
All news in category "Incidents and Data Breaches"

2729 articles · page 36 of 137

Podcast: JavaScript Worm Wakes and $46M Crypto Theft

🐛 A dormant self‑propagating JavaScript worm that hadn't been active since 2024 was accidentally reawakened by a Wikipedia security engineer, briefly vandalising pages with giant woodpecker images. In a separate case, a contractor entrusted with US Marshals' seized cryptocurrency is accused of stealing about $46 million and allegedly boasted on a recorded Telegram call. Host Graham Cluley and guest Tricia Howard discuss these incidents alongside wider cybercrime takedowns and industry security lessons.

Resumes with Malicious ISO Attachments Target HR Teams

📄 Researchers at Aryaka report a campaign distributing malicious resumés with ISO attachments to HR teams. When mounted, an included .lnk executes obfuscated PowerShell that extracts payloads from steganographic images and sideloads a DLL via a signed app. The malware includes a module called BlackSanta and leverages a BYOVD technique to disable EDR. Organizations should restrict resume formats and harden HR processes.

Stryker Offline After Wiper Malware Hits Global Systems

🏥 Leading medical technology company Stryker is experiencing a severe, global outage after a wiper malware attack claimed by Handala, an Iran-linked hacktivist group. The attackers say they stole 50 TB of data and remotely wiped over 200,000 systems, servers, and mobile devices, forcing shutdowns across 79 countries. Employees report managed Windows and mobile devices were reset, internal services were disrupted, and some sites reverted to pen-and-paper workflows while Stryker works with Microsoft to restore systems.

PhantomRaven npm Campaign Steals Developer Data via 88 pkgs

🔒 Endor Labs identified a new PhantomRaven npm campaign wave that published 88 malicious packages across 50 disposable accounts, many using slopsquatting to mimic popular projects and names suggested by LLMs. The packages use Remote Dynamic Dependencies in package.json so malware is fetched from attacker-hosted URLs at install time, exfiltrating .gitconfig, .npmrc, environment variables and CI/CD tokens to C2 servers. Researchers note consistent EC2-hosted 'artifact' domains without TLS, an almost unchanged payload across waves, and 81 packages still available; developers should verify publishers and avoid unvetted AI suggestions.

Iran-linked Hackers Claim Wiper Attack on Medtech Firm

🛡️ A hacktivist group with reported ties to Iran's intelligence services has claimed responsibility for a large-scale data-wiping incident against Stryker, a global medical technology company. The group, known as Handala, said it erased data from more than 200,000 systems and forced shutdowns across 79 countries while Stryker sent thousands of staff in Ireland home and reported a building emergency at its U.S. headquarters. Reporting and internal sources indicate attackers may have used Microsoft Intune to issue remote wipe commands; some employee devices were reportedly wiped and defaced.

WordPress sites abused to deliver ClickFix infostealers

🔒 Rapid7 has identified a widespread campaign that compromises legitimate WordPress websites to infect visitors with infostealer malware. Attackers display a convincing fake Cloudflare CAPTCHA and use the ClickFix social‑engineering trick to prompt victims to paste commands into Windows Run, initiating staged downloads. Observed payloads include Vidar, Impure, Vodka and Double Donut. Site administrators are urged to update components, enable MFA, use strong passwords and avoid executing untrusted code on credential-bearing devices.

BlackSanta EDR-Killer Targets HR and Recruitment Teams

🔍 Aryaka Threat Research Lab has identified a campaign that distributes resume-like attachments to target HR and recruiting staff, deploying a component named BlackSanta that attempts to disable endpoint detection and response. The multi-stage infection chain performs system reconnaissance, sandbox and VM checks, and geographic and language filtering before downloading further payloads. Attackers appear Russian-speaking and leverage routine hiring workflows to increase success, while encrypted communications and data exfiltration help maintain persistence.

Meta Disables 150K Accounts Tied to SE Asia Scam Rings

🚨 Meta on Wednesday said it disabled over 150,000 accounts linked to scam centers in Southeast Asia as part of a coordinated, multinational enforcement effort with authorities across Asia, Europe, North America and Oceania. The action follows a December 2025 pilot that removed 59,000 accounts, Pages and Groups and led to six arrest warrants. Meta also announced new protections: suspicious-account warnings on Facebook, WhatsApp device-link alerts for QR-based scams, expanded AI-assisted scam detection on Messenger, and plans to broaden advertiser verification.

Overly Permissive Guest Settings Threaten Salesforce Data

⚠️ Salesforce is urging customers to review Experience Cloud guest configurations after a reported campaign tied to the cybercrime group ShinyHunters that claims breaches of hundreds of organizations. Attackers are exploiting overly permissive guest user settings and a modified version of the open-source Aura Inspector to scan the /s/sfsites/aura endpoint and extract data. Salesforce recommends auditing guest profiles, disabling public API access for guest users, restricting object visibility, and enforcing least-privilege.

UNC6426 Uses nx npm Supply-Chain to Gain AWS Admin Rights

🔐 Google reports that UNC6426 leveraged keys stolen in the August 2025 compromise of the nx npm package to fully breach a customer's cloud environment in under 72 hours. A trojanized postinstall executed a credential stealer named QUIETVAULT, which harvested a developer's GitHub token and other secrets. The actor abused GitHub-to-AWS OIDC trust to create an Administrator role, exfiltrated S3 data, and performed destructive actions including making internal repos public.

Malicious Rust Crates and AI Bot Steal Developer Secrets

🛡️ Cybersecurity researchers uncovered five malicious Rust crates on crates.io that posed as time utilities while exfiltrating .env files to attacker infrastructure. The packages—chrono_anchor, dnp3times, time_calibrator, time_calibrators, and time-sync—were published in late February and early March 2026 and used a lookalike domain to collect secrets. Affected users should assume possible compromise: rotate keys, audit CI workflows, and limit outbound access from build systems.

BlackSanta EDR Killer Targets HR Departments Globally

🛡️ Researchers at Aryaka uncovered a Russian-speaking threat actor using targeted spear-phishing emails that delivered ISO attachments masquerading as resumes to deploy a new EDR-killing module named BlackSanta. The multi-stage infection leverages a malicious .LNK to launch a PowerShell script that extracts hidden code via steganography and runs payloads in memory. The chain also uses DLL sideloading with a legitimate SumatraPDF executable and a malicious DWrite.dll, and performs extensive fingerprinting and environment checks to evade sandboxes. BlackSanta disables and terminates security tooling, adjusts Microsoft Defender settings and suppresses notifications to minimize user alerts.

BeatBanker Masquerades as Starlink App to Hijack Devices

🛡️ Kaspersky researchers have uncovered BeatBanker, an Android malware campaign that lures victims with fake Starlink app pages and sideloaded APKs. The threat blends banking-trojan capabilities with a modified XMRig Monero miner and, in recent variants, deploys the BTMOB RAT for full device takeover. BeatBanker uses in-memory DEX loading, environment checks, a faux Play Store update prompt, and a near‑inaudible MP3-based persistence mechanism to evade detection.

FortiGate Firewall Exploits Lead to Service Account Theft

🔒 Security researchers warn of a campaign abusing FortiGate Next-Generation Firewall appliances to extract service account credentials and network configuration files. Attackers exploited disclosed vulnerabilities (for example, CVE-2025-59718, CVE-2025-59719, CVE-2026-24858) or weak credentials to create persistent admin accounts and loosen firewall policies. Compromised service accounts were used to authenticate to Active Directory, enroll rogue workstations, and enable lateral movement prior to detection.

KadNap Botnet Hijacks Edge Routers Using DHT P2P Network

🛡️ Cybersecurity researchers at Black Lotus Labs have identified a novel malware family, KadNap, that has infected over 14,000 edge devices — primarily Asus routers — since first observed in August 2025. KadNap uses a custom Kademlia-based DHT to conceal its control infrastructure and build a resilient peer-to-peer botnet. Infected devices are being offered as resident proxies by a service named Doppelgänger, complicating attribution and abuse tracking.

KadNap botnet hijacks ASUS routers for proxy abuse

🔒 KadNap is a newly observed botnet that compromises primarily ASUS routers and other edge devices to assemble a distributed proxy network. Since August 2025 it has grown to roughly 14,000 nodes and uses a modified Kademlia Distributed Hash Table (DHT) protocol to conceal command-and-control infrastructure and complicate takedowns. Infections begin when a malicious script (aic.sh) is fetched from 212.104.141.140, which installs an ELF binary named kad and establishes persistence via a cron job that runs every 55 minutes. Researchers at Black Lotus Labs link KadNap to the Doppelganger/Faceless proxy service that sells access to infected devices, and Lumen has blocked related traffic on its network while preparing indicators of compromise.

Service-Provider Breach Exposes Data of 15,661 Ericsson

🔒 Ericsson Inc. disclosed a data breach impacting 15,661 employees and customers after a third-party service provider detected suspicious activity and identified possible unauthorized access to stored files. Investigators say files may have been accessed between April 17 and April 22, 2025, and the incident was detected on April 28, 2025; a detailed review completed on February 23 confirmed exposure of personal information. The types of data potentially exposed include names, addresses, Social Security numbers, driver’s licence or government ID numbers, financial and medical information. Ericsson notified the FBI, filed state breach notices, did not name the vendor, and is offering complimentary identity protection services through IDX to affected individuals.

npm package deploys GhostLoader RAT as OpenClaw Installer

⚠️ JFrog researchers discovered a malicious npm package published as "@openclaw-ai/openclawai" that impersonates an OpenClaw installer and executes a multi-stage infection chain delivering a remote access trojan. During installation a postinstall script places a binary on the PATH, which runs an obfuscated setup that simulates a legitimate CLI installer and prompts for administrator credentials. The second-stage payload, internally named GhostLoader, installs persistently, harvests credentials, browser data, wallets, SSH keys and Apple Keychain entries, and exposes a SOCKS5 proxy for remote operators.

APT28 Uses BEARDSHELL and COVENANT for Ukrainian Espionage

🛰️ ESET researchers say the Russian state‑sponsored group APT28 has deployed two implants, BEARDSHELL and COVENANT, alongside a keylogger dubbed SLIMAGENT to conduct long‑term surveillance of Ukrainian military personnel since April 2024. BEARDSHELL executes PowerShell commands and uses Icedrive for command‑and‑control, while the group’s modified COVENANT has abused Filen for cloud‑based C2 since July 2025. ESET links SLIMAGENT to older XAgent samples and notes shared obfuscation techniques as evidence of APT28 attribution.

Russian Campaign Targets Signal and WhatsApp Accounts

🔒 Dutch intelligence has uncovered a large-scale campaign by Russian state actors to hijack Signal and WhatsApp accounts belonging to military, government and other high-value individuals worldwide. The attackers impersonate support bots, request SMS verification codes or PINs, and exploit linked-device QR flows to add devices. Authorities warn these consumer apps, while end-to-end encrypted, are unsuitable for classified material and have issued guidance to detect and remediate account takeovers.