All news in category "Incidents and Data Breaches"

Protecting Moldova’s 2025 Parliamentary Election Online

🛡️ Cloudflare assisted the Moldovan Central Election Commission (CEC) during the September 28, 2025 parliamentary vote, rapidly onboarding election sites and deploying mitigations under the Athenian Project. On election day Cloudflare mitigated over 898 million malicious requests across multiple DDoS waves, including a peak of 324,333 rps, keeping official result reporting and civic sites online. Automated defenses and coordination with STISC ensured no interruptions to public access and authoritative information.

Malicious npm Packages Steal Developer Credentials

⚠️ Security researchers revealed 10 typosquatted npm packages uploaded on July 4, 2025, that install a cross-platform information stealer targeting Windows, macOS, and Linux. The packages impersonated popular libraries and use a postinstall hook to open a terminal, display a fake CAPTCHA, fingerprint victims, and download a 24MB PyInstaller stealer. The obfuscated JavaScript fetches a data_extracter binary from an attacker server, harvests credentials from browsers, system keyrings, SSH keys and config files, compresses the data into a ZIP, and exfiltrates it to the remote host.

Aisuru Botnet Evolves from DDoS to Residential Proxies

🛡️ Aisuru, first identified in August 2024, has been retooled from launching record DDoS assaults to renting hundreds of thousands of compromised IoT devices as residential proxies. Researchers warn the change powers a massive proxy market that is being used to anonymize large-scale content scraping for AI training and other abuses. The botnet — roughly 700,000 devices strong — previously produced multi‑terabit attacks that disrupted ISPs and damaged router hardware. Industry and law enforcement are sharing blocklists and probing proxy reseller ecosystems tied to the infections.

Dentsu Confirms Data Breach at U.S. Subsidiary Merkle

🔒 Dentsu disclosed a cybersecurity incident at its U.S. subsidiary Merkle, saying attackers accessed and stole files containing client, supplier, and employee information. The company detected abnormal activity, proactively took certain systems offline, and initiated incident response procedures while engaging third‑party responders. A circulated memo indicated exposed payroll and bank details, salary and National Insurance numbers, and personal contact details; impacted individuals are being notified and authorities in affected countries have been informed. Dentsu said Japan-based systems were not impacted and that the full scope and financial impact remain under investigation; no ransomware group has claimed responsibility so far.

Qilin Ransomware Uses WSL to Run Linux Encryptors in Windows

🔐 Qilin ransomware operators have been observed using the Windows Subsystem for Linux (WSL) to execute Linux ELF encryptors on compromised Windows hosts, allowing them to bypass many Windows-focused EDR solutions. Trend Micro and Cisco Talos report attackers enable or install WSL, transfer payloads with WinSCP, and launch the ELF encryptor via Splashtop (SRManager.exe). Affiliates also deploy signed vulnerable drivers and DLL sideloading to disable security tools and escalate privileges, while the encryptor targets VMware ESXi environments.

Herodotus Android Trojan Mimics Humans to Evade Fraud

⚠️ Herodotus, a new Android banking trojan, has been observed conducting device takeover (DTO) attacks in Italy and Brazil and was advertised as a malware‑as‑a‑service supporting Android 9–16. According to ThreatFabric, it abuses accessibility services and overlay screens to steal credentials and SMS 2FA, intercept the screen, and install remote APKs. Uniquely, operators added randomized typing delays (300–3000 ms) to mimic human input and evade behaviour‑based anti‑fraud detections.

Researchers Expose GhostCall and GhostHire Campaigns

🔍 Kaspersky details two tied campaigns, GhostCall and GhostHire, that target Web3 and blockchain professionals worldwide and emphasize macOS-focused infection chains and social-engineering lures. The attacks deploy a range of payloads — DownTroy, CosmicDoor, RooTroy and others — to harvest secrets, escalate access, and persist. Guidance stresses user vigilance, strict dependency vetting, and centralized secrets management. Kaspersky links the activity to the BlueNoroff/Lazarus cluster and notes the actor has increasingly used generative AI to craft imagery and accelerate malware development.

BlueNoroff (Lazarus) GhostCall and GhostHire Campaigns

🛡️ A Kaspersky GReAT analysis describes two BlueNoroff campaigns—GhostCall and GhostHire—linked to the Lazarus threat actor and focused on the cryptocurrency sector. GhostCall targets executives, often on macOS, using investor-themed social engineering and fake meeting portals that prompt malicious updates and downloads. GhostHire lures blockchain developers with job offers and Telegram bots that point to GitHub test tasks or archived files with tight deadlines; performing the tasks leads to infection. The campaigns share a common management infrastructure and multiple infection chains; technical details and indicators of compromise are published on Securelist.

Volvo Third-Party Breach Highlights Forensic Readiness Gaps

🔒 In August 2025 Volvo Group North America disclosed a breach that originated in its third‑party HR provider, Miljödata, and a slow timeline of detection and notification has raised questions about forensic readiness. Reported exposed records included Social Security numbers and sensitive employee identifiers, and Volvo offered 18 months of identity‑protection services. The author provides five practical recommendations to preserve evidentiary integrity: embed forensics from day zero, align IR and forensic priorities, automate collection and triage, contractually manage vendor response, and coordinate legal messaging to reduce litigation and regulatory risk.

Criminal Gangs Deploy Toll and Postal Texts to Steal Cards

💳 Criminal gangs operating from China send deceptive texts about overdue tolls, postal fees, and municipal fines to trick victims into divulging credit-card details. Investigators say the groups exploit an installation trick that provisions stolen card numbers into Google and Apple Wallet accounts in Asia, then share those virtual cards with buyers in the United States. The Department of Homeland Security estimates the scheme has generated over $1 billion in the last three years, enabling purchases of phones, gift cards, apparel and cosmetics by fraud rings that coordinate messaging, remote provisioning, and cross-border purchasing.

Chrome zero-day exploited to deliver LeetAgent spyware

⚠️ Kaspersky reports a patched Google Chrome zero-day (CVE-2025-2783) was exploited to deploy a newly documented spyware called LeetAgent linked to Italian firm Memento Labs. The operation used personalized, short‑lived phishing links to a Primakov Readings lure that triggered a sandbox escape in Chromium browsers and dropped a loader to launch the implant. Targets included media, universities, research centers, government and financial organizations in Russia and Belarus.

SideWinder Adopts ClickOnce and PDF Lures in 2025 Campaign

🛡️ Trellix researchers report that the threat actor SideWinder has evolved its tradecraft in 2025 by adopting a PDF + ClickOnce infection chain alongside previously used Word exploit vectors. Four spear‑phishing waves from March through September targeted a European embassy in New Delhi and organizations in Sri Lanka, Pakistan and Bangladesh, using tailored lures and a signed MagTek executable that side‑loads a malicious DLL. The DLL decrypts and runs a .NET loader (ModuleInstaller) which fetches StealerBot, a .NET implant capable of reverse shells, delivering additional payloads, and collecting screenshots, keystrokes, credentials and files.

Google Refutes False Claims of Massive Gmail Breach

🔒 Google says reports of a massive Gmail data breach are false and that the coverage mischaracterizes a large compilation of exposed credentials. The 183 million-account figure reflects aggregated infostealer databases and credential dumps compiled over years, not a single Gmail compromise. Troy Hunt added the dataset to Have I Been Pwned, which found 91% of entries were previously seen; 16.4 million addresses were newly observed. Users should check their accounts, run antivirus scans, and change any compromised passwords.

Qilin Ransomware: Over 40 Victims Listed Monthly in 2025

🔒 Cisco Talos reports that Qilin ransomware sustained a surge through the second half of 2025, publishing more than 40 victim listings per month on its leak site and peaking at roughly 100 postings in June and August. The group uses a double-extortion model, encrypting systems and threatening to publish stolen data if ransoms are not paid. Operating as a RaaS, Qilin and its affiliates have heavily targeted manufacturing, professional/scientific services and wholesale trade. Investigators observed use of Cyberduck, standard Windows utilities for file viewing, and dual encryptors that spread laterally via PsExec and encrypt multiple network shares.

LeetAgent and Dante: ForumTroll Toolset Revealed Report

🔍 Our GReAT team reconstructed ForumTroll’s infection chain and identified the malware family dubbed LeetAgent, delivered via spear‑phishing and an exploit of CVE-2025-2783 in Google Chrome when recipients were lured with invitations to the Primakov Readings. Further analysis linked the same delivery tools to the commercial spyware Dante (formerly developed by Hacking Team, now Memento Labs), which uses modular plugins, per‑victim encryption keys and a timed self‑destruct mechanism. Initial detections were made by Kaspersky XDR; full technical details and IOCs have been compiled for APT subscribers.

Louvre Apollo Gallery Jewel Heist Reveals Security Gaps

🔍 The theft at the Louvre—where four thieves used an electric ladder, an angle grinder and seven minutes to remove jewels from the Apollo Gallery—exposed stark security lapses. A single outdoor camera pointed away from the balcony left no interior footage, and guards appeared focused on patrons rather than valuables. Arrests have been reported, but the pieces' likely disassembly will greatly reduce their recoverable value.

Ransomware Recovery Failures: Paying Often Doesn't Work

🔐 A Hiscox survey of 1,000 mid-sized firms finds ransomware remains a major risk: 27% of organizations reported attacks in the past year and 80% of victims paid ransom. Yet only 60% of those who paid recovered data fully or partially. Experts cite faulty encryptors, unreliable decryptors, corrupted backups and double/triple extortion as common causes. Industry specialists recommend tested recovery plans, retainers with incident response teams, and robust cyber insurance rather than relying on ransom payments.

Europol Dismantles Network Behind 49 Million Fake Accounts

🔒 Europol, together with police in Estonia, Finland, Latvia and Austria, dismantled a cybercrime-as-a-service network during coordinated raids on October 10. Seven suspects were arrested and authorities seized five servers, some 40,000 active SIM cards, luxury vehicles, bank accounts and crypto wallets. Investigators say the operation created roughly 49 million fake accounts across about 80 countries and used those identities to swindle millions of euros.

Weekly Cyber Recap: WSUS Exploited and LockBit 5.0 Surge

⚠️ Microsoft released an out-of-band patch for a critical WSUS remote code execution (CVE-2025-59287) after researchers observed active exploitation that drops a .NET executable and Base64 PowerShell payloads. LockBit has resurfaced with a new multi-platform 5.0 variant claiming victims, while a modified Telegram Android app distributing the Baohuo backdoor has infected tens of thousands of devices. Reporting also shows the F5 breach began in late 2023 and has since widened, underscoring the need for urgent patching and threat hunting.

TCS Rejects Claims It Lost M&S Service Desk Contract

📰 Tata Consultancy Services has denied reports that it lost a service desk contract with Marks & Spencer following the retailer’s April cyber-attack. In an October 26 regulatory filing to Indian stock exchanges, TCS described a Telegraph article as "misleading" and pointed to "factual inaccuracies", saying the RFP to evaluate suppliers began in January 2025 and concluded before the incident. TCS said it continues to hold other active contracts with M&S, that a June investigation found no vulnerabilities originating in TCS networks, and that it does not provide cybersecurity services to the retailer.