The report details multiple cyber incidents affecting financial organizations, including a 90 GB database leak from an offshore services firm, an 845 GB ransomware claim by D4RK 4RMY against a Japanese financial group, and DDoS-related activity involving hacktivist group Keymous targeting Iraqi banks. It also highlights recommended defensive measures and provides file-hash indicators linked to malware or intrusion activity. #D4RK4RMY #Keymous
Key points
- A threat actor (chase461) posted on DarkForums claiming a 90 GB leak of corporate and sensitive client data from the Hong Kong business division of an offshore corporate and fund services firm, affecting records for roughly 2,000 foreign entities.
- The leaked dataset reportedly includes articles of incorporation, shareholder and beneficial owner information, passports and IDs, bank account numbers, financial statements, and invoices, creating cross-jurisdictional legal and privacy risks.
- Ransomware group D4RK 4RMY claimed to have stolen about 845 GB of data from a major Japanese financial holding company and set a ransom deadline, though the group’s leak post was later removed from the site.
- Hacktivist group Keymous claimed involvement around DDoS activity affecting three major Iraqi banks, citing ideological motives and causing availability and reputational risks for cross-border financial services.
- The report emphasizes defensive measures: stronger encryption and access controls, reviewing access privileges and document paths, network segmentation, real-time monitoring for large data transfers, DDoS mitigation, and tested business continuity plans.
- An MD5 list of file hashes is provided as potential indicators linked to malware or intrusion artifacts discovered during investigations.
- Recommendations include regular penetration testing, log monitoring, multi-layered security for core systems, ransomware recovery procedures, and external crisis communication planning.
MITRE Techniques
- [T1530] Data from Information Repositories – Exfiltration of corporate registries, identification documents, financial statements and related files from an offshore corporate management/document system (“…a large amount of customer data…about 90 GB in size and includes 450,000 files…corporate registry…passports, national IDs, and proof of address, and sensitive financial information…”).
- [T1486] Data Encrypted for Impact – Ransomware group D4RK 4RMY claimed theft and extortion of approximately 845 GB of data with a ransom deadline, indicating encryption or data-leak extortion (“…claims to have stolen data amounting to approximately 845 GB and has set the deadline for the ransom payment…”).
- [T1499] Endpoint Denial of Service (DDoS) – Hacktivist activity targeting bank availability and online services via DDoS against multiple Iraqi banks (“…claimed to have successfully prevented DDoS attacks against three major banks…the impact could spread globally…”).
- [T1041] Exfiltration Over C2 Channel – Large data transfers and abnormal traffic detection recommended, implying past use of exfiltration channels for moving large volumes of stolen data (“…establish a real-time monitoring system for detecting large data transfers and abnormal traffic…”).
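The defensive measures above (real-time monitoring for large data transfers) and the T1041 note both come down to the same detection: aggregate outbound bytes per internal host over a time window and alert when one host sends far more than expected. The following is an added example, not code from the ASEC report, showing that logic over a constructed set of flow records; the comma-separated record layout, the 10.0.0.0/8 internal range, the one-hour window and the 1 GB threshold are all assumptions for the example.

```python
"""Flag internal hosts with unusually large outbound transfers.

Added example (not from the ASEC report). Flow records are a simplified
timestamp,src,dst,bytes format (assumption, not a real vendor export).
Only internal -> external flows count; internal -> internal staging is
left to a separate lateral-movement detection.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flows: 10.0.1.15 pushes ~12 GB to one external host
# within 40 minutes; 10.0.1.22 is normal; 10.0.1.30 moves 9 GB but only
# to another internal host; the last line is inbound and is ignored.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00,10.0.1.15,203.0.113.9,4200000000
2024-05-01T09:20:00,10.0.1.15,203.0.113.9,3900000000
2024-05-01T09:40:00,10.0.1.15,203.0.113.9,4100000000
2024-05-01T09:05:00,10.0.1.22,198.51.100.4,52000000
2024-05-01T09:30:00,10.0.1.22,198.51.100.7,61000000
2024-05-01T09:10:00,10.0.1.30,10.0.2.5,9000000000
2024-05-01T09:15:00,203.0.113.50,10.0.1.15,15000
"""

# Assumed internal address space for the example.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str):
    """Parse the simplified flow export into (timestamp, src, dst, bytes)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split(",")
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def outbound_volume(flows, window=timedelta(hours=1)):
    """Return {host: peak bytes sent externally within any sliding window}."""
    per_host = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_host[src].append((ts, nbytes))

    peaks = {}
    for host, events in per_host.items():
        events.sort()
        start, running, peak = 0, 0, 0
        for ts, nbytes in events:
            running += nbytes
            # Drop events that fell out of the window ending at `ts`.
            while ts - events[start][0] > window:
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        peaks[host] = peak
    return peaks


def flag_large_transfers(flows, window=timedelta(hours=1), threshold_bytes=10**9):
    """Hosts whose peak windowed outbound volume meets the threshold (1 GB assumed)."""
    peaks = outbound_volume(flows, window)
    return sorted(host for host, total in peaks.items() if total >= threshold_bytes)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host in flag_large_transfers(flows):
        gb = outbound_volume(flows)[host] / 10**9
        print(f"ALERT {host}: {gb:.1f} GB sent externally within one hour")
```

The sliding window matters: a single 4 GB flow may be legitimate backup traffic, but three of them to one external host inside 40 minutes is the pattern that precedes a multi-hundred-gigabyte leak claim. In production the threshold should be derived from each host's own baseline rather than a fixed constant, and the alert should carry the destination so the SOC can check it against known services.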
Indicators of Compromise
- [File Hashes] MD5 hashes linked to observed artifacts or malware samples – 011aaa07056f4a61aed4995436dad63b, 0336ba3c3f7b9a77a2f18a04259ccb3b, and 3 more hashes.
- [Data Volume / Leak Context] Stolen dataset descriptors – ~90 GB corporate/offshore documents (chase461 leak), ~845 GB claimed exfiltration by D4RK 4RMY.
- [Actor Handles / Forum Posts] Threat actor and postings – “chase461” (DarkForums post claiming 90 GB leak), D4RK 4RMY leak post (ransom claim, later removed).
Read more: https://asec.ahnlab.com/en/90110/