Georgia Superior Court Clerks’ Cooperative Authority
November 8, 2025
•[ ransomware, data exfiltration, cyber threat ]
The Devman ransomware group attacked the Georgia Superior Court Clerks Cooperative Authority beginning November 8, 2025. GSCCCA voluntarily restricted access to its systems while investigating a credible cyber threat. Devman claimed to have exfiltrated 500 GB of organizational data from GSCCCAs application servers and demanded a $400,000 ransom by November 27.
At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
FullBeauty Brands, Inc.
October 18, 2025
•[ ransomware, data leak, unauthorized access ]
Unauthorized actors accessed FullBeauty Brands systems over several weeks in late 2025 and exfiltrated internal company data, later claimed by the Everest ransomware group, with no confirmed operational disruption publicly disclosed.
Fairfield City Council
October 16, 2025
•[ unauthorized access, data exfiltration, system disruption ]
Fairfield City Council said threat actors illegally accessed a portion of its IT environment in October 2025, disrupted systems, and exfiltrated sensitive staff and resident information while most council services continued operating with temporary workarounds.
Arizona Federal Public Defender’s Office
September 24, 2025
•[ ransomware, data exfiltration, backup deletion ]
Ransomware detected Sept 24 2025 crippled Arizonas Federal Public Defender Office, encrypting decades of case files and deleting backups. Investigators suspectbut have not confirmeddata exfiltration. No threat group has claimed responsibility.
Undisclosed Southeast Asian conglomerate
July 1, 2025
•[ intrusion, data exfiltration, corporate data ]
The Osiris threat group conducted a prolonged intrusion against an undisclosed Southeast Asian conglomerate beginning in mid-2025, resulting in the exfiltration of large volumes of sensitive corporate and financial data. The incident is documented through security research and attacker leak site claims, without confirmation of ransomware encryption.
Ontario Health atHome
April 13, 2025
•[ ransomware, data exfiltration, healthcare ]
Ontario Medical Supply (OMS), a vendor supporting Ontario Health atHomes home care supply operations, experienced a ransomware incident in 2025. Reporting described earliest observed access on March 17, 2025, followed by ransomware payload execution on April 13, 2025, after which OMS systems failed and the organization was locked out of a significant portion of servers. Internal reporting referenced impacts to roughly 200,000 patients and indicated breached data included names, contact information, and medical supplies/equipment ordered. OMS later stated only a limited amount of incomplete data was exfiltrated and said it found no evidence of misuse at the time of its statement.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSBs 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Sam’s Club
March 28, 2025
•[ ransomware, data leak, cybersecurity investigation ]
Sams Club, a U.S. warehouse retail chain owned by Walmart Inc., is investigating claims by the ransomware group Clop that it breached the companys systems. Clop added Sams Club to its dark-web leak site but so far has not provided any proof of data exfiltration. Sams Club acknowledged awareness of the potential incident and emphasized protecting member information is a priority while its internal investigation continues.
Undisclosed software and services company (South Asia)
February 12, 2025
•[ data exfiltration, vulnerability, APT ]
A China-linked group known as Emperor Dragonfly exploited a Palo Alto PAN-OS vulnerability (CVE-2024-0012) to compromise an undisclosed medium-sized software and services company in South Asia. The attackers exfiltrated d
Virginia Attorney General’s Office
February 11, 2025
•[ cyber intrusion, data leak, data exfiltration ]
In February 2025, the Virginia Attorney Generals Office voluntarily shut down nearly all internal systems after detecting a sophisticated cyber intrusion. The criminal group Cloak later claimed responsibility, asserting it had stolen 134 GB of internal documents and posted samples to its leak site. Officials confirmed system shutdowns for containment but did not verify any file encryption or ransom demand, indicating an exfiltration-only intrusion rather than an active ransomware lockout.
Claim Expert
January 1, 2025
•[ data leak, data exfiltration ]
Data exfiltration and exposure of Pick n Pay customer information (~105 k records) from Claim Experts system by Bashe group; no encryption or operational disruption reported
Undisclosed cryptocurrency market-making firm
October 20, 2024
•[ data exfiltration, cryptocurrency, state-sponsored attack ]
Recorded Future observed C2 reconnaissance followed by FTP exfiltration from a market-making firm in the UAE during the Contagious Interview campaign (OctNov 2024). Attributed to the NGB 3rd Technical Surveillance Bureau (North Korea).
Undisclosed online casino operator
October 20, 2024
•[ Data exfiltration, State-sponsored attack, Reconnaissance ]
Recorded Future analysis identified reconnaissance and FTP exfiltration traffic from a Costa Rican online casino targeted in the Contagious Interview campaign (OctNov 2024), attributed to the NGB 3rd Technical Surveillance Bureau (North Korea).
