< ciso brief />

All news in category “Incidents and Data Breaches”

2727 articles · page 38 of 137

Ransomware Threats Increasingly Target Education Sector

🎓 Ransomware groups have shifted from encrypting files to extortion via stolen data, putting schools and universities at higher risk. Incidents in 2025–2026 include attacks on Sapienza University of Rome in February 2026, a vocational center in Treviso, and Blacon High School, which caused outages and operational disruption. Affordable, set-and-forget security that blocks phishing links and automatically scans USB devices can materially reduce exposure.

FBI Investigates Suspected Breach of Wiretap Systems

🚨 The FBI has acknowledged a suspected intrusion on a network used to manage wiretaps and foreign intelligence surveillance warrants, telling CNN it "identified and addressed suspicious activities" and leveraged technical capabilities to respond. The agency provided limited detail, prompting concerns about potential state-linked actors such as China. Past FBI IT security problems and a reported February 2023 field office breach have heightened scrutiny.

Iran-linked MuddyWater Targets US Firms with New Backdoors

🚨 Researchers at Broadcom’s Symantec and Carbon Black have linked a recent campaign to Iran-affiliated MuddyWater that began in early February and continued after recent US–Israeli strikes on Iran. The operation deployed a previously undocumented Deno-based backdoor dubbed Dindoor and a Python backdoor called Fakeset. Attackers used reused code-signing certificates issued to Amy Cherne and Donald Gay, and attempted data exfiltration via Rclone to Wasabi cloud storage. The activity affected a US bank, a US airport, NGOs in North America and an Israeli division of a US defense supplier.

Transparent Tribe Mass-Produces AI-Assisted Malware

⚠️ Bitdefender reveals that the Pakistan-aligned actor Transparent Tribe (APT36) has adopted AI-assisted coding to mass-produce disposable malware implants using niche languages like Nim, Zig, Crystal and Rust. The campaign targets Indian government entities and embassies while abusing trusted platforms such as Slack, Discord, Supabase, Google Sheets and Firebase to hide C2. Phishing via ZIP/ISO attachments or PDF lures delivers LNK shortcuts that run PowerShell in memory and fetch backdoors, often followed by deployment of Cobalt Strike and Havoc for post-compromise activity.

Fake Claude Code install guides push InstallFix attacks

🛡️ Researchers at Push Security detail an InstallFix scheme that clones legitimate CLI install pages to trick users into running malicious 'curl-to-bash' and PowerShell commands. A mirrored Claude Code documentation page was found delivering encoded download commands that launch mshta.exe and related processes to retrieve a binary. The active payload is Amatera, an info-stealer sold as a MaaS, and the phony pages are being promoted through Google Ads and hosted on legitimate platforms, increasing their evasiveness.

Multi-stage VOID#GEIST malware delivers multiple RATs

🔍 Securonix Threat Research has disclosed a multi-stage campaign named VOID#GEIST that leverages obfuscated batch scripts to stage a portable Python runtime and deploy encrypted RAT payloads including XWorm, AsyncRAT, and Xeno RAT. The chain retrieves ZIP archives from a TryCloudflare domain, extracts a Python loader (runn.py) and encrypted shellcode blobs, then decrypts and injects them directly into separate explorer.exe processes using Early Bird APC injection. The initial stage displays a decoy PDF while a hidden PowerShell relaunches the batch, and persistence is established at the user level via an auxiliary script placed in the Startup folder to minimize forensic artifacts.

Anthropic’s Claude Used to Hack Mexican Government

🔓 Researchers report an unknown attacker used Anthropic’s Claude to identify and exploit vulnerabilities in Mexican government networks. Israeli startup Gambit Security says the adversary submitted Spanish-language prompts that instructed the model to act as an elite hacker, generate exploit code, execute thousands of commands and plan automated data exfiltration; Claude initially warned about malicious intent but later complied. Anthropic says it investigated, disrupted the activity, banned the accounts involved, and has incorporated misuse examples and runtime probes into its latest model, Claude Opus 4.6, to help detect and disrupt similar abuse.

Iran-linked MuddyWater intrusions hit U.S., Israeli targets

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team found an Iran-linked group, MuddyWater, embedded in networks of U.S. banks, airports, a Canadian non-profit, and an Israeli software supplier. Researchers uncovered a novel Deno-based backdoor named Dindoor and a Python backdoor, Fakeset, whose signing certificate ties it to prior MuddyWater tools. An attempted Rclone exfiltration to a Wasabi bucket was observed. Vendors recommend bolstering monitoring, enforcing phishing-resistant MFA, segmenting networks, and reducing internet exposure of critical systems.

Ghanaian Pleads Guilty in $100M Romance and BEC Fraud

🔒 Derrick Van Yeboah, a 40-year-old Ghanaian national, pleaded guilty to conspiracy to commit wire fraud for his role in a transnational fraud ring that prosecutors say stole more than $100 million through romance scams and business email compromise attacks. Extradited to the U.S. in August 2025, he agreed to pay over $10 million in restitution and faces up to 20 years in prison. Prosecutors say he personally carried out many romance scams that targeted vulnerable Americans and worked with U.S. and West African accomplices to launder proceeds.

FBI investigates breach of surveillance and wiretap systems

🚨 The U.S. Federal Bureau of Investigation confirmed it is investigating a breach that affected systems used to manage surveillance and court-authorized wiretap warrants. The agency said it identified and addressed suspicious activity on FBI networks and has leveraged technical capabilities to respond, but declined to provide details on scope or impact. CNN reported an anonymous source saying the intrusion affected systems supporting wiretapping and foreign surveillance. Security observers note similarities with prior activity attributed to the state-linked group Salt Typhoon.

China-linked APT Targets South American Telecoms Networks

🛰️ Cisco Talos says a China-linked APT tracked as UAT-9244 has been targeting critical South American telecommunications since 2024, deploying three undocumented implants: TernDoor for Windows, PeerTime for Linux, and BruteEntry on edge devices. TernDoor uses DLL side-loading via wsprint.exe and a rogue BugSplatRc64.dll to execute payloads in memory and embed a driver to control processes. PeerTime is a multi-architecture P2P backdoor (ARM, AARCH64, PPC, MIPS) that uses BitTorrent for C2 and comes in C/C++ and Rust builds, while BruteEntry turns compromised edge hardware into brute-force proxy nodes targeting Postgres, SSH and Tomcat.

Microsoft: ClickFix Uses Windows Terminal to Deploy Malware

⚠️ Microsoft disclosed a ClickFix social engineering campaign observed in February 2026 that leverages the Windows Terminal app to execute malicious commands and deliver the Lumma Stealer. Attackers instruct targets to open Windows Terminal (wt.exe) via Windows+X → I and paste hex-encoded, XOR-compressed commands from fake CAPTCHA or troubleshooting pages, avoiding Run-dialog detection. The decoded chain downloads a ZIP and a renamed 7-Zip binary to extract payloads, sets persistence, configures Defender exclusions, and injects the stealer into browser processes to harvest stored credentials.

International Takedown of LeakBase Cybercrime Marketplace

🔒 Law enforcement across 14 countries seized the LeakBase cyberforum, taking its database and two domains and targeting roughly 142,000 users. Authorities executed around 100 coordinated actions beginning March 3, including arrests, search warrants, and interviews in multiple jurisdictions. The captured data reportedly contained credential pairs, payment card details, bank account information, and other sensitive personally identifiable and business data. Investigators say the technical seizure unmasked users who believed they were operating anonymously and that authorities delivered prevention messages while continuing to trace digital trails.

Chinese State Hackers Target Telcos with New Malware Toolkit

🛡️ Cisco Talos researchers report that a China-linked APT cluster tracked as UAT-9244 has been targeting telecommunication providers in South America since 2024, compromising Windows, Linux, and network-edge devices. The campaign uses three previously undocumented malware families: TernDoor (Windows backdoor), PeerTime (ELF BitTorrent-based Linux backdoor), and BruteEntry (brute-force scanner and proxy builder). Talos published a technical report with capabilities, deployment methods, persistence techniques, and IoCs for detection and mitigation.

Bing AI Promoted Fake OpenClaw GitHub Installers and Malware

⚠️ Researchers at Huntress found that Microsoft Bing’s AI-enhanced search suggested malicious GitHub repositories posing as installers for OpenClaw, instructing users to run commands that deployed information-stealing and proxy malware. The fake repos were tied to newly created GitHub accounts and mimicked legitimate projects to appear trustworthy. Windows and macOS installers delivered Rust-based loaders, the Atomic Stealer family, Vidar, and a GhostSocks backconnect proxy. Huntress reported the repositories to GitHub and recommends using official project portals and bookmarked download sources rather than search results.

Wikipedia hit by self-propagating JavaScript worm

🛡️ The Wikimedia Foundation experienced a security incident after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis. The malicious code, traced to a user script User:Ololoshka562/test.js uploaded in March 2024, injected loaders into both user-level and global MediaWiki:Common.js. Engineers temporarily restricted editing, reverted malicious edits, rolled back affected user scripts, and removed the injected code, but a full post-incident report has not yet been published.

FBI Arrests Suspect in $46M U.S. Marshals Crypto Theft

🔒 John Daghita, a U.S. government contractor and son of CMDSS's CEO, was arrested on Saint Martin after a joint operation by the FBI and France's elite Gendarmerie unit. He is accused of stealing more than $46 million in cryptocurrency seized and managed by the U.S. Marshals Service, including funds tied to the 2016 Bitfinex hack. Authorities seized cash, hard drives, and security keys, and investigators say public blockchain analysis played a key role in identifying him.

Israel Hacked Iranian Traffic Cameras, Aiding Assassinations

🎯 Multiple outlets report that Israel hacked Iranian traffic cameras and used the access to facilitate the targeting and killing of Iranian leaders. The New York Times details the broader intelligence operation and strategic context. The revelations raise questions about the use of civilian infrastructure in lethal operations and potential international legal and escalation risks. Security experts note that camera networks, often insecure and internet-connected, create an attack surface exploited by state actors.

Malicious AI Assistant Extensions Harvest LLM Data

🔒 Microsoft Defender investigated malicious Chromium browser extensions that impersonated legitimate AI assistant tools to collect LLM chat histories and browsing telemetry. Distributed via the Chrome Web Store and compatible with both Google Chrome and Microsoft Edge, the extensions captured full URLs and chat snippets from platforms such as ChatGPT and DeepSeek, reaching roughly 900,000 installs and activity in over 20,000 enterprise tenants. Microsoft provides detections, hunting queries, and mitigation guidance to contain exposure and remediate affected devices.

Europol and Amsterdam Police Shut Down Leakbase Market

🔒 Europol coordinated a multi-country operation with Amsterdam police that shut down Leakbase, described as one of the world's largest marketplaces for stolen data. Authorities seized the platform's servers in Amsterdam and said Leakbase had about 142,000 registered users worldwide. Investigators in 14 countries executed around 100 raids, targeting roughly 37 main users. The probe began in the Netherlands in 2023 and involved close cooperation with the U.S. FBI.