CISO Brief

All news in category "Incidents and Data Breaches"

2731 articles · page 33 of 137

Perseus Android Banking Malware Targets Europe and Mideast

🔒 ThreatFabric researchers disclosed a new Android banking malware family named Perseus that enables device takeover and financial fraud through dropper apps promoted on phishing and IPTV sideloading sites. Built on code from Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor, interact with, and fully control infected devices. It targets users across Turkey, Italy and other European and Middle Eastern markets, and adds note‑scanning to harvest high-value personal data. Operators can issue remote commands, stream screens, run HVNC sessions, and authorize fraudulent transactions via a command-and-control panel.

Perseus Android Malware Harvests Secrets from Notes

🔐 Researchers at ThreatFabric have discovered a new Android malware family called Perseus that scans user note-taking apps to steal passwords, recovery phrases, and financial data. Distributed via sideloaded IPTV-themed apps, Perseus abuses Accessibility Services to gain full remote control, capture screenshots, and deploy overlays and keyloggers. The threat uses a dropper capable of bypassing Android 13+ sideloading restrictions and performs extensive anti-analysis checks before exfiltration. Users are advised to avoid sideloading APKs, keep Play Protect enabled, and install apps only from the Google Play Store.

IndonesianFoods: Large-scale npm spam campaign analysis

🚨 In mid-November security researcher Paul McCarty flagged a vast spam campaign in the npm registry that injected tens of thousands of useless modules named after Indonesian dishes. The packages — about 86,000 at discovery — often appeared legitimate, used chains of dependencies, and some contained self-replication to publish more modules and even tied into the TEA blockchain to harvest tokens. The campaign created dependency bloat, reputational risk, and the potential for future supply-chain abuse; Kaspersky recommends developer awareness training and container/dependency scanning with tools such as KASAP and specialized runtime protection.

Smashing Security 459: Near-Miss WordPress Account Takeover

🔐 In Episode 459 Graham Cluley and Paul Ducklin dissect a near-miss account takeover aimed at WordPress co-founder Matt Mullenweg that combined MFA prompt fatigue, authentic Apple alerts, a convincing support call and a phishing page. They draw practical lessons on resisting MFA prompt fatigue and social-engineering support scams. The episode also explores UK Biobank re-identification risks and the ethics of sharing lifetime medical data.

Aura Confirms Data Breach Exposing 900,000 Contacts

🔒 Aura confirmed an unauthorized party accessed nearly 900,000 records containing names and email addresses after a voice‑phishing attack targeted an employee. The company says the data came from an inherited marketing tool tied to a 2021 acquisition and affected roughly 20,000 current and 15,000 former customers, while noting Social Security numbers, account passwords, and financial data were not exposed. Have I Been Pwned added the leak to its database and observed customer service comments and IP addresses among the files. Aura is conducting an internal review with external experts, has notified law enforcement, and plans to send personalized notifications to affected individuals.

Interlock Exploited Cisco FMC Zero-Day Since January

🔒 The Interlock ransomware gang exploited a maximum-severity remote code execution flaw in Cisco Secure Firewall Management Center as a zero-day beginning January 26, 2026. Cisco released a patch for CVE-2026-20131 on March 4, warning it allowed unauthenticated attackers to execute arbitrary Java code as root on unpatched devices. Amazon's threat team reported Interlock had been exploiting the vulnerability for 36 days prior to public disclosure.

Interlock Ransomware Exploits Cisco FMC Zero-Day Campaign

⚠️ Amazon Threat Intelligence warns of an active Interlock ransomware campaign exploiting a critical Cisco Secure Firewall Management Center vulnerability tracked as CVE-2026-20131 (CVSS 10.0). The flaw enables insecure deserialization of a user-supplied Java byte stream, allowing unauthenticated remote code execution as root. Amazon telemetry shows zero-day exploitation since January 26, 2026, and the actor's toolkit includes multi-platform backdoors, reconnaissance scripts, and infrastructure-laundering components.

Marquis Data Theft: 672,075 Records Exposed in 2025

🔒 Marquis, a Texas-based financial services provider, says a ransomware gang stole data for 672,075 people after compromising a SonicWall firewall on August 14, 2025. The attackers exfiltrated names, dates of birth, addresses, phone numbers, Social Security and Taxpayer Identification numbers, and financial account details without security codes. The breach disrupted operations at 74 banks and has prompted lawsuits and numerous consumer class actions.

ShieldGuard crypto browser extension scam dismantled

🔒 Researchers have dismantled the ShieldGuard crypto scam after Okta Threat Intelligence flagged the malicious browser extension in an advisory on March 17. Marketed as a wallet security tool with social promotion and token "airdrop" incentives, the extension instead harvested wallet addresses, scraped full HTML content after logins and tracked users across sessions. It used obfuscation and a custom JavaScript interpreter to evade Chrome protections and supported remote command-and-control execution. Partners removed the extension from the Chrome Web Store, disabled backend infrastructure, took down domains and blocked sign-in functionality; users are advised to limit plugins, verify sources and treat free-token offers with caution.

Darksword iOS Exploit Used in Wide Infostealer Attacks

🔒 Darksword is a newly discovered iOS exploit kit targeting iPhones running iOS 18.4–18.6.2 and used to harvest credentials, photos, messages, and cryptocurrency wallet data. Researchers from Lookout, Google Threat Intelligence Group, and iVerify linked the framework to the actor behind the Coruna chain and say Apple has patched the exploited flaws. Victims should update to iOS 26.3.1 and consider enabling Lockdown Mode if at high risk.

DarkSword: Full-Chain iOS Exploit Targeting iOS 18.4–18.7

🔒 Google Threat Intelligence Group (GTIG) disclosed a JavaScript full-chain iOS exploit named 'DarkSword,' observed since November 2025, that chains six vulnerabilities to fully compromise devices running iOS 18.4–18.7. Multiple operators — including commercial vendor PARS Defense and suspected state actors (UNC6748, UNC6353) — used DarkSword to deploy implants GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Apple has issued patches (culminating in iOS 26.3); GTIG recommends updating immediately or enabling Lockdown Mode if updates are not possible.

Nordstrom Email System Used to Send Cryptocurrency Scams

📧 Customers of upscale retailer Nordstrom received fraudulent emails sent from a legitimate nordstrom@eml.nordstrom.com address that promoted a cryptocurrency doubling scheme disguised as a St Patrick's Day promotion. The messages used official-looking images and branding and pressured recipients with a two-hour deadline. A source told BleepingComputer the incident likely involved an Okta SSO compromise leading to abuse of Salesforce Experience Cloud. Nordstrom warned the messages were unauthorized and advised customers not to send funds.

ClickFix Campaign Distributes New In-Memory Infostealers

🛡️ Rapid7 and Microsoft researchers have documented a ClickFix operation that compromised over 250 WordPress sites to distribute fileless infostealers using counterfeit Cloudflare CAPTCHA prompts. The injected JavaScript hides from administrators and coerces visitors into pasting obfuscated commands that launch an in-memory DoubleDonut loader, which injects payloads into legitimate Windows processes. Observed payloads include a new Vidar variant and two previously undocumented stealers—Impure Stealer (.NET) and VodkaStealer (C++)—both using advanced encoding, encryption and sandbox-detection checks. Site owners are urged to restrict public admin access, tighten credentials and apply the published IOCs and YARA rules.

GlassWorm Compromise Hits 400+ Repos Across Platforms

🪲 The GlassWorm supply‑chain campaign has resurfaced, compromising 433 packages, repositories, and extensions across GitHub, npm, and VSCode/OpenVSX. Researchers from Aikido, Socket, Step Security and the OpenSourceMalware community link the activity to a single actor using the same Solana address, identical payloads, and shared infrastructure. Malicious commits employ invisible Unicode to hide obfuscated JavaScript that polls the Solana blockchain for memos and downloads a Node.js runtime to execute an information stealer; developers should search for the marker lzcdrtfxyqiplpd and inspect for persistence artefacts.

Android OS-Level Exploit Hijacks Mobile Payment Security

🔒 CloudSEK researchers have identified an Android OS-level attack that manipulates the runtime via LSPosed modules to hijack legitimate payment apps without modifying APKs or invalidating app signatures. The campaign, associated with a module dubbed Digital Lutera, intercepts SMS, spoofs device identities, and captures 2FA in real time, effectively bypassing protections like Google Play Protect and persistent integrity checks. Reinstalling apps does not remove the malicious hooks, making detection and remediation difficult.

LeakNet Adopts ClickFix and Deno In-Memory Loader Technique

🔒 LeakNet has begun using ClickFix on compromised websites to trick users into running malicious msiexec commands, according to ReliaQuest. The group pairs this social-engineering tactic with a staged, Deno-based in-memory loader that executes Base64-encoded JavaScript and pulls additional stages directly into memory, minimizing on-disk evidence. Post-compromise behavior is consistent and repeatable, with DLL side-loading, lateral movement via PsExec, S3-backed exfiltration, system fingerprinting (including cmd.exe klist), and eventual ransomware deployment. ReliaQuest warns the approach reduces reliance on brokers, broadens access vectors, and is being seen across varied threat activity.

Eon Reports Tenfold Increase in Cyberattacks on Grid

⚡ Eon reports a sharp rise in cyberattacks on its power distribution networks, now seeing several hundred daily probes—a tenfold increase compared with five years ago, board member Thomas König said. The company highlights the security challenges of an increasingly digitized grid. Eon engages external providers to run attack simulations and strengthen defences while operating about one third of Germany's distribution network.

LeakNet Uses Deno Runtime and ClickFix for Stealthy Attacks

🔒 LeakNet has adopted the social-engineering ClickFix lure to gain initial access and now deploys a loader that leverages the legitimate Deno runtime to decode and execute JavaScript in memory. By running signed Deno binaries, operators minimize disk artifacts and evade blocklists, often initiating activity via VBS and PowerShell scripts named like Romeo*.ps1 and Juliet*.vbs. Post-compromise actions include DLL sideloading, PsExec lateral movement, credential discovery, C2 beaconing, and data exfiltration to abused Amazon S3 buckets, offering clear detection opportunities for defenders.

South Korean Agency Exposes Crypto Wallet Recovery Phrase

🔐 The South Korean National Tax Service inadvertently published the mnemonic recovery phrase for a seized Ledger cold wallet when releasing photos from raids on high‑value tax evaders. The unredacted handwritten note allowed anyone to restore the wallet and transfer assets, and within hours 4 million Pre‑Retogeum (PRTG) tokens—about $4.8 million at the time—were moved out. The incident highlights operational security failures in handling digital evidence and the critical importance of redaction and custody procedures.

Konni Deploys EndRAT via KakaoTalk Spear-Phishing Campaign

⚠️ South Korean firm Genians links a multi-stage intrusion to the North Korean-affiliated Konni group, which used spear-phishing ZIP attachments containing malicious .LNK shortcuts to deploy an AutoIt remote-access trojan, EndRAT. The shortcut fetches a next-stage payload, establishes persistence via scheduled tasks, and displays a PDF decoy while the malware stealthily exfiltrates documents. Investigators found additional AutoIt artifacts for RftRAT and RemcosRAT, and the attacker abused the victim's KakaoTalk desktop to send infected ZIP files to selected contacts, turning compromised systems into propagation hubs.