June 2025 Trend Report on the Deep Web & Dark Web
Notice
This trend report on the deep web and dark web for June 2025 is divided into sections on Ransomware, Data Breach, Dark Web, Cyberattack, and Threat Actors. Please note that some of the content has yet to be confirmed to be true.
Main Issue
1) Ransomware
(1) Overview
In June 2025, the ransomware ecosystem showed a new pattern characterized by Qilin’s overwhelming activity and a focus on high-value targets. Analysis of key issues revealed that Qilin posted more victims than any other group, firmly establishing itself as the top ransomware group. This surge is believed to result from a large-scale shift of affiliates following the shutdown of RansomHub’s operations, along with the adoption of new attack tactics.
A particularly notable change is the sharp increase in attacks targeting government agencies. Local governments in the US, as well as agencies in Colombia, the United Arab Emirates, and France, were attacked in succession, suggesting motivations that go beyond mere financial gain and point to political or strategic intent. A new targeting strategy has also emerged, focusing on global brand-name companies such as Disneyland Paris and Ticketmaster.
There was also a notable increase in new ransomware groups. Many new groups, such as Team XXX, Warlock, Global, W.A., and Kawa4096, have emerged, indicating a rapid restructuring of the RaaS market. Perhaps the most alarming development is the ransomware attack launched by the pro-Iranian hacktivist group APTiran against critical infrastructure in Israel, marking the emergence of a new threat model that fuses geopolitical motives with ransomware tactics. Overall, ransomware attacks are undergoing diversification, expanding from traditional financial motivations to include political and strategic objectives.
(2) Trends Among Key Ransomware Groups
- Qilin
As the most active group in June, Qilin recorded an overwhelming level of activity and outpaced all other ransomware groups. In particular, the group demonstrated a sophisticated strategy of systematically attacking a variety of high-value targets. Successive attacks were carried out against the autonomous Spanish city of Melilla, US healthcare provider Covenant Health, multinational corporations based in the US, UK, and Japan, US auto parts manufacturer Greg Moser Engineering Inc., Singapore oilfield equipment manufacturer RMZ Oilfield Engineering Pte Ltd, and the municipal government of Belvedere City in the US. A defining characteristic is the group’s all-out attack pattern that spans government agencies, healthcare, manufacturing, and the energy sector. This is assessed to be the result of enhanced capabilities following a large-scale migration of affiliates from RansomHub.
- Akira
Akira continued to carry out persistent and systematic activity, focusing heavily on high-value manufacturing and energy companies. Japan’s major men’s suit retail chain Haruyama Holdings, US oil and gas company Murex Petroleum Corporation, German manufacturing company Seppeler Gruppe, Swiss financial services firm Access Financial, and US automotive lighting manufacturer North American Lighting were attacked. A strategic approach aimed at key companies in the global supply chain is becoming increasingly evident, with a notable strengthening of attack capabilities in the manufacturing sector.
- Lynx
Lynx exhibited a specialized attack pattern by targeting telecommunications insurance firms and petrochemical conglomerates. The group carried out attacks against Telcom Insurance Group, a US telecommunications insurance provider; Siamgas and Petrochemicals Public Co. Ltd., a Thai petrochemical company; and the University of Chile, a national comprehensive university in Chile. Notably, there is a growing trend of attacks targeting energy infrastructure and educational institutions.
- Gunra
Gunra demonstrated a clear strategy of targeting government and healthcare institutions. The group attacked Justicia Penal Military Policial, a Colombian government agency, and American Hospital Dubai in the United Arab Emirates, signaling an attempt to expand its regional reach by targeting critical infrastructure in Latin America and the Middle East.
- Other Major Groups
RHYSIDA expanded into the nonprofit and energy sectors by attacking Welthungerhilfe, a German development cooperation organization, and the US branch of Chinese energy company CNPC. Anubis targeted Disneyland Paris, a French theme park operator, demonstrating a strategy focused on global brands. Arkana attacked Ticketmaster, a US-based global ticketing distributor, showcasing a new pattern of targeting key infrastructure in the entertainment industry.
- New Groups
Kawa4096 emerged with a DLS design similar to Akira, while Team XXX, Warlock, Global, and W.A. appeared in quick succession, indicating a rapid reshaping of the RaaS market. These new groups are actively absorbing the personnel and technology of existing groups to accelerate growth and are showing aggressive efforts to fill the void left by RansomHub.
(3) Damage Trends by Industry
- Government and Public Institutions Sector
The most notable change in June was the sharp increase in attacks targeting government agencies. Local government agencies in the United States, such as Taos County, Wyoming County NY, and the City of Macedonia, were attacked in succession. Additional victims included Justicia Penal Military Policial in Colombia, the Ajman Government Portal in the United Arab Emirates, and France’s Ministry of National Education. This concentrated targeting of government entities suggests political and strategic motives beyond mere financial gain. It is assessed to be a new tactic designed to exert social pressure by disrupting public services.
- Manufacturing Sector
Japanese suit manufacturer Haruyama Holdings, US oil and gas exploration company Murex Petroleum Corporation, German manufacturer Seppeler Gruppe, US auto parts manufacturer Greg Moser Engineering Inc., US auto lighting manufacturer North American Lighting, and a Singaporean oilfield equipment manufacturer were attacked. There are ongoing strategic attacks targeting key companies in the global supply chain, with attacks particularly concentrated on automotive-related manufacturers, indicating an intent to disrupt supply chains.
- Medical and Healthcare Sectors
US healthcare providers Myrtue Medical Center and Covenant Health, and UAE hospital American Hospital Dubai were attacked. Ongoing attacks on life-critical infrastructure that directly impacts patient care have raised serious concerns about healthcare service continuity and patient safety.
- High-Value Brands
A new targeting strategy has emerged, focusing on global brand companies like Disneyland Paris and Ticketmaster. These companies possess high brand value and broad customer bases, making them attractive targets due to the dual pressure of ransom payment demands and potential brand image damage. In particular, the focus on core infrastructure in the entertainment industry suggests an intent to maximize public impact.