CISO Brief

All news in category “Incidents and Data Breaches”

2733 articles · page 25 of 137

Drift Loses $280M as North Korean Hackers Seize Council

🔒 Drift Protocol lost at least $280 million after an attacker seized administrative control of its Security Council and drained protocol funds. Blockchain intelligence firms Elliptic and TRM Labs linked the operation to North Korean actors, citing on-chain tradecraft such as Tornado Cash use, CarbonVote timing, cross-chain bridging, and rapid laundering. Drift says no smart contract bugs or seed phrases were compromised; core functions are frozen while investigations continue.

Drift loses $280M after attacker seizes Security Council

🔒 The Drift Protocol lost approximately $280 million after an attacker obtained administrative control of its Security Council by leveraging durable nonce accounts and pre-signed transactions to delay execution and strike at a chosen time. Drift stresses that no programs or smart contracts were exploited and no seed phrases were compromised. Protocol functions are largely frozen while the team coordinates with security firms, exchanges, and law enforcement.

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.

Stryker Fully Operational After Large Data‑Wiping Attack

🔐 Stryker says it is fully operational three weeks after a March 11 cyberattack in which the Handala group claimed to have stolen roughly 50 TB of data and wiped nearly 80,000 devices. Investigators say attackers created a new Global Administrator account after compromising a Windows domain admin and used a malicious file to conceal activity. Stryker prioritized restoring systems for ordering, shipping and production and is working with third‑party cybersecurity experts and government agencies as the investigation continues.

GitHub Used as Covert Channel in Multi-Stage Malware

🔒 A multi-stage malware campaign leveraging GitHub as a covert C2 channel has been observed targeting users in South Korea, according to an advisory from Fortinet. Attackers distribute malicious .LNK shortcut files that drop decoy PDFs while executing obfuscated PowerShell and VBScript payloads silently in the background. Recent variants embed decoding routines directly within LNK arguments, remove identifying metadata, and exfiltrate system information and logs to GitHub repositories using hardcoded tokens. The campaign exemplifies modern living-off-the-land tactics that abuse legitimate Windows utilities and developer infrastructure to evade detection.

DPRK-Linked LNK Campaigns Leveraging GitHub for C2

🔒 FortiGuard Labs identified a multi-stage campaign using malicious LNK shortcut files that target Microsoft Windows users in South Korea. The attacker embeds decoding routines inside LNK arguments to drop a decoy PDF while executing hidden PowerShell payloads. Those scripts perform anti-analysis checks, establish persistence via Scheduled Tasks and VBScript, and use GitHub API calls as a covert C2 and exfiltration channel. Fortinet signatures detect these components and block the activity.

EvilTokens Abuses Microsoft Device-Code Flow for Takeovers

⚠️ Sekoia researchers uncovered a phishing-as-a-service toolkit named EvilTokens that abuses Microsoft's device code authentication flow to capture valid access tokens by tricking victims into entering device codes on official Microsoft login pages. The kit bundles phishing lures, AI-driven automation, inbox harvesting and post-compromise modules to weaponize access. Operators distribute the service through Telegram bots and channels, and Sekoia observed activity since at least mid-February targeting countries including the US, Australia, Canada, France, India, Switzerland and the UAE.

REF1695: Fake Installers Deliver RATs and Miners Campaign

🔍 Elastic Security Labs researchers documented a financially motivated operation, REF1695, active since November 2023 that uses fake ISO installers to deliver remote access trojans and cryptocurrency miners. Recent samples drop a .NET implant called CNB Bot via a .NET Reactor-protected loader and include explicit instructions to bypass Microsoft Defender SmartScreen. The loader invokes PowerShell to add broad Defender exclusions, launches CNB Bot in the background and displays a benign error message while facilitating further payload downloads. The actor hosts staged binaries on GitHub and abuses a signed vulnerable driver (WinRing0x64.sys) to tune CPU settings and boost mining performance.

Alleged Leak of US iPhone Hacking Tool Coruna Reveals

🔓 Google researchers released a report describing Coruna, a sophisticated iPhone exploitation toolkit that chains 23 distinct iOS vulnerabilities into five full exploit techniques capable of bypassing device defenses and silently installing malware when a user visits a crafted website. Analysts note the code’s professional, English-language provenance and say it bears hallmarks of previously attributed US government modules. Reporting from TechCrunch cites former L3Harris employees who say the company’s Trenchant surveillance division helped develop parts of the toolkit and that an insider may have sold components to foreign actors, raising urgent questions about loss of control over offensive cyber capabilities.

UAT-10608: Large-scale automated credential harvesting

🔍 Cisco Talos details a widespread automated credential-harvesting campaign by cluster UAT-10608 that exploited a pre-authentication RCE in React Server Components impacting Next.js applications. Post-exploit scripts collected environment secrets, SSH keys, cloud tokens and container data, exfiltrating results to a web-based C2 called NEXUS Listener. Talos observed at least 766 compromised hosts and over 10,000 files harvested within 24 hours, and found exposed frontends that revealed aggregated victim data.

WhatsApp Alerts 200 Users After Fake iOS App Spyware

⚠️ Meta-owned WhatsApp said it alerted about 200 users, largely in Italy, who were fooled into installing a counterfeit iOS app infected with spyware. The company logged affected accounts out, advised victims to uninstall the malicious app and reinstall the official WhatsApp client, and said it is taking action against Italian firm Asigint, an alleged SIO subsidiary. The alert follows earlier campaigns targeting users with Graphite and chained zero-day exploits in 2025, highlighting persistent misuse of surveillance tools in Europe.

Smashing Security #461: Lost $400M Bitcoin, Ajax Breach

🎣 In episode 461 of Smashing Security, host Graham Cluley and guest Danny Palmer discuss a remarkable Bitcoin mystery: an Irishman who converted drug proceeds into BTC in 2011 now allegedly controls $400 million, but the access codes were hidden in a fishing-rod case that disappeared — until one frozen wallet unexpectedly moved $35 million. The episode also covers a major data breach at Ajax Football Club that may have exposed the personal details of around 300,000 supporters, enabling ticket theft and manipulation of stadium ban lists. Additional topics include an Iran-linked compromise of the FBI director’s personal email, reliability differences between Windows and macOS, and a UK court case in which CCTV footage was used in a crypto theft claim.

TrueConf Zero-Day Used to Deliver Malicious Updates

⚠️ Check Point researchers report attackers exploited a TrueConf zero-day (CVE-2026-3502) to replace legitimate updates with malicious executables delivered from compromised on-premises servers. The vulnerability stems from a missing integrity check in the update mechanism and affected versions 8.1.0 through 8.5.2; TrueConf released a patch in 8.5.3 (March 2026). The campaign, tracked as TrueChaos, targeted government entities in Southeast Asia and likely leveraged Havoc C2, DLL sideloading, and a UAC bypass.

Mitigating the Axios npm Supply Chain Compromise Guidance

⚠️ On March 31, 2026 Microsoft identified two malicious npm releases of Axios (1.14.1 and 0.30.4) that introduced a trojan via a fake dependency plain-crypto-js@4.2.1 executing in a post-install hook to fetch platform-specific RAT payloads. Microsoft attributes the infrastructure and compromise to Sapphire Sleet. Immediate controls include reverting to safe Axios versions, pinning dependencies, rotating secrets, and using Microsoft Defender protections.

EvilTokens kit powers Microsoft device-code phishing

⚠️ EvilTokens is a commercially sold phishing kit that abuses the device code authorization flow to hijack Microsoft accounts and enable advanced BEC operations. Distributed via Telegram, campaigns deliver document lures with QR codes or links to phishing templates impersonating trusted services and workflows. Victims are prompted to authenticate on the real Microsoft device login, producing short-lived access tokens and refresh tokens that give attackers immediate and persistent access. Sekoia reported global campaigns and published IoCs and YARA rules; the author says support for Gmail and Okta is planned.

Axios npm Supply Chain Attack Injects Cross-Platform RAT

⚠ A compromised npm maintainer account led to malicious Axios releases (v1.14.1 and v0.30.4) that introduced a hidden dependency, plain-crypto-js@4.2.1, which deployed a cross-platform remote access trojan (RAT). The postinstall lifecycle script executed a heavily obfuscated Node.js dropper that retrieved platform-specific payloads from a C2 at sfrclak[.]com:8000. Payloads for macOS, Windows and Linux implement a unified RAT protocol with 60-second beacons and capabilities to run commands, inject binaries and remove themselves. Unit 42 recommends immediate isolation, rebuilds from known-good images, credential rotation, dependency pinning and network egress blocking to the C2.

NoVoice Android Malware on Google Play Infects Millions

📱 Researchers at McAfee uncovered NoVoice, an Android rootkit hidden in more than 50 Google Play apps that were downloaded at least 2.3 million times. The apps requested no suspicious permissions and used steganography to hide an encrypted APK payload that exploits historically patched kernel and driver vulnerabilities to gain root. Once rooted, the implant replaces system libraries, disables SELinux, and installs persistent recovery scripts and a watchdog so the rootkit survives factory resets. McAfee reported the apps and Google removed them, but previously infected devices should be considered compromised.

CERT-UA Impersonation Campaign Distributes AGEWHEEZE RAT

📢 CERT-UA disclosed a phishing campaign in which attackers impersonated the agency to distribute a remote access trojan, AGEWHEEZE, via a password-protected ZIP hosted on Files.fm sent March 26–27, 2026. Emails, some originating from incidents@cert-ua.tech, targeted state bodies, medical centers, security firms, educational institutions, financial organizations and developers, urging installation of a purported "protection tool." The Go-based RAT communicates with 54.36.237.92 over WebSockets, supports extensive remote commands and persistence mechanisms, but CERT-UA reports only a handful of personal device infections and provided remediation assistance.

Casbaneiro Phishing Targets Latin America and Europe

🛡️ A coordinated phishing campaign attributed to Brazilian operators known as Augmented Marauder and Water Saci is targeting Spanish-speaking users across Latin America and Europe to deliver Windows banking trojans, notably Casbaneiro, using a secondary spreader named Horabot. The attack begins with court-summons-themed emails containing password‑protected PDFs that link to ZIP archives which deploy HTA, VBS, and AutoIt loaders to unpack encrypted payloads. Researchers at BlueVoyant say the threat actor combines WhatsApp automation, ClickFix social engineering, and an email‑hijacking engine that forges bespoke PDFs via a remote API and abuses compromised Outlook accounts to forward tailored phishing messages.

Chinese APT TA416 Resurges, Targeting European Governments

🐼 Proofpoint researchers reported a renewed wave of cyber espionage by Chinese state-backed group TA416 against EU and NATO diplomatic missions from mid‑2025 into early 2026, later extending into the Middle East. The actor repeatedly changed its initial infection chains—abusing Cloudflare Turnstile challenge pages, leveraging Microsoft Entra ID redirects and using malicious C# project files—while persistently delivering a custom PlugX backdoor via DLL sideloading triads. Campaigns used freemail accounts, compromised diplomatic mailboxes and cloud storage (Azure Blob, Google Drive, SharePoint) to host malicious archives. Proofpoint links TA416 to the broader Mustang Panda cluster and documents use of re-registered domains, VPS providers and Cloudflare CDN to evade detection.