CISO Brief

All news in category “Incidents and Data Breaches”

2724 articles · page 44 of 137

Bitpanda Phishing Campaign Uses Fake MFA to Harvest Data

🔒 A sophisticated phishing campaign impersonating cryptocurrency broker Bitpanda has been uncovered by Cofense, employing a near-perfect fake login to steal credentials. Victims are guided through a staged MFA flow that requests names, phone numbers, addresses and dates of birth, enabling account takeover and identity abuse. The fraudulent landing page uses deceptive domains and urgent messaging before redirecting users to the real login page. Users should verify sender addresses, hover over links and access platforms via bookmarks rather than email links.

Lazarus Group Expands Ransomware Operations Using Medusa

🔐 Symantec and Carbon Black researchers linked a new wave of Medusa ransomware activity to North Korean state-backed actors within the broader Lazarus umbrella, noting deployments against a Middle East target and attempted intrusions into US healthcare. Medusa, a 2023 ransomware-as-a-service operated by Spearwing, has been tied to more than 366 incidents and recent listings of US healthcare and non-profit victims with average demands near $260,000. Analysts observed a toolkit—including Comebacker, Blindingcan, ChromeStealer and Mimikatz—that resembles previous Stonefly operations but cautioned the components are not exclusive to a single sub-group.

UAC-0050 Targets European Financial Institution with RMS

🔒 A Russia-aligned cybercrime cluster tracked as UAC-0050 (also known as DaVinci Group and labeled Mercenary Akula by BlueVoyant) carried out a spear-phishing operation this month against a European financial institution involved in regional development and reconstruction. The campaign spoofed a Ukrainian judicial domain and lured a senior legal and policy advisor to download an archive hosted on PixelDrain, which unpacked into a password-protected chain culminating in an executable disguised as a PDF. Execution led to installation of an MSI that deployed RMS remote desktop software, providing persistent remote control and file-transfer capabilities, consistent with the group’s prior use of remote-access tools to evade detection and maintain stealthy access.

Lazarus Group Uses Medusa Ransomware in Middle East Attack

🔒 Broadcom's Symantec and Carbon Black Threat Hunter Team reports the North Korea-linked Lazarus Group used Medusa ransomware in an attack against an unnamed Middle East entity and mounted an unsuccessful attempt against a U.S. healthcare organization. Medusa is a RaaS launched by Spearwing in 2023 and has been tied to hundreds of incidents. Analysts say this reflects a tactical shift toward off-the-shelf ransomware and affiliate operations, with the campaign leveraging tools such as RP_Proxy, Mimikatz, Comebacker, InfoHook, BLINDINGCAN, and ChromeStealer.

Shai-Hulud-style npm worm strikes CI and AI tooling

🐛 Socket researchers disclosed an active npm supply-chain campaign dubbed SANDWORM_MODE that leverages typosquatted packages to infiltrate developer machines, CI pipelines, and AI coding assistants. The malicious packages (at least 19 observed) harvest npm and GitHub tokens, environment secrets, and cloud keys, then use stolen credentials to modify repositories and amplify via weaponized GitHub Actions. The campaign also injects a malicious MCP server into AI tool configs to enable prompt-injection exfiltration, includes a dormant polymorphic engine, and implements a configurable 'dead switch' that can wipe home directories.

ShinyHunters Claims Breach of Dutch Telecom Odido

🔒 The ShinyHunters extortion gang claims it stole millions of user records from Dutch telecom Odido, adding the company to its dark‑web leak site and asserting nearly 21 million records were taken. Odido disclosed the incident on February 12, reporting that attackers accessed its customer contact system on February 7 and that exposed fields vary by customer. The carrier said no Mijn Odido passwords, call records, location data, billing data, or identity scans were exposed; ShinyHunters, however, alleges internal corporate data and plaintext passwords were also taken. Odido reported the breach to the Dutch Data Protection Authority, blocked the attackers' access, and engaged external cybersecurity specialists while investigations continue.

Lazarus-linked Medusa Ransomware Hits U.S. Healthcare

🔒 Symantec says a North Korean Lazarus subgroup is using Medusa ransomware to extort U.S. healthcare organizations, marking the first public linkage between Lazarus and Medusa. The attacks combine commodity utilities with custom tools — Comebacker, Blindingcan, ChromeStealer, Infohook, Mimikatz and RP_Proxy — and have hit multiple healthcare and non-profit victims. Symantec published IoCs and warns demands can reach $15 million.

UnsolicitedBooker Targets Central Asian Telecoms via Malware

🔒 Positive Technologies reports that the UnsolicitedBooker cluster has shifted from Saudi targets to telecommunications firms in Kyrgyzstan and Tajikistan, deploying two backdoors named LuciDoor and MarsSnake. The intrusions relied on phishing with malicious Microsoft Office documents that prompt users to enable macros, dropping C++ loaders (LuciLoad and MarsSnakeLoader) to deploy the payloads. In some cases attackers used LNK-based chains, hacked routers for C2, and infrastructure mimicking Russian systems while leveraging rare tools of Chinese origin.

Trial Over movie2k Operators and €2.64B Bitcoin Haul

⚖️ The trial in Leipzig has begun against the alleged ringleader of the illegal streaming portal movie2k.to, who is principally charged with commercial money laundering tied to extensive piracy operations. Prosecutors allege the site converted advertising revenues into bitcoin; nearly 50,000 BTC were recovered after the 2023 arrest, later sold for about €2.64 billion now held by the state treasury. Defense objections to parts of the indictment were dismissed, and copyright infringement claims are time-barred and not included in the proceedings.

Russian Actor Uses AI to Exploit Weak Fortinet Firewalls

🤖 Amazon Threat Intelligence says a Russian-speaking actor used commercial generative AI services to compromise hundreds of FortiGate firewalls by exploiting exposed management interfaces and weak, single-factor credentials. Between Jan. 11 and Feb. 18 the group breached over 600 devices across 55+ countries, then accessed Active Directory, extracted credential databases, and targeted backups. Amazon recommends fundamental controls — restrict management access, enforce MFA, patch perimeter devices, improve segmentation, and enhance detection — noting the attacker’s toolkit and operational plans were largely AI-generated and publicly left on infrastructure used in the campaign.

Spain Arrests Suspected Anonymous Fénix Hacktivists

🔒 Spanish authorities arrested four alleged members of the hacktivist group Anonymous Fénix for a series of distributed denial-of-service (DDoS) attacks that targeted government ministries, political parties, and public institutions. The Spanish Civil Guard said the group first struck in April 2023 and intensified activity after severe floods in Valencia in late October 2024, using X and Telegram for recruitment and propaganda. Courts ordered seizure of the group's X and YouTube accounts and closure of its Telegram channel following the arrests.

APT28 Campaign Uses Webhook-Based Docs to Target Europe

🔎 S2 Grupo's LAB52 attributes a campaign codenamed Operation MacroMaze to the Russia-linked APT28, active from September 2025 through January 2026. The attackers used spear-phishing documents containing an INCLUDEPICTURE field that points to webhook[.]site URLs to confirm document opens and deploy macros that run VBScript and batch files. Payloads render Base64 HTML in Microsoft Edge, using headless or off-screen browsers to retrieve commands and exfiltrate output to webhook endpoints. LAB52 emphasizes the campaign's operational simplicity and reliance on legitimate services to reduce detection.

Optimizely Confirms Data Breach Following Vishing Attack

📢 Optimizely has confirmed a data breach after attackers used a sophisticated voice‑phishing (vishing) campaign to gain access to some internal systems on or before February 11. The company says the intruders accessed certain CRM records, internal back‑office documents, and basic business contact information but could not escalate privileges, install software, or create backdoors. Optimizely reports no evidence of access to sensitive customer data or personal information beyond business contacts, and business operations remain uninterrupted. It is warning customers to be vigilant for follow‑on phishing attempts leveraging the exposed contact details.

Wormable XMRig Campaign Uses BYOVD to Boost Hashrate

🛡️ Trellix researchers describe a wormable cryptojacking campaign that lures victims with pirated software bundles to deploy a custom XMRig miner and a modular dropper that acts as installer, watchdog, payload manager, and cleaner. The binary uses command-line mode switching to install, restart, monitor, or self-destruct and contains a time-based logic bomb that triggers decommissioning after December 23, 2025. The actors abuse a flawed driver, WinRing0x64.sys (CVE-2020-14979), in a BYOVD chain to escalate privileges and boost RandomX hashrate by an estimated 15–50%. Responders advise blocking vulnerable drivers, scanning for artifacts, restricting removable media execution, enforcing least privilege, and applying relevant patches.

Shai-Hulud–Style Worm Hits npm Packages and AI Tools

🔒 Socket's Threat Research Team discovered a supply chain worm, tracked as SANDWORM_MODE, spreading via typosquatted npm packages and compromised GitHub accounts while also manipulating local AI coding assistants. The malware harvested developer and CI credentials, injected rogue MCP servers into tools like Claude Desktop and VS Code Continue, and exfiltrated API keys for multiple large language model providers. Affected packages were removed and infrastructure disabled; developers should rotate credentials and audit CI workflows and local AI configurations.

Fraud Investigation Reveals Sophisticated Python Malware

🔍 A fraud investigation by the Secuinfra Falcon Team uncovered a layered, Python-based malware deployment that led to unauthorised PayPal transfers and visible command output on the victim's desktop. Investigators found hidden PowerShell activity retrieving a PyInstaller-packed executable named svchoss.exe from an IP hosted in Tencent-associated networks, alongside startup scripts and a concealed Python runtime. Memory forensics with Volatility 3 and string extraction exposed heavy obfuscation, references to Cobalt Strike, XWorm RAT, HTran and attempts to harvest browser autofill and wallet data. Although the system was judged fully compromised, the initial infection vector remains unconfirmed, with social engineering and malicious downloads considered likely.

Russian-speaking Actor Uses GenAI to Compromise FortiGate

🔍 Amazon Web Services reported a low-skilled, Russian-speaking actor used commercial GenAI services to run an opportunistic campaign that compromised over 600 FortiGate devices across more than 55 countries between 11 January and 18 February 2026. The attacker scanned internet-exposed management interfaces, attempted commonly reused credentials and relied on AI-assisted scripts to parse stolen configurations and automate VPN access. AWS noted no exploitation of FortiGate vulnerabilities and that AWS infrastructure was not involved. Defenders are urged to prioritize patching, credential hygiene and post-exploitation detection.

Cyberattack Claims: Personal Data of 27,000 RTL Staff

🔒 A threat actor calling themselves LuneBF is claiming to have stolen data belonging to more than 27,000 employees of the RTL Group and its subsidiaries, including Fremantle and M6. The attacker posted a 100-record sample allegedly taken from RTL’s intranet that contains names, emails, postal addresses and phone numbers. RTL has confirmed the incident and said it is investigating; it believes customer data is unlikely to be affected. Security experts warn the exposed contact details could enable targeted phishing, social engineering and pose particular risks to investigative journalists.

Advantest hit by ransomware; investigation under way

🔒 Advantest Corporation, the Tokyo-based maker of semiconductor test equipment, disclosed on 19 February that it is responding to a cybersecurity incident involving ransomware after detecting unusual activity in its IT environment on 15 February. The company says it isolated affected systems and engaged third-party cybersecurity experts to investigate and contain the event; preliminary findings indicate unauthorized access and possible ransomware deployment. As of 23 February no data breach has been confirmed, and Advantest says it will notify impacted customers or employees if exposure is found.

FBI: ATM Jackpotting Surge Costing Banks Over $20M

🛡️ The FBI reports over 700 ATM jackpotting incidents in 2025 that cost banks more than $20 million, and notes nearly 40% of US attacks since 2020 occurred last year. Attackers commonly deploy malware such as Ploutus to exploit the XFS API, allowing direct hardware commands to dispense cash and bypass bank authorization. The agency details physical intrusion techniques—generic keys, hard-drive removal or replacement with preloaded devices—and urges layered defenses including improved physical locks and sensors, hardware whitelisting, robust logging, IP whitelisting and endpoint detection to detect and prevent rapid cash-outs.