< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3000 articles · page 6 of 150

Operation Endgame disrupts Amadey and StealC malware

🔎 Microsoft, Europol, and international partners executed Operation Endgame to disrupt infrastructure used by the Amadey and StealC malware families. The coordinated takedown targeted servers, domains, and related resources, seizing cryptocurrency and recovering millions of stolen credentials. Private-sector partners including Microsoft, ESET, Proofpoint, and IBM X-Force supported law enforcement actions across several countries. The effort also targeted SocGholish loaders and follows prior phases that disrupted other malware families.
read more →

macOS Gaslight backdoor uses prompt injection tactics

🛡️ SentinelLabs uncovered a North Korea-linked macOS backdoor, tracked as macOS.Gaslight, that embeds 38 fabricated system messages to manipulate AI-assisted malware triage. The Rust implant carries an infostealer and interactive backdoor that exfiltrates browser data, terminal histories and the macOS login keychain, using Telegram Bot API with certificate pinning for command and control. Researchers noted novel tradecraft including runtime staging of a standalone Python interpreter and self-scrubbing of the Telegram bot token from logs. SentinelLabs warned analysts to treat sample contents as adversarial input and to isolate hostile content from LLM-based tools.
read more →

KDDI Breach Exposes Millions of Japanese Email Accounts

📧 KDDI has confirmed an unauthorized intrusion into an email system it provides to several Japanese ISPs, potentially exposing up to 14.22 million email addresses and passwords. The incident, detected on June 17, affected customers across multiple providers, including JCOM, Nifty, Biglobe and others. KDDI said the attacker likely exploited a vulnerability in third-party software and has implemented technical countermeasures. The company is collaborating with affected ISPs and authorities and has urged users to change their passwords.
read more →

Iran-linked MuddyWater Poses as Chaos Ransomware

🔍 Analysis by NCC Group reveals Iran-linked MuddyWater impersonated the Chaos ransomware group to mask espionage operations. The report, published June 24, details how operators used extortion notes, negotiation channels and a leak site listing to simulate a financially motivated attack. Researchers warn that state-backed actors increasingly adopt cybercriminal tradecraft, complicating detection and response.
read more →

Stealthy Mistic backdoor tied to KongTuke broker

🛡️ Symantec and Zscaler have detected a new backdoor named Mistic (tracked as MTLBackdoor) used in financially motivated intrusions since April, linked to the initial access broker KongTuke/Woodgnat. The malware was observed in attacks against insurance, education, IT, and professional services organizations and was sometimes deployed after ModeloRAT via social-engineering on Microsoft Teams. Mistic is designed for long-term stealth, side-loading as version.dll from a legitimate executable and running payloads in memory while offering file management, remote command execution, configurable C2 check intervals, and a self-deletion kill switch.
read more →

DOJ Seizes Cloud Account Linked to HuiOne Group

📰 The U.S. Department of Justice announced the seizure of a cloud computing account used by subsidiaries of Cambodia-based HuiOne Group, as the Treasury sanctioned individuals and entities tied to Prince Group. The account hosted backend infrastructure for illicit marketplaces, including HuiOne Guarantee, which facilitated large-scale crypto fraud, money laundering services, and the sale of crimeware and exploitative tools. Authorities say these platforms enabled conversion of stolen cryptocurrency into the legitimate banking sector and supported human trafficking and violent control measures at scam compounds.
read more →

Meta pauses employee monitoring program after failures

🛑 Meta has frozen its Model Compatibility Initiative (MCI) after employees reportedly bypassed guardrails and accessed sensitive internal data, then did so again after an attempted fix. The program collected inputs like keystrokes, mouse movements, clicks, and screen content to train AI, and employees were initially not allowed to opt out. Meta says it found unauthorized access on June 18 and paused MCI while investigating, asserting no indication yet of improper access beyond what was reported. Analysts criticized inadequate protections and insufficient risk tagging for highly sensitive non-PII telemetry.
read more →

Tata Electronics Confirms Cyberattack, Data Leaked

🔒 Tata Electronics confirmed a cybersecurity incident that affected parts of its IT infrastructure but said operations continued normally and remained unaffected. The company said response protocols were deployed immediately after detection. The disclosure responds to claims by the World Leaks group, which posted directories and documents allegedly containing manufacturing data for Apple products. BleepingComputer has contacted Apple for comment about potential exposure of proprietary data.
read more →

Xsolis data breach compromises 1.4M patient records

🔒 Xsolis, a U.S. healthcare technology provider, detected a targeted phishing attack that led to unauthorized access to parts of its network in January 2026. The company says files containing sensitive customer information—such as names, addresses, dates of birth, insurance details, Social Security numbers, and medical treatment data—were accessed, affecting 1,396,519 individuals. Xsolis contained the breach, engaged external cybersecurity experts, reset user passwords, enhanced monitoring, accelerated employee security training, and is notifying impacted individuals with offered identity monitoring services.
read more →

PowerShell stealer targets Telegram sessions

🛡️ Researchers discovered a PowerShell script masquerading as a Windows telemetry update that steals Telegram for Windows session data. The script collects system info, closes Telegram to access the tdata folder, zips its contents, and sends the archive to an attacker-controlled bot before removing traces. The sample was found on Pastebin and appears to be a prototype, with no confirmed successful exfiltration yet. Users are advised to use robust endpoint security and enable Telegram Two‑Step Verification or passkeys.
read more →

Scattered Spider members plead guilty in TfL hack

🛡️ Two members of the Scattered Spider group, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to breaching Transport for London systems between August 31 and September 3, 2024. The intrusion disrupted Oyster refund services and forced 28,000 staff to reset passwords, contributing to an estimated £29 million in losses. Both suspects were arrested in 2025 after investigators recovered incriminating evidence and devices linking them to the attack and other intrusions.
read more →

Two Teens Linked to Scattered Spider Plead Guilty

🔒 Two British teenagers have pleaded guilty after hacking Transport for London (TfL) between 31 August and 3 September 2024, the National Crime Agency (NCA) reports. Members of the Scattered Spider collective, Thalha Jubair, 20, and Owen Flowers, 18, caused £29m in losses and disruption to TfL systems, including customer refunds and Oyster photocard services. Flowers was arrested early September 2024 with digital evidence linking him to TfL and US healthcare breaches; Jubair faces broader charges alleging dozens of intrusions and extortion schemes. Both admitted guilt at Woolwich Crown Court on 22 June and will be sentenced on 16 July.
read more →

JaredFromSubway MEV bot suffers $15M crypto theft

🔒 The JaredFromSubway Ethereum MEV bot lost $15 million after an attacker fed it fake pools and tokens to manipulate its opportunity detection and gain ERC-20 approvals. Blockaid detected the drain and JaredFromSubway confirmed the attacker deployed deceptive contracts that tricked the bot into issuing allowances to attacker-controlled helper contracts. The attacker used staged, benign-looking transactions to validate the bot’s routines, later exploiting open approvals via transferFrom to withdraw WETH, USDC, and USDT.
read more →

One intrusion, two attackers: uncovering parallel threats

🔍 Microsoft DART describes a complex multi-stage intrusion where two unrelated threat actors operated simultaneously, blending ransomware tactics with stealthy reconnaissance and persistence. Investigators observed exploitation attempts against on-premises SharePoint, use of legitimate tools like Velociraptor, cloud tunneling, credential misuse, and DLL sideloading to maintain access and evade detection. Coordinated telemetry correlation and threat intelligence enabled containment and targeted remediation guidance.
read more →

North Korean Supply Chain Attack Hits Mastra Packages

🔐 Microsoft attributed a large-scale npm supply chain attack on the open-source Mastra TypeScript project to North Korea’s Sapphire Sleet group. The threat actor abused a compromised npm maintainer account to publish poisoned packages that disabled TLS verification and contacted attacker C2 servers to deploy cross-platform malware. The payload sought cryptocurrency wallet extensions and performed system reconnaissance, posing a significant risk to developers and downstream users. Microsoft advised auditing dependencies, checking for the malicious easy-day-js package and pinning known-good package versions.
read more →

Canada’s Spy Agency Uses Court Warrant to Disrupt Botnets

🛡️ The Federal Court authorized the Canadian Security Intelligence Service to reach into infected servers, SOHO routers, and IoT devices on Canadian soil to neutralize two foreign-run botnets. The public ruling, released June 15, confirms CSIS used its threat reduction warrant powers for the first time to alter, degrade, and destroy botnet data while ensuring the operation targeted devices rather than people. The court found the threat imminent and proportional, but redactions leave the precise foreign actor(s) unidentified.
read more →

AryStinger malware converts legacy routers into relays

🔍 QiAnXin XLab has identified a new malware family named AryStinger that has infected at least 4,300 legacy home routers, turning them into a distributed reconnaissance and proxy network rather than a typical DDoS botnet. The campaign targets routers using Realtek RTL819X chips via old vulnerabilities (CVE-2013-3307, CVE-2016-5681) and favors D-Link DIR-850L units, with infections concentrated in South Korea and China. A second strain targeting QNAP NAS devices via CVE-2025-11837 was also observed; both builds support scanning, tunneling, and remote task execution. Defenders are advised to check for C2 connections, suspicious binaries and processes, retire unsupported devices, and disable remote administration.
read more →

Prinz Eugen ransomware targets recent files first

🛡️ Threatdown and Malwarebytes researchers detail a new hands-on-keyboard ransomware called Prinz Eugen that prioritizes recently modified files for encryption and leaves no ransom note on compromised systems. Initial access is likely via stolen RDP credentials, with attackers manually deploying a payload named servertool.exe and sometimes using legitimate RMM tools like RemotePC for persistence. The Go-based malware encrypts files recursively without exclusions, uses ChaCha20-Poly1305 and Argon2id-derived keys, and self-deletes while overwriting keys to hinder recovery and forensics.
read more →

Large-Scale Credential Attacks Targeting Edge Devices

🔐 Unit 42 observed a large-scale password spraying and credential theft campaign (dubbed “FortiBleed”) targeting Fortinet devices, with additional attempts seen against MSSQL and reports of Sophos targeting. The actors use curated password lists derived from prior breaches and vulnerabilities, then perform configuration extraction and offline cracking to escalate privileges and persist. Unit 42 urges auditing remote access logs, applying hardening guidance, requiring MFA, and keeping systems patched to mitigate risk.
read more →

Klue OAuth breach expands as Icarus claims attack

🔒 Klue confirmed an incident on June 12 in which attackers used a compromised legacy credential to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce. The company says customer content stored in Klue was not impacted and that the breach was limited to integrations; affected credentials and tokens were revoked and CrowdStrike engaged. Cybersecurity firms ReliaQuest and Huntress reported extensive Salesforce data exfiltration, and the Icarus extortion group has publicly claimed responsibility.
read more →