Global Cyber-Attack Wave Hits Defense, Tech, and Healthcare Giants

A massive, coordinated cyber-attack campaign has struck major international organizations, with threat actors demonstrating unprecedented access to corporate networks. Victims include U.S. defense contractor L3Harris, semiconductor manufacturer TF-AMD, and major healthcare provider Tampa General Hospital.

Analysis of the attacks reveals a clear pattern: threat actors are no longer just looking for an open door. They already have the keys, harvested from enormous, circulating data breaches, and are using them to bypass security at will. The primary actors identified in this wave are the Snatch, Kryptos Ransomware, and Cloak extortion groups.

This is a breakdown of the tactics, techniques, and procedures (TTPs) used against these high-value targets.

The ‘Snatch’ Campaign: A Common Thread of Compromise

The Snatch ransomware group has been the most prolific, claiming responsibility for attacks on Tampa General Hospital (tgh.org), Asia Vital Components (avc.co), McGrath RentCorp (mgrc.com), and Singapore’s DSO National Laboratories (dso.org).

Their method is devastatingly simple: credential stuffing. Attackers are leveraging massive, recently circulated combolists, including a “250M Lines Mixed Database Pack” and a “4.42B Email & Password List,” to find valid employee logins.

  • TTP (Initial Access): Credential Stuffing
    • Target: Tampa General Hospital (tgh.org): Multiple employee accounts were found in the 4.42B list. For example, the user [email protected] was exposed with the password panda0827.
    • Target: McGrath RentCorp (mgrc.com): The list contained credentials for numerous employees, such as [email protected] with the password sparrow and [email protected] with carson04.
    • Target: Asia Vital Components (avc.co): The breach exposed global accounts, including [email protected] with the passwords D6ZWYdyb7jkmRxCI and alan1397.
  • TTP (Reconnaissance): Infrastructure Mapping
    • Before the attacks, threat actors mapped the victims’ external infrastructure. Both medicine.tgh.org and rent.mgrc.com were identified on deepweb CNAME trackers. This revealed they use Oracle Eloqua marketing software, a common high-value target for phishing campaigns to gain initial access.
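Credential stuffing of the kind described above leaves a recognisable trace in authentication logs: one source trying many distinct usernames with mostly failures, and the occasional success being the leaked credential that actually worked. The following detector is an added example, not code from the original article or from any of the named groups; the log format, addresses and usernames are constructed.

```python
"""Flag credential-stuffing bursts in web-auth logs (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2025-10-03T08:00:01Z 203.0.113.7 a.nguyen@example.org FAIL
2025-10-03T08:00:02Z 203.0.113.7 b.ortiz@example.org FAIL
2025-10-03T08:00:02Z 203.0.113.7 c.patel@example.org FAIL
2025-10-03T08:00:03Z 203.0.113.7 d.kim@example.org FAIL
2025-10-03T08:00:04Z 203.0.113.7 e.rossi@example.org SUCCESS
2025-10-03T08:00:05Z 203.0.113.7 f.adams@example.org FAIL
2025-10-03T08:01:00Z 198.51.100.4 g.lee@example.org FAIL
2025-10-03T08:01:30Z 198.51.100.4 g.lee@example.org SUCCESS
"""

def parse(lines):
    events = []
    for line in lines.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: summary} for sources spraying many distinct accounts.
    A stuffing source tries many *different* usernames with mostly failures;
    any SUCCESS inside that burst is a valid leaked login and needs a reset."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                hits = sorted({e[2] for e in span if e[3] == "SUCCESS"})
                alerts[ip] = {"distinct_users": len(users), "attempts": len(span), "compromised": hits}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The single user with one failure followed by a success (a mistyped password) is not flagged, which is the point of keying on distinct usernames rather than raw failure counts.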

Supply Chain and Malware: Sonabhy and TF-AMD

While Snatch used broad credential leaks, the attacks on Burkina Faso’s national oil company, Sonabhy, and Malaysia’s TF-AMD reveal more patient, multi-vector compromises.

  • Case 1: Sonabhy (Victim of ‘Cloak’)
    • The Cloak ransomware group, which listed Sonabhy.bf on its darknet blog, appears to have used a two-pronged approach.
    • TTP (Initial Access): Credentials from unrelated breaches were used. The “1win.com Breach” exposed the email [email protected] with the password borisys04. These credentials, and others from the 4.42B list, were likely used for initial access.
    • TTP (Supply Chain Attack): Evidence shows a third-party contractor, “API TECH BURKINA,” was compromised by Redline Stealer malware. Logs from the infected machine show the user accessed a folder C:/Users/API TECH BURKINA/Desktop/FORMATION SONABHY/ containing sensitive training PDFs for Sonabhy, indicating a supply chain vector.
    • Indicators of Compromise (IOCs): IP addresses 196.28.249.141 and 154.66.172.10 were associated with Sonabhy employee accounts in the “1win.com” breach.
  • Case 2: TF-AMD (Victim of ‘Snatch’)
    • The attack on TF-AMD (tf-amd.com.my) highlights how threat actors share—and reuse—victims. The company was first listed by LockBit ransomware in February 2024, only to be re-victimized by Snatch in October 2025.
    • TTP (Third-Party Data Leak): The “Owcareers.com Breach” in March 2025 exposed detailed employee profiles of “TF-AMD Penang” staff, including full names and job titles, providing a perfect database for spear-phishing.
    • TTP (Malware & Session Hijacking): The company has been bleeding data for months. Stealc Stealer malware logs from June 2024 contained stolen session cookies for the .tf-amd.com.my domain. This would allow an attacker to bypass passwords and multi-factor authentication entirely using a “pass-the-cookie” attack.
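A stolen session cookie replayed from the attacker's own browser, as in the pass-the-cookie scenario above, shows up server-side as the same cookie arriving from a new IP and a new user-agent. The detector below is an added example, not code from the original article or from TF-AMD; the log format, hosts and user-agent tags are constructed.

```python
"""Detect session-cookie replay ("pass-the-cookie") in access logs (constructed data)."""
from datetime import datetime

# Constructed sample: time, session-cookie id, user, client IP, user-agent tag.
SAMPLE_ACCESS_LOG = """\
2024-06-10T09:00:00Z sess-a1 j.tan@example.com 192.0.2.10 Chrome/125-Windows
2024-06-10T09:05:00Z sess-a1 j.tan@example.com 192.0.2.10 Chrome/125-Windows
2024-06-10T11:42:00Z sess-a1 j.tan@example.com 203.0.113.50 Firefox/126-Linux
2024-06-10T09:10:00Z sess-b2 m.ooi@example.com 192.0.2.11 Chrome/125-Windows
2024-06-10T09:40:00Z sess-b2 m.ooi@example.com 192.0.2.12 Chrome/125-Windows
"""

def parse_access(text):
    rows = []
    for line in text.splitlines():
        ts, sid, user, ip, ua = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, user, ip, ua))
    return sorted(rows)

def detect_cookie_replay(rows):
    """Bind each session cookie to the IP/UA seen at first use and flag drift.
    "high": new IP *and* new user-agent (a cookie imported into another browser).
    "low":  only the IP changed (roaming or NAT is a common benign cause)."""
    bound = {}      # session id -> (ip, ua) at first sighting
    findings = {}   # session id -> most severe deviation seen
    for ts, sid, user, ip, ua in rows:
        if sid not in bound:
            bound[sid] = (ip, ua)
            continue
        first_ip, first_ua = bound[sid]
        if ip == first_ip and ua == first_ua:
            continue
        severity = "high" if (ip != first_ip and ua != first_ua) else "low"
        if sid not in findings or (severity == "high" and findings[sid]["severity"] == "low"):
            findings[sid] = {"user": user, "severity": severity, "at": ts.isoformat(),
                             "from": (first_ip, first_ua), "to": (ip, ua)}
    return findings

if __name__ == "__main__":
    for sid, f in detect_cookie_replay(parse_access(SAMPLE_ACCESS_LOG)).items():
        print(sid, f["user"], f["severity"], f["from"], "->", f["to"])
```

A "high" finding is the cue to revoke that session server-side, since rotating the password alone does not invalidate an already-stolen cookie.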

Big Game Hunting: L3Harris in the Crosshairs

The most alarming name on the list is L3Harris, a top-tier U.S. defense contractor, now listed as a victim of Kryptos Ransomware.

While specific breach data is not yet public, deepweb chatter shows threat actors were performing extensive reconnaissance to maximize leverage.

  • TTP (Reconnaissance & Leverage):
    • Just days before the ransomware claim, threat actors were discussing L3Harris’s business operations in deepweb forums.
    • One post highlighted a $2.2 million order from L3Harris to a subsidiary of LightPath Technologies, demonstrating attackers are monitoring the victim’s supply chain and financial announcements.
    • Another post identified ITT Exelis (now L3Harris) as the designer of the AN/SLQ-59 electronic warfare system, showing a specific interest in the company’s defense-related intellectual property.

Analyst’s Takeaway

These incidents confirm a major shift in the threat landscape. The primary TTPs are no longer opportunistic scans but targeted campaigns fueled by a mature, interconnected underground economy.

  1. Credential Stuffing is the New Brute-Force: Massive combolists (4.42B Email & Password List) are the number one vector for initial access.
  2. Supply Chain is the Soft Underbelly: Third-party breaches (like Owcareers.com) and contractor infections (Redline Stealer on “API TECH BURKINA”) are providing attackers with reconnaissance data and direct network access.
  3. Cookies are the New Passwords: Stealer malware such as Stealc and Redline is being used to harvest session cookies, rendering traditional password-based defenses obsolete.

Organizations must expand their security posture beyond their own perimeter, focusing on supply chain risk and actively monitoring the deep and dark web for credentials, cookies, and chatter related to their infrastructure.