In June 2025, Scania, a Swedish manufacturer of heavy trucks, industrial and marine engines, confirmed that they have been a subject of an cyberattack. According to the company their systems were breached on 28th May 2025, where a threat actor used leaked credentials from an infostealer infection to gain the foothold. The company has confirmed the attack and its details to the Bleeping Computer:

“We can confirm there has been a security related incident in the application “insurance.scania.com”, the application is provided by an external IT partner,” stated a Scania spokesperson.

“On the 28th and 29th of May, a perpetrator used credentials for a legitimate external user to gain access to a system used for insurance purposes; our current assumption is that the credentials used by the perpetrator were leaked by a password stealer malware.”

“Using the compromised account, documents related to insurance claims were downloaded.”

In addition, in June 2025 a user on ExploitIn and XSS forums made a post selling files stolen from the ‘insurance.scania.com’.

I guess, the sales attempt was unsuccessful. On 3 August 2025, an extortion group named ‘Team XXX’ has named Scania as their victim on the group’s data leak site: http[://]tp5cwh6d2b5hekcg6jlhoe6mawa7dlwiv47epvnfmzuaaur2dnaa3uid[.]onion/.

Screenshot from the Team XXX darkweb site listing Scania as a victim

If your fingers would be restless and click on “Download The Files” you would see a directory listing as in the screenshot below:

Now, one more step, click on the directory and you’ll be greeted by listing of files. Note the dates of files, which is consistent with the Scania’s claims about the timeline.

Screenshot from the Team XXX darkweb site listing stolen files

I have copy pasted the file listing, which can be accessed by following this link (and hopefully, this is of some use to someone): https[://]cryptpad[.]fr/file/#/2/file/HagrX9hS4pA-XlKmFTXCbaou/