Hacktivists Escalate Critical Infrastructure Attacks In 2025 Hacktivists escalated attacks in 2025, moving beyond DDoS to ICS intrusions, ransomware, and state-aligned campaigns targeting critical infrastructure.

Hacktivist attacks against critical infrastructure escalated in 2025, with politically motivated groups increasingly targeting operational technology and essential services. This report analyses those trends, attack patterns and affected sectors, drawing on research I contributed to.

Hacktivists Attacks On Critical Infrastructure Surge In 2025 Hacktivists are escalating attacks on critical infrastructure in 2025. Discover top threat actors, sectors at risk, and strategies to defend ICS environments.

Fresh one: cyble.com/blog/hacktiv...

Israel-Iran Conflict Sparks Wider Cyber Conflict, New Malware The Israel-Iran conflict that began with Israeli attacks on Iranian nuclear and military targets on June 13 has sparked a

thecyberexpress.com/israel-iran-...

Guys, We’re looking for two new teammates to join our Threat Intelligence crew:

1.English + Chinese — focus on China & Southeast Asia
2.English + Spanish/Portuguese — focus on Latin America
Background in OSINT, cybersecurity & TI required.

DM me if you’re interested!

Hacktivists Target France Over Diplomatic Moves Pro-Russian and pro-Palestinian hacktivist groups share a common adversary in France, leading to coordinated cyberattacks against the country.

cyble.com/blog/hacktiv... - New article on Hacktivists targeting France. Enjoy

Attack on Bybit was performed by the North Koren LAZARUS GROUP investigators say. That’s the biggest catxh the group ever had.

Bybit hit with $1.4 billion hack. Attackers used social engineering to bypass bybit's defenses, manipulating smart contracts for massive theft.

U.S. CISA adds Craft CMS and Palo Alto Networks PAN-OS flaws to its Known Exploited Vulnerabilities catalog U.S. CISA adds Craft CMS and Palo Alto Networks PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog.

U.S. CISA adds Craft CMS and Palo Alto Networks PAN-OS flaws to its Known Exploited Vulnerabilities catalog

Pro Russian hacktivists NoName057(16) are banned again on Telegram. Both group's account and DDoSia project. its their third ban since the beginning of the year and they are loosing audience.

The OSINTukraine archive #telegram data from 90+ Russian Telegram channels. Help us continue preserving this data:

DorkTerm

A free online tool to research a target domain using Google Dorks. Search for login pages, admin panels, SQl files, log files and more.

yogsec.github.io/DorkTerm/

Creator twitter.com/yogsec

#osint #googledorks

Grep Back URLs

#go tool for gathering info about target domain:

1. Find subdomains with Subfinder
2. Get list or URLs from archive org with waybackurls
3. Find juicy info with grep: databases, configs, API keys, documents and more.

github.com/gigachad80/g...

#osint

That’s huge

“Trump pardons dark web marketplace creator Ross Ulbricht”
Who’s next?

Anyone here collects or has a knowledge of military patches? I am looking for patches related to OSINT and Cybersecurity.

Federal Service for State Registration, Cadastre and Cartography of Russia was breached by Ukraine-sympathizing group ‘SilentCrow’. Approximate size of the leak - 1TB.

We need to do away with social media and return to hyper specific community forums, the way God intended

The Holy League continues DDos attacks on EU member states. Italy and Germany are targets now.
It seems that the Italian prime minister finally disappointed the Russian government.

The Good, the Bad and the Ugly in Cybersecurity – Week 50 The Good | Ragnarok Ransomware Operators & DDoS-For-Hire Servers Disrupted by LEAs Law enforcement agencies this week took decisive action to disrupt a Chinese firm for its involvement in a series of Ragnarok ransomware attacks and 27 DDoS-for-fire servers used by cybercriminals to launch attacks on targets of their choosing. The U.S. Treasury Department has placed sanctions on Sichuan Silence, a Chengdu-based cybersecurity contractor and employee Guan Tianfeng for their role in a Ragnarok ransomware campaign from April 2020. Specializing in network exploitation, brute-force attacks , and email monitoring, Sichuan Silence targeted U.S. critical infrastructure in association with China’s intelligence services. Guan’s role in the attacks involved leveraging an SQL injection vulnerability tracked as CVE-2020-12271 , leading to 81,000 infected devices worldwide, 23,000 of which were based in the U.S. The sanctions prohibit U.S. organizations from engaging in transactions with the malicious firm and Guan and a reward offer of $10 million from the DoJ and State Department stands for information on either. Source: U.S. State Department 27 DDoS-for-hire servers ( aka “booters” or “stressors”) met their demise as part of Operation PowerOFF – an collaborative effort across 15 countries to combat distributed denial-of-service (DDoS) attacks . Booter platforms work by setting botnets on compromised devices to launch targeted attacks on behalf of their paying customers, causing major business disruption and service outages. The global crackdown identified 300 customers of the services and resulted in the arrest of three administrators, one of which was linked to over 4,100 DDoS attacks alone . Another 200 suspects were all issued warnings or face prosecution based on the level of their engagement with the services. Operation PowerOFF combined analytics, crypto-tracing tools, and forensic investigations by various Joint Cybercrime Action Taskforce (J-CAT) specialists. The Bad | Critical “AuthQuake” Flaw in Microsoft Systems Allowed MFA Bypass Security researchers have flagged a critical vulnerability in Microsoft’s multi-factor authentication (MFA) system, dubbed “AuthQuake”, that could allow attackers to bypass protections and gain unauthorized account access . Their report details how the flaw required no user interaction, did not generate alerts, and took less than an hour to execute. While multi-factor authentication (MFA) is a solid security mechanism, such flaws make it a double-edged sword due to the nature of the user’s reliance on and interaction with it. The vulnerability affects one of several ways Microsoft authenticates users, specifically, the method that involves entering a six-digit, one-time code from an authenticator app. These codes are typically active for only 30 seconds before they are rotated. Researchers found that the flaw allowed codes to remain valid for up to three minutes due to a lack of rate limiting, thus enabling an attacker to brute-force all possible code combinations and start new login sessions without notifying the victim. Though Microsoft has addressed the issue by implementing stricter rate limits and now locks accounts after a number of failed login attempts, researchers warn that effective MFA requires additional safeguards, such as immediate user notifications for failed logins and robust rate-limiting mechanisms . MFA is an essential part of cybersecurity best practices, but its efficacy is tied to proper configuration in order to trigger rapid responses to suspicious activity. Discovering Authquake underscores how important thorough security policies surrounding authentication systems are and that even widely-used measures like MFA must be properly implemented, tested, and updated to ensure organizations and users are protected against threat actors skimming for low hanging fruits in the form of vulnerabilities . The Ugly | Large IT Firms Targeted Through Visual Studio Code & Microsoft Azure Abuse According to a new report from SentinelLabs , a suspected China-nexus threat actor has been targeting IT service providers across Southern Europe . The actor exploited Visual Studio Code (VSCode) and Microsoft Azure infrastructures for command and control (C2) purposes to maintain remote access in a campaign dubbed “Operation Digital Eye”. Since VSCode tunnels are part of Microsoft’s Remote Development feature and give full endpoint access, the technique grants actors the ability to execute arbitrary commands and manipulate files. This method of abuse also involves executables signed by Microsoft and Microsoft Azure, both of which are commonly allowed by firewalls and application controls. The campaign was observed in intrusions in June and July this year. The attackers gained initial access through SQL injection before a PHP webshell was deployed for remote command execution and to introduce additional payloads. Moving laterally , the actors employed RDP connections and pass-the-hash techniques with a modified version of Mimikatz . The actors then installed a version of VSCode, running it as a persistent Windows service. By setting up VSCode with tunnel parameters, they enabled remote access via a web browser, authenticated through GitHub or Microsoft accounts to avoid triggering security alerts. PHPsert implementation Abusing Visual Studio Code for C2 purposes is not a new tactic, but considered rare in the wild. Though the activities were interupted in their initial phases, the intrusions – if successful – would have allowed the actor to establish strategic footholds in the large digital supply chain in Europe and given them access to more downstream entities . Popular technologies freely used without much scrutiny continue to pose challenges for defenders. Security teams are advised to monitor for unauthorized code launches, restrict remote tunnels to approved users only, and invest in robust and real-time detection solutions to combat malicious activity that appears legitimate.

The Good, the Bad and the Ugly in Cybersecurity – Week 50

Cyber protection made intuitive and affordable How Cynet delivered 100 percent Protection and 100 percent Detection Visibility in 2024 MITRE ATT&CK Evaluation

Cyber protection made intuitive and affordable

Hacktivist-Alliances-Target-France Cyble analyzes the role of Hacktivist Alliances targeted France to sow and benefit from the current political instability.

Our new piece on hackitivism: Both pro-Russian and pro-Islamic hacktivists target France in a consolidated attack: cyble.com/blog/hacktiv...

It appears that not only NoName057(16) was banned last night. People’s Cyber Army and Z-pentest were also banned. They have already announced new tg-channels, but do not feel that secure

Most renowned Russian DDos hacktivist collective NoName057(16) now is banned from telegram. They use backup channels to restore activity

Today Official statement from the team (ANONYMOUS PALESTINE) was posted reporting that
Abdul Rahman, known as The Arab Ghost, and the leader of the collective was killed in Syria.

The strange case of disappearing Russian servers - SANS Internet Storm Center The strange case of disappearing Russian servers, Author: Jan Kopriva

isc.sans.edu/diary/rss/31...

8Base ransomware group’s Telegram channel resurfaces. First message since January drops, signaling resurgence in activity.

Seeing Tord Gustavsen Trio · Album · 2024 · 10 songs

Album of the day: open.spotify.com/album/7yEK8o...

Any chance someone has put together a collection of good accounts to follow on Syria here?

We Are the People - Single Edit Work Money Death · We Are the People (Single Edit) · Song · 2024

Album of the day: open.spotify.com/track/78uBGV...

The Role of Telegram in the Modern Cybercrime Economy Telegram, once a messaging app celebrated for its encryption and user-friendly features, has inadvertently become a hub for cybercriminal…

The Role of Telegram in the Modern Cybercrime Economy