CyberSecurity news

FlagThis - #cyberwarfare

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Recommended read:
References :
  • securityaffairs.com: Iranian group Pay2Key.I2P ramps Up ransomware attacks against Israel and US with incentives for affiliates
  • www.morphisec.com: Reporting on Iranian CyberWarfare
  • newsinterpretation.com: Iranian ransomware gang Pay2Key/I2P returns, offers huge rewards for attacks on U.S. and Israel.
  • Matthew Rosenquist: Iran sponsored Pay2Key Ransomware-as-a-Service (RaaS)
  • securityonline.info: Iranian Ransomware “Pay2Key.I2P” Resurfaces on I2P Network, Offering 80% Profit for Targeting Western Enemies
  • The Hacker News: Iranian-Backed Pay2Key Ransomware Resurfaces with 80% Profit Share for Cybercriminals
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • cyberpress.org: CyberPress: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • industrialcyber.co: Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: gbhackers: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks

@industrialcyber.co //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against U.S. infrastructure, with a notable 133% surge reported by Nozomi Networks Labs. This increase in malicious activity, observed during May and June of 2025, directly coincides with heightened geopolitical tensions involving Iran. The primary sectors targeted by these operations are transportation and manufacturing, indicating a strategic focus on critical infrastructure within the United States. U.S. government agencies, including CISA and the Department of Homeland Security, have issued advisories warning of these threats, urging organizations to bolster their cybersecurity postures.

The resurgence of the Pay2Key Ransomware-as-a-Service (RaaS) is a key element in this escalation. This operation, linked to the Fox Kitten APT group, is reportedly offering an increased profit share of 80% to affiliates specifically targeting perceived enemies of Iran, such as the United States and Israel. This financially motivated scheme has already collected substantial extortion payments, underscoring the real-world impact of these cyber operations. Several well-known Iranian APT groups, including MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have been identified as active participants in these campaigns, employing tactics ranging from sophisticated espionage to disruptive attacks.

In response to this evolving threat landscape, organizations within the transportation and manufacturing sectors are strongly advised to enhance their cyber defenses. This includes vigilant monitoring for Iranian APT activity and reviewing overall security frameworks. The U.S. government’s warnings highlight the strategic intent behind these attacks, which aim to advance foreign policy objectives and potentially disrupt critical services. Security professionals must remain informed about the evolving capabilities and targeting methodologies of these nation-state actors to effectively mitigate the growing cybersecurity risks.

Recommended read:
References :
  • industrialcyber.co: Nozomi Networks Labs reported a 133% spike in cyberattacks linked to well-known Iranian threat groups during May and...
  • cyberpress.org: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • gbhackers.com: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks
  • gbhackers.com: Nozomi Networks Labs cybersecurity researchers have reported a startling 133% increase in cyberattacks linked to well-known Iranian advanced persistent threat (APT) groups in May and June 2025, following current tensions with Iran.

@www.elliptic.co //
Cyber warfare between Israel and Iran has significantly escalated, marked by disruptions to financial systems and critical infrastructure. In response to recent cyberattacks, the Iranian government admitted to shutting down the internet to protect against further Israeli incursions. This near-total internet blackout has severely limited Iranians' access to information about the ongoing conflict and their ability to communicate with loved ones both inside and outside the country. The government cited hacks on Bank Sepah and the cryptocurrency exchange Nobitex as reasons for restricting internet access.

The cyberattacks included a major outage at Bank Sepah, where the attackers, a group called Predatory Sparrow, claimed to have deleted data, exfiltrated internal documents, and destroyed backups. Predatory Sparrow also claimed responsibility for draining over $90 million in cryptocurrency from Nobitex, Iran's largest crypto exchange, rendering the stolen funds inaccessible. The group, which purports to be pro-Israel hacktivists, has previously disrupted key services in Iran, such as gas stations and steel plants.

U.S. cybersecurity agencies and industry groups have issued advisories warning that Iranian-affiliated threat actors may retaliate globally, targeting American companies in sectors like energy, finance, healthcare, and logistics. These alerts urge CISOs to elevate monitoring and reinforce incident response protocols due to the heightened geopolitical risk. The cyber conflict between Israel and Iran marks a significant turning point, with potential global implications for cybersecurity.

Recommended read:
References :
  • techcrunch.com: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did so to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout. "I haven’t heard from them in two days, but someone is supposed to update me. I hope everything is okay," Amir Rashidi told me.
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown. The escalation marks one of the most comprehensive campaigns of cyber warfare in recent memory.
  • securityaffairs.com: Iran experienced a near-total national internet blackout
  • techcrunch.com: Iran’s government says it shut down internet to protect against cyberattacks
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did so to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • nsfocusglobal.com: The Hacktivist Cyber Attacks in the Iran-Israel Conflict
  • ThreatMon: Iran-Israel Cyber Conflict Analysis of Threat Actors

Matt Burgess@WIRED //
References: techcrunch.com, WIRED, SecureWorld News ...
The Iranian government has admitted to shutting down internet access across the country, citing the need to protect against ongoing Israeli cyberattacks. This drastic measure, implemented in the midst of escalating tensions and kinetic conflict between the two nations, has resulted in a near-total national internet blackout, severely limiting Iranians' access to vital information and their ability to communicate with loved ones both within and outside the country. The government's spokesperson, Fatemeh Mohajerani, stated that the decision was made due to witnessing cyberattacks on critical infrastructure and disruptions in banking systems, also referencing recent hacks on Bank Sepah and the Nobitex cryptocurrency exchange.

The internet shutdown, described as the "worst" in the history of Iran's internet control, began on June 18th and continued into the next day, with monitoring firm NetBlocks reporting a connectivity drop of over 97%. Doug Madory, director of internet analysis at Kentik, noted a 54% drop in connectivity on June 13th, followed by another 49% on June 17th, and a further 90% decrease on Wednesday. This unprecedented defensive maneuver, analyzed in a Rescana report titled "Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict", reflects an attempt to establish a digital choke point and stymie the propagation of rapidly executed cyber intrusions, such as DDoS attacks and malware spread.

The cyber conflict between Israel and Iran has intensified, with a group called Predatory Sparrow claiming responsibility for attacks on Iranian institutions. These attacks included major outages at Bank Sepah and the draining of over $90 million in cryptocurrency from Nobitex. Additionally, reports emerged of Predatory Sparrow infiltrating Iran's state broadcast systems to display protest imagery and anti-regime messages. The internet restrictions are pushing Iranian citizens toward domestic apps, which may not be secure, adding to the dangers faced by civilians amid Israeli bombings and creating a cybersecurity watershed moment with potential global implications.

Recommended read:
References :
  • techcrunch.com: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did so to protect against Israeli cyberattacks.
  • WIRED: Iran’s Internet Blackout Adds New Dangers for Civilians Amid Israeli Bombings | WIRED
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did so to protect against Israeli cyberattacks.
  • techcrunch.com: Iran’s government says it shut down internet to protect against cyberattacks. The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobitex as reasons to shut down internet access to virtually all Iranians.
  • securityaffairs.com: Iran experienced a near-total internet blackout on Wednesday as tensions with Israel escalated into the first week of conflict.

Nicholas Kitonyi@NFTgators //
Nobitex, Iran's largest cryptocurrency exchange, has been targeted in a politically motivated cyberattack allegedly perpetrated by pro-Israel hackers. The attackers successfully drained over $90 million in cryptocurrency from the platform's wallets, subsequently rendering the assets inaccessible. Blockchain analytics firm Elliptic confirmed the theft, noting that the funds were deliberately destroyed rather than laundered, suggesting the primary intent was disruption and sending a political message linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). The incident is part of an escalating conflict between Israel and Iran in cyberspace, with attacks targeting financial systems and media outlets.

The attack on Nobitex is a component of a broader campaign of cyber warfare between the two nations. In addition to the cryptocurrency theft, Bank Sepah, a major Iranian bank, also suffered significant outages as a result of the actions of pro-Israel hacktivist group Predatory Sparrow, who claimed responsibility for both attacks. The group stated that they deleted data, exfiltrated internal documents, and destroyed backups at Bank Sepah to maximize disruption. This follows previous cyber incidents between the two nations, raising concerns about potential escalations and retaliatory measures.

The severity of the cyberattacks prompted the Iranian government to severely restrict internet access across the country, with connectivity plummeting by over 97%. This action, typically reserved for periods of civil unrest or elections, aimed to hinder further cyber intrusions and potentially control the flow of information. Meanwhile, U.S. cybersecurity groups are issuing advisories, warning of potential retaliatory attacks by Iranian-affiliated actors targeting American companies in sectors such as energy, finance, healthcare, and logistics. This cyber conflict between Israel and Iran is being viewed as a watershed moment, highlighting the growing intersection of geopolitics and cybersecurity with potential global implications.

Recommended read:
References :
  • aboutdfir.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • Metacurity: Israeli-linked hackers seized $90 million from Iran's Nobitex exchange
  • www.darknet.org.uk: Israeli-linked hackers seized and destroyed over $90 million from Nobitex, an Iranian crypto exchange.
  • www.elliptic.co: Report detailing the Nobitex hack and the attacker's claims.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange.

Nicholas Kitonyi@NFTgators //
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).

The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.

The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community needs to stay prepared, since the cyberwarfare portion of the conflict is already spilling over beyond the battlefield and outside the region.

Recommended read:
References :
  • Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
  • techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
  • Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
  • NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
  • WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
  • aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
  • fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange. The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.

@x.com //
The ongoing Israel-Iran conflict has expanded into cyberspace, marked by a surge in hacktivist activity and the deployment of new malware campaigns. Pro-Israel and pro-Iranian groups are actively engaging in cyberattacks, including DDoS attacks, website defacements, and data breaches, targeting organizations within each other's territories. This digital warfare mirrors the escalating military tensions between the two nations, turning the internet into a covert combat zone.

Amidst this cyber conflict, a pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for hacking Bank Sepah, a major Iranian financial institution. Predatory Sparrow alleges that the bank was used to circumvent international sanctions and finance the Iranian regime's military activities. While independent verification of the attack is pending, reports have emerged of banking disruptions and closed Bank Sepah branches across Iran. The group has targeted Iranian organizations in the past.

The intensification of cyber hostilities between Israel and Iran raises concerns about potential spillover effects, with U.S. companies and critical infrastructure facing increased risks. Cybersecurity experts are urging organizations to brace for potential disruptions and enhance their defenses against cyberattacks. The digital conflict highlights the importance of cybersecurity preparedness in a world where geopolitical tensions increasingly manifest in cyberspace.

Recommended read:
References :
  • thecyberexpress.com: Iran-Israel cyber conflict intensifies with hacktivist attacks and new malware campaigns.
  • SpiderLabs Blog: The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone
  • aboutdfir.com: U.S. companies brace for Israel-Iran cyber spillover
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut

Ben Weiss@fortune.com //
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" in the address string itself. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Recommended read:
References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corps and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange. This episode is also available on Youtube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says. Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 
  • The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • CyberScoop: This article reports on the cyberattack claimed by Predatory Sparrow against Iran's Bank Sepah.
  • cyberriskleaders.com: This episode of Risky Business discusses the $90 million crypto hack of the Iranian exchange, Nobitex, and other recent cybersecurity incidents in the context of the Israeli-Iranian conflict. The hosts, Patrick Gray and Adam Boileau, are joined by special guest Chris Krebs to discuss various threat actor tactics and trends.
  • www.elliptic.co: The Israeli-linked Gonjeshke Darande hacking group claimed responsibility for the attack.
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Web3 is Going Just Great: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Risky Business Media: Russian hackers abuse app-specific passwords to bypass multi-factor, the tenth Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto-exchange, and Argentina arrests a Russian disinfo gang.
  • Risky Business Media: Between Two Nerds: The evil genius of Predatory Sparrow

Jacob Finn@Cisco Talos Blog //
References: Cisco Talos Blog, Cisco Talos, bsky.app ...
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.

The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which in turn dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment.

Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms.
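The delivery chain described above (console command, batch file, "uacinstall.vbs", dropped executable) is visible in ordinary process-creation telemetry. The script below is an added detection example, not Cisco Talos code and not taken from the report: it rebuilds process ancestry from Sysmon-style process-creation fields and flags a script host running `uacinstall.vbs` whose parents include a batch file launched by an endpoint-management agent. The log lines are constructed for the example, and `admin_agent.exe` is a hypothetical placeholder for whatever management client an environment actually runs, since the page does not name the framework.

```python
"""Detect the PathWiper-style delivery chain from process-creation events.

Added example (not Cisco Talos code). The events below are constructed;
the agent name "admin_agent.exe" is a placeholder to set per environment.
Fields mirror Sysmon Event ID 1: pid, parent pid, image path, command line.
"""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_SCRIPT = "uacinstall.vbs"          # filename reported in the Talos write-up
MANAGEMENT_AGENTS = {"admin_agent.exe"}       # hypothetical; replace with the real agent image

# Constructed sample events: pid|ppid|image|command line
SAMPLE_EVENTS = """\
100|4|C:\\Program Files\\Agent\\admin_agent.exe|"admin_agent.exe" --service
101|100|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Windows\\Temp\\task_8731.bat
102|101|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Windows\\Temp\\uacinstall.vbs
103|102|C:\\Windows\\Temp\\sched.exe|sched.exe
200|4|C:\\Windows\\explorer.exe|explorer.exe
201|200|C:\\Windows\\System32\\cscript.exe|cscript.exe C:\\Users\\jdoe\\login.vbs
300|100|C:\\Windows\\System32\\cmd.exe|cmd.exe /c C:\\Windows\\Temp\\inventory.bat
400|200|C:\\Windows\\System32\\wscript.exe|wscript.exe C:\\Users\\jdoe\\uacinstall.vbs
"""


def parse_events(text: str) -> Dict[int, dict]:
    """Parse pipe-delimited event lines into a pid-keyed dictionary."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        events[int(pid)] = {"pid": int(pid), "ppid": int(ppid),
                            "image": image, "cmdline": cmdline}
    return events


def basename(path: str) -> str:
    """Lower-cased final path component of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: Dict[int, dict], pid: int) -> List[dict]:
    """Walk parent links from pid upward; guards against ppid cycles."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid])
        pid = events[pid]["ppid"]
    return chain


def detect(events: Dict[int, dict]) -> List[dict]:
    """Flag script hosts executing uacinstall.vbs; grade by delivery ancestry.

    Severity is "high" when the ancestry matches the reported chain
    (management agent -> cmd.exe running a .bat -> script host) and
    "medium" for the filename alone.  Children of the flagged script host
    are listed so the dropped payload can be triaged.
    """
    alerts = []
    for ev in events.values():
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue
        if SUSPICIOUS_SCRIPT not in ev["cmdline"].lower():
            continue
        chain = ancestry(events, ev["pid"])      # chain[0] is ev itself
        parents = chain[1:]
        via_batch = any(basename(p["image"]) == "cmd.exe"
                        and re.search(r"\.bat\b", p["cmdline"], re.I)
                        for p in parents)
        via_agent = any(basename(p["image"]) in MANAGEMENT_AGENTS for p in parents)
        children = [basename(e["image"]) for e in events.values()
                    if e["ppid"] == ev["pid"]]
        alerts.append({
            "pid": ev["pid"],
            "severity": "high" if (via_batch and via_agent) else "medium",
            "via_batch": via_batch,
            "via_agent": via_agent,
            "chain": [basename(p["image"]) for p in reversed(chain)],
            "children": children,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

In the constructed sample, pid 102 matches the full reported chain and is graded high with `sched.exe` listed as its dropped child, while pid 400 (the same script name launched from a user session) is graded medium; the routine inventory batch job and the user's `login.vbs` produce no alert. In production the script name is a weak indicator on its own, so the ancestry check through the management agent is what keeps the rule from firing on ordinary script-host activity.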

Recommended read:
References :
  • Cisco Talos Blog: Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • cyberpress.org: New PathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors target Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor.
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war. A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source: hackread.com

@cyble.com //
In May 2025, cybersecurity experts reported a significant surge in hacktivist activity targeting Indian digital infrastructure. This wave of attacks followed the April 22nd terror attack in Pahalgam, in the Indian state of Jammu and Kashmir, and India’s retaliatory strikes across the border. A coordinated effort by more than 40 hacktivist groups sought to disrupt and deface numerous Indian websites, causing widespread alarm across media and social networks as many groups claimed significant breaches of government, educational, and critical infrastructure websites.

However, detailed technical investigations revealed that the actual impact of these attacks on Indian cyber assets was minimal. Claims of major data breaches, such as a supposed 247 GB breach of the National Informatics Centre (NIC), were largely unfounded: the data was either already publicly available or fabricated. Website defacements and Distributed Denial of Service (DDoS) attacks, while numerous, were short-lived and ineffective.

Despite the relatively low impact, the cyberattacks highlighted the ongoing tensions in cyberspace between India and Pakistan. Technisanct identified 36 pro-Pakistan hacktivist groups involved in the digital assaults, with 14 Indian groups retaliating. The escalation in hacktivist activity serves as a reminder of the persistent and evolving cyber threats facing both nations, even amid military tensions.

Recommended read:
References :
  • cyble.com: More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge
  • www.cysecurity.news: Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack
  • thecyberexpress.com: No Ceasefire in the Cyberspace Between India and Pakistan
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions

Pierluigi Paganini@Security Affairs //
Pro-Russia hacktivist group NoName057(16) is actively targeting Dutch organizations with large-scale distributed denial of service (DDoS) attacks. These attacks are causing significant access problems and service disruptions for targeted entities across both the public and private sectors in the Netherlands. The country's National Cyber Security Center (NCSC) has issued a warning about these ongoing cyber activities. The NCSC confirmed that the attacks also affect European organizations alongside Dutch ones.

The attacks are part of a broader campaign claimed by the hacktivist group. These persistent DDoS attacks aim to overwhelm the targeted organizations' systems with malicious traffic, rendering them inaccessible to legitimate users. Their goal appears to be the disruption of services and, potentially, the undermining of confidence in the targeted organizations. BleepingComputer reported on this campaign, highlighting the severity and widespread impact of the attacks.

The National Cyber Security Center (NCSC), part of the Dutch Ministry of Justice, released a statement acknowledging the situation. The statement mentioned that both public and private entities within the Netherlands are being targeted by these large-scale DDoS attacks. The NCSC continues to monitor the situation and is working to mitigate the impact of these attacks.

Recommended read:
References :
  • bsky.app: Pro-Russia hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • securityaffairs.com: Pro-Russia hacktivist group NoName057(16) is targeting Dutch organizations
  • BleepingComputer: Pro-Russia hacktivists bombard Dutch public orgs with DDoS attacks
  • BleepingComputer: Pro-Russian hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • bsky.app: Russian group NoName launched DDoS attacks and took down the public websites of several Dutch provinces.
  • www.bleepingcomputer.com: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • DataBreaches.Net: A large-scale cyberattack hit multiple Dutch municipalities and provinces on Monday morning, rendering the websites of more than twenty local governments inaccessible for several hours.
  • The DefendOps Diaries: Pro-Russian Hacktivists Target Dutch Public Organizations with DDoS Attacks
  • gbhackers.com: Multiple Dutch organizations have experienced significant service disruptions this week due to a series of coordinated Distributed Denial-of-Service (DDoS) attacks.
  • industrialcyber.co: Forescout reports rise of state-sponsored hacktivism, as geopolitics rewrites cyber threat landscape