All news in category “Incidents and Data Breaches”

🛰️ Aisuru, now the world’s largest IoT botnet, is drawing the majority of its attack volume from compromised consumer devices hosted by U.S. ISPs such as AT&T, Comcast and Verizon. In early October the botnet briefly generated a near‑30 terabit-per-second traffic flood, underscoring its rapidly expanding scale and destructive reach. The attacks have targeted gaming-focused networks and protection providers, causing widespread collateral congestion and forcing providers to reassess outbound mitigation. Built on Mirai-derived code, Aisuru is also being marketed as a residential proxy service, complicating attribution and remediation.

⚠️ Fortinet FortiGuard Labs has detailed an active campaign dubbed Stealit that uses Node.js Single Executable Application (SEA) packaging—and in some builds, the Electron framework—to deliver credential-stealing and remote-access payloads. Operators distribute counterfeit game and VPN installers via file-hosting sites and messaging platforms, which drop three primary executables that perform browser and messenger data theft, wallet extraction, and persistence with live screen streaming. Installers run anti-analysis checks, write a Base64 authentication key to %temp%\cache.json for C2 authentication, and configure Microsoft Defender exclusions to conceal downloaded components.

🔒 Microsoft warns that a financially motivated group tracked as Storm-2657 is hijacking employee accounts to redirect payroll by altering profiles in third-party HR SaaS platforms such as Workday. Attacks rely on AitM phishing, MFA gaps and SSO abuse rather than software vulnerabilities. Observed tactics include creating inbox rules to delete warning notifications and enrolling attacker-controlled phone numbers for persistent access. Microsoft reported compromises at multiple U.S. universities and recommends phishing-resistant, passwordless MFA such as FIDO2 keys, and reviews of MFA devices and mailbox rules to detect takeover.

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data, extension-based crypto wallets, and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.

🔓On September 17, security vendor SonicWall disclosed that cybercriminals exfiltrated backup files configured for its MySonicWall cloud backup service. The company initially reported the incident affected 'less than five percent' of customers but has since updated that all Cloud Backup users who used the feature are impacted. Stolen files include encrypted credentials and configuration data, which could enable targeted attacks despite encryption. SonicWall has published an affected-device list and a detailed remediation playbook for administrators.

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

⚠️ Researchers have identified 175 malicious packages on the npm registry used as infrastructure for a widespread phishing campaign called Beamglea. The packages, collectively downloaded about 26,000 times, host redirect scripts served via unpkg.com that route victims to credential-harvesting pages. Attackers automated package publication and embedded victim-specific emails into generated HTML, pre-filling login fields to increase the likelihood of successful credential capture.

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

🔒 The FBI, in coordination with French authorities, seized BreachForums domains used by the ShinyHunters group as a portal for leaking corporate data and facilitating extortion. Nameservers were updated on October 9 and law enforcement reports they obtained backups and backend servers dating back to 2023, though the actors' dark‑web leak site remains online. ShinyHunters confirmed the takeover via a PGP‑signed Telegram post and warned the Salesforce campaign will continue.

💧Forescout disclosed that a Russia-aligned hacktivist group, TwoNet, was tricked into attacking a honeypot designed to look like a water treatment utility. The actor accessed the HMI with default credentials and created an account named BARLATI to carry out defacement, PLC manipulation, log suppression and process disruption. Forescout said this incident reflects a broader shift from DDoS and defacement toward OT/ICS targeting and provided mitigation guidance.

⚖️ A German consumer association has launched a model declaratory action against Meta after data from more than 530 million Facebook users was posted on the dark web in April 2021. The Federation of German Consumer Organisations argues Meta failed to protect user data and to inform affected people adequately. Plaintiffs seek tiered compensation of €100–€600 and the Hanseatic Higher Regional Court will first address jurisdictional and formal matters in the hearing.

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

📱 A new Android spyware campaign called ClayRat is tricking users by posing as well-known apps and services such as WhatsApp, Google Photos, TikTok, and YouTube and distributing APKs via Telegram channels and fraudulent websites. Researchers at Zimperium say they documented over 600 samples and 50 distinct droppers in three months, noting that some use a session-based installation and encrypted payloads to bypass Android defenses. Once installed, ClayRat can assume the default SMS handler, exfiltrate SMS and call logs, capture notifications and front-camera photos, make calls, send mass SMS for propagation, and communicate with C2 servers (recent versions use AES-GCM); Play Protect now blocks known variants.

🔐 Microsoft says the Storm-2657 gang has been targeting U.S. university HR employees since March 2025 in “payroll pirate” attacks that aim to hijack salary payments by compromising Workday accounts and Exchange Online mailboxes. Attackers use tailored phishing themes—campus illness, faculty misconduct, executive impersonation—and adversary‑in‑the‑middle (AITM) links to steal MFA codes and gain access. They then set inbox rules to hide warnings, adjust payroll SSO settings, and sometimes enroll attacker phone numbers as MFA devices; Microsoft urges deployment of phishing‑resistant MFA and offers investigative guidance.

⚠️Researchers have observed threat actors leveraging the open-source DFIR tool Velociraptor to maintain persistent remote access and deploy ransomware families including LockBit and Babuk. Cisco Talos links the campaigns to a China-based group tracked as Storm-2603 and notes use of an outdated Velociraptor build vulnerable to CVE-2025-6264. Attackers synchronized local admin accounts to Entra ID, accessed vSphere consoles, disabled Defender via AD GPOs, and used fileless PowerShell encryptors with per-run AES keys and staged exfiltration prior to encryption.

🔎 Volexity attributes a series of tailored spear‑phishing campaigns to a China‑aligned actor tracked as UTA0388, which delivers a Go-based implant named GOVERSHELL. The waves used multilingual, persona-driven lures and legitimate cloud hosting (Netlify, Sync, OneDrive) to stage ZIP/RAR archives that deploy DLL side‑loading and a persistent backdoor. As many as five GOVERSHELL variants emerged between April and September 2025, succeeding an earlier C++ family called HealthKick. Volexity also observed the actor abusing LLMs such as ChatGPT to craft phishing content and automate workflows.

⚠️ RondoDox is a large-scale botnet actively exploiting 56 n-day vulnerabilities across more than 30 device types, including DVRs, NVRs, CCTV systems, routers, and web servers. Trend Micro researchers describe the campaign as using an exploit shotgun strategy, firing numerous exploits simultaneously to maximize infection despite generating noisy activity. The actor has weaponized flaws disclosed at events such as Pwn2Own and continues to expand its arsenal, including both recent CVEs and older end-of-life vulnerabilities. Recommended defenses include applying firmware updates, replacing EoL devices, segmenting networks, and removing default credentials.

🔍 Microsoft Threat Intelligence observed a financially motivated actor tracked as Storm-2657 conducting targeted 'payroll pirate' intrusions against US universities to divert salary payments. The actor used realistic phishing and adversary-in-the-middle (AiTM) links to harvest credentials and MFA codes, gained access to Exchange Online, abused SSO to reach Workday profiles, and created inbox rules to hide payroll notifications. Microsoft recommends adopting phishing-resistant, passwordless MFA and provides detections and remediation guidance.

🔒 SonicWall confirmed that unauthorized actors accessed firewall configuration backup files stored in its cloud backup portal, impacting all customers who used the service. The exposed .EXP files contain AES-256-encrypted credentials and other configuration data. Customers should log into MySonicWall to check impacted devices and follow the vendor's Essential Credential Reset checklist, prioritizing internet-facing firewalls.

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.