Nigeria BreachGATE Update - 261505

Critical Severity

1. Executive Summary

This report details the recent surge in targeted cyber activity, analyzing the infrastructure used by primary threat actors and the secondary influence of hacktivist groups. It outlines the behavioral patterns of the attackers, the proactive response from private and national regulators (ngCERT, NITDA CERRT.ng), and provides actionable recommendations for ecosystem-wide resilience.

2. Technical Infrastructure and Behavioral Analysis

We have identified and catalogued multiple Indicators of Compromise (IoCs) related to the attacker’s infrastructure. These indicators cover the systems used during the active intrusion phase and the platforms used to host exfiltrated data. The artifacts were extracted from 6 waves of campaigns between 27th March 2026 and 27th April 2026.

2.1 Behavioral Patterns

The attacker frequently migrates infrastructure to evade takedown efforts. Despite these shifts, the systems consistently exhibit a distinct behavioral signature. Key characteristics include the use of VPS hosting, together with the following open ports/services and operational tools observed both outside and within the victim environment:

  • Command & Control (C2): Ports 1337 and 31337 (Sliver C2).
  • Vulnerability Scanning: Port 8834 (Nessus).
  • Remote Management: Standard ports 22 (SSH) and 21 (FTP), plus xfreeRDP and VNC.
  • Data Hosting: Ports 443 and 80 (self-hosted OwnCloud), MeshCentral, Python Simple HTTP Server, sync.com, Google Drive, OneDrive, dark web forums (Darkforum, Dread, etc.).
  • Certificate: Let’s Encrypt.
  • Other Tools: DBeaver, Metasploit Framework, custom Python scripts, Burp Suite Professional / Burp Intruder, Mozilla VPN, Postman, GitLeaks, TruffleHog, Trivy, S3 Browser, Ligolo (tunneling), BloodHound, VS Code Chat, Claude, NetExec modules*.
  • CVEs: The actor leverages RCE-capable CVEs such as CVE-2025-55182 (react2shell), CVE-2022-29464 (arbitrary file upload to RCE) and CVE-2021-21972 (unauthenticated OVA file upload to RCE), chaining a web shell upload to the web server to establish an RCE foothold on the host.
  • Ransomware: A self-built ransomware targeting storage facilities in domain-controlled environments.
  • Related Avatars, Names & Contacts: Loic Philippe Matrier, Loic Moshe Matrier, ByteToBreach@tuta[.]com, pentesting ltd, cansuhar32@gmail[.]com, Nadezhda Kulagina, dodkhloyka@outlook[.]com, https://x.[]com/ggsfafagas, Bytetobreach33, Bytetobreach.33, Jesus is King, Mr Loic Matrier, Session (05c2db4775cb46350f16814dfe3bfa856664f315585653e4c368af08ce50b0c31b), Ricochet (vgrps2kcrwdlxr5zpnozdwtgnjgpxisftbomw5fiajtiom7tergp2kyd).

2.2 Network Indicators

  • IP Addresses: 67.213.210[.]24, 38.29.212[.]164, 206.217.216[.]145, 152.32.180[.]243*, 172.241.228[.]78, 38.29.212[.]164, 23.247.253[.]245, 51.178.174[.]66, 51.68.252[.]178, 178.249.211[.]94*.
  • Domains: bytetobreach[.]com, bytetobreach[.]online, bytetobreach[.]xyz.
  • Infrastructure Providers Leveraged: Namecheap (domain registration), Cloudflare (to conceal origin IPs behind domains), VPS providers Ingenuity Cloud Services, Leaseweb USA, Serv3r.net (hosting), OVHCloud (OVH SAS & BE).
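The indicators in 2.1 and 2.2 are published defanged; a defender needs to refang them and match them against connection logs, and the C2/scanner ports should only be treated as a signal for outbound traffic. The following is an added example (not part of the advisory) that does exactly that over a constructed key=value firewall log; it assumes RFC 1918 ranges are the monitored organisation's internal network and uses 203.0.113.0/24 as a stand-in for arbitrary internet hosts.

```python
import re
from ipaddress import ip_address, ip_network
# IoCs copied from sections 2.1 and 2.2 of this advisory, in their defanged form.
DEFANGED_IPS = ["67.213.210[.]24", "38.29.212[.]164", "206.217.216[.]145",
                "152.32.180[.]243", "172.241.228[.]78", "23.247.253[.]245",
                "51.178.174[.]66", "51.68.252[.]178", "178.249.211[.]94"]
DEFANGED_DOMAINS = ["bytetobreach[.]com", "bytetobreach[.]online", "bytetobreach[.]xyz"]
# Ports from 2.1: Sliver C2 listeners and the Nessus scanner exposed on the actor's VPS.
SUSPECT_PORTS = {1337: "Sliver C2", 31337: "Sliver C2", 8834: "Nessus"}
# Assumption: RFC 1918 ranges are the monitored organisation's internal network.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def refang(ioc: str) -> str:
    """Turn a defanged value such as '1.2.3[.]4' or 'x[.]com' into a matchable string."""
    return ioc.replace("[.]", ".").lower()

IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
FIELD = re.compile(r"(\w+)=(\S+)")  # log lines are assumed to be well-formed key=value pairs

def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)

def scan_log(text: str) -> list[dict]:
    """Return one finding per log line that touches an advisory IP, domain or suspect port."""
    findings = []
    for line in text.splitlines():
        f = dict(FIELD.findall(line))
        reasons = []
        for key in ("src", "dst"):
            if f.get(key) in IPS:
                reasons.append(f"{key} {f[key]} is an advisory IP")
        host = f.get("host", "").lower()
        if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
            reasons.append(f"host {host} is an advisory domain")
        # A port on its own is a weak signal: only flag outbound connections to external hosts.
        port = int(f.get("dport", 0))
        if port in SUSPECT_PORTS and is_internal(f["src"]) and not is_internal(f["dst"]):
            reasons.append(f"outbound to dport {port} ({SUSPECT_PORTS[port]})")
        if reasons:
            findings.append({"ts": line.split()[0], "reasons": reasons})
    return findings

# Constructed sample firewall/proxy log (not from the advisory); 203.0.113.0/24 stands in for the internet.
SAMPLE_LOG = """\
2026-04-02T10:15:01Z action=allow src=10.0.5.21 dst=67.213.210.24 dport=1337
2026-04-02T10:15:07Z action=allow src=10.0.5.21 dst=203.0.113.5 dport=443
2026-04-02T10:16:44Z action=allow src=10.0.8.9 dst=51.68.252.178 dport=443 host=files.bytetobreach.xyz
2026-04-02T10:17:02Z action=allow src=10.0.2.4 dst=203.0.113.9 dport=31337
2026-04-02T10:18:30Z action=deny src=203.0.113.7 dst=10.0.1.4 dport=8834
"""
```

Running `scan_log(SAMPLE_LOG)` flags the first, third and fourth lines; the inbound attempt on 8834 in the last line is not reported on port alone, which is the intended behaviour for a port-based rule.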

3. Threat Actor Profile and Motivation

The primary threat actor is motivated by publicity and ego alongside financial objectives, demonstrating a desire to maintain the perceived impact of his operations.

  • Extortion Tactics: Behavioral indicators reveal a pattern of contacting compromised organizations via X (formerly Twitter) Direct Messages to demand monetary payment.
  • Unreliability: Historically, this actor is notorious for leaking stolen data even after receiving payment.
  • Negotiation Risks: Based on the inconsistencies found in his communications across various attacks, we strongly advise organizations against any form of financial engagement.

4. Secondary Threats and Vulnerabilities

4.1 Hacktivist Activity

During this period, a surge in secondary activity was noted from hacktivist groups targeting university and government portals. Analysis suggests these "copycat" attacks often involve:

  • Stale Data: Reposting information from previous years to create a false sense of current impact.
  • SQL Injection: Focusing on SQLi to extract configuration files and PII.
  • Attribution: Cybersecurity enthusiasts organizing as NullSec Nigeria, working with NullSec Philippine.

4.2 Responsible Disclosure

The recent wave of hacktivism was met with proactive engagement from the security research community. Vulnerability coordination between researchers, regulators, and the sectoral CERT proved vital in mitigating risks.

4.3 Exploitation of API Endpoints

The attacker continues to exploit vulnerabilities like unauthenticated API endpoints to sow social distrust. By leveraging these flaws, the actor distributes misinformation while impersonating legitimate organizations within our ecosystem to undermine institutional credibility.

5. Ecosystem Response and Regulatory Oversight

5.1 National Coordination

National, sectoral (ngCERT and NITDA CERRT.ng), and private CERTs have been actively coordinating with affected organizations to accelerate recovery and share real-time threat intelligence.

5.2 Regulatory Actions

  • Data Protection Commission (NDPC): Initiated investigations into all incidents to assess the impact on data subjects, and issued advisories on organizational compliance.
  • CBN CSAT Framework: The regulator issued directives requiring completion of the Cybersecurity Self-Assessment Tool (CSAT) to ensure that regulated institutions' cybersecurity programs meet the expected standard.
  • Governance: A ministerial call led to the constitution of an Advisory Council for the coordination of cybersecurity in the digital economy; the inaugural stakeholder engagement, in which Whitehat.NG participated, has taken place.

6. Strategic Recommendations

6.1 Media and Public Communication

We urge media outlets and citizen journalists to exercise rigorous due diligence. Attackers use public narratives to pressure victims. Journalists should validate claims with cybersecurity professionals to avoid promoting misinformation.

6.2 Security Research and Disclosure

The wave of hacktivism was met with proactive engagement from security researchers. Strengthening the framework around Responsible Disclosure will further encourage researchers to report vulnerabilities ethically rather than through public exposure.

6.3 Infrastructure Monitoring

Continuous monitoring of all digital infrastructure - specifically servers, web environments, and APIs - is mandatory. Organizations are urged to share identified IoCs with the relevant CERT to strengthen collective detection and defense.