All news in category "Incidents and Data Breaches"

HOOK Android Trojan Adds Ransomware Overlays, Expands

🔒 Cybersecurity researchers at Zimperium zLabs have identified a new HOOK Android banking trojan variant that deploys full-screen ransomware-style overlays to extort victims. The overlay is remotely triggered via the command "ransome" and displays a warning, wallet address and amount, and can be dismissed by the attacker with "delete_ransome". An offshoot of ERMAC, the latest HOOK builds on banking malware techniques and now supports 107 remote commands, introducing transparent gesture-capture overlays, fake NFC and payment screens, and deceptive unlock prompts to harvest credentials and crypto recovery phrases.

Ransomware Disrupts Operations at Data I/O Manufacturer

🔒 Data I/O, a US-based provider of programming solutions for Flash devices, disclosed a ransomware incident on 16 August that forced it to take platforms offline and deploy mitigations. The company said operations including communications, shipping, manufacturing and support functions were temporarily impacted while it restores systems. Costs for remediation and contractor fees are reasonably likely to affect finances. Major customers include Tesla, Panasonic, Amazon, Google and Microsoft.

UNC6384 Uses Captive Portal Hijacks to Deploy PlugX

🔐 Google’s Threat Intelligence Group (GTIG) detected a March 2025 campaign attributed to UNC6384 that uses captive-portal hijacks to deliver a digitally signed downloader called STATICPLUGIN. The downloader (observed as AdobePlugins.exe) retrieves an MSI and, via DLL sideloading through Canon’s IJ Printer Assistant Tool, stages a PlugX variant tracked as SOGU.SEC entirely in memory. Operators used valid TLS and GlobalSign-signed certificates issued to Chengdu Nuoxin Times Technology Co., Ltd, aiding evasion while targeting diplomats and other entities.

Phishing Campaign Uses UpCrypter to Deploy RATs Globally

📧 Fortinet FortiGuard Labs has observed a phishing campaign using fake voicemail and purchase-order lures to direct victims to convincing landing pages that prompt downloads of JavaScript droppers. The droppers retrieve the UpCrypter loader, which conducts anti-analysis and sandbox checks before fetching final payloads, including various RATs such as PureHVNC, DCRat and Babylon. Attacks since August 2025 have targeted manufacturing, technology, healthcare, construction and retail/hospitality across multiple countries; defenders are urged to block malicious URLs, strengthen email authentication, and monitor anomalous M365 activity.

Deception in Depth: UNC6384 Hijacks Web Traffic Globally

🛡️ In March 2025, Google Threat Intelligence Group identified a complex espionage campaign attributed to the PRC‑nexus actor UNC6384 that targeted diplomats in Southeast Asia and other global entities. The attackers hijacked web traffic via a captive‑portal and AitM redirect to deliver a digitally signed downloader tracked as STATICPLUGIN, which retrieved a disguised MSI and staged an in‑memory deployment of the SOGU.SEC backdoor (PlugX). The operation abused valid code‑signing certificates, DLL side‑loading via a novel launcher CANONSTAGER, and indirect execution techniques to evade detection. Google issued alerts, added IOCs to Safe Browsing, and recommends enabling Enhanced Safe Browsing, applying updates, and enforcing 2‑Step Verification.

Fake macOS Help Sites Spread SHAMOS Infostealer via Ads

🔒 CrowdStrike disrupted a malvertising campaign that redirected users to counterfeit macOS help pages and urged them to run a malicious one-line installation command. Observed between June and August 2025, the operation sought to deliver the SHAMOS variant of the Atomic macOS Stealer (AMOS), a Mach-O binary distributed by MaaS operator Cookie Spider. The installer decoded a Base64 string, executed a Bash script that captured credentials and fetched the payload from icloudservers[.]com.

Chinese Developer Jailed for Deploying Malicious Code

⚖️ A software developer was sentenced to four years in prison after deploying malicious code inside his US employer's network, the Department of Justice said. The defendant, identified as Davis Lu, introduced infinite-loop logic, deleted coworker profile files and implemented a credential-dependent kill-switch that locked out thousands of users in September 2019. The sabotage followed a corporate realignment that reduced his access; investigators found deleted encrypted data and internet searches showing intent to escalate privileges and rapidly delete files while obstructing remediation.

Phishing Campaign Exploits Google Classroom: 115K Emails

📚 Check Point researchers uncovered a large-scale phishing campaign that abused Google Classroom to deliver more than 115,000 malicious emails in five coordinated waves over a single week. Attackers used fake classroom invitations carrying unrelated commercial offers to trick recipients across Europe, North America, the Middle East and Asia. The campaign targeted roughly 13,500 organizations and highlights risks when trusted collaboration tools are weaponized.

Major Corporation Uses '123456' for Critical Access

🔒 McDonald's reportedly configured a major corporate system with the password 123456, illustrating a glaring failure in basic security hygiene. That weak credential makes systems trivially susceptible to brute-force and credential-stuffing attacks and indicates lax oversight of password policies, privileged accounts, and access controls. Immediate remediation should include forcing password rotation, deploying multi-factor authentication, implementing centralized secrets management, and auditing privileged access.

Transparent Tribe Targets Indian Govt with Shortcut Malware

🔒 Transparent Tribe (APT36) has been observed delivering weaponized desktop shortcut files to compromise both Windows and BOSS Linux systems at Indian government organizations. Reports from CYFIRMA, CloudSEK, Hunt.io, and Nextron Systems describe Go-based droppers, hex-encoded ELF payloads, and cron-based persistence. The campaign uses spear-phishing lures and typo-squatted domains with decoy PDFs to harvest credentials and target Kavach two-factor authentication, while deploying backdoors such as Poseidon and MeshAgent to maintain long-term access.

Yemen Cyber Army Hacker Jailed for Massive Data Theft

🔒 A 26-year-old man, Al-Tahery Al-Mashriky, has been jailed after UK National Crime Agency investigators linked him to the Yemen Cyber Army and uncovered evidence of widespread website breaches. Arrested in August 2022 in Rotherham, he defaced and compromised sites across North America, Yemen and Israel, including government and faith organisations. Forensically seized devices contained personal data, account credentials and other files that could facilitate fraud; he pleaded guilty and was sentenced to 20 months in prison.

Malicious Go Module Poses as SSH Brute-Force Tool, Steals

🔒 Researchers identified a malicious Go module that masquerades as an SSH brute-force utility but secretly exfiltrates credentials to a threat actor via a hard-coded Telegram bot. The package, golang-random-ip-ssh-bruteforce, published on June 24, 2022 and still accessible on pkg.go.dev, scans random IPv4 addresses, attempts concurrent logins from a small username/password list, and disables host key verification. On the first successful login it sends the IP, username and password to @sshZXC_bot, which forwards results to @io_ping, allowing the actor to centralize harvested credentials while distributing scanning risk.

Fortinet Supports INTERPOL in Operation Serengeti 2.0

🛡️Fortinet supported INTERPOL’s Operation Serengeti 2.0 by providing preemptive threat intelligence—IOCs, command-and-control data, and forensic insights—that helped plan and execute cross-border takedowns. Conducted June–August 2025 with 18 African nations and nine private partners, the operation led to 1,209 arrests, dismantling of 11,432 malicious infrastructures, and recovery of $97.4 million. Fortinet also contributed investigator training and capacity building to sustain disruption efforts.

Europol: Telegram Post Claiming $50,000 Qilin Bounty Is Fake

🔍 Europol has confirmed that a circulated Telegram post claiming a reward of up to $50,000 for information on senior Qilin ransomware operators is false. The message originated on a newly created channel (@europolcti) rather than on Europol's official accounts and was amplified by security outlets after being copied. The bogus announcement named alleged aliases "Haise" and "XORacle", and the channel poster later boasted about fooling researchers and journalists. Europol stressed that Qilin remains a significant threat, previously linked to an attack on a UK NHS provider with severe consequences.

Chinese Groups Escalate Cloud and Telecom Espionage

🛡️ CrowdStrike warns that China-linked groups Murky Panda, Genesis Panda, and Glacial Panda have intensified cloud and telecommunications espionage, abusing trusted cloud relationships and internet-facing appliances to gain access. The actors exploit N-day and zero-day flaws, deploy web shells, and steal cloud credentials to establish persistence with tools such as CloudedHope. Targets include government, technology, financial, and telecom sectors, with operations tailored to covert intelligence collection and long-term access.

INTERPOL Arrests 1,209 Cybercriminals in Africa Sweep

🔎 INTERPOL coordinated a multi-country crackdown that led to the arrest of 1,209 suspected cybercriminals across 18 African nations, targeting schemes that affected roughly 88,000 victims. The operation, the second phase of Operation Serengeti carried out between June and August 2025, recovered about $97.4 million and dismantled 11,432 malicious infrastructures. Private-sector partners including Group-IB and TRM Labs contributed intelligence on cryptocurrency fraud and ransomware links.

Blue Locker Ransomware Targets Critical Infrastructure

🔒 Pakistan Petroleum Limited (PPL) was struck by the Blue Locker ransomware, detected on 6 August, which appends a .blue extension to encrypted files and has reported deletion of backups and theft of some business and employee data. The incident encrypted servers and disrupted financial operations while recovery work proceeded in a phased manner. Pakistan's NCERT issued a high alert to 39 key ministries and institutions and warned of multiple distribution vectors. Organisations, especially critical infrastructure operators, are urged to verify and isolate backups, implement network segmentation and enhanced monitoring, and engage incident response and forensic teams as needed.

Ex-Developer Jailed for Deploying Kill-Switch Malware

🛑 A former software developer was sentenced to four years in prison after intentionally sabotaging his employer's servers with custom malware that included a kill switch. Davis Lu, 55, abused his access in 2019 to introduce infinite-loop Java code, delete coworker profiles, and deploy a kill switch named 'IsDLEnabledinAD' that locked out users when his Active Directory account was disabled. The DOJ said the incident, reportedly at Eaton Corporation, disrupted thousands of users and caused hundreds of thousands of dollars in losses.

Russian State-Backed Static Tundra Exploits Cisco Devices

🧭 The author opens with a travel anecdote and practical reminders on securing devices while on the road, urging readers to update, back up, and avoid public charging or untrusted Wi‑Fi. The newsletter highlights field-tested precautions including disabling auto-connect, using VPNs or phone hotspots, enabling device tracking, and carrying power banks. It also warns of an active campaign by a Russian state-backed group targeting Cisco devices via CVE-2018-0171, urging immediate patching and hardening.

ClickFix Campaign Delivers CORNFLAKE.V3 Backdoor via Web

🛡️ Mandiant observed a campaign using the ClickFix social‑engineering lure to trick victims into copying and running PowerShell commands via the Windows Run dialog, yielding initial access tracked as UNC5518. That access is monetized and used by other groups to deploy a versatile backdoor, CORNFLAKE.V3, in PHP and JavaScript forms. CORNFLAKE.V3 supports HTTP-based payload execution, Cloudflare-tunneled proxying and registry persistence; researchers recommend disabling Run where possible, tightening PowerShell policies and increasing logging and user training to mitigate the risk.