< ciso
brief />
Incidents and Data Breaches Banner

All news in category “Incidents and Data Breaches

3000 articles · page 8 of 150

India’s Telegram Ban, BGP Fallout and Workarounds

📰 India blocked Telegram until June 22 after leaked exam materials circulated on the platform, prompting Telegram CEO Pavel Durov to allege BGP hijacking by Reliance that affected users as far as the UAE. The ban, and an additional restriction on message editing, prompted legal challenges and criticism from digital-rights groups calling the move disproportionate. Analysts confirmed a routing leak from AS18101 via FLAG Telecom but dispute claims of deliberate sabotage; MTProto proxies are recommended to restore access.
read more →

Fake Reputation Economy Behind Crypto Clipboard Hijackers

🔍 Check Point Research uncovered a coordinated campaign that built a cross-platform false reputation to push a crypto clipboard hijacker. The actor used WordPress phishing hubs, multiple GitHub and SourceForge projects, AI-narrated YouTube tutorials, and forum posts to manufacture trust and inflate engagement. The campaign targeted Windows and macOS, including a macOS persistence mechanism, and manipulated reputation systems like VirusTotal to make malicious files appear safe.
read more →

Mastra npm packages compromised in supply-chain attack

🛡️ Multiple npm packages under the @mastra/* namespace were mass-published with a malicious dependency on June 16–17, 2026, enabling a supply-chain campaign named easy-day-js. The injected library, easy-day-js, executes an obfuscated postinstall payload that downloads a second-stage trojan from attacker infrastructure and disables TLS validation. Victims should treat any systems that installed the affected versions as potentially compromised, roll back to safe releases, rotate secrets, and audit hosts for signs of the stealer.
read more →

Kodak confirms data breach amid ShinyHunters claim

🔒 Kodak has confirmed an investigation after an unauthorized third party gained temporary access to a limited amount of company data. The company engaged external cybersecurity experts and is working with law enforcement, asserting there is no threat to systems or operations. The ShinyHunters extortion group has claimed responsibility, alleging over 2.2 million records were stolen and threatening to leak the data.
read more →

Malicious JetBrains plugins harvest AI API keys

🛡️ A coordinated campaign on the JetBrains Marketplace used at least 15 malicious IDE plugins to exfiltrate developers' AI provider API keys. Discovered by Aikido Security, the plugins—posing as AI assistants, code-review tools, and Git utilities—sent keys to a hardcoded server when users clicked "Apply" after entering credentials. Published from October 2025 through June 2026, these plugins were installed nearly 70,000 times and remain available on the Marketplace at the time of reporting.
read more →

Rokarolla Android trojan targets 217 financial apps

🛡️ A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and supports 137 commands. Distributed via malicious sites posing as Chrome or TikTok installers, it requests Accessibility and other sensitive permissions to gain near-complete control of infected devices. Researchers at Zimperium report it harvests SMS, contacts, keystrokes, screenshots, and lock-screen credentials while displaying phishing overlays and disabling protections like Google Play Protect.
read more →

Malicious Steam Workshop wallpapers used to deliver malware

🛡️ Researchers at Kaspersky report threat actors abusing Steam Workshop to distribute malware via the Wallpaper Engine app. Attackers upload malicious application-type wallpapers that execute payloads when installed, leading to account theft, backdoors, miners, and information stealers. Valve removed the identified items, but users are advised to only download from trusted creators and scan Workshop content with up-to-date antivirus.
read more →

ClickFix campaigns expand modular malware delivery

🛡️ Multiple ClickFix campaigns have been linked to three distinct loaders — BabaDeda Loader, Lorem Ipsum Loader, and Potemkin — delivering information stealers, backdoors, RATs, and other payloads against diverse sectors. The attacks rely on social-engineered ClickFix lures that trick victims into running PowerShell or command sequences, then use staged techniques such as hidden PowerShell, DLL side-loading, in-memory shellcode, and external payload storage to evade detection. Researchers from Morphisec, BlueVoyant, and Huntress attribute the campaigns to evolving, modular loader frameworks that separate delivery, storage, execution, and payload deployment for greater stealth.
read more →

FTC: Record $3.5B Lost to Imposter Scams in 2025

📰 The FTC reports Americans lost $3.5 billion to imposter scams in 2025, with these schemes comprising nearly one in three fraud reports. Scammers used texts, calls, emails, social media, and search results, with social platforms driving over $2.1 billion in losses. Business and government impersonators caused the largest harms, and the FTC has pursued enforcement under its Impersonation Rule to seek redress.
read more →

Rokarolla Android trojan isolates victims from banks

🔒 Researchers have detailed Rokarolla, an Android banking trojan that not only steals credentials but effectively seizes control of phones to isolate victims from banks. The malware spreads via fake sites posing as TikTok or Chrome and uses a dropper impersonating Google Play Protect to install a second-stage payload. Rokarolla abuses Android Accessibility Services, makes itself the default call and SMS handler, hides its icon, mutes alerts and captures screenshots and overlays fake login screens to harvest bank and crypto credentials.
read more →

China-linked group exploited REDCap to target research

🔒 Google warns that a China-associated threat actor, UNC6508, ran a prolonged espionage campaign targeting US and Canadian research environments by abusing legacy versions of REDCap. The attackers trojanized upgrade processes with modular malware called INFINITERED to achieve persistence, harvest credentials, and maintain a backdoor. GTIG recommends inspecting REDCap files, validating upgrades, and enforcing stronger authentication and DLP controls.
read more →

DragonForce hid C&C traffic in Microsoft Teams

🔒 Researchers report that DragonForce operators covertly used Microsoft Teams TURN relay servers to mask command-and-control traffic while infiltrating a major US services firm during a 2025 campaign. The attackers deployed a Go-based RAT, named Backdoor.Turn, which obtained anonymous Teams visitor tokens and established QUIC sessions to attacker-controlled servers. They also exploited an undocumented Huawei driver vulnerability and modified system settings to maintain persistence, exfiltrate data and deploy DragonForce ransomware.
read more →

Flock Camera System Misuse Sparks Stalking Concerns

📷 Multiple instances nationwide show police using the Flock surveillance camera system to obsessively and illegally stalk individuals. Reports indicate over a dozen cases where the system has been misapplied, raising privacy and civil rights concerns. The pattern highlights how persistent surveillance technologies can be abused without adequate oversight. Flock deployments and law enforcement practices are facing increased scrutiny.
read more →

Attackers Exploit Multiple Fortinet FortiSandbox Bugs

🔍 Threat intelligence firm Defused Cyber reports active exploitation of three high-severity Fortinet FortiSandbox vulnerabilities observed within 24 hours. The flaws — CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 — are high-severity (CVSS 9.1) issues involving path traversal and OS command injection that can enable unauthenticated attackers to bypass authentication or execute commands. Fortinet issued patches for the first two in April 2026 and fixed the third last week; defenders are cautioned to apply updates promptly.
read more →

Ransomware gang hides C2 traffic via Teams relays

🔒 Symantec warns that DragonForce ransomware used a custom Go-based backdoor, Backdoor.Turn, to hide command-and-control traffic by abusing Microsoft Teams' TURN relay infrastructure. The malware obtains anonymous Teams visitor tokens and tunnels C2 communications through legitimate TURN relays, making malicious traffic appear as normal Teams activity. The campaign, observed in December 2025, also used BYOVD drivers for kernel privileges and extensive post-exploitation tools to exfiltrate data and deploy ransomware.
read more →

Windows SprySOCKS Variants Expand China‑linked Threat

🛡️ ESET researchers uncovered two Windows variants of the previously Linux-only backdoor SprySOCKS, internally tagged as WIN_DRV and WIN_PLUS. Both maintain the original C&C protocol and support TCP, UDP, and WebSocket channels, offering more than 30 commands for reconnaissance and remote control. WIN_DRV uses kernel drivers to hide activity and enable TCP traffic diversion, while WIN_PLUS abuses the Print Spooler to load the backdoor. Artifacts point to deployments between 2023–2024 against government targets in multiple countries, and there are limited indications of a UEFI bootkit being involved.
read more →

Critical FortiSandbox Vulnerabilities Actively Exploited

🛡️ Fortinet's FortiSandbox platform is being actively targeted by attackers exploiting multiple recently patched critical vulnerabilities. The flaws (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) enable unauthenticated privilege escalation and remote code execution through low-complexity command injection, requiring no user interaction. Administrators are urged to upgrade affected systems to the latest releases to block ongoing attacks and reduce exposure.
read more →

Windows SprySOCKS variants used in gov’t targeting

🔎 ESET researchers report Windows versions of the SprySOCKS malware, linked to the Chinese threat actor Earth Lusca, were used in 2023–2024 attacks against government organizations in Taiwan, Thailand, Pakistan, and Honduras. The Windows family includes WIN_DRV with kernel drivers for rootkit-like stealth and WIN_PLUS, a lighter backdoor. Both support TCP/UDP/WebSocket communications, SOCKS proxying, extensive C2 commands, file and process management, and data collection such as keystrokes and clipboard contents.
read more →

FBI Alerts Public to Courier-Facilitated Crypto Scams

🛡️ The FBI warns that cryptocurrency investment scammers are using in-person couriers to bypass banking controls and collect cash from victims. A July 15 PSA notes that fraudsters instruct victims to withdraw funds for supposed fines or flagged accounts, authenticate couriers with bill serial numbers or passwords, and then repeat the scheme by demanding “taxes” or penalties. Victims are often targeted via social media, unsolicited texts, or fake investment personas.
read more →

ScarCruft uses fake Microsoft alerts to deploy NarwhalRAT

🛡️ Genians Security Center observed North Korea–linked ScarCruft (APT37) sending spear-phishing emails impersonating Microsoft Account security alerts to trick victims into opening ZIP attachments. The archive contains a malicious LNK that triggers a multi-stage chain: batch scripts download a legitimate Python executable, a CAT file, and install NarwhalRAT. Persistence is achieved via scheduled tasks that launch an in-memory payload, enabling keystroke logging, screenshots, audio capture, file exfiltration, and remote command execution.
read more →