All news in category "Incidents and Data Breaches"

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.

Fake 'Inflation Refund' Texts Target New Yorkers in NY

🔔 A new smishing campaign impersonates the New York Department of Taxation and Finance, sending texts that urge recipients to submit payment information to process an 'Inflation Refund.' Links lead to a counterfeit site requesting name, address, phone, email and Social Security Number. New Yorkers are reminded the refund is automatic for eligible taxpayers and agencies will not text or call for payment details. Report suspicious messages to the Tax Department or IRS.

Spain Dismantles GXC Team Cybercrime Syndicate, Leader Held

🔒 Spanish Guardia Civil have dismantled the GXC Team cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as GoogleXcoder. The group operated a crime-as-a-service platform on Telegram and a Russian-speaking forum, selling AI-driven phishing kits, Android malware that intercepted SMS/OTPs, and voice-scam tools. Authorities seized devices, source code, communication logs, and recovered stolen cryptocurrency. Nationwide raids on May 20 led to channel takedowns and the identification of additional suspects; the investigation remains ongoing.

Widespread SonicWall SSL VPN Compromise Hits 100+ Accounts

🔒 Huntress warns of a widespread compromise of SonicWall SSL VPN devices that allowed threat actors to rapidly authenticate into multiple accounts across customer environments. Activity began on October 4, 2025, impacting over 100 VPN accounts across 16 customers, with logins traced to IP 202.155.8[.]73. While some intrusions disconnected quickly, others involved network scanning and attempts to access local Windows accounts. Organizations are urged to reset firewall credentials, restrict WAN management, revoke exposed API keys, monitor logins, and enforce MFA.

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.

Scattered Lapsus$ Hunters: Risks to Retail & Hospitality

🔒 Scattered Lapsus$ Hunters, with core actors such as Bling Libra, claim responsibility for large-scale theft of Salesforce customer data and launched a public data leak site in early October 2025. The group operates an extortion-as-a-service model, recruiting affiliates to send targeted executive extortion messages and taking revenue shares from payments. Recent activity included a Clearnet domain seizure by law enforcement and threatening deadlines for victim disclosures. Retail and hospitality organizations face heightened risks of identity theft, account takeover, returns and loyalty fraud; Unit 42 recommends secrets scanning, zero trust controls, least privilege and participation in industry ISACs.

FBI Seizes BreachForums Servers as Salesforce Deadline Nears

🔒 The FBI, US Department of Justice and French authorities seized the BreachForums domain and parts of its backend on Oct. 9, disrupting infrastructure tied to an alliance of threat actors including ShinyHunters, Scattered Spider and LAPSUS$. The action followed threats to publish alleged Salesforce customer data unless a ransom was paid by Oct. 10. Although the primary forum domain now displays a takedown notice, a separate leak site remains active and the extortion campaign appears to be continuing. Experts advise organizations to audit Salesforce configurations, enable OAuth app governance, and enforce token and session hygiene immediately.

SonicWall: Cloud Backup Data Theft Impacts All Users

🔒 SonicWall has confirmed that threat actors stole backup files configured for the MySonicWall cloud backup service, and that the incident affects all customers using the feature. The company says the files contain encrypted credentials and configuration data, which could raise the risk of targeted attacks despite encryption. SonicWall has published an urgency-classified device list and a detailed admin playbook; customers are urged to check devices and apply updates promptly.

BreachForums Seized; Hackers Promise Salesforce Leak

🚨 Law enforcement in the United States and France have seized domains tied to the BreachForums hacking forum, and the seized site now displays an official takedown banner pointing victims to an IC3 subdomain. Observers caution the action may be largely symbolic because a dark‑web instance remains active and no public arrests of administrators were confirmed. A collective calling itself Scattered LAPSUS$ Hunters says it will still release one billion records allegedly taken from Salesforce customers on 10 October 2025, while Salesforce has reportedly told clients it will not pay a ransom.

Aisuru Botnet Floods U.S. ISPs in Record DDoS Attack

🛰️ Aisuru, now the world’s largest IoT botnet, is drawing the majority of its attack volume from compromised consumer devices hosted by U.S. ISPs such as AT&T, Comcast and Verizon. In early October the botnet briefly generated a near‑30 terabit-per-second traffic flood, underscoring its rapidly expanding scale and destructive reach. The attacks have targeted gaming-focused networks and protection providers, causing widespread collateral congestion and forcing providers to reassess outbound mitigation. Built on Mirai-derived code, Aisuru is also being marketed as a residential proxy service, complicating attribution and remediation.

Stealit Malware Uses Node.js SEA, Electron for Delivery

⚠️ Fortinet FortiGuard Labs has detailed an active campaign dubbed Stealit that uses Node.js Single Executable Application (SEA) packaging—and in some builds, the Electron framework—to deliver credential-stealing and remote-access payloads. Operators distribute counterfeit game and VPN installers via file-hosting sites and messaging platforms, which drop three primary executables that perform browser and messenger data theft, wallet extraction, and persistence with live screen streaming. Installers run anti-analysis checks, write a Base64 authentication key to %temp%\cache.json for C2 authentication, and configure Microsoft Defender exclusions to conceal downloaded components.

Microsoft: 'Payroll Pirates' Hijack HR SaaS Accounts

🔒 Microsoft warns that a financially motivated group tracked as Storm-2657 is hijacking employee accounts to redirect payroll by altering profiles in third-party HR SaaS platforms such as Workday. Attacks rely on AitM phishing, MFA gaps and SSO abuse rather than software vulnerabilities. Observed tactics include creating inbox rules to delete warning notifications and enrolling attacker-controlled phone numbers for persistent access. Microsoft reported compromises at multiple U.S. universities and recommends phishing-resistant, passwordless MFA such as FIDO2 keys, and reviews of MFA devices and mailbox rules to detect takeover.

Stealit Campaign Abuses Node.js Single Executable Packaging

🔍 FortiGuard Labs identified an active Stealit campaign that distributes malware packaged with Node.js Single Executable Application (SEA) technology to create standalone Windows binaries. Operators deliver fake game and VPN installers via file-sharing sites and Discord, using multi-layer obfuscation and in-memory execution. The modular payloads harvest browser data, extension-based crypto wallets, and provide remote access, with persistence via a startup Visual Basic script. Fortinet provides detections and recommends updating protections and user training.

Data Leak at SonicWall Impacts All Cloud Backup Customers

🔓On September 17, security vendor SonicWall disclosed that cybercriminals exfiltrated backup files configured for its MySonicWall cloud backup service. The company initially reported the incident affected 'less than five percent' of customers but has since updated that all Cloud Backup users who used the feature are impacted. Stolen files include encrypted credentials and configuration data, which could enable targeted attacks despite encryption. SonicWall has published an affected-device list and a detailed remediation playbook for administrators.

Velociraptor Abuse Enables Stealthy Ransomware Campaigns

🔒 Researchers report that the open-source DFIR tool Velociraptor was abused by threat actors to maintain stealthy persistent access while deploying multiple ransomware families, including Warlock, LockBit and Babuk. Cisco Talos observed the activity in August 2025 and attributed the multi-vector operation to a China-linked cluster tracked as Storm-2603. Attackers exploited a vulnerable agent (v0.73.4.0) via CVE-2025-6264 to escalate privileges and persist; defenders are urged to verify deployments and update to v0.73.5 or later.

175 Malicious npm Packages Used in Large-Scale Phishing

⚠️ Researchers have identified 175 malicious packages on the npm registry used as infrastructure for a widespread phishing campaign called Beamglea. The packages, collectively downloaded about 26,000 times, host redirect scripts served via unpkg.com that route victims to credential-harvesting pages. Attackers automated package publication and embedded victim-specific emails into generated HTML, pre-filling login fields to increase the likelihood of successful credential capture.

Google: Clop Exfiltrated Data via Oracle E-Business Flaw

🔍 Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

FBI Seizes BreachForums Portal Used in Salesforce Extortion

🔒 The FBI, in coordination with French authorities, seized BreachForums domains used by the ShinyHunters group as a portal for leaking corporate data and facilitating extortion. Nameservers were updated on October 9 and law enforcement reports they obtained backups and backend servers dating back to 2023, though the actors' dark‑web leak site remains online. ShinyHunters confirmed the takeover via a PGP‑signed Telegram post and warned the Salesforce campaign will continue.

Russia-Aligned Hacktivist Fooled by Water Honeypot

💧Forescout disclosed that a Russia-aligned hacktivist group, TwoNet, was tricked into attacking a honeypot designed to look like a water treatment utility. The actor accessed the HMI with default credentials and created an account named BARLATI to carry out defacement, PLC manipulation, log suppression and process disruption. Forescout said this incident reflects a broader shift from DDoS and defacement toward OT/ICS targeting and provided mitigation guidance.