CISO Brief

All news in category “Incidents and Data Breaches”

2726 articles · page 41 of 137

Star Citizen Developer Discloses Backup Data Breach

🔒 Cloud Imperium Games (CIG), developer of Star Citizen and Squadron 42, disclosed a breach discovered on 21 January 2026 in which attackers accessed certain backup systems. The company says unauthorized access affected limited user personal data — primarily account metadata and contact details such as username, name and date of birth. CIG states no credentials or payment information were stored in the affected systems, access was read-only, and it has found no evidence of data modification or public leakage while it continues to monitor and investigate the incident.

Iran-linked Actor Targets Iraqi Government Officials

🔎 Zscaler ThreatLabz detected a January 2026 campaign by an Iran-nexus actor tracked as Dust Specter that impersonated Iraq’s Ministry of Foreign Affairs and used compromised government infrastructure to host and distribute payloads. The operation deployed previously undocumented tooling — SplitDrop, TwinTask, TwinTalk — and a consolidated .NET RAT called GhostForm. Researchers observed emoji and unicode artifacts in decompiled code that strongly suggest generative AI assisted in development.

University of Hawaii Cancer Center Data Breach Hits 1.2M

🔒 The University of Hawaii Cancer Center confirmed a ransomware breach that exposed data for nearly 1.2 million individuals after attackers accessed systems supporting its Epidemiology Division. Compromised files include names, Social Security numbers, driver's license numbers, and historical research health records collected in the 1990s and 2000s. UH says clinical operations, patient care, and student records were not affected and that it paid the actors for a decryption tool and to secure destruction of the stolen information.

Microsoft Warns OAuth Redirect Abuse Targets Government Orgs

🔒 Microsoft warned on Mar 3, 2026 of phishing campaigns that leverage OAuth redirect URLs to bypass email and browser defenses and deliver malware to government and public-sector targets without directly stealing tokens. Attackers register malicious applications and manipulate identity providers like Entra ID and Google Workspace to craft redirect links sent in emails or embedded in PDFs. The delivery chain uses ZIP -> LNK-triggered PowerShell -> MSI -> DLL sideloading to execute in-memory payloads and contact external C2; some campaigns also used AitM kits such as EvilProxy. Microsoft removed identified malicious apps and recommends limiting consent, auditing app permissions, and removing unused or overprivileged applications.

SloppyLemming Hits Pakistan and Bangladesh With Dual Malware

🛡️ Arctic Wolf reports SloppyLemming operated from January 2025 to January 2026, targeting government and critical infrastructure organizations in Pakistan and Bangladesh. The actor used spear-phishing PDFs and macro-enabled Excel files to deliver two distinct toolchains: a DLL side-loading path that deploys an in-memory backdoor and a Rust-based keylogger. The side-loading route leverages ClickOnce manifests to drop a legitimate .NET binary (NGenTask.exe) and a malicious loader (mscorsvc.dll) that decrypts and runs the implant BurrowShell. The keylogger includes port scanning and network enumeration capabilities, and the campaign abused Cloudflare Workers domains and Havoc/Cobalt Strike tradecraft.

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.

Fake Google Security PWA Steals OTPs, Wallets, Proxies

🔒 A phishing campaign impersonating Google directs victims to a malicious PWA on google-prism[.]com that harvests contacts, clipboard contents, GPS data, and one-time passcodes. The PWA leverages a service worker, Periodic Background Sync, and the WebOTP API while checking an /api/heartbeat endpoint for commands. It can act as an HTTP proxy via a WebSocket relay and uses push notifications to prompt users to reopen the app so it can access data. An optional Android APK escalates access with dozens of permissions and persistence mechanisms.

OAuth Redirect Abuse Enables Phishing and Malware Delivery

🔒 Microsoft Defender researchers observed phishing campaigns that abused OAuth redirection mechanics to route victims from trusted identity domains to attacker-controlled hosts. Attackers used silent authorization requests (for example prompt=none and intentionally invalid scopes) and embedded target addresses in the state parameter to trigger error redirects that landed users on malicious pages or download hosts without yielding tokens. Microsoft flagged correlated activity across email, identity, and endpoints; Microsoft Entra disabled the identified applications, though related activity persists and requires continued monitoring.

Alabama man pleads guilty to hacking, extorting women

🚨 A 22-year-old Alabama man, Jamarcus Mosley, pleaded guilty to federal extortion, cyberstalking, and computer fraud charges after hijacking social media accounts belonging to hundreds of young women, including minors. Between April 2022 and May 2025 Mosley impersonated friends and used social engineering to obtain account recovery codes and passwords, then threatened to publish private nude images unless victims paid, sent more explicit content, or surrendered access to other accounts. Sentencing is scheduled for May 27.

Florida woman jailed for large Microsoft license fraud

🔒 A Florida woman was sentenced to 22 months in prison and fined $50,000 for operating a years-long scheme that trafficked thousands of stolen Microsoft Certificate of Authenticity (COA) labels. Heidi Richards, who ran Trinity Software Distribution, purchased tens of thousands of genuine COAs, had employees extract and transcribe product keys, and sold those keys in bulk to customers worldwide. Prosecutors reported she wired $5,148,181.50 to the supplier between July 2018 and January 2023.

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.

APT28 Tied to CVE-2026-21513 MSHTML Zero-Day Exploit

🔍 Akamai links the Russia-linked actor APT28 to exploitation of CVE-2026-21513, a high-severity (CVSS 8.8) MSHTML security feature bypass that Microsoft patched in its February 2026 update. The flaw in ieframe.dll mishandles hyperlink navigation and can be weaponized by malicious HTML or LNK files to invoke ShellExecuteExW and run resources outside the browser sandbox. Akamai identified a sample uploaded to VirusTotal on 30 January 2026 tied to infrastructure associated with APT28, while Microsoft and Google intelligence teams reported real-world exploitation.

North Korean StegaBin: 26 Malicious npm Packages Exposed

🔍 Researchers disclosed a new StegaBin iteration of the Contagious Interview campaign in which North Korean actors uploaded 26 malicious packages to the npm registry. The packages masqueraded as developer tools and used text steganography in Pastebin essays to encode Vercel-based C2 addresses, ultimately delivering a credential stealer and a cross-platform RAT. Install-time scripts fetch multi-stage components that enable persistence, credential harvesting, and exfiltration.

QuickLens Chrome Extension Compromised to Steal Crypto

⚠️ The QuickLens Chrome extension was removed from the Chrome Web Store after a malicious update (v5.8) was pushed that added info-stealing and ClickFix attack functionality. Security researchers found the extension stripped security headers, added powerful permissions, and contacted a command-and-control server to fetch and run payloads on every page. A fake Google Update prompt led to malware that targeted Windows and attempted to steal browser credentials and cryptocurrency seed phrases. Google has disabled the extension; affected users should remove it, scan devices, reset passwords, and move funds from compromised wallets.

Korean Tax Service Exposes Wallet Seed, $4.8M Stolen

🔓 South Korea’s National Tax Service inadvertently exposed the mnemonic recovery phrase of a seized Ledger hardware wallet in a press release, enabling an attacker to drain approximately $4.8 million in crypto. The assets were confiscated during raids on 124 high-value tax evaders, but photos released by authorities showed a handwritten seed phrase that was not redacted. On-chain analysis shows the attacker deposited ETH for gas and moved 4 million Pre-Retogeum (PRTG) tokens to a new address in three transactions. The NTS removed the press release, and it is unclear whether a formal investigation has been launched.

Investigating Dort: The Alleged Kimwolf Botmaster's Identity

🔎 This article analyzes public evidence tying the alleged Kimwolf botmaster—known online as Dort and by earlier handles like CPacket and M1ce—to accounts, emails and domain registrations linked to an Ottawa-based Jacob Butler. It reviews GitHub and forum footprints (jay.miner232@gmail.com / MemeClient), ties to SIM Land and LAPSUS$ activity, and allegations that Dort sold disposable-email and CAPTCHA-bypass tools. After KrebsOnSecurity published research in January 2026 that disrupted Kimwolf’s spread, Dort allegedly mounted doxing, DDoS, email-flooding and swatting campaigns against researchers and the author.

Thousands of Google Cloud API Keys Expose Gemini Access

⚠️ Truffle Security found nearly 3,000 Google Cloud API keys (prefix "AIza") embedded in client-side code that can now authenticate to Gemini endpoints when a project enables the Generative Language API. Attackers scraping sites can use exposed keys to access uploaded files and cached contents and to make LLM calls that charge victims' accounts. Google says it has implemented measures to detect and block leaked keys and advises rotating and restricting exposed keys.

APT37 Deploys Ruby Jumper to Bridge Air-Gapped Networks

🛡️ Zscaler researchers uncovered a toolkit named Ruby Jumper used by North Korea–linked APT37 to bridge internet-connected and air-gapped systems via removable drives. The campaign begins with a malicious LNK that launches a PowerShell script, a decoy document, and the RESTLEAF implant, which fetches encrypted shellcode via Zoho WorkDrive and loads the Ruby-based loader SNAKEDROPPER. The threat persists by installing a Ruby runtime masked as usbspeed.exe and weaponizes USB media to relay commands and exfiltrate data.

Europol 'Project Compass' Leads to 30 Arrests in Europe

🔎 Europol-led Operation Compass has resulted in 30 arrests and linked 179 suspects to The Com, a decentralized cybercrime collective that targets children and teenagers. Launched in January 2025 and coordinated with law enforcement from 28 countries, the action identified 62 victims and directly safeguarded four. Investigators mapped multiple subgroups—Offline Com, Cyber Com, and (S)extortion Com—that facilitate violence, intrusions, and sexual exploitation.