CISO Brief

All news in category "Incidents and Data Breaches"


Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen‑Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Security firm Censys found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.

German police identify GandCrab leader on Europol list

🔍 German authorities have identified the operator of the notorious GandCrab ransomware as Danii Shchukin, who used the aliases UNKN and Unknown and is believed to have led the GandCrab/REvil group. Europol has added Shchukin and an associate, Anatoly Kravchuk, to its most-wanted list amid allegations of organized and commercial extortion dating to 2019. German police say Shchukin is accused in 130 cases, with €1.9 million paid in 25 incidents and total economic damage estimated at €35.4 million; both suspects are believed to be in Russia but could be operating in other countries.

GlassWorm Uses Zig Dropper to Infect Multiple IDEs

🐛 A new phase of the GlassWorm campaign uses a Zig-compiled native Node addon embedded in a malicious Open VSX extension named specstudio.code-wakatime-activity-tracker, impersonating WakaTime, to gain OS-level access and stealthily install additional payloads. The addon (installed as win.node on Windows and mac.node on macOS) runs outside the JavaScript sandbox, locates IDEs that support VS Code extensions, downloads a malicious VSIX from an attacker-controlled GitHub account, and silently installs it across detected editors. The second-stage extension then reads commands from the Solana blockchain to obtain its C2, exfiltrates sensitive data, and deploys a RAT that ultimately installs an information-stealing Chrome extension; affected users should assume compromise and rotate secrets.

Hungarian government email passwords exposed before election

🔐 An analysis by Bellingcat found passwords for almost 800 Hungarian government email accounts circulating online, many tied to national-security roles. The exposure affected 12 of 13 government departments and involved weak, easily guessed credentials such as variations of "Password", sequences like "1234567", and simple surnames. The leaks reflect poor email hygiene rather than a sophisticated intrusion, and experts urge stronger credential practices including password managers and passkeys. Security teams are urged to deploy enterprise controls and regular training to prevent similar exposures.

CPUID Supply-Chain Attack Distributes Malware to Users

⚠️ Hackers altered an API on the CPUID website and replaced official download links to serve trojanized installers for CPU-Z and HWMonitor, distributing a malicious file labeled HWiNFO_Monitor_Setup. The package launches a Russian installer wrapped with Inno Setup and was delivered via Cloudflare R2, while original signed binaries appear intact. Security researchers report a multi-stage, mostly in-memory loader that uses proxying of NTDLL calls from a .NET assembly to evade EDR/AV detection. CPUID says the secondary API was compromised for roughly six hours (April 9–10) and that the breach has been fixed.

Microsoft: Payroll pirate attacks target Canadian staff

🔒 Microsoft says financially motivated group Storm-2755 is stealing Canadian employees' salary payments by hijacking Microsoft 365 accounts using malicious sign-in pages and AiTM tactics that capture authentication tokens and session cookies. Attackers used malvertising and SEO poisoning to promote fake Microsoft 365 sign-in forms, allowing them to bypass legacy MFA. They create inbox rules to hide payroll messages and either social engineer HR to change direct deposit details or directly update payroll platforms such as Workday using stolen sessions.

Backdoored Smart Slider 3 Pro Update Distributes Backdoor

🔒 A compromised update for Smart Slider 3 Pro (v3.5.1.35) was delivered through the plugin’s official update channel on April 7, 2026, and remained accessible for roughly six hours before detection. Security firm Patchstack and maintainer Nextend confirmed unauthorized access to Nextend’s update infrastructure and that a fully attacker-authored build was distributed. The trojanized update installs a multi-stage backdoor that provides pre-authenticated RCE, hidden administrative accounts, multi-location persistence, and automatic data exfiltration to a command-and-control domain; operators should update to v3.5.1.36 and audit affected sites. The free Smart Slider edition is not impacted.

LucidRook Lua Malware Targets NGOs and Universities

🛡️ Cisco Talos has identified a new Lua-based backdoor called LucidRook used in October 2025 spear-phishing operations targeting NGOs and universities in Taiwan. Attackers delivered payloads via password-protected archives and deployed either an LNK shortcut chain that dropped a loader named LucidPawn or a fake antivirus EXE. LucidPawn sideloads a malicious DLL (DismCore.dll) and embeds a Lua interpreter to fetch obfuscated bytecode, enabling modular updates while reducing forensic visibility. Collected reconnaissance is RSA-encrypted and exfiltrated via FTP; a related tool, LucidKnight, was observed abusing Gmail SMTP for data exfiltration.

VENOM PhaaS Phishing Targets C-Suite Microsoft Logins

🔒 Abnormal researchers disclosed a targeted phishing-as-a-service called VENOM that has been active since at least last November and focuses on stealing C-suite Microsoft credentials. The campaign uses personalized SharePoint-style emails, injected fake threads, and Unicode QR codes to move victims to mobile-based landing pages while evading scanners. VENOM hides target addresses using double Base64 in URL fragments and filters out researchers before presenting an AiTM proxy or device-code flow that captures passwords, MFA codes, and session tokens. Researchers recommend FIDO2, disabling unused device-code flows, and tighter conditional access to mitigate token abuse.

Dutch EHR Vendor ChipSoft Disrupts Services After Ransomware

🔒 Dutch healthcare software vendor ChipSoft has confirmed a ransomware incident that forced it to take its website and patient-facing digital services offline. The provider of the HiX EHR platform warned of "possible unauthorized access" and advised customers to disconnect affected systems while it investigates. The national healthcare CERT, Z-CERT, is coordinating response efforts with ChipSoft and impacted hospitals.

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds a Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.

Smart Slider update system hijacked to push malware

🔒 Smart Slider 3 Pro update infrastructure was hijacked to push a malicious 3.5.1.35 release to WordPress and Joomla sites. The tampered update preserved normal slider functionality while installing multiple backdoors, creating a hidden administrator account, and exfiltrating credentials. The vendor urges immediate upgrade to 3.5.1.36 (or restoring to 3.5.1.34 or earlier) and advises treating affected sites as fully compromised.

STX RAT Uses Stealth Tactics to Target Finance Sector

🔐 eSentire's Threat Response Unit identified a previously undocumented remote access trojan, STX RAT, after an attempted deployment in a financial services environment in late February 2026. The malware uses multi-stage, script-based delivery and in-memory execution to evade detection, leveraging XXTEA encryption, Zlib compression and reflective PowerShell loaders. It delays credential theft until instructed by an encrypted C2 channel and implements registry autoruns and COM hijacking for persistence. Organizations should strengthen endpoint protections and limit exposure to script-based attack vectors.

Investigating Storm-2755: Payroll pirate attacks in Canada

🔒 Microsoft Incident Response researchers detail a Storm-2755 campaign that used malvertising and SEO poisoning to phish Canadian users and capture OAuth tokens and credentials via adversary-in-the-middle (AiTM) proxying. The actor replayed tokens (notably using the Axios/1.7.9 user-agent) to hijack authenticated sessions and bypass non-phishing-resistant MFA. Compromised accounts were used to search for payroll and HR data, create hidden inbox rules, and in some cases directly modify Workday payment information, resulting in at least one confirmed payroll diversion. Microsoft urges immediate token revocation, removal of malicious inbox rules, and adoption of phishing-resistant MFA and device-based conditional access.

Bitcoin Depot Reports $3.6M Theft After System Breach

🔒 Bitcoin Depot detected unauthorized access to parts of its corporate IT environment on March 23, which allowed attackers to use compromised credentials tied to digital asset settlement accounts. Threat actors transferred 50.903 Bitcoin (approximately $3.66m) out of company-controlled wallets before the activity was blocked. The company says customer-facing platforms and customer data were not affected, and operations have not been materially disrupted. External cybersecurity specialists and law enforcement are assisting the ongoing investigation.

ClickFix variant uses one-click Script Editor exploit

🛡️ Researchers at Jamf Threat Labs report a ClickFix campaign that opens Script Editor via the applescript:// URL scheme, preloading a malicious script with a single browser click. This bypasses Terminal paste protections introduced in macOS Tahoe 26.4 and removes a major user decision point. The lightweight script decodes a hidden URL, uses curl to retrieve a payload, and launches a new Atomic Stealer variant. Script Editor behavior can vary by macOS version; recent builds may prompt to save before execution.

Atomic Stealer ClickFix Shift Targets macOS Script Editor

🛡️ Jamf Threat Labs has identified a macOS malware campaign delivering the Atomic Stealer (AMOS) infostealer/backdoor using a ClickFix social engineering technique that now leverages Script Editor instead of Terminal. Attackers display fake Apple guidance in a browser window to convince users to paste and run malicious commands, bypassing Terminal paste-scanning warnings added in the macOS 26.4 update. Network defenders are advised to restrict clipboard and run-dialog use, limit execution of untrusted binaries, and block suspicious adverts and sites.

Fake BTS ARIRANG Tour Ticket Websites Target Fans Worldwide

🎟️ Scammers are exploiting BTS's ARIRANG world tour pre-sales by cloning official ticket pages for multiple countries, creating at least 10 fraudulent domains observed in early April. These lookalike sites replicate the purchase flow and pressure fans into instant payments — in Brazil many victims are urged to pay via PIX, sending funds to mule accounts that are difficult to recover. To avoid fraud, fans should use only the official tour page, verify domains, confirm country-specific sales formats, and contact banks immediately if scammed. Enable banking alerts and use security software that blocks phishing sites.

Middle East Hack-for-Hire Campaign Linked to Bitter APT

🔒 A spear-phishing campaign targeting Middle Eastern civil society and journalists has been linked to the South Asian threat actor Bitter, according to Access Now and mobile-security firm Lookout. Active from 2023 through 2025, the operation used Android spyware tracked as ProSpy and deceptive staging sites to deliver malicious APKs and harvest credentials. Attackers attempted Apple and Google account takeovers and could exfiltrate files, messages, contacts, geolocation and remotely enable microphones and cameras.

Bitter-Linked Hack-for-Hire Targets MENA Journalists

🔎 Access Now, Lookout, and SMEX report a coordinated hack-for-hire campaign that targeted journalists, activists, and officials across the MENA region from 2023–2025. The operation used spear-phishing, OAuth consent-based pages, and messaging-platform lures to harvest credentials and two-factor codes. Observed domains impersonated Apple, Signal, Telegram, and Android services, and infrastructure overlaps link activity to a cluster known as Bitter. One Apple account was compromised while other intrusion attempts were blocked.