
All news in category “Incidents and Data Breaches”


Daemon Tools Confirms Malware-Backdoored Installer

🛡️ Disc Soft has confirmed that certain Daemon Tools Lite installers were Trojanized and released in a compromised build (version 12.5.1) after unauthorized interference in its build environment. The company released a malware-free update, Version 12.6, within 12 hours of notification and says the incident is contained. Users who installed the impacted release are advised to uninstall the application, run a full system scan with trusted security software, and reinstall only the verified package from the official site.

PyPI packages deliver ZiChatBot malware to Windows, Linux

🛡️ Kaspersky researchers found three malicious PyPI wheel packages — uuid32-utils, colorinal and termncolor — that covertly delivered a new malware family named ZiChatBot to Windows and Linux hosts. The packages drop platform-specific loaders (terminate.dll or terminate.so) that persist via a Registry autorun entry or a crontab and act as droppers for the main payload. ZiChatBot uses public Zulip REST APIs as its command-and-control channel, executes shellcode received from the service, and signals success by sending a heart emoji. The packages were uploaded in July 2025 and have been removed; organizations should audit dependencies, verify build environments, and monitor the published indicators.

Hackers Use Google Ads to Phish ManageWP Logins via AitM

🔒 A phishing campaign abused Google sponsored search results to deliver a live adversary-in-the-middle (AitM) proxy that mimics ManageWP's sign-in page, placing the fake result above the legitimate one for the "managewp" query. Any credentials entered are exfiltrated to a Telegram channel and used in real time to bypass 2FA. Guardio Labs infiltrated the attackers' C2, observed an operator-driven phishing framework, and confirmed around 200 unique victims.

Mirai-Derived xlabs_v1 Botnet Exploits ADB Devices

🛡️ Hunt.io has uncovered a Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to conscript them into DDoS campaigns. The malware supports 21 flood variants across TCP, UDP, and raw protocols and is offered as a DDoS-for-hire service aimed at game servers and Minecraft hosts. It targets devices with ADB enabled by default—such as Android TV boxes, set-top boxes, and smart TVs—and includes multi-architecture binaries for routers and IoT hardware. The bot probes device bandwidth to tier victims and uses a "killer" subsystem to evict competing malware.

DNSSEC signing error at .de TLD caused mass outages

🔐 On May 5, 2026, DENIC began publishing incorrect DNSSEC signatures for the .de zone, causing validating resolvers to reject responses and return SERVFAIL—impacting .de domains worldwide and affecting Cloudflare’s 1.1.1.1. Many users were shielded by resolvers' serve-stale behavior, but Cloudflare deployed an override equivalent to a Negative Trust Anchor at 22:17 UTC to bypass validation and restore reachability while DENIC corrected the key rollover.

Iranian Spies Masquerade as Ransomware to Mask Espionage

🕵️ State-aligned Iranian operatives are posing as a ransomware affiliate to conceal espionage and cyber-sabotage, according to research by Rapid7. The group, linked to MuddyWater (aka Seedworm), impersonated the Chaos ransomware-as-a-service brand while using social engineering over Microsoft Teams—including interactive screensharing—to harvest credentials and bypass MFA. Operators used remote management tools like DWAgent for persistence and followed intrusions with extortion messaging and leak-site posts, but prioritized data exfiltration over encryption.

DAEMON Tools supply-chain breach; malware-free update

🔒 Disc Soft confirmed a supply-chain compromise that trojanized installers for DAEMON Tools Lite and has released a clean build. The company says it secured its infrastructure and published version 12.6 (May 5), which no longer exhibits malicious behavior. Users who installed the free 12.5.1 build since April 8 should uninstall, run a full antivirus scan, and reinstall the latest release. Kaspersky found backdoors and a two-stage payload deployed to thousands of systems across 100+ countries.

ClickFix macOS Campaign Uses Terminal, Delivers Infostealers

🔐 Microsoft describes an evolving ClickFix campaign targeting macOS users by hosting Base64-encoded instructions on blogs and content platforms to trick victims into running Terminal commands. Those one-line commands leverage native utilities (curl, osascript, Base64/Gzip) to fetch and execute infostealers such as Macsync, SHub, and AMOS largely in memory, bypassing Gatekeeper. The malware harvests Keychain entries, iCloud data, browser credentials, media files, and cryptocurrency wallets, and has in some cases replaced legitimate wallet apps with trojanized versions. Organizations should monitor command-line activity and enable EDR/XDR protections and Defender cloud features.

MuddyWater Uses Chaos Ransomware as Decoy in Attacks

🔍 The Iranian state-sponsored group MuddyWater disguised a cyber-espionage operation as a Chaos ransomware attack, leveraging Microsoft Teams social engineering to harvest credentials and manipulate MFA. Attackers used fake Quick Assist phishing pages or tricked victims into typing passwords into local files, then moved laterally via AnyDesk, DWAgent, and RDP to establish persistence. Rapid7 links the campaign to MuddyWater with moderate confidence, noting a signed loader (ms_upd.exe) that drops a backdoor (Game.exe) with anti-analysis checks.

Iran-Linked APT Mimicked Chaos Ransomware in Espionage

🛡️ Rapid7 says an Iranian government-linked APT posed as a Chaos ransomware affiliate to mask espionage and prepositioning in an intrusion in early 2026. The actor, identified as MuddyWater (aka Seedworm/Static Kitten/Mango Sandstorm), used interactive Microsoft Teams social engineering to harvest credentials and manipulate MFA. They established persistence with DWAgent and AnyDesk, exfiltrated data, and initiated extortion negotiations without deploying a ransomware payload.

MuddyWater Employs Microsoft Teams for Targeted Intrusion

🔐 Rapid7 attributes a deception-driven intrusion to the Iranian-affiliated actor MuddyWater, which used Microsoft Teams social engineering to harvest credentials and manipulate MFA via live screen-sharing. Once inside, operators leveraged compromised accounts, remote-access tools like DWAgent and AnyDesk, and a trojanized WebView2 binary to maintain persistence and exfiltrate data rather than encrypt files. The campaign appears to have intentionally mimicked RaaS artefacts — including Chaos-related extortion indicators and a signed loader — to obscure state-backed motives and slow incident response.

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one-time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.

Quasar Linux: Stealthy implant targets developer systems

🐧 Trend Micro researchers revealed a previously undocumented Linux implant named Quasar Linux (QLNX) that targets software developers by compromising development and DevOps environments such as npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX dynamically compiles rootkit and PAM backdoor modules on the host, runs fileless in memory, and employs multiple persistence methods while wiping logs and spoofing process names to remain stealthy. The toolkit includes a 58-command RAT, credential harvesting (SSH keys, cloud configs, and /etc/shadow), kernel eBPF hiding, surveillance, lateral movement, and in-memory injection; Trend Micro provided IoCs but attribution and prevalence remain unclear.

ShinyHunters Claims 280M Records Stolen from Instructure

🔒 Instructure says it is investigating a breach after the extortion group ShinyHunters claimed to have stolen 280 million records tied to students, teachers, and staff across 8,809 colleges, school districts, and online education platforms. The actors allege they accessed names, email addresses, private messages and enrollment data by abusing Canvas export features such as DAP queries, provisioning reports and user APIs. Instructure has acknowledged the incident but has not provided detailed public answers; several universities have begun their own inquiries.

DAEMON Tools Installers Trojanized in Supply-Chain Attack

⚠️ DAEMON Tools installers hosted on the official site were trojanized beginning April 8, delivering a backdoor to thousands of systems worldwide. Compromised, digitally signed installers (versions 12.5.0.2421–12.5.0.2434) contained malicious code in binaries such as DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The initial payload is an information stealer used to profile victims; select hosts received a lightweight second-stage backdoor capable of executing commands and loading code in memory. In at least one targeted case researchers observed deployment of a more advanced QUIC RAT, and Kaspersky warns the campaign evaded detection for nearly a month.

Student Hacks TETRA System, Stops Taiwan High-Speed Trains

🔴 A 23-year-old university student in Taiwan was arrested after allegedly interfering with the country's TETRA-based communications for the Taiwan High Speed Rail (THSR). Authorities say he used SDR equipment and handheld radios to transmit a high-priority 'General Alarm' on April 5, forcing emergency brakes and halting four trains for 48 minutes. Investigators found decoded radio parameters and an accomplice who supplied critical THSR settings. Equipment including 11 radios, an SDR and a laptop was seized; the suspect faces criminal charges and was released on NT$100,000 bail.

Supply-Chain Attack Compromises DAEMON Tools Installers

🛡️ Kaspersky has identified a supply-chain compromise that trojanized installers for DAEMON Tools, distributed from the vendor’s official site and signed with developer certificates. The affected builds (12.5.0.2421–12.5.0.2434) have been backdoored since April 8, 2026, with three core binaries modified to deploy an implant. The implant contacts an observed C2 domain (env-check.daemontools.cc) to receive shell commands that download and execute follow-on payloads, including a .NET collector and a loader/backdoor pair. Kaspersky observed thousands of initial infection attempts worldwide while more advanced payloads were selectively delivered to a small number of targets in Russia, Belarus, and Thailand; AVB Disc Soft has been notified.

Microsoft: Phishing Campaign Uses Fake Compliance Notices

📩 Microsoft Defender Research disclosed a large-scale credential-theft campaign that targeted over 35,000 users at roughly 13,000 organizations using polished fake internal compliance notifications. Running April 15–16, 2026, the messages used enterprise-style HTML templates, organization-specific names and attached PDFs that redirected recipients through a Cloudflare CAPTCHA to staged authentication pages. Attackers employed an adversary-in-the-middle (AiTM) flow to harvest tokens and compromise accounts, primarily impacting US firms but seen in 26 countries. Microsoft recommends enabling passwordless authentication, using authenticator apps for MFA, turning on Safe Links and Safe Attachments, and configuring attack disruption in Microsoft Defender XDR.

North Korean APT Trojanizes Yanbian Gaming Platform

🔎 A North Korea-aligned espionage group has trojanized Windows and Android clients on a regional Yanbian gaming site, according to ESET. The campaign, attributed to ScarCruft (APT37), delivered an Android port of the BirdCall backdoor (internally named zhuagou) and a trojanized mono.dll on Windows to deploy RokRAT and BirdCall. The malware harvests contacts, SMS, files, screenshots and audio, and routes command-and-control through cloud storage accounts.

China-linked UAT-8302 Targets Governments in 2024–2025

🔐 Cisco Talos attributes a China-nexus APT it tracks as UAT-8302 to sustained attacks on government entities in South America since late 2024 and on agencies in southeastern Europe in 2025. The actor deploys custom backdoors, notably a .NET implant called NetDraft (aka NosyDoor), and leverages tools such as CloudSorcerer, VShell and SNOWLIGHT/SNOWRUST. Talos highlights reuse of malware linked to multiple China-aligned clusters and extensive reconnaissance, lateral movement, and proxy/VPN-based persistence.