‼️🇺🇸 The group ShadowByt3$ claims to have breached the University of Georgia, stealing approximately 3.2 MB of employee data in raw text files. No customer data was reportedly affected.
▪️ Physical Locations: Home addresses (e.g., Columbus, GA) and specific office numbers
▪️ Private Contact Info: Personal cell and home phone numbers
▪️ Employee Info: Full names, contact details, institutional ID photos
▪️ Project Documentation: Internal university project tracking logs and admin data
▪️ Workforce Data: Position numbers, departmental assignments, work schedules
▪️ Technical Details: System maintenance and development notes
▪️ Critical Infrastructure: Active project maps for GEMA (Emergency Management), Georgia Broadband, and GDOT (Transportation) through 2026
▪️ Government Records: Asset forfeiture logs and county-level GIS (Athens-Clarke, Bibb) underpinning 911 dispatch and land taxes
▪️ Leadership Secrets: UGA Office of the President Mail Tracker and Gov360 anonymous executive coaching logs
▪️ SME Map: Identified "Subject Matter Experts" with detailed work hour tracking on specific code projects
▪️ Security Clearances: Differentiation between "Benefited" full-time employees (high-value targets) and "Student Assistants" (low-value entry points)
‼️🇲🇽 The Mexico dataset of C&A Modas, the international fashion retailer, has allegedly been leaked and made available for download on a popular cybercrime forum.
▪️ Records: 286,094 lines
The sample data shows Mexican customer records with full names, dates of birth, unique customer IDs, phone numbers, and personal email addresses.
‼️🇲🇽 A database allegedly belonging to the Instituto Tecnológico Superior de Irapuato, a Mexican higher education institution, has been leaked on a popular cybercrime forum.
Exposed fields reportedly include: full name (nombre completo), paternal surname (apellido paterno), maternal surname (apellido materno), phone number, personal Gmail, date of birth, address (domicilio), age, CURP (Mexican national ID number), career/major, disability status, income received (dinero que recibe), and more.
‼️ The Dutch National Police have issued a press release stating they were the target of a successful phishing attack, discovered it quickly, and immediately closed access.
https://www.politie.nl/nieuws/2026/maart/25/00-politie-doelwit-van-phishing.html
Politie
Police targeted by phishing
The police have been the target of phishing. The police's Security Operations Center discovered this very quickly and immediately closed off access. The impact is still being investigated but appears limited. Data of citizens and investigative information are…
Cyberattack News Alert
━━━━━━━━━━━━━━━━━━━━━━━━━
Victim: Omax Autos Limited
Domain: omaxauto.com
Country: 🇮🇳 IN
Date: Mar 27th, 2026
Claimed by: Lockbit5 ransomware gang
Summary:
Omax Autos Limited confirmed on March 27, 2026 that it suffered a ransomware attack on its IT infrastructure, following the detection of suspicious anomalies the day before. Although the company reported the incident to the Bombay and Delhi stock exchanges, it specified that its core operations and production chains currently remain intact. Investors reacted with volatility to the news, fluctuating between confidence in the security of critical systems and concerns about a potential leak of sensitive data.
Source: https://tradebrains.in/omax-autos-reports-ransomware-attack-it-systems-under-investigation-after-cyber-breach/
Trade Brains
Omax Autos Reports Ransomware Attack — IT Systems Under Investigation After Cyber Breach
Omax Autos Limited (OMAXAUTO) confirmed a ransomware attack on its IT infrastructure on March 27, 2026. While the company is assessing the impact, it stated that core operations and systems currently remain unaffected.
‼️🇲🇽 A database allegedly containing 318,000 user records from Bienestar.org, a healthcare organization serving the Latino Gay Community with HIV/AIDS treatment, sexual health, mental health, substance abuse counseling, and medication-assisted treatment since 1989, is being sold on a popular cybercrime forum.
▪️ Records: 318,000 users
▪️ Data Fields: First name, last name, mobile phone number, email, date of birth
▪️ Price: $300
Given the nature of the organization, this breach is particularly sensitive as it could potentially expose individuals' sexual orientation and healthcare status. The listing includes both the dataset and access to the platform.
‼️🇦🇪 Source code from multiple UAE websites has allegedly been leaked on a popular cybercrime forum, including exposed repositories and projects.
▪️ Country: UAE
▪️ Leak Type: Source code + exposed repositories/projects
▪️ Includes: PHP code samples and GitHub Personal Access Token (PAT)
The post lists multiple affected platforms and includes a PHP code sample as proof.
‼️A high-ranking forum moderator is publicly seeking to buy any data or access from active or defunct BreachForums clones, claiming the goal is to "put an end to these clones."
▪️ Seeking: Data, server access, database backups, exploits, staff/admin accounts
▪️ Targeted Domains: .sb, .ac, .fi, .bf, .us, etc.
▪️ Offer: "Exceptional amount" for staff or admin access
The post is directed at anyone who is staff, has server access, holds a database backup, or possesses an exploit related to any BreachForums clone operation.
🔪 Slice For Life 🔪
This internal script I've been using to find different domains that were just registered. I'm getting closer to releasing it on GitHub... it's fairly simple and brings back results very quickly. It is a Python script that scans a base domain across 800+ TLDs…
I don't have much more to add to this tool, to be honest. I'm just running some tests and need to create a README on GitHub. The only addition since this past update is that it will provide an HTML file from the rolling updates you've done for that particular keyword.
Will release this next week on GitHub.
⚠️ FBI Watchdog - WHOIS Change ⚠️
🔗 DarkWebInformer.com - Cyber Threat Intelligence
Domain: handala-team.to
Record Type: WHOIS Change
Time Detected: 2026-03-27 17:57:52 UTC
Previous Records:
status: ['clienttransferprohibited']
New Records:
status: ['clienttransferprohibited'] → ['clienttransferprohibited', 'serverhold', 'serverupdateprohibited']
‼️Access to over 30 Claro Cloud user websites is allegedly being offered on a popular cybercrime forum, with claims that the telecom giant's cloud platform has severe security flaws allowing malicious code uploads and website infections.
▪️ Target: Claro Cloud (sitios web / website hosting platform)
▪️ Sites Affected: 30+
▪️ Access Level: Full website management panel (build, pages, clipboard, design, options, settings, databases)
▪️ Exposed Data: Advisor names, mobile numbers, emails, zone information
▪️ Backend Access: FTP Administrator, Windows Services, email, metrics, website creators, files, and databases
Screenshots demonstrate full access to the Claro Cloud admin panel, including the ability to edit HTML, manage web apps, view client advisor contact data, and access database management tools.
One screenshot shows a defacement with "HACKED BY WORRYSEC" injected into a live site as proof of exploitation.
🔪 Slice For Life 🔪
‼️ Handala Hack claims "Tonight, your sons will deliver a surprise in a joint cyber-missile operation. Do not forget the recitation of Surah al-Fath." What a time to be alive.
We are going to need lots of alcohol sevy, get it ready. 😂
Just an FYI, you may see duplicate posts on the threat feed for the next 48 hours or so. It will be minimal; it's to provide better screenshots on the feed in the coming days/week. Ignore them unless you see them published on different claim sites.