All news in category "Incidents and Data Breaches"

Google Ads Lead to ChatGPT/Grok Guides Installing AMOS

⚠️ Security researchers warn of a macOS infostealer campaign that uses Google search ads to push users toward publicly shared ChatGPT and Grok conversations containing malicious installation instructions. According to Kaspersky and Huntress, the ClickFix attack spoofs troubleshooting guides and decodes a base64 payload into a bash script that prompts for a password, then uses it to install the AMOS infostealer with root privileges. Users are urged not to execute commands copied from online chats and to verify safety first.

DroidLock Android Malware Locks Devices, Demands Ransom

🔒 Zimperium researchers uncovered a new Android malware family called DroidLock that locks victims’ screens, steals messages and call data, and can remotely control devices via VNC. The threat targets Spanish-speaking users and is distributed through malicious websites that impersonate legitimate apps and deliver a dropper which installs a secondary payload. The payload requests Device Admin and Accessibility privileges to perform actions such as wiping devices, changing lock credentials, recording audio, starting the camera, and placing overlays that capture lock patterns. Operators serve a ransom WebView directing victims to contact a Proton email and threaten permanent file destruction within 24 hours if unpaid.

Malicious Blender 3D Model Files Spread Infostealer

⚠️ Researchers observed threat actors distributing the StealC V2 infostealer hidden inside free .blend files on marketplaces like CGTrader. When Blender’s Auto Run Python Scripts setting is enabled, opening these models executes embedded Python that fetches a loader via Cloudflare Workers and runs a PowerShell chain to deploy payloads. The campaign exfiltrated browser and wallet data and abused a UAC bypass. Disable autorun and restrict unvetted tools.

ClickFix Trick Drives Rise in CastleLoader Python Loaders

🛡️ Blackpoint researchers have uncovered a campaign that leverages ClickFix social engineering to trick users into running a benign-looking command via the Windows Run dialog. That single action launches a hidden conhost.exe process which fetches a small tar archive, unpacks it into AppData and runs a windowless Python interpreter. The bundled interpreter executes compiled Python bytecode that reconstructs and decrypts CastleLoader shellcode in memory, avoiding disk-based artifacts. Observed staging uses a GoogeBot user agent and familiar /service/download/ paths, linking the activity to the CastleLoader family.

Pro-Russia Hacktivists Exploit OT Exposures in US Now

🚨 A joint advisory from CISA, the FBI, the NSA and partners warns of a surge in pro‑Russia hacktivist activity exploiting exposed VNC and other internet-facing OT interfaces to breach systems across US water, food production and energy sectors. Low-skilled groups such as CARR, NoName057(16), Z-Pentest and Sector16 employ port scans, brute-force password guessing and simple reconnaissance tools to capture screenshots, alter parameters, disable alarms and force costly manual recoveries.

Spiderman phishing kit targets dozens of European banks

🕷️Spiderman is a newly observed phishing kit that replicates banking and cryptocurrency login flows to capture credentials, 2FA codes, credit card details, and wallet seed phrases. Researchers at Varonis report it targets customers across five European countries and major brands including Deutsche Bank, ING, CaixaBank, PayPal, and crypto wallets such as Ledger and Metamask. The kit’s modular control panel lets operators filter victims by country or device, intercept PhotoTAN and OTP codes in real time, export harvested data with one click, and redirect non-targeted visitors.

Ukrainian Hacker Charged for Aiding Russian Hacktivists

🔒 U.S. prosecutors arraigned 33-year-old Victoria Dubranova, accusing her of supporting Russian state-linked hacktivist groups in cyberattacks against critical infrastructure, including water systems and election-related targets. Dubranova, known by aliases such as Vika and SovaSonya, was extradited this year and has pleaded not guilty to charges tied to NoName057(16) and CyberArmyofRussia_Reborn (CARR). She faces separate trials in February and April 2026 and potential sentences of up to 27 years and 5 years under the respective indictments.

HSE Offers €750 to Victims of 2021 Ransomware Attack

🔒 The Health Service Executive (HSE) has offered €750 to individuals whose personal data was exposed in the May 2021 Conti ransomware attack, plus an additional €650 toward legal costs. The intrusion began with a malicious Microsoft Excel file that bypassed outdated anti‑malware defenses, forcing a full IT shutdown and widespread disruption to hospital services. A later PwC review criticised the HSE's unpatched systems and frail infrastructure, while the organisation says it has found no evidence of fraud stemming from the breach after more than four years.

01flip: Rust-Based Multi-Platform Ransomware Targeting APAC

🔐 Unit 42 identified 01flip, a new Rust‑based ransomware family observed in June 2025 that targets both Windows and Linux via Rust cross‑compilation. The malware enumerates writable directories, drops RECOVER-YOUR-FILE.TXT ransom notes, renames files with a .01flip extension, and encrypts victims with AES‑128‑CBC while protecting session keys with an embedded RSA‑2048 public key. Observed victims are a limited set in the Asia‑Pacific region, and an alleged data dump appeared on a dark‑web forum after at least one infection.

Shai-Hulud 2.0: Detecting and Defending Supply-Chain Attacks

🛡️ The Shai-Hulud 2.0 campaign is a widescale npm supply-chain compromise that injects malicious preinstall scripts to execute a bundled Bun runtime and harvest cloud credentials. Microsoft Defender observed attackers installing GitHub Actions runners named SHA1HULUD, using TruffleHog to locate secrets, and exfiltrating stolen credentials to public repositories. The guidance outlines detections, hunting queries, and prioritized mitigations for developers, maintainers, and cloud defenders.

North Korea-linked Actors Use React2Shell to Deploy EtherRAT

🛡️ Threat actors tied to North Korea have been observed exploiting the critical React Server Components vulnerability (React2Shell, CVE-2025-55182) to deliver a new remote access trojan named EtherRAT. The implant downloads a Node.js runtime, decrypts and spawns a JavaScript payload, and resolves command-and-control via Ethereum smart contracts using a multi-endpoint consensus method. EtherRAT persists on Linux with five distinct mechanisms and supports self-updating obfuscated payloads, enabling long-term stealthy access and making remediation difficult.

React2Shell Exploits Deploy EtherRAT, Linked to DPRK

🔐 Security researchers at Sysdig report new campaigns exploiting React2Shell (CVE-2025-55182), resulting in a novel implant that delivers EtherRAT and demonstrates advanced persistence and evasion. The exploit targets React v19 and many related frameworks, using a base64 shell command to fetch a downloader that installs Node.js, decrypts an obfuscated JavaScript dropper, and executes a blockchain-based C2-capable payload. Sysdig observed tooling overlaps with North Korea-associated campaigns, though firm attribution remains unconfirmed.

Spain Arrests 19-Year-Old Suspect Over 64M Data Records

🔒 A 19-year-old suspect in Igualada, Barcelona, was arrested after authorities linked him to breaches at nine companies and the theft of 64 million private records. Police say the dataset included full names, home addresses, email addresses, phone numbers, DNI numbers and IBAN codes that the suspect attempted to sell on hacker forums using multiple accounts and pseudonyms. Officers seized computers and cryptocurrency wallets believed to hold proceeds from the sales; the investigation began in June. Separately, Ukrainian police arrested a 22-year-old who used custom malware and a 5,000-account bot farm to compromise and sell social media access.

Malicious VS Code Extensions Steal Credentials via DLL

🛡️ Researchers from Koi Security have uncovered two malicious Visual Studio Code extensions, Bitcoin Black and Codo AI, that delivered a DLL-based infostealer via a disguised Lightshot executable. The campaign used social engineering and evolving technical methods—initially complex PowerShell and passworded ZIPs, later streamlined to hidden batch scripts—to harvest screenshots, clipboard data, Wi‑Fi credentials and browser sessions. One extension posed as a theme while the other offered legitimate AI coding features, helping both evade suspicion on the VS Code Marketplace.

California Man Pleads in $263M Cryptocurrency Theft

🔒 Evan Tangeman, 22, has pleaded guilty to laundering proceeds from a sophisticated criminal network that stole roughly US $263 million in cryptocurrency. Prosecutors say the Social Engineering Enterprise was organised via online gaming connections and used hackers, impersonating 'callers', burglars and money launderers to seize and convert victims' crypto. Tangeman admitted converting about US $3.5 million and faces sentencing on April 24, 2026.

Streamlit Exposes Shadow AI Risks and Data Leaks at Scale

⚠️ UpGuard's analysis of Streamlit-hosted applications uncovered thousands of publicly accessible data apps that expose sensitive business and personal information. In October 2025 scans identified 14,995 unique IPs running Streamlit; after accounting for instances with authentication or errors, over ten thousand apps remained accessible without login. The report documents exposed PII and business intelligence dashboards and recommends practical controls: maintain an inventory of user apps, move sensitive workloads off the Community Cloud, and enable authentication by default.

DeadLock Ransomware Uses BYOVD to Disable Endpoint Defenses

🔒 Cisco Talos detailed a campaign where a financially motivated actor deployed DeadLock ransomware using a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint protections by exploiting a Baidu driver flaw (CVE-2024-51324). A custom loader invoked the vulnerable driver to issue kernel-level commands that killed security processes; PowerShell scripts then escalated privileges, stopped backup and security services, and erased shadow copies. The C++ payload (compiled July 2025) injects into rundll32.exe, uses a custom stream cipher with time-based keys to append ".dlock" and waits roughly 50 seconds to evade sandboxes; communications and ransom negotiations occurred via Session. Organizations should enforce MFA, maintain strong endpoint controls and keep regular offline backups.

North Korean Hackers Exploit React2Shell to Deploy EtherRAT

🔒 Researchers at Sysdig uncovered a new malware implant, EtherRAT, delivered via exploitation of the React2Shell deserialization flaw in Next.js just days after the vulnerability disclosure. The implant bundles a full Node.js runtime, uses an encrypted loader, and employs Ethereum smart contracts for resilient C2 while supporting five Linux persistence mechanisms. Operators can self-update the payload and execute arbitrary JavaScript, complicating detection and response.

IAB Abuses EDR and Windows Utilities for Stealthy Malware

🔐Storm-0249, an initial access broker, is abusing endpoint detection and response (EDR) components and trusted Windows utilities to execute malware stealthily. In one analyzed incident the actor used social engineering to run curl commands that installed a malicious MSI which drops a DLL placed beside the legitimate SentinelAgentWorker.exe, then performs DLL sideloading to run attacker code inside the signed EDR process. Additional payloads are piped into memory via PowerShell from a spoofed domain, avoiding disk-based detection. Researchers recommend behavior-based detection for trusted processes loading unsigned DLLs and stricter controls on curl, PowerShell, and living-off-the-land binaries.

Storm-0249 Shifts to Fileless Execution and DLL Sideloader

🚨 ReliaQuest warns that Storm-0249 appears to be evolving from an initial access broker into an active operator, adopting domain spoofing, DLL side-loading and fileless PowerShell execution to facilitate ransomware intrusions. The actor used a Microsoft-mimicking URL and the Windows Run dialog to fetch and execute a PowerShell script that installed a trojanized SentinelOne DLL via a malicious MSI. This technique leverages living-off-the-land utilities and signed processes to maintain persistence and evade detection.