CISO Brief

All news in category “Incidents and Data Breaches”

2724 articles · page 58 of 137

Pakistan-linked Cyber Campaigns Target Indian Government

🛡️ Zscaler ThreatLabz identified two Pakistan-linked campaigns, codenamed Gopher Strike and Sheet Attack, that targeted Indian government entities in September 2025. Gopher Strike relied on tailored phishing PDFs that display a fake update prompt and selectively deliver an ISO payload only to requests originating from India with Windows User-Agents. Sheet Attack abused legitimate services such as Google Sheets, Firebase, and email for command-and-control. The intrusions deploy Golang tools — GOGITTER, GITSHELLPAD, and GOSHELL — to maintain persistence, execute commands, and stage a Cobalt Strike Beacon.

US Charges 31 More Suspects in ATM Malware Jackpotting

🔐 A Nebraska federal grand jury indicted 31 additional defendants accused of participating in an ATM jackpotting operation that used Ploutus malware to steal millions from U.S. ATMs. Authorities say many suspects are Venezuelan or Colombian nationals tied to the gang Tren de Aragua, an organization recently designated by OFAC as a Foreign Terrorist Organization. Investigators allege attackers opened ATM housings, swapped or connected drives to load malware, deleted evidence, and forced machines to dispense cash; the stolen proceeds were split and laundered. The Justice Department has charged 87 TdA members in related cases over the past six months.

PeckBirdy JScript C2 Framework Linked to China APTs

🔍 PeckBirdy is a previously undocumented, JScript-based command-and-control framework active since 2023 that researchers have linked to China-aligned APT activity across Asia. Trend Micro observed the framework used in multiple roles — watering-hole controller, reverse shell and C2 server — deployed via living-off-the-land binaries and browser-based social engineering. Modular implants such as HOLODONUT and MKDOOR extend capabilities with in-memory execution and attempts to evade Microsoft Defender, complicating detection and response.

Active Exploitation of Critical WinRAR CVE-2025-8088

⚠️ The Google Threat Intelligence Group (GTIG) has observed widespread exploitation of WinRAR via the critical path traversal vulnerability CVE-2025-8088, which attackers use to drop payloads into the Windows Startup folder by abusing Alternate Data Streams (ADS). Adversaries—from government-backed Russian and Chinese groups to financially motivated operators—craft RAR archives that conceal decoy documents and hidden ADS entries to achieve persistence. Defenders should prioritize installing the WinRAR patch, enabling Safe Browsing protections, and hunting for ADS extraction activity and newly created Startup-folder LNK/HTA/BAT artifacts.

Have I Been Pwned: SoundCloud breach affects 29.8M

🔒 SoundCloud confirmed unauthorized activity in December 2025 after users reported 403 errors and the company said it had activated incident response procedures; it indicated no passwords or financial data were accessed. Have I Been Pwned later disclosed the incident impacted 29.8 million accounts, exposing email addresses, names, usernames, avatars, follower/following counts and, in some cases, country. Sources and updates attribute the intrusion to the ShinyHunters extortion group, which attempted to extort SoundCloud and used email flooding to harass users, employees, and partners.

World Leaks Claims 188k Nike Files in Major Breach

🔒 Nike has entered incident response after the World Leaks ransomware group posted a claimed 188,000+ files from the company to its leak site, with the countdown expiring last Sunday and the full dump now live. The firm said it is investigating a potential cybersecurity incident and actively assessing the situation. Leaked folders reviewed by reporters include development, tech packs and evaluations, and schematics, indicating design and supply-chain materials may be exposed.

PeckBirdy: JScript C2 Framework Used by China-Linked APTs

🛡️ Trend Micro researchers uncovered PeckBirdy, a JScript-based command-and-control framework used by China-aligned APTs since 2023 to target gambling sites, government portals, and private organizations across Asia. The flexible framework executes via living-off-the-land binaries (LOLBins) and supports browsers, MSHTA, WScript, Classic ASP, Node.js, and .NET execution paths. Operators relied on watering‑hole injections and fake Google Chrome update pages to deliver staged scripts and deploy modular backdoors such as HOLODONUT and MKDOOR. Detection is complicated by dynamically generated, runtime-injected JavaScript and scarce persistent artifacts.

ClickFix attacks abuse Windows App-V to deliver Amatera

🔒 A recent campaign blends the ClickFix social-engineering method with a fake CAPTCHA and a signed Microsoft App-V script to deliver the Amatera infostealer. Attackers use the trusted SyncAppvPublishingServer.vbs executed via wscript.exe to proxy PowerShell and evade detection, then fetch configuration from a public Google Calendar. Later stages hide encrypted PowerShell payloads in PNGs via LSB steganography and execute Amatera in memory. Researchers recommend removing unused App-V components, restricting the Run dialog, enabling PowerShell logging, and monitoring outbound connection anomalies.

Russian Sandworm Group Accused Over Poland Power Attack

⚠️ ESET attributes a Dec. 29–30 cyberattack on Poland's electricity grid to Sandworm, a hacking group tied to Russia's GRU. The operation deployed Dynowiper, destructive malware that erases data and left systems at risk of prolonged outage, nearly knocking power out for hundreds of thousands of households. ESET links the incident to a longer campaign of disruptive attacks on Ukrainian energy infrastructure since 2014. Observers say the event highlights growing threats to industrial control systems and the need for stronger defenses and incident response.

eScan update breach distributes multi-stage malware

🛡️ Morphisec Threat Labs has identified a critical supply-chain compromise of MicroWorld Technologies’ eScan antivirus discovered on 20 January 2026, in which malicious updates were delivered via the vendor's legitimate update infrastructure. The trojanized 32-bit executable, allegedly signed with a compromised certificate, deployed a downloader and a 64-bit backdoor, established persistence and implemented anti-remediation controls to block further updates. Morphisec reported blocking the activity on protected systems and urged immediate investigative and remediation actions for affected organizations.

Cloudflare IPv6 route leak from router misconfiguration

⚠️ Cloudflare disclosed that a policy misconfiguration on a router caused a 25-minute Border Gateway Protocol (BGP) route leak for IPv6 traffic on January 22, producing congestion, packet loss, and roughly 12 Gbps of dropped traffic. The change removed specific prefix filters and made export rules overly permissive, redistributing internal IPv6 routes externally from Miami. Engineers detected and manually reverted the change, paused automation, and restored normal operations within 25 minutes. Cloudflare says it will add stricter export safeguards, CI/CD policy checks, improved detection, and promote RPKI ASPA adoption.

Tax Phishing Targets Indian Users to Deliver Blackmoon

🧾 Cybersecurity researchers uncovered a phishing campaign impersonating India's Income Tax Department that delivers a multi-stage backdoor to targeted users. The attackers distribute a ZIP containing an executable that sideloads a malicious DLL, performs anti-analysis checks, and fetches further payloads, ultimately deploying a Blackmoon variant alongside a repurposed SyncFuture TSM RMM tool. The operation employs UAC bypass, process masquerading, antivirus exclusion manipulation, and numerous helper scripts to establish persistent, covert access for long-term monitoring and data exfiltration.

Investigation Ties Badbox 2.0 Control to Chinese Firms

🔍 New analysis links the operators of the Badbox 2.0 Android TV botnet to named individuals and companies in China, following a screenshot allegedly obtained by the Kimwolf botmasters that shows authorized accounts. Open-source pivots on qq.com email addresses connect several accounts to developers and domains previously tied to Badbox activity. Google and the FBI are pursuing the operators while researchers warn that Kimwolf’s unauthorized access could let it push malware directly onto millions of infected streaming devices.

Malicious VS Code AI Extensions Exfiltrate Developer Data

⚠️ Koi Security researchers uncovered two malicious Microsoft Visual Studio Code extensions marketed as AI coding assistants that also exfiltrate developer files to China-based servers. The extensions — ChatGPT - 中文版 (whensunset.chatgpt-china, 1,340,869 installs) and ChatGPT - ChatMoss(CodeMoss) (zhukunpeng.chat-moss, 151,751 installs) — function normally while encoding every opened file and edit in Base64 and sending them to aihao123[.]cn. The campaign, dubbed MaliciousCorgi, includes remote-triggered bulk exfiltration and a hidden zero-pixel iframe that loads Chinese analytics SDKs to fingerprint users. Remove suspicious extensions, audit workspaces, and follow supply-chain hardening guidance.

Microsoft Handed BitLocker Keys to US Law Enforcement

🔐 Microsoft complied with a US search warrant in early 2025 and provided BitLocker recovery keys stored on its servers to investigators probing alleged COVID unemployment fraud in Guam. Because many Windows installations back up recovery keys by default to Microsoft cloud services, those keys were retrievable when legally compelled. Experts stress this is a custody and governance issue rather than a cryptographic failure of BitLocker, and recommend restricting default cloud backups, enforcing strict admin controls, and redirecting keys to on‑premises or enterprise key vaults where possible.

Law Firm Probes Coupang Security Failures After Breach

🔍 US law firm Hagens Berman is investigating alleged security failures at Coupang after a June 2025 breach that may have exposed the personal data of 33.7 million customers. The firm says it is probing why it took nearly six months to detect a former employee’s access and alleges inadequate access protocols. Investors are being urged to join a class action by the February 17 lead-plaintiff deadline. South Korean regulators and police have also opened inquiries, and Coupang has faced executive changes and an order to remove a liability disclaimer from its terms.

Wiper Attack on Polish Power Grid Attributed to Sandworm

🔒 ESET has attributed a late-December 2025 wiper attack on Polish energy infrastructure to the Russia-aligned Sandworm APT and identified the malware as DynoWiper. Analysts reported strong overlaps with prior Sandworm wiper activity and assigned a medium-confidence attribution. Polish officials said critical systems were not disrupted and that two CHP plants and a renewable facility were targeted. The government is accelerating a National Cybersecurity System Act to strengthen IT/OT protections.

Konni Uses AI-Generated PowerShell Backdoor on Devs

⚠️ Konni, a North Korea–linked threat actor, has deployed an AI-assisted PowerShell backdoor against blockchain developers in Japan, Australia, and India. The campaign uses spear-phishing ZIP archives hosted on WordPress and Discord CDN that drop LNK files which launch an AutoIt loader and extract a modular PowerShell implant. Check Point observed AI-style code structure and comments in the backdoor while attackers leverage UAC bypass, Defender exclusions, scheduled tasks, and a C2 encryption gate to maintain stealth and persistence.

Sandworm Tied to Failed DynoWiper Attack on Poland Grid

⚠️ Security researchers attribute a late-December 2025 cyberattack on Poland’s energy systems to the Russian state-sponsored group Sandworm, which attempted to deploy a destructive wiper named DynoWiper. ESET reports detection as Win32/KillFiles.NMO and published a SHA-1 indicator. Polish officials said two combined heat-and-power plants and a renewable power management system were targeted. Technical details and a public sample remain scarce.

Konni Targets Blockchain Engineers with AI-Powered Malware

🔒 The North Korean-linked Konni group is deploying AI-generated PowerShell malware to specifically target developers and engineers in the blockchain sector. The campaign uses Discord-hosted ZIP lures that contain a PDF, a malicious LNK shortcut, and an embedded DOCX/CAB payload which drops a backdoor, batch files, and a UAC bypass executable. The backdoor is heavily obfuscated, runs an XOR-encrypted script in-memory via an hourly scheduled task masquerading as OneDrive, and bears markers of LLM-assisted development such as structured documentation and placeholder comments like "# <- your permanent project UUID".