
All news in category “Incidents and Data Breaches”

2724 articles · page 49 of 137

Fake AI Chrome extensions steal credentials, emails

⚠️ Researchers at LayerX uncovered a campaign of 30 malicious Chrome extensions, installed by more than 300,000 users, that masquerade as AI assistants while exfiltrating credentials, email content, and browsing data. The add-ons render remote content in full-screen iframes from a single domain (tapnetic.pro), letting operators change behavior without store updates. Fifteen extensions specifically inject into Gmail, reading visible thread text (including drafts) and sending it off-device, and several implement voice transcription via the Web Speech API. Users should review LayerX indicators of compromise and reset passwords if they suspect exposure.

World Leaks Adds Stealthy RustyRocket Malware to Arsenal

🔐 Accenture has uncovered a novel malware named RustyRocket deployed by the World Leaks extortion group to maintain stealthy persistence and proxy exfiltration across Windows and Linux environments. Written in Rust, the tool uses multi-layer encrypted tunnels, heavy obfuscation and a pre-encrypted runtime configuration guardrail that makes activity difficult to detect and monitor. Accenture advises monitoring anomalous outbound transfers and enforcing network segmentation to limit lateral movement.

Phishing Campaign Uses Old Office Flaw to Deploy XWorm

🔒 Fortinet researchers disclosed a phishing campaign that chains a legacy Microsoft Office vulnerability (CVE-2018-0802) with fileless execution to deliver the commercially available XWorm RAT. The attack begins with business-themed lures and a malicious Excel add-in, then pivots into HTA and PowerShell stages to keep most activity off disk. A memory-resident .NET stage is hollowed into msbuild.exe, and XWorm communicates with AES-encrypted C2 while supporting modular plugins that enable credential theft, data exfiltration, and other operator actions.

Ransomware leak sites escalate pressure on victims

🔒 Data leak sites (DLSs) have become the backbone of modern ransomware's double‑extortion strategy, combining data theft with public blackmail to force payment. Attackers publish carefully curated samples, use timers and deadlines, and exploit urgency to magnify reputational, regulatory, and financial harm. Law enforcement agencies and security teams warn that DLS content fuels follow‑on crimes like phishing and identity fraud. Organizations are urged to adopt EDR/XDR, Zero Trust, patched systems, resilient air‑gapped backups, and targeted user training.

Polish Hacker Charged Over 2018 Morele.net Breach Case

🔒 Poland's Central Cybercrime Bureau charged a 29-year-old man over the 2018 Morele.net breach that exposed about 2.5 million customers' personal details. Investigators say they reconstructed the attack vector, traced digital breadcrumbs and obtained an admission of responsibility. The incident leaked names, emails, phone numbers, home addresses and md5crypt-hashed passwords, and around 35,000 records contained highly sensitive personal data. Fraudsters quickly weaponised the published database, using SMS and phishing to steal banking credentials.

OpenClaw Risks and Enterprise Exposure: What CISOs Must Know

⚠️ OpenClaw is a rapidly adopted local agent orchestration tool (formerly Clawdbot/Moltbot) that integrates with chat apps, operating systems, smart-home devices, browsers and productivity platforms and can be configured to use any LLM backend. Its GitHub repo and the Moltbook social layer saw millions of visits and hundreds of thousands of agents and downloads in recent weeks. Security researchers warn the tool is insecure-by-default: exposed instances, authentication bypasses, plaintext credentials and malicious third-party skills create serious enterprise risk. Organizations are advised to block traffic, rotate credentials and restrict experimentation to isolated, managed environments.

SSHStalker botnet brute-forces thousands of Linux hosts

🔐 Researchers at Flare Systems uncovered a botnet, dubbed SSHStalker, that brute-forces weak SSH passwords and had compromised an estimated 7,000 Linux servers by the end of January, with roughly half located in the United States. The toolkit combines fileless malware, rootkits, log cleaners and a library of kernel exploits — some dating to 2009 — and can harvest AWS credentials. Flare characterizes it as a "scale-first" operation focused on persistence; observed capabilities include DDoS and cryptomining, though monetization has not yet been seen. Immediate mitigations include disabling SSH password authentication, switching to key-based or short-lived credentials, and restricting and rate-limiting SSH access.

Notepad++ Updater Compromise by Lotus Blossom Revealed

🔒 Unit 42 identified that between June and December 2025 the state-sponsored group Lotus Blossom hijacked the Notepad++ update infrastructure by compromising a shared hosting provider and intercepting WinGUp traffic. Attackers delivered malicious NSIS installers that launched either a Lua-script chain loading Cobalt Strike Beacon or a DLL sideload that deployed the Chrysalis backdoor. Notepad++ released patches, moved hosting, implemented XML signature verification, and Unit 42 published IOCs and hunting guidance for defenders.

Microsoft Store Outlook Add-in Hijacked to Steal Accounts

🔒 The AgreeTo Outlook add-in was hijacked and turned into a full phishing kit that stole more than 4,000 Microsoft account credentials, researchers at Koi Security report. The module, listed on the Microsoft Office Add-in Store since December 2022, relied on an abandoned Vercel-hosted URL that an attacker claimed and used to serve a fake Microsoft sign-in page inside Outlook’s sidebar. Credentials, credit card details and banking security answers were exfiltrated via a Telegram bot API before victims were redirected to the real login page. Microsoft removed the add-in after the disclosure; users should uninstall AgreeTo and reset affected passwords.

Crazy ransomware gang exploits employee monitoring

🛡️ Researchers at Huntress found the Crazy ransomware gang abusing legitimate employee-monitoring software alongside the SimpleHelp remote support tool to maintain persistence, evade detection, and prepare ransomware deployment. Attackers installed Net Monitor for Employees Professional via msiexec.exe to view desktops, transfer files, and execute commands, then added SimpleHelp for redundant access. Huntress warns organizations to enforce MFA and monitor for unauthorized remote-management tools.

Netherlands Police Arrest Seller of JokerOTP MFA Tool

🔒 The Netherlands Police arrested a 21-year-old man from Dordrecht accused of selling access to the JokerOTP phishing-as-a-service platform that captures one-time passwords to enable account takeover. Investigators say this is the third arrest after a three-year probe that dismantled the operation in April 2025 and previously identified a developer and a co-developer. The seller advertised license keys on Telegram, allowing subscribers to automate calls that tricked victims into revealing OTPs, PINs, and card data, leading to fraud and unauthorized transfers.

First Malicious Outlook Add-in Found in Supply-Chain Attack

🔍 Cybersecurity researchers at Koi Security disclosed the first known malicious Microsoft Outlook add-in, codenamed AgreeToSteal. The attacker claimed an abandoned add-in's domain and used the manifest URL (outlook-one.vercel[.]app) to serve a fake Microsoft sign-in page, harvesting more than 4,000 credentials and exfiltrating them via the Telegram Bot API. The affected add-in, AgreeTo, a calendar/availability tool last updated in December 2022, had requested ReadWriteItem permissions that could have allowed covert mailbox access. Koi recommends domain verification, re-review triggers, delisting stale add-ins, and visible install counts to reduce similar supply-chain abuse.

North Korean Hackers Use Deepfake Meetings to Target Crypto

🛡️ Mandiant attributes a targeted campaign to North Korean financially motivated group UNC1069, which combines social engineering, deepfake video and macOS malware to steal cryptocurrency and credentials. The attackers hijacked a cryptocurrency executive’s Telegram account to build trust, then sent a calendar invite to a faux Zoom meeting hosted on attacker infrastructure. During the call a purported deepfake of the executive appeared and a ClickFix ruse persuaded victims to run commands, enabling deployment of backdoors and information-stealers.

Kimwolf Botnet Overwhelms I2P Anonymity Network Services

🛡️ The massive Kimwolf IoT botnet has been disrupting the I2P anonymity network after thousands of infected devices attempted to join as nodes, overwhelming relays and degrading connectivity. Users reported a rapid influx of new routers and widespread connection failures starting around Feb. 3, and developers linked the outages to a Sybil-style flood. Kimwolf operators later admitted they tried to register roughly 700,000 bots on I2P, and the network is currently running at reduced capacity while a stability update is rolled out.

APTs APT36 and SideCopy Launch Cross-Platform RATs

🔐 Pakistan-aligned clusters APT36 and SideCopy are targeting Indian defense and government organizations to deploy cross-platform remote access trojans on Windows and Linux. Attack chains use phishing lures that deliver malicious LNK/HTA files, ELF binaries, and PowerPoint Add-In payloads to initiate multi-stage deployments. Observed malware — Geta RAT, Ares RAT, and DeskRAT — enables persistence, reconnaissance, data theft, and remote command execution while leveraging decoys and memory-resident techniques to evade detection.

North Korean actors use ClickFix and macOS backdoors

🔐 UNC1069-linked actors used a ClickFix-style social engineering chain to compromise a macOS user at a cryptocurrency/DeFi company. Attackers hijacked a Telegram account, staged a fake Zoom meeting (reportedly using AI-generated video), and instructed the victim to paste curl | zsh commands into Terminal. The resulting infection deployed a multi-stage macOS toolkit (WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, and CHROMEPUSH) enabling remote access and data theft. Mandiant provided IOCs and YARA rules to aid detection.

US Court Hands Crypto Scammer 20-Year Sentence in $73M Case

🔒 A California court has sentenced Daren Li, a 42-year-old dual China and St. Kitts and Nevis national, to 20 years in prison in absentia for his role in a global crypto-investment fraud that siphoned at least $73.6m from victims. Li admitted directing co-conspirators to open US bank accounts under sham companies to launder proceeds, with an estimated $59.8m routed through US shell entities. The operation used romance-baiting and tech-support ruses to coerce transfers and convert funds to cryptocurrency.

Exposed Training Apps Open Cloud Accounts to Abuse

🔓 Pentera Labs identified nearly 2,000 intentionally vulnerable training and demo applications exposed on public cloud infrastructure, many linked to active cloud identities and overly permissive roles. Tools such as OWASP Juice Shop and DVWA were frequently deployed with default settings and minimal isolation, allowing attackers to install crypto-miners, webshells, and persistence tooling. The findings warn that labeling environments as training does not remove their real-world risk when they are publicly accessible and integrated with privileged cloud accounts.

SSHStalker Botnet Uses IRC C2 to Control Linux Systems

🛡️ Flare researchers describe SSHStalker, an IRC-controlled botnet that automates mass compromise of Linux systems by combining SSH scanning with a back-catalog of legacy kernel exploits. The operation drops C-based bots, Perl IRC bots that connect to UnrealIRCd, rootkit components, log-cleaning utilities and a keep-alive to maintain persistence. A Golang scanner enumerates SSH hosts and the toolkit includes automated erasure of SSH connection logs; unlike typical botnets, many infections remain dormant after access is obtained, suggesting staging or long-term retention.

North Korea-Linked UNC1069 Uses AI Lures on Crypto

🛡️ UNC1069, a North Korea-linked threat actor, has used AI-generated video lures and compromised Telegram accounts to target cryptocurrency firms and personnel. According to Google Mandiant, attackers staged fake Zoom meetings via Calendly invites and delivered a ClickFix-style troubleshooting vector that dropped multiple payloads on Windows and macOS. The intrusion employed at least seven malware families — including WAVESHAPER, HYPERCALL, HIDDENCALL, DEEPBREATH, CHROMEPUSH and SILENCELIFT — to harvest credentials, browser data and session tokens to facilitate financial theft.