Threat Actor Leaked Data from Major Bulletproof Hosting Medialand

On March 28, 2025, an unidentified threat actor leaked internal data from Medialand, a major bulletproof hosting (BPH) provider with extensive ties to cybercriminal operations worldwide and long linked to the threat actor known as Yalishanda (also tracked as LARVA-34). The leaked records expose infrastructure that has supported a wide spectrum of malicious activity, including ransomware deployment, phishing campaigns, and data exfiltration operations. The data enables pattern analysis that may reveal operational signatures unique to specific threat actors, improving the cybersecurity community’s ability to identify and track malicious campaigns even as actors change their techniques.

PRODAFT researchers identified preparatory activity preceding the leak: the threat actor created a dedicated Telegram channel on February 23, 2025, likely in preparation for the eventual data release. The hosting service has been instrumental in maintaining servers for various cybercriminal enterprises, including code-signing systems, phishing kits, data exfiltration panels, and ransomware infrastructure associated with groups such as BlackBasta. The implications extend beyond immediate operational disruption: law enforcement and security researchers may be able to establish connections between previously unlinked campaigns and threat actors based on shared infrastructure, and analysts can now correlate indicators of compromise (IOCs) across seemingly disparate campaigns, potentially leading to the partial or complete de-anonymization of threat actors who believed their operations were secure.

The exposed data encompasses records up until February 2025 and contains detailed information about server purchases, payment records (including cryptocurrency transactions), and potentially personally identifiable information of Medialand’s clients. The timeline suggests careful planning: the leak followed a February 11 BlackBasta data exposure and a March 14 update from Yalishanda on a known underground forum.

This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Apr 2025 11:45:18 +0000


Cyber News related to Threat Actor Leaked Data from Major Bulletproof Hosting Medialand

How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
1 year ago Aws.amazon.com
Russian bulletproof hosting service Aeza Group sanctioned by US for ransomware work | The Record from Recorded Future News - Aeza Group is a bulletproof hosting (BPH) services provider, the department said, that allows cybercriminals to avoid law enforcement while renting IP addresses, servers and domains used for disseminating malware, supporting darknet markets and ...
5 months ago Therecord.media LockBit
BulletProof Hosting Provider Qwins Ltd Fueling Global Malware Campaigns - This systematic approach to network utilization demonstrates the sophisticated nature of modern bulletproof hosting operations and their critical role in enabling large-scale cybercriminal campaigns across multiple malware families and attack ...
4 months ago Cybersecuritynews.com
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
2 years ago Feeds.fortinet.com CVE-2023-42793 APT29
25 Best Managed Security Service Providers (MSSP) - 2025 - Pros & Cons: Pros: Strong threat intelligence & expert SOCs; 24/7 monitoring & rapid incident response; Flexible, scalable, hybrid deployments. Cons: High pricing for SMBs; Complex UI and steep learning curve; Limited visibility into endpoint ...
5 months ago Cybersecuritynews.com
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor's Activity - By analyzing tools, logs and artifacts left open to the internet, we were able to profile the threat actor and their victims. After analyzing the artifacts we can conclude with moderate confidence that the majority of the threat actor activity ...
2 years ago Thedfirreport.com
Meet Ika & Sal: The Bulletproof Hosting Duo from Hell - In 2020, the United States brought charges against four men accused of building a bulletproof hosting empire that once dominated the Russian cybercrime industry and supported multiple organized cybercrime groups. The Spamdot admins went by the ...
1 year ago Krebsonsecurity.com
Windows Incident Response: Human Behavior In Digital Forensics, pt III - Digital forensics can provide us insight into a threat actor's sophistication and situational awareness, which can, in turn, help us understand their intent. Observing the threat actor's actions helps us understand not just their intent, but what ...
1 year ago Windowsir.blogspot.com
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
1 year ago Thedfirreport.com Trigona
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
2 years ago Unit42.paloaltonetworks.com
Russian Hackers Using Russia-Based Bulletproof Network to Switch Network Infrastructure - Russian-aligned hacking groups UAC-0050 and UAC-0006 have been observed switching their network infrastructure through bulletproof hosting providers, enabling persistent campaigns against Ukrainian entities and their international allies. The complex ...
8 months ago Cybersecuritynews.com
Qilin Ransomware Gang Uses Ghost Bulletproof Hosting to Evade Takedowns - The Qilin ransomware group has adopted advanced evasion techniques by leveraging ghost bulletproof hosting services to maintain their malicious infrastructure. These hosting providers are notorious for ignoring abuse complaints, allowing ransomware ...
2 months ago Cybersecuritynews.com Qilin ransomware group
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
2 years ago Microsoft.com
Bulletproof Hosting Provider Aeza Group Shifting Their Infrastructure to New Autonomous System - Following U.S. Treasury sanctions imposed on July 1, 2025, the notorious bulletproof hosting provider Aeza Group has rapidly migrated its infrastructure to a new autonomous system in an apparent attempt to evade enforcement measures. The U.S. ...
5 months ago Cybersecuritynews.com
Hacker leaks millions of new 23andMe genetic data profiles - A hacker has leaked an additional 4.1 million stolen 23andMe genetic data profiles for people in Great Britain and Germany on a hacking forum. Earlier this month, a threat actor leaked the stolen data of 1 million Ashkenazi Jews who used 23andMe ...
2 years ago Bleepingcomputer.com Rocke Hunters
APT trends report Q1 2024 - Careto is a highly sophisticated threat actor that has been seen targeting various high-profile organizations since at least 2007. The last operations conducted by this threat actor were observed in 2013. Our private report provided a detailed ...
1 year ago Securelist.com OilRig Sidewinder
Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com Kimsuky
Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets - Infostealers infect computers, steal all of the credentials saved in the browser along with active session cookies and other data, then export it back to command and control infrastructure before, in some cases, self-terminating. This article will ...
1 year ago Bleepingcomputer.com
Bulletproof Host Stark Industries Evades EU Sanctions - The article discusses how the bulletproof hosting provider Stark Industries has been evading European Union sanctions. Bulletproof hosting services are notorious for providing cybercriminals with infrastructure that resists takedown efforts by law ...
3 months ago Krebsonsecurity.com
Aeza Group sanctioned for hosting ransomware, infostealer servers - The U.S. Department of the Treasury has sanctioned Russian hosting company Aeza Group and four operators for allegedly acting as a bulletproof hosting company for ransomware gangs, infostealer operations, darknet drug markets, and Russian ...
5 months ago Bleepingcomputer.com LockBit BianLian
Cyberattack on Russian independent media had links to US-sanctioned institute, researchers find | The Record from Recorded Future News - In a report last week, U.S. cybersecurity firm Trustwave revealed that the threat actor known as Blind Eagle used the Russian bulletproof hosting service Proton66 to host various types of malicious content, including phishing pages. The hosting ...
5 months ago Therecord.media LockBit
Proofpoint Exposes Sophisticated Social Engineering Attack on Recruiters That Infects Their Computers With Malware - Recruiters and anyone else involved in hiring processes should be knowledgeable about this social engineering attack threat. A new report from U.S.-based cybersecurity company Proofpoint exposes a new attack campaign operated by a ...
2 years ago Techrepublic.com
Threat Intelligence Feeds Flood Analysts With Data, But Context Still Lacking - By combining external threat data with internal risk assessments, contextual threat intelligence helps organizations measure the risk level of alerts or vulnerabilities in relation to their business and technical assets, ensuring that the most ...
8 months ago Cybersecuritynews.com
Dutch Police seizes 127 XHost servers, dismantles bulletproof hoster - Earlier this week, the authorities in the United States, Australia, and the United Kingdom, announced sanctions against the same bulletproof hosting provider for its involvement in cybercrime operations. The servers were located in the Paul van ...
10 months ago Bleepingcomputer.com LockBit