ciso brief

All news in category “Incidents and Data Breaches”

2718 articles · page 76 of 136

France Interior Ministry Confirms Email Server Breach

🔒 The French Interior Ministry confirmed a cyberattack detected overnight between December 11 and 12 that compromised its e-mail servers and allowed attackers to access a number of document files. Officials say they have reinforced access controls and implemented additional security measures while an investigation is underway. Authorities are exploring motives including foreign interference, activist demonstration, or organized cybercrime.

Instructor jailed for teaching criminals to use Spymax

🛡️ A 49-year-old Malaysian national, Cheoh Hai Beng, has been sentenced in Singapore to five-and-a-half years' imprisonment and fined S$3,608 after admitting he produced detailed video tutorials showing criminals how to deploy the Spymax Android RAT. Between February and May 2023 he is reported to have recorded about 20 step‑by‑step videos demonstrating installation, remote control, credential theft, camera hijack, contact harvesting and GPS tracking. Authorities say these tutorials were circulated on criminal networks and used to facilitate financial fraud against victims who were tricked into installing the malware.

Phantom Stealer Delivered via ISO Phishing in Russia

🛡️ Cybersecurity researchers have disclosed Operation MoneyMount-ISO, a phishing campaign that delivers Phantom Stealer via malicious ISO images attached inside ZIP archives targeting Russian finance, accounting, procurement, legal and payroll teams. The ISO, labeled as a bank transfer confirmation, mounts as a virtual CD and executes an embedded DLL named CreativeAI.dll to launch the stealer. Phantom harvests browser-stored crypto wallets, Discord tokens, passwords, cookies, credit cards, and can log keystrokes and monitor the clipboard. Stolen data is exfiltrated over Telegram, Discord webhooks or FTP.

VolkLocker Ransomware Exposed: Hard-Coded Master Key

🔓 VolkLocker, a new RaaS from the pro‑Russian group CyberVolk (GLORIAMIST), contains a critical implementation flaw that lets victims recover files without paying. Test samples embed a master key and write it in plaintext to the %TEMP% folder (system_backup.key), while using that same key for AES‑256‑GCM encryption. The Golang-built strain targets Windows and Linux, modifies the registry, deletes shadow copies, and uses Telegram automation for command-and-control and victim management.

PayPal Subscriptions Abused to Send Fake Purchase Emails

⚠️ BleepingComputer warns that attackers are abusing PayPal's Subscriptions feature to send legitimate-looking emails from service@paypal.com that include fake purchase notifications embedded in the Customer Service URL field. The messages pass DKIM/SPF and originate from PayPal mail servers, but include manipulated metadata or API-supplied text and obfuscated Unicode to evade filters. Recipients are advised to ignore the phone number in such emails and verify charges directly in their PayPal account.

VolkLocker RaaS Stumbles on Embedded Cryptography Flaw

🔐 SentinelOne researchers discovered that VolkLocker, a new RaaS from the pro-Russia group CyberVolk, embeds a master encryption key in the binary and also writes it in plaintext to a hidden file (%TEMP%\system_backup.key) on infected systems. The ransomware uses AES-256 in GCM but reuses the same master key for all files and never deletes the backup key, allowing some victims to decrypt files without paying. The public disclosure may help current victims but could prompt operators to fix the flaw.

Leaked Home Depot GitHub Token Exposed Internal Systems

🔓 A security researcher reported that a Home Depot employee accidentally published a private GitHub access token in early 2024, which granted access to private repositories and cloud infrastructure. When tested, the token allowed write permissions to Home Depot repos and access to order fulfillment and inventory systems. The researcher said multiple disclosure emails went unanswered; the token was removed after TechCrunch contacted the company.

Fake GitHub Repos Deliver PyStoreRAT via HTA/JS Loaders

🛡️ Researchers warn that a wave of malicious GitHub repositories is distributing a newly observed JavaScript-based RAT called PyStoreRAT, delivered via minimal Python/JS loader stubs that fetch and execute remote HTA files through mshta.exe. The deceptive projects, marketed as OSINT utilities, DeFi bots, GPT wrappers, and developer tools, often exhibit non-functional or placeholder interfaces designed to build trust. Once executed, the multi-stage implant can run EXE, DLL, PowerShell, MSI, Python, and HTA modules and deploys a follow-on information stealer, Rhadamanthys. The initial stage also checks for security products such as CrowdStrike and Cybereason to reduce visibility and establishes persistence via a scheduled task masquerading as an NVIDIA update.

Coupang Breach Linked to Former Employee's System Access

🔍 Coupang has tied a major data breach exposing 33.7 million customers to a former employee who retained access after leaving the company. The intrusion occurred on June 24, 2025 and was discovered by Coupang on November 18; the company disclosed the incident on December 1 and later said the stolen data had not been published online. Police raided Coupang offices to collect logs, credentials and other records during an independent probe, and the CEO resigned amid the fallout. Authorities warn the firm could face liability if negligence or other violations are found, while the breach has prompted widespread phishing and impersonation reports across South Korea.

Fake 'One Battle After Another' Torrent Hides Malware

🛡️ Bitdefender researchers uncovered a malicious torrent impersonating the new Paul Thomas Anderson film that hides PowerShell loaders inside subtitle files, ultimately delivering the Agent Tesla RAT. A deceptive shortcut (CD.lnk) triggers a PowerShell script embedded between specific subtitle lines to extract AES-encrypted blocks and reconstruct multiple dropper scripts. The complex chain extracts files from included images and the movie file, creates a hidden scheduled task, disables or checks Windows Defender, and loads the final payload in memory, showing a high degree of stealth and persistence.

Cyberattack on Town Hall: Stolen Data Posted on Darknet

🔒 In mid-October the Untereisesheim town hall was hit by a cyberattack that encrypted IT systems and led to data theft from servers. Investigations indicate portions of the stolen material, including older personnel files and employee image drives, have appeared on the darknet, while the municipality stresses that sensitive citizen data and central document systems were not affected. No ransom was paid; the town is working with the Cybersecurity Agency Baden-Württemberg (CSBW) and the State Criminal Police Office, has rebuilt and secured its systems, and has informed the supervisory and data protection authorities.

ICO fines LastPass £1.2m over 2022 customer data breach

🔒 The UK Information Commissioner’s Office has fined LastPass £1.2m after concluding insufficient technical and organisational measures contributed to a major 2022 breach. The ICO said there is no evidence that vault master passwords were decrypted, but around 1.6 million users had personal data exposed, including names, emails, phone numbers and stored URLs. The regulator reiterated that password managers remain recommended but vendors must restrict access and harden internal controls.

Seoul Police Raid Coupang; CEO Steps Down Amid Breach

🔍 Seoul police raided Coupang’s headquarters after the e‑commerce firm disclosed that a massive data leak impacted 33.7 million users. CEO Park Dae‑jun resigned and was replaced by US‑based interim chief Harold Rogers to lead remediation, strengthen information security and restore customer trust. Authorities have issued a search warrant for a suspected ex‑employee and are investigating potential criminal violations. South Korea’s data regulator has also ordered changes to Coupang’s terms, simplified account cancellation and a specialist task force to limit further harm.

MKVCinemas Piracy Network Shut Down After 142M Visits

🔒 The anti-piracy coalition Alliance for Creativity and Entertainment (ACE) dismantled the MKVCinemas streaming piracy network and 25 related domains after the sites drew 142.4 million visits between 2024 and 2025. ACE identified the platform operator in Bihar, India, who agreed to cease operations and transfer domain control; all MKVCinemas sites now redirect to ACE's Watch Legally portal. The action also disabled a widely used file-cloning tool that had allowed distribution of pirated media across India and Indonesia.

UK Fines LastPass £1.2M Over 2022 Data Breach

🔒 The UK Information Commissioner's Office (ICO) fined LastPass £1.2 million after a 2022 breach that exposed account metadata and encrypted vault backups for up to 1.6 million UK users. The attacker first compromised an employee laptop and development credentials, then exploited a vulnerability in a third‑party streaming app on a senior employee's device to deploy malware, capture a master password, and bypass MFA. Those keys enabled access to cloud backups at GoTo containing customer data. The ICO said vaults were not decrypted but warned weak master passwords are at risk and urged stronger passwords and tighter controls.

Imposter for Hire: Fake Employees Gaining Access Now

🔍 Microsoft Incident Response details a real-world intrusion where operatives posed as legitimate remote hires to gain trusted access. Attackers used low-cost PiKVM hardware to create persistent, out-of-band control of employer-issued workstations and bypassed normal EDR and onboarding controls. DART used telemetry from Microsoft Entra ID, Microsoft Defender, and bespoke forensic tools to trace activity to the North Korean group Jasper Sleet, contain the compromise, and restore affected systems. The report emphasizes strengthening vetting, enforcing least privilege, and monitoring for unauthorized IT devices.

19 VS Code Extensions Embedding Malware in Dependencies

🔍 ReversingLabs uncovered a campaign that embedded malware in 19 Visual Studio Code extensions by tampering with bundled dependencies. Attackers replaced the widely used npm package path-is-absolute to execute a JavaScript dropper from a file named "lock" and hid two binaries inside an archive disguised as banner.png. The payloads were launched via cmstp.exe, including a process-terminating component and a Rust-based Trojan; Microsoft has been notified.

Mass Compromise of IP Cameras in South Korea Reveals Risks

📷 South Korean authorities arrested four suspects after roughly 120,000 internet-connected IP cameras in homes and businesses were breached and sexually explicit footage was sold on an overseas adult site. Investigators indicate attackers likely exploited weak or default credentials and unpatched device software. Owners should replace factory passwords, use unique credentials and enable two-factor authentication; consider a reputable password manager such as Kaspersky Password Manager to generate and store strong, random passwords and one-time codes.

ConsentFix attack hijacks Microsoft accounts via Azure CLI

🔒 A new variant of the ClickFix social‑engineering technique, called ConsentFix, abuses the Azure CLI OAuth flow to hijack Microsoft accounts without passwords or MFA. Discovered by Push Security, the campaign lures targets via compromised high‑ranking websites and a fake Cloudflare Turnstile CAPTCHA to filter victims. The attack captures an OAuth authorization code returned to a localhost redirect and instructs the user to paste the URL, enabling the attacker to exchange the code for an Azure CLI access token and take control of the account.

WIRTE Uses AshenLoader Sideloading to Deploy AshTag

🔒 WIRTE (tracked as Ashen Lepus by Palo Alto Networks) has been observed using benign binaries to sideload a malicious DLL named AshenLoader, which drops additional components to deploy the AshTag .NET backdoor. The intrusion chain begins with a decoy PDF and a RAR archive from file-sharing services, leading to in-memory execution of a stager to minimize forensic traces. Targets are primarily government and diplomatic entities in the Middle East, with recent expansion to Oman and Morocco. Operators have been observed staging diplomacy-related documents and exfiltrating them using Rclone.