
All news in category “Incidents and Data Breaches”

2740 articles · page 19 of 137

ThreatsDay: Defender 0-Day, Excel RCE and Supply Chain Risks

🛡️ This week's bulletin highlights both legacy and emerging threats, including a published Microsoft Defender privilege escalation exploit (RedSun) and a 17‑year‑old Excel RCE (CVE‑2009‑0238) newly added to CISA's KEV. Incidents range from a Zerion hot-wallet compromise (~$100K stolen through AI‑enabled social engineering) to a fake macOS Ledger app that drained about $9.5M. Researchers also disclosed novel C2 frameworks, a WordPress plugin supply-chain backdoor affecting 180k+ installs, and a surge in SonicWall/FortiGate brute-force probing. The collection underscores the need to patch promptly, validate app-store integrity, rotate credentials, and audit third-party dependencies.

Obsidian Plugin Abuse Delivers PHANTOMPULSE Remote RAT

🛡️ A novel social engineering campaign abused the Obsidian note-taking app to deliver a previously undocumented Windows remote access trojan dubbed PHANTOMPULSE. Elastic Security Labs tracked the activity as REF6598, reporting attackers lured financial and cryptocurrency professionals via LinkedIn and Telegram before asking them to open a cloud-hosted Obsidian vault. By convincing victims to enable the Installed community plugins sync, actors leveraged legitimate Shell Commands and Hider plugins to execute malicious JSON-configured payloads and run signed Electron-based loaders that hand off execution. The campaign underscores the risk of trusted applications and targeted social engineering as initial access vectors.

McGraw Hill Salesforce Misconfiguration Exposes 13.5M Accounts

🔒 The ShinyHunters extortion group has published data tied to 13.5 million McGraw Hill user accounts after exploiting a misconfiguration in a Salesforce-hosted webpage. McGraw Hill confirmed unauthorized access to a limited set of data and said its internal systems, courseware and customer databases were not affected. The leaked files, totalling over 100GB according to Have I Been Pwned, contain names, email addresses, phone numbers and physical addresses that could be used for targeted spear‑phishing.

Bank Pixel Redirects Logged-In Users to Temu Tracker

🔍 A Taboola tracking pixel approved by a bank silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge, user consent, or any security control flagging a violation. Reflectiz discovered the chain during a February 2026 audit: an initial GET to sync.taboola.com returned a 302 to a temu.com pixel and included Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests. Conventional tools missed the behavior because they validate the declared script origin rather than runtime redirect destinations. Organizations should inspect browser runtime behavior, tighten CSPs, and consider sandboxing third-party scripts on authenticated pages.

PowMix PowerShell Botnet Targets Czech Workforce Campaign

🔍 Cisco Talos identified an active PowerShell-based botnet dubbed PowMix, operating since at least December 2025 and targeting organizations and job applicants in the Czech Republic. The campaign deploys phishing ZIP archives containing LNK shortcuts that launch an obfuscated PowerShell loader which bypasses AMSI and executes a decrypted payload in memory. Talos observed tactical overlap with ZipLine and published IOCs and detection guidance.

Ransomware Emerges as Top Threat to Automotive Sector

🔒 A new report from Halcyon warns that ransomware has become the fastest-growing and most disruptive cyber threat to the automotive sector, accounting for 44% of attacks on carmakers in 2025 after incidents more than doubled that year. The vendor links the surge to connected vehicle platforms, OTA update mechanisms, cloud services and insecure third-party suppliers. Recommended mitigations include patching edge devices, deploying phishing-resistant MFA, hardening EDR, maintaining immutable offline backups and enforcing supplier security requirements.

U.S. Nationals Sent to Prison for Assisting DPRK IT Hires

🔒 Two U.S. nationals were sentenced to prison for facilitating a scheme that placed North Korean IT workers as faux U.S. employees at more than 100 American companies, including Fortune 500 firms. Between 2021 and October 2024 the pair generated over $5 million for DPRK-linked operations and caused roughly $3 million in corporate losses by using the stolen identities of more than 80 U.S. citizens. They set up shell companies, fake websites, bank accounts, and even hosted company-issued laptops in U.S. homes to mask the remote workers' true locations.

UAC-0247 Campaign Targets Ukrainian Clinics, Hospitals

🛡️ CERT-UA has disclosed a campaign, dubbed UAC-0247, that between March and April 2026 targeted government and municipal healthcare organizations — primarily clinics and emergency hospitals — to deliver credential-stealing malware. Attacks begin with spear-phishing links leading to compromised or AI-generated sites that drop a Windows Shortcut (LNK) executing an HTA via mshta.exe, which loads multi-stage loaders and payloads such as RAVENSHELL, AGINGFLY, and the PowerShell-based SILENTLOOP. The intrusions enable reconnaissance, lateral movement, and theft of data from Chromium-based browsers and WhatsApp; CERT-UA advises restricting execution of LNK/HTA/JS, limiting use of abused utilities, and blocking suspicious connections.

AgingFly malware targets Ukrainian government and hospitals

⚠️ AgingFly is a newly observed C# remote-access malware used in targeted attacks against Ukrainian local governments, hospitals, and potentially Defense Forces that steals authentication data from Chromium-based browsers and WhatsApp for Windows. The campaign begins with phishing emails linking to a compromised site or an AI-generated fake page and delivers an archive with an LNK that launches an HTA; the HTA displays a decoy form while creating a scheduled task to download and run a staged EXE which injects shellcode. The actor uses open-source forensic utilities such as ChromElevator and ZAPiDESK to extract cookies, saved passwords, and WhatsApp databases, and relies on tools like RustScan, Ligolo-ng, and Chisel for reconnaissance and lateral movement. CERT-UA attributes the cluster to UAC-0247 and recommends blocking LNK, HTA, and JS execution to disrupt this attack chain.

EssentialPlugin WordPress Suite Compromised, Malware Push

🔐 More than 30 plugins in the EssentialPlugin package were found to contain a backdoor that grants unauthorized access to sites. The malicious code was introduced after the project's acquisition in August 2025 but remained dormant until recently, when updates delivered a downloader that injects malware into wp-config.php. The payload selectively displayed spam to Googlebot and used an Ethereum-based C2 for evasion. WordPress.org closed the affected plugins and issued a forced update, though configuration files may still be infected.

Signed Adware Used to Deploy Antivirus-Killing Scripts

🔒 Huntress researchers uncovered a digitally signed adware campaign that deployed SYSTEM‑privilege payloads to disable antivirus protections on thousands of endpoints. The binaries, signed by Dragon Boss Solutions LLC and bundled in browser-like PUPs such as Chromstera and WorldWideWeb, used an Advanced Installer MSI to drop a PowerShell script, ClockRemoval.ps1, which stops services, uninstalls AVs, edits the hosts file and persists via WMI and scheduled tasks. After registering the operator’s unclaimed update domain, Huntress sinkholed infrastructure and observed over 23,500 infected hosts checking in across 124 countries, including hundreds in high-value networks. Administrators are urged to search for specific WMI subscriptions, scheduled tasks, blocked vendor domains in hosts, and processes signed by the publisher.

Threat Actors Abusing n8n Webhooks Since Oct 2025 Alert

⚠️ Cisco Talos researchers report that threat actors have abused n8n managed cloud webhooks since October 2025 to deliver malicious payloads and fingerprint devices via email. Attackers embed URLs on the shared *.app.n8n.cloud subdomain so returned HTML executes in recipients' browsers, sometimes prompting a CAPTCHA that triggers JavaScript-initiated downloads. Observed campaigns delivered modified RMM installers for persistence and used invisible tracking pixels to confirm opens, with message volume jumping sharply by March 2026.

Signed Adware Operation Disables Antivirus on 23,000 Hosts

⚠️ Huntress has identified a signed adware operation linked to Dragon Boss Solutions LLC that has disabled antivirus products on approximately 23,565 endpoints worldwide. The campaign leverages a legitimate code‑signing certificate and an MSI update mechanism to deploy a PowerShell payload, ClockRemoval.ps1, which systematically kills, uninstalls and blocks reinstallation of AVs. Targets include Malwarebytes, Kaspersky, McAfee and ESET, and persistence is maintained via scheduled tasks and WMI event subscriptions. Researchers sinkholed an unregistered update domain and observed infections across 124 countries, including universities, utilities and government networks.

108 Malicious Chrome Extensions Target Google, Telegram

🔒 Researchers at Socket uncovered 108 malicious Google Chrome extensions that collectively amassed about 20,000 installs and reported to a single command-and-control server. Published under five publisher identities, the add-ons posed as games, Telegram sidebars, and enhancement tools while exfiltrating Google account data, hijacking Telegram Web sessions, opening arbitrary URLs, and injecting ads and scripts. Some source files contained Russian-language comments; attribution remains unconfirmed. Users should remove any identified extensions and log out of Telegram Web sessions immediately.

Kraken Faces Extortion After Insider Access to Support Data

🔒 Kraken says a criminal group is attempting to extort the exchange by threatening to release videos that show internal support systems containing client data. The company says the incident resulted from an insider threat, with two instances of improper access by support employees and exposure limited to client support data. About 2,000 accounts (0.02% of users) were affected; Kraken says funds were never at risk. The exchange will not pay or negotiate and is working with federal law enforcement.

Over 100 Chrome Extensions Steal Accounts and Data

🔒 Researchers at Socket have discovered more than 100 malicious Chrome extensions in the official Web Store that harvest Google OAuth2 bearer tokens, hijack sessions, deploy backdoors, and conduct ad fraud. The extensions were published under multiple publisher identities and span categories such as Telegram sidebars, games, video enhancers, translation tools, and utilities. Socket links the campaign to a centralized command-and-control backend hosted on a Contabo VPS and notes code comments that suggest a Russian malware-as-a-service operation. Users are urged to check installed extensions against the IDs Socket published and remove any matches immediately.

McGraw-Hill Confirms Limited Data Exposure via Salesforce

🔒 McGraw-Hill says unauthorized actors accessed a limited set of data hosted on a Salesforce webpage after a platform misconfiguration. The company emphasized this did not involve unauthorized entry to its Salesforce accounts, customer databases, courseware, or internal systems, and that exposed information was non-sensitive. McGraw-Hill secured the pages, engaged external cybersecurity experts, and is working with Salesforce to strengthen protections amid an extortion claim by ShinyHunters.

Fake Ledger Live macOS App Stole $9.5M in Crypto from Users

🔒 A malicious macOS app impersonating Ledger Live on the Apple App Store drained approximately $9.5 million in cryptocurrency from 50 users after they were tricked into entering their seed/recovery phrases. Blockchain investigator ZachXBT traced funds moved across multiple chains (Bitcoin, Ethereum, Tron, Solana, Ripple) and funneled through more than 150 deposit addresses tied to a centralized mixer called "AudiA6" on KuCoin. Apple removed the fraudulent app after multiple reports, and KuCoin says it has frozen the implicated accounts pending further action. Ledger provides a Mac app on its website but not through the App Store; users are urged to download only from official vendor channels.

AI-Powered Pushpaganda Scam Hijacks Google Discover

🔔 Researchers uncovered 'Pushpaganda', an ad fraud campaign that uses search engine poisoning and AI-generated content to surface deceptive stories in Google Discover and trick Android and Chrome users into enabling persistent browser notifications. Once enabled, the alerts deliver scareware-style legal threats and redirect victims through actor-controlled domains that generate illicit ad revenue and funnel users to financial scams. HUMAN's findings link the operation to hundreds of domains and hundreds of millions of bid requests, and Google has deployed a fix.

China-aligned ELF Backdoor Harvests Cloud Credentials

🔐 Breakglass Intelligence reports that China-aligned APT41 is deploying an obfuscated Linux ELF backdoor to harvest cloud credentials across AWS, GCP, Azure and Alibaba Cloud. The implant uses a selective SMTP-based C2 over port 25 and typosquatted Alibaba-themed domains hosted in Singapore to exfiltrate tokens and metadata while avoiding scanners. The malware queries instance metadata endpoints (169.254.169.254), sends stolen IAM, service account and managed identity credentials, and emits periodic UDP broadcasts to 255.255.255.255:6006 to coordinate lateral movement. Defenders should monitor SMTP egress, unusual metadata access, unknown ELF binaries, and connections to Alibaba-lookalike domains.