Exchange Markets Targets Gulf Finance; Fox Tempest Disrupted

Events tracked: 137
Critical exposure: 47

Summary

Today's threat landscape is defined by a concentrated campaign against Gulf financial institutions and a significant law enforcement disruption of a malware-signing service. The actor Exchange Markets has allegedly claimed breaches at multiple sovereign wealth funds and stock exchanges in Qatar and Kuwait, signaling a targeted intelligence-gathering operation. Separately, Microsoft's takedown of the Fox Tempest platform removes a key enabler for ransomware groups, while defenders must prepare for an imminent critical Drupal patch.

Today's developments

  • Exchange Markets targets Gulf financial sector: The actor Exchange Markets has allegedly claimed data breaches at seven entities in Qatar and Kuwait, including the Qatar Investment Authority, Qatar Stock Exchange, Kuwait Investment Authority, Kuwait Finance House, Boursa Kuwait, and others. These claims, if verified, represent a coordinated campaign against sovereign wealth funds, stock exchanges, and financial regulators in the region. The victims span government administration and financial services, suggesting a focus on high-value economic intelligence. Security teams in Gulf financial institutions should immediately verify whether any of their systems or third-party connections intersect with these named entities.

  • Microsoft disrupts Fox Tempest malware-signing service: Industry researchers report that Microsoft has taken legal and technical action to disrupt Fox Tempest, a service that provided cybercriminals with code-signing tools to bypass security controls. The platform, active since May 2025, enabled ransomware operators and other threat actors to distribute malware disguised as legitimate software. This disruption removes a critical supply-chain enabler for multiple ransomware groups and should reduce the volume of signed malware in the short term. Defenders should monitor for any residual activity from groups that relied on this service.

  • Drupal warns of imminent critical patch: Drupal maintainers have announced a core security release scheduled for May 20, 2026, warning that exploits may be developed within hours or days of disclosure. The vulnerability affects all supported branches and is rated highly critical. Organizations running Drupal should reserve time for emergency patching and prepare to deploy updates immediately upon release.

  • JAX7 targets Indonesian government databases: The actor JAX7 has allegedly claimed data breaches involving two Indonesian government entities: the SIPGAN Magelang Regency Government and the Kabupaten Tuban population database. These claims follow a pattern of targeting local government administration systems in Indonesia, potentially for population data. Indonesian government agencies should review access controls and monitor for unauthorized data extraction.

  • Other notable incidents: The actor omni777 has allegedly claimed multiple breaches across Latin American and European organizations, including Blue Services Mexico, VitalHub Colombia, and Greek party supplier Partytime.gr. The actor ChimeraZ allegedly claims breaches at two French hospitality firms, Vacances Lagrange and Media Vacances. A threat actor claims to be selling 7.2 million Israeli voter records, though the claim requires verification.

Threat landscape signals

The concentration of claims by Exchange Markets against Gulf financial institutions is the most significant pattern today. This actor appears to be systematically targeting sovereign wealth funds and financial market infrastructure in Qatar and Kuwait, which may indicate a state-aligned intelligence collection effort rather than financially motivated crime. Security teams in Middle Eastern financial services should treat this as a credible threat and review third-party access, supply chain risks, and any shared infrastructure with the named victims.

The broader event set shows continued high activity from NoName057(16) with 12 events, primarily DDoS attacks, and JAX7 with 11 events focused on data breaches against Indonesian targets. The United States remains the most targeted country with 10 events, followed by Indonesia with 8. The data breach category dominates with 41 of 137 total events, indicating that data exfiltration and extortion remain the primary threat vector. The Fox Tempest disruption is a positive development but may temporarily displace rather than eliminate the underlying demand for malware-signing services.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
