Hacktivists Escalate Critical Infrastructure Attacks In 2025
Hacktivists escalated attacks in 2025, moving beyond DDoS to ICS intrusions, ransomware, and state-aligned campaigns targeting critical infrastructure.
Hacktivist attacks against critical infrastructure escalated in 2025, with politically motivated groups increasingly targeting operational technology and essential services. This report analyses those trends, attack patterns and affected sectors, drawing on research I contributed to.
21.01.2026 16:58
Guys, we’re looking for two new teammates to join our Threat Intelligence crew:
1. English + Chinese – focus on China & Southeast Asia
2. English + Spanish/Portuguese – focus on Latin America
Background in OSINT, cybersecurity & TI required.
DM me if you’re interested!
02.05.2025 13:58
Attack on Bybit was performed by the North Korean LAZARUS GROUP, investigators say. That’s the biggest catch the group ever had.
22.02.2025 07:38
Bybit hit with $1.4 billion hack. Attackers used social engineering to bypass Bybit's defenses, manipulating smart contracts for massive theft.
21.02.2025 19:36
Pro-Russian hacktivists NoName057(16) are banned again on Telegram, both the group's account and the DDoSia project. It's their third ban since the beginning of the year and they are losing audience.
21.02.2025 11:53
Telegram Archive
The Telegram Archive, with video and media files, on the open web
The OSINTukraine archive #telegram data from 90+ Russian Telegram channels. Help us continue preserving this data:
20.02.2025 13:20
DorkTerm
A free online tool to research a target domain using Google Dorks. Search for login pages, admin panels, SQL files, log files and more.
yogsec.github.io/DorkTerm/
Creator twitter.com/yogsec
#osint #googledorks
20.02.2025 00:58
Grep Back URLs
#go tool for gathering info about a target domain:
1. Find subdomains with Subfinder
2. Get a list of URLs from archive.org with waybackurls
3. Find juicy info with grep: databases, configs, API keys, documents and more.
github.com/gigachad80/g...
#osint
20.02.2025 22:20
That’s huge
07.02.2025 20:39
“Trump pardons dark web marketplace creator Ross Ulbricht”
Who’s next?
22.01.2025 07:26
Anyone here collect or have knowledge of military patches? I am looking for patches related to OSINT and cybersecurity.
08.01.2025 17:18
The Federal Service for State Registration, Cadastre and Cartography of Russia was breached by the Ukraine-sympathizing group “SilentCrow”. Approximate size of the leak: 1TB.
07.01.2025 20:29
We need to do away with social media and return to hyper specific community forums, the way God intended
15.12.2024 10:48
The Holy League continues DDoS attacks on EU member states. Italy and Germany are targets now.
It seems that the Italian prime minister has finally disappointed the Russian government.
15.12.2024 10:36
The Good, the Bad and the Ugly in Cybersecurity – Week 50
The Good | Ragnarok Ransomware Operators & DDoS-For-Hire Servers Disrupted by LEAs
Law enforcement agencies this week took decisive action to disrupt a Chinese firm for its involvement in a series of Ragnarok ransomware attacks and 27 DDoS-for-hire servers used by cybercriminals to launch attacks on targets of their choosing.
The U.S. Treasury Department has placed sanctions on Sichuan Silence, a Chengdu-based cybersecurity contractor, and employee Guan Tianfeng for their role in a Ragnarok ransomware campaign from April 2020. Specializing in network exploitation, brute-force attacks, and email monitoring, Sichuan Silence targeted U.S. critical infrastructure in association with China’s intelligence services. Guan’s role in the attacks involved leveraging an SQL injection vulnerability tracked as CVE-2020-12271, leading to 81,000 infected devices worldwide, 23,000 of which were based in the U.S. The sanctions prohibit U.S. organizations from engaging in transactions with the malicious firm and Guan, and a reward offer of $10 million from the DoJ and State Department stands for information on either.
Source: U.S. State Department
27 DDoS-for-hire servers (aka “booters” or “stressors”) met their demise as part of Operation PowerOFF, a collaborative effort across 15 countries to combat distributed denial-of-service (DDoS) attacks. Booter platforms work by setting botnets of compromised devices on targets, launching attacks on behalf of their paying customers and causing major business disruption and service outages.
The global crackdown identified 300 customers of the services and resulted in the arrest of three administrators, one of whom was linked to over 4,100 DDoS attacks alone. Another 200 suspects were all issued warnings or face prosecution based on the level of their engagement with the services. Operation PowerOFF combined analytics, crypto-tracing tools, and forensic investigations by various Joint Cybercrime Action Taskforce (J-CAT) specialists.
The Bad | Critical “AuthQuake” Flaw in Microsoft Systems Allowed MFA Bypass
Security researchers have flagged a critical vulnerability in Microsoft’s multi-factor authentication (MFA) system, dubbed “AuthQuake”, that could allow attackers to bypass protections and gain unauthorized account access. Their report details how the flaw required no user interaction, did not generate alerts, and took less than an hour to execute. While multi-factor authentication (MFA) is a solid security mechanism, such flaws make it a double-edged sword because of how heavily users rely on and interact with it.
The vulnerability affects one of several ways Microsoft authenticates users, specifically the method that involves entering a six-digit, one-time code from an authenticator app. These codes are typically active for only 30 seconds before they are rotated. Researchers found that the flaw allowed codes to remain valid for up to three minutes due to a lack of rate limiting, enabling an attacker to brute-force all possible code combinations and start new login sessions without notifying the victim.
Though Microsoft has addressed the issue by implementing stricter rate limits and now locks accounts after a number of failed login attempts, researchers warn that effective MFA requires additional safeguards, such as immediate user notifications for failed logins and robust rate-limiting mechanisms. MFA is an essential part of cybersecurity best practices, but its efficacy is tied to proper configuration so that suspicious activity triggers a rapid response.
The discovery of AuthQuake underscores how important thorough security policies around authentication systems are, and that even widely used measures like MFA must be properly implemented, tested, and updated to ensure organizations and users are protected against threat actors skimming for low-hanging fruit in the form of vulnerabilities.
The Ugly | Large IT Firms Targeted Through Visual Studio Code & Microsoft Azure Abuse
According to a new report from SentinelLabs, a suspected China-nexus threat actor has been targeting IT service providers across Southern Europe. The actor exploited Visual Studio Code (VSCode) and Microsoft Azure infrastructure for command and control (C2) purposes to maintain remote access in a campaign dubbed “Operation Digital Eye”.
Since VSCode tunnels are part of Microsoft’s Remote Development feature and give full endpoint access, the technique grants actors the ability to execute arbitrary commands and manipulate files. This method of abuse also involves executables signed by Microsoft and Microsoft Azure infrastructure, both of which are commonly allowed by firewalls and application controls.
The campaign was observed in intrusions in June and July this year. The attackers gained initial access through SQL injection before a PHP webshell was deployed for remote command execution and to introduce additional payloads. Moving laterally, the actors employed RDP connections and pass-the-hash techniques with a modified version of Mimikatz. The actors then installed a version of VSCode, running it as a persistent Windows service. By setting up VSCode with tunnel parameters, they enabled remote access via a web browser, authenticated through GitHub or Microsoft accounts to avoid triggering security alerts.
Figure: PHPsert implementation
Abusing Visual Studio Code for C2 purposes is not a new tactic, but it is considered rare in the wild. Though the activities were interrupted in their initial phases, the intrusions, if successful, would have allowed the actor to establish strategic footholds in the large digital supply chain in Europe and given them access to more downstream entities.
Popular technologies freely used without much scrutiny continue to pose challenges for defenders. Security teams are advised to monitor for unauthorized code launches, restrict remote tunnels to approved users only, and invest in robust, real-time detection solutions to combat malicious activity that appears legitimate.
13.12.2024 14:55
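The AuthQuake summary above turns on one detail: a code that stays valid for minutes with no attempt budget can be brute-forced across its whole six-digit space. The following is an added example (not code from the post or the cited report) that models how much of the code space an attacker can cover with and without an attempt cap, and sketches a server-side verifier with the failure cap, lockout and failed-login notification the researchers recommend; the attempt rate, code-space size and lockout values are assumptions.

```python
import hmac
from collections import defaultdict

CODE_SPACE = 10 ** 6  # six-digit one-time codes: 000000..999999


def brute_force_coverage(validity_seconds, attempts_per_second, max_attempts=None):
    """Fraction of the code space an attacker can try while a single code stays
    valid. With no cap the budget is bounded only by the validity window; with a
    cap (rate limit / lockout) it is bounded by max_attempts. The attempt rate is
    a constructed assumption, not a measured figure."""
    budget = validity_seconds * attempts_per_second
    if max_attempts is not None:
        budget = min(budget, max_attempts)
    return min(1.0, budget / CODE_SPACE)


class OtpVerifier:
    """Hypothetical server-side gate for one-time codes: a per-account failure
    budget, a lockout once that budget is spent, and a notification hook so the
    user hears about failed attempts (the safeguard the report asks for)."""

    def __init__(self, max_failures=5, lockout_seconds=300, notify=None):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.notify = notify or (lambda account, event: None)
        self.failures = defaultdict(int)   # account -> consecutive failures
        self.locked_until = {}             # account -> unix time lock expires

    def verify(self, account, expected_code, submitted_code, now):
        """Return 'ok', 'fail' or 'locked'. A correct code is refused during a
        lockout, so a guess that happens to be right cannot open a session."""
        if self.locked_until.get(account, 0) > now:
            return "locked"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected_code, submitted_code):
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        self.notify(account, "failed_login")
        if self.failures[account] >= self.max_failures:
            self.failures[account] = 0
            self.locked_until[account] = now + self.lockout_seconds
            self.notify(account, "lockout")
            return "locked"
        return "fail"
```

With a three-minute window and no cap, `brute_force_coverage(180, rate)` reaches 1.0 for any rate above about 5,556 guesses per second, which is the case the report describes; with a five-attempt budget it stays at 5 in a million regardless of the window.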
It appears that not only NoName057(16) was banned last night. People’s Cyber Army and Z-pentest were also banned. They have already announced new tg-channels, but do not feel that secure.
05.12.2024 11:50
The most renowned Russian DDoS hacktivist collective NoName057(16) is now banned from Telegram. They use backup channels to restore activity.
04.12.2024 20:50
Today an official statement from the team (ANONYMOUS PALESTINE) was posted reporting that Abdul Rahman, known as The Arab Ghost and the leader of the collective, was killed in Syria.
04.12.2024 08:22
8Base ransomware groupβs Telegram channel resurfaces. First message since January drops, signaling resurgence in activity.
02.12.2024 16:54
Any chance someone has put together a collection of good accounts to follow on Syria here?
29.11.2024 09:29