All news in category "Incidents and Data Breaches"

Chinese Hackers Exploit Hard-to-Patch Windows Shortcut Flaw

🛡️Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The vulnerability allows command-line instructions to be concealed in .LNK whitespace so attackers can display decoy PDFs—such as an agenda for a European Commission meeting—while executing payloads that deploy the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (i.e., ZDI-CAN-25373, later CVE-2025-9491), but Microsoft has so far declined to fully patch it; Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries like cnmpaui.exe, and blocking C2 domains as interim mitigations.

Offensive 'We got hacked' emails sent from Penn addresses

📧 The University of Pennsylvania distributed a series of offensive emails to students and alumni claiming data was stolen in a breach and urging action. The messages, with the subject line "We got hacked (Action Required)", were sent from multiple Penn addresses, including the Graduate School of Education, via the connect.upenn.edu mailing-list platform hosted on Salesforce Marketing Cloud. Penn's Office of Information Security said the messages are fraudulent, its Incident Response team is investigating, and the university has placed a website banner advising recipients to disregard or delete the emails.

Nation-State Airstalk Malware Uses AirWatch via API

🛡️ Palo Alto Networks Unit 42 linked a suspected nation-state cluster (CL-STA-1009) to a new backdoor named Airstalk that abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel. The malware appears in PowerShell and more capable .NET variants and can capture screenshots, harvest browser cookies, history and bookmarks, and enumerate user files. Airstalk misuses MDM custom attributes as a dead-drop resolver and leverages the API blobs feature to exfiltrate large artifacts; some .NET samples were signed with a likely stolen certificate.

Australia warns of BadCandy infections on Cisco devices

⚠️ The Australian Signals Directorate warns of ongoing attacks against unpatched Cisco IOS XE devices being backdoored with the Lua-based BadCandy webshell. The exploited flaw, CVE-2023-20198, allows unauthenticated actors to create local admin accounts via the web UI and execute commands with root privileges. Cisco issued a patch in October 2023, but many internet-exposed devices remain vulnerable and have been repeatedly re-infected.

Conduent Breach Exposes Data of Over 10.5 Million People

🔒 Conduent has confirmed a breach affecting more than 10.5 million individuals, with customer notices sent in October 2025 after the incident was discovered on 13 January 2025. Unauthorized access reportedly began on 21 October 2024 and persisted for nearly three months. The criminal group SafePay claimed responsibility and said it exfiltrated large volumes of data, potentially including names, Social Security numbers, dates of birth, and medical and insurance information.

China-Linked UNC6384 Exploits Windows LNK Vulnerability

🔒 A China-affiliated group tracked as UNC6384 exploited an unpatched Windows shortcut flaw (ZDI-CAN-25373, CVE-2025-9491) to target diplomatic and government entities in Europe between September and October 2025. According to Arctic Wolf, the campaign used spear-phishing links to deliver malicious LNK files that launch a PowerShell stager, sideload a CanonStager DLL, and deploy the PlugX remote access trojan. Microsoft says Defender detections and Smart App Control can help block this activity.

Russian Police Arrest Suspected Meduza Stealer Operators

🔒 Russian authorities have arrested three individuals in Moscow accused of creating and operating the Meduza information‑stealing malware. Announced on Telegram by police general Irina Volk, investigators say the group developed and distributed Meduza via hacker forums around two years ago and offered it as a subscription-based service. The tool steals browser-stored credentials and cryptocurrency data and, since December 2023, can resurrect expired Chrome authentication cookies to facilitate account takeover. Authorities opened a criminal case after operators targeted an Astrakhan institution and seized confidential server data.

China-linked Tick exploits Lanscope flaw to deploy backdoor

⚠️ Sophos and JPCERT/CC have linked active exploitation of a critical Motex Lanscope Endpoint Manager vulnerability (CVE-2025-61932, CVSS 9.3) to the China-aligned Tick group. Attackers leveraged the flaw to execute SYSTEM-level commands and drop a Gokcpdoor backdoor, observed in both server and client variants that create covert C2 channels. The campaign used DLL side-loading to run an OAED Loader, deployed the Havoc post-exploitation framework on select hosts, and used tools like goddi and tunneled Remote Desktop for lateral movement. Organizations are advised to upgrade or isolate internet-facing LANSCOPE servers and review deployments of the MR and DA agents.

Chinese-Linked Hackers Exploit Windows Shortcut Flaw

🔎 Researchers at Arctic Wolf Labs uncovered a September–October 2025 cyber-espionage campaign that used a Windows shortcut vulnerability to target Belgian and Hungarian diplomatic entities. The operation, attributed to UNC6384 and likely tied to Mustang Panda (TEMP.Hex), combined spear phishing with malicious .LNK files exploiting ZDI-CAN-25373 and deployed a multi-stage chain ending in the PlugX RAT. Attackers used DLL side-loading, signed Canon utilities and obfuscated PowerShell to extract and execute an encrypted payload while displaying decoy diplomatic PDFs.

Chinese Hackers Exploit Windows LNK Zero-Day to Spy

🔒 A China-linked threat group is exploiting a high-severity Windows .LNK zero-day (CVE-2025-9491) to deploy the PlugX remote-access trojan against European diplomatic targets. The campaign begins with spearphishing that delivers malicious shortcut files themed around NATO and European Commission events. Researchers at Arctic Wolf Labs and StrikeReady attribute the activity to UNC6384 (Mustang Panda) and report the operation has expanded beyond Hungary and Belgium to other EU states. With no official patch available, defenders are urged to restrict .LNK usage and block identified C2 infrastructure.

Ukrainian Extradited from Ireland on Conti Ransomware Charges

🔒 A 43-year-old Ukrainian national, Oleksii Lytvynenko, has been extradited from Ireland to the United States on charges tied to the Conti ransomware operation. U.S. authorities allege he controlled stolen data and participated in sending ransom notes during double-extortion attacks between 2020 and June 2022. Arrested by An Garda Síochána in July 2023, Lytvynenko could face up to 25 years in prison if convicted. Prosecutors say the conspiracy extorted cryptocurrency and targeted victims across multiple jurisdictions.

Eclipse Foundation Revokes Leaked Open VSX Tokens Promptly

🔒 The Eclipse Foundation said it revoked a small number of Open VSX access tokens after Wiz reported several VS Code extensions had inadvertently exposed credentials in public repositories. The exposures were attributed to developer error, not an Open VSX infrastructure compromise. Open VSX introduced an ovsxp_ token prefix, removed flagged extensions, reduced default token lifetimes, and plans automated scans to bolster supply‑chain defenses.

Malicious npm Packages Use Invisible URL Dependencies

🔍 Researchers at Koi Security uncovered a campaign, PhantomRaven, that has contaminated 126 packages in Microsoft's npm repository by embedding invisible HTTP URL dependencies. These remote links are not fetched or analyzed by typical dependency scanners or npmjs.com, making packages appear to have 0 Dependencies while fetching malicious code at install time. The attackers aim to exfiltrate developer credentials and environment details, and they also exploit AI hallucinations to create plausible package names.

Nation-state Hackers Breach Ribbon Communications' Network

🔒 In a filing with the SEC, Ribbon Communications disclosed that unauthorized actors, reportedly tied to a nation-state, had access to its IT network, with initial intrusion activity traced as far back as December 2024. The company detected the breach in September 2025, has worked to terminate access, and is collaborating with third-party cybersecurity experts and federal law enforcement. Ribbon says it has not yet found evidence of material corporate data theft, although attackers accessed customer files on two laptops outside the main network.

Conduent Confirms Data Breach Affects 10.5 Million People

🔒 Conduent has confirmed a 2024 data breach that state attorney general notifications indicate affected more than 10.5 million people. Reported exposed data includes names, Social Security numbers, full dates of birth, health insurance policy or ID numbers, and medical information. Conduent says the environment was first compromised on October 21, 2024 and discovered in January 2025; as of October 24, 2025 it reports no evidence the stolen data has been misused. Affected individuals are advised to obtain credit reports and consider fraud alerts or a security freeze; the company did not offer identity monitoring services.

Ex-L3Harris Executive Pleads Guilty to Selling Exploits

🔒 Peter Williams, a former general manager at L3Harris Trenchant, pleaded guilty in U.S. court to stealing and selling protected cyber-exploit components between 2022 and 2025. Prosecutors say he removed at least eight sensitive trade-secret exploit components intended for exclusive government use and sold them to a broker that works with the Russian government for $1.3 million in cryptocurrency. He now faces up to 10 years in prison and significant fines.

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.

Human Cost of UK Government's Afghan Data Leak Exposed

🔓 A leaked Ministry of Defence spreadsheet in February 2022 exposed thousands of Afghan nationals who assisted UK forces, and research from the charity Refugee Legal Support shows the fallout continues. Survivors report murder, torture, repeated home searches and persistent Taliban threats; 49 people are reported to have lost relatives or colleagues. Only a minority were offered relocation to the UK, underscoring how data leaks and inadequate responses can cause real, ongoing harm.

AdaptixC2 Abused by Ransomware Operators Worldwide

⚠️ Silent Push reports a surge in malicious use of AdaptixC2, an open-source adversarial emulation framework that researchers say is now being delivered by the CountLoader malware as part of active ransomware operations. Deployments accelerated after new detection signatures were released, and public incident reports show increased sightings across multiple intrusions. Analysts flagged the developer alias RalfHacker and issued indicators covering Golang C2 traffic and unknown C++/QT executables.

LinkedIn Phishing Targets Finance Executives With Fake Board

🔒 Hackers are exploiting LinkedIn direct messages to phish finance executives with messages claiming to invite recipients to an executive board and leading to credential-harvesting pages. Push Security says victims are redirected — including via a Google open redirect — to a Firebase-hosted 'LinkedIn Cloud Share' page that urges users to click a 'View with Microsoft' button. That flow then presents a Cloudflare Turnstile and a fake Microsoft sign-in used as an adversary-in-the-middle to capture credentials and session cookies; organizations should verify senders, avoid unsolicited links, and enforce MFA and conditional access.