All news in category “Incidents and Data Breaches”

🔒 Cybercriminals are using TikTok videos disguised as free activation guides for software such as Windows, Adobe, Spotify, and Discord to distribute info‑stealing malware via a ClickFix technique. The videos instruct users to run a short PowerShell command that fetches a script from slmgr.win, which then downloads a variant of Aura Stealer and an additional payload from Cloudflare Pages. Victims should assume credentials are compromised, reset passwords, and avoid running copied commands in shells or terminal windows.

🚨 Europol announced the disruption of a sophisticated cybercrime-as-a-service SIM farm in Operation SIMCARTEL, resulting in seven arrests and 26 searches across multiple countries. Authorities seized 1,200 SIM box devices containing about 40,000 active SIM cards, dismantled five servers and took over two websites, and froze significant cash and cryptocurrency assets. The platform supplied numbers from over 80 countries and is tied to the creation of more than 49 million online accounts used in phishing, smishing, investment fraud and other serious offences.

🚨 Researchers uncovered a malvertising campaign that uses Google Ads to surface convincing fake Homebrew, LogMeIn, and TradingView download sites targeting macOS developers. The pages prompt victims to copy a curl command into Terminal, but the clipboard often contains a base64-encoded installer that decodes and runs an install.sh payload. That script removes quarantine flags, bypasses Gatekeeper, and delivers infostealers that check for analysis environments before executing. Operators deploy AMOS and Odyssey, which harvest browsers, wallets, and credentials; users are urged not to paste unknown commands into Terminal.

🔒 Seqrite Labs uncovered a new .NET implant named CAPI Backdoor linked to a phishing campaign targeting Russian automobile and e-commerce organizations. The attack leverages a ZIP archive containing a decoy Russian tax notice and a Windows LNK that loads a malicious adobe.dll via the legitimate rundll32.exe. The backdoor gathers system and browser data, takes screenshots, and communicates with a remote C2 for commands and exfiltration. Persistence is achieved through scheduled tasks and a Startup LNK.

🔎 Silver Fox operators have expanded the Winos 4.0 (ValleyRAT) campaign from China and Taiwan to target Japan and Malaysia, and are also deploying a secondary RAT tracked as HoldingHands. The actors use phishing emails with booby‑trapped PDFs, SEO‑poisoned pages and targeted .LNK résumé lures to deliver multiple payloads, including Winos modules and HoldingHands. Observed techniques include DLL sideloading, Task Scheduler recovery abuse, anti‑VM checks and AV termination to maintain persistence and evade detection.

🔐 British officials briefly considered physically destroying a government data hub after uncovering a decade-long intrusion attributed to China-aligned actors. The breach reportedly exposed official-sensitive and secret material on government servers, though no top secret data was taken. Rather than demolish the facility, the government implemented alternative protections and commissioned a classified review. Cybersecurity experts say the episode underscores the critical need to secure supply chains and hunt long-term APT presence.

🔒 Envoy Air confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its leak site. The carrier said it immediately launched an investigation, contacted law enforcement, and determined that no sensitive or customer data were affected, though limited business information and commercial contact details may have been exposed. The incident is tied to an August campaign by Clop, which exploited an E-Business Suite zero‑day (CVE‑2025‑61882) and is now publishing claimed stolen files.

🔍 Europol, together with national police units and the Shadowserver Foundation, dismantled an illegal SIM‑box service codenamed SIMCARTEL that rented phone numbers to criminals for creating fraudulent online accounts. The service operated about 1,200 SIM‑box devices with roughly 40,000 active SIM cards and offered numbers tied to individuals in more than 80 countries via seized sites gogetsms.com and apisim.com. Authorities linked the infrastructure to thousands of fraud cases and at least EUR 4.5 million in losses in Austria and EUR 420,000 in Latvia.

🧑‍💻 Three 17-year-olds in the Netherlands are suspected of providing services to a foreign power after one was found communicating with an unnamed Russian-government-affiliated hacking group. Prosecutors say the linked suspect directed the others to repeatedly map Wi‑Fi networks in The Hague and then sold the collected data to the client's contact for a fee. The investigation, opened after a report from the Military Intelligence and Security Service, led to two arrests on 22 September and seizure of devices from a third minor. An updated Criminal Code effective 15 May 2025 now criminalizes digital espionage, carrying up to eight years' imprisonment (or up to 12 years in the most serious cases).

🔐 Cisco Talos reports that a North Korean-linked threat cluster has blended features of its BeaverTail and OtterCookie JavaScript malware families, with recent OtterCookie variants adding keylogging, screenshot capture, and clipboard monitoring. The intrusion chain observed involved a trojanized Node.js application called Chessfi and a malicious npm dependency published on August 20, 2025 that executed postinstall hooks to launch multi-stage payloads. Talos tied the activity to the Contagious Interview recruitment scam and highlighted continued modularization and abuse of legitimate open-source packages and public Git hosting to distribute malicious code.

⚠️ Google Threat Intelligence Group has linked a North Korean threat actor to EtherHiding, a technique that embeds malicious JavaScript inside smart contracts so the blockchain functions as a resilient command-and-control server. Tracked as UNC5342, the actor used EtherHiding within an elaborate social-engineering campaign to deliver JADESNOW and a JavaScript variant of INVISIBLEFERRET, leading to multiple cryptocurrency heists. The campaign targets developers via fake recruiters and deceptive coding tests on Telegram and Discord.

⚠️ Shadowserver Foundation reports 266,978 internet-exposed F5 BIG-IP instances after F5 disclosed a breach in which nation-state actors stole source code and information on undisclosed BIG-IP flaws. F5 issued patches addressing 44 vulnerabilities and urged immediate updates for BIG-IP, F5OS, BIG-IQ, and related products. CISA issued an emergency directive requiring federal agencies to patch or mitigate affected devices by set deadlines. Nearly half of the detected instances are in the United States, with most others across Europe and Asia.

⚠️Threat actors exploited a Cisco SNMP vulnerability (CVE-2025-20352) to achieve remote code execution on legacy IOS XE switches and install custom, largely fileless Linux rootkits that hook into the IOSd memory space, set universal passwords (including one containing 'Disco'), and hide processes and network activity. The rootkits spawn a UDP-based controller to toggle or zero logs, bypass access controls, and reset running-config timestamps to mask changes. Trend Micro also observed spoofed IP/MAC addresses and attempts to combine a retooled Telnet memory-access exploit to deepen persistence.

📧 Cybercriminals abused a lack of authentication in the customer-service platform Zendesk to trigger mass ticket-creation notifications that appeared to come from hundreds of legitimate customer domains. KrebsOnSecurity received thousands of messages in rapid succession from brands including The Washington Post, Discord, NordVPN and more, with subjects ranging from alleged law-enforcement warnings to insults. Because some customers allow anonymous ticket creation and enable auto-responder triggers, replies and notifications were sent from those customers' domains, amplifying brand and inbox impact. Zendesk says it is investigating and recommends customers require verified ticket submission.

🔒 The Hohen Neuendorf city administration reported a cyberattack detected on October 7 that forced an immediate shutdown of its IT systems and left municipal operations running in a limited capacity. Contracted cybersecurity experts found indications attackers temporarily accessed and encrypted parts of the city's data holdings, preventing immediate inspection. Authorities say it cannot yet be confirmed whether personal data were stolen and that the city will notify affected individuals under GDPR if a data outflow is verified. Preliminary investigation points to security gaps at an external IT service provider that allegedly failed to report vulnerabilities as contractually required.

🔒 Prosper has confirmed a data breach that may have exposed personal information for approximately 17.6 million customers. The company said unauthorized queries were made against customer and applicant databases and that the activity was shut down and access revoked on September 2. Prosper reported no operational disruptions or evidence of unauthorized account access or fund theft, has notified US law enforcement, and will offer affected customers credit monitoring once the scope is confirmed.

🔒An external marketing service provider detected unauthorized access to customer personal data for the Spanish fashion company Mango. The attackers obtained first name, country, postal code, email address and telephone number for some customers, while last names, bank details and passwords were not accessed. Mango says its own systems remain secure and has notified the Spanish data protection authority (AEPD). Customers are urged to remain vigilant for phishing attempts via email, SMS or phone.

🔒 Microsoft disclosed it revoked more than 200 certificates after a threat actor tracked as Vanilla Tempest used them to fraudulently sign malicious binaries, including fake Microsoft Teams installers that delivered the Oyster backdoor and led to Rhysida ransomware deployments. The activity was detected in late September 2025 and disrupted earlier this month, and Microsoft has updated security solutions to flag the associated signatures. The actor abused SEO poisoning and bogus download domains impersonating Teams to distribute trojanized installers. Users are advised to download software only from verified sources and to avoid suspicious links or ads.

🔒 On Oct. 15, 2025, F5 disclosed a nation-state compromise that exfiltrated source code and undisclosed vulnerability information from the BIG-IP product development and engineering knowledge platforms. F5 reports no evidence of modification to its software supply chain or access to CRM, financial, support case management, iHealth, NGINX or distributed cloud products. Unit 42 warns the theft could accelerate exploit development and recommends immediate patching, hardening, and targeted threat hunting for anomalous admin activity and configuration changes.

🔒 Sotheby's has notified customers that an intrusion detected on July 24 resulted in removal of sensitive data from its systems. After a two-month investigation the company determined exposed information includes full names, Social Security numbers and financial account details. Impacted individuals are being offered 12 months of free identity protection and credit monitoring through TransUnion while Sotheby's continues to assess the scope.