Menu
Browse

Cyber Threat Actor: Yousef

Actor Type Location Known Incidents
 Icon
Sensationalist
India
2 incidents
Profile

The threat actor is known by the alias Yousef and is publicly associated with India as its location. This identification comes from the threat actor context provided, which lists the alias and location without further detail on personal background or organizational structure. No additional identifying information such as real name, age, or affiliations is supplied in the source material.

In terms of targeting, the actor has been linked to incidents affecting both private sector data firms and government entities. One incident involved a lead generation firm whose databases were exposed and offered for sale on dark web markets, indicating a focus on commercial data repositories that contain personal and financial records. Another incident targeted the official website of the Argentinian Ministry of Industry, where administrative credentials were compromised, showing an interest in governmental online assets. The strategic objectives evident from these cases differ: the lead generation breach included an attempt to monetize the stolen data through illicit marketplaces, whereas the Argentinian intrusion was described by the attackers as lacking any intention to leak or publish the obtained information, suggesting a motive limited to unauthorized access rather than immediate financial gain.

Regarding tactics, techniques, and procedures, the lead generation intrusion relied on exploiting a publicly accessible Adminer.php script that retained pre‑saved credentials, allowing attackers to gain authenticated entry without needing to bypass additional controls. Once inside, they deployed malicious scripts and web shells across the firm’s infrastructure to maintain persistence and extract data. The Argentinian breach, by contrast, stemmed from an administrator account protected by an easily guessable password, which permitted the actors Kapustkiy and Kasimierz L. to log in, download server files, and access internal documents. No specific malware families or exploit kits are mentioned in the supplied sources; the highlighted TTP themes are the use of weak or default credentials, exposure of administrative interfaces, and the deployment of web‑based shells for post‑exploitation activity. These two episodes represent the most detailed publicly reported operations associated with the actor Yousef, illustrating a pattern of credential‑based initial access followed by data collection and, in one case, an attempt to profit from the stolen information.

Incidents
Attributed incidents available to members
2 incidents
Sources
Sources available to members
1 source