Pro-Russian DDoS dominates; Lazarus hits Tashkent education
Summary
The day's volume reads as two parallel campaigns rather than one storm. A long tail of pro-Russian DDoS hacktivism -- NoName057(16) alone claimed 14 of the day's listings -- ran alongside a sharper, smaller cluster of genuinely consequential exposures: a DPRK-linked Lazarus posting against Westminster International University in Tashkent, a France-side breach claim against EssilorLuxottica, a claim against a South African government IT agency, and a Russian academic target that lands in the same week as a tit-for-tat sanctions cycle. On the vulnerability side, two independently exploited CVEs (Drupal Core SQLi, LiteSpeed cPanel) joined CISA's Known Exploited Vulnerabilities catalog, while a Laravel-Lang supply-chain compromise and the newly disclosed "Underminr" trusted-domain technique reset defenders' patch-and-isolate priorities.
Today's developments
The libaisec corpus carried 140 listings, of which 47 were claimed data breaches and 11 data leaks. NoName057(16) led with 14 listings, almost entirely DDoS-pattern targeting; Hax.or followed with 8, and the N2LX listings clustered in financial and identity-data leaks, including a claim of 6,443,648 PII records exfiltrated via the Instagram API and a separate breach of the cryptocurrency exchange EgonCoin. Lazarus's four listings on the day include the alleged data leak from Westminster International University in Tashkent, sustaining the group's interest in education-sector targets across Central Asia.
Several specific high-value claims surfaced:
- Mikhel claimed a breach against EssilorLuxottica, a France-domiciled multinational listed under the hospital and health-care vertical; an exposure there would carry both consumer-PII and B2B implications.
- tbabi posted an alleged breach of Japanese retailer FamilyMart Co., Ltd.
- Nullsec Philippines claimed a breach of the South African State Information Technology Agency (SITA), one of the most consequential government-sector listings of the day.
- Elite Squad posted alleged breaches against Russia's Tyumen State University and India's Himalayan Social Journey, plus a Ukrainian non-profit, Innovaesthetic.
- The BlackH4t MD-Ghost posted a claim against the Venezuelan army.
- FreeCity advertised a 100 GB leak attributed to Kuwait Energy Basra (UEGL) and a separately listed telecom claim.
- mosad posted multiple listings against New York Police document caches.
The day's external vulnerability and supply-chain reporting moved in parallel. The Hacker News reported that a Drupal Core SQL-injection bug had been added to CISA's Known Exploited Vulnerabilities catalog after observed in-the-wild exploitation; in a separate item, CVE-2026-48172 in the LiteSpeed cPanel plugin was reported as being used to run scripts as root on affected hosts. The Laravel-Lang PHP package set was compromised to deliver a cross-platform credential stealer -- the third high-impact PHP supply-chain incident of the quarter, per industry reporting. Security Week's "Underminr" disclosure described a technique that lets attackers hide malicious connections inside trusted domains, complicating network-detection assumptions. The Record reported that CISA will accept third-party researcher submissions to the KEV catalog -- a workflow change that should accelerate downstream patch advisories. Separately, Claude Mythos AI was reported to have identified 10,000 high-severity flaws across widely used software, an industry-side signal of how AI-assisted code review may shift the disclosure pipeline.
Threat landscape signals
Actor concentration favoured volume over impact: the top three claimants (NoName057(16), Hax.or, N2LX) accounted for 29 of 140 listings -- about 21 percent -- but the day's genuinely damaging exposures came from outside that head of the distribution, in the Mikhel / tbabi / Nullsec / Lazarus / FreeCity tier. Country distribution shows the United States leading by raw count (26), with Indonesia (18) and France (17) close behind; Indonesia's exposure was disproportionately defacements rather than breaches. Industry distribution clusters in government administration (18), financial services (10) and education (8), the same three verticals defender teams will recognise from earlier weeks. The Lazarus presence in education, combined with the pro-Russian DDoS load against named European and US targets, is consistent with a continuing hybrid-pressure pattern; defenders carrying Drupal Core, LiteSpeed cPanel or Laravel-Lang dependencies should treat today's CISA KEV additions and the supply-chain compromise as immediate-patch items rather than scheduled work.