Undisclosed organization
December 1, 2025
•[ email bombing, Microsoft Teams impersonation, Snow malware ]
UNC6692 used email bombing and Microsoft Teams helpdesk impersonation to deliver the Snow malware suite, moved laterally through the victim environment, reached domain controllers, extracted the Active Directory database and registry hives with FTK Imager, and exfiltrated the files using LimeWire.
Center for Life Resources
November 14, 2025
•[ unauthorized access, network intrusion, data breach ]
Center for Life Resources identified unauthorized access to its network in mid-November 2025 and determined that files containing sensitive personal and protected health information may have been accessed or copied, which was later disclosed in regulatory notifications.
Georgia Superior Court Clerks’ Cooperative Authority
November 8, 2025
•[ ransomware, data exfiltration, cyber threat ]
The Devman ransomware group attacked the Georgia Superior Court Clerks Cooperative Authority beginning November 8, 2025. GSCCCA voluntarily restricted access to its systems while investigating a credible cyber threat. Devman claimed to have exfiltrated 500 GB of organizational data from GSCCCAs application servers and demanded a $400,000 ransom by November 27.
At least one Belgian diplomat
October 31, 2025
•[ cyber-espionage, spear-phishing, vulnerability ]
Arctic Wolf Labs and other researchers detailed a Chinese state-aligned cyber-espionage campaign in which UNC6384 targeted European diplomatic entities, notably in Hungary and Belgium, between September and October 2025. The group sent spear-phishing emails referencing real EU and NATO events that carried malicious Windows shortcut (.LNK) files exploiting the ZDI-CAN-25373 (CVE-2025-9491) vulnerability to execute obfuscated PowerShell, unpack a signed Canon utility and side-load a PlugX remote access trojan. The resulting implants, communicating over HTTPS to attacker-controlled domains, provide long-term access for reconnaissance, keylogging, command execution and collection of sensitive diplomatic documents and credentials aligned with PRC strategic intelligence priorities.
FullBeauty Brands, Inc.
October 18, 2025
•[ ransomware, data leak, unauthorized access ]
Unauthorized actors accessed FullBeauty Brands systems over several weeks in late 2025 and exfiltrated internal company data, later claimed by the Everest ransomware group, with no confirmed operational disruption publicly disclosed.
Fairfield City Council
October 16, 2025
•[ unauthorized access, data exfiltration, system disruption ]
Fairfield City Council said threat actors illegally accessed a portion of its IT environment in October 2025, disrupted systems, and exfiltrated sensitive staff and resident information while most council services continued operating with temporary workarounds.
North Texas Behavioral Health Authority
October 13, 2025
•[ network intrusion, data exfiltration, Social Security numbers ]
North Texas Behavioral Health Authority detected a network intrusion in October 2025; investigators found that unauthorized individuals accessed and exfiltrated files containing personal information, including Social Security numbers, affecting 285,000 individuals.
Arizona Federal Public Defender’s Office
September 24, 2025
•[ ransomware, data exfiltration, backup deletion ]
Ransomware detected Sept 24 2025 crippled Arizonas Federal Public Defender Office, encrypting decades of case files and deleting backups. Investigators suspectbut have not confirmeddata exfiltration. No threat group has claimed responsibility.
Jordan Civil Aviation Commission
September 1, 2025
•[ APT35, Charming Kitten, data exfiltration ]
KittenBusters/CloudSEK reporting described APT35 activity in which files from Jordans Civil Aviation Commission were silently exfiltrated before Irans February 2026 regional missile and drone campaign; the reporting linked APT35/Charming Kitten to Irans IRGC Intelligence Organization.
At least one Russian government agency or aviation company
September 1, 2025
•[ phishing, malicious advertising, malware ]
HeartlessSoul has targeted Russian government agencies, aerospace firms, aviation companies, and drone operators since at least September 2025 using phishing emails with infected attachments, malicious advertising, fake aviation-software download sites, fake SourceForge projects, and malware disguised as legitimate software. Public reporting indicates the campaign was successful against one or more victims and resulted in the exfiltration of GIS, satellite, GPS, terrain, digital geographic relief, and other proprietary geospatial data.
South Alabama Regional Planning Commission
August 6, 2025
•[ hacking, unauthorized access, protected health information ]
South Alabama Regional Planning Commission reported a hacking/IT incident involving unauthorized access to protected health information. Public reporting states that the substitute breach notice did not identify when access was detected or when unauthorized access occurred, but the investigation determined on August 6, 2025 that certain files had been copied from its systems. The incident affected 3,043 individuals.
Radiology Associates of Richmond
July 25, 2025
•[ data breach, unauthorized access, protected health information (PHI) ]
An unauthorized actor accessed Radiology Associates of Richmond's network environment on or about July 25, 2025, and files containing protected health information were acquired. RAR began notifying affected individuals on May 21, 2026; filings reported 266,183 affected individuals.
Undisclosed Southeast Asian conglomerate
July 1, 2025
•[ intrusion, data exfiltration, corporate data ]
The Osiris threat group conducted a prolonged intrusion against an undisclosed Southeast Asian conglomerate beginning in mid-2025, resulting in the exfiltration of large volumes of sensitive corporate and financial data. The incident is documented through security research and attacker leak site claims, without confirmation of ransomware encryption.
Ontario Health atHome
April 13, 2025
•[ ransomware, data exfiltration, healthcare ]
Ontario Medical Supply (OMS), a vendor supporting Ontario Health atHomes home care supply operations, experienced a ransomware incident in 2025. Reporting described earliest observed access on March 17, 2025, followed by ransomware payload execution on April 13, 2025, after which OMS systems failed and the organization was locked out of a significant portion of servers. Internal reporting referenced impacts to roughly 200,000 patients and indicated breached data included names, contact information, and medical supplies/equipment ordered. OMS later stated only a limited amount of incomplete data was exfiltrated and said it found no evidence of misuse at the time of its statement.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSBs 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Sam’s Club
March 28, 2025
•[ ransomware, data leak, cybersecurity investigation ]
Sams Club, a U.S. warehouse retail chain owned by Walmart Inc., is investigating claims by the ransomware group Clop that it breached the companys systems. Clop added Sams Club to its dark-web leak site but so far has not provided any proof of data exfiltration. Sams Club acknowledged awareness of the potential incident and emphasized protecting member information is a priority while its internal investigation continues.
Undisclosed software and services company (South Asia)
February 12, 2025
•[ data exfiltration, vulnerability, APT ]
A China-linked group known as Emperor Dragonfly exploited a Palo Alto PAN-OS vulnerability (CVE-2024-0012) to compromise an undisclosed medium-sized software and services company in South Asia. The attackers exfiltrated d
Virginia Attorney General’s Office
February 11, 2025
•[ cyber intrusion, data leak, data exfiltration ]
In February 2025, the Virginia Attorney Generals Office voluntarily shut down nearly all internal systems after detecting a sophisticated cyber intrusion. The criminal group Cloak later claimed responsibility, asserting it had stolen 134 GB of internal documents and posted samples to its leak site. Officials confirmed system shutdowns for containment but did not verify any file encryption or ransom demand, indicating an exfiltration-only intrusion rather than an active ransomware lockout.
Claim Expert
January 1, 2025
•[ data leak, data exfiltration ]
Data exfiltration and exposure of Pick n Pay customer information (~105 k records) from Claim Experts system by Bashe group; no encryption or operational disruption reported
