
All news in category “Incidents and Data Breaches”

2724 articles · page 52 of 137

Phishing campaign hides AsyncRAT in fake disk-mounted PDFs

🛡️ A recent phishing campaign delivers malicious virtual hard disks that masquerade as PDF invoices and purchase orders, enabling attackers to install AsyncRAT. The files are hosted on IPFS and mount as local drives on Windows, which can bypass some built-in protections; inside each disk is a Windows Script File disguised as the expected PDF. Malwarebytes Labs, citing Securonix, identified the Dead#Vax campaign and recommends showing file extensions and exercising caution with disk images.

China-linked DKnife AitM Framework Targets Routers

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.

Man Pleads Guilty to Hacking Nearly 600 Snapchat Accounts

🔒 Kyle Svara, 26, pleaded guilty in federal court to phishing access codes and hacking nearly 600 Snapchat accounts to steal nude photos that he kept, sold, or traded. Between May 2020 and February 2021 he used social engineering to harvest credentials from roughly 570 victims and accessed at least 59 accounts to download private images. Svara advertised hacking services online, communicated via Kik, and accepted paid jobs, including work for former Northeastern coach Steve Waithe. He now faces multiple federal charges and is scheduled for sentencing on May 18.

TGR-STA-1030: Asian State-Linked Group Breaches 70 Targets

🔒 Palo Alto Networks Unit 42 reports that an Asia-origin, state-backed actor tracked as TGR-STA-1030 breached at least 70 government and critical-infrastructure organizations across 37 countries and scanned infrastructure tied to 155 countries in late 2025. Active since January 2024, the group used MEGA-hosted phishing ZIPs to deliver a guarded loader, Diaoyu Loader, which requires a zero-byte pic1.png and checks for select AV processes before pulling images from GitHub to stage a Cobalt Strike payload. It also exploited N-day flaws and deployed web shells, tunnelers and an eBPF Linux rootkit, ShadowGuard, maintaining prolonged access for intelligence collection.

Flickr warns of possible data breach exposing emails and usernames

⚠️ Flickr says a vulnerability in a third‑party email service may have exposed member names, email addresses, IP addresses, general location data, Flickr usernames, account types and records of platform activity. The company says it shut off access to the affected system within hours on February 5, 2026, and that passwords and payment card data were not compromised. Flickr urged affected users to review account settings, remain vigilant for phishing, and change reused passwords while it investigates and strengthens monitoring of third‑party providers.

Compromised dYdX npm and PyPI packages deliver malware

⚠️ Cybersecurity researchers disclosed a supply chain attack that replaced legitimate dYdX packages on npm and PyPI with malicious releases designed to steal wallet credentials and enable remote code execution. The malicious code ran during normal use, exfiltrating seed phrases and device data and calling back to a command-and-control endpoint. dYdX and researchers advise isolating affected hosts, moving funds from clean systems and rotating credentials.

AI-assisted breach rapidly compromises AWS environment

⚠️ Researchers at Sysdig uncovered an attack that fully compromised an AWS environment in under eight minutes by exploiting a cloud misconfiguration and using LLMs to accelerate reconnaissance and exploitation. Attackers reused credentials found in public S3 buckets, modified a Lambda function to escalate privileges, moved laterally across numerous principals, and disabled model-call logging in Amazon Bedrock. Security experts warn that AI-enabled automation compresses attack timelines and reduces defenders' reaction windows.

Asian APT Compromises 70 Government and Infrastructure

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, operates on a GMT+8 schedule, and shows indicators consistent with nation-state activity.

Spain's Ministry of Science Shuts Systems After Breach

🔒 Spain's Ministry of Science partially shut down several IT systems after reporting a "technical incident" that suspended citizen- and company-facing services. A threat actor using the alias GordonFreeman claims to have exploited an IDOR vulnerability to obtain full-admin credentials and posted samples of personal records, email addresses, enrollment applications and screenshots of official paperwork. The forum post has been taken offline and the leaked data has not been independently verified. The ministry said it will extend affected deadlines while assessing the incident.

Substack Breach Exposes Users' Emails, Phone Numbers

🔐 Substack disclosed that a third party exploited an unspecified weakness in its systems in October, exposing user email addresses, phone numbers and other internal metadata. The company identified the issue on February 3, said it has fixed the vulnerability, and is conducting a full investigation. Substack maintains the breach did not include passwords, credit card numbers, or financial data, but has not disclosed the full scope or publicly posted a detailed incident report.

Ransomware Actors Abuse ISPsystem VMs for Payload Delivery

🛡️ Ransomware groups are abusing virtual machines provisioned by ISPsystem to host and deliver malware at scale. Sophos researchers found identical Windows VM hostnames and system identifiers reused from default VMmanager templates, enabling operators such as LockBit, Qilin, Conti, BlackCat/ALPHV and others to hide malicious infrastructure among legitimate hosts. The tactic complicates attribution and slows takedown efforts, and Sophos tied most malicious VMs to a small cluster of poorly reputed hosting providers.

Incognito Market Admin Sentenced to 30 Years, $105M

⚖️ A Taiwanese operator, Rui-Siang Lin (alias Pharaoh), ran the Incognito Market from October 2020 to March 2024, facilitating more than $105 million in illicit drug sales through a Tor-accessible marketplace that hosted over 1,800 vendors and served over 400,000 customers. Despite using an in-site crypto payment system called Incognito Bank, Lin made a critical OPSEC error by registering the domain with his real name, phone number and address. After a fentanyl-laced pill sold on the site was linked to a fatal 2022 overdose and Lin abruptly shut the market while stealing user deposits and attempting extortion, he was arrested at JFK in May 2024, pleaded guilty, and has been sentenced to 30 years in federal prison with forfeiture of roughly $105 million.

ClickFix 'CrashFix' Variant Deploys ModeloRAT via Python

🛡️ Microsoft Defender identified a ClickFix evolution dubbed CrashFix that intentionally crashes victims' browsers and lures users into executing malicious commands. The campaign uses a trojanized Chrome extension impersonating uBlock Origin Lite, delays malicious activity, and reports installation UUIDs to a typosquatted domain to evade attribution. Operators abuse native utilities by copying and renaming finger.exe to ct.exe to retrieve obfuscated PowerShell, which drops a portable WinPython package and a Python RAT (ModeloRAT) that establishes persistence and C2 beacons.

AISURU/Kimwolf Botnet Launches Record 31.4 Tbps DDoS

🚨 Cloudflare attributed a record hyper‑volumetric HTTP DDoS to the AISURU/Kimwolf botnet that peaked at 31.4 Tbps and lasted 35 seconds in November 2025. The group was also linked to a campaign codenamed The Night Before Christmas, which began on December 19, 2025, and produced averages near 3 Bpps, 4 Tbps and 54 Mrps. Google and Cloudflare disrupted the IPIDEA residential proxy network used to recruit more than 2 million Android devices.

La Sapienza University Offline Following Ransomware Attack

🔒 Rome’s La Sapienza University has taken its IT systems offline after a cyberattack that prompted an immediate shutdown of network systems to protect data integrity. The university, Europe’s largest in‑campus institution with over 112,500 students, said authorities were notified and a technical task force is working on restoration. The campus website remains offline and temporary on‑site infopoints are in place while recovery continues. Italian reporting links the incident to Rorschach (Femwar02) ransomware; backups are reported intact.

Conpet Hit by Qilin Ransomware, Corporate IT Affected

🔒 Conpet, Romania's national oil pipeline operator, disclosed a cyberattack that disrupted its corporate IT systems and temporarily took down its public website. The company said operational technologies, including SCADA and telecommunications systems, were not affected and crude oil transport continued normally. The Qilin ransomware group claimed responsibility and alleged nearly 1 TB of data exfiltration, posting sample documents as proof. Conpet is investigating the incident with national cybersecurity authorities and has filed a criminal complaint with DIICOT.

Substack Notifies Users of Data Breach Affecting Contacts

🔒 Substack informed users that an unauthorized third party accessed limited account data in October 2025, including email addresses, phone numbers, and other internal metadata. CEO Chris Best said the company discovered the issue on February 3 and has fixed the vulnerability, stressing that passwords, credit card numbers, and financial information were not accessed. A dataset of 697,313 alleged records was posted to BreachForums, and Substack warned of potential phishing attempts.

Attackers Use Decade-Old Windows Driver to Disable EDR

🛡️ Huntress reported attackers used a decade-old, signed EnCase kernel driver during an early 2026 intrusion to disable EDRs via a Bring Your Own Vulnerable Driver (BYOVD) technique. The incident began after compromised SonicWall SSL VPN credentials and involved a custom “EDR killer” that decoded and installed a kernel driver (OemHwUpd.sys) to terminate protected processes from kernel mode. Because the driver was timestamped while its certificate was valid, Windows still accepts its signature, allowing attackers to load the driver and repeatedly kill security tooling. Huntress recommends enabling Microsoft’s Vulnerable Driver Blocklist, enforcing MFA on VPNs, and enabling HVCI.

SaaS Abuse at Scale: Phone-Based Scam Campaign Exposed

🔍 Attackers abused legitimate SaaS platforms to generate and distribute authentic-looking, phone-based scam lures by misusing native platform functionality. Rather than compromising services or spoofing domains, the campaign leveraged the trust and authentication posture of vendors to send approximately 133,260 phishing emails, impacting 20,049 organizations. This approach increased delivery success and made detection far more difficult for defenders.

Notepad++ Update Infrastructure Compromised by Backdoor

🛡️ Hackers linked to the Chinese government trojanized the Notepad++ update supply chain to deliver a backdoor to selected users. The vendor reports the hosting provider's infrastructure remained compromised until September 2, and attackers retained credentials through December 2, enabling continued redirection of chosen update traffic to malicious servers. The threat actor explicitly targeted insufficient update verification controls in older releases and attempted to re-exploit a flaw after it was fixed. Users are advised to run at least version 8.9.1 and verify update integrity.