All news in category "Incidents and Data Breaches"

Lazarus Operation DreamJob Targets European Defense

🔍 North Korean-linked Lazarus actors ran an Operation DreamJob campaign in late March that targeted three European defense companies involved in UAV technology. Using fake recruitment lures, victims were tricked into installing trojanized open-source applications and plugins which loaded malicious payloads via DLL sideloading. Final-stage malware included the ScoringMathTea RAT, while an alternate chain used the BinMergeLoader (MISTPEN) to abuse Microsoft Graph API tokens. ESET published extensive IoCs to aid detection.

YouTube Ghost Network: Disrupting a Massive Malware Campaign

🛡️ Check Point Research uncovered the YouTube Ghost Network, a large-scale operation that used fake and compromised accounts to distribute infostealers like Rhadamanthys and Lumma. More than 3,000 malicious videos — often disguised as cracked software or game hacks — were reported and removed after being linked to password-protected archives that carried the malware. Compromised accounts, coordinated comment manipulation, and false endorsements were used to build trust and drive downloads.

Serious F5 Breach: Build System and BIG-IP Code Compromised

⚠️ F5 disclosed a major intrusion in which a sophisticated, likely nation-state threat actor maintained long-term access to its internal network. During the compromise the attackers gained control of the build and distribution environment for BIG-IP updates and exfiltrated proprietary source code, documentation of unpatched vulnerabilities, and customer configuration files. F5 warned this data could enable widespread supply-chain and targeted attacks against many sensitive networks.

'Jingle Thief' Exploits Cloud to Steal Gift Cards at Scale

🔒Researchers detail a threat cluster called Jingle Thief that leverages phishing and smishing to harvest credentials and compromise cloud environments of retailers and consumer services to issue unauthorized gift cards. Palo Alto Networks Unit 42 links the activity to financially motivated actors and notes coordinated campaigns in April-May 2025. The attackers favor identity misuse over malware, persistently mapping tenants, abusing Microsoft 365 services, and minimizing logs to sustain large-scale fraud.

Jaguar Land Rover Cyberattack: Costliest in UK History

🔒 The cyberattack on Jaguar Land Rover in late August forced a global shutdown of IT systems and halted production across its factories. According to the Cyber Monitoring Centre, the weeks-long outage inflicted an estimated £1.9 billion in losses and affected more than 5,000 organizations, including suppliers and dealers. The UK government intervened with guarantees and up to £1.5 billion in support to secure the supply chain as production is gradually resumed.

Over 250 Magento Stores Targeted Using SessionReaper Bug

⚠️ Sansec warns that threat actors have begun exploiting CVE-2025-54236 (SessionReaper) in Adobe Commerce and Magento Open Source, with over 250 attack attempts recorded in 24 hours. The critical (CVSS 9.1) improper input validation flaw can enable customer account takeover via the Commerce REST API, and Adobe released a patch last month. Sansec cautions that 62% of Magento stores remain unpatched six weeks after disclosure, and observed activity includes dropping PHP webshells via '/customer/address_file/upload' and probing phpinfo from several attacker IPs.

Lazarus Targets UAV Sector with Operation DreamJob

🛩️ ESET researchers observed a renewed Operation DreamJob campaign that targeted European defense and UAV-related companies and has been linked to the North Korea-aligned Lazarus group. Attackers used social-engineering lures and trojanized open-source projects on GitHub to deliver loaders and the ScoringMathTea RAT. Techniques included DLL side-loading, reflective in-memory loading and encrypted C2 channels. The apparent objective was theft of proprietary UAV designs and manufacturing know-how.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Iranian MuddyWater Targets 100+ Governments with Phoenix

⚠ State-sponsored Iranian group MuddyWater deployed version 4 of the Phoenix backdoor against more than 100 government and diplomatic entities across the Middle East and North Africa. The campaign began on August 19 with phishing sent from a NordVPN-compromised account and used malicious Word macros to drop a FakeUpdate loader that writes C:\ProgramData\sysprocupdate.exe. Researchers observed Phoenix v4 using AES-encrypted embedded payloads, COM-based persistence, WinHTTP C2 communications and an accompanying Chrome infostealer, while server-side C2 was taken offline on August 24, suggesting a shift in operational tooling.

Iran-Linked MuddyWater Targets 100+ Organisations Globally

🔒 Group-IB links a broad espionage campaign to Iran-aligned MuddyWater that leveraged a compromised email account accessed via NordVPN to send convincing phishing messages. The actor distributed weaponized Microsoft Word documents that coax recipients to enable macros, which execute VBA droppers that write and decode a FakeUpdate loader. FakeUpdate installs an AES-encrypted payload that launches the Phoenix v4 backdoor. Targets exceeded 100 organisations across the MENA region, predominantly diplomatic and government entities.

PhantomCaptcha Phishing Targets Ukraine Aid Groups

🕵️ SentinelOne describes a coordinated spear-phishing campaign named PhantomCaptcha that used booby-trapped PDFs and a fake Zoom site to deliver a WebSocket-based remote access trojan (RAT). The October 8, 2025 operation targeted members of humanitarian and government organizations connected to Ukraine, including Red Cross, UNICEF Ukraine, and several regional administrations. Victims were lured to a ClickFix-style fake Cloudflare CAPTCHA that prompted a malicious PowerShell command, which fetched an obfuscated downloader and a second-stage payload. The final WebSocket RAT connects to wss://bsnowcommunications[.]com:80 and enables remote command execution, data exfiltration, and further malware deployment.

PhantomCaptcha campaign targets Ukraine relief organisations

🛡️Researchers uncovered the 'PhantomCaptcha' phishing campaign that impersonated the Ukrainian President's Office to target humanitarian and government organisations supporting Ukraine relief efforts. Beginning 8 October 2025, malicious PDFs directed recipients to a fake Zoom site and a Cloudflare-like verification page that tricked users into executing PowerShell via a 'Paste and Run' technique. The multi-stage malware included a large obfuscated downloader, a reconnaissance module and a WebSocket-based RAT. SentinelLABS and the Digital Security Lab of Ukraine advise monitoring PowerShell, enforcing execution policies and tracking suspicious WebSocket connections.

FinWise Breach Highlights Encryption and Insider Risk

🔒 The FinWise data breach involved a former employee who retained credentials and accessed systems on May 31, 2024, exposing personal records for 689,000 American First Finance customers. The intrusion remained undetected until June 18, 2025, prompting lawsuits alleging inadequate encryption and weak security governance. Experts say robust protection requires not only encryption but effective key management, strict access controls, and proactive monitoring. Vendor solutions such as D.AMO are presented as integrated platforms combining encryption, an isolated KMS, and centralized control to mitigate insider risk.

MuddyWater Exploits Compromised Mailboxes in Global Phishing

🔒 Researchers have uncovered a global phishing campaign that used compromised mailboxes to deliver malicious Microsoft Word attachments, attributed with high confidence to the Iran-linked actor MuddyWater by Group-IB. The operation abused a NordVPN-accessed mailbox to send trusted-looking messages that prompted users to enable macros, which then installed the Phoenix v4 backdoor. Investigators also found RMM tools (PDQ, Action1, ScreenConnect) and a Chromium_Stealer credential stealer, while infrastructure traced to the domain screenai[.]online and an IP tied to NameCheap-hosted services.

PhantomCaptcha ClickFix Attack Targets Ukraine Relief Orgs

🛡️ A one-day spearphishing campaign named PhantomCaptcha targeted Ukrainian regional government officials and multiple war-relief organizations on October 8, using malicious PDFs that linked to a fake Zoom domain and impersonated the President’s Office. According to SentinelLABS, the operation used a fake Cloudflare CAPTCHA to trick victims into copying and pasting a token into the Windows Command Prompt, which executed a PowerShell downloader and deployed a WebSocket RAT. The lightweight RAT provided remote command execution and data exfiltration capabilities, and researchers found follow-on activity delivering spyware-laced Android APKs to users in Lviv.

Chinese Groups Exploit ToolShell SharePoint Flaw Widespread

🔒 Symantec reports that China-linked threat actors exploited the ToolShell vulnerability in Microsoft SharePoint (CVE-2025-53770) weeks after Microsoft issued a July 2025 patch, compromising a Middle Eastern telecom and multiple government and corporate targets across regions. Attackers used loaders and backdoors such as KrustyLoader, ShadowPad and Zingdoor, and in several incidents employed DLL side-loading and privilege escalation via CVE-2021-36942. Symantec notes the operations aimed at credential theft, stealthy persistence, and likely espionage, with activity linked to groups including Linen Typhoon, Violet Typhoon, Storm-2603 and Salt Typhoon.

Google Careers Phishing Targets Job Seekers' Credentials

🔒 Scammers are impersonating Google’s Careers recruiting outreach to trick job seekers into a fake booking flow that ends on a spoofed Google login page, harvesting account credentials and cloud data. Researchers at Sublime Security documented HTML evasion techniques, abused delivery services, dynamic phishing kits and C2 servers. Organizations should enforce strong MFA, monitor anomalous logins, and train employees to treat unsolicited recruiter invitations with skepticism.

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.

JLR Hack Deemed UK’s Costliest Cyber Incident at £1.9bn

🔒The Cyber Monitoring Centre (CMC) concluded that the August 2025 cyber-attack on Jaguar Land Rover (JLR) produced an estimated UK financial impact of £1.9bn ($2.55bn) and affected more than 5,000 organisations. The CMC said the vast majority of the cost derived from halted manufacturing after an IT shutdown that stopped production at major UK plants and disrupted suppliers and dealer systems. Analysts ranked the incident a Category 3 systemic event and warned costs could rise if operational technology or intellectual property were compromised. Industry experts called for stronger governmental oversight and for boards to treat cybersecurity as a strategic risk.

Typosquatted Nethereum NuGet Package Steals Wallet Keys

🔒Security researchers uncovered a NuGet typosquat, Netherеum.All, created to harvest cryptocurrency wallet secrets and exfiltrate them to a hidden command-and-control server. Uploaded on October 16, 2025 by user "nethereumgroup" and removed four days later, the package uses a Cyrillic 'e' homoglyph to impersonate Nethereum and falsely claims 11.7 million downloads to appear legitimate. Socket analysts found an XOR-decoded C2 endpoint (solananetworkinstance[.]info/api/gads) and a payload in EIP70221TransactionService.Shuffle that steals mnemonics, private keys, and keystore files. Developers are advised to verify publisher identity, watch for sudden download surges, and monitor anomalous network traffic before adding dependencies.