< ciso brief />

All news in category “Incidents and Data Breaches”

2725 articles · page 42 of 137

Over 900 FreePBX Instances Remain Infected with Web Shells

⚠ The Shadowserver Foundation reports that more than 900 FreePBX instances remain infected with web shells after exploitation of the CVE-2025-64328 post-auth command injection flaw. The vulnerability (CVSS 8.6) affects versions >=17.0.2.36 and was fixed in 17.0.3; recommended mitigations include restricting access to the Administration Control Panel, updating the filestore module, and applying available updates. Fortinet links active exploitation since December 2025 to the INJ3CTOR3 actor delivering an EncystPHP web shell that enables arbitrary shell execution as the asterisk user and can initiate outbound call activity via compromised PBX instances.

Malicious Go crypto module steals passwords, deploys Rekoobe

🔒 A malicious Go module, github.com/xinfeisoft/crypto, impersonating the legitimate golang.org/x/crypto mirror, was found to exfiltrate terminal-entered secrets and deliver a Linux backdoor. The injected backdoor hooks ssh/terminal/terminal.go so that calls to ReadPassword() capture interactively typed passwords and send them to a remote endpoint, which responds with a shell script. That script appends an SSH key to /home/ubuntu/.ssh/authorized_keys, relaxes iptables defaults, and downloads two payloads—one that probes connectivity and contacts 154.84.63.184:443, and the other identified as the Rekoobe trojan. The Go security team has blocked the package, but researchers warn this low-effort impersonation pattern will likely be reused against other libraries that sit on the credential-handling path.

APT37 Ruby Jumper Campaign Expands Toolkit and USB Methods

🔎 APT37 has launched the 'Ruby Jumper' campaign using removable-media infection tools to compromise air‑gapped systems, researchers at Zscaler ThreatLabz found. The actor abused malicious .LNK shortcuts to run a PowerShell stager that extracts multiple embedded payloads and deploys a new implant, Restleaf, which uses Zoho WorkDrive for C2. Additional undocumented tools—SnakeDropper, ThumbSBD, VirusTask and FootWine—enable in‑memory execution, USB propagation and staged exfiltration.

ScarCruft Campaign Uses Zoho WorkDrive and USB Implants

🔒 In December 2025, Zscaler ThreatLabz exposed the Ruby Jumper campaign linking North Korea's ScarCruft to a novel multi-stage intrusion that abuses cloud storage and removable media. The attack begins with a malicious LNK that launches PowerShell to extract an embedded decoy document and multiple payloads, including the in-memory loader RESTLEAF. RESTLEAF uniquely leverages Zoho WorkDrive for C2 to fetch shellcode and stage follow-on components, while SNAKEDROPPER, THUMBSBD, and VIRUSTASK enable persistence, surveillance, and propagation to air-gapped systems via USB.

Ukrainian Pleads Guilty for Running AI Fake ID Service

🛂 Yurii Nazarenko pleaded guilty to operating OnlyFake, an AI-driven subscription site that generated and sold more than 10,000 counterfeit identification images worldwide. The platform produced realistic digital passports, U.S. driver's licenses for all 50 states, Social Security cards, and IDs for roughly 56 other countries, with options for customization and output as scans or tabletop photos. Only accepting cryptocurrency and offering bulk discounts, the site was used to circumvent Know Your Customer (KYC) checks; undercover FBI agents purchased fake documents in a 2024 sting. Nazarenko was extradited from Romania in September 2025, agreed to forfeit $1.2 million, and faces up to 15 years in prison with sentencing set for June 26, 2026.

North Korean Phishing Targets Programming Job Seekers

⚠️ Researchers report a new phishing campaign in which North Korean hackers pose as company recruiters and lure developer job candidates with seemingly legitimate coding challenges. When victims run the supplied code, it installs malware on their machines, giving the attackers a direct foothold. ReversingLabs analyzed the samples and BleepingComputer provided additional reporting. Candidates and employers should be cautious about running unvetted code and should verify recruiter identities.

Project Compass: Arrests Target 'The Com' Cyber Gang

🧭 Europol's Project Compass has targeted The Com, a transnational online collective linked to extortion, ransomware and violent abuse. Over the past 12 months the operation resulted in 30 arrests and the full or partial identification of 179 alleged members, while several victims were identified and safeguarded. The initiative spans EU states, Norway, Switzerland and all Five Eyes partners and focuses on disrupting recruitment and account-takeover tactics such as phishing, vishing and SIM swapping, as well as the group's links to extremist and Russian cyber-criminal networks.

Trojanized Gaming Tools Spread Java RAT, Evade Detection

🎮 Microsoft Threat Intelligence warns that threat actors are distributing trojanized gaming utilities via browsers and chat platforms to deliver a Java-based remote access trojan (RAT). A malicious downloader stages a portable Java runtime and executes a jd-gui.jar, leveraging PowerShell and LOLBins like cmstp.exe for stealth and self-deletion while configuring Microsoft Defender exclusions. Persistence is achieved with a scheduled task and a startup script named world.vbs, and the final payload phones home to 79.110.49[.]15 for command-and-control.

Dohdoor DoH Backdoor Targeting Education and Healthcare

🚨 Cisco Talos reports an ongoing campaign by UAT-10027 using a new backdoor called Dohdoor since December 2025. Dohdoor leverages DNS-over-HTTPS (DoH) for stealthy command-and-control, downloads and executes payloads within legitimate Windows processes, and employs phishing, PowerShell abuse, and DLL sideloading. The campaign targets U.S. education and health care organizations with C2 infrastructure hidden behind reputable services.

Aeternum C2: Blockchain-Based Botnet Resiliency and Evasion

🧭 Researchers disclosed a new botnet loader named Aeternum C2 that stores encrypted commands on the public Polygon blockchain, making its C2 infrastructure resistant to conventional takedowns. The native C++ loader (x86/x64) polls Polygon RPC endpoints to retrieve transactions written by a web panel implemented in Next.js. Operators can deploy multiple smart contracts, write immutable encrypted commands, and manage payloads with minimal operational cost while leveraging anti-analysis checks and AV-evasion scanning.

ManoMano data breach affects 38 million customers globally

🛠️ ManoMano has notified customers that a security incident tied to a third‑party customer service subcontractor resulted in the unauthorized extraction of personal data for approximately 38 million individuals. Exposed information reportedly varies by interaction and may include full name, email address, phone number, and customer service communications; no account passwords were accessed. Identified in January 2026, ManoMano says it revoked the subcontractor’s access, strengthened controls, informed regulators, and is advising customers to remain vigilant against phishing and social engineering.

Olympique Marseille Confirms Cyberattack After Data Leak

⚠️ Olympique de Marseille says it was the target of an attempted cyberattack after a threat actor claimed to have breached some servers and leaked a sample of allegedly stolen information. The actor claims the database includes details on about 400,000 individuals and more than 2,050 Drupal CMS accounts, including staff, contributors, and moderators. The club reports its technical teams and specialized providers quickly contained the situation, that operations continue normally, and that no banking details or passwords have been compromised; it has reported the incident to the CNIL and filed a complaint.

Aeternum Botnet Shifts C2 to Polygon Blockchain Control

⛓️ A newly discovered loader named Aeternum relocates botnet command-and-control onto the Polygon blockchain, researchers at Qrator Research Lab report. Infected machines retrieve instructions written as on-chain transactions and poll more than 50 RPC endpoints instead of contacting centralized servers or domains. The seller offers native C++ builds and a web dashboard that writes commands to smart contracts, creating a low-cost, resilient C2 channel that complicates traditional takedowns and shifts defensive emphasis to edge filtering and proactive DDoS mitigation.

UAT-10027 Campaign Delivers Dohdoor Backdoor via DoH

🔒 Cisco Talos attributes a previously undocumented activity cluster, tracked as UAT-10027, to an ongoing campaign targeting U.S. education and healthcare since December 2025. The actor deploys a novel backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for stealthy C2 and reflectively loads additional payloads into memory. Initial access is suspected to begin with social-engineering and a PowerShell script that retrieves a staged batch and malicious DLLs (observed as propsys.dll and batmeter.dll), which are launched via DLL side‑loading of legitimate executables. Talos observed the adversary fronting C2 behind Cloudflare to make traffic appear as legitimate HTTPS and unhooking user-mode API hooks in NTDLL.dll to evade EDR; follow-on payloads have been assessed as Cobalt Strike beacons.

Fake FSB Officer Allegedly Tried to Extort Conti Gang

🔒 A Moscow resident has been accused of attempting to extort the notorious ransomware group Conti by impersonating an officer of Russia's Federal Security Service (FSB). Russian reports say Ruslan Satuchin contacted a Conti member in September 2022, demanding payment in exchange for influencing law-enforcement actions. Satuchin denies the allegations and is in pre-trial detention amid concerns about witness intimidation; if convicted he faces up to ten years and a fine of one million rubles. The case follows the 2022 leak that dismantled much of Conti and scattered its operators to other ransomware families.

Google Disrupts Prolific China-Linked UNC2814 Campaign

🔒 Google Threat Intelligence Group (GTIG) and partners disrupted UNC2814, a prolific cyber-espionage campaign with suspected links to China that operated since 2017 and targeted governments and telecommunications across multiple continents. Researchers identified a novel backdoor, GridTide, which abused Google Sheets as a covert command-and-control channel to execute shell commands and transfer files. Google terminated attacker-controlled Cloud Projects, disabled accounts, revoked Sheets API access used for C2, and has notified victims while offering remediation support.

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group, tracked as UNC2814, that repurposed Google Sheets as a covert command-and-control channel to manage a custom backdoor named GRIDTIDE. The backdoor abused legitimate Sheets API calls to receive commands, return stolen data, poll spreadsheets frequently, and wipe rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to the discovery of intrusions at 53 organizations across 42 countries, focused on telecoms and government systems. Google terminated attacker Cloud projects, revoked API access, sinkholed domains, and published IOCs.

Talos: Dohdoor DoH Backdoor Targets US Education, Healthcare

🛡️ Cisco Talos reports an active campaign, observed since December 2025, in which actor UAT-10027 deployed a previously undocumented backdoor called Dohdoor that uses DNS-over-HTTPS (DoH) for covert C2. The multi-stage chain leverages phishing-delivered PowerShell to fetch a batch dropper that sideloads a disguised DLL into legitimate Windows binaries and tunnels C2 through Cloudflare’s edge. Dohdoor decrypts and reflectively executes payloads in memory, unhooks ntdll to evade EDR, and was observed targeting U.S. education and healthcare organizations.

Fake Next.js Repos Deliver In-Memory JS Backdoors Campaign

⚠️ A coordinated developer-targeting campaign uses fake Next.js repositories and job-assessment lures to trick engineers into executing attacker-controlled JavaScript at runtime. Microsoft and third-party researchers identified three execution paths — VS Code workspace tasks (runOn: "folderOpen"), dev-server builds, and backend startup — that all fetch loaders from staging services like Vercel. The in-memory payload profiles hosts, polls for an instanceId and executes server-supplied code to maintain persistent C2 while minimizing disk artifacts.

Typosquatted NuGet Package Impersonates Stripe Library

⚠ A malicious NuGet package, StripeApi.Net, was uploaded on February 16, 2026 and impersonated Stripe.net by reusing the official icon, a near-identical README and inflated download counts across hundreds of versions. The package implemented legitimate payment functions but altered key methods to capture and exfiltrate Stripe API tokens while leaving payment processing appearing to work normally. ReversingLabs discovered and reported the package and it was removed from NuGet before wide impact.