
All news in category “Incidents and Data Breaches”


Bangladesh Bank Cyberheist: Ten-Year Resilience Lessons

🔒 Ten years after the February 2016 operation that attempted to steal $951 million via fraudulent SWIFT messages, the Bangladesh Bank heist remains a defining case for cyber resiliency. Attackers attributed to the Lazarus Group used spear-phishing, backdoors, keyloggers and printer sabotage to capture credentials and erase audit trails, enabling 35 fraudulent transfer attempts. The incident exposed basic control failures—lack of network segregation, exposed SWIFT systems, and limited endpoint monitoring—and helped drive mandatory measures such as the SWIFT Customer Security Program.

Canada Goose Investigates After 600K Customer Records Leak

🔍 Canada Goose is investigating after data extortion group ShinyHunters published an archive claiming more than 600,000 customer records tied to past transactions. The 1.67 GB JSON dataset reportedly contains names, emails, phone numbers, billing and shipping addresses, IPs, order histories, and partial payment card data (brands, BINs, last four digits). Canada Goose says it has found no evidence of a breach of its own systems and that no unmasked financial data appears present, while it reviews the dataset to verify accuracy and scope.

ClickFix Attack Uses nslookup DNS to Deliver PowerShell

⚠️ Microsoft has identified a novel ClickFix social-engineering variant that instructs victims to run an nslookup against an attacker-controlled resolver to retrieve a malicious PowerShell script embedded in the DNS NAME field. The response is parsed and executed via cmd.exe, then pulls a second-stage ZIP containing a Python runtime and scripts that lead to the ModeloRAT remote-access trojan. Organizations should monitor unusual DNS queries to untrusted nameservers and apply endpoint controls to block unauthorized script execution and persistence.

Pastebin-Promoted ClickFix JavaScript Attack Hijacks Swaps

🚨 Threat actors are abusing Pastebin comments to promote a ClickFix-style social engineering campaign that tricks cryptocurrency users into executing JavaScript in their browser, enabling attackers to hijack Bitcoin swap transactions on Swapzone.io. Victims are directed to copy a javascript: snippet from a hosted paste and execute it in the address bar; the injected, obfuscated payload overrides the exchange's swap logic and replaces deposit addresses with attacker-controlled wallets. The code also tampers with displayed rates and offers to simulate successful arbitrage. Because the script runs within the victim's authenticated session, the interface looks legitimate while funds are irreversibly redirected to attackers.

Single Threat Actor Behind 83% of Ivanti RCE Exploits

🛡️ GreyNoise telemetry indicates a single IP hosted by PROSPERO OOO is responsible for roughly 83% of active exploitation attempts against Ivanti Endpoint Manager Mobile (EPMM), targeting CVE-2026-21962 and CVE-2026-24061. Between Feb 1 and Feb 9, researchers observed 417 exploit sessions from eight source IPs, with a sharp spike on Feb 8. Activity appears automated, using OAST-style DNS callbacks consistent with initial access broker behavior; Ivanti has released hotfixes and will issue full patches in Q1.

Snail Mail Phishing Targets Trezor and Ledger Users

📬 Cybercriminals are mailing phishing letters impersonating Trezor and Ledger to trick hardware wallet owners into surrendering recovery phrases. The letters pressure recipients with deadlines for an Authentication Check or Transaction Check and instruct them to scan QR codes that lead to cloned setup pages. Those pages prompt entry of 24-, 20- or 12-word seed phrases, which are then sent to attacker-controlled servers, allowing funds to be stolen. Never share your recovery phrase; manufacturers will never ask for it.

Fake recruiter campaign hides RAT in dev coding tests

⚠️ A new variant of a fake recruiter campaign attributed to North Korean actors is targeting JavaScript and Python developers with cryptocurrency-themed coding tasks. Attackers publish seemingly legitimate job projects and embed malicious dependencies on npm and PyPI that install a remote access trojan reported as Graphalgo. The operation is modular and resilient, with 192 malicious packages identified and tactics such as delayed activation and token‑protected command channels. Affected developers are advised to rotate tokens and passwords and to reinstall compromised systems.

Claude LLM artifacts abused to deliver Mac infostealers

⚠️ Threat actors are abusing public Claude artifacts and manipulated Google Search results to trick macOS users into running malicious Terminal commands. These commands download and execute a loader that installs the MacSync infostealer, which harvests keychain data, browser credentials, and crypto wallets, then exfiltrates the data to a hardcoded command-and-control server. Researchers warn users not to run unverified shell commands and to verify safety before executing them.

South Korea Fines LVMH Brands $25M Over Data Breach

🔒 South Korea's Personal Information Protection Commission fined Louis Vuitton, Christian Dior Couture, and Tiffany a combined $25 million after cloud-based customer management systems were compromised, exposing data for more than 5.5 million customers. Investigators found an employee device infected with malware at Louis Vuitton and successful phishing and voice-phishing attacks at Dior and Tiffany that granted attackers access to the SaaS platform. Regulators cited failures to enforce IP-based access controls, deploy strong authentication, restrict bulk downloads, and monitor access logs, and penalized late breach notification. The PIPC emphasized that using a SaaS provider does not relieve companies of responsibility for protecting client data.

Google Links Suspected Russian Actor to CANFAIL Attacks

⚠️ Google Threat Intelligence Group (GTIG) attributes a previously undocumented actor, likely linked to Russian intelligence, to campaigns using CANFAIL against Ukrainian defense, military, government, and energy organizations. The actor has expanded interest to aerospace, defense-adjacent manufacturing, nuclear and chemical research, and humanitarian groups, often impersonating Ukrainian and Romanian energy firms in phishing. Operators used LLMs to produce reconnaissance and social-engineering lures, embedding Google Drive links to RAR archives that deliver obfuscated JavaScript which spawns PowerShell memory-only droppers. GTIG links this activity to the PhantomCaptcha campaign disclosed by SentinelOne SentinelLABS in October 2025.

Google Ties State-Linked Actors to Defense Sector Attacks

🔎 Google Threat Intelligence Group (GTIG) warns that state-sponsored actors from China, Iran, Russia, and North Korea are conducting sustained cyber operations against the defense industrial base (DIB). GTIG highlights four themes: targeting battlefield technologies like drones, exploiting hiring and personnel processes, leveraging edge devices for initial access, and capitalizing on manufacturing supply chain breaches. Observed tactics include bespoke malware families, abuse of secure messaging linking, careful endpoint-evasion techniques, and use of relay networks to complicate detection and attribution.

UAT-9921 Deploys VoidLink Malware Targeting Tech and Finance

🔍 Cisco Talos reports that threat actor UAT-9921 has deployed the modular VoidLink framework in campaigns targeting technology and financial organizations. The post-compromise toolkit—built in Zig, C, and Go—supports compile-on-demand plugins, stealthy persistence, and runtime evasion. Operators install SOCKS proxies and use open-source scanners for internal reconnaissance and lateral movement; evidence also suggests the framework includes a Windows implant and role-based access controls for its operators.

Fake AI Chrome Extensions Steal Credentials and Spy

🛡️ Over 260,000 Google Chrome users downloaded fake AI assistant extensions that delivered malicious functionality capable of harvesting credentials, monitoring Gmail and granting remote access to attackers. Researchers at LayerX identified more than 30 malicious extensions—collectively labeled AiFrame—many of which mimicked ChatGPT, Claude, Grok and Gemini and were even featured in the Chrome Web Store, increasing exposure. The campaign used "extension spraying" and a full‑screen iframe that loads remote content to evade detection and exfiltrate data; although many extensions have been removed, affected users remain at risk.

Malicious Chrome Extensions Exfiltrate Business Data

🔒 Researchers uncovered multiple malicious Chrome extensions that exfiltrate sensitive data from business and social media accounts, including a Meta‑focused add‑on named CL Suite that steals TOTP seeds, one‑time codes and Business Manager exports. Other campaigns detailed include a large‑scale VK Styles hijack of VKontakte accounts and the AiFrame cluster of AI‑themed add‑ons that siphon emails and page content. A Q Continuum study also found hundreds of extensions leaking browsing history to data brokers. Experts recommend strict extension controls, frequent audits, and allowlisting to reduce risk.

Hackers Abuse Monitoring and RMM Tools to Deploy Ransomware

🛡️ Huntress researchers report a threat actor abusing employee-monitoring software and an RMM platform to gain persistent access, tamper with defenses, and pursue ransomware and cryptocurrency theft. The attackers combined Net Monitor for Employees Professional and SimpleHelp, leveraging Net Monitor’s reverse connections and masquerading plus SimpleHelp’s lightweight agent and common-port operation. Incidents included an attempted Crazy ransomware deployment and targeted searches for crypto-related data; shared infrastructure and tradecraft suggest a single actor.

Romania's Conpet Confirms Data Theft After Qilin Attack

🔒 Conpet S.A., Romania's national oil pipeline operator, confirmed that the Qilin ransomware gang exfiltrated company data following a breach of its corporate IT environment. The company said operational systems remained unaffected and it is cooperating with the Romanian National Cyber Security Directorate (DNSC) as investigators assess the incident. Qilin claims nearly 1 TB of documents and published a proof sample of 16 images containing internal financial records and passport scans; some files are marked confidential and dated as recently as November 2025. Conpet warned that compromised data may be used for fraud and advised potentially impacted individuals to verify any urgent contact using official channels.

Abandoned Outlook Add-in Hijacked to Phish 4,000 Users

⚠️ Koi Security found that an abandoned Outlook add-in, AgreeTo, was hijacked to run phishing kits that captured roughly 4,000 Microsoft account credentials. The attacker claimed an orphaned Vercel subdomain referenced in the add-in’s XML manifest and replaced live content with a fake sign-in page while retaining mailbox permissions. Microsoft had validated and signed the original manifest but does not re-review hosted content fetched at runtime. Users should remove AgreeTo and reset affected passwords immediately.

Shannon AI, VoidLink Threats, and Weekly Talos Brief

🔐 Shannon — a fully autonomous AI penetration testing tool from Keygraph — has raised warnings because it requires access to source code, repository layout, and AI API keys, creating substantial exposure risks. Organizations should evaluate scoping, data retention, and whether findings will be used to improve secure development practices or treated as a quick fix. Vendor responses vary, illustrated by recent detection-focused updates from Anthropic, underscoring the need for careful risk assessment before adopting agentic pentesting tools.

Odido Data Breach Exposes Personal Data of 6.2M Customers

🔐 Odido confirmed a cyberattack that compromised its customer contact system and potentially exposed personal information for about 6.2 million customers. The company said attackers were able to download customer records but that passwords, call logs, location data, invoice details, and scans of identification documents were not accessed. Odido detected the incident on the weekend of February 7, blocked unauthorized access, reported the incident to the Dutch Data Protection Authority, and is notifying affected customers while working with external cybersecurity experts to strengthen controls and increase monitoring.

Lazarus Group plants malicious packages in npm and PyPI

🔴 ReversingLabs attributes a coordinated supply-chain campaign, codenamed graphalgo, to the North Korea–linked Lazarus Group, active since May 2025. Attackers set up a fake recruiting front (Veltrix Capital), staged GitHub coding assessments in Python and JavaScript, and published dozens of malicious dependencies to npm and PyPI to infect candidates. One npm package, bigmathutils, accrued over 10,000 downloads before a malicious update; the payload delivers a token-based RAT that performs reconnaissance and file operations. Researchers also disclosed separate npm threats — duer-js (Bada Stealer) and the extortionist XPACK ATTACK — and urge auditing dependencies and verifying package provenance.