All news in category “Incidents and Data Breaches”

🔒 Microsoft’s Detection and Response Team (DART) detailed a novel .NET backdoor called SesameOp that leverages the OpenAI Assistants API as a covert command-and-control channel. Discovered in July 2025 during a prolonged intrusion, the implant uses a loader (Netapi64.dll) and an OpenAIAgent.Netapi64 component to fetch encrypted commands and return execution results via the API. The DLL is heavily obfuscated with Eazfuscator.NET and is injected at runtime using .NET AppDomainManager injection for stealth and persistence.

🚨 Balancer announced an exploit of its V2 Compostable Stable Pools on Ethereum at 07:48 UTC that resulted in reported losses exceeding $128 million. Initial analysis from GoPlus Security points to a precision rounding error in the Vault’s swap calculations that an attacker chained via batchSwap, while other researchers suggest improper authorization and callback handling in V2 vaults. Balancer says the issue is isolated to V2 Compostable Stable Pools, with V3 and other pools unaffected, and the team is working with security researchers on a full post‑mortem. Users are warned to remain vigilant for scams and phishing attempts following the incident.

🛡️ A remote-access trojan named SleepyDuck, disguised as a Solidity extension on Open VSX, uses an Ethereum smart contract to deliver command-and-control instructions. The malicious package, downloaded over 53,000 times, activates on editor startup, when a Solidity file is opened, or when the compile command is run. On activation it collects system identifiers, creates a lock file for persistence, and polls an on-chain contract to update or replace its C2 endpoint. Open VSX has flagged the package and implemented security controls; developers should rely only on reputable publishers and official repositories.

🦆 Researchers at Secure Annex warned of a malicious Open VSX extension, juan-bianco.solidity-vlang, that delivers a remote access trojan dubbed SleepyDuck. Originally published as a benign library on October 31, 2025, it was updated to a malicious release after reaching about 14,000 downloads. The extension triggers on opening a code editor window or selecting a .sol file, harvesting host details and polling an Ethereum-based contract to obtain and update its command server. It also contains fallback logic using multiple Ethereum RPC providers to recover C2 information if the domain is taken down; users should only install extensions from trusted publishers and follow vendor guidance.

🔒 Three former incident response employees from DigitalMint and Sygnia have been indicted for allegedly carrying out ALPHV/BlackCat ransomware attacks on five U.S. companies between May and November 2023. Prosecutors say the defendants accessed networks, exfiltrated data, deployed encryption malware, and demanded ransoms ranging from $300,000 to $10 million, with one victim paying $1.27 million. Two named defendants face federal extortion and computer-damage charges that carry up to 20 and 10 years in prison respectively.

🛡️ Microsoft DART researchers uncovered SesameOp, a novel .NET backdoor that leverages the OpenAI Assistants API as a covert command-and-control (C2) channel instead of traditional infrastructure. The implant includes a heavily obfuscated loader (Netapi64.dll) and a backdoor (OpenAIAgent.Netapi64) that persist via .NET AppDomainManager injection, using layered RSA/AES encryption and GZIP compression to fetch, execute, and exfiltrate commands. Microsoft and OpenAI investigated jointly and disabled the suspected API key; detections and mitigation guidance are provided for defenders.

🚨 Threat actors are targeting freight brokers and carriers with malicious emails and compromised load-board posts to deliver remote monitoring and management tools (RMM) such as ScreenConnect, NetSupport, and PDQ Connect. Once installed, attackers gain remote control to alter bookings, block notifications, harvest credentials, and impersonate carriers to reroute and physically steal high-value shipments. Proofpoint tracked dozens of campaigns since January, primarily in North America, exploiting social engineering and legitimate RMM functionality.

🚚 Proofpoint researchers report that cybercriminals are compromising transportation firms to facilitate physical cargo theft by abusing remote management and access tools. Attackers use social engineering — including fake load-board listings, email thread hijacking and targeted phishing — to deliver installers that deploy RMM and RAS utilities. Once inside, they perform reconnaissance, harvest credentials with tools such as WebBrowserPassView, and expand access, enabling organized-crime partners to bid on and steal shipments.

🚚 Proofpoint warns that cybercriminals are increasingly deploying legitimate remote monitoring and management tools to compromise trucking and logistics firms, enabling cargo theft and financial gain. Working with organized crime, they target asset-based carriers, brokers and integrated providers—especially food and beverage shipments—using compromised emails, fraudulent load-board listings and booby-trapped MSI/EXE installers to deliver ScreenConnect, SimpleHelp and other RMMs. Once inside, attackers conduct reconnaissance, harvest credentials with tools like WebBrowserPassView, delete bookings, block dispatcher alerts and reassign loads to facilitate physical theft, often selling stolen cargo online or overseas.

🛡️ Rhysida ransomware operators have shifted to malvertising and the abuse of Microsoft Trusted Signing certificates to slip malware past defenses. By buying Bing search ads that point to convincing fake download pages for Microsoft Teams, PuTTY and Zoom, they deliver initial access tools such as OysterLoader (formerly Broomstick/CleanUpLoader) and Latrodectus. Signed, packaged binaries evade static detection and often run without scrutiny on Windows endpoints.

🔒 Security researchers at Gen Digital disclosed a targeted Kimsuky campaign that delivered a previously undocumented backdoor called HttpTroy, hidden inside a ZIP attachment masquerading as a VPN invoice. The multi-stage chain used a Golang dropper, a loader dubbed MemLoad and a DLL backdoor executed via a scheduled task named "AhnlabUpdate" to achieve persistence. HttpTroy provides extensive remote-control capabilities and communicates with a C2 server over HTTP, while employing layered obfuscation to hinder analysis and detection.

🔒 A Ukrainian national extradited from Ireland has appeared in a US court, accused of conspiring to deploy Conti ransomware and manage stolen data and ransom notes. Authorities allege Oleksii Lytvynenko participated in attacks between 2020 and July 2022 that resulted in more than $500,000 in cryptocurrency extorted from victims in the Tennessee district and the publication of additional stolen data. He faces computer fraud and wire fraud conspiracy charges and could receive up to 25 years in prison if convicted.

🔐 A threat actor claims to have compromised University of Pennsylvania systems and exfiltrated data for roughly 1.2 million students, alumni, and donors, including names, dates of birth, contact details, estimated net worth, donation histories, and sensitive demographic data. The attacker said they gained access via a compromised PennKey SSO account and accessed VPN, Salesforce Marketing Cloud, Qlik, SAP, SharePoint, and Box. After access was revoked on October 31 the actor used Marketing Cloud to send offensive emails to about 700,000 recipients and published a 1.7-GB archive of files. Penn says it is investigating; donors should watch for targeted phishing and verify solicitations directly with the university.

🔒 A Ukrainian man long accused of building and operating components of the Jabber Zeus banking trojan has been arrested in Italy and is now in U.S. custody. Prosecutors say 41-year-old Yuriy Igorevich Rybtsov, previously identified only by the handle MrICQ, was charged in a 2012 Nebraska indictment as a developer and notification handler for the group. Investigators allege Jabber Zeus used a custom ZeuS variant and a Leprechaun component to intercept credentials and bypass multi-factor protections, enabling large payroll thefts via recruited money mules.

🔒 Open VSX rotated access tokens after developers accidentally leaked credentials in public repositories, a lapse that allowed attackers to publish malicious VS Code–compatible extensions in a supply‑chain campaign. The Eclipse Foundation says the threat, linked to a campaign dubbed GlassWorm, was contained by Oct 21 after malicious extensions were removed and tokens revoked. The registry plans shorter token lifetimes, faster revocation workflows, automated publication scans, and increased collaboration with other marketplaces to reduce future risk.

🔒 Sophos researchers discovered China-linked espionage group Bronze Butler exploiting a zero-day in Motex Lanscope Endpoint Manager (CVE-2025-61932) to deploy an updated Gokcpdoor backdoor. The flaw enabled unauthenticated remote code execution as SYSTEM on affected versions (<=9.4.7.2), and attackers used OAED Loader, DLL sideloading, and multiplexed C2 channels to evade detection. Motex released patches on October 20, 2025, and CISA added the vulnerability to its KEV list; organizations are advised to upgrade immediately since no mitigations exist.

🛡️Arctic Wolf reports that Chinese government-linked actors, tracked as UNC6384 and linked to the longer-running Mustang Panda cluster, conducted spear-phishing campaigns in September and October targeting diplomats in Hungary, Belgium, Serbia, Italy and the Netherlands by abusing a long-known Windows .LNK shortcut parsing flaw. The vulnerability allows command-line instructions to be concealed in .LNK whitespace so attackers can display decoy PDFs—such as an agenda for a European Commission meeting—while executing payloads that deploy the PlugX remote-access Trojan. Trend Micro and ZDI previously documented the issue (i.e., ZDI-CAN-25373, later CVE-2025-9491), but Microsoft has so far declined to fully patch it; Arctic Wolf advises blocking or disabling .LNK execution, monitoring for related binaries like cnmpaui.exe, and blocking C2 domains as interim mitigations.

📧 The University of Pennsylvania distributed a series of offensive emails to students and alumni claiming data was stolen in a breach and urging action. The messages, with the subject line "We got hacked (Action Required)", were sent from multiple Penn addresses, including the Graduate School of Education, via the connect.upenn.edu mailing-list platform hosted on Salesforce Marketing Cloud. Penn's Office of Information Security said the messages are fraudulent, its Incident Response team is investigating, and the university has placed a website banner advising recipients to disregard or delete the emails.

🛡️ Palo Alto Networks Unit 42 linked a suspected nation-state cluster (CL-STA-1009) to a new backdoor named Airstalk that abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel. The malware appears in PowerShell and more capable .NET variants and can capture screenshots, harvest browser cookies, history and bookmarks, and enumerate user files. Airstalk misuses MDM custom attributes as a dead-drop resolver and leverages the API blobs feature to exfiltrate large artifacts; some .NET samples were signed with a likely stolen certificate.

⚠️ The Australian Signals Directorate warns of ongoing attacks against unpatched Cisco IOS XE devices being backdoored with the Lua-based BadCandy webshell. The exploited flaw, CVE-2023-20198, allows unauthenticated actors to create local admin accounts via the web UI and execute commands with root privileges. Cisco issued a patch in October 2023, but many internet-exposed devices remain vulnerable and have been repeatedly re-infected.