Lazarus, Keymous Plus Lead Data Leak Surge; Ollama Flaw Exposes 300K Servers
Summary
Today's threat landscape is dominated by a high volume of alleged data leaks and breaches, with a notable shift toward targeting government and critical infrastructure entities across Southeast Asia and the Middle East. The Lazarus group, typically associated with financial cybercrime, is claiming multiple data leaks against US and Chinese targets, while hacktivist groups like Keymous Plus are focusing on Egyptian government ministries. Separately, a critical vulnerability in the widely deployed Ollama AI platform (CVE-2026-7482) poses a significant supply-chain risk for organizations using the software, with over 300,000 potentially exposed servers.
Today's developments
The day's most significant activity centers on a wave of alleged data breaches and leaks targeting government and enterprise victims. Multiple threat actors are claiming responsibility for incidents across several continents.
Lazarus Group claims to have leaked databases associated with US entities and Chinese/Hong Kong passport data. While the group's typical focus is financial theft, these claims suggest a potential pivot or expansion into data extortion and hacktivism. The veracity of these claims remains unverified, but the targeting of US and Chinese data is notable.
Keymous Plus and Keymous are allegedly responsible for breaches of the Egyptian Ministry of Civil Aviation and the Embassy of Morocco in Egypt. This indicates a sustained campaign against Egyptian government and diplomatic targets by this actor.
Indonesia remains a primary target, with multiple actors (Mr. Hanz Xploit, Xyph0rix, JAX7, saref43135, JunedXsec) claiming breaches of government agencies (Kementerian Perhubungan, Pemerintah Kota Gunungsitoli, Bappeda Sulawesi Utara) and private sector entities (FAVO Indonesia). This suggests a broad, opportunistic targeting of Indonesian digital infrastructure.
United States victims include a claimed breach of DARPA (Defense Advanced Research Projects Agency) by actor "mosad," and a breach of Pitney Bowes Inc. by actor "Tanaka." Additionally, Leak Bazaar claims to have breached Wayne Brothers Companies (construction). These incidents underscore persistent targeting of US defense, logistics, and industrial sectors.
United Kingdom engineering and consulting firm Arup was allegedly breached by FulcrumSec, with two separate listings for the same victim, suggesting either a duplicate report or a multi-phase data release.
Vietnam was targeted with an alleged leak of Vietnam Government Police data by Xyph0rix and a breach of entertainment company Hakara by xorcat.
Other notable incidents include an alleged breach of InnStar (India, real estate) by int3lzO, and a breach of the Ukrainian School of Mining Engineering by 404 CREW CYBER TEAM.
In parallel, a critical vulnerability has been disclosed in the Ollama AI platform. Tracked as CVE-2026-7482 (CVSS 9.1), the out-of-bounds read flaw, dubbed "Bleeding Llama," allows a remote, unauthenticated attacker to leak the entire process memory of an Ollama server. Industry researchers note that over 300,000 servers are likely exposed. This vulnerability is particularly dangerous for organizations running Ollama in production environments, as it could expose sensitive AI model data, API keys, or user information.
Threat landscape signals
The data reveals several actionable patterns for defenders. First, there is a pronounced concentration of activity against Indonesian government and e-commerce targets, with at least five distinct actors claiming breaches. This suggests a coordinated or opportunistic campaign, and Indonesian SOCs should prioritize monitoring for indicators related to these actors.
Second, the Lazarus group's claims of data leaks, if substantiated, represent a tactical shift from their traditional financial-motivation model. Security teams should not dismiss Lazarus activity as solely targeting cryptocurrency exchanges; they may now be engaging in data extortion against a wider range of victims.
Third, the Ollama vulnerability (CVE-2026-7482) is a high-priority patching item. Given the widespread deployment of Ollama for local AI inference, organizations should immediately inventory their exposure, apply patches, and ensure the service is not reachable from the internet without proper authentication and network segmentation.
Finally, the high volume of defacement events (86) relative to other categories suggests ongoing hacktivist activity, likely tied to geopolitical tensions. While defacements are often low-impact, they can signal the presence of more capable threat actors probing for weaknesses. The concentration of victims in the Philippines (16 events) and Morocco (9 events) warrants attention from regional security teams.