
All news in category “Incidents and Data Breaches”


Flock Exposes AI-Enabled PTZ Cameras Tracking People

👁 Flock’s exposed livestreams show that its AI-enabled Condor pan-tilt-zoom (PTZ) cameras can automatically zoom in on and track people in public spaces. Reporters observed high-resolution footage capturing individuals on bike paths, in parking lots, at playgrounds, and at stoplights, with cameras following faces and recording close-up detail. These exposures underscore privacy and security risks from networked AI surveillance and inadequate access controls.

Cybercriminals Abuse Google Cloud to Send Phishing Emails

📧 Check Point disclosed a large-scale phishing campaign that abused Google Cloud Application Integration to send authentic-looking messages from noreply-application-integration@google[.]com, enabling attackers to bypass SPF and DMARC protections. The emails mimicked routine enterprise notifications to prompt clicks and redirected victims through Google Cloud storage to a fake CAPTCHA and a counterfeit Microsoft login page. Google has blocked the abuse and is implementing further mitigations.

ThreatsDay: GhostAd, macOS Supply-Chain, Proxy Botnets

🔍 The ThreatsDay bulletin opens 2026 with a cross-section of active campaigns and emerging tactics that emphasize stealth, precision, and financial motive. Highlights include the GhostAd Android adware drain, macOS supply-chain trojans tied to Open VSX extensions, a large non-KYC proxy network (IPCola), and multiple cloud and contract-exploit incidents. The roundup also details arrests, regulatory action, and evolving Magecart and click-fraud toolkits that collectively signal a shift toward low-noise, high-return operations.

GlassWorm fourth wave targets macOS trojanized wallets

🚨 The fourth wave of the GlassWorm campaign is targeting macOS developers by distributing malicious VS Code/OpenVSX extensions that deliver trojanized cryptocurrency wallet applications. The extensions embed an AES-256-CBC-encrypted payload in compiled JavaScript, execute after a 15-minute delay using AppleScript, and persist via LaunchAgents. The malware harvests developer credentials, browser and Keychain data, supports VNC and SOCKS proxying, and includes a mechanism to replace Ledger Live and Trezor Suite with trojanized versions. Users should remove the identified extensions, reset credentials, revoke tokens, and inspect or reinstall affected macOS systems.

RondoDox Botnet Exploits React2Shell to Infect IoT

🔒 CloudSEK researchers disclosed a nine‑month campaign that has recruited IoT devices and web servers into the RondoDox botnet by exploiting the critical React2Shell flaw (CVE‑2025‑55182). Actors moved from manual scanning to hourly automated deployments, dropping cryptocurrency miners, a loader/health checker and a Mirai variant. The loader (/nuts/bolts) kills competing malware, enforces persistence and fetches the main bot. Organizations should patch Next.js, segment IoT, deploy WAFs and monitor for suspicious processes.

Trust Wallet Chrome Extension Hack Drains $8.5M in Dec

🔒 Trust Wallet disclosed that a second wave of the Shai‑Hulud supply chain attack exposed developer GitHub secrets, including a Chrome Web Store API key, enabling attackers to upload a trojanized extension build directly. The malicious update (v2.68) pushed a backdoor that harvested wallet mnemonic phrases to a domain registered as metrics-trustwallet[.]com, leading to the theft of about $8.5 million from 2,520 addresses. Trust Wallet urged users to update to v2.69, launched a reimbursement claim process, and said it has implemented additional monitoring and controls to strengthen its release procedures.

DarkSpectre Browser Extension Campaigns Hit Millions

🔍 Koi Security links three coordinated browser-extension campaigns — ShadyPanda, GhostPoster, and DarkSpectre — to a Chinese threat actor that collectively compromised millions of users across Chrome, Edge, Opera, and Firefox. The attacks combine affiliate-link hijacking, ad and click fraud, time-delayed logic bombs, and a targeted Zoom Stealer component that exfiltrates meeting links, credentials, and participant data. Many add-ons behaved legitimately for years before being weaponized via malicious updates.

Hackers Drain $3.9M from Unleash Protocol via Multisig

🔓 The decentralized IP platform Unleash Protocol suffered an unauthorized contract upgrade after an external address gained administrative signing power in its multisig governance, enabling withdrawals. The attacker drained roughly $3.9 million in WIP, USDC, WETH, stIP, and vIP, then bridged funds and deposited 1,337 ETH into Tornado Cash. Unleash has paused operations and engaged external security experts; users should avoid interacting with contracts until the team confirms it is safe.

RondoDox Botnet Exploits React2Shell to Hit Next.js

🔥 The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers and deploy malware, including coinminers and Mirai-like components. CloudSEK reports scanning began on December 8 with active deployments starting December 11, and Shadowserver counts over 94,000 exposed assets. The botnet also conducts hourly IoT exploitation waves to enroll routers and uses loaders that remove competing malware and enforce persistence.

Modified Shai Hulud Strain Found in npm Package Dec

🔎 Cybersecurity researchers have identified a modified strain of the Shai Hulud npm worm inside the package "@vietmoney/react-big-calendar," updated on December 28, 2025. Aikido and researcher Charlie Eriksen say the code appears obfuscated and likely derived from the original worm source rather than a simple copy. The variant changes filenames and GitHub leakage descriptors, improves error handling and OS-aware publishing, and so far shows limited spread, suggesting the payload may be in testing.

ESA Confirms Breach of External Servers Hosting Code

🔒 The European Space Agency (ESA) confirmed a cybersecurity incident affecting a small number of servers located outside its corporate network that supported unclassified collaborative engineering activities. Threat actors claim they accessed JIRA and Bitbucket instances for about a week and exfiltrated over 200GB of data, including source code, CI/CD pipelines, tokens, and configuration files. ESA has initiated forensic analysis, notified relevant stakeholders, and implemented measures to secure potentially affected devices while the investigation continues.

Zoom Stealer Extensions Harvest Corporate Meeting Data

🔍 Koi Security researchers uncovered a campaign named Zoom Stealer that abused 18 Chrome, Firefox, and Edge extensions installed by about 2.2 million users to harvest meeting-related data. The extensions — often offering legitimate features like audio capture or video download — collected meeting URLs, IDs, topics, participant details, and embedded passwords. Collected data was streamed via WebSockets in real time and could enable corporate espionage or sales intelligence.

US Cybersecurity Experts Plead Guilty in BlackCat Attacks

🔒 Two former employees of cybersecurity firms have pleaded guilty to conducting BlackCat (ALPHV) ransomware attacks against multiple U.S. companies in 2023, admitting to conspiracy to obstruct commerce by extortion. The defendants, Ryan Clifford Goldberg and Kevin Tyler Martin, formerly worked at Sygnia and DigitalMint respectively and face up to 20 years in prison with sentencing set for March 12, 2026. Prosecutors allege the pair, together with a third accomplice, breached networks across sectors including healthcare and manufacturing and received ransom proceeds after encrypting victims' servers.

Silver Fox Uses Tax Phishing to Deliver ValleyRAT in India

📧 Silver Fox is targeting Indian users with income tax-themed phishing emails that deliver the modular remote-access trojan ValleyRAT. The campaign uses decoy PDFs that redirect victims to a domain hosting a ZIP archive containing an NSIS installer which sideloads a rogue libexpat.dll alongside a legitimate thunder.exe. The loader disables Windows Update, performs anti-analysis checks, and injects the RAT into explorer.exe to establish persistent, low-noise access.

Mustang Panda Uses Signed Kernel Driver to Deploy TONESHELL

🔒 Kaspersky observed Mustang Panda leveraging a signed, previously undocumented kernel‑mode rootkit driver to deliver a new TONESHELL backdoor in mid‑2025 against targets in Asia. The driver, tracked as ProjectConfiguration.sys, uses an old certificate issued to Guangzhou Kingteller Technology Co., Ltd., likely leaked or stolen, and registers as a high‑altitude minifilter to intercept I/O. It spawns an injected svchost.exe and loads a memory‑only TONESHELL implant that communicates with C2 servers and resists disk‑based detection.

Chinese State Hackers Use Rootkit to Hide ToneShell

⚠️ A new ToneShell backdoor sample attributed to the Mustang Panda group was delivered via a kernel‑mode mini‑filter driver, ProjectConfiguration.sys, in attacks against government organizations in Asia. The signed driver operates as a rootkit: it injects two user‑mode payloads, blocks deletion and renaming, protects service registry keys, and alters WdFilter to interfere with Microsoft Defender. Kaspersky notes this is the first observed kernel‑mode loader for ToneShell and recommends memory forensics and provided IoCs to detect infections. The actor also updated network stealth, moving to a 4‑byte host ID and fake TLS headers.

Coupang to Pay $1.17B to 33.7M Breach Victims in Korea

🔔 Coupang announced it will distribute ₩1.685 trillion (about $1.17 billion) in compensation to 33.7 million customers affected by a data breach, with payments beginning January 15, 2026. The company said each customer will receive four single-use vouchers totaling 50,000 won for various Coupang services and products. Coupang reported the breach occurred on June 24, was discovered in mid-November, and has prompted a police investigation into a former IT employee.

Suspect Arrested in KMSAuto Clipper Campaign — 2.8M Infected

🚨 South Korean authorities arrested a 29-year-old Lithuanian accused of distributing a clipboard-stealing clipper embedded in a trojanized KMSAuto activation tool that was downloaded 2.8 million times worldwide. The suspect was extradited from Georgia after investigators traced about KRW 1.7 billion (~$1.2M) diverted in 8,400 transactions. Devices seized in a December 2024 raid yielded evidence leading to the April 2025 arrest. Officials warn against using unofficial activators and unsigned executables.

Trust Wallet: $7M Stolen from 2,596 Wallets via Extension

🔒 Trust Wallet says attackers who pushed a malicious Chrome extension release on Dec 24 exfiltrated sensitive data and drained roughly $7 million from 2,596 wallet addresses. The compromise involved a malicious JavaScript added to v2.68.0 that bypassed internal release controls; users were urged to update to v2.69. Trust Wallet has begun reimbursing verified victims and strongly warned users not to share seed phrases or private keys.

Romanian Energy Provider Hit by Gentlemen Ransomware

🔒 Oltenia Energy Complex, Romania's largest coal-based energy producer, suffered a ransomware attack on the second day of Christmas that disrupted its IT infrastructure. Some documents were encrypted and key applications — including ERP, document management, email, and the corporate website — became temporarily unavailable. The company said operations were only partially affected and the National Energy System was not jeopardized while teams rebuild systems from backups and cooperate with authorities.