Introduction 

The weekly Cybersecurity Bulletin report has been prepared by the ECHO team to summarize and inform about cybersecurity incidents that have occurred in recent weeks.

---

Executive Summary

Bu bültende:

• Up-to-date information on cyber threats such as attacks, data leaks, malware, ransomware and critical security vulnerabilities is provided.
• Our security team analyzes these threats and prepares the weekly bulletin to minimize possible risks.

---

Malware of the Week: Vo1d Botnet Is a New Threat That Infected 1.6 Million Android TV Devices

Description

A new variant of the Vo1d botnet has infected 1.6 million Android TV devices worldwide.
Vo1d’s advanced encryption techniques, centralized control infrastructure (C2) and large-scale distribution network make it difficult to detect.

This botnet provides threat actors with the following opportunities by taking control of devices managed over the internet with malware:

• Organizing large-scale cyberattacks
• Committing ad fraud
• Creating proxy networks

Vo1d is similar to the Bigpanzi botnet discovered in 2024 and is likely an updated version by the same developers.

The biggest threat of this botnet is its potential to hijack commonly used devices such as televisions to steal users’ information, manipulate media and organize denial of service attacks (DDoS).

---

Background

The Vo1d botnet was first detected in 2024.

• In November 2024, an unknown ELF file “jddx” was analyzed and discovered to be a downloader associated with the Bigpanzi botnet.
• Subsequent analysis showed that Vo1d was a completely new variant** derived from Bigpanzi.

---

Scale and Impact

The Vo1d botnet has spread to over 200 countries and has infected 1.6 million Android TV devices.
Here is an example of the surface it can affect:

• In 2024, a 5.6 Tbps DDoS attack on Cloudflare was carried out using only 15,000 devices.
  Vo1d has a botnet 100 times the size of that.
• In 2016 the Mirai botnet took down the internet on the US East Coast. However, Vo1d’s capacity is even greater than Mirai.

Highlights:

• New attack samples: 89 different malware samples were caught.
• Control infrastructure: 21 C2 domains, 258 DGA (Domain Generation Algorithm) structures, and over 100,000 dynamic domains were detected.
• Daily active IP count: 800,000 on average, 1,590,299 devices were actively used at the peak.
• Advanced security measures:
• RSA encryption
• Special routing infrastructure
• XXTEA encryption techniques

---

Detection and Analysis Results

As of late 2024, 89 different malicious samples belonging to the Vo1d botnet have been caught.
On January 14, 2025, 1,590,299 devices were determined to be active.
RSA-based encryption provides strong protection against analysis.
Continues its malicious activities by establishing proxy and ad fraud networks.

TECHNICAL ANALYSIS

Part 1: Downloader “s63”

MD5: 9e116f9ad2ff072f02aa2ebd671582a5 
Magic: ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=70672a8ccee11976077ff4f3dc16966bbf67e965, stripped

“s63” is the core downloading component of the Vo1d botnet.
Its purpose is to download and run the script or payload that performs malicious operations on the devices.

1.1 Encrypting the Configuration

• Downloader stores the configuration data in the .data section.

• decstring function encrypts this data when called.

• The encryption method is based on the XOR operation.

When the decstring function is examined in detail, it was discovered that the ciphertext consists of two parts. A header and a body. The header is 3 bytes long and the XOR value of these bytes determines the length of the body. The first and second bytes of the header are used to decrypt the body with XOR. Below is an equivalent Python implementation of this decryption function

def decbuf(buf):
leng = buf[0] ^ buf[1] ^ buf[2]
out = ''
for i in range(3, leng + 3):
tmp = ((buf[i] ^ buf[1]) - buf[1]) & 0xff
out += chr((tmp ^ buf[0]))
return out

Decrypted configuration data:

• C2 server address: 38.46.218.36:9999
• File name to download: ts01

1.2 Network Communication

Downloader connects to Vo1d’s central server to download additional files.

Communication format with server: length:cmd:body
Commands:

• 0x10: Requests alternative download servers.
• 0x11: Downloads the main payload.

---

1.3 Traffic Encryption

• Vo1d botnet encrypts data traffic using RSA + XXTEA combination.
• In response to 0x11 command:
• First 256 bytes are encrypted with RSA.
• The rest is the main payload file encrypted with XXTEA.
• However, Vo1d botnet uses a modified version of the classic XXTEA here.
• Vo1d has replaced the XXTEA encryption algorithm with the ASR (Arithmetic Shift Right) operator.

---

Part 2: Payload “ts01”

This component allows Vo1d botnet to gain full control over the system.

Main components included:

1. install.sh:

   • Uninstalls old Vo1d versions.
   • Installs and runs new components.

2. cv Component:

   • Used to run Vo1d components.
   • Removes previously installed fake Google Play Services with the command pm uninstall com.google.android.services.
   • Increases persistence by loading the x.apk file.

3. vo1d Component:

   • This component is used to provide a backdoor and proxy service.

   • Contains a payload with XXTEA encryption.

   • When decrypted, it connects to the C2 servers of the Vo1d botnet.

   • The following is done for decryption:

   • Decrypted with the ASR XXTEA algorithm.

   • The init function is loaded into memory and executed.

4. x.apk Component

   • This APK is a malware that imitates Google Play Services.
   • It is automatically started when the device is turned on by listening for the BOOT_COMPLETED event.
   • Uses the excludeFromRecents=”true” flag to make itself invisible.

---

Part 3: Operational Analysis

3.1 DexLoader

• Vo1d botnet stores malware as DEX files.

• DexLoader executes these **encrypted DEX files by loading them into memory.

3.2 Mzmess Introduction

• Shows that Vo1d botnet is a modular malware platform.

• Mzmess is a plugin system used to provide ad fraud and proxy services.

3.3 Mzmess SDK

• SDK can update core components of Vo1d.

• Vo1d downloads updates using fake Google services.

3.4 Mzmess Plugins

Mzmess plugins and their functions used by Vo1d botnet:

• popa → Provides proxy services.
• jaguar → Redirects fake traffic through proxy network.
• lxhwdg → Provides remote access.
• spirit → Commits ad fraud.

Example: Request Used by “spirit” Plugin for Traffic Fraud

POST http://task.moyu88.xyz/cpc/api/task
Content-Type: application/json
Body: {"orderId":-1774990216,"tasks":[{"productId":0, ...

This generates fake clicks and ad impressions.

YARA and Sigma Rules

Yara Rule:

rule Vo1d_Malware_Detection
{
meta:
description = "Detects Vo1d malware based on known hashes, domains, and IP addresses"
malware_family = "Vo1d"

strings:
$hash_1 = "01a692df9deb5e8db620e4fb7e687836"
$hash_2 = "de8f69efdb29cdf5fd12dd7b74584696"
$hash_3 = "456e14aa644bd31d85e0fe6f78d8fc15"
$hash_4 = "6bb3258b688f81dfd03128bccf18823b"
$hash_5 = "0c454831bdb679bdd083c5a7cc785733"

$c2_1 = "ssl8rrs2.com"
$c2_2 = "ttekf42.com"
$c2_3 = "ttss442.com"
$c2_4 = "works883.com"
$c2_5 = "dcsdk.100ulife.com"

$ip_1 = "38.46.218.36"
$ip_2 = "38.46.218.37"
$ip_3 = "38.61.8.14"
$ip_4 = "69.28.62.49"

condition:
any of ($hash_*) or any of ($c2_*) or any of ($ip_*)
}

Sigma Rule:

title: Detect Vo1d Malware C2 and Downloader Traffic
id: c2d8f1e2-4b3f-4a6a-9d72-acebd3b1e214
status: experimental
description: Detects network communication related to Vo1d malware C2 and downloader activity
author: ECHO
logsource:
category: network_traffic
product: windows
detection:
selection:
DestinationIp:
- "38.46.218.36"
- "38.46.218.37"
- "38.61.8.14"
- "69.28.62.49"
- "156.236.118.48"
Request_URL|contains:
- "ssl8rrs2.com"
- "ttekf42.com"
- "ttss442.com"
- "works883.com"
- "dcsdk.100ulife.com"
- "gmslb.net"
- "phonemesh.org"
- "linkmob.org"
- "update.ad3g.com"
- "spiritlib.cyou"
condition: selection
falsepositives:
- Legitimate connections to cloud-based services
level: high
tags:
- attack.command_and_control
- attack.t1071.001
- attack.exfiltration

MITRE ATT&CK Tactics and Techniques

TACTICAL	ID	TECHNICAL
Execution	T1204.002	User Execution: Malicious File
Execution	T1059	Command and Scripting Interpreter
Execution	T1059.001	Command and Scripting Interpreter: PowerShell
Persistence	T1547.001	Registry Run Keys / Startup Folder
Privilege Escalation	T1068	Exploitation for Privilege Escalation
Defense Evasion	T1218	Signed Binary Proxy Execution
Credential Access	T1555.003	Credentials from Web Browsers
Discovery	T1083	File and Directory Discovery
Discovery	T1018	Remote System Discovery
Discovery	T1057	Process Discovery
Collection	T1005	Data from Local System
Exfiltration	T1041	Exfiltration Over C2 Channel
Command and Control	T1071.001	Application Layer Protocol: Web Protocols
Command and Control	T1090	Proxy
Impact	T1486	Data Encrypted for Impact

Ransomware Malware of the Week: EncryptHub: Ransomware and Information Theft via Trojan Horse Apps, PPI Services, and Phishing

Description and Overview

A threat actor called EncryptHub, with the aim of financial gain, is distributing ransomware and uses new methods to exfiltrate data. After infiltrating weak systems, attackers encrypt critical files and simultaneously transfer this data to external servers, thus forcing victims to pay higher ransoms.

EncryptHub distributes information stealing software and ransomware by conducting advanced phishing campaigns,

It is also developing a new malware called EncryptRAT.

---

Malware Details and MITRE ATT&CK

Type: Ransomware and data exfiltration tools

• Target Systems: Windows-based systems and corporate networks with inadequate segmentation
• Attack Methods:
• Phishing
• RDP brute-force attacks
• Network penetration through vulnerable VPN components

MITRE ATT&CK

Technical	Description
T1486	Data Encrypted for Impact – The act of encrypting files
T1027	Obfuscated Files or Information – Code obfuscation of malicious components
T1567	Exfiltration Over Web Service – Using web services for data exfiltration

---

Technical Details

Attack Methods

1. Trojan Horse Applications:

   • Fake versions of popular applications such as QQ Talk, WeChat, DingTalk, Google Meet and Microsoft Visual Studio 2022 are distributed to target users.
   • When these applications are installed, malware such as Kematian Stealer infiltrates the system and steals data.

2. PPI Services (Pay-Per-Install):

   • Third-party PPI services such as LabInstalls are used to deliver malware to a wide audience.
   • Malware is loaded onto devices in bulk for a certain fee.

3. Phishing Attacks (Phishing):

   • Users are directed to fake websites and their credentials are captured.
   • Especially VPN credentials are targeted, and ransomware and information-stealing malware are loaded over the compromised accounts.**

---

Effects of the Malware

Double Extortion

• The victim’s critical files are both encrypted and transferred to the attacker’s servers
• Thus, the victim faces the risk of having their data leaked even if they do not pay the ransom.

Critical System Control

• Windows machines and domain controllers are infiltrated and extensive permissions are gained over the system..

Lateral Movement in the Network

• Attackers can infect more systems by detecting new targets during the discovery phase*

---

Functions of the Malware

• Encryption Mechanism:

• Standard algorithms such as AES or RSA are used.

• Both ransomware and data leakage** methods are applied together.

• Automatic Data Leakage:

• Data backup to the attacker’s cloud or private FTP/HTTP servers.

• Code obfuscation to bypass logs (obfuscated)on) techniques are applied.

• Persistence Mechanisms:

• Anti-forensic techniques are used to remain undetected in the system for as long as possible.

• Methods such as log cleaning and trace deletion are being implemented.

Phishing Campaign of the Week: Phishing Campaign Performed with ClickFix Social Engineering Technique

Description, General Summary

A phishing campaign that started in December 2024 and is still ongoing, Booking.com is imitated and specifically targets accommodation organizations. These attacks use a social engineering technique called ClickFix to trick users into downloading malware. Microsoft tracks these attacks as Storm-1865.

---

Attack Method: ClickFix Technique

ClickFix is ​​a social engineering technique that tricks users into copying and running certain commands by tricking them with fake error messages or verification requests. It exploits users’ problem-solving abilities to enable malware to be downloaded.

---

Technical Details

Attack Chain

1. Spoofed Emails:

   • Attackers send emails that appear to come from Booking.com.
   • Emails; Includes negative customer reviews, account verification requests, or fake reservation requests.

2. Fake CAPTCHA Page:

   • Users who click on the link in the email are redirected to a legitimate-looking fake CAPTCHA page.
   • The user starts a malicious process by assuming they are authenticating.

3. Downloading Malware with ClickFix:

   • The user is directed to copy and execute a specific command to bypass the CAPTCHA.
   • The command downloads and executes the malware using legitimate Windows components such as mshta.exe.

---

Distributed Malware

The malware detected in this phishing campaign is as follows:

• XWorm: Remote access trojan (RAT).
• Lumma Stealer: Information stealing software.
• VenomRAT: Provides remote access and control.
• AsyncRAT: Can be used for remote administration.
• Danabot: Trojan targeting banking information.
• NetSupport RAT: Provides remote desktop control.

These malware are used for financial fraud and data theft by stealing user credentials.

---

Featured Vulnerabilities of the Week

Critical Vulnerability in FreeType Library (CVE-2025-27363)

A critical vulnerability has been discovered in the open source font rendering library FreeType. This vulnerability, identified as CVE-2025-27363, is reported to be actively exploited. This vulnerability has a CVSS score of 8.1 and is rated as high severity.

---

Vulnerability Details

This vulnerability is caused by an out-of-bounds write error that occurs when FreeType 2.13.0 and earlier handles subglyph structures related to TrueType GX and variable fonts. Specifically, when a signed short value is assigned to an unsigned long value and then a static value is added, this causes a memory allocation overflow, allocating a small amount of memory on the heap. Six signed long integers are then written outside of this memory area, which can lead to arbitrary code execution.

• Causes:
• A signed short value is assigned to an unsigned long value
• A memory allocation overflow occurs when a static value is added
• A small memory area is allocated on the stack, causing the overflow to write six signed long integers
• As a result, arbitrary code execution

---

Technical Details

Impact of the Vulnerability

This vulnerability allows remote code execution during processing of specially crafted font files.
Attackers can execute arbitrary code on the target systems and gain complete control.

Codes and Functions of the Vulnerability

The vulnerability occurs when the FreeType library processes subglyph structures related to TrueType GX and variable fonts. Assigning a signed short value to an unsigned long value and then adding a static value will cause a memory allocation overflow, which will allocate a small amount of memory on the stack. This memory space will then beSix signed long integers are written outside of the ., which can lead to arbitrary code execution.

---

Workaround

Users and system administrators are strongly advised to update the FreeType library to the latest version 2.13.3.

The following Linux distributions are particularly vulnerable to this vulnerability because they use older versions:

• AlmaLinux
• Alpine Linux
• Amazon Linux 2
• Debian stable / Devuan
• RHEL / CentOS Stream / AlmaLinux (8 and 9)
• GNU Guix
• Mageia
• OpenMandriva
• openSUSE Leap
• Slackware
• Ubuntu 22.04

System administrators using these distributions should immediately update to protect their systems.

Critical Vulnerabilities in Ruby-SAML Library: Authentication Bypass and Account Hijacking Risk

Description, Overview

GitHub has released a vulnerability in the ruby-saml library that allows attackers to bypass Security Assertion Markup Language (SAML) authentication mechanisms. Two high severity vulnerabilities have been identified. These vulnerabilities are tracked as CVE-2025-25291 and CVE-2025-25292 and have a CVSS score of 8.8/10.

---

Vulnerability Details

• CVE Codes: CVE-2025-25291, CVE-2025-25292
• CVSS Score: 8.8 / 10
• Affected Versions:
• Versions prior to 1.12.4
• Versions 1.13.0 through 1.18.0

These vulnerabilities are caused by the way that XML parsers such as REXML and Nokogiri handle XML data differently. This difference allows attackers to perform Signature Wrapping attacks and bypass authentication processes.

---

Technical Details

Impact of Vulnerability

Once attackers have a valid signature, they can use it to create their own SAML declarations and log into the system as any other user. This poses a serious threat to the security of the systems and can lead to unauthorized access.

Source of Vulnerability

XML parsers REXML and Nokogiri process the same XML input differently. This difference causes document structures to change and allows attackers to perform Signature Wrapping attacks.

Companies Hit by Ransomware

Veristat

• Group Name: Akira
• **Victim Attacked:**https://www.veristat.com
• Industry: Healthcare
• Impact: Over 63GB of key corporate documents leaked

Veristat is a science-driven pharmaceutical and biologics CRO (Contract Research Organization) and consulting firm that rapidly advances innovative therapies by integrating strategic planning, regulatory expertise, and clinical trial execution.

Types of Data Leaked:

• HR documents
• Employee and customer contact information (phone numbers, email addresses)
• Medicare documents
• Customer medical documents
• Confidential licenses, agreements, and contracts
• Financial data (audits, payment information, reports)

Yara Rule:

/*
Akira ransomware
*/

rule Akira
{
meta:
author = "rivitna"
family = "ransomware.akira.windows"
description = "Akira ransomware Windows payload"
severity = 10
score = 100

strings:
$s0 = "\x00--encryption_path\x00" ascii wide
$s1 = "\x00--share_file\x00" ascii wide
$s2 = "\x00--encryption_percent\x00" ascii wide
$s3 = "\x00-fork\x00" ascii
$s4 = "\x00-localonly\x00" ascii wide
$s5 = "\x00Failed to read share files\x00" ascii wide
$s6 = ":\\akira\\asio\\include\\" ascii
$s7 = "\x00write_encrypt_info error: \x00" ascii
$s8 = "\x00encrypt_part error: \x00" ascii
$s9 = "\x00Detected number of cpus = \x00" ascii
$s10 = "\x00No path to encrypt\x00" ascii
$s11 = "Paste this link - https://akira" ascii
$s12 = "\x00Trend Micro\x00" wide
$s13 = "Failed to make full encrypt" ascii wide
$s14 = "Failed to make spot encrypt" ascii wide
$s15 = "Failed to make part encrypt" ascii wide
$s16 = "Failed to write header" ascii wide
$s17 = "file rename failed. System error:" ascii wide
$s18 = "Number of thread to folder parsers = \x00" ascii
$s19 = "Number of threads to encrypt = \x00" ascii
$s20 = "Number of thread to root folder parsers = \x00" ascii
$s21 = "Failed to read share files!\x00" ascii

$h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?
49 F7 F2 4C 8B C8
( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |
41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )
41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2
48 8B C7 49 F7 F2 }
$h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00
0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02
48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }

condition:
(((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
(uint32(0) == 0x464C457F)) and
(
(7 of ($s*)) or
(1 of ($h*))
)
}

Thermoid.com

• Group Name: Cactus
• **Victim Attacked:**https://www.thermoid.com
• Sector: Manufacturing / Industrial
• Impact: Leaking of personally identifiable information and confidential corporate data

Founded in 1883 and headquartered in Dublin, Ohio, HBD Thermoid is a leading global, automotive, aerospace, mass is a company that manufactures industrial rubber products including transfer, chemical, marine, water, welding and multi-purpose industrial hoses, industrial ducts and conveyor belts.

Types of Data Leaked:

• Personally identifiable information
• Engineering data
• Customer and partner information
• Financial documents
• Corporate correspondence

Yara Rule:

rule CactusRule
{
strings:
$cactusStr = “CaCtUs.ReAdMe.txt”
$cactusHex = { 43 61 43 74 55 73 2e 52 65 41 64 4d 65 2e 74 78 74 }
condition:
$cactusStr or $cactusHex
}

rule CactusRansomware {
meta:
description = "rule to detect Cactus Ransomware"
author = "ShadowStackRe.com"
date = "2024-01-18"
Rule_Version = "v1"
malware_type = "ransomware"
malware_family = "Cactus"
License = "MIT License, https://opensource.org/license/mit/"
Hash = "9ec6d3bc07743d96b723174379620dd56c167c58a1e04dbfb7a392319647441a,c49b4faa6ac7b5c207410ed1e86d0f21c00f47a78c531a0a736266c436cc1c0a"
strings:
$strReadMe = "cAcTuS.readme.txt" wide
$strLockExt = ".cts" wide
$strTskName = "Updates Check Task" wide
$strTskName2 = "Google Service Update"
$strNTUSer = "ntuser.dat" wide
$strNTUSer2 = "ntuser.log" wide
$strBuilderName = "cactusbuilder"
condition:
uint16(0) == 0x5A4D and ($strReadMe and $strLockExt) and (1 of ($strTskName*)) and (1 of ($strNTUSer*)) or ($strBuilderName)
}

Swift Haulage Berhad

• Group Name: Akira
• **Victim Attacked:**Swift Haulage Berhad
• Sector: Logistics / Transportation
• Impact: Over 84GB of key corporate documents and financial company information leaked

Swift Haulage Berhad, Malaysia’s largest is one of the fastest growing fully integrated logistics providers. It is among the top carriers in all major ports in Peninsular Malaysia in terms of twenty-foot equivalent unit (TEU) volume.

Types of Data Leaked:

• Basic corporate documents
• Financial company information

Yara Rule:

/*
Akira ransomware
*/

rule Akira
{
meta:
author = "rivitna"
family = "ransomware.akira.windows"
description = "Akira ransomware Windows payload"
severity = 10
score = 100

strings:
$s0 = "\x00--encryption_path\x00" ascii wide
$s1 = "\x00--share_file\x00" ascii wide
$s2 = "\x00--encryption_percent\x00" ascii wide
$s3 = "\x00-fork\x00" ascii
$s4 = "\x00-localonly\x00" ascii wide
$s5 = "\x00Failed to read share files\x00" ascii wide
$s6 = ":\\akira\\asio\\include\\" ascii
$s7 = "\x00write_encrypt_info error: \x00" ascii
$s8 = "\x00encrypt_part error: \x00" ascii
$s9 = "\x00Detected number of cpus = \x00" ascii
$s10 = "\x00No path to encrypt\x00" ascii
$s11 = "Paste this link - https://akira" ascii
$s12 = "\x00Trend Micro\x00" wide
$s13 = "Failed to make full encrypt" ascii wide
$s14 = "Failed to make spot encrypt" ascii wide
$s15 = "Failed to make part encrypt" ascii wide
$s16 = "Failed to write header" ascii wide
$s17 = "file rename failed. System error:" ascii wide
$s18 = "Number of thread to folder parsers = \x00" ascii
$s19 = "Number of threads to encrypt = \x00" ascii
$s20 = "Number of thread to root folder parsers = \x00" ascii
$s21 = "Failed to read share files!\x00" ascii

$h0 = { 41 BA 05 00 00 00 41 80 FB 32 44 0F 42 D0 33 D2 48 8B C?
49 F7 F2 4C 8B C8
( B? 02 00 00 00 [0-4] 41 B? 04 00 00 00 |
41 B? 04 00 00 00 [0-4] B? 02 00 00 00 )
41 80 FB 32 44 0F 42 C? 41 8B C8 4? 0F AF C? 48 2B F9 33 D2
48 8B C7 49 F7 F2 }
$h1 = { C7 45 ?? 03 00 00 00 80 7D ?? 31 76 07 C7 45 ?? 05 00 00 00
0F B6 45 ?? 48 0F AF 45 ?? 48 C1 E8 02
48 B? C3 F5 28 5C 8F C2 F5 28 48 F7 E? 48 89 ?? 48 C1 E8 02 }

condition:
(((uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550)) or
(uint32(0) == 0x464C457F)) and
(
(7 of ($s*)) or
(1 of ($h*))
)
}

 

What’s Happening in the Hacker Forum World

---

Fivem.net 13.8M Unique Line Scraped & Dumped – Database, Leaked!

• Date: March 11, 2025
• Threat Actor: CountySorter
• Forum: BreachForums
• Share:

In March 2025, a major data breach occurred on the Fivem.net platform, popular in the game modding and roleplaying community. The threat actor shared a 2.5 GB dataset containing approximately 13.89 million unique rows on the forum.

Breach Details:

• 13,890,915 unique records
• Usernames and Steam IDs
• License keys and Xbox Live data
• Discord IDs and FiveM information

The leaked dataset is 611MB compressed and 2.5GB uncompressed.

Dominican Republic, 8M+ ID Cards Leaked – Database for Sale!

• Date: March 13, 2025
• Threat Actor: kirsis
• Forum: BreachForums
• Share:

March In 2025, Over 8 million ID card data belonging to the Dominican Republic was leaked. The threat actor offered this data for sale in various formats.

Breach Details:

• Over 8 million ID records (dated 2024/2025)
• Content:
• Names
• Addresses
• Dates of birth
• Face photos
• Passport information (those entering in 2022)
• Data formats: PDF, XLSX, SQL
• Sale price: 40.76627 BTC

The leaked data is being sold with a special web system for politicians, companies and universities.

Ontario Government Employee Database Leak

• Date: March 13, 2025
• Threat Actor: fesome
• Forum: BreachForums
• Share: