< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

2998 articles · page 3 of 150

Avalon modular malware framework and CrownX ransomware

🛡️ Cybersecurity researchers uncovered a modular malware framework dubbed Avalon that uses a multi-stage phishing chain to bypass traditional defenses and deploy a ransomware component called CrownX. The campaign begins with a spoofed legal-document email pointing victims to a password-protected Proton Drive archive containing an ISO image. Interaction with a malicious Windows Shortcut inside the mounted image triggers an MSBuild-led loader that disables ETW, fetches additional payloads, and ultimately launches Avalon. The framework includes credential harvesting, crypto-wallet theft, lateral movement, data exfiltration, recovery disruption, anti-forensics, and disk tampering capabilities.
read more →

Massive Microsoft 365 password spray attack exposed

🔒 Microsoft users experienced a large-scale automated password spray campaign that targeted accounts indiscriminately, including clients of security firm Huntress. Huntress reported 81 million login attempts against its customers between June 12 and 26, with at least 78 successful compromises. Attack traffic originated from an IPv6 range tied to LSHIY LLC, which has since cut service to the offending customer. The attackers abused the OAuth ROPC flow to replay valid credentials, bypassing protections where MFA was not enforced for all cloud apps or all user groups.
read more →

ARToken PhaaS reveals EvilTokens Microsoft 365 toolkit

🛡️ Cisco Talos uncovered a React-based ARToken management panel exposing 80+ API endpoints and client-side code that reveals expanded phishing capabilities. The platform, tied to the EvilTokens ecosystem, automates Microsoft 365 account compromise by stealing authentication tokens, obtaining persistent Primary Refresh Tokens (PRTs), and accessing Outlook, SharePoint, and OneDrive. ARToken deploys Cloudflare Workers, supports multi-tenant affiliate operations, and includes tools for BEC automation and mailbox monitoring.
read more →

Armored Likho targets governments and utilities

🛡️ Kaspersky attributes a newly documented threat actor, Armored Likho, to espionage and financially motivated campaigns against government agencies and the electric power sector in Russia, Brazil, and Kazakhstan. The group's toolkit includes obfuscated Python stealers (BusySnake), modular RATs, Go2Tunnel for reverse SSH, and droppers delivered via spear-phishing or weaponized LNK files exploiting CVE-2025-9491. The malware emphasizes persistence, credential theft, and dynamic module delivery tailored to victims.
read more →

Qilin Emerges as Dominant Ransomware Operation

🛡️ Check Point and Sophos research shows Qilin has consolidated a large share of the ransomware market after disruption of rival groups. Active since 2022, Qilin lists the most victims and attracts affiliates with high payouts, mature infrastructure and AI-enabled tools. Rival groups like The Gentlemen have resurged, while increased prominence raises the likelihood of law enforcement action.
read more →

Industrialized ransomware through criminal collaboration

🔐 Sophos reports a new collaboration between the Vect ransomware group and TeamPCP, a supply-chain credential theft gang linked to The Com collective. The partnership combines TeamPCP’s large-scale credential harvesting from developer toolchains with Vect’s ransomware-as-a-service operations, raising the risk that compromised accounts could be escalated into ransomware incidents. Sophos and the FBI have both issued warnings and detailed associated malware and tactics, urging organizations to harden developer and supply-chain security.
read more →

FBI and Google Disrupt Major NetNut Proxy Network

🛡️ In a coordinated international action, the FBI and Google's Threat Intelligence Group disrupted NetNut, a large commercial residential proxy network built on the Popa botnet. The operation targeted infrastructure, seized domains and worked with partners like Lumen and the IRS to degrade the service. Google disabled accounts, updated Play Protect and removed compromised apps to reduce the pool of infected devices by millions. The takedown exposed ties between the botnet and reseller programs and prompted debate after some NetNut domains remained temporarily active.
read more →

PamStealer macOS stealer uses fake Maccy sites

🛡️ Cybersecurity researchers have identified PamStealer, a macOS information stealer distributed as a compiled AppleScript masquerading as the open-source clipboard manager Maccy. The dropper fetches a Rust-based Mach-O stealer that harvests browsers, wallet extensions, iCloud Keychain, and clipboard data, then exfiltrates it to attacker infrastructure. The malware also coerces victims into entering their system password and validates it via PAM before capturing it.
read more →

Google Disrupts NetNut Residential Proxy Network

🛡️ Google says its Threat Intelligence Group, working with FBI and industry partners, has degraded NetNut (aka Popa), a large residential proxy network that turns home devices into rented relays. GTIG estimates NetNut controlled at least 2 million devices, including smart TVs and streaming boxes, which can be used to route criminals' traffic through private home connections. NetNut is linked to publicly traded Alarum Technologies, which denies wrongdoing and says its software provides consented bandwidth sharing. Researchers found many apps did not show consent prompts, and Google warns the network is resilient through reseller arrangements and may reappear under different brands.
read more →

Yarbo robot mower backdoor exposes devices

🛠️ Independent researcher Andreas Makris discovered a universal hardcoded root password and permanent remote-access mechanism in Yarbo robotic mowers that allowed him to control thousands of units remotely. He demonstrated the flaw by hijacking a mower in the U.S. from Germany, showing how attackers could steer the machine, access cameras, and extract owner data. Yarbo has issued updates and plans to make remote access opt-in, but owners should install patches and follow basic IoT security hygiene.
read more →

Researcher Publishes Mass Open-Source Exploit Dump

🔍 A pseudonymous researcher published an 'Exploitarium' GitHub repository containing over 30 proof-of-concept exploits for zero-day vulnerabilities in many open-source projects without prior vendor notification. The dump, shared from June 27 onwards, targets projects like libssh2, FFmpeg, 7-Zip, Gitea, PHP and others, and the author claims AI-assisted fuzzing using OpenAI models. The release bypassed coordinated vulnerability disclosure, drew debate across the security community, and has led to some CVEs and patches, while others remain under review.
read more →

Phishing campaign impersonates Interpol to spread ransomware

🛡️ Cybercriminals are impersonating Interpol in a phishing campaign aimed at small businesses across Europe, Asia, the Middle East and North America. The emails claim to be from the 'Cybercrime Investigation Unit' and urge recipients to open a password-protected Proton Drive file supposedly containing evidence. The file leads to an executable disguised as a video that deploys ransomware and instructs victims to contact attackers via Tox rather than listing a ransom.
read more →

Alleged Scattered Spider member extradited to U.S.

🔎 A 19-year-old dual US-Estonian citizen, Peter Stokes, was extradited from Finland to the United States to face charges alleging membership in the Scattered Spider hacking collective. He is accused of participating in multiple intrusions and extortion schemes, including a March 2023 breach and a May 2025 attack on a multibillion-dollar retailer that led to over $2 million in losses. Stokes faces charges of fraud, conspiracy, and computer intrusion and has appeared in federal court in Chicago.
read more →

Teen Allegedly Linked to Scattered Spider Extradited

📰 The US Justice Department announced the arrest and extradition of 19-year-old dual US-Estonian citizen Peter Stokes from Finland in April, with charges unsealed on June 30. He faces conspiracy, computer intrusion and fraud counts tied to alleged membership in the Scattered Spider hacking group. Authorities say the group conducted over 100 intrusions, netting $100m+ in ransoms and causing millions in damages. Stokes is accused of targeting a luxury jeweller and attempting an $8m extortion that resulted in $2m+ losses for the firm.
read more →

FortiBleed ties stolen Fortinet credentials to ransomware

🛡️ SOCRadar links the FortiBleed credential-theft campaign to the INC and Lynx ransomware operations after finding a Windows server used by FortiBleed that contained access to ransomware negotiation panels. Investigators discovered FortiGate configuration files, harvested credentials, and a custom "FortiGate Sniffer" tool that intercepted VPN and authentication data. The operation targeted hundreds of thousands of devices and deployed sniffers on thousands, with ongoing investigation into additional servers, a suspected Nextcloud zero-day, and overlapping victim data.
read more →

Kubota reports month-long network intrusion affecting employees

🔒 Kubota North America disclosed that a threat actor accessed parts of its network from March 16 to April 20, exposing personal data for employees and dependents. The company says exposed information may include names, Social Security numbers, dates of birth, tax IDs, driver’s license numbers, bank account and corporate card details, and limited benefits claims. Notifications were sent starting June 30 with instructions to enroll in Kroll identity protection and guidance to monitor accounts; Kubota has enacted additional security measures and has not reported business disruptions.
read more →

Ousaban banking trojan targets Spain and Portugal

🛡️ Fortinet's FortiGuard Labs uncovered a May 2026 campaign deploying the Brazilian banking trojan Ousaban against Windows users who bank in Spain and Portugal. The attack begins with a deceptive PDF that either prompts victims to click an "Atualizar" button or auto-opens a malicious page; successful targets download a steganographic image that conceals a ZIP containing the malware. Ousaban monitors browser activity for over two dozen Iberian banks and can capture keystrokes, screenshots, tamper with the clipboard, display fake messages, and grant remote control to attackers.
read more →

Aflac Japan Confirms Major Customer Data Breach

🛡️ Aflac Japan disclosed a data breach after an unauthorized third party accessed systems between June 15 and June 25. The company reported that impacted files may include policy and coverage details, personal data, and bank account information, and said US systems were not affected. Some customer services were taken offline while calls and other channels continue to support claims. Authorities have been notified and no misuse has yet been confirmed.
read more →

Scammers Exploit Venezuela Earthquake Registrations

🧭Researchers uncovered 212 domains registered within five days of the Venezuela earthquake, many claiming to offer aid, donations, or rescue services. While some registrations may be legitimate, 93% hid registrant contact details and several solicit Bitcoin with no verifiable accountability. The pattern mirrors past disaster-driven scams; donors are advised to use known charity sites and avoid new or crypto-only donation pages.
read more →

Silent Swap clipper exploits browser extensions

🛡️ McAfee Labs uncovered an active campaign, dubbed Silent Swap, that deploys malicious Chromium extensions masquerading as a 'Google Notes' utility to intercept and replace cryptocurrency wallet addresses copied to the clipboard. The installers, observed in .NET and Golang variants, inject the extension into Chromium-based browsers by modifying protected preferences and recalculating security hashes to bypass store installation. The threat uses an EtherHiding technique to resolve C2 domains via the blockchain and performs dynamic, server-side wallet mappings to redirect funds to attacker-controlled addresses. Telemetry shows global infections, with higher concentration in India.
read more →