< ciso brief />

All news in category “Incidents and Data Breaches”

2723 articles · page 61 of 137

Multi-Stage Windows Malware Campaign Abusing Defendnot

🛡️ FortiGuard Labs details a multi-stage Windows malware campaign that begins with socially engineered archives and a deceptive LNK shortcut to launch a PowerShell loader. The chain uses an obfuscated VBScript to reconstruct final-stage logic in memory, then operationalizes Defendnot to disable Microsoft Defender from a signed process while applying persistent policy-based suppression. Attackers stage components across GitHub and Dropbox, deploy long-term surveillance and persistence, and deliver Amnesia RAT, Hakuna Matata–derived ransomware, and a WinLocker, resulting in widespread file encryption and credential theft.

LinkedIn Messages Used to Distribute RAT via DLL Sideload

📩 ReliaQuest researchers uncovered a LinkedIn-based phishing campaign that delivers weaponized WinRAR self-extracting archives to targets. The archive extracts four components: a legitimate open-source PDF reader, a malicious DLL used for DLL sideloading, a portable Python interpreter PE, and a decoy RAR. When the PDF reader is run, the rogue DLL is sideloaded, drops the Python interpreter, creates a Windows Run registry key, and executes Base64-encoded open-source shellcode in memory to deploy a remote access trojan. The campaign leverages social media DMs and legitimate tools to evade detection and maintain persistent access.

LinkedIn phishing uses legitimate tools to deploy RAT

🔒 Researchers at ReliaQuest uncovered a LinkedIn-based phishing campaign that delivers a Remote Access Trojan by abusing legitimate software. Attackers send role-tailored messages containing a WinRAR self-extracting archive that unpacks a legitimate open-source PDF reader alongside a malicious DLL that uses DLL sideloading. The campaign leverages a real penetration-testing tool to establish persistence, enabling data exfiltration and lateral movement.

Evelyn Stealer Targets VS Code Extensions, Harvests Data

⚠️ Trend Micro detailed a campaign using a new information stealer, Evelyn Stealer, that abuses the Visual Studio Code extension ecosystem to harvest developer secrets. Malicious extensions drop a downloader DLL (Lightshot.dll) which launches a staged executable (runtime.exe) and injects the stealer into a legitimate process (grpconv.exe) to run in memory. The malware collects credentials, cookies, crypto wallets, screenshots, Wi‑Fi data and system metadata, then exfiltrates compressed archives to an attacker-controlled FTP server.

Tudou Guarantee Telegram Operations Shut After Sanctions

🛑 Elliptic reports that Tudou Guarantee, a major marketplace in the Southeast Asia scam economy, is shutting down its Telegram groups after US and UK sanctions tied to the Prince Group. Launched in 2023, the platform is linked to roughly $12bn in crypto transactions and absorbed merchants migrating from Huione Guarantee. While gambling and other non-fraud arms appear to continue, Elliptic notes a sharp drop in central wallet activity after the January 2026 arrest of Prince Group chairman Chen Zhi, and warns displaced actors will likely disperse across other marketplaces.

Tudou Guarantee Marketplace Halts Public Transactions

🔍 Elliptic reports that Tudou Guarantee, a Telegram-based guarantee marketplace, has effectively ceased processing transactions through its public Telegram groups after rapid growth and is estimated to have handled over $12 billion, ranking it among the largest illicit marketplaces. Some operations, notably gambling services, remain active, so Elliptic says this may be a staged shutdown or a strategic pivot. The pause in public activity coincides with law enforcement moves tied to the arrest and extradition of Prince Group CEO Chen Zhi.

Fake NexShield Extension Crashes Browsers for ClickFix

🛑 A malvertising campaign deployed a fake ad-blocker extension named NexShield that intentionally crashes Chrome and Edge to stage ClickFix attacks. Researchers at Huntress found the extension creates infinite chrome.runtime port loops that exhaust memory, freezing or crashing browsers. After restart, a deceptive pop-up instructs users to run a clipboard-pasted command that launches an obfuscated PowerShell chain. On domain-joined systems this delivers the Python-based ModeloRAT; home users receive a test payload.

PDFSider Windows Backdoor Targeted Fortune 100 Firm

🔐 Researchers discovered a stealthy Windows backdoor named PDFSider during incident response at a Fortune 100 finance firm; the tool has been linked to Qilin ransomware operations and is now observed with multiple ransomware groups. Attackers used spearphishing with a ZIP containing a legitimately signed PDF24 Creator executable and a malicious cryptbase.dll to achieve DLL side-loading and bypass EDRs. The in-memory backdoor uses AES-256-GCM for encrypted C2, exfiltrates system data over DNS, launches commands via anonymous pipes to CMD, and employs anti-analysis checks to maintain long-term covert access.

UK: Ongoing Russian Hacktivist DDoS Attacks Target Services

🚨 The U.K.'s National Cyber Security Centre (NCSC) warns of sustained disruptive DDoS activity from pro‑Russian hacktivists, notably NoName057(16), which operates the crowdsourced DDoSia platform that mobilises volunteers and offers rewards. Despite arrests and server takedowns during Operation Eastwood, the group has re-emerged and continues to target critical infrastructure, local government and OT systems. The NCSC advises strengthening upstream ISP/CDN protections, designing for rapid scaling, rehearsing response plans for graceful degradation, and continuous testing to reduce downtime and recovery costs.

Hacker Pleads Guilty After Leaking Supreme Court Data

🔓 Nicholas Moore, 24, pleaded guilty to hacking the U.S. Supreme Court's restricted electronic filing system and breaching AmeriCorps and VA accounts. Prosecutors say Moore used stolen credentials to access the Court's system at least 25 times between August and October 2023, sometimes logging in multiple times per day, and posted screenshots and victims' data to an Instagram account, @ihackedthegovernment. He also accessed an AmeriCorps account seven times and a VA My HealtheVet account five times, viewing sensitive personal and health information. Moore admitted to one count of computer fraud.

NCSC Warns of Ongoing Russian-Aligned DDoS Pressure

⚠️ The UK National Cyber Security Centre (NCSC) has issued an alert about ongoing disruptive cyber activity by Russian-aligned hacktivist groups targeting UK organisations, with local government and critical national infrastructure singled out. The campaigns mainly use denial-of-service (DoS/DDoS) attacks to overwhelm websites and online systems, taking services offline. The advisory highlights groups such as NoName057(16), their coordination via Telegram and the hosting of tooling on GitHub, and urges organisations to review DoS protections, strengthen resilience and engage with NCSC threat collection.

Jordanian Pleads Guilty to Selling Network Access to Firms

🔒 Feras Khalil Ahmad Albashiti (known online as "r1z") pleaded guilty to selling access credentials to the networks of at least 50 companies. Extradited from Georgia in July 2024, he admitted selling access to an undercover law enforcement officer for cryptocurrency on May 19, 2023. He faces up to 10 years in prison and fines; sentencing is set for May 11, 2026.

Ingram Micro: Ransomware Breach Exposed 42,000 People

🛡️ Ingram Micro disclosed a ransomware incident detected on July 3, 2025, that resulted in the theft of files affecting more than 42,000 individuals. The company said stolen documents included employment and job applicant records with names, contact details, dates of birth and government-issued ID numbers, including Social Security numbers. The attack caused a significant outage that disrupted internal systems and prompted staff to work remotely. While Ingram Micro has not officially confirmed the actor, the SafePay group has claimed responsibility and posted files to its leak site.

Weekly Recap: Fortinet Exploits, RedLine & Emerging Threats

⚡ This week’s roundup highlights active exploitation of a critical Fortinet FortiSIEM vulnerability (CVE-2025-64155) that can lead to full appliance compromise, alongside new malware and supply-chain concerns. Researchers also disclosed a clipboard‑hijacking campaign distributed by RedLineCyber and a Reprompt attack that targeted Microsoft Copilot via P2P prompt injection. Other notable items include a cloud-native Linux framework called VoidLink, disruption of the RedVDS criminal service, and an AWS CodeBuild misconfiguration that raised supply‑chain risks. Defenders should prioritize patching high-severity CVEs, harden CI/CD configurations, and treat AI/chatbot integrations and exposed devices as part of the attack surface.

Malicious Google Chrome Extensions Hijack Workday and Netsuite

🔒 Security researchers at Socket have identified a set of malicious Google Chrome extensions that targeted major HR and ERP platforms including Workday, Netsuite and SAP SuccessFactors. The extensions, which masqueraded as productivity tools, stole authentication cookies and session tokens, uploading them to a command-and-control server and revisiting targets every 60 seconds. More than 2,300 users downloaded the extensions from the Chrome Web Store before they were removed. Socket recommends using Chrome Enterprise extension allowlists and monitoring for extensions with similar platform targeting and permission requests.

Malicious Chrome extensions hijack enterprise sessions

🔒 A cluster of five malicious Chrome extensions posed as productivity tools but exfiltrated session cookies to attacker-controlled infrastructure, enabling account takeover. Researchers from Socket.dev identified variants such as DataByCloud Access, Data By Cloud 1/2, Software Access and Tool Access 11 targeting HR and ERP platforms like Workday, NetSuite and SuccessFactors. Some extensions stole cookies as often as every 60 seconds and used cookie injection (e.g., chrome.cookies.set()) while others blocked admin security pages, hampering incident response.

Ukraine, Germany Seize Evidence in Black Basta Probe

🔎 Ukrainian and German law enforcement raided residences in Lviv and Ivano‑Frankivsk on 15 January, seizing digital storage devices and cryptocurrency assets linked to two suspected members of the Black Basta ransomware group. Investigators say the men acted as 'hash crackers,' extracting passwords to escalate access, steal data and deploy ransomware across corporate networks. The operation involved the Ukrainian National Police and Germany's BKA and formed part of a wider international probe coordinated by Europol. Authorities also identified alleged founder Oleg Evgenievich Nefedov, who has been placed on Europol’s EU Most Wanted and Interpol Red Notice lists.

German Authorities Seek Alleged Head of Black Basta Gang

🔎 German federal and Frankfurt internet-crime authorities have issued an arrest warrant for the alleged leader of the Black Basta ransomware group after searching residences in Ukraine and seizing evidence. The gang is accused of compromising networks, stealing sensitive data, encrypting systems and extorting payments from over 100 German victims between March 2022 and February 2025. Authorities say the group obtained more than €20 million in Germany and targeted companies, hospitals and public bodies.

CrashFix Chrome Extension Delivers ModeloRAT Payload

⚠️ Researchers disclosed an active campaign, tracked as KongTuke and codenamed CrashFix, that used a malicious Chrome extension posing as an ad blocker to deliberately crash browsers and coerce victims into running commands. The fake add-on, “NexShield – Advanced Web Guardian,” impersonated uBlock Origin Lite, garnered 5,000+ installs, and implements delayed execution, DoS crash loops, and anti-analysis controls. The lure prompts users to paste a pre-copied command into the Windows Run dialog that abuses finger.exe to fetch a PowerShell chain, ultimately delivering the previously undocumented ModeloRAT. Huntress warns the technique weaponizes user frustration to create a persistent, self-sustaining infection loop that can hand victims off to other threat actors.

Researchers Exploit XSS in StealC Panel to Gather Evidence

🔍 CyberArk researchers disclosed they exploited a cross-site scripting (XSS) vulnerability in the web panel of the StealC infostealer to retrieve active session cookies and operational metadata. Researcher Ari Novick used the weakness to link a StealC customer, dubbed YouTubeTA, to the theft of roughly 390,000 passwords and over 30 million cookies from victims seeking cracked Adobe software on YouTube. Analysis of hardware fingerprints, language settings, time zones and IP addresses indicated the operator used an Apple Pro with an M3 chip, supported English and Russian, operated in an Eastern European time zone and connected via Ukrainian ISP TRK Cable TV, underscoring how weaknesses in criminal tooling can expose both victims and customers to supply-chain risk.