All news in category "Incidents and Data Breaches"

Self-Propagating GlassWorm Targets VS Code Marketplaces

🪲 Researchers at Koi Security have uncovered GlassWorm, a sophisticated self-propagating malware campaign affecting extensions in the OpenVSX and Microsoft VS Code marketplaces. The worm hides executable payloads using Unicode variation selectors, harvests NPM, GitHub and Git credentials, drains 49 cryptocurrency wallets, and deploys SOCKS proxies and hidden VNC servers on developer machines. CISOs are urged to treat this as an immediate incident: inventory VS Code usage, monitor for anomalous outbound connections and long-lived SOCKS/VNC processes, rotate exposed credentials, and block untrusted extension registries.

Russian Star Blizzard shifts to 'Robot' malware families

🔐 The Russian state-backed Star Blizzard group (aka ColdRiver/UNC4057) has shifted to modular, evolving malware families — NOROBOT, YESROBOT, and MAYBEROBOT — delivered through deceptive ClickFix pages that coerce victims into executing a fake "I am not a robot" CAPTCHA. NOROBOT is a malicious DLL executed via rundll32 that establishes persistence through registry changes and scheduled tasks, stages components (including a Windows Python 3.8 install), and, after iteration, primarily delivers a PowerShell backdoor. Google Threat Intelligence Group and Zscaler observed the transition from May through September and reported that ColdRiver abandoned the previously exposed LostKeys tooling shortly after disclosure. GTIG has published IoCs and YARA rules to help defenders detect these campaigns.

Sophisticated Investment Scam Impersonates Singapore Official

🔍 Cybersecurity researchers have uncovered a large-scale investment scam that impersonated Singapore’s top officials, including Prime Minister Lawrence Wong and Minister K Shanmugam, to promote a fraudulent forex platform. The campaign used verified Google Ads, hundreds of fake news domains and deepfake videos, funneling victims through multiple redirects to a Mauritius-registered trading site. Group-IB reported advanced evasion techniques and localized targeting to show scam pages only to Singaporean users, pressuring many to invest and then blocking withdrawals.

UK Contractor Breach Exposes Sensitive RAF and Navy Sites

🔒 A ransomware attack on contractor Dodd Group reportedly allowed Russian-linked attackers to exfiltrate hundreds of sensitive Ministry of Defence documents, including details on RAF Lakenheath, RAF Portreath and RAF Predannack. The company confirmed an incident and said it contained access, while the MoD suspects the Lynx group is behind the intrusion. Leaked files published on the dark web allegedly include site plans and personnel data, and the case is now under investigation amid a wider rise in UK cyber incidents.

John Bolton Charged Over Classified Emails Leak After Hack

🔒Former national security adviser John Bolton has been charged with mishandling classified information after prosecutors say he retained and transmitted sensitive documents via a personal AOL account that was later accessed by suspected Iranian hackers. The intruders allegedly downloaded the materials and sent extortion messages to Bolton. The case highlights questions about password strength, the use of two-step verification, and the risks of sending unencrypted, sensitive information to family members. Bolton has pleaded not guilty.

Coldriver Deploys New 'NoRobot' Malware Suite, 2025

🛡️ Google Threat Intelligence Group (GTIG) has observed the Russian-linked Coldriver group deploying a new, staged malware ecosystem tracked as NoRobot, YesRobot and MaybeRobot. GTIG's October 20, 2025 report shows the campaign replaces the previously disclosed LostKeys strain and begins with a 'ClickFix-style' ColdCopy phishing lure that tricks victims into running a malicious DLL via rundll32.exe. NoRobot functions as a downloader using split-key cryptography and staged payloads; operators briefly used a Python-based backdoor (YesRobot) before switching to a more flexible PowerShell backdoor (MaybeRobot) to reduce detection.

Developers of Lumma Stealer Doxxed in Rival Campaign

🔍Lumma Stealer operations have been disrupted after an underground doxxing campaign exposed personal and operational details of individuals allegedly tied to the malware’s development and administration. Trend Micro links the exposure to rival cybercriminal actors and reports that leaked data—shared on a site called Lumma Rats—included passports, bank details and contact information. The disclosures coincided with reduced C2 activity and the reported compromise of Telegram accounts, prompting many users to seek alternatives such as Vidar and StealC.

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.

Snappybee, Citrix Flaw Used to Breach European Telecom

🔒 A European telecommunications organization was targeted in the first week of July 2025, according to Darktrace, with a threat actor linked to the China-associated group Salt Typhoon gaining initial access via a vulnerable Citrix NetScaler Gateway. The intruders pivoted to Citrix VDA hosts in an MCS subnet and used SoftEther VPN to mask their origin. They deployed Snappybee (aka Deed RAT) via DLL side-loading alongside legitimate antivirus executables; the backdoor called home to aar.gandhibludtric[.]com. Darktrace says the activity was detected and remediated before significant escalation.

China Alleges NSA Cyberattack on National Time Service

🔍 China’s security authorities publicly accused the US National Security Agency of a covert operation against the National Time Service Center, alleging an SMS-service vulnerability was exploited beginning March 25, 2022 to compromise staff phones and steal data. Experts told CSO the claim is technically plausible but there is no public forensic evidence to confirm it conclusively. The alleged intrusion could affect Beijing Time, potentially disrupting communications, finance, power, transportation and space operations. Security specialists recommend hardening time infrastructure, avoiding SMS-based privileged logins, validating clocks against multiple trusted references, deploying cryptographic attestation for time signals, and following guidance from CISA.

Scattered LAPSUS$ Hunters: Recent Activity and Risks

🚨 Unit 42 observed renewed activity from Scattered LAPSUS$ Hunters in early October 2025, including leaked data claims, a defaced clearnet leak site, and announcements of an extortion-as-a-service offering. The actors set a self-imposed ransom deadline of Oct. 10, 2025 and claimed to have released data allegedly from six victim companies across aviation, energy and retail. Unit 42 recommends organizations prepare EaaS incident playbooks and engage third-party responders.

Muji Halts Japan Online Sales After Supplier Ransomware

🔒 Muji has temporarily taken its Japan online store offline after a ransomware attack disrupted logistics systems at its delivery partner, Askul. The outage affects browsing, purchases, order histories in the Muji app, and some web content; Muji is investigating which shipments and pre-attack orders were impacted and will notify affected customers by email. Askul confirmed a ransomware infection suspended orders, shipping, and several customer services while it investigates potential data exposure; international Muji stores remain operational.

GlassWorm Worm Infects OpenVSX and VS Code Extensions

🛡️ A sophisticated supply-chain campaign called GlassWorm is propagating through OpenVSX and Microsoft VS Code extensions and is estimated to have about 35,800 active installs. The malware conceals malicious scripts using invisible Unicode characters, then steals developer credentials and cryptocurrency wallet data while deploying SOCKS proxies and hidden VNC clients for covert access. Operators rely on the Solana blockchain for resilient C2, with Google Calendar and direct-IP fallbacks.

New Russian COLDRIVER Malware: NOROBOT and ROBOTs Variants

🤖 Google Threat Intelligence Group (GTIG) attributes a rapid malware retooling to the Russia-aligned COLDRIVER group after the May 2025 LOSTKEYS disclosure. The campaign uses a COLDCOPY “ClickFix” lure that coerces users to run a malicious DLL via rundll32; the DLL family is tracked as NOROBOT. Early NOROBOT variants fetched a noisy Python backdoor named YESROBOT, which was quickly replaced by a lighter, extensible PowerShell backdoor called MAYBEROBOT. GTIG published IOCs, YARA rules, and protective measures including Safe Browsing coverage and targeted alerts.

Rhysida Ransomware Group Lists German Manufacturer Geiger

🔒 On October 17, the ransomware group Rhysida posted the German machine manufacturer Geiger on a darknet victims list, claiming to offer data stolen from the company. The attackers set an asking price of 10 BTC (roughly €1 million) and indicated a sale deadline of October 24, 2025, without specifying the scope or types of data. Geiger has not publicly responded to the claim. Security researchers characterize Rhysida as financially motivated and likely operating from Russia or the CIS.

Salt Typhoon Exploits Citrix NetScaler in Global Attacks

🔒In a global intrusion tracked by Darktrace, the China-linked group Salt Typhoon exploited a Citrix NetScaler Gateway vulnerability to gain access and maintain persistence. Attackers employed DLL sideloading to deploy the SNAPPYBEE (Deed RAT) backdoor alongside legitimate antivirus executables, then moved laterally to Citrix Virtual Delivery Agent hosts while obscuring origin via SoftEther VPN infrastructure. C2 channels used HTTP (with Internet Explorer user-agent headers and URIs like "/17ABE7F017ABE7F0") and unidentified TCP protocols; the domain aar.gandhibludtric[.]com has prior links to the group. Darktrace emphasised the need for anomaly-based behavioural detection to surface such stealthy activity early.

Developers leaking secrets via VSCode and OpenVSX extensions

🔒 Researchers at Wiz found that careless developers published Visual Studio extensions to the VSCode Marketplace and OpenVSX containing more than 550 validated secrets across over 500 extensions, including API keys and personal access tokens for providers such as OpenAI, AWS, GitHub, Azure DevOps, and multiple databases. The primary cause was bundled dotfiles (notably .env) and hardcoded credentials in source and config files, with AI-related configs and build manifests also contributing. Microsoft and OpenVSX collaborated with Wiz on coordinated remediation: notifying publishers, adding pre-publication secrets scanning, blocking verified secrets, and prefixing OVSX tokens to reduce abuse.

SIMCARTEL Takedown: Major SIM-Box Supply Network Bust

🔒 Law enforcement dismantled a criminal SIM-card supply network known as 'SIMCARTEL' following coordinated actions across multiple European countries. The now-defunct service operated a commercial SIM-box platform that let customers rent phone numbers from over 80 countries to create and manage an estimated 49 million fake online accounts used in phishing, fraud and other serious offences. Authorities seized five servers, around 1,200 SIM-box devices (operating ~40,000 SIMs), hundreds of thousands of SIM cards, froze more than $500,000 in bank funds and over $330,000 in crypto, and took down two domain services linked to the operation.

131 Chrome Extensions Hijack WhatsApp Web for Spam

🔍 Cybersecurity researchers uncovered a coordinated operation that used 131 rebranded Chrome extensions—about 20,905 active users—to inject automation code into WhatsApp Web and conduct large-scale spam campaigns targeting Brazilian users. Socket found the add-ons share a common codebase, design patterns, and infrastructure and are primarily published under WL Extensão variants. The extensions pose a high spam risk by automating bulk outreach and scheduling to evade WhatsApp rate limits and violate Chrome Web Store policies.

Microsoft Revokes 200+ Fraudulent Code-Signing Certificates

🔒 Microsoft Threat Intelligence has revoked more than 200 code-signing certificates that were fraudulently used to sign counterfeit Microsoft Teams installers delivering a persistent backdoor and ransomware. The campaign, tracked as Vanilla Tempest (also known as Vice Spider/Vice Society), employed SEO poisoning and malvertising to lure users to spoofed download sites hosting fake MSTeamsSetup.exe files that deployed the Oyster backdoor and ultimately Rhysida ransomware. Microsoft says the actor abused Trusted Signing and services such as SSL.com, DigiCert and GlobalSign to sign malicious binaries. A fully enabled Microsoft Defender Antivirus detects and blocks these threats, and Microsoft provides guidance through Microsoft Defender for Endpoint for mitigation and investigation.