This week’s RansoMonitor Weekly highlights the threat actors, campaigns, countries, and industries that shaped the latest cyber threat landscape.
More than 1,500 security incidents were reported worldwide from July 5 through July 11, with ransomware leading the activity and government organizations facing the greatest impact.
What happened last week, July 5 - 11, 2026:
Key Statistics
- 1522 security incidents
- 11 campaigns reported
- 1481 new CVEs
Threat Actor Landscape
- There are currently 13 active threat actors, with notable mentions including NoName057(16) and Dark Storm Team.
Geographic Impact
- The United States emerged as the most impacted country, followed by Germany, Thailand, and Argentina, indicating a concerning trend of attacks targeting these regions.
Targeted Industries
- Government Administration was the most targeted industry, with Education and Information Technology Services also significantly impacted.
Dominant Incident Types
- Ransomware incidents were the most prevalent, with numerous attacks reported over the past week, particularly from the Qilin and DeadLock groups.
Threat Actor Campaign Highlights
- The OpGermany campaign by NoName stands out for its aggressive tactics, targeting numerous organizations across various industries with high attack intensity.
- Germany has been the most affected country, with multiple campaigns targeting various sectors, including government and financial services.
- The campaigns have primarily focused on industries such as Government Administration, Financial Services, and Airlines & Aviation, with several campaigns targeting each sector.
- The threat actors most active in these campaigns include Dark Storm Team and NoName057(16), both exhibiting notable persistence and adaptability.
Tune in next week for more #threatintel updates.
#ransomware #CTI #newsletter #CVE
New Ransomware Group
@barricadecyber is now tracking what appears to be a new ransomware operator: "GodDamn ransomwhere"
Email addresses:
God8Damn@hotmail[.]com
god8damn@cyberfear[.]com
Tox ID: qtox:ABAA98879B8184EF769256D5017773C1B027B61B620D81C2F4D2F571A89770145B82007C199F
New Ransomware Group
@barricadecyber is now tracking what appears to be a new ransomware operator: Sector9
DLS: v76bdil3v7hczufr7kwk75eq6oks27d3qwj6v5ajj6v6rubbvwhcq2qd[.]onion
Tox ID: 0CB7BEB4F390737D72070C4DAD8C1516A962C333DE7668ACA379CAA0DD7F1277CB6703B746B4
We will continue to monitor their activity closely and provide updates on our blog
Weekly Cyber Threat Summary (Past 7 Days)
Key Statistics
- Total reported security incidents: 1,428
- Active cyber campaigns: 7
- Newly documented CVEs: 1,826
Threat Actor Landscape:
Ten new threat actors entered the ecosystem this week. The most prominent activity came from NoName057(16) and Z-PENTEST ALLIANCE, with additional notable operations led by http://NXBB.SEC.
Geographic Impact
The United States remained the most heavily targeted country, followed by India, Iran, and France. In Europe, Poland and Ukraine faced particularly intense pressure, with multiple overlapping campaigns striking organizations across various sectors.
Targeted Industries
- Government Administration was the most affected sector.
- Education and Information Technology Services followed closely. Additional concentrated activity was observed in Agriculture, Electrical & Electronic Manufacturing, and Chemical Manufacturing.
Major Active Campaigns Five prominent campaigns dominated the reporting period. The OpPoland campaign, attributed to NoName057(16), stood out for its aggression, delivering high-intensity attacks against numerous organizations in Poland and France.
Dominant Incident Types
Data breaches were by far the most common incident type, accounting for 843 reported cases.
Malware & TTP Highlights
- ClearFake malware family showed extensive activity, primarily delivered via JavaScript exploits and tied to multiple associated domains, demonstrating sustained operational capability.
- SmokeLoader continued to serve as a reliable initial access vector across diverse environments.
- Cobalt Strike remained heavily used for lateral movement and post-exploitation, enabling deeper network access and data exfiltration.
- Kimwolf malware highlighted growing risks to mobile platforms.
Overall Assessment
The threat landscape remains highly dynamic, characterized by cross-platform attacks, evolving malware techniques, and shifting infrastructure for command-and-control. Organizations in government, education, critical manufacturing, and agriculture should maintain heightened vigilance. The rapid pace of new CVEs and the persistence of established actors like NoName057(16) underscore the need for proactive defense, timely patching, and robust monitoring.
Scattered Spider members, Thalha Jubair, 20, from east London, and Owen Flowers, 18, from Walsall, pleaded guilty to Computer Misuse Act offences linked to the major Transport for London cyberattack that began on 31 August 2024.
The attack disrupted TfL’s online services for about three months, affected around 10 million customers, and cost TfL roughly £39 million. Some customer personal information was accessed, online systems went down, and information boards were affected.
Investigators previously linked the intrusion to the cybercriminal group Scattered Spider. Flowers also admitted attempted hacks against Sutter Health and SSM Healthcare Corporation in the US. Both men are due to be sentenced on 15 July.
Source: https://t.co/BwgqwbxePX
If anyone cares what 'NoName' actually does anymore...
Campaign: OpEU by NoName
Description: The group claims to target multiple European countries under the campaign named "OpEU".
Link: https[:]//t[.]me/nnm05716english/2285
Here’s what happened in the past week:
- This week, there were a total of 1253 reported security incidents, alongside 5 ongoing campaigns and 1302 newly identified CVEs.- Eight new threat actors emerged, with several notable players including NoName057(16), EXADOS, and Z-PENTEST ALLIANCE remaining highly active.- The United States faced the highest number of security incidents, followed by France, Thailand, and Indonesia, indicating a concerning trend in these regions.- Government administration emerged as the most targeted industry, with education and financial services also experiencing significant incidents.- Ransomware incidents were particularly prevalent, with a staggering 63 cases reported this week, showcasing an ongoing threat landscape.
- This week, there were a total of 1253 reported security incidents, alongside 5 ongoing campaigns and 1302 newly identified CVEs.
- Eight new threat actors emerged, with several notable players including NoName057(16), EXADOS, and Z-PENTEST ALLIANCE remaining highly active.
- The United States faced the highest number of security incidents, followed by France, Thailand, and Indonesia, indicating a concerning trend in these regions.
- Government administration emerged as the most targeted industry, with education and financial services also experiencing significant incidents.
- Ransomware incidents were particularly prevalent, with a staggering 63 cases reported this week, showcasing an ongoing threat landscape.
Found some more Clearnet servers hosting the FulcrumSec threat actor group's infrastructure.
URL: fulcrum[.]st
IP: 137.184.114[.]170
Host: DigitalOcean
OS: Ubuntu
URL: data-removal[.]com
IP: 104.131.133[.]118
Host: DigitalOcean
OS: Ubuntu
URL: Unknown
IP: 64.23.242[.]23
OS: Ubuntu
Note: This server only supports port 80, port 443 connections are currently rejected
More and more threat actors seem to be migrating their servers to DigitalOcean.
The MorningStar threat actor group is continuing its campaign 'OpUsa by MORNING STAR'.
The group claims to have gained unauthorized access to multiple CCTV surveillance systems in the USA. The post also indicates that the group claims to be targeting the IT sector in the country.
Here’s what happened in the past week:
- This week, a total of 1156 security incidents and 0 campaigns were reported, alongside 1597 new CVEs.- The active threat actor count reached 11, with significant activity from groups like ShinyHunters and The Gentlemen.- The USA emerged as the most impacted country, followed by the UK, Thailand, and Indonesia, indicating a concentrated attack pattern in these regions.- Government administration was the most targeted industry, closely followed by education and IT services.- Ransomware incidents dominated the landscape, with 45 instances recorded in the past week.
- This week, a total of 1156 security incidents and 0 campaigns were reported, alongside 1597 new CVEs.
- The active threat actor count reached 11, with significant activity from groups like ShinyHunters and The Gentlemen.
- The USA emerged as the most impacted country, followed by the UK, Thailand, and Indonesia, indicating a concentrated attack pattern in these regions.
- Government administration was the most targeted industry, closely followed by education and IT services.
- Ransomware incidents dominated the landscape, with 45 instances recorded in the past week.
New Anubis DLS node: anubisyfkh5rixydjpoo3jqucauajz2juybrbtuglcppjj2y3eg3y6ad[.]onion
There are no listings on it yet, so unsure what is going on. Maybe a HA setup, migration to new site, or something else.
#CTI#ransomware#threatactor
The DOJ says two men have been charged in connection with “AudiA6,” a cryptocurrency money laundering service allegedly responsible for laundering more than $389 million in unlawful transactions since 2021.
According to prosecutors, Ruslan Tkachuk and Alexander Ledenev were arrested in Georgia as part of an international takedown targeting AudiA6 infrastructure, linked servers/domains, Telegram accounts, crypto assets, and Dark2Web, a cybercrime forum where the service allegedly advertised. The DOJ says the defendants are presumed innocent unless proven guilty in court.
IOCs:
all24[.]cc
audia6[.]best
audia6[.]cc
audia6[.]online
d2w[.]click
d2web[.]club
dark2web[.]app
dark2web[.]com
dark2web[.]online
Source: https://t.co/kbTr9HkVda
Threat actor 'The Gentlemen' has released a clearnet version.
Outside of "showing off", it is unclear why we are seeing a growing trend in this.
Clearnet: thegentlemen[.]cc
@barricadecyber has identified the emergence of a suspected ransomware group called “BlackX,” which appears to have been active since around May 2025.
🌐 Observed Infrastructure:
Observed infrastructure:
blackxppq2jvqyg4slyg3sbszv7ib2avaaycvhff5qipgdoepqi57xyd(.)onion
172.86.110[.]111:4000
111.110.86.172.static.cloudzy[.]com
#CTI #threatintel #ransomware #threatactor
ShinyHunters has leaked 42 Million records of data from Charter Communications.
DentaQuest has also been relisted after being taken down due to possible negotiations.
It appears that the TA Prinz Eugen might be a pure data exfiltration group. On the single victim claim of Standard Bank Group, the threat actor created a custom cock[.]li email address for communication. Like other pure exfiltration groups, they post the wallet address.
This one is interesting as they show the escalation timeline as a calendar. In each date there are a couple of files being leaked that date, showing a slow release of leaked data.
@barricadecyber is now tracking a new threat actor group:
Name:
Prinz Eugen
DLS:
http://6cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad[.]onion
Scattered LAPSUS$ Hunters onion domain has been seized
http://shinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid[.]onion
Note: Is this just a false flag, as the image mentions 'breachforums'.
We at @barricadecyber have discovered a new threat actor group:
TA: MIGA
DLS: https://t.co/m6RGjTWkG1
Banner: "This is not a ransomware group but a non-profit organization"
A.K.A:
#MakeIsraelGreatAgain