CISO Brief

All news in category “Incidents and Data Breaches”

2724 articles · page 53 of 137

WinRAR Windows Flaw Rapidly Exploited in Espionage

🔒 Check Point researchers say attackers rapidly weaponized CVE-2025-8088, a path traversal flaw in the Microsoft Windows version of WinRAR, to deliver crafted archives that execute arbitrary code and maintain persistence. The campaign used the open-source Havoc Framework and targeted government and law-enforcement organisations in Southeast Asia. Check Point attributes the activity to a group dubbed Amaranth-Dragon, whose tools and tactics resemble APT41. Organisations are advised to prioritise patching and monitor for suspicious archive files.

Ransomware Claims Target Bremen-Based Buhlmann Group

🔐 The Akira ransomware group claims it breached Bremen-based steel trader Buhlmann Group and exfiltrated roughly 55 gigabytes of sensitive data, according to a darknet post. Buhlmann has not issued an official corporate statement; a company spokeswoman told local outlet buten un binnen that a U.S. subsidiary's IT system was compromised. The company says its German and EU operations are not affected.

Betterment Data Breach Exposes 1.4 Million Accounts

🔒 Betterment disclosed a January incident in which threat actors accessed systems and stole contact and personal data from an estimated 1,435,174 accounts, including names, email addresses and location details. The attackers also sent fraudulent emails promoting a cryptocurrency reward scam; Betterment says clicking the message did not compromise accounts. A forensic review with CrowdStrike found no evidence of customer account, password, or login credential theft, and the company reports the unauthorized access has been removed.

DKnife: China-nexus Gateway AitM Framework Revealed

🔍 Cisco Talos disclosed DKnife, a modular Linux-based gateway monitoring and adversary-in-the-middle (AitM) framework that inspects, manipulates, and redirects network traffic on edge devices and routers. It comprises seven ELF components that hijack DNS, Android app updates, and Windows binary downloads to deliver ShadowPad, DarkNimbus, and other backdoors while harvesting credentials and disrupting security-product traffic. Artifacts and Simplified Chinese strings strongly indicate China-nexus operators; Talos observed active C2 infrastructure as of January 2026.

Shadow Campaigns: Global State-Aligned Cyber Espionage

🔎 Unit 42 details a newly tracked, state-aligned cyberespionage group labeled TGR-STA-1030 that has targeted government and critical infrastructure across 37 countries. The report documents coordinated phishing using a Diaoyu loader, exploitation of known N-day vulnerabilities, and a transition from Cobalt Strike to Go-based C2 frameworks. It also describes a bespoke Linux eBPF rootkit, ShadowGuard, and provides actionable IoCs (IPs, domains, hashes) to support defenders.

Infy Hackers Resume Operations with New C2 Infrastructure

🔍 SafeBreach reported that the Iranian-linked threat group Infy resumed operations on January 26, 2026, deploying new command-and-control (C2) servers and replacing infrastructure for its Foudre and Tonnerre tool families. The actor introduced Tornado v51, which supports both HTTP and Telegram-based C2 and uses a hybrid domain-generation approach combining a new DGA and blockchain-derived fixed names. Researchers observed signs the group exploited a disclosed WinRAR extraction flaw to deliver a self-extracting archive that drops a Tornado DLL and an installer that checks for Avast before establishing persistence. SafeBreach also recovered Telegram artifacts, a ZZ Stealer chain, and a malicious PyPI package used for targeted deployments.

Zendesk Spam Wave Returns, Flooding Users with Emails

📧 A fresh global spam wave is again exploiting unsecured Zendesk support portals to send automated 'Activate account' and other confirmation emails to large numbers of recipients. Messages appear to originate from legitimate company Zendesk instances and arrive in rapid bursts, sometimes hundreds per inbox, bypassing conventional filters. The activity mirrors a January campaign and suggests exposed ticket forms remain vulnerable.

Italy Repels Russian Cyber Attacks Ahead of Olympics

🛡️ Italy says it repelled multiple cyberattacks of Russian origin days before the Winter Olympic Games in Milan and Cortina d'Ampezzo. Targets included sites connected to the Games and several hotels in Cortina; facilities of the Foreign Ministry were also affected. Foreign Minister Antonio Tajani thanked security teams and said authorities coordinated defenses with event organizers.

Attackers Abuse React2Shell to Hijack NGINX Traffic

🔒 Datadog Security Labs disclosed an active web-traffic hijacking campaign that leverages the critical React2Shell vulnerability (CVE-2025-55182, CVSS 10.0) to inject malicious nginx configurations. Attackers use multi-stage shell scripts to create proxy_pass rules that route requests to attacker-controlled backends, focusing on Asian and government/education TLDs and Baota management panels. GreyNoise telemetry links the activity to two dominant IPs and over 1,000 unique sources.

Attackers Modify NGINX Configurations to Redirect Traffic

🔁 Researchers at Datadog Security Labs uncovered a campaign in which threat actors compromise NGINX servers and Baota-managed hosting panels to inject malicious 'location' blocks into configuration files, rerouting user requests through attacker-controlled backends. The attackers preserve headers like Host, X-Real-IP, User-Agent, and Referer to blend traffic with legitimate requests. The injection toolkit runs in five scripted stages and exfiltrates a map of hijacked domains to a C2 at 158.94.210[.]227.

Threat Actors Hijack Web Traffic via React2Shell Exploit

⚠️ Researchers at Datadog Security Labs report that threat actors are exploiting the React2Shell vulnerability to compromise servers running NGINX managed via Baota Panel and to hijack web traffic. Attackers deploy multi-stage scripts that discover targets, establish persistence, and generate malicious configuration files to redirect users or deliver malware. The campaign targets primarily Asian domains and Chinese hosting infrastructure, and unpatched React server components remain at high risk.

DEAD#VAX Campaign Deploys Encrypted AsyncRAT In-Memory

🔒 A newly disclosed campaign dubbed DEAD#VAX leverages IPFS-hosted VHD lures and extreme script obfuscation to mount a virtual drive disguised as a PDF and load an encrypted AsyncRAT payload entirely in memory. Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee describe a multi-stage chain using WSF, obscured batch scripts, and self-parsing PowerShell to decrypt and inject x64 shellcode into trusted, Microsoft-signed processes. The attack avoids writing a recognizable executable to disk, establishes persistence via scheduled tasks, and throttles activity to reduce detection and forensic footprint.

New Technical Markers Expose Expanded ShadowSyndicate

🔍 Group-IB researchers have linked dozens of servers to the ShadowSyndicate cybercrime cluster through reused OpenSSH fingerprints and recurring access keys, exposing a larger, consistently managed malicious infrastructure. The cluster, first documented in 2023, continues to deploy and transfer servers between internal clusters while retaining overlapping keys that enable attribution. Analysts identified at least 20 command-and-control nodes supporting commercial red-team frameworks and open-source post-exploitation tools and observed ties to multiple ransomware affiliates. Group-IB recommends ingesting indicators of compromise, monitoring repeated MFA failures and unusual login activity, and tracking activity in frequently used autonomous systems.

EDR Killer Abuses EnCase Signed Kernel Driver Widespread

🔒 A custom EDR killer discovered by Huntress abused a long-revoked EnCase kernel driver to gain kernel-level access and repeatedly terminate security processes. The 64-bit tool leverages EnPortv.sys, registers as a fake OEM service for reboot persistence, and uses a kernel IOCTL kill loop to disable 59 EDR/AV processes every second. Huntress links the activity to ransomware and recommends MFA, HVCI/Memory Integrity, WDAC, and monitoring for OEM-masquerading kernel services.

China-linked Amaranth-Dragon targets Southeast Asia in 2025

🔍 Check Point Research identified a China-linked cluster named Amaranth-Dragon that conducted narrowly focused cyber espionage across Southeast Asia throughout 2025, primarily targeting government and law enforcement entities. Attacks exploited CVE-2025-8088 in WinRAR and used DLL side-loading to deploy an Amaranth Loader and the Havoc C2, while variants like TGAmaranth RAT leveraged a hard-coded Telegram bot. The operators limited exposure by geo-restricting Cloudflare-protected C2s and exhibited tooling and operational overlaps with the APT41 ecosystem.

Amaranth Dragon exploits WinRAR flaw in espionage campaign

🔐 A new espionage actor dubbed Amaranth Dragon, linked to APT41, has exploited the CVE-2025-8088 vulnerability in WinRAR to target government and law enforcement organizations across Southeast Asia. Attackers abused Windows Alternate Data Streams and delivered ZIP archives with .LNK and .BAT stagers to drop a loader, then used DLL sideloading of a digitally signed executable for persistence via the Startup folder and Registry Run keys. The custom Amaranth Loader retrieves AES-encrypted payloads from Cloudflare-hosted C2 servers geofenced to accept traffic only from targeted regions, frequently delivering the Havoc post-exploitation framework or a new TGAmaranth RAT that uses a Telegram bot for command-and-control. Check Point published IoCs and YARA rules; organizations are advised to update WinRAR to 7.13 or later (7.20 available).

Operation Neusploit: APT28 Exploits Office RTF Bug

🛡️ Security researchers at Zscaler ThreatLabz observed Operation Neusploit in January 2026, days after Microsoft patched CVE-2026-21509. The campaign used weaponized RTF attachments to trigger a critical Microsoft Office vulnerability and fetch dropper DLLs that branched into two distinct infection paths. One path deployed MiniDoor to harvest Outlook email and weaken registry protections, while the other used PixyNetLoader to install a Covenant Grunt implant for persistent .NET-based C2. Zscaler urged immediate patching and published IoCs and analysis to aid detection.

Amaranth-Dragon Espionage Campaigns Target ASEAN 2025

🔍 Check Point Research disclosed highly targeted cyber espionage campaigns across ASEAN in 2025 attributed to Amaranth-Dragon, a newly identified actor tied to the APT41 ecosystem. The group rapidly weaponized newly disclosed vulnerabilities, notably a critical WinRAR flaw, and used realistic lures linked to political and security events. Operators favored country-restricted infrastructure, reputable cloud services, and stealthy tooling to quietly collect intelligence from government and law enforcement targets.

Taiwanese Sentenced 30 Years for Dark Web Drug Market

⚖️ A U.S. federal judge sentenced 24-year-old Rui‑Siang Lin to 30 years in prison for operating Incognito Market, a darknet narcotics marketplace that sold more than $105 million in illegal drugs worldwide. Lin pleaded guilty to money laundering, narcotics distribution conspiracy, and selling misbranded medication after his May 2024 arrest. The market hosted over 1,800 vendors and 400,000 customer accounts, processing more than 640,000 transactions and using a cryptocurrency payment platform called Incognito Bank. Judge Colleen McMahon described the operation as the most serious drug crime she had encountered in her career.

Cyberattack Halts Production at Romina Mineralbrunnen

⚠️ Romina Mineralbrunnen, producer of Eiszeitquell and Silberbrunnen, is facing a cyberattack that has brought production at its Reutlingen-Rommelsbach bottling sites to a standstill. The company reports that phones and email are currently unreachable, and local reporting indicates production has stopped. Reutlingen police have opened an investigation, but the method of attack and whether data was exfiltrated remain unknown. Operations and deliveries are impacted while the company assesses the situation.