
All news in category “Incidents and Data Breaches”

2724 articles · page 50 of 137

Spoofed PDF Deliveries Enable New AsyncRAT Campaign

📄 Malwarebytes warned of a phishing campaign that disguises malware as ordinary PDF files to increase the likelihood that employees will open them. Attackers host a virtual hard disk on IPFS that mounts locally and contains a Windows Script File (WSF) masquerading as a PDF; opening it executes AsyncRAT and grants remote access. Organizations should configure Windows to show file extensions and treat gateway-hosted files with caution.

VoidLink: Modular Linux Implant Framework Rising Activity

🛡️ Cisco Talos describes VoidLink as a modular implant management framework focused on Linux, providing advanced persistence, evasion, and plugin-based extensibility. The framework implements RBAC, mesh P2P communications, compile-on-demand plugins, and kernel-level components to hide implants and C2 infrastructure. Talos attributes VoidLink use to an actor tracked as UAT-9921, notes rapid AI-assisted development, and highlights cloud-aware scanning and broad targeting.

New Linux botnet SSHStalker uses IRC for C2 comms campaign

🛡️ A newly documented Linux botnet named SSHStalker uses the legacy IRC protocol for command-and-control while relying on noisy SSH scanning and brute forcing for initial access. Researchers at Flare say it deploys a Go binary masquerading as nmap, compiles C-based IRC bots on hosts, and persists via cron jobs that run every 60 seconds. The kit favors scale and reliability over stealth, reuses a back-catalog of decade-plus-old CVEs for privilege escalation, and includes AWS key harvesting, cryptomining, and dormant DDoS code.

Muddled Libra Rogue VM Playbook and Operational Tactics

🔐 Unit 42 recovered a rogue VM created by Muddled Libra (aka Scattered Spider, UNC3944) during a September 2025 incident, revealing an operational playbook of reconnaissance, credential theft, lateral movement and data access. The actors abused legitimate tools and stolen certificates, persisted via an SSH tunnel (Chisel), and copied NTDS.dit and SYSTEM hives. Unit 42 recommends strengthening identity controls and adopting Advanced WildFire and Cortex defenses.

North Korean Hackers Use macOS Malware to Target Crypto

🔒 North Korean-linked UNC1069 ran tailored campaigns using AI-generated deepfake video and a ClickFix-style pretext to deliver macOS and Windows malware against cryptocurrency targets. During a Mandiant response to a fintech compromise, attackers used a compromised Telegram account and a spoofed Calendly/Zoom meeting to coerce the victim into executing troubleshooting commands that launched AppleScript and malicious Mach-O binaries. Mandiant identified seven distinct macOS families—WAVESHAPER, HYPERCALL, HIDDENCALL, SILENCELIFT, DEEPBREATH, SUGARLOADER, and CHROMEPUSH—deployed to steal credentials, browser and Telegram data, and to enable future social-engineering operations.

Malicious 7-Zip Clone Distributes Installer with Proxyware

🔒 A fake 7-Zip website (7zip[.]com) distributes a trojanized installer that installs the legitimate archiver along with proxyware that enrolls infected hosts as residential proxy nodes. The installer drops Uphero.exe, hero.exe and hero.dll, creates a SYSTEM service and modifies firewall rules. Malwarebytes found C2 domains using Cloudflare, TLS and DoH, and recommends obtaining software from official sites instead of following links from videos or search ads.

DPRK Operatives Use Real LinkedIn Identities to Apply

🔍 DPRK-linked IT operatives are escalating a long-running fraud by applying to remote positions using genuine LinkedIn profiles they impersonate, often including verified workplace emails and identity badges. Security Alliance and other researchers warn this helps attackers bypass basic vetting and gain administrative access to sensitive codebases. Parallel social engineering

Conduent Breach Exposes Volvo Group North America Data

🔓 Volvo Group North America disclosed an indirect data breach after IT systems at Conduent, a major business services provider, were compromised between October 21, 2024 and January 13, 2025. Nearly 17,000 customers and staff had personal details exposed, including full names, Social Security Numbers, dates of birth, insurance IDs and medical information. Conduent is notifying affected parties and offering at least a year of identity, credit and dark web monitoring plus identity restoration; notification recipients are also advised to consider fraud alerts or a security freeze. The incident adds to other third-party supplier breaches that have recently affected Volvo entities.

Phorpiex Phishing Campaign Deploys Global Group Ransomware

📎 Forcepoint observed a high-volume phishing campaign using the subject "Your Document" that delivers weaponised Windows shortcut (.lnk) attachments to initiate a multi-stage Phorpiex infection. The .lnk files exploit hidden extensions and copied Windows icons to turn a single click into silent execution: the shortcut launches cmd.exe, which invokes PowerShell to download and run a second-stage binary saved as windrv.exe. The retrieved payload is linked to the long-running Phorpiex MaaS botnet and, in these incidents, deployed Global Group ransomware that encrypts files and alters the desktop without contacting a C2 server.

Reynolds Ransomware Bundles BYOVD Driver to Evade EDR

🔒 Researchers have identified a Reynolds ransomware campaign that embeds a vulnerable NsecSoft NSecKrnl driver as a built-in BYOVD component to terminate EDR and antivirus processes from vendors such as CrowdStrike, Symantec, Palo Alto, Sophos and Avast. Unlike typical attacks that deploy BYOVD separately, Reynolds bundles the signed but flawed driver inside the ransomware payload to quietly disable defenses. The intrusion also involved a suspicious side-loaded loader before deployment and a subsequent GotoHTTP remote access tool, suggesting persistence and further post-compromise activity.

Cyberattack on European Commission Targets MDM System

🔒 The European Commission disclosed a late-January cyberattack that targeted its mobile device management (MDM) platform. Attackers may have accessed names and phone numbers of some staff, though the Commission says there is no evidence that mobile devices themselves were compromised; the incident was contained and the system cleaned within nine hours. Investigators say the breach could be linked to actively exploited vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), with public exploit code and high-severity CVEs reported.

ZeroDayRAT Mobile Spyware Targets Android and iOS Users

📱 ZeroDayRAT is a newly documented cross-platform mobile spyware operation targeting Android and iOS, according to iVerify. The toolkit grants persistent access to messages, precise GPS history, notifications, camera, microphone and keystroke capture, and exposes a dedicated web dashboard for rapid device profiling. Infections are commonly initiated via smishing, counterfeit app stores, phishing emails and links shared through messaging apps.

ZeroDayRAT Spyware Offers Full Remote Control of Devices

🔐 ZeroDayRAT is a commercial mobile spyware being sold on Telegram that grants attackers comprehensive remote control over Android (5–16) and iOS (up to 26) devices. The toolkit provides a management panel displaying device metadata and supports data theft, live audio/video capture, location tracking, SMS interception for OTPs, keylogging, and modules targeting cryptocurrency wallets and banking apps. iVerify warns it can enable enterprise breaches if employee devices are compromised and advises installing apps only from official stores and enabling protections such as Lockdown Mode on iOS and Advanced Protection on Android.

Singapore Disrupts Chinese APT Targeting Telco Networks

🔒 Singapore’s Cyber Security Agency disclosed that Operation Cyber Guardian disrupted attacks by Chinese-linked APT UNC3886 targeting the nation’s four major telcos between summer 2025 and early 2026. The response involved over 100 cyber defenders across six agencies and identified use of a zero-day and rootkits to maintain persistent access. CSA reported no evidence of service disruption or sensitive personal data exfiltration and implemented remediation and enhanced monitoring. Telcos have been urged to continue strengthening systems and vigilance against re-entry attempts.

Poland Energy Sector Cyber Incident Exposes OT Gaps

⚠️ A cyber actor compromised OT and ICS in Poland's energy sector in December 2025, affecting renewable plants, a combined heat and power facility, and a manufacturing company. Attackers gained access via vulnerable internet-facing edge devices, deployed wiper malware, destroyed HMI data, corrupted firmware, and damaged RTUs, causing loss of view and control. Production continued at some sites, but operators could not monitor or control systems as designed. Stakeholders are urged to enable firmware verification, change default credentials, and replace end-of-support edge devices.

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X-Labs researchers have uncovered a Phorpiex-backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word-style icon to trick recipients. The .lnk uses built-in utilities (cmd.exe and PowerShell) and heavily obfuscated commands to fetch and run a second-stage payload, leveraging Living-off-the-Land techniques so the ransomware executes locally without external C2 communication.

Warlock Ransomware Exploits Unpatched SmarterMail Instance

🔒 SmarterTools confirmed a network breach by the Warlock (aka Storm-2603) ransomware group after attackers exploited an unpatched SmarterMail instance on January 29, 2026. A single, unpatched VM allowed lateral movement to about a dozen Windows servers across the office network and a secondary QC data center, with hosted SmarterTrack customers most affected. Operators staged tools including Velociraptor and deployed a locker after gaining Active Directory control. SmarterTools urges immediate upgrade to Build 9526 and isolation of mail servers to limit further ransomware deployment.

European Governments Hit by Ivanti EPMM Zero-Day Breach

🔒 Several European government bodies reported breaches tied to a coordinated exploitation of Ivanti EPMM zero-day vulnerabilities disclosed on 29 January. Affected organizations include the European Commission, Finnish central agencies and at least two Dutch bodies, with as many as 50,000 Finnish staff details potentially exposed. Compromised data appears limited to names, work emails, phone numbers and device metadata; no device-level data has been confirmed. Authorities contained the incidents quickly, but security teams warn of elevated follow-on risks such as spearphishing, credential misuse and malicious configuration changes, and advise reassessing administrative credentials, keys and certificates.

Dutch Agencies Confirm Ivanti EPMM Zero-Day Breaches

🔒 Dutch authorities confirmed the Dutch Data Protection Authority (AP) and the Council for the Judiciary reported system intrusions tied to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Investigators say unauthorized actors accessed work-related data such as names, business email addresses, phone numbers and device details. The European Commission and Finland's Valtori also reported traces or breaches, with Valtori estimating up to 50,000 government employees affected.

Fugitive in $73M ‘Pig Butchering’ Crypto Scam Sentenced

🏛️ A dual Chinese and St. Kitts and Nevis national, Daren Li, was sentenced in absentia to 20 years in U.S. federal prison for his role in an international cryptocurrency investment fraud commonly called pig butchering or romance baiting. Li pleaded guilty to conspiracy to launder proceeds after his 2024 arrest and later fled in 2025 by cutting off his ankle monitor. The sentence includes three years of supervised release and reflects losses exceeding $73 million.