UAE Real Estate and French Government Sectors Hit in Multi-Actor Data Breach Wav

Events tracked
159
Critical exposure
56

Summary

Today's threat landscape is defined by a concentrated, multi-actor assault on the United Arab Emirates' real estate and healthcare sectors, alongside a coordinated leak campaign against French government education authorities. The actor Exchange Markets is driving a significant portion of the UAE-focused activity, while the group SUB-ZERO is systematically targeting French regional education bodies. Separately, a critical supply chain compromise of the Jscrambler npm package underscores the persistent risk of software integrity attacks, demanding immediate defensive action.

Today's developments

The most prominent pattern is the alleged targeting of UAE-based organizations by the actor Exchange Markets, who claims to have breached or obtained data from at least six entities. Victims allegedly span the real estate sector (AX CAPITAL, MyBayut, Mubawab.ae), luxury goods (NET-A-PORTER), and healthcare (Emirates Hospitals Group, isahd.ae). This concentration suggests a methodical campaign against high-value consumer-facing industries in the region. Separately, an actor using the handle Anonymous2090 also claims to have breached Emaar Properties, a major UAE real estate developer, reinforcing the sector's vulnerability.

In France, the actor SUB-ZERO is allegedly responsible for data leaks from two regional education authorities: the Nice Regional Education Authority and the Aix-Marseille Regional Education Authority. This follows a pattern of targeting government administration, with another actor, 84City, claiming a breach of PPA Business School. The French Equestrian Federation and the French National Order of Veterinarians are also among today's alleged French victims, indicating a broad interest in French institutional data.

Industry reporting highlights a critical supply chain incident. Security researchers at Socket detected that the jscrambler npm package version 8.14.0 was compromised, embedding a preinstall hook that drops a Rust-based infostealer on Windows, macOS, and Linux systems. This attack, published on July 11, was flagged within six minutes, but any organization that installed this version in that window should treat their environment as potentially compromised.

Additional notable incidents include a claim by ShinyHunters to be selling data from the US education platform ClassDojo, and a breach of Lifeline Australia, a mental health care provider, by an actor named 2019. In Indonesia, DigitalStormSec claims to have breached the Directorate General of Population and Civil Registration, a high-value government database.

Threat landscape signals

The event set shows a clear geographic and sectoral clustering. The UAE and France are the most targeted countries today, each with 14 events, driven by the Exchange Markets and SUB-ZERO campaigns respectively. The real estate and government administration verticals are under the heaviest fire. The actor Sophia01 is also notably active, with five claims, primarily targeting German entities (kulturigo.de, idventure.de, diedrucker.de).

The Qilin ransomware group appears in today's top actors with five events, though specific victim details are not fully enumerated in the summary data. The presence of NoName057(16) with eight events, likely DDoS-related, indicates continued hacktivist pressure, particularly against Iranian and French targets.

Defenders should prioritize three actions: (1) audit any use of jscrambler npm package version 8.14.0 and scan for the Rust infostealer; (2) review exposure of UAE-facing web properties and customer databases, particularly in real estate and healthcare; and (3) verify that French government and education systems have not been compromised by the SUB-ZERO actor, who appears to be methodically leaking regional authority data.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.

Recent editions