
All news in category "Incidents and Data Breaches"

Tue, October 14, 2025

Malicious npm, PyPI and RubyGems Packages Use Discord C2

⚠️ Researchers at a software supply chain security firm found multiple malicious packages across npm, PyPI, and RubyGems that use Discord webhooks as a command-and-control channel to exfiltrate developer secrets. Examples include npm packages that siphon config files and a Ruby gem that sends host files like /etc/passwd to a hard-coded webhook. The investigators warn that webhook-based C2 is cheap, fast, and blends into normal traffic, enabling early-stage compromise via install-time hooks and build scripts. The disclosure also links a large North Korean campaign that published hundreds of malicious packages to deliver stealers and backdoors.


Tue, October 14, 2025

Cyberattack Targets German Federal Employment Agency

🔒 In a coordinated operation, eight suspects attempted to hijack unemployment payments by accessing roughly 20,000 accounts of the Federal Employment Agency (BA) between late January and mid‑March. Investigators report about 1,000 accounts were accessed and bank details altered in 150 cases; early intervention limited losses to under €1,000. Searches across several states recovered devices, cash, weapons and narcotics, and two suspects are currently detained.


Tue, October 14, 2025

Researchers Expose TA585 Delivering MonsterV2 RAT via Phishing

🔎 Proofpoint researchers detailed a previously undocumented actor, TA585, observed delivering the off‑the‑shelf malware MonsterV2 through tailored phishing chains. The actor appears to manage its entire operation — infrastructure, delivery, and payload installation — employing web injections, CAPTCHA overlays and ClickFix social engineering to trigger PowerShell or Run commands. MonsterV2 functions as a RAT, stealer and loader with HVNC, keylogging, clipboard clippers and a C++ crypter (SonicCrypt) to evade detection. Proofpoint also links parts of the infrastructure to other stealer campaigns and highlights commercialized pricing and geographic filtering in its monetization.


Mon, October 13, 2025

SimonMed: 1.2M Patients Affected in January Breach

🔒 SimonMed Imaging is notifying more than 1.2 million individuals that attackers accessed its network between January 21 and February 5, 2025. The company says hackers stole data, and the Medusa ransomware group claimed a 212 GB exfiltration and published proof files including ID scans, medical reports, payment details and raw scans. SimonMed reset passwords, implemented multifactor authentication, deployed EDR, removed vendor access, restricted traffic and notified law enforcement, and is offering affected people free Experian identity monitoring.


Mon, October 13, 2025

Massive Multi-Country Botnet Targets US RDP Services

🔍 Researchers at GreyNoise have identified a large-scale, multi-country botnet that began targeting Remote Desktop Protocol (RDP) services in the United States on October 8. The campaign uses over 100,000 IP addresses and employs two RDP-specific techniques: RD Web Access timing attacks to infer valid usernames and RDP Web Client login enumeration to observe differing server behaviors. Nearly all sources share a common TCP fingerprint, indicating coordinated clusters. Administrators should block attacking IPs, review RDP logs, and avoid exposing remote desktop services to the public internet—use VPNs and enable multi-factor authentication.


Mon, October 13, 2025

SonicWall SSLVPN Accounts Breached With Stolen Credentials

🛡️ Researchers report that threat actors have compromised more than a hundred SonicWall SSLVPN accounts in a large-scale campaign that began on October 4 and persisted through at least October 10. The attackers appear to be using valid, stolen credentials rather than brute-force methods, and many malicious requests originated from IP 202.155.8[.]73. After authenticating, actors conducted reconnaissance and attempted lateral movement to access numerous local Windows accounts; investigators recommend immediate secret rotation, strict access restrictions, and multi-factor authentication for all admin and remote accounts.


Mon, October 13, 2025

Spain Arrests Leader of GXC Team Phishing Operation

🚨 Spanish authorities have arrested a 25-year-old Brazilian national accused of leading the GXC Team, a Crime-as-a-Service operation that sold phishing kits, Android malware and AI-based tools to cybercriminals. The Guardia Civil detained the suspect known as "GoogleXcoder" after a year-long investigation and six coordinated raids across Spain. Investigators seized devices containing source code, client communications and cryptocurrency records, and identified six suspected accomplices. The probe, supported by Group-IB and Brazil's Federal Police, remains ongoing as authorities disable the group's online infrastructure.


Mon, October 13, 2025

Stealit Infostealer Campaign Deploys via Fake VPN Apps

🛡️ FortiGuard Labs has identified a campaign distributing the Stealit infostealer via disguised game and VPN installers shared on file‑hosting sites and platforms like Discord. Attackers use Node.js Single Executable Apps (SEA) and PyInstaller bundles, heavy obfuscation and multiple anti‑analysis techniques to avoid detection. Once executed, Stealit harvests data from browsers, game clients, messaging apps and cryptocurrency wallets, and its operators rotate C2 domains while marketing the toolkit commercially.


Mon, October 13, 2025

Aisuru IoT Botnet Cripples Major US ISPs at 29.6 Tbps

⚠️ Aisuru, an IoT botnet derived from Mirai, generated a nearly 29.6 Tbps DDoS surge on Oct. 8, 2025, briefly disrupting major US ISPs and online gaming platforms. Logs show most attack traffic originated from compromised home routers, IP cameras and DVRs on networks operated by AT&T, Comcast, Verizon, T‑Mobile and Charter. TCPShield reported over 15 Tbps of junk traffic, and researchers warn Aisuru now operates as both a DDoS engine and a residential proxy network.


Mon, October 13, 2025

Botnet Uses 100,000 IPs in Massive RDP Attack Wave

🛡️ GreyNoise researchers uncovered a massive RDP attack wave using more than 100,000 IP addresses across over 100 countries, which analysts link to a single large botnet targeting U.S. Remote Desktop infrastructure. The attackers used two enumeration techniques — an RD Web Access timing attack to infer valid usernames and an RDP Web Client login enumeration to guess credentials — enabling efficient compromise while reducing obvious alerts. GreyNoise published a dynamic blocklist template, microsoft-rdp-botnet-oct-25, and recommends that organizations review logs for unusual RDP access patterns and automatically block associated IPs at the network edge.


Mon, October 13, 2025

Harvard Probes Data Breach Linked to Oracle Zero-Day

🔒 Harvard University is investigating a data breach after the Clop ransomware gang listed the school on its data leak site and attributed the incident to a recently disclosed Oracle E-Business Suite zero-day (CVE-2025-61882). A Harvard IT spokesperson said the issue affected a limited number of parties within a small administrative unit and that a patch from Oracle was applied upon receipt. The university reports no evidence of broader compromise while it continues monitoring.


Mon, October 13, 2025

Researchers Warn RondoDox Botnet Expands Exploitation

🔍 Trend Micro warns that RondoDox botnet campaigns have significantly expanded their targeting, exploiting more than 50 vulnerabilities across over 30 vendors to compromise routers, DVR/NVR systems, CCTV devices, web servers and other networked infrastructure. First observed by Trend Micro on June 15, 2025 via exploitation of CVE-2023-1389, and first documented by Fortinet FortiGuard Labs in July 2025, the threat now leverages a loader-as-a-service model that co-packages RondoDox with Mirai/Morte payloads, accelerating automated, multivector intrusions. The campaign includes 56 tracked flaws—18 without CVEs—spanning major vendors and underscores urgent detection and remediation needs.


Mon, October 13, 2025

FBI and French Police Seize BreachForums Domain Again

🛡️ US and French authorities say they have seized at least one clearweb domain used by the cybercrime forum BreachForums, which has been acting as a leak site linked to recent Salesforce breaches. Screenshots of the site display logos for the FBI, DOJ, BL2C and JUNALCO, although the forum's .onion instance appears still accessible. Reports suggest breachforums[.]hn was disrupted while threat actors such as ShinyHunters claim backups and backend servers were compromised or destroyed. Experts warn the seizure may yield valuable historical data for investigations, but will not immediately stop ongoing extortion of victims.


Mon, October 13, 2025

Millions of Qantas Customers' Data Published Online

🔐 Around three months after an early-July cyberattack, hackers have published online data reportedly belonging to up to 5.7 million Qantas customers. The airline says the information was stolen via a third-party provider's platform and included names, emails, phone numbers, dates of birth and frequent flyer numbers, but not credit card, financial or passport data. Qantas obtained an Australian court injunction prohibiting use of the information; the data appeared on both the dark web and publicly accessible sites.


Mon, October 13, 2025

Astaroth Banking Trojan Uses GitHub to Stay Operational

🔒 Cybersecurity researchers warn of a recent campaign delivering the Astaroth banking trojan that leverages GitHub repositories to host hidden configurations and regain functionality after C2 takedowns. The attack, concentrated in Brazil and across Latin America, begins with a DocuSign-themed phishing message that drops an LNK file which executes obfuscated JavaScript, retrieves an AutoIt loader and ultimately injects a Delphi-based DLL. Astaroth monitors browser activity for banking and cryptocurrency sites, exfiltrates credentials via Ngrok, and employs steganography, anti-analysis checks, and persistent LNK-based startup execution to maintain stealth and resilience.


Mon, October 13, 2025

Rust-Based ChaosBot Backdoor Uses Discord for C2 Operations

🔒 eSentire disclosed a Rust-based backdoor named ChaosBot that leverages Discord channels for command-and-control, allowing operators to perform reconnaissance and execute arbitrary commands on compromised systems. The intrusion, first observed in late September 2025 at a financial services customer, began after attackers used compromised Cisco VPN credentials and an over-privileged Active Directory service account via WMI. Distribution included phishing LNK files that launch PowerShell and display a decoy PDF, while the payload sideloads a malicious DLL through Microsoft Edge to deploy an FRP reverse proxy. ChaosBot supports commands to run shells, capture screenshots, and transfer files, and newer variants employ ETW patching and VM detection to evade analysis.


Sun, October 12, 2025

Fake 'Inflation Refund' Texts Target New Yorkers in NY

🔔 A new smishing campaign impersonates the New York Department of Taxation and Finance, sending texts that urge recipients to submit payment information to process an 'Inflation Refund.' Links lead to a counterfeit site requesting name, address, phone, email and Social Security Number. New Yorkers are reminded the refund is automatic for eligible taxpayers and agencies will not text or call for payment details. Report suspicious messages to the Tax Department or IRS.


Sat, October 11, 2025

Spain Dismantles GXC Team Cybercrime Syndicate, Leader Held

🔒 Spain's Guardia Civil has dismantled the GXC Team cybercrime syndicate and arrested its alleged leader, a 25-year-old Brazilian known as GoogleXcoder. The group operated a crime-as-a-service platform on Telegram and a Russian-speaking forum, selling AI-driven phishing kits, Android malware that intercepted SMS/OTPs, and voice-scam tools. Authorities seized devices, source code and communication logs, and recovered stolen cryptocurrency. Nationwide raids on May 20 led to channel takedowns and the identification of additional suspects; the investigation remains ongoing.


Sat, October 11, 2025

Widespread SonicWall SSL VPN Compromise Hits 100+ Accounts

🔒 Huntress warns of a widespread compromise of SonicWall SSL VPN devices that allowed threat actors to rapidly authenticate into multiple accounts across customer environments. Activity began on October 4, 2025, impacting over 100 VPN accounts across 16 customers, with logins traced to IP 202.155.8[.]73. While some intrusions disconnected quickly, others involved network scanning and attempts to access local Windows accounts. Organizations are urged to reset firewall credentials, restrict WAN management, revoke exposed API keys, monitor logins, and enforce MFA.


Sat, October 11, 2025

Velociraptor Abused in LockBit Ransomware Campaign Wave

🔒 Threat actors are abusing Velociraptor, an open-source DFIR tool, to support ransomware operations attributed to Storm-2603. Attackers exploited on-premises SharePoint ToolShell flaws to deploy an outdated Velociraptor build (0.73.4.0) vulnerable to CVE-2025-6264, enabling privilege escalation and remote command execution. After lateral movement and creation of domain admin accounts, the group tampered with GPOs, disabled real‑time protection, and staged exfiltration before deploying Warlock, LockBit, and Babuk. Vendors caution that legitimate collection and orchestration capabilities can be repurposed by adversaries.
