🇪🇸 A threat actor is claiming to have breached systems associated with the Spanish Space Agency and stolen data tied to the XMM-Newton space telescope infrastructure.
According to the post, the alleged data includes calibration files, astronomical image datasets, internal analysis software, simulation environments, network structure details, and exposed development tools.
The actor also claims access to:
* Internal SSL certificates
* Scientific simulation environments
* Telescope calibration databases
* Network topology and open ports
* Internal usernames and tooling
* Legacy software versions with alleged vulnerabilities
The threat actor is attempting to sell the allegedly stolen data for $10,000 and claims the information could be leveraged for espionage or intelligence purposes targeting European space research activities.
At this stage, the authenticity and impact of the claims have not been independently verified.
#DDW #Intelligence #Spain #DarkWeb
The Invisible Attack: How Russia’s GPS Spoofing Campaign Threatens European Aviation and NATO Security
Robert Lansing Institute
https://t.co/r681ZJO4Nb
Nuevos documentos filtrados evidencian el papel de Rusia en el "vandalismo de falsa bandera" y las campañas de injerencia electoral en Europa
https://t.co/7nZYGjpHFp
Showboat is a modular Linux-based malware campaign tied to China-linked telecom espionage, enabling long-term stealth access, proxying traffic, and C2 communication across multinational telecom targets. https://t.co/h1XCykX3aN
New Chinese surveillance leaves foreigners nowhere to hide
A Chinese cybersecurity expert has revealed to DW details of China's new high-tech policing.
Deutsche Welle
https://t.co/P045LaRExU
@dwnews
🚨DDoS Alert 🇫🇷
NoName claims to have targeted multiple websites in France.
• CIFFCO
• Cartes Bancaires
• Court of Auditors
• The National Commission for the Control of Intelligence Techniques
Inside Moscow's elite Bauman University, a secret department trains the GRU's next-gen hackers, saboteurs, and spies. Leaked documents now expose how its graduates feed the units behind Russia's cyberattacks, election interference, and NATO sabotage. https://t.co/5TTRIaWZj7
The future of espionage isn't a recruited spy in a trench coat, it's an algorithm quietly modeling your entire society from your digital exhaust. https://t.co/Z2GEFSWF5w
A threat actor advertised a 3.5TB “NATO database” for sale on an underground forum, potentially exposing contact data from NATO-affiliated institutions, with researchers cautioning about authenticity and phishing risks. https://t.co/PcAeKmG68S
🇪🇸 A threat actor is advertising an alleged dataset tied to Spain’s Agencia Tributaria electronic platform — the country’s official tax administration portal.
According to the listing, the exposed records allegedly include:
• full names
• DNI/NIE/CIF national identity identifiers
• birth dates
• residential information
• multiple phone numbers
• country/province data
• taxpayer-related metadata
• technical indicators/flags
And if authentic, this is exactly the kind of dataset cybercriminals love most:
high-confidence identity infrastructure.
Why?
Because government-linked identity datasets dramatically increase the effectiveness of:
• financial fraud
• tax scams
• identity theft
• synthetic identity creation
• banking impersonation
• social engineering
• telecom fraud
• SIM swapping
• account recovery abuse
One especially important point:
DNI/NIE identifiers are foundational identity attributes in Spain.
When attackers combine:
• national IDs
• phone numbers
• birth dates
• residence information
they can often build highly convincing fraud profiles.
And modern cybercrime is increasingly about:
identity correlation.
Not just “stealing passwords.”
Another major concern:
tax-related data carries unusually high trust value.
People panic when they receive:
• tax notices
• audit warnings
• refund alerts
• “missing payment” messages
Attackers know this extremely well.
So datasets like these can become fuel for:
• phishing campaigns impersonating tax authorities
• fake refund operations
• identity verification fraud
• malicious e-signature requests
• banking takeover attempts tied to tax filings
And yes…
some phishing emails now have better branding consistency than government portals themselves.
The listing also references:
• electronic certificates
• digital signatures
• taxpayer verification systems
which is particularly notable because trust ecosystems around digital identity infrastructure are now prime targets globally.
Governments increasingly rely on:
• centralized citizen identity systems
• e-government platforms
• electronic signatures
• digital tax workflows
which means compromise impact scales rapidly.
Another trend worth watching:
large citizen identity datasets are becoming strategic underground assets.
They are reused repeatedly across:
• fraud marketplaces
• credential stuffing ecosystems
• KYC bypass operations
• crypto onboarding fraud
• mule recruitment
• financial identity laundering
because verified identity data is now effectively a commodity.
At this stage, the authenticity and scope remain unverified.
However, organizations operating national-scale digital identity infrastructure should continuously monitor for:
• credential exposure
• unauthorized API access
• abnormal taxpayer queries
• identity enumeration activity
• phishing campaigns abusing government branding
• suspicious document verification requests
• e-signature abuse attempts
• underground marketplace activity targeting citizen records
Because once identity infrastructure data enters criminal ecosystems, the downstream effects can persist for years.
🇪🇸 #DDW #Intelligence #CyberSecurity #DarkWeb #Spain #DataLeak #ThreatIntelligence #IdentityTheft #Infosec #Fraud
War on the Rocks shows Salt Typhoon demonstrates China's data-centric espionage—collect widely, analyze fast, and operationalize at scale, challenging the U.S. reliance on traditional, exquisite intelligence. https://t.co/V3qHhcIpOM
🇨🇳 An underground forum post is advertising alleged “fresh secret PLA reports” for sale, referencing documents purportedly connected to Chinese military, defense, and strategic research topics.
The listing includes alleged reports related to:
• UAV and unmanned systems technologies
• cross-domain autonomous operations
• radar systems
• military intelligence analysis
• Taiwan-related strategic planning
• stealth measurement systems
• high-altitude endurance platforms
• defense R&D initiatives
• cross-strait political influence operations
The seller assigns individual prices to specific documents, with some listings allegedly tied to:
• air-surface unmanned coordination
• phased-array radar technologies
• stealth systems
• Taiwanese combat readiness assessments
• military-industrial research planning
The post also references:
• escrow-based transactions
• encrypted communication channels
• underground contact mechanisms including Telegram, Session, Tox, Matrix, and Jabber
At this time:
• the authenticity of the alleged documents has NOT been independently verified
• the source of the material remains unknown
• some documents may be fabricated, recycled, exaggerated, or partially authentic
• no official attribution or confirmation exists
Military-themed underground sales are frequently used for:
• fraud/scams targeting buyers
• influence operations
• disinformation campaigns
• intelligence baiting
• reputational signaling within underground communities
However, genuine defense-related leaks can create significant geopolitical and national security implications if authentic.
The references to:
• UAV coordination systems
• radar upgrades
• stealth technologies
• Taiwan-related military analysis
align with areas of active global strategic and defense interest.
Threat actors and espionage operators increasingly monetize:
• defense procurement data
• military R&D documentation
• contractor information
• strategic assessments
• aerospace research
• classified-adjacent technical materials
rather than relying solely on ransomware or credential theft.
The listing also demonstrates how cybercrime forums continue evolving into:
• intelligence-trading ecosystems
• access-broker marketplaces
• geopolitical leak platforms
• espionage monetization hubs
rather than purely criminal financial ecosystems.
Defense-sector organizations and contractors should remain alert for:
• spearphishing campaigns
• insider recruitment attempts
• credential targeting
• supply-chain compromise
• contractor ecosystem breaches
• document exfiltration operations
The underground use of:
• escrow systems
• decentralized messaging platforms
• pseudonymous communication tools
continues to complicate attribution and disruption efforts.
DDW is continuing to monitor:
• potential validation attempts
• reposts or mirrors of the alleged material
• attribution overlaps
• related espionage discussions
• downstream intelligence-trading activity
#CyberSecurity #ThreatIntelligence #China #PLA #Espionage #MilitaryIntelligence #DarkWeb #CyberCrime #Geopolitics #DDW #Intelligence
Sandworm Activity in Industrial Environments: What the Data Reveals
Nozomi
Sandworm is a Russian state-sponsored group also tracked as APT44, Seashell Blizzard, and Voodoo Bear.
https://t.co/KFf1mYxJAE
@nozominetworks
El "Cloud Soberano" de Marruecos
Marruecos da un golpe sobre la mesa en soberanía digital. Atlas Cloud Services se convierte en el guardián oficial de los datos del Estado, desplazando a los gigantes tecnológicos extranjeros.
https://t.co/a3lWPNvpTe
The Doppelgänger (aka Social Design Agency (SDA)) campaigns are a coordinated series of online influence operations attributed to Russian-linked actors and associated with the technical operator, Structura.
DomainTools Investigations
https://t.co/FMFoPwAyg9
@DomainTools