting files and appending the “.NBLock” extension, rendering them inaccessible without a decryption key. Upon execution, the malware enumerates local files and network-accessible storage, applying encryption (explicitly referenced as AES-256 in the ransom note) and modifying file states to prevent normal access. It then drops a ransom note named “README_NBLOCK.txt” and may alter the desktop wallpaper to display an infection message, indicating successful compromise. The malware warns victims not to delete or modify a critical file (e.g., key.bin), implying the use of locally stored encryption metadata required for decryption. Communication with attackers is conducted via a Tor-based negotiation portal, indicating anonymized command-and-control interaction. Additionally, the infection may be bundled with or lead to deployment of secondary payloads such as password-stealing trojans, increasing overall impact. Distribution vectors include phishing emails, malicious attachments, cracked software, and exploit-based delivery mechanisms. There is currently no publicly available decryption tool, and payment does not guarantee recovery, as attackers retain full control over the decryption process.

Screenshot: File encrypted by the ransomware (Source: Surface Web)

The ransom note associated with NBLock ransomware, typically delivered as “README_NBLOCK.txt”, informs victims that all files have been encrypted using AES-256 encryption and are inaccessible without a decryptor controlled by the attackers. It explicitly instructs victims not to modify or delete the file key.bin, suggesting that it contains essential cryptographic material required for recovery. The note directs victims to install the Tor Browser and access a designated onion-based negotiation portal, indicating that communications are intended to be anonymous and controlled by the threat actors. The message emphasizes that only the attackers possess the decryption capability and discourages panic while simultaneously reinforcing dependency on their decryptor. Unlike more advanced ransomware families, the note does not strongly emphasize data exfiltration but focuses on encryption-based extortion and controlled negotiation. The overall structure reflects standard ransomware coercion techniques, combining technical instructions (Tor access, key preservation) with warnings designed to prevent independent recovery attempts and ensure victim compliance.

Screenshot: The appearance of NBLOCK ’s Ransom Note (Source: Surface Web)

The following are the TTPs based on the MITRE Attack Framework

Relevancy and Insights:

• Persistence: Establishes persistence via autorun registry keys (e.g., CurrentVersionRun) to ensure execution at system startup.
• Configuration Storage: Utilizes registry paths to store execution state, configuration data, or victim-specific identifiers.
• Defense Evasion: Modifies security-related registry settings (e.g., Internet Settings, policies) to weaken defenses or bypass protections.
• Execution Control: Leverages command processor registry references to facilitate command-line-based execution of malicious activities.
• Process Termination: Uses system utilities like taskkill.exe to terminate processes that may hinder encryption (e.g., security tools, locked applications).
• File Handling Management: Interacts with Restart Manager registry keys to manage file locks and ensure the successful encryption of in-use files.
• Environment Interaction: Modifies Internet cache-related registry entries (e.g., Cookies, History), indicating interaction with user environment artifacts.
• Cleanup / Anti-Forensics: Deletes execution-related registry artifacts (e.g., Restart Manager session keys) to reduce forensic visibility and hinder analysis.

ETLM Assessment:
CYFIRMA’s analytical assessment suggests that NBLock ransomware is likely to evolve within conventional ransomware development trajectories, with future iterations focusing on enhancing operational efficiency and resilience rather than introducing novel capabilities. Given its current implementation of AES-256 encryption, Tor-based negotiation infrastructure, and dependency on local key artifacts (e.g., key.bin), operators may improve encryption speed, expand file targeting logic (including network shares and removable media), and strengthen persistence mechanisms to ensure execution continuity across reboots. There is a realistic possibility of integrating multi-stage infection chains, where initial loaders or trojans deploy NBLock alongside credential-stealing or lateral movement tools, as already suggested by bundled malware behavior. Future variants may also incorporate double extortion mechanisms, such as data exfiltration prior to encryption, although no direct evidence confirms this capability at present. Additionally, attackers may refine delivery techniques through phishing kits, exploit kits, and malicious software bundling to increase infection rates. However, there is currently no evidence of advanced capabilities such as worm-like propagation, zero-day exploitation, or highly targeted intrusion campaigns, indicating that near-term evolution will remain incremental and aligned with opportunistic ransomware operations.

Sigma rule:
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.defense-evasion
– attack.impact
– attack.t1070
– attack.t1490 logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘powershell.exe’
– ‘pwsh.exe’
– ‘wmic.exe’
– ‘vssadmin.exe’
– ‘diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface Web)

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

• Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
• Ensure that backups of critical systems are maintained, which can be used to restore data in case a need arises.

MANAGEMENT RECOMMENDATIONS

• A data breach prevention plan must be developed, considering, (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
• Implement a zero-trust security model alongside multifactor authentication (MFA) to reduce the risk of credential compromise.
• Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.

TACTICAL RECOMMENDATIONS

• Update all applications/software regularly with the latest versions and security patches alike.
• Add the Sigma rule for threat detection and monitoring, which will help to detect anomalies in log events, identify and monitor suspicious activities.
• Establish and implement protective controls by actively monitoring and blocking identified indicators of compromise (IoCs) and reinforcing defensive measures based on the provided tactical intelligence.

Active Malware of the Week

Type: Information Stealer
Objectives: Data Exfiltration
Target Technology: Windows OS
Target Geography: Global

CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.

Active Malware of the week
This week, “AZORult” malware is in focus.

Overview of Operation AZORult Malware
The malware AZORult has been identified as a serious security concern through our internal analysis. It operates in a subtle manner, attempting to blend in with normal system activity and avoid detection. The malware establishes itself without causing any immediate or visible disruption, making it difficult for users to recognize its presence. Its behavior aligns with that of a Trojan, as it performs unauthorized actions silently in the background. Over time, it maintains its presence within the system to ensure continued access. This quiet and persistent operation increases the risk of long-term compromise. Overall, it represents a significant threat due to its ability to function unnoticed while carrying out malicious activities.

Analysis further indicates that AZORult is designed to maintain continued access to the infected system. It achieves this by ensuring it can automatically run each time the system starts, allowing it to remain active over long periods. At the same time, it uses techniques to hide its true nature, making it more difficult for users and security tools to detect its presence. This combination of persistence and concealment highlights a clear intent to remain undetected.

In addition, the malware shows signs of communicating with external servers, which may allow it to send or receive data. This behavior raises concerns about the possible exposure of sensitive information, as well as the risk of further malicious actions being carried out remotely. Overall, the observed activities indicate that AZORult poses a serious risk to both system security and user data.

Attack Method
The attack methodology associated with AZORult is initiated through the execution of a file that appears legitimate, serving as the initial point of compromise. Upon execution, the malware activates and begins operating within the system by leveraging existing system components and external modules. This method enables it to execute its functionality dynamically while maintaining a low profile. In certain instances, it utilizes trusted system utilities to run or generate code, allowing its activity to blend with normal system operations and reducing the likelihood of immediate detection.

Following execution, the malware establishes persistence to ensure continued access to the compromised environment. This is achieved through modifications to key areas of the Windows Registry that control automatic program execution during system startup. In addition, it creates and stores copies of itself within commonly accessed user directories, often under misleading or inconspicuous file names. These actions enable the malware to remain active across system reboots and sustain its presence without requiring further user involvement.

To evade detection, AZORult employs a range of concealment techniques. It may disguise its operations by imitating legitimate processes and, in some cases, inject its code into trusted applications. This allows malicious activities to be carried out under the guise of normal system behavior. Furthermore, the malware incorporates obfuscation mechanisms to hide its internal structure and operational logic, thereby complicating analysis and reducing the effectiveness of traditional detection methods. Once persistence is established, the malware proceeds to communicate with external infrastructure controlled by threat actors. It utilizes standard web-based protocols, often over encrypted channels, to transmit data and receive instructions. Prior to this, it performs system reconnaissance to gather relevant information from the infected machine. The collected data is then exfiltrated to remote servers, potentially exposing sensitive information. This coordinated sequence of actions highlights a well-structured attack flow designed to maintain access, avoid detection, and facilitate unauthorized data extraction.

The following are the TTPs based on the MITRE Attack Framework for Enterprise

INSIGHTS
A notable characteristic of AZORult is its ability to operate without drawing immediate attention. Rather than causing visible disruption or system instability, it functions in a controlled and unobtrusive manner. This approach allows malware to remain active within the environment for extended durations, reducing the likelihood of detection through user observation or routine system monitoring.

Another key observation is its deliberate effort to integrate seamlessly within the host environment. By utilizing familiar directory structures and adopting file names that resemble legitimate applications, the malware minimizes suspicion. This behavior reflects a strategic use of trusted system elements, enabling it to persist without raising immediate concerns and making identification more challenging in the absence of detailed inspection.

Furthermore, the malware’s communication with external infrastructure suggests that it operates as part of a coordinated framework rather than as an isolated instance. Its interaction with remote systems indicates a structured operation, where the infected machine serves a role within a broader malicious network. This interconnected functionality highlights the organized nature of such threats and their reliance on external coordination.

ETLM ASSESSMENT
From an ETLM perspective, threats such as AZORult are expected to increasingly challenge organizational resilience by operating in ways that are less visible yet more persistent. At the executive level, this may translate into heightened business risks related to data exposure and operational trust, even in the absence of obvious disruptions. From a technical standpoint, security teams may face growing difficulty in distinguishing malicious activity from normal system behavior as such threats continue to blend into everyday operations. At the leadership level, there may be an increased need to address employee awareness and accountability, as human interaction remains a key element in the success of such attacks. Overall, the evolving nature of these threats suggests a shift toward more discreet, long-term compromises that impact both organizational security posture and workforce reliability.

IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems.

YARA Rules
rule AZORult_Malware

meta:
description = “Detects AZORult variant using confirmed C2 indicators and hash IOC” author = “CYFIRMA”
date = “2026-04-13”
strings:
/* C2 and behavior indicators */
$c2_domain1 = “gpsindia.biz”
$c2_uri = “/crm/kha/32/index.php”
$api1 = “ip-api.com/json”
$api2 = “dotbit.me”
$mutex = “A5D09762-49414907-AA4894C3-595B189D-330970087”
$path = “AppData\Roaming\ProPlayer”
/* Hash IOC */
$hash_sha256 = “d792d051caa23b98f546ca5eae5200f1714d5953958729f8d841ea37a3618b8e”
condition:
uint16(0) == 0x5A4D and
(2 of ($c2_domain1, $c2_uri, $api1, $api2, $mutex, $path) or $hash_sha256)

Recommendations

Strategic Recommendations
These are high-level, long-term initiatives to strengthen organizational cybersecurity posture:

• Establish a comprehensive threat intelligence capability to continuously monitor emerging malware families such as AZORult and related data-stealing campaigns.
• Strengthen organizational security posture by adopting a layered defense approach that integrates endpoint, network, and identity-based security controls.
• Promote a security first culture across the organization, ensuring that cybersecurity is treated as a core business priority rather than a technical function alone.
• Enhance visibility across digital assets and user environments to better detect stealthy and long-dwelling threats that operate without obvious disruption.
• Invest in continuous security maturity improvement, including regular assessments and alignment with recognized cybersecurity frameworks.

Management Recommendations
These focus on policies, procedures, and governance to ensure proper oversight and risk mitigation:

• Conduct regular employee awareness programs focused on identifying suspicious files, phishing attempts, and unsafe downloads.
• Enforce strict access control policies, ensuring users operate with minimal privileges necessary for their roles.
• Ensure timely patch management and system updates to reduce exposure to vulnerabilities that may be exploited during initial infection.
• Implement incident response procedures and escalation protocols, ensuring teams are prepared to handle malware-related incidents effectively.
• Maintain centralized logging and monitoring practices to support early detection and investigation of suspicious activities.

Tactical Recommendations
These are immediate, actionable steps to prevent, detect, and respond to malware at the operational level:

• Deploy endpoint detection and response (EDR) solutions to monitor process behavior and detect abnormal activity patterns.
• Monitor registry modifications and process creation events for signs of unauthorized persistence mechanisms.
• Inspect outbound network traffic for connections to uncommon or suspicious external services.
• Utilize behavioral analytics to detect deviations from normal system and user activity.
• Maintain updated threat intelligence feeds and integrate them into security tools for real-time detection.
• Implement proactive security controls by monitoring and blocking identified IOCs, leveraging YARA rules for detection, and strengthening defenses based on actionable tactical intelligence.

CYFIRMA’s Weekly Insights

1. Weekly Attack Types and Trends
Key Intelligence Signals:

• Attack Type: Ransomware Attacks, Malware Implant, Vulnerabilities & Exploits, Data Leaks.
• Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
• Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
• Ransomware – Gunra Ransomware, The Gentlemen Ransomware| Malware – AZORult
• Gunra Ransomware – One of the ransomware groups.
• The Gentlemen Ransomware – One of the ransomware groups.
  Please refer to the trending malware advisory for details on the following:
• Malware – AZORult
  Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.

2. Threat Actor in Focus
APT28 (Fancy Bear): A Strategic Cyber Espionage Actor Aligned with Russian Intelligence Objectives

• Threat Actor: APT28 aka Fancy Bear
• Attack Type: Connection Proxy, Credential Dumping, Footprint deletion, Malware Implant, Social Engineering Attack, Timestomping, Exploitation of Vulnerability, DNS Hijacking, Adversary-in-the-Middle (AiTM)
• Objective: Information theft, Espionage, Long-Term Persistence & Stealth
• Suspected Target Technology: Microsoft Outlook, Office Suites Software, Operating System (Windows, Linux Kernel, Android), Web Application, Zimbra Collaboration (ZCS)
• Suspected Target Geography: Afghanistan, Brazil, Cambodia, France, Georgia, Germany, India, Indonesia, Kazakhstan, Malaysia, Moldova, Pakistan, Romania, Russia, South Africa, Syria, Thailand, Turkey, Ukraine, United States, Vietnam, Australia, Mexico
• Suspected Target Industries: Aerospace & Defense, Capital Goods, Critical Infrastructure, Crypto, Defense, Energy, Energy Equipment & Services, Government, Information Technology, Military, NGO, Telecommunications, Utilities, Banking & Investment Services
• Business Impact: Compromised user accounts, Data Theft, Operational Disruption, Reputational Damage, Financial Loss.

About the Threat Actor
Fancy Bear is a Russian state-sponsored advanced persistent threat (APT) group believed to be closely affiliated with the country’s intelligence services. Active since 2007, the group has been linked to multiple cyber operations targeting government and political entities. It is widely assessed that Fancy Bear has conducted campaigns aimed at influencing elections in various countries to support candidates aligned with Russian strategic interests.

Details on Exploited Vulnerabilities

TTPs based on MITRE ATT&CK Framework

Latest Developments Observed
The threat actors are suspected of exploiting network routers to hijack DNS configurations, thereby enabling adversary-in-the-middle (AiTM) attacks and facilitating the theft of credentials, including passwords and authentication tokens. The campaign appears to adopt a broad targeting approach, initially compromising a wide pool of victims and subsequently narrowing the focus to individuals or entities of potential intelligence value at various stages of the exploitation lifecycle.

ETLM Insights
APT28, also known as Fancy Bear, is widely attributed to Russia’s military intelligence agency, the GRU. The group has been active for over a decade and is primarily focused on cyber espionage, information operations, and strategic disruption aligned with Russian geopolitical objectives.

APT28’s digital expansion reflects a deliberate and structured approach:

• Pre-positioning in Networks: Establishing persistent access within target environments ahead of geopolitical or strategic events.
• Supply Chain Exposure: Targeting third-party vendors and service providers to indirectly compromise primary targets.
• Cloud-Centric Operations: Increasing emphasis on SaaS platforms and identity-based attack vectors for stealth and scalability.
• Blended Operations: Integrating cyber espionage with information and influence operations to amplify impact.

Based on observed activities and targeting patterns, APT28 is likely to continue advancing identity-focused intrusion techniques while leveraging distributed and obfuscated infrastructure to support intelligence collection and influence objectives. This evolving tradecraft positions the group as a persistent and high-confidence espionage threat to government and strategic organizations, with ongoing risks to sensitive communications, authentication systems, and the overall integrity of critical information assets.

IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)

YARA Rules
rule Multi_IOC_Threat_Detection_Cluster

meta:
description = “Combined IOC detection rule including domains, IPs, CVEs, and file artifacts”
author = “CYFIRMA” date = “2026-04-14”
version = “1.0”

strings:
/* Domains */
$domain1 = “zimbrasoft.com.ua” nocase
$domain2 = “rdsnets.com” nocase
$domain3 = “remotepx.net” nocase
$domain4 = “secao.org” nocase
$domain5 = “webstp.com” nocase

/* IP Addresses */
$ip1 = “64.233.180.138”
$ip2 = “91.204.161.90”
$ip3 = “172.67.165.62”
$ip4 = “208.91.197.27”
$ip5 = “208.91.197.132”
/* CVEs */
$cve1 = “CVE-2023-50224”
$cve2 = “CVE-2026-21509”
$cve3 = “CVE-2025-66376”
$cve4 = “CVE-2026-23760”
$cve5 = “CVE-2023-38831”
$cve6 = “CVE-2025-52691”

/* File Artifacts */
$file1 = “update.exe” nocase
$file2 = “3833709f-0947-4371-a557-f7a6c0f368d7.exe” nocase
$file3 = “20140702.txt.gz” nocase
$file4 = “win32 exe” nocase

condition:
any of ($domain*) or any of ($ip*) or any of ($file*) or any of ($cve*)

Recommendations

Strategic Recommendations

• Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
• Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
• Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more by identifying such patterns.

Management Recommendations

• Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
• Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.

Tactical Recommendations

• For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
• Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
• Apply security measures to detect unauthorized activities, protect sensitive production, and process control systems from cyberattacks.
• Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.

3. Major Geopolitical Developments in Cybersecurity

Cyber Threat Iran Persists During Fragile Ceasefire with Iran
Despite a reported ceasefire between the United States and Iran, security experts and U.S. government agencies are urging organizations to maintain a state of high alert. While the IRGC-linked group “Handala” has announced a temporary pause in targeting the U.S., intelligence reports confirm that Iranian-affiliated Advanced Persistent Threats (APTs) continue to actively compromise critical infrastructure.

As history shows, a formal ceasefire often fails to translate into a reduction of cyber activity. In fact, nation-state actors frequently utilize cyber operations to maintain hostility while enjoying “plausible deniability,” effectively operating just below the threshold of open kinetic warfare. Rather than de-escalating, it is expected that these groups will intensify efforts to infiltrate data centers, defense contractors, and technology firms involved in the conflict.

A joint advisory issued by the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command highlights a sustained campaign targeting Industrial Control Systems (ICS). Iranian threat actors are specifically exploiting vulnerabilities in Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems across vital sectors, including water and wastewater systems, energy utilities, and municipal government services.

The attackers are bypassing traditional defenses by manipulating the project files and human-machine interface (HMI) displays of these systems. Their methodology includes actively targeting Rockwell Automation/Allen-Bradley products, specifically CompactLogix and Micro850 devices, while simultaneously probing Siemens S7 PLC systems. The attackers use leased, third-party-hosted infrastructure combined with legitimate configuration software to establish authorized-looking connections to the victim’s PLC.

ETLM Assessment:
The history of Iranian cyberattacks against critical infrastructure began to take a significant turn after 2010, when the sophisticated Stuxnet virus was discovered targeting Iran’s nuclear program; this prompted Tehran to invest heavily in its own offensive cyber capabilities. Since then, Iran has transformed from a regional player into a global threat that uses the digital space as an asymmetric tool of state policy. Its operations have gradually shifted from widespread website defacement to highly complex actions against Industrial Control Systems (ICS) and SCADA technologies, as demonstrated by the 2013 incident targeting a dam in New York or repeated attempts to disrupt energy and water networks in Israel and the U.S. These operations, often carried out through proxy groups, are designed to cause physical damage, instill fear, or secure a strategic advantage within the “gray zone” of conflict, where direct attribution is often difficult.

Chinese supercomputer compromised
A hacker operating under the alias “FlamingChina” has claimed responsibility for a massive data breach involving a Chinese state-run supercomputer. The intruder alleges to have exfiltrated over 10 petabytes of highly sensitive information from the National Supercomputing Center (NSCC) in Tianjin. The stolen archive reportedly contains diverse and critical research data, including advancements in aerospace engineering, military applications, bioinformatics, and fusion simulations. The breach appears to affect several high-profile Chinese entities, such as the Aviation Industry Corporation of China, the Commercial Aircraft Corporation of China, and the National University of Defense Technology. To support these claims, the hacker shared a sample of the data, which security experts suggest is authentic. The entire cache is currently being offered for sale on the dark web for several hundred thousand dollars in cryptocurrency.

ETLM Assessment:
Attributing a cyberattack of this magnitude—especially one targeting Chinese state secrets—is notoriously difficult, and the cybersecurity community remains divided on the identity of “FlamingChina.” Experts generally categorize the potential perpetrators into three main groups: state-sponsored actors (espionage), disgruntled insiders, and cybercriminal syndicates. The consensus among cybersecurity experts and intelligence analysts is that the data allegedly stolen from the National Supercomputing Center (NSCC) in Tianjin is critically sensitive. If the breach is legitimate, the vast treasure of data claimed isn’t just about volume; it is about the nature of the information stored in a facility like the NSCC. This center is not a public server; it is a pillar of China’s “Military-Civil Fusion” strategy.

4. Rise in Malware/Ransomware and Phishing

Gunra Ransomware Impacts Thai Petroleum & Trading Co., Ltd.

• Attack Type: Ransomware
• Target Industry: Energy
• Target Geography: Thailand
• Ransomware: Gunra Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
CYFIRMA observed in an underground forum that a company from Thailand, Thai Petroleum & Trading Co., Ltd (https[:]//www[.]tpt[.]co[.]th/th/), was compromised by Gunra Ransomware. Thai Petroleum & Trading Co., Ltd. is a company based in Thailand operating in the petroleum and energy sector. It is involved in the trading, distribution, and supply of petroleum products and related commodities. The company serves industrial and commercial clients within Thailand and potentially across Southeast Asia. It operates within the oil and gas trading industry, contributing to the regional energy supply chain. The ransomware leak indicates exposure of multiple categories of internal corporate data, including structured database files, invoice scan records, and invoice and delivery document systems (DPS), which likely contain financial transactions, billing details, and customer/vendor information. Additionally, technical files were compromised, potentially including system configurations, internal documentation, or IT-related data, along with miscellaneous (“other”) files that may store unclassified or auxiliary business information.

Source: Dark Web

Relevancy & Insights:

• Gunra is a highly sophisticated double-extortion ransomware group that emerged in April 2025, leveraging leaked Conti ransomware code and operating with advanced encryption and evasion capabilities.
• The Gunra Ransomware group primarily targets countries such as Brazil, South Korea, the United States of America, Spain, and Canada.
• The Gunra Ransomware group primarily targets industries, including Professional Goods & Services, Healthcare, Consumer Goods & Services, Manufacturing, and Finance.
• Based on the Gunra Ransomware victims list from 1st April 2025 to 14th April 2026, the top 5 Target Countries are as follows:
  
• The Top 10 Industries most affected by the Gunra Ransomware victims list from 1st April 2025 to 14th April 2026 are as follows:
  

ETLM Assessment:
According to CYFIRMA’s assessment, Gunra Ransomware is a financially motivated ransomware group that emerged in April 2025, rapidly establishing itself as a significant threat within the evolving ransomware landscape. Leveraging a double-extortion model, Gunra encrypts victim data while simultaneously exfiltrating sensitive information to pressure organizations into paying ransom demands.

The Gentlemen Ransomware Impacts Aichi Electric Co., Ltd

• Attack Type: Ransomware
• Target Industry: Manufacturing
• Target Geography: Japan
• Ransomware: The Gentlemen Ransomware
• Objective: Data Theft, Data Encryption, Financial Gains
• Business Impact: Financial Loss, Data Loss, Reputational Damage

Summary:
CYFIRMA observed in an underground forum that a company from Japan, Aichi Electric Co., Ltd(https[:]//www[.]aichidenki[.]jp/), was compromised by the Gentlemen Ransomware. Aichi Electric Co., Ltd., founded in 1942 and headquartered in Kasugai, Aichi Prefecture, Japan, is a publicly listed manufacturer of power equipment and industrial motors. The company produces transformers, distribution switchgear, control systems, and various motors for electric power infrastructure, serving utilities and industries across Japan and internationally. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web

Relevancy & Insights:

• The Gentlemen is a relatively highly sophisticated ransomware-as-a-service (RaaS) group that emerged in mid-2025.
• The Gentlemen Ransomware group primarily targets countries such as the United States of America, Thailand, France, Brazil, and India.
• The Gentlemen Ransomware group primarily targets industries, including Consumer Goods & Services, Professional Goods & Services, Materials, Manufacturing, and Information Technology.
• Based on the Gentlemen Ransomware victims list from 1st July 2025 to 14th April 2026, the top 5 Target Countries are as follows:
  
• The Top 10 Industries most affected by the Gentlemen Ransomware victims list from 1st July 2025 to 14th April 2026 are as follows:
  

ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.

5. Vulnerabilities and Exploits

Vulnerability in Apache ActiveMQ

• Attack Type: Vulnerabilities & Exploits
• Target Technology: Messaging Middleware / Enterprise Application
• Vulnerability: CVE-2026-34197
• CVSS Base Score: 8.8 Source
• Vulnerability Type: Code Injection
• Summary: The vulnerability allows a remote user to execute arbitrary code.

Relevancy & Insights:
The vulnerability exists due to code injection in the Jolokia JMX-HTTP bridge and exposed ActiveMQ MBeans when handling authenticated exec operations with a crafted discovery URI.

Impact: A remote user can invoke BrokerService.addNetworkConnector(String) or BrokerService.addConnector(String) to execute arbitrary code.

The issue is exposed through the web console endpoint at /api/jolokia/, and exploitation causes remote Spring XML application context loading via the VM transport’s brokerConfig parameter before configuration validation completes.

Affected Products:
https[:]//github[.]com/KONDORDEVSECURITYCORP/CVE-2026-34197

Recommendations:
Monitoring and Detection:
Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.

TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in Apache ActiveMQ introduces significant risks to enterprise environments that rely on messaging systems for communication between distributed applications and services. As ActiveMQ is widely used in enterprise architectures and integration pipelines, exploitation of this vulnerability could allow attackers to execute arbitrary code and compromise message flow integrity. Organizations leveraging messaging middleware must ensure timely patching and strict input validation mechanisms to prevent unauthorized access and maintain system reliability. Addressing this vulnerability is essential to protecting communication channels and ensuring the stability of enterprise application ecosystems.

6. Latest Cyber-Attacks, Incidents, and Breaches

DragonForce Ransomware attacked and published the data of Vietnam Fortress Tools JSC

• Threat Actor: DragonForce Ransomware
• Attack Type: Ransomware
• Objective: Data Leak, Financial Gains
• Target Technology: Web Applications
• Target Industry: Manufacturing
• Target Geography: Vietnam
• Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage

Summary:
Recently, we observed that DragonForce Ransomware attacked and published the data of Vietnam Fortress Tools JSC (www[.]fortresstools[.]com[.]vn) on its dark web website. Vietnam Fortress Tools JSC, established in 2006, is a leading manufacturer of gardening tools, with over 90% of its products exported to North America and Europe. The company offers a diverse range of gardening tools that meet international standards at competitive prices. The ransomware leak indicates the compromise of a wide range of internal corporate data, including executive and administrative documents (Ban Giam Doc), pricing and quotation files (Don Gia FTVN), and ERP system attachments, which likely contain operational and transactional records. Additionally, bill of materials (BOM) data suggests exposure of product structure and manufacturing details, while HR-related data (employee pictures and records) points to potential leakage of personally identifiable information (PII). Financial records such as accounting data (Ke Toan 2024) and inventory/logistics information (Kho Fortress) were also affected, along with artwork/design files and business-related documents, indicating a comprehensive breach of financial, operational, technical, and employee-sensitive data, posing risks of financial fraud, intellectual property theft, and privacy violations.

Source: Dark Web

Relevancy & Insights:

• DragonForce Ransomware poses a significant threat as a mature Ransomware-as-a-Service (RaaS) operation active since mid-2023, employing sophisticated double-extortion tactics across Windows, Linux, ESXi, and NAS environments.
• The DragonForce Ransomware group primarily targets industries, such as Professional Goods & Services, Consumer Goods & Services, Manufacturing, Real Estate & Construction, and Information Technology.

ETLM Assessment:
According to CYFIRMA’s assessment, DragonForce represents a significant threat in the ransomware landscape due to its advanced operational methods and extensive use of modified ransomware tools. As it continues to target high-profile organizations globally, ongoing vigilance and proactive cybersecurity strategies will be essential for mitigating risks associated with this formidable threat actor. Organizations should remain alert to the evolving tactics employed by groups like DragonForce to protect their sensitive data and maintain operational integrity.

7. Data Leaks

Carwah Data Advertised on a Leak Site

• Attack Type: Data leak
• Target Industry: Transportation and Mobility Services
• Target Geography: Saudi Arabia
• Objective: Financial Gains
• Business Impact: Data Loss, Reputational Damage
• Summary: The CYFIRMA research team identified a post on a dark web forum by a threat actor using the alias “Spirigatito”, claiming to have leaked the database of Carwah, a Saudi Arabia–based digital car rental platform.

The data leak, which was posted by an actor on a cybercrime forum, targets individuals who have used the application to rent vehicles across the Kingdom of Saudi Arabia.

The allegedly compromised data encompasses 26,078 customer profiles and 6,824 driver’s licenses. According to the actor, the exposed information includes:

• Full names
• Genders
• Email addresses
• Phone numbers
• National ID numbers (NID)
• Dates of birth
• Images of driver’s licenses and faces
• Driver’s license expiration dates
• Account statuses and company affiliations

The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums

Kasikornbank (KBank) Customer Data Advertised on a Leak Site

• Attack Type: Data leak
• Target Industry: Financial Services
• Target Geography: Cambodia, Myanmar, and Laos
• Objective: Data Theft, Financial Gains
• Business Impact: Data Loss, Reputational Damage
• Summary: The CYFIRMA research team identified a post on a dark web forum by a threat actor using the alias “Taomarita”, who is offering for sale a sensitive customer database allegedly linked to Kasikornbank (KBank) operations in Cambodia, Myanmar, and Laos.

According to the post, the dataset contains creditor and customer-related financial and personal information, presented as structured and ready for exploitation. The actor also offers samples and additional details upon request, indicating potential commercialization of the dataset.

Dataset Description
The threat actor claims the dataset includes comprehensive banking and customer records, likely extracted in January 2026, covering multiple regional branches.

The data appears to be highly structured, with predefined fields and consistent formatting, suggesting extraction from an internal database or CRM system.

Dataset Structure Overview

1. Banking & Organizational Data
This section includes internal banking and branch-related information:

• Branch name and location
• Branch codes (B_CODE)
• Staff identifiers (STAFF IDs)
• Internal reference IDs

2. Customer Identification Data
This segment contains personally identifiable information (PII) of customers:

• Full name (including local language variants)
• Customer ID and reference ID
• ID prefix and identification details
• Date of birth
• Nationality
• Customer type classification

3. Contact & Personal Information
Detailed contact and demographic data is included:

• Phone numbers
• Email addresses
• Residential addresses
• Local-language personal details

4. Account & Financial Metadata
This section provides customer financial and account-related attributes:

• Occupation details
• Income codes
• Account status flags
• Start and end dates (account lifecycle)

Sample Evidence
The forum post includes sample records in structured (JSON-like/PHP array) format, demonstrating:

• Realistic data entries
• Mixed-language content (English + local scripts)
• Consistent schema across multiple records

Sale Details

• Offering: KBank customer database (Cambodia, Myanmar, Laos)
• Data Freshness: January 2026 (as claimed)
• Access: Samples available via shared link
• Contact Method: Private message (PM) on the forum
• Transaction Method:
• Escrow services
• Middleman-supported transactions

The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums

Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.

ETLM Assessment:
The threat actor “Spirigatito” is assessed as an active and capable entity focused on data-leak operations, with credible sources linking them to multiple incidents involving unauthorized system access and the distribution or sale of stolen data on dark web platforms. These activities highlight the evolving cyber threat landscape driven by underground criminal networks and emphasize the need for organizations to strengthen cybersecurity through continuous monitoring, enhanced threat intelligence, and proactive defenses to safeguard sensitive data and critical systems.

Recommendations: Enhance the cybersecurity posture by:

• Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
• Ensure proper database configuration to mitigate the risk of database-related attacks.
• Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.

8. Other Observations

The CYFIRMA research team identified a post on a dark web forum by a threat actor operating under the alias “sexybroker”, claiming to sell a large-scale passport dataset allegedly sourced from a Vietnam-based flight booking system.

The actor advertises the dataset as fresh, exclusive, and non-resold, containing passport images and associated contact information of global travelers. The data is positioned as highly valuable for identity exploitation and fraud-related activities.

Dataset Description
According to the forum post:

• Source: Vietnam Flight Booking System (alleged)
• Data Type: Passport images with contact information
• Total Records: ~1,106,868 passport records
• Coverage: Worldwide passengers

The dataset is described as complete passport scans combined with personal contact details, significantly increasing its exploitation value.

Dataset Structure Overview

1. Passport Data (Highly Sensitive Identity Data)
This segment allegedly contains:

• Full passport images (scanned copies)
• Passport numbers
• Full names
• Nationality
• Date of birth
• Gender
• Passport expiry and issuance details

2. Contact Information

• The dataset reportedly includes linked personal contact details:
• Email addresses
• Phone numbers
• Possibly travel-related booking identifiers

3. Geographic Coverage
The actor claims the dataset spans global travelers, including:

• Asia (China, Japan, Vietnam)
• North America (USA)
• Europe (UK, France, Italy)
• Middle East (Qatar, Kuwait)
• Australia and other regions

Sample Evidence
The post includes multiple external image links (JPEG files) allegedly showing:

• Passport scans
• Contact information samples
• Mixed nationality records

Sale Details

• Price: $0.15 USD per passport record
• Total Dataset Size: ~1.1 million records
• Sales Model: Bulk or selective country-based purchase
• Contact Method: Forum private messaging
• Special Notes:“Fresh 100%” “Not reselling” “Not public”

The authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the threat actor.

Source: Underground Forums

RECOMMENDATIONS

STRATEGIC RECOMMENDATIONS

• Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
• Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
• Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
• Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring, through next-generation security solutions and a ready-to-go incident response plan.
• Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.

MANAGEMENT RECOMMENDATIONS

• Take advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection, and mitigation techniques.
• Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
• Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
• Ensure that detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies should be continuously evolved to keep up with refined ransomware threats.

TACTICAL RECOMMENDATIONS

• Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
• Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
• Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defences based on the tactical intelligence provided.
• Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
• Implement a combination of security controls, such as reCAPTCHA (completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
• Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.

Situational Awareness – Cyber News

Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.

For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.

Back to Listing