
All news in category “Incidents and Data Breaches”

2724 articles · page 56 of 137

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.

Chrome Extensions Inject Affiliate Tags, Steal Tokens

⚠️ Researchers discovered a coordinated network of malicious Google Chrome extensions that inject attacker affiliate tags into e-commerce links, scrape product data, and exfiltrate OpenAI ChatGPT authentication tokens. A cluster of 29 add-ons (including Amazon Ads Blocker) targeted Amazon, AliExpress, Best Buy, Shein, Shopify and Walmart. Separate groups intercepted ChatGPT tokens or abused permissions to harvest cookies and clipboard data. Experts warn these behaviors violate Chrome Web Store policies and urge caution when installing extensions requesting broad permissions or combining unrelated features.

Hugging Face Hosting Abused to Distribute Android RAT

🛡️ Bitdefender Labs reports a large-scale Android malware campaign that leveraged Hugging Face's public hosting to deliver a remote access trojan (RAT). The operation begins with a scareware dropper disguised as a security app, TrustBastion, which tricks users via fake infection alerts into downloading a second-stage APK from a Hugging Face dataset. Attackers automated payload generation with thousands of unique APKs and frequent commits to evade signature-based detection. The installed RAT requests high-risk permissions — Accessibility Services, screen recording, casting, and overlay rights — enabling credential harvesting, screen capture, persistent control, and exfiltration; Bitdefender notified Hugging Face and the malicious datasets were removed, though variants resurfaced elsewhere.

China-Linked UAT-8099 Targeting IIS Servers in Asia

🔍 Cisco Talos has uncovered a late-2025 to early-2026 campaign by a China-linked actor tracked as UAT-8099 targeting vulnerable IIS servers across Asia, notably Thailand and Vietnam. The actor uses web shells, PowerShell, and red-team utilities to deploy GotoHTTP and maintain persistence via hidden accounts. Infections deliver the BadIIS SEO-fraud malware family, hijacking crawlers and injecting malicious redirects to manipulate search rankings.

AI-assisted 'RedKitten' Malware Targets Iranian Protesters

🚨 French cybersecurity firm HarfangLab uncovered a January 2026 campaign dubbed RedKitten that leverages emotionally charged, forged forensic files to deliver a .NET implant called SloppyMIO. The attack begins with a password-protected 7z archive containing malicious Excel spreadsheets that prompt users to enable macros and drop a C# payload. SloppyMIO hijacks a legitimate Windows binary to run stealthily, establishes persistence via scheduled tasks, fetches modules from GitHub and Google Drive, and uses Telegram as its command-and-control channel. Researchers noted multiple traces of LLM-assisted development and assessed the campaign as aligned with Iranian government security interests.

DynoWiper analysis and Sandworm attribution update

🛡️ ESET researchers describe DynoWiper, a newly identified data-wiping malware used against an energy company in Poland. The report details a three-phase wiper that overwrites files using a single 16-byte random buffer, executes destructive passes with variant-specific behavior, and forces a reboot to complete destruction. ESET attributes the operation to Sandworm with medium confidence and highlights that ESET PROTECT blocked execution and significantly limited impact. The analysis also notes overlaps with the previously observed ZOV wiper.

Ex-Google Engineer Convicted for Stealing AI Trade Secrets

🛡️ Linwei Ding, a former Google engineer, was convicted by a federal jury on multiple counts of economic espionage and theft of trade secrets after allegedly taking more than 2,000 confidential documents tied to Google's AI infrastructure and chip designs. Prosecutors say the material included details on Google's TPU and GPU architectures, Cluster Management System software, and custom SmartNICs used in AI supercomputers. Authorities allege the theft occurred between May 2022 and April 2023 and that Ding copied files to personal accounts and founded a China-based startup while still employed by Google. He faces significant federal prison terms if sentenced.

ShinyHunters Launch Vishing Campaign Targeting 100s

📞 Notorious extortion group ShinyHunters released tens of gigabytes of files it claims were stolen from dating services including Hinge, Match, OkCupid and Bumble. Researchers link the disclosures to a broader campaign that combines automated phishing kits with voice-based social engineering to capture credentials and MFA tokens in real time. Security firm Silent Push detected a 'Live Phishing Panel' and infrastructure consistent with SLSH activity targeting more than 100 high-value organizations. Organizations are advised to verify IT support calls through official out-of-band channels and audit OSS logs for suspicious device enrollments and new-IP logins.

Hugging Face abused to host thousands of Android malware samples

🚨 Researchers at Bitdefender found an Android campaign using the Hugging Face platform to host and serve thousands of malicious APK variants. A scareware dropper called TrustBastion lures victims with fake Google Play update prompts, redirects to a Hugging Face dataset, and downloads the payload via the platform's CDN. The RAT aggressively abuses Android Accessibility Services to present overlays, capture screens, impersonate login UIs for services such as Alipay and WeChat, block uninstall, and exfiltrate credentials; Hugging Face removed the malicious datasets after notification.

Google Disrupts IPIDEA Residential Proxy Network at Scale

🔒 Google Threat Intelligence Group, working with industry partners, disrupted the IPIDEA residential proxy network by taking down domains, infected-device management systems, and proxy-traffic routing infrastructure. The operation targeted SDKs embedded in at least 600 trojanized Android apps and over 3,000 malicious Windows binaries, which collectively enrolled about 6.7 million devices worldwide. GTIG reported that more than 550 distinct threat groups abused IPIDEA for account takeovers, credential theft, botnet control, and DDoS support; users should avoid untrusted VPNs and apps that pay for bandwidth.

Match Group Breach Exposes Data from Multiple Dating Apps

🔒 Match Group confirmed a security incident after the ShinyHunters group leaked 1.7 GB of compressed files allegedly containing about 10 million records from Hinge, Match, and OkCupid, along with internal documents. The company says it terminated unauthorized access, is working with external experts, and believes a limited amount of user data was exposed with no indication that login credentials, financial information, or private communications were accessed. Match Group is notifying affected individuals as appropriate and continuing its investigation.

Marquis Links Ransomware Breach to SonicWall Cloud Backup

🔒 Marquis Software Solutions says a ransomware attack in August 2025 that disrupted systems serving dozens of U.S. banks and credit unions was enabled by a breach at SonicWall's cloud backup service. Rather than exploiting an unpatched firewall, attackers used configuration data taken from backup files accessed after unauthorized access to the MySonicWall portal, according to Marquis and a third-party investigation. Marquis is evaluating options including seeking recoupment of response costs for itself and affected customers. SonicWall has acknowledged the MySonicWall breach and said a Mandiant probe linked the incident to state-sponsored actors.

France Travail Fined €5m After 2024 Breach Exposed 43M

🔒 France Travail has been fined €5 million by the CNIL after a March 2024 cyber-attack that potentially exposed personal data for an estimated 43 million jobseekers. The regulator found failures including weak authentication for Cap Emploi advisors, insufficient logging and monitoring, and overly broad access permissions, breaching Article 32 of the GDPR. France Travail must provide evidence of corrective measures on a strict timeline or face a €5,000 daily fine.

Aisuru Botnet Launches Record 31.4 Tbps DDoS Attack

🔴 Cloudflare says the Aisuru/Kimwolf botnet launched a record DDoS campaign on December 19 that peaked at 31.4 Tbps and about 200 million requests per second. The attacks, dubbed The Night Before Christmas, targeted telecommunications and IT providers and hit Cloudflare’s dashboard and infrastructure. Sources were identified as compromised Android TVs rather than typical IoT routers, and most bursts lasted one to two minutes. Cloudflare reports the attacks were detected and mitigated automatically without triggering internal alerts.

Interlock Ransomware: New Techniques, Same Old Tricks

🔒 Fortinet's FortiGuard Incident Response describes a protracted Interlock intrusion that targeted education organizations, linking MintLoader initial access to NodeSnakeRAT and Interlock RAT implants. The report highlights a novel process-killer, Hotta Killer, that abuses a signed but vulnerable gaming anti-cheat driver (CVE-2025-61155) in a BYOVD technique to terminate security processes. Operators exfiltrated about 250 GB using AZCopy before deploying JavaScript and ELF ransomware across Windows and Nutanix hosts. FortiGuard recommends blocking unnecessary remote-access tools, restricting PowerShell egress, and monitoring anomalous driver installations.

France fines employment agency €5 million over breach

📢 France Travail was fined €5 million by CNIL after a 2024 breach exposed personal data for up to 43 million job seekers. CNIL said attackers used social engineering to hijack CAP EMPLOI advisers' accounts, exposing names, birth dates, national insurance numbers, addresses, emails and phone numbers. The watchdog ordered documented corrective measures and warned of €5,000 daily penalties if the agency fails to comply.

FBI Seizes RAMP Ransomware Forum, Disrupting Market

🚨 The FBI has seized the dark‑web forum RAMP, replacing its clear‑ and dark‑web sites with law‑enforcement seizure banners and redirecting domains to ns1.fbi.seized.gov and ns2.fbi.seized.gov. The banner, attributed to the FBI, DOJ and the US Attorney’s Office for the Southern District of Florida, mocked the forum’s “ransomware allowed” stance. Forum administrator “Stallman” confirmed the takedown and said he will not rebuild. Analysts say the action disrupts low‑tier actors, may yield valuable intelligence and will have limited impact on top‑tier groups.

UAT-8099 Targets IIS in Asia with Region-Specific BadIIS

🔍 Cisco Talos has identified a UAT-8099 campaign active from August 2025 through early 2026 that targets vulnerable IIS servers across Asia, concentrating on victims in Thailand and Vietnam. The actor uses web shells, PowerShell, and the GotoHTTP remote-control tool to maintain access and deploy region-customized BadIIS variants that hardcode country codes and inject SEO-fraud content. New persistence mechanisms, hidden accounts, and log-wiping utilities support long-term stealth and evasion.

Google Disrupts IPIDEA Residential Proxy Network Operations

🚨 Google said it disrupted IPIDEA, a large residential proxy service, seizing dozens of domains and rendering the IPIDEA site inaccessible after legal action. The company said the network advertised more than 6.1 million daily updated IPs and 69,000 daily new addresses and had been leveraged by over 550 distinct threat groups for cybercrime, espionage, and APT activity. Google reported about 7,400 Tier Two servers, flagged thousands of trojanized Windows binaries and roughly 600 Android apps tied to the service, and updated Google Play Protect to warn or remove apps containing IPIDEA code.

YouTuber wins landmark ruling after Pegasus phone hack

📱 In episode 452 Graham Cluley and guest Joe Tidy discuss a London-based YouTuber who has won a landmark UK ruling after his phone was compromised by Pegasus spyware, illustrating how a single malicious SMS can enable continuous, covert surveillance. They also investigate dark-web services, including a reported portal offering hitmen, and cover headlines such as Microsoft Patch Tuesday problems, alleged Russian wiper activity against Poland’s grid, and US charges tied to ATM malware.