
All news in category “Incidents and Data Breaches”

2740 articles · page 22 of 137

Eurail Data Breach Exposes Personal Details of 308,777

🚆 Eurail says attackers stole personal information for over 300,000 customers after an unauthorized transfer of files from its network on December 26, 2025. The company disclosed the incident publicly in February and notified affected individuals by letter on March 27, reporting that records contained names, passport numbers and other sensitive identifiers. A sample of the stolen data was posted on Telegram and put up for sale on the dark web; Eurail advises customers to update Rail Planner passwords, reset reused passwords elsewhere, monitor bank accounts, and watch for phishing and suspicious transactions.

Google Warns of Extortion Group Targeting BPOs and Helpdesks

🔒 Google Threat Intelligence Group warns that UNC6783, a financially motivated cluster possibly tied to the 'Raccoon' persona, is targeting business process outsourcers (BPOs) and large enterprises via live chat social engineering. The campaign directs employees to spoofed Okta login pages hosted on Zendesk-like domains such as [.]zendesk-support[.]com and uses a phishing kit that steals clipboard contents to bypass MFA and enroll attacker devices for persistence. GTIG also observed fake security updates delivering remote access malware and the use of Proton Mail to deliver ransom notes. Organizations should deploy phishing-resistant MFA like FIDO2 keys, monitor live chat, block unauthorized domains and audit new MFA enrollments.

Bitcoin Depot Breach: $3.66M Stolen from Company Wallets

🪙 Bitcoin Depot confirmed on March 23, 2026 that an unauthorized actor accessed portions of its corporate IT environment and transferred approximately 50.903 BTC (about $3.665 million) from company-controlled wallets. The operator of more than 25,000 Bitcoin ATMs said it promptly activated incident response protocols, engaged external cybersecurity experts, and notified law enforcement while believing customer platforms and systems were not affected. On April 6, the company declared the incident material and warned that its cyber insurance may not cover all losses as the investigation continues.

LinkedIn 'Browsergate' and violent crypto delivery robberies

🔍 A German privacy group, Fairlinked, reports that LinkedIn injects a large JavaScript payload into Chrome-based browsers that scans for over 6,000 installed extensions and collects device signals on many interaction events. The code allegedly harvests extension presence, CPU/memory/screen and other metadata and ties those fingerprints to logged-in identities. LinkedIn disputes the characterisation, saying the checks target scraping and policy-violating extensions. Users are advised to consider non-Chrome browsers and reduce extension exposure to limit profiling.

Attackers Hide Credit-Card Skimmer in 1×1 SVG Pixel

🔍 Sansec researchers uncovered a campaign that embeds a credit-card skimmer into Magento storefronts by hiding it inside a 1×1-pixel SVG element with an onload handler. The handler stores the entire payload as a base64 string that is decoded via atob() and executed inline, avoiding detection of external scripts. When shoppers click checkout, a fake Secure Checkout overlay validates card and billing fields in real time and exfiltrates the data as XOR-encrypted, base64-obfuscated JSON; Sansec identified six exfiltration domains and published actionable mitigations.

Google: UNC6783 targets BPOs to steal Zendesk tickets

🔐 Google warns that UNC6783 is compromising business process outsourcing (BPO) providers to steal corporate support tickets and other sensitive data for extortion. Attackers use social engineering, live-chat phishing, and spoofed Zendesk-style domains plus fake Okta login pages; observed phishing kits can exfiltrate clipboard contents to bypass MFA and register devices. The group also distributes fake security updates to deliver remote access malware and then contacts victims via ProtonMail; Google recommends deploying FIDO2 keys, monitoring live chat, blocking spoofed domains, and auditing MFA enrollments.

macOS Atomic Stealer campaign leverages Script Editor

⚠️ Researchers at Jamf observed a ClickFix variation that uses the built-in Script Editor and the applescript:// URL scheme to deliver the Atomic Stealer (AMOS) to macOS users. Victims are lured to fake Apple-themed pages that launch Script Editor with prefilled AppleScript executing an obfuscated "curl | zsh" chain, avoiding the need to open Terminal. The delivered code decodes a base64+gzip payload, writes a Mach-O binary to /tmp/helper, strips extended attributes with "xattr -c", makes it executable, and runs it. Treat Script Editor prompts as high risk and follow official Apple troubleshooting guidance rather than third-party guides.

Chaos Malware Targets Misconfigured Cloud Deployments

🔍 Cybersecurity firm Darktrace has identified a new variant of the Chaos botnet that targets misconfigured cloud deployments, expanding the malware's focus beyond routers and edge devices. The 64-bit ELF binary was delivered to a deliberately misconfigured Hadoop honeypot via an HTTP request that created an application embedding shell commands to fetch and execute the payload from pan.tenire[.]com. The updated sample removes SSH- and router-based spread features and instead implements a SOCKS proxy, enabling compromised hosts to relay attacker traffic and broadening the botnet's monetization and evasion capabilities.

Masjesu (XorBot) Botnet: Stealthy DDoS-for-Hire Service

🛡️ Masjesu, also tracked as XorBot, is a stealthy DDoS-for-hire botnet that targets diverse IoT devices including routers, gateways, cameras, DVRs and NVRs. First observed in 2023 and updated through 2024, it uses XOR-based obfuscation, avoids blocklisted ranges (including DoD IPs), and emphasizes persistence and low visibility. After binding a hard-coded TCP port (55988) the malware establishes persistence, disables common tools like wget and curl, and connects to remote controllers to receive flood commands. Its traffic is concentrated in Vietnam, Ukraine, Iran, Brazil, Kenya and India, with Vietnam accounting for nearly half of observed activity.

APT28 Deploys PRISMEX Malware Against Ukraine Allies

🔍 Trend Micro links a targeted spear-phishing campaign to APT28 that delivers a previously undocumented malware suite called PRISMEX, active since at least September 2025. The operation blends steganography, COM DLL hijacking, and abuse of legitimate cloud services to retrieve and execute in-memory payloads. Researchers observed rapid weaponization of CVE-2026-21509 and CVE-2026-21513, with overlapping infrastructure such as "wellnesscaremed[.]com". The toolkit includes PrismexSheet, PrismexDrop, PrismexLoader and a COVENANT-based stager that has been associated with both espionage and destructive wiper activity.

Iran-linked PLC Attacks Disrupt US Critical Infrastructure

⚠️ Six US agencies warn an Iranian-affiliated group has compromised internet-exposed programmable logic controllers at water, energy, and government facilities since at least March 2026. The actors used leased overseas infrastructure and legitimate Rockwell Automation configuration tools to access CompactLogix and Micro850 controllers. Victims suffered operational disruption, project file theft, altered SCADA/HMI data, and persistent remote access.

Forest Blizzard Hijacks Routers to Enable AiTM Attacks

🔒 Forest Blizzard, tracked as APT28, is compromising home and small-office routers to redirect traffic through attacker-controlled DNS servers and enable post-compromise adversary-in-the-middle (AiTM) attacks. Microsoft observed the actor likely using dnsmasq to answer DNS queries on port 53 and selectively spoof DNS responses to redirect users to malicious infrastructure. Targeted domains included Outlook on the web, where attackers presented invalid TLS certificates to intercept plaintext if users bypassed warnings. Microsoft reports more than 200 organizations and 5,000 consumer devices affected, with government, IT, telecom and energy sectors prioritized.

Malicious litellm Wheel Found in Python Package Index

⚠️ TrueSec reports a malicious supply-chain compromise in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file named litellm_init.pth (34,628 bytes) that the Python interpreter executes automatically on every startup, without requiring any explicit import of the module. This behavior enables silent, persistent code execution on affected systems and increases the risk to downstream projects and production environments. The incident underscores the urgent need for SBOMs, SLSA, and Sigstore adoption to harden supply-chain defenses.

US Disrupts APT28 DNS Hijacking Network Targeting Routers

🛡️ The US Department of Justice and FBI led a court-authorized operation to neutralize a DNS hijacking network run by Russian APT28 that had compromised SOHO routers across 23 US states. Dubbed Operation Masquerade, the effort sent commands to affected routers to collect evidence and reset malicious DNS resolvers to legitimate ISP settings. Agencies say the remediation did not harm router functionality and can be reversed by users via factory reset or web management pages. Authorities urged owners to update firmware, verify DNS settings and replace end-of-life devices.

LucidRook: Lua-Based Stager Targeting Taiwanese NGOs

🛡️ Cisco Talos disclosed a targeted spear-phishing campaign delivering LucidRook, a Lua-based stager that embeds a Lua 5.4 interpreter and Rust-compiled libraries inside a DLL to fetch and run staged Lua bytecode. The threat actor delivered payloads via password-protected archives and used decoy documents to distract victims while the dropper executed. Two delivery chains were observed: an LNK dropper, LucidPawn, and a .NET EXE masquerading as antivirus; both abused public FTP services and OAST domains. Execution is gated to Traditional Chinese locales linked to Taiwan.

Iran-Backed Hackers Target US CNI via Internet-Facing OT

⚠ Iranian-affiliated threat actors have been exploiting internet-facing operational technology (OT) assets to target US critical national infrastructure (CNI) providers since late March, according to a CISA advisory. Attackers used vendor configuration tools such as Rockwell Automation's Studio 5000 Logix Designer to create accepted connections to PLCs and manipulated HMI/SCADA displays. Observed inbound traffic used ports 44818, 2222, 102, 22 and 502 and included deployment of Dropbear SSH for remote access. Agencies urge immediate log review, segmentation, and removal of direct internet exposure for PLCs.

N. Korea-linked Campaign Pushes 1,700 Malicious Packages

🔒 Socket Security researchers say the North Korea-linked campaign known as Contagious Interview has published more than 1,700 malicious packages across npm, PyPI, Go, Rust and Packagist. The packages impersonate legitimate developer tooling and act as loaders that fetch platform-specific malware with infostealer and RAT capabilities. A Windows variant delivered through license-utils-kit behaves as a full implant, enabling command execution, keystroke logging, browser and wallet theft, file exfiltration and remote access via AnyDesk.

Iran-Linked Hackers Disrupt U.S. OT Devices and PLCs

🔒 Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across U.S. critical infrastructure, including energy, water and government facilities. U.S. agencies warn attackers used third-party hosted infrastructure and Rockwell Automation tools to connect to CompactLogix and Micro850 PLCs, deploy Dropbear SSH, extract project files, and manipulate HMI/SCADA displays, causing degraded functionality and disruption. Organizations are advised to remove internet exposure, enforce multi-factor authentication, place firewalls or proxies in front of PLCs, disable unused features, keep devices up to date, and monitor for anomalous traffic.

Snowflake Customers Targeted After SaaS Integrator Breach

🔐 Over a dozen companies experienced data theft after attackers used stolen authentication tokens from a breached SaaS integrator to access cloud accounts. The majority of observed incidents targeted Snowflake, which reported "unusual activity" and said a small number of customer accounts were impacted. Snowflake emphasized that its systems were not compromised and that it locked down potentially affected accounts and notified customers. BleepingComputer sources point to an alleged breach at Anodot, and the extortion gang ShinyHunters claims responsibility.

US: Iranian Hackers Target Internet-Exposed PLCs Nationwide

⚠️ U.S. agencies warn that Iranian-affiliated APT actors are actively targeting Internet-exposed Rockwell/Allen-Bradley and other PLCs on networks supporting critical infrastructure sectors such as Water, Energy, and Government Services. The joint advisory from the FBI, CISA, NSA, DOE, EPA, and U.S. Cyber Command states intrusions since March 2026 have caused operational disruption, extraction of device project files, and manipulation of HMI/SCADA displays. Organizations are advised to disconnect PLCs from the Internet or protect them behind firewalls, apply the latest firmware, enable multifactor authentication for OT access, disable unused services and default keys, and monitor OT ports and logs for the advisory's indicators of compromise.