CISO Brief

All news with #credential access tag

182 articles

Fake IPTV Android apps used to deliver malware

🛡️ Cybercriminals are exploiting demand for live sports streaming by distributing fake Android IPTV apps that hide malware. These malicious APKs often mimic legitimate services and load real sites in a built-in browser to avoid suspicion while performing background theft. Researchers observed strains like Massiv and the more advanced Perseus, which abuse Android Accessibility Services to steal banking and crypto credentials. Users in Portugal, Spain, France and Türkiye have been targeted; avoid third-party APKs and keep devices updated.

Carnival Cruise Confirms Breach Impacting Millions

🛳️ Carnival Corporation confirmed a data breach affecting nearly 6 million customers after attackers used social engineering to access an employee account on April 10, 2026. The company began notifying 5,995,277 individuals and engaged third-party security experts while blocking the unauthorized activity. Analysis of leaked data indicates exposed names, dates of birth, emails, genders, locations, and loyalty program details tied to Holland America’s Mariner Society.

FBI: Physical tech-support scams target law firms

🛡️ The FBI warns of a gang dubbed the Silent Ransom Group (SRG) that has shifted from phishing and remote access scams to in-person impersonation of IT support, gaining physical access to devices to install malware or exfiltrate data. The group, active since at least 2022, typically steals data to extort victims without using ransomware encryption. Indicators include unauthorized installs of remote-access tools, new USB or external drive activity, and unexpected data uploads to services like OneDrive or Google Drive.

Chinese PhaaS Grows More Sophisticated, Enables Live Theft

🛡️ Google researchers report a rapid rise in Chinese phishing-as-a-service (PhaaS) operations that have shifted from static password harvesting to real-time credential interception and the tokenization of stolen payment data. These services use encrypted messaging protocols like RCS and iMessage to deliver convincing lures and employ live admin panels to capture OTPs and bypass MFA. Platforms also monetize stolen payment details via digital wallet provisioning and increasingly leverage AI to generate unique phishing pages and evade detection.

Phishing Delivers JavaScript-Driven PureLogs Variant

🛡️ FortiGuard Labs uncovered a phishing campaign using purchase-order-themed emails to deliver a RAR attachment containing an obfuscated JavaScript file that drops and executes a PowerShell script. The PowerShell payload employs fileless techniques and process hollowing to load .NET modules into a suspended MsBuild.exe process, which then extracts and runs a downloader module. The downloader retrieves a fileless PureLogs plugin from a C2 server to harvest credentials, browser data, Discord tokens, and cryptocurrency wallet information before encrypting and exfiltrating it.

Chinese‑language phishing services expand globally

🛡️ Google Threat Intelligence Group analyzed a growing Chinese‑language phishing‑as‑a‑service (PhaaS) ecosystem, finding mature, professional offerings that facilitate real‑time credential and OTP interception and the tokenization of payment data. These services use encrypted channels like RCS and iMessage, provide extensive localization tools and ancillary criminal services, and often operate openly on Telegram. GTIG highlights the shift from simple password harvesting to financial account takeover and recommends stronger technical defenses such as FIDO2/WebAuthn and risk‑based verification.

Identity as the Primary Attack Surface Today

🔐 Modern breaches increasingly exploit identities rather than perimeter flaws. Cloud, SaaS, and hybrid work have dissolved traditional network borders, so attackers favor stolen credentials, session token replay and OAuth consent phishing. MFA and perimeter controls remain important but can be bypassed through social engineering, proxying and misconfigured privileges. Organizations must elevate identity monitoring, enforce least privilege and realign investments toward identity governance and contextual access controls.

Inside modern crypto drainers and spotting signs

🔍 Flare researchers analyzed ~700 underground posts on the "Lucifer DaaS" between Jan 2025 and early 2026 to reveal how modern crypto drainers evolved into professionalized, service-like platforms. The study highlights affiliate-driven distribution, automation, website cloning, Permit2 abuse, and multichain support, showing how DaaS lowers technical barriers and increases resilience. It also lists practical indicators to help users avoid wallet-draining scams.

GitHub Confirms Major Breach of 3,800 Internal Repos

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of stolen repos and claimed responsibility, threatening to leak the data if not sold. GitHub is rotating secrets, analyzing logs, and said it will publish a full incident report when investigations conclude.

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

🔐 Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.

Shai-Hulud Campaign Infects 600+ npm Packages in AntV

⚠️ The Shai-Hulud campaign rapidly published more than 600 malicious npm package versions across 323 unique packages, primarily targeting the @antv ecosystem but also compromising other widely used libraries. The injected, obfuscated payloads harvest developer and CI/CD secrets and exfiltrate data via the Session P2P network, with GitHub used as a fallback repository to publish stolen artifacts. Researchers from Socket and Endor Labs report the attack includes self-propagation, token reuse, and abuse of CI OIDC tokens, allowing malicious packages to appear legitimately signed. Developers should uninstall affected packages and rotate any exposed credentials immediately.

FlowerStorm Phishing Adopts Browser VM Obfuscation

🔒 Researchers at Sublime Security reported that the FlowerStorm phishing-as-a-service campaign has begun using KrakVM, an open-source browser-based JavaScript virtual machine, to conceal credential-stealing code inside HTML attachments. When victims open the attachments in a browser, encrypted bytecode is executed by the VM and launches a dynamic credential- and MFA-harvesting workflow. The kit supports real-time AiTM interception and adapts phishing pages to the victim’s provider and branding, complicating static analysis and many email defenses.

Stealthy Intrusion via Trusted Third-Party Compromise

🔍 Microsoft Incident Response details a stealthy intrusion in which a compromised third‑party IT services provider abused trusted operational tooling to gain durable access. The actor executed VBScripts and web shells via HPE Operations Agent and HPOM, enabling credential theft, lateral movement, and persistent footholds while blending into normal administration. Malicious modules (mslogon.dll, passms.dll, msupdate.dll) captured and staged credentials for exfiltration over SMB and SMTP. The report outlines timeline, analysis, and Microsoft Defender detection and mitigation guidance.

TrickMo Android Banker Adopts TON for Covert Communications

🔒 ThreatFabric uncovered a new TrickMo Android banker variant that communicates with operators via The Open Network (TON) using .adnl identities and an embedded local TON proxy on infected devices. Disguised as TikTok or streaming apps, it targets banking and crypto wallets in France, Italy, and Austria. The modular malware adds several remote networking commands and proxying capabilities. Android users should restrict app sources and enable Play Protect.

Quasar Linux RAT Targets Developers' Credentials, Pipelines

🔒 Trend Micro researchers disclosed a previously undocumented Linux implant dubbed Quasar Linux RAT (QLNX) that targets developers' and DevOps credentials to establish a stealthy foothold. The fileless loader masquerades as kernel threads, erases logs, and persists via seven or more mechanisms such as systemd, crontab and .bashrc injection. Its credential harvester extracts secrets from high-value files including .npmrc, .pypirc, .git-credentials, .aws/credentials, .kube/config, .docker/config.json and .env, enabling registry poisoning, cloud access or CI/CD pivoting. QLNX also installs PAM inline-hook backdoors, a userland LD_PRELOAD rootkit and an eBPF kernel component to hide artifacts while supporting 58 remote commands and data exfiltration.

PCPJack credential stealer targets cloud, displaces TeamPCP

🔒 SentinelOne researchers led by Alex Delamotte disclosed PCPJack, a modular credential-theft framework that targets exposed cloud, container, developer, productivity, and financial services while actively removing artifacts tied to TeamPCP. The campaign boots via a shell script that prepares the host, installs Python, fetches six purpose-built Python payloads, and launches an orchestrator that exploits known CVEs and propagates in a worm-like fashion. Stolen credentials are encrypted and exfiltrated to attacker-controlled Telegram channels, and a secondary script harvests service keys from IMDS, Kubernetes service accounts, and Docker instances for a wide range of services including OpenAI and 1Password.

World Password Day 2026: Why Passwords No Longer Protect

🔐 The World Password Day 2026 post contends that conventional password guidance is now inadequate: a 16-character secret can be lifted by infostealer malware from browser caches or exposed when employees paste credentials into unmanaged AI chatbots. It exposes a global, commoditized underground on platforms like Telegram where harvested credentials are bought and sold. The article warns organizations that passwords alone cannot prevent account takeover and urges layered technical and policy controls.

MuddyWater Uses Chaos Ransomware as Decoy in Attacks

🔍 The Iranian state-sponsored group MuddyWater disguised a cyber-espionage operation as a Chaos ransomware attack, leveraging Microsoft Teams social engineering to harvest credentials and manipulate MFA. Attackers used fake Quick Assist phishing pages or tricked victims into typing passwords into local files, then moved laterally via AnyDesk, DWAgent, and RDP to establish persistence. Rapid7 links the campaign to MuddyWater with moderate confidence, noting a signed loader (ms_upd.exe) that drops a backdoor (Game.exe) with anti-analysis checks.

One in Eight UK Employees Admit Selling Corporate Logins

🔒 A Cifas survey of 2,000 UK employees at firms with 1,000+ staff found 13% admitted to selling corporate logins in the past year or knew someone who had. The report highlights even higher tolerance among senior managers and executives, with justification rates rising to 32-43% and 81% for business owners. Cifas urges organisations to build fraud-aware cultures and deliver counter-fraud training to curb insider risk.

CloudZ RAT Exploits Windows Phone Link to Steal OTPs

🔒 Cisco Talos researchers disclosed an intrusion leveraging the CloudZ remote access tool and an undocumented plugin named Pheno to harvest credentials and one‑time passwords. The attackers abused Microsoft's Phone Link PC-to-phone bridge to monitor SMS/OTP data without deploying malware on the mobile device. The campaign, active since at least January 2026, uses a fake ConnectWise ScreenConnect dropper, a .NET loader and modular plugins to establish persistence and encrypted C2 communications.