Cyber Actors Actively Hunting for Credentials Following PH Military Breach
https://iili.io/3dLPOYX.jpg
A sudden surge in credential-hunting activities has been observed in underground Telegram channels, where users are actively searching for login credentials linked to Philippine government agencies, educational institutions, and private companies.
Deep Web Konek’s regular monitoring has identified over 50 chat messages in the past week alone containing queries related to Philippine domains—a sharp increase from the usual 5-10 messages per week.
This spike in activity follows recent news of data breaches involving the Philippine Army and Navy, where officials stated that no hacking had occurred, even though credential harvesting could well have been the primary attack vector.
Credential harvesting is a hacking technique in which attackers collect valid login credentials, whether through phishing, credential-stuffing or brute-force guessing, leaked databases, or malware infections, and then use them to gain unauthorized access to systems. Unlike traditional hacking that exploits software vulnerabilities, credential harvesting lets attackers log in as legitimate users, so their activity looks like ordinary use and slips past controls designed to stop exploits. This method is one of the most common ways organizations are breached today, yet many still underestimate its impact.
One of the leading causes of credential harvesting is malware infection, particularly by infostealers. These malicious programs are designed to silently extract stored usernames, passwords, session cookies, and even autofill data from web browsers and applications. Stolen session cookies are especially dangerous because replaying one drops the attacker into an already-authenticated session, with no need for the password or a second factor. Users often have no idea they have been infected, as these malware variants operate in the background and send the stolen data to cybercriminals. Infostealers typically spread through malicious email attachments, fake software downloads, or compromised websites, making anyone a potential target.
The Philippine Army and Navy both recently confirmed that their systems had been compromised but denied that hacking was involved. Credential harvesting is instead the most likely technique used by the attackers to gain unauthorized access. While officials have not disclosed full details, Deep Web Konek’s initial findings suggest that malware infections and previous credential leaks may have played a role in these breaches.
https://iili.io/3dQfips.jpg
(Screenshot of Philippine Army mail-system credentials that have been compromised since 2023)
https://iili.io/3dQfZQ4.jpg
Many attackers acquire login credentials from past data breaches or malware logs and try them against government and corporate systems. If an employee or official reuses a password across platforms, a credential stolen from one breach can be used for unauthorized access elsewhere. Additionally, infostealers may have pulled login credentials directly from the infected devices of military or government personnel, giving attackers working accounts on sensitive systems without any need to defeat perimeter security controls.
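To make the reuse check concrete, here is an added example (not Deep Web Konek’s own tooling) of how a defender or researcher can triage already-parsed dump records: keep only accounts under watched domain suffixes and flag any account whose identical password shows up in two or more distinct dumps. The records, source names and mailboxes are constructed sample data; only the .gov.ph and .edu.ph suffixes come from the article. Passwords are compared by hash so the plaintext never has to be kept or printed.

```python
"""Triage of leaked credential records for password reuse against a domain watchlist.

Added example; not Deep Web Konek's code. All records below are constructed.
"""
import hashlib
from collections import defaultdict

# A record is interesting when the account's mail domain is, or sits under, one of these.
WATCHLIST = (".gov.ph", ".edu.ph")

# Constructed sample of parsed dump output: (source dump, email, plaintext password).
SAMPLE_RECORDS = [
    ("forum_dump_2021", "j.delacruz@example.gov.ph", "Summer2021!"),
    ("stealer_log_2023", "j.delacruz@example.gov.ph", "Summer2021!"),  # same password in a second dump
    ("stealer_log_2023", "j.delacruz@example.gov.ph", "Summer2023!"),  # seen only once, not reuse
    ("forum_dump_2021", "m.reyes@example.edu.ph", "password123"),
    ("shop_breach_2022", "M.Reyes@Example.EDU.PH", "password123"),     # case differs, still the same account
    ("shop_breach_2022", "someone@example.com", "hunter2"),             # not on the watchlist
    ("stealer_log_2023", "someone@example.com", "hunter2"),
]


def in_watchlist(email, watchlist=WATCHLIST):
    """True if the mail domain equals a watched suffix or is a subdomain of it."""
    domain = email.rsplit("@", 1)[-1].lower()
    return any(domain == s.lstrip(".") or domain.endswith(s) for s in watchlist)


def fingerprint(password):
    """Short non-reversible token so passwords can be compared without keeping plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reuse(records, watchlist=WATCHLIST):
    """Return {email: {fingerprint: sorted source list}} for watched accounts whose
    identical password appears in at least two distinct dumps."""
    seen = defaultdict(lambda: defaultdict(set))
    for source, email, password in records:
        if not in_watchlist(email, watchlist):
            continue
        seen[email.lower()][fingerprint(password)].add(source)
    reuse = {}
    for email, by_password in seen.items():
        hits = {fp: sorted(srcs) for fp, srcs in by_password.items() if len(srcs) >= 2}
        if hits:
            reuse[email] = hits
    return reuse


def summarize(records, watchlist=WATCHLIST):
    """Two numbers a defender wants first: watched accounts exposed at all, and how many reuse."""
    exposed = {email.lower() for _, email, _ in records if in_watchlist(email, watchlist)}
    return {"exposed_accounts": len(exposed), "accounts_with_reuse": len(find_reuse(records, watchlist))}


if __name__ == "__main__":
    for email, hits in find_reuse(SAMPLE_RECORDS).items():
        for fp, sources in hits.items():
            print(f"{email}: password {fp} seen in {', '.join(sources)}")
    print(summarize(SAMPLE_RECORDS))
```

Accounts that come back from `find_reuse` are the ones to force-reset and, because infostealer logs also carry session cookies, to sign out of every active session; accounts that are merely in `exposed_accounts` still warrant a reset of the leaked password.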
https://iili.io/3dLPj4I.jpg
Deep Web Konek has been actively monitoring underground forums and Telegram channels where actors exchange stolen credentials. The jump from the usual 5-10 searches per week for access credentials tied to Philippine domains to more than 50 in the past week suggests growing interest in targeting government and private institutions in the wake of the Army and Navy breaches.
https://iili.io/3dLPN2t.jpg
For example, in one of the Telegram channels we monitor, a user was seen actively searching for login credentials to admin portals of government agencies and university systems. Messages in the screenshots captured by Deep Web Konek include queries for login access to “admin-parps.pnp.gov.ph,” “register.nmp.gov.ph,” and multiple university portals under “upd.edu.ph.” The repeated targeting of these domains, and of administrative portals in particular, suggests that cybercriminals are actively seeking entry points for potential data breaches, since a single working admin login yields far more than an ordinary user account.
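The monitoring described above reduces to a small pipeline: pull .ph hostnames out of chat messages, keep only messages that also carry an access-request word, bucket them per ISO week, and compare the latest week with earlier ones. The following is an added example, not Deep Web Konek’s monitoring code; the messages and timestamps are constructed, and only the three hostnames quoted above come from the article. The intent-word list and the 3x spike threshold are assumptions chosen for illustration.

```python
"""Watchlist monitoring of chat messages for credential requests naming .ph hosts.

Added example; not Deep Web Konek's code. Messages below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# One or more labels followed by the .ph ccTLD, e.g. register.nmp.gov.ph or gov.ph.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+ph)\b", re.IGNORECASE)
# Words that signal a request for or offer of access rather than a passing mention of a site.
# Assumed list; tune it to the channels being watched.
INTENT_RE = re.compile(
    r"\b(login|logins|access|admin|creds?|credentials?|pass|password|combo)\b", re.IGNORECASE
)

# Constructed sample: (timestamp, message). Three hostnames are the ones quoted in the article.
SAMPLE_MESSAGES = [
    ("2025-02-03 10:12", "anyone have combo list? ph targets only"),
    ("2025-02-11 09:40", "looking for login to mail portal, paying"),
    ("2025-02-19 22:05", "need access admin-parps.pnp.gov.ph"),
    ("2025-02-24 08:00", "who has creds for register.nmp.gov.ph"),
    ("2025-02-25 13:30", "buying login upd.edu.ph student portal"),
    ("2025-02-25 13:31", "any other upd.edu.ph portal logins too"),
    ("2025-02-26 17:45", "admin access to any gov.ph domain, dm me"),
    ("2025-02-27 02:15", "selling fresh logs, ph targets"),
    ("2025-02-28 11:00", "need pass for register.nmp.gov.ph asap"),
]


def parse_queries(messages):
    """Yield ((year, iso_week), domain, text) for each .ph host in a message that also
    contains an intent word. Weekly buckets match how the article reports its counts."""
    for stamp, text in messages:
        if not INTENT_RE.search(text):
            continue
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M").date()
        year, week, _ = day.isocalendar()
        for domain in DOMAIN_RE.findall(text):
            yield (year, week), domain.lower(), text


def weekly_counts(messages):
    """Number of domain-specific credential queries per ISO week (weeks with none are absent)."""
    return Counter(week for week, _, _ in parse_queries(messages))


def top_domains(messages, n=3):
    """Most frequently requested hosts, the 'repeated targeting' signal."""
    return Counter(domain for _, domain, _ in parse_queries(messages)).most_common(n)


def spike_report(messages, factor=3):
    """Compare the most recent week with the busiest earlier week.
    factor=3 (assumed) means: alert when the latest week exceeds three times the prior peak."""
    counts = weekly_counts(messages)
    if not counts:
        return {"latest_week": None, "latest": 0, "prior_peak": 0, "spike": False}
    latest = max(counts)
    prior = [c for w, c in counts.items() if w != latest]
    prior_peak = max(prior) if prior else 0
    return {
        "latest_week": latest,
        "latest": counts[latest],
        "prior_peak": prior_peak,
        "spike": counts[latest] > factor * prior_peak,
    }


if __name__ == "__main__":
    print(dict(weekly_counts(SAMPLE_MESSAGES)))
    print(top_domains(SAMPLE_MESSAGES))
    print(spike_report(SAMPLE_MESSAGES))
```

Requiring both a hostname and an intent word keeps ordinary chatter about a site out of the count; a generic hit such as `gov.ph` still counts as a query, which is usually what you want when the request is "any gov.ph admin".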
This surge in credential hunting highlights the urgent need for stronger security measures across government and private institutions. Organizations must enforce multi-factor authentication (MFA), preferably phishing-resistant forms, reset the password and revoke active sessions of any account that turns up in a leaked dump or infostealer log, screen new passwords against known-breached lists, and deploy endpoint protection that can detect and block infostealers. Additionally, cybersecurity awareness training is critical to preventing the phishing and fake-download lures that lead to credential theft.
Credential harvesting is hacking, even if it does not involve direct exploitation of software vulnerabilities. Cybercriminals rely on human error, malware infections, and poor security hygiene to gain access to sensitive systems.
If institutions fail to recognize this threat, another major data breach may be imminent. Deep Web Konek will continue monitoring these underground activities and urging responsible disclosure to mitigate potential cybersecurity threats before they escalate.