All news in category “Incidents and Data Breaches”

⚠️ Kaspersky researchers discovered a large-scale supply chain attack that trojanized DAEMON Tools installers; the malicious executables are signed with a valid AVB Disc Soft digital signature and have been distributed since April 8, 2026. Once installed the malware runs at startup, collects system and network information, and contacts a command-and-control server that can deliver additional payloads. In some cases attackers deployed a backdoor and a more advanced implant, QUIC RAT, capable of in-memory execution and process injection; users should audit systems and use reliable security solutions.

🔒 Cisco Talos has identified a stealthy campaign using a CloudZ remote access trojan and a custom Pheno plugin to siphon SMS one‑time passwords and other sensitive mobile data mirrored via Microsoft Phone Link on Windows endpoints. Rather than compromising phones, attackers exploit the PC‑to‑phone trust relationship to access the Phone Link SQLite data stored locally. The malware establishes persistence, performs anti‑analysis checks, fetches plugin modules, and monitors active Phone Link processes to capture OTPs and notifications. Talos published detection signatures, hashes, C2 indicators and Snort rules; attribution is unconfirmed.

🚨 DarkSword is a newly identified iOS full-chain exploit that chained multiple zero-day vulnerabilities to achieve full device compromise. Google Threat Intelligence Group (GTIG) links the chain to commercial surveillance vendors and suspected state-sponsored operators active since at least November 2025, with observed targeting in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit supports iOS 18.4–18.7 and installs one of three final-stage payload families—GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. A version leaked online a week after discovery; ensure devices are patched promptly.

🔒Deniss Zolotarjovs, a Latvian national extradited to the United States, was sentenced to 8.5 years after pleading guilty to conspiracy to commit wire fraud and money laundering for his role as a negotiator in the Karakurt extortion operation. Prosecutors say he handled "cold case" extortions, researching targets and using stolen personal and health data to pressure victims. He is the first Karakurt member sentenced in the U.S.

🔐 A new CloudZ remote access tool (RAT) variant deploys a previously unseen plugin named Pheno that hijacks Microsoft Phone Link on Windows 10 and 11 to extract SMS messages and one‑time passwords from the application’s local SQLite database. Cisco Talos says the intrusion has been active since at least January and can intercept OTPs mirrored to the desktop without compromising the mobile device. The infection chain begins with a fake ScreenConnect update that drops a Rust loader and a .NET loader which installs CloudZ, establishes persistence via a scheduled task, and performs anti-analysis checks.

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.

🔍Cisco Talos disclosed an active campaign since January 2026 in which an unknown actor deployed a modular .NET RAT called CloudZ and a novel plugin, Pheno. Pheno targets the Windows Phone Link feature to detect an active PC-to-phone bridge and stage Phone Link SQLite files, enabling potential interception of mirrored SMS and OTPs without compromising the phone. CloudZ executes core functions dynamically in memory, performs anti-debug and sandbox checks, and supports plugin-based credential exfiltration.

⚠️ ESET reports that the North Korea‑aligned threat group ScarCruft compromised the sqgame[.]net gaming platform in a targeted supply‑chain operation to deploy the BirdCall backdoor to Android and Windows users. The compromise, active since late 2024, trojanized Android APKs for two games and delivered a malicious Windows update DLL that used RokRAT as a loader. BirdCall — an evolution of RokRAT — harvests contacts, SMS, call logs, media, screenshots, keystrokes and ambient audio, and leverages legitimate cloud services for command‑and‑control.

📱 ESET researchers report that North Korean-linked APT37 (ScarCruft) developed an Android variant of the BirdCall backdoor and distributed it through trojanized APKs on the sqgame.net game platform. The Android implant, first seen around October 2024 and produced in at least seven variants, collects contacts, call logs, SMS, device identifiers, location and system metrics, takes periodic screenshots, records audio during evening hours, and exfiltrates targeted files to a C2. The campaign focused on users in the Yanbian region and underscores ScarCruft’s continued use of supply-chain tactics; users are advised to download apps only from official marketplaces and trusted publishers.

🕵️ ESET researchers uncovered a supply‑chain attack by North Korea‑aligned APT ScarCruft that trojanized a Yanbian‑focused gaming platform. The operation used a malicious Windows update to deploy RokRAT and ultimately the sophisticated BirdCall backdoor, while repackaged Android APKs contained a newly identified Android port of BirdCall. The backdoor harvests files, contacts, screenshots and ambient audio for targeted espionage.

🔒 Trellix disclosed on May 4 that threat actors gained unauthorized access to a portion of its source code repository and that it has notified law enforcement while working with leading forensic experts. The company, formed from the merger of McAfee Enterprise and FireEye, said it has found no evidence that its source code release or distribution process was affected or exploited. Trellix sells threat intelligence and AI-powered detection services including NDR and EDR and will share further details once the investigation concludes.

🔒 Microsoft disclosed a large-scale credential-theft phishing campaign that ran April 14–16, 2026, targeting over 35,000 users at more than 13,000 organizations across 26 countries. Attackers used polished, code-of-conduct-themed HTML lures, legitimate email delivery services and PDF attachments to funnel victims through CAPTCHA-gated pages into AiTM sign-in flows that harvested credentials and tokens, bypassing MFA. Most targets were in the U.S., with heavy impacts on healthcare, finance, professional services, and technology. Microsoft linked many endpoints to Tycoon 2FA, with additional activity tied to Kratos and EvilTokens.

🛡️ Securonix warns of an active phishing campaign codenamed VENOMOUS#HELPER that has compromised over 80 organizations, primarily in the U.S., by abusing legitimate Remote Monitoring and Management tools. Attackers deliver a JWrapper-packaged executable via phishing links hosted on a compromised Mexican site to install SimpleHelp RMM with Safe Mode persistence and a self-healing watchdog. Operators elevate to SYSTEM using AdjustTokenPrivileges and deploy ConnectWise ScreenConnect as a fallback, creating redundant remote access for potential ransomware or extortion follow-on activity.

⚠️A malicious PyTorch Lightning package (lightning==2.6.3) published to PyPI contained a hidden execution chain that triggers on import and silently spawns a background process. That process downloads the Bun JavaScript runtime (v1.3.13) and runs an 11.4 MB heavily obfuscated payload detected by Microsoft Defender as ShaiWorm. The payload steals .env files, API keys, GitHub tokens, and credentials from Chrome, Firefox, and Brave, and can query cloud APIs; Lightning AI reverted PyPI to 2.6.1 and urges immediate rotation of secrets.

🔒Trellix disclosed unauthorized access to a portion of its source code repository and says it is working with outside forensic experts to investigate the incident. The company reports it has found no evidence so far that the accessed code was altered, exploited, or that its release and distribution processes were affected, and it has notified law enforcement. Trellix intends to share further details as appropriate once the investigation concludes. Formed from McAfee Enterprise and FireEye, Trellix protects over 200 million endpoints and serves more than 50,000 customers, and this event follows recent breaches at other security vendors.

🔐 Microsoft Defender Research observed a large-scale, multi-stage phishing campaign that used polished code-of-conduct lures, staged CAPTCHAs, and intermediate pages to deliver an adversary-in-the-middle (AiTM) flow that captured authentication tokens. The campaign targeted over 35,000 users across 13,000+ organizations, mainly in the United States, and employed legitimate delivery services and attacker-controlled domains. Recommended defenses include Microsoft Defender for Office 365, Safe Links, Zero-hour auto purge (ZAP), SmartScreen-enabled browsers, and phishing-resistant MFA.

🚨 A China-based cybercrime group known as Silver Fox ran tax-themed phishing campaigns that deployed a newly identified Python backdoor called ABCDoor. The attacks used PDFs linking to ZIP/RAR archives on abc.haijing88[.]com or malicious attachments and relied on a modified RustSL loader to fetch an encrypted ValleyRAT implant, whose plugin installed ABCDoor. Kaspersky and S2W observed over 1,600 phishing emails across waves targeting India, Russia, Indonesia and others. Organizations should treat unsolicited tax correspondence with suspicion, validate attachments out-of-band, and monitor for modified RustSL and HTTPS C2 activity.

🔒 A 19-year-old allegedly tied to Scattered Spider was arrested in Helsinki and is facing U.S. extradition on counts including wire fraud, conspiracy, and computer intrusion. Prosecutors say he participated in multiple social-engineering intrusions from March 2023 through 2025 that used help-desk impersonation to reset MFA and exfiltrate data. Court filings and social-media posts reportedly tied the suspect to luxurious spending and to taunting law enforcement, underscoring how poor operational security and public boasting can accelerate investigations. The case highlights the ongoing threat of phone-based account takeover and the need for stronger, phishing-resistant controls.

⚠ Polymarket, a platform for betting on real-world events, faces serious integrity problems. Participants have attempted to manipulate outcome verification — including threats to a journalist whose reporting served as an adjudicating source and physical tampering with weather sensors (using hair dryers) to rig weather markets. The site also suffers widespread insider trading, creating legal and ethical exposure. These dynamics undermine trust and the reliability of event-based markets.

🔒 A previously unknown actor exploited CVE-2026-41940, a critical authentication-bypass in cPanel/WHM, to target government and military domains in Southeast Asia and a smaller cluster of MSPs and hosting providers worldwide. The activity, observed by Ctrl-Alt-Intel on May 2, 2026, originated from IP 95.111.250[.]175 and used public proof-of-concepts alongside a separate custom exploit chain against an Indonesian defense portal. The attacker abused hard-coded credentials and a CAPTCHA bypass to perform authenticated SQL injection and RCE, then deployed AdapdixC2, OpenVPN, Ligolo and systemd-based persistence to pivot and exfiltrate sensitive documents. Researchers report rapid, widespread weaponization of the vulnerability by multiple third parties, including Mirai variants and a ransomware strain.