A week of chaos: Harvard, Collins, and the Spanish Tax Agency breached

Returning from a single week of leave, I found the threat landscape in complete disarray, with confirmed ransomware victims now including Harvard University, Collins Aerospace, Spain’s national tax agency, and the University of the Witwatersrand. This flurry of high-profile incidents, orchestrated by multiple threat groups, demonstrates a significant escalation in attacks against academia, critical infrastructure, and government sectors.

This dispatch is derived from threat intelligence platforms, detailing the technical indicators and adversary tactics observed.


Clop group leverages zero-day in university campaign

The Clop ransomware syndicate has re-emerged, claiming responsibility for a devastating campaign targeting major educational institutions. Our systems confirm that Harvard University (harvard.edu) and South Africa’s University of the Witwatersrand (wits.ac.za) were added to Clop’s dark web leak site.

This attack appears to be a mass exploitation of a zero-day vulnerability (T1190: Exploit Public-Facing Application). The listing for Wits University, which reports revenue of $25 million, includes a torrent magnet link for the public release of exfiltrated data, a common double-extortion TTP for the group.

  • Threat Actor: Clop
  • IOC (Leak Site): santat7kpllt6iyvqbr7q4amdv6dzrh6paatvyrzl7ry3zm72zigf4ad.onion
  • IOC (Wits Data): magnet:?xt=urn:btih:3a52169f71dd03d7f3fd01aaaa20049c393de9d1&dn=wits.ac.za

Everest and Qilin strike aerospace and government

Simultaneously, critical infrastructure and government bodies were targeted. The Everest Ransomware Group posted a new entry on its leak site for “Colins Aerospace (50GB+) DataBase”, a clear reference to the major aerospace and defense contractor.

In a separate incident, the Qilin ransomware group listed Spain’s national tax agency, Agencia Estatal de Administración Tributaria (sede.agenciatributaria.gob.es), on its blog. Intelligence collected prior to this announcement shows extensive browsing of the agency’s tax forms and authentication portals from nodes associated with Lumma Stealer malware, suggesting a potential infostealer-to-ransomware pipeline.

  • Threat Actor (Aerospace): Everest Ransomware Group
  • IOC (Leak Site): ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
  • Threat Actor (Government): Qilin Ransomware
  • IOC (Leak Site): ijzn3sicrcy7guixkzjkib4ukbiilwc3xhnmby4mcbccnsd7j2rekvqd.onion

Infostealer logs reveal initial access vectors

Analysis of malware logs from Week 42 provides clear TTPs for at least two other major breaches, revealing a direct pipeline from initial access brokers to ransomware deployment.

Unimed (Brazil)

On October 15, the Sarcoma Group listed Brazilian health insurance giant Unimed (unimed.coop.br) on its leak site. Our platform analysis shows that on October 14, just one day prior, a cache of Redline and Lumma Stealer logs containing dozens of credentials for Unimed’s portals was actively circulating. This indicates threat actors used credentials stolen from infected devices (T1555: Credentials from Password Stores) to gain initial access.

  • Threat Actor: Sarcoma Group
  • IOC (Leak Site): sarcomawmawlhov7o5mdhz4eszxxlkyaoiyiy2b5iwxnds2dmb4jakad.onion
  • IOC (Malware): Redline Stealer, Lumma Stealer
  • IOC (Compromised URLs): https://acesso.unimed.coop.br/, https://agi.unimed.coop.br/administrador/, https://beneficiario.unimed.coop.br/
  • IOC (Sample Credential): URL: https://agi.unimed.coop.br/administrador/index.jsp | Username: gabriela.lopes | Password: Ederlane@2025

Furuno Electric (Japan)

Similarly, the Rhysida ransomware group began auctioning data from Japanese marine electronics manufacturer Furuno (furuno.com) on October 13. Furuno’s US division reports revenue between $20 million and $50 million.

Correlating intelligence shows Furuno employee credentials appeared in multiple recent credential stuffing lists (September 26) and a large 2.2 GB data leak of 7.6 million US businesses (October 8). This data included employee names, job titles, and emails, including those for the IT Director and Network Administrator.

  • Threat Actor: Rhysida
  • IOC (Leak Site): rhysidafohrhyy2aszi7bm32tnjat5xri65fopcxkdfxhi4tidsg7cad.onion
  • IOC (Sample Credentials): [email protected]:RICKROSE!, [email protected]:starship1
  • IOC (Exposed Employee): Bill,Allard,Information Technology Director,[email protected]