All news in category "Incidents and Data Breaches"

Chaos Ransomware Evolves: Faster, Smarter, More Destructive

⚠️ Chaos-C++ is a resurfaced C++ ransomware strain identified in 2025 that combines fast AES encryption, deliberate deletion of very large files, and a clipboard-hijacking capability to steal cryptocurrency payments. It employs a stealthy downloader that masquerades as a system optimizer, uses Windows CryptoAPI where available and a weaker XOR fallback otherwise, and appends a .chaos extension to affected files. Victims also see destructive post-infection commands that remove shadow copies and hinder recovery, and ForsGuard detections are available for protection.

Nezha Agent Linked to New Web Application Compromises

🔍 Huntress analysts uncovered a sophisticated campaign beginning in August 2025 that used log poisoning to plant a PHP web shell and then manage compromised servers via AntSword. The operators downloaded a file named 'live.exe' — identified as the open-source Nezha agent — which connected to a command server at c.mid[.]al and enabled remote tasking. Nezha was used to execute PowerShell commands to disable Windows Defender and to deploy 'x.exe', a Ghost RAT variant that persisted as 'SQLlite'. More than 100 systems, primarily in Taiwan, Japan, South Korea and Hong Kong, were observed communicating with the attackers' dashboard.

Threat actors repurpose open-source monitor as beacon

⚠️ Attackers linked to China turned a benign open-source network monitoring agent into a remote access beacon using log poisoning and a tiny web shell. Huntress says they installed the legitimate Nezha RMM via a poisoned phpMyAdmin log and then deployed Ghost RAT for deeper persistence. The intrusion affected more than 100 hosts across Taiwan, Japan, South Korea, and Hong Kong and was contained in August 2025.

LockBit, Qilin and DragonForce Form Ransomware Alliance

🔒 Three major ransomware groups — LockBit, Qilin, and DragonForce — have announced a strategic alliance aimed at sharing techniques, infrastructure, affiliates, and operational resources to amplify extortion campaigns worldwide. The announcement follows LockBit's resurgence and the unveiling of LockBit 5.0, which is advertised to target Windows, Linux, and ESXi systems. Security firms warn the partnership could rebuild affiliate trust, increase attacks on critical infrastructure and diversify threats across multiple industry sectors.

JLR Cyber-Attack Drives 25% Decline in Q2 Volume Sales

🔒 Jaguar Land Rover has reported a 25% drop in volume sales in the three months to 30 September after a cyber incident severely disrupted production and sales. Wholesales in Q2 FY2026 were 66,165 units, down 24.2% year-on-year, while retail sales fell 17.1%. The company began a controlled, phased restart of UK manufacturing from 8 October and launched a supplier financing scheme to ease cashflow during the restart.

Bybit Heist Drives Record $2bn North Korean Crypto Haul

💰 North Korea-linked hackers have stolen more than $2 billion in cryptocurrency so far in 2025, according to blockchain analysis firm Elliptic. The total is the highest annual haul on record and is driven largely by a February $1.46bn theft from exchange Bybit. Elliptic attributes over 30 separate hacks this year and warns attackers are increasingly using social engineering and sophisticated laundering to hide proceeds.

Met Police Arrest Two Teens Over Nursery Ransomware

🔒 Two teenage boys were arrested in Bishop's Stortford on suspicion of computer misuse and blackmail following a ransomware attack on the Kido nursery group, the Metropolitan Police said. Referred to the Met by Action Fraud on 25 September, investigators allege attackers demanded £600,000 in Bitcoin after stealing names, addresses, contact details and photos of around 8,000 children via a Famly account. The group, which called itself "Radiant," reportedly contacted parents directly and posted some images on the dark web before blurring and later claiming deletion; the app provider says its infrastructure was not breached. The Met described the arrests as a significant step while inquiries continue alongside partner agencies.

Salesforce Refuses Ransom After Massive Data Theft

🔒 Salesforce confirmed it will not engage with or pay extortion demands after a large-scale theft of customer data this year. Threat actors calling themselves Scattered Lapsus$ Hunters published a data-leak site to extort 39 companies, claiming nearly one billion records stolen. The breaches stemmed from two campaigns: late-2024 social engineering using malicious OAuth apps and an August 2025 campaign abusing stolen SalesLoft/Drift tokens to exfiltrate CRM and support-ticket data. The leak site appears to have been shut down and its domain redirected to nameservers previously associated with law enforcement seizures.

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.

DraftKings Alerts Customers to Credential Stuffing Breach

🔒 DraftKings has notified customers that attackers accessed some accounts in a wave of credential stuffing attacks. The company says the threat actors used credentials stolen from non‑DraftKings sources to log in and may have viewed limited profile and account data — including name, address, date of birth, email, phone, the last four digits of a payment card, profile photo, transaction history, account balance, and the date the password was last changed. DraftKings said no full financial account numbers or government‑issued identification numbers were accessed. Affected users will be required to reset passwords and are being urged to enable multifactor authentication and monitor their financial and credit records.

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.

Qilin Claims Responsibility for Asahi Cyber Attack

🔒 The Qilin ransomware group has claimed responsibility for a cyber-attack on Japan's Asahi Group, asserting it exfiltrated about 27 GB of files containing employee personal data and sensitive business documents. Consumer site Comparitech listed the data on Qilin's leak site on October 7, and Asahi has confirmed an earlier ransomware incident involving an 'unauthorized transfer of data'. The breach disrupted order, shipment and call-centre operations as the brewer implemented manual processes while investigating.

BatShadow Deploys Go-Based Vampire Bot Against Job Seekers

🔎 A Vietnam-linked group tracked as BatShadow is running a social-engineering campaign that lures job seekers and digital marketing professionals with faux job descriptions to deliver a previously undocumented Go-based malware, Vampire Bot. Attackers distribute ZIP archives containing decoy PDFs alongside malicious LNK or executable files that launch an embedded PowerShell script to fetch lure documents and remote-access tooling such as XtraViewer. The lure coerces victims into opening links in Microsoft Edge, triggering an automatic ZIP download that contains a deceptive executable padded to appear as a PDF; once executed, the Go binary profiles the host, exfiltrates data, captures screenshots, and maintains contact with a command-and-control server.

North Korean Hackers Stole Over $2 Billion in Crypto 2025

🔒 North Korean-linked hackers stole an estimated $2 billion in cryptocurrency in 2025, the largest annual total on record and lifting confirmed thefts to over $6 billion. Blockchain firm Elliptic attributes much of the total to the February Bybit breach (~$1.46 billion) and linked 30 crypto-heists to North Korean actors using blockchain analysis and intelligence. Analysts note a shift to social engineering targeting individuals and exchange staff and increasingly complex laundering—mixers, cross-chain transfers, obscure chains and custom tokens—though blockchain transparency still aids tracing.

Avnet Confirms Breach; Stolen EMEA Sales Data Unreadable

🔒 Avnet confirmed unauthorized access to externally hosted cloud storage that supported an internal sales tool used in the EMEA region. The company says most stolen files are not easily readable without access to Avnet's proprietary sales tool, which it says was not impacted, while attackers claim they exfiltrated 1.3TB of compressed (7–12TB raw) data. Avnet detected the activity on September 26, rotated secrets across Azure/Databricks, notified authorities, and will contact affected customers and suppliers; the number of potentially impacted individuals remains unknown.

Qilin Ransomware Disrupts Mecklenburg County Schools

🔒 A Russian-linked ransomware group, Qilin, has claimed responsibility for a September 2, 2025 attack that disrupted Mecklenburg County Public Schools and said it exfiltrated 305 GB of data, including financial records, grant documents, budgets and children’s medical files. The attack forced teachers offline for about a week while internet systems were restored. Superintendent Scott Worner said the district does not currently intend to pay the ransom and is still assessing the scope, urging other districts to review cyber-insurance and preparedness.

Phishers Exploit 1Password Watchtower to Steal Vaults

🔒 Malwarebytes has flagged a phishing campaign that impersonated 1Password’s Watchtower breach alerts, nearly tricking an employee into surrendering their vault credentials. The message used authentic branding, familiar phrasing and urgency cues, and embedded legitimate-seeming support links before redirecting victims via Mandrill to a typosquatted credential‑stealing page. By Oct. 2 multiple vendors had marked the site as phishing and Mandrill blocked the redirect, but earlier clicks may already have exposed entire vaults.

Citizen Lab: AI-Enabled Influence Operation Targets Iran

🔎Citizen Lab reports a coordinated AI-enabled influence operation, dubbed PRISONBREAK, that used more than 50 inauthentic X profiles to push narratives aimed at inciting revolt within Iran. Created in 2023, the network became active mainly from January 2025 and produced bursts of activity synchronized with IDF operations in June 2025. Citizen Lab notes limited organic engagement, though some posts reached tens of thousands of views, and assesses the most consistent attribution is to an Israeli government agency or a closely supervised subcontractor.

Citizen Lab: AI Influence Operation Against Iran Exposed

🛡️ Citizen Lab has identified a coordinated network of more than 50 inauthentic accounts on X, labeled PRISONBREAK, conducting an AI-enabled influence operation aimed at provoking Iranian audiences to revolt against the Islamic Republic. The network was created in 2023, with most observable activity beginning in January 2025 and intensifying around June 2025, partially synchronized with Israeli military actions. Organic engagement was limited overall, though some posts achieved tens of thousands of views after seeding to large public communities and likely paid promotion. After reviewing alternatives, Citizen Lab assesses the most consistent hypothesis is direct involvement by an unidentified Israeli government agency or a closely supervised subcontractor.

Discord Confirms Customer Data Breach via Third-Party

🔒 Discord has disclosed a data breach after a third-party customer support provider was compromised, allowing a ransomware actor to access limited customer information. Potentially exposed data includes names, Discord usernames, contact details, last four digits of payment cards, IP addresses, messages with support agents and a small number of government ID images submitted for age appeals. Discord says no passwords, full card numbers or CVVs were accessed and is contacting affected users and authorities.