
All news in category “Incidents and Data Breaches”

2713 articles · page 92 of 136

Hackers Blackmail Massage Parlour Clients in Korea

🔒 South Korean police uncovered a criminal network that used a malicious app to steal customer data from massage parlours and extort clients. The group tricked nine business owners into installing software that exfiltrated names, phone numbers, call logs and text messages, then sent threatening messages claiming to have video footage. About 36 victims paid between 1.5M and 47M KRW, with attempted extortion near 200M KRW. Authorities traced activity to January 2022 across Seoul, Gyeonggi and Daegu and made arrests in August 2023.

Phishing Campaign Targets Booking.com Partners and Guests

🔒 A large-scale phishing operation targeted Booking.com partner accounts and hotel staff, using impersonated emails and compromised hotel accounts to lure victims into running malicious commands. Attackers relied on redirection chains and the ClickFix social engineering tactic to execute PowerShell that delivered PureRAT. The remote access trojan enabled credential theft, screenshots and exfiltration, with stolen access sold or used to perpetrate payment fraud against guests.

Trojanized ESET Installers Deliver Kalambur Backdoor

🛡️ A Russia-aligned cluster tracked as InedibleOchotense impersonated Slovak vendor ESET in May 2025, sending spear-phishing emails and Signal messages to multiple Ukrainian organizations. Recipients were directed to domains such as esetsmart[.]com hosting a trojanized installer that deployed the legitimate ESET AV Remover alongside a C# backdoor dubbed Kalambur (aka SUMBUR). Kalambur leverages the Tor network for command-and-control and can install OpenSSH and enable RDP on port 3389 to facilitate remote access. ESET links the campaign to Sandworm sub-clusters and notes overlaps with activity reported by CERT-UA and EclecticIQ.

Nikkei Slack Account Compromise Exposes Employee Data

🔒 Nikkei disclosed that unauthorized actors used malware to infect an employee’s computer, obtain Slack credentials, and access accounts on the company's Slack workspace. The firm reports that data for possibly more than 17,000 employees and business partners — including names, email addresses and chat logs — may have been stolen. Nikkei discovered the incident in September and implemented password resets and other remediation measures. The company said there's no confirmation that sources or journalistic activities were affected.

DOJ Indicts 31 in High-Tech Rigging of Poker Games

🃏 The Department of Justice has indicted 31 people for using altered shuffling machines and other covert devices to rig high-stakes poker games. The modified shuffling machines read every card and relayed which player would win to off-site conspirators, who then communicated via cellphone to a table “Quarterback” who signaled accomplices. Victims lost tens to hundreds of thousands of dollars, and conspirators also used a chip-tray analyzer, an x-ray table, and special contact lenses or eyeglasses to read cards.

Organized fraud ring abused payment providers, stole €300M

🔍 Authorities across three continents executed coordinated raids and arrests in a probe that uncovered an organized fraud network accused of using stolen credit‑card data to create over 19 million fake subscriptions and siphon more than €300 million. Investigators say suspects exploited vulnerabilities at multiple payment service providers, operated hundreds of sham websites offering porn, dating and streaming services, and used small recurring charges with opaque descriptions to avoid detection. The operation, named Operation Chargeback, was halted in 2021 and is the focus of ongoing international legal assistance.

Sandworm Deploys Data Wipers Against Ukraine's Grain Sector

🔒 Russian state-backed Sandworm (aka APT44) deployed multiple data-wiping malware families in June and September 2025, targeting Ukrainian education, government, and grain-production organizations. ESET says these wipers — distinct from ransomware — corrupt files, partitions, and boot records to prevent recovery and cause long outages. Some intrusions began with access by UAC-0099, which then handed access to APT44 for destructive payloads.

Hackers Use Hyper-V to Hide Linux VM and Evade EDR

🔒 Bitdefender researchers report that the threat actor Curly COMrades enabled Windows Hyper-V on compromised hosts to run a lightweight Alpine Linux VM (≈120MB disk, 256MB RAM). The hidden VM hosted custom tooling, notably the C++ reverse shell CurlyShell and the reverse proxy CurlCat. By isolating execution inside a VM the attackers evaded many host-based EDRs and maintained persistent, encrypted command channels.

SonicWall Attributes September Backup Breach to State Actor

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.

Cloudflare Removes Aisuru Botnet Domains from Rankings

🛡️ Cloudflare has begun redacting and hiding domains tied to the rapidly growing Aisuru botnet after those malicious hostnames repeatedly appeared atop its public domain rankings. The botnet — comprised of hundreds of thousands of compromised IoT devices — recently shifted from querying 8.8.8.8 to 1.1.1.1, flooding Cloudflare’s resolver and skewing popularity metrics. Cloudflare says attackers are likely both manipulating rankings and mounting attacks on its DNS service, and the company is refining its ranking algorithm while removing known malicious entries.

Smashing Security #442: Clock Hack and Rogue Negotiators

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

Gootloader Returns After Seven Months With Evasion Tricks

🛡️ Gootloader has resumed operations after a seven-month pause, using SEO poisoning to promote fake legal-document sites that trick users into downloading malicious ZIP archives containing JScript loaders. The campaign now employs novel evasion techniques — a custom web font that renders readable keywords in the browser while the HTML source remains gibberish, and malformed ZIPs that extract a .js in Windows Explorer but a benign .txt for many analysis tools. Infected hosts receive follow-on payloads such as Cobalt Strike, backdoors including the Supper SOCKS5 implant, and bots that provide initial access for ransomware affiliates.

Russian APT Uses Hyper‑V VMs for Stealth and Persistence

🛡️ Bitdefender researchers describe how the Russia-aligned APT group Curly COMrades enabled Windows Hyper-V to deploy a minimal Alpine Linux VM on compromised Windows 10 hosts, creating a hidden execution environment. The compact VM (≈120MB disk, 256MB RAM) hosted two libcurl-based implants, CurlyShell (reverse shell) and CurlCat (HTTP-to-SSH proxy), enabling C2 and tunneling that evaded many host EDRs. Attackers used DISM and PowerShell to enable and run the VM under the deceptive name "WSL," and also employed PowerShell and Group Policy for credential operations and Kerberos ticket injection. Bitdefender warns that VM isolation can bypass EDR and recommends layered defenses including host network inspection and proactive hardening.

Hyundai AutoEver America: SSNs and IDs Exposed in Systems

🔐 Hyundai AutoEver America (HAEA) says hackers breached its IT environment, with the intrusion discovered on March 1, 2025. The investigation found unauthorized access dating back to February 22, 2025, and last observed activity on March 2, 2025. Affected data reportedly includes names and, according to the Massachusetts portal, Social Security numbers and driver's licenses. HAEA engaged external cybersecurity experts and law enforcement; the scope and number of individuals impacted remain unclear.

SonicWall: State-Sponsored Hackers Behind September Breach

🔒 SonicWall says a Mandiant-led investigation concluded that state-sponsored actors accessed cloud-stored firewall configuration backup files in September. The company reports the activity was isolated to a specific cloud environment and did not affect SonicWall products, firmware, source code, or customer networks. As a precaution, customers were advised to reset account credentials, temporary access codes, VPN passwords, and shared IPSec secrets. SonicWall also stated there is no connection between the breach and separate Akira ransomware activity.

Operation Chargeback: Dismantling Global Card-Fraud Rings

🔍 Operation Chargeback led to coordinated raids and arrests targeting three alleged international fraud and money-laundering networks that exploited stolen payment data from more than 4.3 million cardholders across 193 countries. Authorities executed 60 searches and 18 arrest warrants after nearly five years of investigation, seizing assets and digital evidence. Investigators say the groups generated roughly 19 million fraudulent subscription charges, abused payment-provider systems and used shell companies to launder proceeds while masking low-value recurring fees to avoid detection.

University of Pennsylvania Confirms Data Stolen in Breach

🔒 The University of Pennsylvania confirmed that attackers used compromised credentials, obtained through a sophisticated social-engineering identity impersonation, to access systems supporting development and alumni operations. The breach, discovered October 31, allowed exfiltration of approximately 1.71 GB of documents from SharePoint and Box and an alleged copy of a Salesforce donor marketing database of about 1.2 million records. Penn has engaged the FBI and CrowdStrike, revoked access, increased monitoring, and warned its community to be cautious of phishing and suspicious outreach while the investigation continues.

UNK_SmudgedSerpent Targets Academics and Policy Experts

🛡️ Proofpoint has identified a previously unknown cluster it calls UNK_SmudgedSerpent that targeted academics and foreign policy experts between June and August 2025. Attackers initiated benign, topical conversations and used think‑tank impersonation alongside an OnlyOffice‑styled link that led to health-themed domains harvesting credentials and delivering a ZIP with an MSI. The installer deployed remote monitoring and management tooling — notably PDQConnect and later ISL Online — and although email activity paused in early August, related infrastructure later surfaced hosting TA455-linked malware, leaving attribution unresolved.

Europol Busts Credit Card Fraud Rings Across 193 Countries

🔎 International authorities dismantled three large credit card fraud and money‑laundering networks in a coordinated November 4 operation, Operation Chargeback, resulting in 18 arrests and the seizure of assets worth over EUR 35 million. Investigators say the rings exploited four major German payment service providers to process and launder at least EUR 300 million in fraudulent charges that affected more than 4.3 million cardholders worldwide. The schemes generated about 19 million fake online subscriptions by using stolen card data and low, recurring charges to evade detection.

SmudgedSerpent Targets U.S. Policy Experts Amid Tensions

🔍 Proofpoint attributes a previously unseen cluster, UNK_SmudgedSerpent, to targeted attacks on U.S. academics and foreign‑policy experts between June and August 2025. The adversary used tailored political lures and credential‑harvesting landing pages, at times distributing an MSI that deployed legitimate RMM software such as PDQ Connect. Tactics resemble Iranian-linked groups and included impersonation of think‑tank figures to increase credibility.