All news in category "Incidents and Data Breaches"

Wed, November 12, 2025

Google Sues to Dismantle Lighthouse Phishing Platform

⚖️ Google has filed a lawsuit to dismantle the Lighthouse phishing-as-a-service (PhaaS) platform, which it accuses of enabling global SMS phishing ("smishing") campaigns that impersonate USPS and toll providers. The company says Lighthouse has affected more than 1 million victims in 120 countries and that related scams may have exposed up to 115 million U.S. payment cards between July 2023 and October 2024. Google's complaint invokes federal racketeering, trademark and computer fraud laws and seeks to seize the infrastructure hosting the fraudulent templates, some of which mimic Google sign-in screens.

Wed, November 12, 2025

DanaBot Malware Returns Targeting Windows After Disruption

🔁 Zscaler ThreatLabz has observed a new DanaBot variant (v669) targeting Windows systems again after a six-month lull that followed Operation Endgame. The rebuilt command-and-control infrastructure uses Tor .onion domains and 'backconnect' nodes, and the operators collect stolen funds through multiple cryptocurrency addresses (BTC, ETH, LTC, TRX). Organizations should add Zscaler's published IoCs to blocklists, update detection content, and harden email and web defenses against malspam, SEO poisoning and malvertising.

Wed, November 12, 2025

Google Sues China-Based Operators of PhaaS 'Lighthouse'

⚖️ Google has filed a civil lawsuit in the U.S. District Court for the Southern District of New York against the China-based operators of the PhaaS kit Lighthouse, which Google says has ensnared over one million users across 120 countries. The platform is accused of powering industrial-scale smishing (SMS phishing) campaigns that impersonate trusted brands such as E-ZPass and USPS to steal financial data. Google alleges the actors illegally used its trademarks on at least 107 spoofed sign-in templates and seeks to dismantle the infrastructure under RICO, the Lanham Act and the Computer Fraud and Abuse Act. Security firms link Lighthouse to a broader PhaaS ecosystem that includes Darcula and Lucid, and to a smishing syndicate tracked as Smishing Triad.

Wed, November 12, 2025

GlobalLogic Confirmed as Victim of Cl0p Oracle EBS Exploit

🔒 GlobalLogic has notified 10,471 current and former employees that their data was exposed after a zero-day in Oracle E-Business Suite (EBS) was exploited in early October 2025. The company says it patched the vulnerability after confirming data exfiltration on 9 October. The stolen records reportedly include HR and payroll details such as names, dates of birth, passport numbers, salary, and bank account and routing numbers, creating a high risk of follow-on phishing and identity fraud. GlobalLogic has not confirmed whether the extortion group contacted it, while security firms link the incident to Cl0p, which has targeted dozens of organizations including Harvard and Envoy Air.

Wed, November 12, 2025

Miniatur Wunderland Hamburg warns of credit card breach

🔒 Miniatur Wunderland Hamburg has notified visitors of a data protection incident after detecting a compromise of its online ticket order page. The museum warns unauthorized parties may have accessed full credit card details, including cardholder name, card number, expiration date and CVV, for purchases between 6 June and 29 October 2025. The implicated server was isolated immediately and the museum says investigations are ongoing, but it has not disclosed further technical details or attacker identity.

Wed, November 12, 2025

Synnovis Notifies NHS of Patient Data Theft After Ransomware

🔒 Synnovis has notified NHS organisations that a June 2024 ransomware incident resulted in the theft of patient data, including names, NHS numbers, dates of birth, and some test results. The company says the exfiltrated files were unstructured and fragmented, requiring specialist analysis to reassemble. Synnovis confirmed no ransom was paid, is coordinating notifications with affected trusts and expects to complete notifications by 21 November 2025. The incident has been linked to the Qilin ransomware operation.

Wed, November 12, 2025

Payroll Pirates Malvertising Hijacks Hundreds of Sites

🏴‍☠️ Since mid-2023, researchers have tracked a financially motivated malvertising network named Payroll Pirates that impersonates payroll portals to harvest credentials and facilitate fraud. The operation used sponsored ads to funnel more than 500,000 visitors to cloned login pages and impersonated over 200 login interfaces, including payroll systems, credit unions and trading platforms across the U.S. Its tactics evolved over time, with refined ad placement, credential-harvesting pages and coordinated infrastructure to maximize theft and evade detection.

Wed, November 12, 2025

Typosquatted npm Package Targets GitHub Actions Builds

⚠️ A malicious npm package, @acitons/artifact, impersonated the legitimate @actions/artifact module; it was uploaded on November 7 specifically to target GitHub Actions CI/CD workflows. It included a post-install hook that executed an obfuscated shell script named "harness", which fetched a JavaScript payload (verify.js) to detect GitHub runners and exfiltrate build tokens. With those tokens the attacker could publish artifacts while impersonating GitHub; the package accrued over 260,000 downloads across six versions before detection.

Wed, November 12, 2025

Initial Access Broker Pleads Guilty in Yanluowang Case

🔒 Aleksey Olegovich Volkov, a 25-year-old Russian national accused of acting as an initial access broker, is set to plead guilty in a federal case tied to the Yanluowang ransomware group. Prosecutors say he sold administrator credentials to the operators and received over $256,000, while victims paid ransoms of up to $1 million. Investigators traced Bitcoin flows to wallets Volkov had verified with his identity documents, and his plea agreement includes more than $9 million in restitution.

Wed, November 12, 2025

Rhadamanthys infostealer disrupted after server access loss

🔒 The Rhadamanthys infostealer operation has reportedly been disrupted, with multiple customers saying they no longer have SSH access to their web panels. Affected users report servers now require certificate-based logins instead of root passwords, prompting some to wipe and power down infrastructure. Researchers g0njxa and Gi7w0rm observed the outage and noted Tor onion sites for the operation are also offline. The developer and several customers suspect German law enforcement, and some analysts link the event to the broader Operation Endgame disruptions.

Tue, November 11, 2025

Maverick Banking Malware Spreads via WhatsApp Web in Brazil

⚠️ Threat hunters report a .NET banking trojan dubbed Maverick propagating via WhatsApp Web, with analyses noting significant code overlaps with the Coyote family and attribution to the actor known as Water Saci. The campaign uses a self-propagating component named SORVEPOTEL to distribute a ZIP containing an LNK that launches PowerShell/cmd to fetch loaders from zapgrande[.]com. The loader installs modules only after geo/linguistic checks confirm the victim is in Brazil and then deploys banking-targeted credential-stealing and web-injection capabilities.

Tue, November 11, 2025

Bitcoin Queen Sentenced to Nearly 12 Years for £5.5B Scam

🔒 Zhimin Qian, dubbed the "Bitcoin Queen," was sentenced in London to 11 years and eight months after a seven-year Met Police investigation found she laundered proceeds from a £5.5 billion cryptocurrency investment scheme that defrauded more than 128,000 victims in China between 2014 and 2017. Investigators seized 61,000 Bitcoin — now valued at roughly £5.5 billion — marking the largest crypto seizure in UK history. Two associates received prison terms and authorities confiscated additional assets including wallets, encrypted devices, cash, and gold.

Tue, November 11, 2025

KONNI APT Abuses Google Find Hub to Wipe Android Devices

🔐 Genians Security Center (GSC) has attributed a recent destructive campaign to the KONNI APT, which abused Google’s Find Hub service to remotely wipe Android phones and tablets. Threat actors distributed a signed MSI via compromised KakaoTalk accounts, installed an AutoIt loader, and stole Google credentials to trigger remote resets when victims were away. GSC describes this as the first confirmed state-linked misuse of Find Hub and recommends stronger authentication, verification for remote wipes, and enhanced EDR and behavioral monitoring.

Tue, November 11, 2025

Qilin Ransomware Activity Surges, Targeting SMEs in 2025

🔐 Researchers at S-RM report a surge in activity by the Qilin ransomware-as-a-service operation, which leverages unpatched VPNs, single-factor remote access and exposed management interfaces to gain initial access. While some high-profile incidents hit healthcare, most victims are small-to-medium businesses in construction, healthcare and finance. S-RM also observed affiliates from Scattered Spider using Qilin’s platform, and noted new extortion channels including Telegram and public leak sites. The firm urges routine patching, widespread MFA adoption, network segmentation and proactive monitoring.

Tue, November 11, 2025

GootLoader Returns Using Custom Font to Conceal Payload

🔍 Huntress observed the return of GootLoader infections beginning October 27, 2025, with two cases leading to hands-on-keyboard intrusions and domain controller compromise within 17 hours. The loader now embeds a custom WOFF2 font, delivered in Z85 encoding, whose glyph substitution makes the obfuscated filenames readable only when rendered in the victim's browser; anything that reads the raw page text sees gibberish. Actors deliver XOR-encrypted ZIPs via compromised WordPress comment endpoints and SEO-poisoned search results, and the archive is crafted to look like benign text to many automated analysis tools while still extracting a JavaScript payload on Windows.
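The font trick above relies on shipping binary font data inside page text, which is what Z85 (a base-85 text encoding) is for. The following triage helper is an added example, not code from the page or from Huntress: it implements Z85 encode/decode, scans page source for long runs of Z85-alphabet characters, and reports the runs that decode to a WOFF2 header. It assumes the encoded font is embedded unpadded (length a multiple of 5) in a script string; the sample page, the fake font bytes and the `findZ85Fonts` helper name are all constructed here.

```javascript
// Added example (not from the page or from Huntress): find Z85-encoded blobs in
// page source and check whether they decode to a WOFF2 font. Assumptions: the
// Z85 text is embedded unpadded (length a multiple of 5); the page below is
// constructed, not a real GootLoader capture.
const Z85 = "0123456789abcdefghijklmnopqrstuvwxyz" +
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ.-:+=^!/*?&<>()[]{}@%$#";

// Encode 4 bytes -> 5 chars: each group is a big-endian 32-bit value in base 85.
function z85Encode(bytes) {
  if (bytes.length % 4 !== 0) throw new Error("Z85 input must be a multiple of 4 bytes");
  let out = "";
  for (let i = 0; i < bytes.length; i += 4) {
    let v = ((bytes[i] * 256 + bytes[i + 1]) * 256 + bytes[i + 2]) * 256 + bytes[i + 3];
    let chunk = "";
    for (let k = 0; k < 5; k++) { chunk = Z85[v % 85] + chunk; v = Math.floor(v / 85); }
    out += chunk;
  }
  return out;
}

// Decode 5 chars -> 4 bytes; throws on characters outside the alphabet or on a
// group that overflows 32 bits, which weeds out runs that merely look like Z85.
function z85Decode(text) {
  if (text.length % 5 !== 0) throw new Error("Z85 input must be a multiple of 5 chars");
  const out = new Uint8Array((text.length / 5) * 4);
  for (let i = 0; i < text.length; i += 5) {
    let v = 0;
    for (let k = 0; k < 5; k++) {
      const idx = Z85.indexOf(text[i + k]);
      if (idx < 0) throw new Error("invalid Z85 character: " + text[i + k]);
      v = v * 85 + idx;
    }
    if (v > 0xffffffff) throw new Error("Z85 group overflows 32 bits");
    const o = (i / 5) * 4;
    out[o] = v >>> 24;
    out[o + 1] = (v >>> 16) & 0xff;
    out[o + 2] = (v >>> 8) & 0xff;
    out[o + 3] = v & 0xff;
  }
  return out;
}

// WOFF2 files start with the four ASCII bytes "wOF2".
function isWoff2(bytes) {
  return bytes.length >= 4 && bytes[0] === 0x77 && bytes[1] === 0x4f &&
         bytes[2] === 0x46 && bytes[3] === 0x32;
}

// Scan page source for runs of Z85-alphabet characters of at least minRun chars
// and report those that decode to a WOFF2 header. Short runs (identifiers, URLs)
// are skipped; runs that are not a multiple of 5 or fail to decode are ignored.
function findZ85Fonts(html, minRun = 25) {
  const run = new RegExp("[0-9a-zA-Z.\\-:+=^!/*?&<>()\\[\\]{}@%$#]{" + minRun + ",}", "g");
  const hits = [];
  for (const m of html.match(run) || []) {
    if (m.length % 5 !== 0) continue;
    try {
      const bytes = z85Decode(m);
      if (isWoff2(bytes)) {
        hits.push({ offset: html.indexOf(m), encodedLength: m.length, decodedLength: bytes.length });
      }
    } catch (e) { /* not a clean Z85 blob, ignore */ }
  }
  return hits;
}

// Constructed sample: a fake WOFF2 header (magic "wOF2", flavor 0x00010000 for
// TrueType outlines, then zeroed length fields) embedded in a script string.
const FAKE_FONT = Uint8Array.from([0x77, 0x4f, 0x46, 0x32, 0x00, 0x01, 0x00, 0x00,
                                   0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
const SAMPLE_HTML = '<script>var f="' + z85Encode(FAKE_FONT) + '";</script>' +
                    '<p>Download: dr8k.r7c</p>';

console.log(findZ85Fonts(SAMPLE_HTML));
```

Real samples may carry the blob in a data attribute or be padded to a multiple of 4 bytes first; adjust the scan and the length check accordingly, and decode the hits to a file so the glyph-to-character mapping can be inspected with a font tool.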

Tue, November 11, 2025

GlobalLogic warns 10,000 employees of Oracle data theft

🔒 GlobalLogic is notifying 10,471 current and former employees that personal data was stolen after attackers exploited an Oracle E-Business Suite zero-day. The compromised HR information includes names, contact details, birthdates, passport and tax identifiers, salary and bank account information. The incident aligns with a wider extortion campaign linked to the Clop ransomware group exploiting CVE-2025-61882.

Tue, November 11, 2025

CPU Spike Reveals RansomHub Intrusion Before Ransomware

🔍 Varonis responded after a server CPU spike exposed an active intrusion later attributed to RansomHub affiliates. The attacker gained initial access via a SocGholish JavaScript masquerading as a browser update, then deployed a persistent Python-based SOCKS proxy and automated reconnaissance to hunt credentials and enumerate Active Directory. Within hours the actor obtained Domain Admin privileges and initiated broad discovery and exfiltration; Varonis developed an unpacker, identified IOCs, and coordinated containment and remediation that prevented ransomware with zero downtime.

Tue, November 11, 2025

North Korean Hackers Abuse Google's Find Hub for Wipes

🔒 Genians Security Center (GSC) reports that North Korea-linked KONNI actors abused Google's Android device-tracking and management service, Find Hub, to remotely locate and wipe victims' phones. The attackers compromised legitimate Google accounts, often via spear-phishing that impersonated South Korea's National Tax Service, then used Find Hub to confirm the device's location and issue reset commands, which also silenced alerts. The campaign also spread malware through compromised KakaoTalk contacts sending apps disguised as 'stress-relief' programs.

Tue, November 11, 2025

Malicious npm Package Typosquats GitHub Actions Artifact

🔍 Cybersecurity researchers uncovered a malicious npm package, @acitons/artifact, that typosquats the legitimate @actions/artifact package to target GitHub-owned repositories. Veracode says versions 4.0.12–4.0.17 included a post-install hook that downloaded and executed a payload intended to exfiltrate build tokens and then publish artifacts as GitHub. The actor (npm user blakesdev) removed the offending versions and the last public npm release remains 4.0.10. Recommended actions include removing the malicious versions, auditing dependencies for typosquats, rotating exposed tokens, and hardening CI/CD supply-chain protections.
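One of the recommended actions above, auditing dependencies for typosquats, is easy to automate against a lockfile. The script below is an added example and is not code from the page, from Veracode or from the GitHub Actions project; it serves both @acitons/artifact items on this page. It assumes a trusted-package allowlist you would replace with your own, and the lockfile it scans is constructed here (the `hasInstallScript` flag is what npm records in lockfile v2/v3 for packages with preinstall/install/postinstall scripts, which is how a post-install hook like the one described would show up).

```javascript
// Added example (not from the page, Veracode or the GitHub Actions project):
// audit an npm lockfile for names a typo away from trusted packages and for
// packages that run install-time scripts. TRUSTED_PACKAGES is an assumed
// allowlist; SAMPLE_LOCK is constructed to mirror the @acitons/artifact case.
const TRUSTED_PACKAGES = ["@actions/artifact", "@actions/core", "@actions/github", "@actions/exec"];

const SAMPLE_LOCK = {
  name: "demo-workflow",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@acitons/artifact": "^4.0.12", "@actions/core": "^1.10.1" } },
    "node_modules/@acitons/artifact": { version: "4.0.12", hasInstallScript: true },
    "node_modules/@actions/core": { version: "1.10.1" },
  },
};

// Optimal string alignment distance: insert/delete/substitute plus one adjacent
// transposition, so "acitons" vs "actions" scores 1 rather than Levenshtein's 2.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Package name for a lockfile "packages" key such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i < 0 ? path : path.slice(i + marker.length);
}

// Returns findings: near-miss names against the allowlist (scope typos included,
// since the whole "@scope/name" string is compared) and install-script packages.
function auditLock(lock, trusted, maxDistance = 2) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const name = entry.name || nameFromPath(path);
    if (!trusted.includes(name)) {
      let best = null;
      for (const t of trusted) {
        const distance = osaDistance(name, t);
        if (distance <= maxDistance && (best === null || distance < best.distance)) {
          best = { lookalikeOf: t, distance };
        }
      }
      if (best) findings.push({ name, version: entry.version, reason: "possible typosquat", ...best });
    }
    if (entry.hasInstallScript) {
      findings.push({ name, version: entry.version, reason: "install lifecycle script" });
    }
  }
  return findings;
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK, TRUSTED_PACKAGES), null, 2));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`; pair it with `npm install --ignore-scripts` in CI so a lookalike cannot run its hook before the audit has a chance to flag it.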

Tue, November 11, 2025

Fantasy Hub: Android RAT sold on Telegram as MaaS service

🔒 Cybersecurity researchers disclosed a new Android remote access trojan, Fantasy Hub, marketed on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. The offering includes turnkey builders, bot-driven subscriptions, custom trojanized APKs and a C2 panel for managing compromised devices and exfiltrating SMS, contacts, media and call logs. Sellers also provide fake Google Play landing pages and instructions for abusing the default SMS handler role and deploying overlays to intercept banking 2FA codes and harvest credentials.
