All news in category "Incidents and Data Breaches"

Europol Disrupts $55M in Crypto Linked to Piracy Ring

🔎 A coordinated Europol-led operation, Intellectual Property Crime Cyber-Patrol Week, targeted online piracy and IP infringement across Europe. Thirty investigators using advanced OSINT methods identified 69 suspect sites, of which 25 illicit IPTV services were referred to crypto service providers and 44 were added to ongoing probes. Authorities traced roughly $55m in cryptocurrency flows tied to those services. The exercise also tested new technologies and reinforced cross-border collaboration among more than 15 countries and private partners.

Python WhatsApp Worm Spreads Eternidade Stealer Across Brazil

📲 Trustwave SpiderLabs describes a Python-based WhatsApp worm that propagates a Delphi credential stealer named Eternidade Stealer across Brazilian devices. The campaign begins with an obfuscated Visual Basic Script dropper that installs both a Python WPPConnect-based propagator and an MSI/AutoIt installer which injects the stealer into svchost.exe. Operators use IMAP to fetch dynamic C2 addresses and apply Brazilian Portuguese geofencing to limit infections to the target region.

Eternidade Stealer: WhatsApp Worm Targets Brazil's Ecosystem

🔒 Trustwave SpiderLabs has identified Eternidade Stealer, a multi-component banking Trojan that combines a Python-based WhatsApp-propagating worm, a Delphi stealer and an MSI dropper to harvest financial credentials and spread laterally. The campaign uses an obfuscated VBScript to deliver two payloads, dynamically retrieves command-and-control via IMAP and activates only on systems using Brazilian Portuguese. Defenders should watch for unexpected MSI or script executions, suspicious WhatsApp messages and indicators linked to the campaign.

Operation WrtHug Hijacks Thousands of ASUS WRT Routers

🔒 Security researchers have uncovered Operation WrtHug, a global campaign that has hijacked thousands of largely end-of-life ASUS WRT routers by chaining at least six known vulnerabilities. Over roughly six months analysts identified about 50,000 unique infected IPs, predominantly in Taiwan, using a distinctive malicious self-signed AiCloud certificate with a 100-year lifetime as an indicator of compromise. Owners are urged to apply ASUS firmware updates or replace unsupported models and disable remote-access features to mitigate risk.

ShinySp1d3r RaaS Emerges - New Encryptor by ShinyHunters

🕷️ An in-development build of the ShinySp1d3r ransomware-as-a-service has surfaced, revealing a Windows encryptor developed by threat actors linked to ShinyHunters and affiliates. The sample shows ChaCha20 file encryption with RSA-2048 key protection, per-file headers beginning with "SPDR" and ending with "ENDS", and automated propagation methods via SCM, WMI, and GPO. The build includes process-killing, EtwEventWrite hooking, free-space overwriting, shadow-copy deletion, anti-analysis measures, and deploys a ransom note (R3ADME_1Vks5fYe.txt) plus a wallpaper; Linux and ESXi versions are reportedly in progress.

California Man Pleads Guilty in $25M Crypto Laundering

🔒 Kunal Mehta, a 45-year-old from Irvine, has pleaded guilty to laundering at least $25 million connected to a wider $230 million cryptocurrency theft. Court documents say Mehta served as a money launderer for a transnational ring that used social engineering between October 2023 and March 2025 to access victims' crypto accounts. Prosecutors allege he created multiple shell companies in 2024, routed wire transfers into bank accounts designed to appear legitimate, and typically charged a 10% fee for converting stolen crypto to cash. Investigators say the group employed mixers, peel chains, pass-through wallets, VPNs, and conversions to Monero, though operational mistakes helped link laundered funds back to the theft.

Data Breach at Eurofiber France Affects Ticketing Systems

🔐 Eurofiber Group said its French subsidiary, Eurofiber France, experienced a breach after attackers exploited a software vulnerability to access its ticket management system and exfiltrate data. The company stated that sensitive bank details and other critical data were not affected. The incident impacted the ATE cloud portal and regional sub-brands (Eurafibre, FullSave, Netiwan, Avelia). Eurofiber says it closed the vulnerability, strengthened controls and engaged cybersecurity experts to support customers.

PlushDaemon Deploys EdgeStepper AitM Malware Globally

🛡️ A China-aligned group known as PlushDaemon has been observed deploying a previously undocumented network implant, codenamed EdgeStepper, to perform adversary-in-the-middle DNS attacks. ESET researchers found an ELF sample (internally called dns_cheat_v2) that forwards DNS traffic to attacker-controlled nodes, enabling update hijacking. Operators then deploy downloaders LittleDaemon and DaemonLogistics to install espionage backdoors.

Cloudflare Outage Caused by Database Permission Change

⚠️ Cloudflare suffered its worst outage in six years after a database permissions change caused its Bot Management system to generate an oversized configuration feature file containing duplicate entries. The file exceeded a hardcoded 200-feature limit, triggering a Rust panic that crashed core proxy software and produced widespread 5xx errors. Engineers restored service by replacing the problematic file, and full recovery was achieved several hours later.

China-linked WrtHug operation hits thousands of ASUS WRT

🔒 SecurityScorecard's STRIKE team warns that Operation “WrtHug” has already compromised thousands of ASUS WRT routers worldwide by chaining six primarily legacy vulnerabilities to gain elevated privileges and persistence. The campaign abuses the ASUS AiCloud service and OS injection flaws, deploying a common self-signed TLS certificate with a 100-year expiry. SecurityScorecard notes geographic clustering, with up to 50% of victims in Taiwan, and assesses a likely China-affiliated ORB-style operation.

PlushDaemon Hijacks Software Updates in Supply-Chain Attacks

🔒 PlushDaemon operators are hijacking software-update traffic using a new network implant named EdgeStepper, ESET researchers report. Attackers compromise routers via known vulnerabilities or weak credentials, intercept DNS queries, and redirect update requests to malicious infrastructure. Trojanized updates deliver a DLL downloader (LittleDaemon), which stages DaemonicLogistics and ultimately loads the SlowStepper backdoor on Windows systems, targeting manufacturers, universities, and industrial sites across multiple countries.

EdgeStepper Backdoor Reroutes DNS to Hijack Updates

🔒 ESET researchers disclosed a Go-based network backdoor dubbed EdgeStepper, used by the China-aligned actor PlushDaemon to reroute DNS queries and enable adversary-in-the-middle (AitM) attacks. EdgeStepper forces update-related DNS lookups to attacker-controlled nodes, delivering a malicious DLL that stages additional components. The chain targets update mechanisms for Chinese applications including Sogou Pinyin and ultimately fetches the SlowStepper backdoor to exfiltrate data.

Fake CAPTCHA Leads to 42-Day Akira Ransomware Compromise

🔒 An employee clicking a fake CAPTCHA (a ClickFix social-engineering lure) on a compromised car dealership site began a 42-day intrusion by Howling Scorpius that delivered the .NET remote access Trojan SectopRAT and ultimately Akira ransomware. Two enterprise EDRs recorded activity but produced few alerts, enabling lateral movement, privilege escalation and the exfiltration of roughly 1 TB. Unit 42 deployed Cortex XSIAM, rebuilt hardened infrastructure, tightened IAM controls and negotiated about a 68% reduction in the ransom demand.

ShadowRay 2.0 Converts Exposed Ray Clusters to Miners

⚠ A global campaign named ShadowRay 2.0 is exploiting an unpatched code-execution flaw (CVE-2023-48022) in Ray clusters to deploy a self-propagating cryptomining botnet. Researchers at Oligo attribute the activity to an actor tracked as IronErn440, which uses AI-generated payloads submitted to Ray’s unauthenticated Jobs API. The malware deploys XMRig to mine Monero, establishes persistence via cron and systemd, and opens reverse shells for interactive control. Operators also throttle CPU use and conceal miners with deceptive names to evade detection.

French Pajemploi Reports Data Breach Affecting 1.2M

🔒 French social security service Pajemploi disclosed a data breach detected on November 14 that may have exposed personal information for up to 1.2 million registered home-based childcare workers and parents. Potentially exfiltrated data includes full names, place of birth, postal addresses, social security numbers, names of banking institutions, Pajemploi numbers, and accreditation numbers. The agency says IBANs, email addresses, phone numbers, and passwords were not accessed. Pajemploi notified CNIL and ANSSI, will inform affected individuals, and URSSAF warned of increased phishing and social engineering risks.

npm Malware Campaign Redirects Visitors to Fake Crypto Sites

🛡️ Researchers from the Socket Threat Research Team uncovered a new npm malware campaign operated by threat actor dino_reborn, distributed across seven packages that executed immediately and fingerprinted visitors. The packages used Adspect proxying and cloaking to distinguish researchers from victims, delivering branded fake CAPTCHAs and dynamic redirects to malicious crypto sites. Anti-analysis measures disabled developer tools and user interactions to hinder inspection.

AI-Enhanced Tuoni Framework Targets US Real Estate Firm

🔍 Morphisec observed an AI-enhanced intrusion in October 2025 that targeted a major US real estate firm using the modular Tuoni C2 framework. The campaign began with a Microsoft Teams impersonation and a PowerShell one-liner that spawned a hidden process to retrieve a secondary script. That loader downloaded a BMP file and used least significant bit steganography to extract shellcode, executing it entirely in memory and reflectively loading TuoniAgent.dll. Researchers noted AI-generated code patterns and an encoded configuration pointing to two C2 servers; Morphisec's AMTD prevented execution.

DoorDash Confirms October 2025 Customer Data Breach

🔒 DoorDash has confirmed a data breach in October 2025 that exposed customers' names, phone numbers, physical addresses and email addresses. The company said an employee was targeted in a social engineering scam that allowed unauthorized access, but there is currently no indication the data has been misused. DoorDash stated that sensitive identifiers and payment information were not accessed and that it has engaged an external firm, notified law enforcement, rolled out security enhancements and issued additional staff training.

Researchers Detail Tuoni C2's Role in Real-Estate Attack

🔒 Cybersecurity researchers disclosed an attempted intrusion against a major U.S. real-estate firm that leveraged the emerging Tuoni C2 and red-team framework. The campaign, observed in mid-October 2025, used Microsoft Teams impersonation and a PowerShell loader that fetched a BMP-steganographed payload from kupaoquan[.]com and executed shellcode in memory. That sequence spawned TuoniAgent.dll, which contacted a C2 server but ultimately failed to achieve its goals. The incident highlights the risk of freely available red-team tooling and AI-assisted code generation being abused by threat actors.

Stadtwerke Detmold Hit by Hacker Attack, IT Shutdown

🔒 Stadtwerke Detmold has reported a widespread IT outage following an apparent hacker attack that prompted the operator to take all systems offline. Online services are unavailable and the company cannot be reached by phone or email. The utility says the supply of drinking water, electricity, gas and district heating remains assured, and customers can report technical problems via a hotline. Authorities are investigating the incident and, so far, no ransom demand has been reported.