The ransomware landscape is changing. The most exposed actors—LockBit, Hunters International, and Trigona—have paid the price for overexposure, including international operations, infiltrations, deliberate leaks, and operational collapses. After years dominated by quasi-industrial models—affiliate panels, leak sites, public chats, and aggressive marketing—groups are emerging that reject the “LockBit-style” logic and are moving toward a more opaque, minimal, almost “SIGINT operator” approach. Low-profile , technical, almost “professional,” they adopt strategies of operational invisibility . The most recent case is MONOLOCK , a new ransomware group that appeared on DarkForums on October 19, 2025 with a manifesto that seems more like it was written by

In recent days, the alleged data leak by Ernst & Young (EY) has become one of the most discussed topics in the international cybersecurity landscape. I decided to reconstruct the story step by step, starting from the technical evidence shared by Recorded Future and the analysis by Neo Security , to understand not only how the exposure occurred, but also what it can teach us about the control of digital assets in complex cloud environments like EY’s. The file, in .BAK format, was accessible without authentication and may have contained sensitive information , such as API keys, service credentials, and authentication tokens.

A new post on the dark web offers full access to thousands of MySQL servers and databases owned by Italian shared hosting providers. In the last few hours, a new thread appeared on an underground forum with the unequivocal title: “Italian hosting service sites – 9 more 40 servers – 526193 site’s backup – 4631 hosting customer – 6546 MySQL db’s”. Disclaimer: This report includes screenshots and/or text from publicly available sources. The information provided is for threat intelligence and cybersecurity risk awareness purposes only. Red Hot Cyber condemns any unauthorized access, improper dissemination, or misuse of this data. It is currently

On September 20, 2025, at 11:52 PM, a thread titled “FRESH FTP LEAK” appeared on DarkForums , posted by user Hackfut . The material allegedly exposed access to FTP servers distributed across several countries, including Italy , the Netherlands, the Philippines, Peru, Chile, Australia, and Latvia. The targets included companies, schools, hospitality facilities, event sites, e-commerce sites, and media outlets . The dump’s contents consist of hostnames/FTP domains, usernames, and passwords in clear text . Unfortunately, the critical issue for our country is the significant number of Italian domains present within the collection, which is made available free of charge to users

A déjà-vu with new implications. In May 2025, the LockBit ransomware collective suffered a severe blow: the defacement of the affiliate panel of version 4.0 by an unknown actor signing themselves “XOXO from Prague”, accompanied by the leak of an SQL database containing chats, wallets, and affiliate data. At that time, LockBitSupp had even offered a reward for anyone who provided information about the author. Over the past 24 hours, the scene has repeated itself, but with a significant twist: this time, not just a public deface, but an internal compromise of the 5.0 build panel. The leaked screenshots show the Linux

While the West battles ransomware attacks and private companies invest in defensive security, on the other side of the digital front, the war is being played out asymmetrically. On July 28, 2025, Russia’s national airline Aeroflot was hit by a massive cyberattack claimed by pro-Ukrainian groups Silent Crow and Cyberpartisans BY, causing flight cancellations, a direct financial impact on the stock market, and – according to underground sources – the compromise and destruction of over 7,000 internal servers. The attack represents one of the most devastating offensive operations suffered by Russian critical infrastructure since the beginning of the conflict with Ukraine. The

Imagine opening your favorite forum bookmark, like every evening, to find new stealer variants or yet another batch of newly breached credentials. Instead of the usual noticeboard, a banner appears with three prominent logos: the French Brigade for the Fight against Cybercrime, the Ukrainian Cyber Intelligence Department, and Europol. Below, a blunt text: “This domain has been seized.” Thus the curtain fell on XSS.IS, the clandestine auction room that for twelve years brought malware developers, access brokers, and ransomware affiliates together. What follows is not just the story of a dawn raid: it is the The story of a timed investigation that,