{
	"id": "847be3c9-2086-4235-88e3-1f2a99d0b316",
	"created_at": "2026-04-06T00:21:53.619311Z",
	"updated_at": "2026-04-10T03:31:49.939495Z",
	"deleted_at": null,
	"sha1_hash": "249c26fd265ef866cc2990bcbbac23d2e8eb104e",
	"title": "HTC Global Services confirms cyberattack after data leaked online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2695589,
	"plain_text": "HTC Global Services confirms cyberattack after data leaked online\r\nBy Lawrence Abrams\r\nPublished: 2023-12-05 · Archived: 2026-04-05 19:39:10 UTC\r\nIT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the\r\nALPHV ransomware gang began leaking screenshots of stolen data.\r\nHTC Global Services is a managed service provider offering technology and business services to the healthcare, automotive,\r\nmanufacturing, and financial industries.\r\nWhile HTC has not posted a statement to the company website, they issued a brief announcement last night on X confirming\r\nthe attack.\r\nhttps://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\n\"HTC has experienced a cybersecurity incident,\" reads a tweet posted to HTC's X account last night.\r\n\"Our team has been actively investigating and addressing the situation to ensure the security and integrity of user data.\"\r\n\"We've enlisted cybersecurity experts and are working to resolve it. Your trust is our priority.\"\r\nThis announcement comes after the ALPHV (BlackCat) ransomware gang listed HTC on their data leak site, along with\r\nscreenshots of allegedly stolen data.\r\nThe leaked data includes passports, contact lists, emails, and confidential documents allegedly stolen during the attack. 
\r\nHTC Global Services entry on the ALPHV data leak site\r\nWhile little information about the attack on HTC is available, cybersecurity professional Kevin Beaumont believes the\r\ncompany was breached using the Citrix Bleed vulnerability.\r\nAccording to Beaumont, one of HTC's business units, CareTech, operated a vulnerable Citrix Netscaler device, which was\r\nexploited for initial access to the company's network.\r\nBleepingComputer has contacted HTC Global Services with questions about the attack and whether they were breached\r\nusing Citrix Bleed, but a response was not immediately available.\r\nALPHV is amassing victims\r\nThe ALPHV/BlackCat ransomware operation, launched in November 2021, is believed to be a rebrand of the DarkSide and\r\nBlackMatter ransomware operations.\r\nAs DarkSide, the group gained international attention after they breached Colonial Pipeline, leading to intense pressure from\r\nlaw enforcement agencies globally.\r\nAfter rebranding again as BlackMatter in July 2021, their operations abruptly ceased in November 2021 when authorities\r\nseized their servers, and security firm Emsisoft created a decryptor exploiting a ransomware vulnerability.\r\nThis ransomware operation is known for consistently targeting global enterprises and continuously adapting and refining\r\ntheir tactics, and has seen a surge in attacks recently.\r\nThis evolution includes working with English-speaking threat actors, who utilize their encryptors and infrastructure to\r\nlaunch extortion attacks.\r\nIn a recent incident, a group of English-speaking affiliates tracked as Scattered Spider claimed responsibility for the attack\r\non MGM Resorts, saying they encrypted over 100 ESXi hypervisors during the attack.\r\nThis week, one ALPHV affiliate claimed to have stolen data from Tipalti and said they have begun to extort 
impacted\r\ncompanies individually.\r\nThe threat actors have also recently attacked a publicly owned electricity provider and a hospital network, both classified as\r\ncritical infrastructure in the United States.\r\nThe attacks on critical infrastructure may once again be the tipping point that leads to increased scrutiny by US law\r\nenforcement.\r\nSource: https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/"
	],
	"report_names": [
		"htc-global-services-confirms-cyberattack-after-data-leaked-online"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434913,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/249c26fd265ef866cc2990bcbbac23d2e8eb104e.pdf",
		"text": "https://archive.orkl.eu/249c26fd265ef866cc2990bcbbac23d2e8eb104e.txt",
		"img": "https://archive.orkl.eu/249c26fd265ef866cc2990bcbbac23d2e8eb104e.jpg"
	}
}