Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Latest News

SLH Pays Up to $1,000 Per Call to Expand IT Help Desk Vishing Operations

  A cybercrime network known as Scattered LAPSUS$ Hunters, or SLH, is offering financial rewards ranging from $500 to $1,000 per call to rec...

All the recent news you need to know
IoT
AI Cloud Cyber Security Data Data Leak IoT

Two AI Data Breaches Leak Over Billion KYC Records


About the leaks

Two significant data leaks connected to two AI-related apps have been discovered by cybersecurity researchers, exposing the private information and media files of millions of users worldwide. 

The security researchers cautioned that more than a billion records might be exposed in two different studies published by Cybernews, which were initially reported by Forbes. An AI-powered Know Your Customer (KYC) technology utilized by digital identity verification company IDMerit has been blamed for the initial leak. The business offers real-time verification tools to the fintech and financial services industries as part of its AI-powered digital identity verification solutions.

Attack tactic 

When the researchers discovered the unprotected instance on November 11, 2025, they informed the company right away, and they quickly secured the database. The cybersecurity researchers said, "Automated crawlers set up by threat actors constantly prowl the web for exposed instances, downloading them almost instantly once they appear, even though there is currently no evidence of malicious misuse." 

Leaked records

One billion private documents belonging to people in 26 different nations were compromised. With almost 203 million exposed data, the United States was the most impacted, followed by Mexico (124 million) and the Philippines (72 million). Full names, residences, postcodes, dates of birth, national IDs, phone numbers, genders, email addresses, and telecom information were among the "core personal identifiers used for your financial and digital life" that were made public.

According to researchers, account takeovers, targeted phishing, credit fraud, SIM swaps, and long-term privacy losses are some of the downstream hazards associated with this data leak. The Android software "Video AI Art Generator & Maker," which has received over 500,000 downloads on Google Play and has received over 11,000 reviews with a rating of 4.3 stars, is connected to the second leak. Due to a Google Cloud Storage bucket that was improperly configured, allowing anyone to access stored files without authentication, the app was discovered to be leaking user data. According to researchers, the app exposed millions of media assets created by users utilizing AI, as well as more than 1.5 million user photos and 385,000 videos.

The app was created by Codeway Dijital Hizmetler Anonim Sirketi, a company registered in Turkey. Previously, the company's Chat & Ask AI app leaked around 300 million messages associated with over 25 million users.

Read more »
User Security
Crypto Theft Data Breach NTS South Korea User Security

Korean Tax Agency Leaks Seed Phrase, Loses $4.8M in Crypto

 

South Korea's National Tax Service (NTS) turned a major tax evasion crackdown into a $4.8 million cryptocurrency catastrophe by accidentally exposing a seized wallet's seed phrase in a public press release. Hackers drained 4 million Pre-Retogeum (PRTG) tokens from the Ledger hardware wallet within hours of the February 26, 2026, announcement. This blunder exposed profound gaps in government handling of digital assets. 

The NTS raided 124 wealthy tax dodgers, confiscating crypto worth 8.1 billion won ($5.6 million total). Their celebratory photos showed the Ledger device next to an unredacted handwritten 24-word mnemonic—the master key granting full wallet access anywhere, without needing the physical hardware or passwords. By failing to blur this critical information, officials broadcast the equivalent of a bank vault combination nationwide. 

On-chain sleuthing confirmed the rapid heist: an attacker added Ethereum for gas fees, then siphoned the PRTG in three transactions to new addresses. Blockchain experts, including Hansung University's Professor Cho Jae-woo, slammed the NTS for crypto illiteracy, comparing it to "leaving a safe wide open for public plunder." Local reports noted subsequent chaos—one hacker allegedly returned funds, only for another to steal them again, pushing losses toward 6.9 billion won. 

In response, the NTS yanked the images, issued a full apology admitting fault for "careless vividness," and called in police for a cyber probe. Deputy PM Koo Yun-cheol announced multi-agency reviews by the Financial Services Commission to overhaul seizure protocols. This follows prior embarrassments, like police losing 22 BTC ($1.5 million) in a 2021 custody failure.

The incident underscores seed phrases' immense power in crypto security—irreversible access that demands ironclad protection. Governments worldwide must adopt air-gapped storage, expert audits, and redaction training for digital seizures. For users: etch seeds on metal, store offline, never snap photos. Such lapses risk taxpayer funds in the exploding crypto enforcement era.
Read more »
Google security
Cyber Security Google Chrome Google Chrome HTTPS warning Google Chrome security Google Quantum Google security

Google Chrome Introduces Merkle Tree Certificates to Build Quantum-Resistant HTTPS

 

A fresh move inside Google Chrome targets long-term security of HTTPS links against risks tied to quantum machines. Instead of dropping standard X.509 certificates straight into the Chrome Root Store - ones using post-quantum methods - the team leans on an alternate design path. Speed stays high, system growth remains smooth, thanks to this structural twist shaping how protection rolls out online. 

The decision comes from Chrome’s Secure Web and Networking Team: conventional post-quantum X.509 certificates won’t enter the root program right now. Rather than adopt them outright, Google works alongside others on a different path - Merkle Tree Certificates (MTCs). Progress unfolds inside the PLANTS working group, shifting how HTTPS verification could function down the line. 

One way to look at MTCs, according to Cloudflare, is as an updated framework for how online trust systems operate today. Instead of relying on long chains of verification, these models aim to cut down excess - fewer keys, fewer signatures traded when devices connect securely. A key feature involves certification authorities signing just one root structure, known as a Tree Head, which stands in for vast groups of individual certificates. During a web visit, the user's browser gets a small cryptographic note confirming the site’s credentials live inside that larger authenticated structure. Rather than pulling multiple files across networks, only minimal evidence travels each time. 

One way this setup works is by fitting new quantum-resistant codes without needing much extra data flow. Large certificates often grow bulkier when using tougher encryption methods. Instead of linking security directly to file size, these compact certificates help maintain speed during secure browsing. With less information needed at connection start, performance stays high even under upgraded protection levels. 

Testing of MTCs is now happening, using actual internet data flows, alongside a step-by-step introduction schedule that runs until 2027. Right now, the opening stage focuses on checking viability through joint work with Cloudflare, observing how things run when exposed to active TLS environments. Instead of waiting, preparations are shifting ahead - by early 2027, those running Certificate Transparency logs, provided they had at least one accepted by Chrome prior to February 1, 2026, may join efforts to kickstart broader MTC availability. Moving forward, around late 2027, rules for admitting CAs into Google's new quantum-safe root store should be set, a system built only to handle MTC certificates. 

A shift like this one sits at the core of Google's approach to future-proofing online security. Rather than wait, the team is rebuilding trust systems so they handle both emerging risks and current efficiency needs. With updated certificates in place, stronger defenses can spread faster across services. Speed does not take a back seat - performance stays aligned with how people actually use browsers now.
Read more »
Screen Overlay Attack
Accessibility Service Abuse Digital Identity Theft IPTV Malware Campaign malware Mobile Banking Trojan Mobile Cybersecurity Threats Screen Overlay Attack

New Massiv Malware Targets Android Banking Users Through Fake IPTV App


 

As a result of the convenience of mobile streaming, user behavior has quietly been reshaped, normalizing the practice of downloading applications outside of official app marketplaces that have been guarded. In this gray area of digital consumption, a recently discovered Android banking Trojan known as Massiv has begun to circulate, resulting in an alert to security researchers. 

A malware program disguised as an IPTV application and distributed by convincingly crafted third-party websites capitalizes on a routine that many users no longer question as a threat. Instead of providing a shortcut to premium or region-locked entertainment, cybercriminals are now using this shortcut as a conduit for financial intrusion, illustrating how cybercriminals are evolving in concert with changing consumer trends. 

A subsequent technical analysis conducted by the ThreatFabric mobile threat intelligence team revealed that Massiv incorporates a multilayered attack framework designed to bypass contemporary mobile security safeguards. In addition to intercepting user input, the Trojan uses keylogging capabilities to capture authenticating credentials in real time through screen overlay techniques. 

In Portugal, it primarily targets two critical applications, a government service platform and an accompanying digital authentication infrastructure known as Chave Móvel Digital. The Massive product embeds itself within the Accessibility Service and extracts structured interface data, including visible text strings, user interface element identifiers, screen coordinates, and interaction metadata, enabling operators to reconstruct user sessions without relying solely upon traditional screen capture techniques.

According to researchers, this secondary data extraction method is particularly useful against banking and communication applications with screen recording restrictions, effectively neutralizing a common defensive control. 

By collecting credentials and identity information, threat actors can go beyond immediate account compromise with their harvested credentials and identity data. As a result of investigations, fraudulent financial accounts were opened by investigators on behalf of victims across institutions where they had never previously engaged. 

Once these newly established accounts are fully controlled by the attackers, they are integrated into broader financial abuse schemes, facilitating illicit fund transfers, loan applications and structured cash outs.

It is important to note that the effect of the theft extends beyond temporary account access; victims may be exposed to long-term financial responsibilities linked to accounts and debts they did not authorize or recognize, thus illustrating a shift from opportunistic theft to systematic exploitation of people's identities. 

Throughout Massiv's architecture, surveillance, deception, and remote manipulation techniques are combined to achieve sustained control over compromised devices through deliberate convergence. By deploying screen overlays mimicking legitimate login interfaces, the malware attempts to harvest credentials unknowingly, prompting users to provide their authentication information into attacker-controlled forms.

The embedded keylogging functionality allows for the collection of credentials and other sensitive data in real time by capturing typed inputs. Beyond these conventional banking Trojan features, Massiv provides two advanced operating modes that substantially expand its capabilities, including live screen streaming using Android’s MediaProjection API and detailed user interface mapping using Accessibility Services. 

Using the latter mechanism, operators are able to extract structured UI-tree information, such as visible text, interface identifiers, and precise screen coordinates. By using this intelligence, attackers can simulate user interactions remotely, executing clicks, modifying fields, and navigating applications as if they held the device physically. 

According to researchers, this approach effectively circumvents screen-capture restrictions commonly employed by banking and secure messaging applications, thereby undermining a control widely relied upon to prevent session hijacking and visual data leakage. Distributing tactics demonstrate an adaptive approach to user behavior in addition. 

Researchers have observed a sustained increase in malware campaigns packaged within alleged IPTV streaming applications in recent months. Threat actors take advantage of the established pattern of off-store installation, as many of these streaming platforms operate in legal grey areas and can be obtained via sideloaded APK files rather than through official marketplaces. 

It is possible that the IPTV application has been developed entirely, serving primarily as a dropper for Massiv deployment. It is also possible that the application loads an authentic IPTV website within a WebView environment to maintain the appearance of legitimacy, while executing the malicious payload in the background. 

As a result of the geographical focus and scalability of the operation, activities have been largely concentrated in Spain, Portugal, France and Turkey. In the broader context, the implication is that contemporary banking malware has evolved far beyond simple credential interception campaigns, pursuing comprehensive identity takeover campaigns in a mass-scale manner, integrating fraud downstream, remote session control, and digital identity abuse into one operational chain. 

Using state-sponsored authentication systems in concert with banking platforms, attackers are able to increase their financial exposure and potential regulatory repercussions for victims as well as institutions. Mitigation requires the application of disciplined mobile security practices. 

As a precautionary measure, users are advised to download applications from Google Play only, keep Google Play Protect active, and avoid downloading APK files from unverified sources. Careful scrutiny of the application permissions remains important, particularly those that request Accessibility Service or screen recording privileges. 

A comprehensive awareness program at the organizational level should address the growing risk surface associated with mobile identity ecosystems, particularly in environments where state-issued digital credentials are integrated with financial services, demonstrating that mobile devices have become increasingly important vectors for identity-centric cybercriminals. 

As part of the recent surge of IPTV-themed Android malware campaigns over the past six to eight months, the Trojan has been designated "Massive" after a core internal module. ThreatFabric reports that operators have consistently employed streaming applications to spread infection, with the majority of activity occurring in Spain, Portugal, France, and Turkey, according to research by ThreatFabric. 

An IPTV platform has become increasingly popular as a method to normalize installation from unofficial sources due to its plausible user demand and distribution channel. From a technical perspective, Massiv is able to embed itself within the infected device through the incorporation of the necessary mechanisms. 

In addition to being aggressively aggressive with its request for permission to access Accessibility Service, the malware aggressively prompts victims to grant these permissions, a crucial requirement for sustained monitoring and interaction with system and application interfaces. 

Upon installation, customized overlay pages are deployed over selected applications for the collection of credentials. During one documented campaign, the malware impersonated the Portuguese government application gov.pt and solicited victims' phone numbers and PINs under the false pretense of legitimate authentication. Massive supports dual data acquisition methods. 

Using the Android MediaProjection API, it streams screen content directly to a remote operator to mirror user activity in real-time. A structured extraction technique known as UI-tree mode is employed by malware in applications that enforce screen capture protections. 

During this configuration, AccessibilityNodeInfo objects are recursively parsed to create a JSON-formatted representation of interface data, including visible text fields, element attributes, and interaction flags. By using this alternative method, attackers can reconstruct application states and inputs even when conventional screen recording is prevented. 

Research indicates that although Massiv has not yet been formally advertised as malware-as-a-service on underground forums, there are indications that the company is on its way to operational scaling. A review of the command-and-control communication framework reveals that API keys have been implemented, which implies that the architecture was designed to facilitate modular deployment or third-party operator access. 

As the campaign matures, additional capabilities may be integrated as a result of ongoing code refinements, which indicate active development. Having emerged, Massiv symbolizes the convergence of financial fraud, identity exploitation, and system abuse within a single operational framework, which represents a wider turning point in mobile threat evolution.

Mobile devices are increasingly being utilized as gateways to national identity systems and regulated financial ecosystems as attackers refine distribution tactics and invest in modular, scalable infrastructures. 

Rather than reacting to malware attacks, security teams and policymakers must focus on sustained mobile threat intelligence, tighter control over the integration of digital identities, and increased user awareness regarding permission abuse in order to provide a more comprehensive response to threats. 

The ability to maintain resilience in an environment where sideloaded convenience can lead to systemic risk will depend on the alignment of technical safeguards with regulatory oversight and informed user behavior against an adversary model whose capabilities are demonstrably changing in real time.
Read more »
malware
Android backdoor threat Android firmware attack Google Play malware removal Kaspersky security report Keenadu malware

Keenadu Android Malware Found in Device Firmware, Grants Hackers Full Control Over Infected Phones

 

A newly identified and highly advanced Android malware strain named Keenadu has been discovered embedded within firmware across multiple device brands, allowing attackers to infiltrate all installed applications and gain unrestricted access to compromised devices.

In a detailed report by Kaspersky, researchers revealed that Keenadu spreads through several channels. These include tampered over-the-air (OTA) firmware updates, existing backdoors, pre-installed system applications, altered apps from unofficial marketplaces, and even applications distributed via Google Play.

The malware exists in multiple versions, with the firmware-level variant being the most powerful. As of February 2026, Kaspersky confirmed at least 13,000 infected devices worldwide, primarily in Russia, Japan, Germany, Brazil, and the Netherlands.

Security experts likened Keenadu to Triada, a previously uncovered Android malware family identified in counterfeit, low-cost smartphones distributed through questionable supply chains.

Interestingly, the firmware-based version of Keenadu avoids activation if the device language or timezone corresponds to China, a detail that may hint at its origins. It also disables itself on devices lacking Google Play Store and Play Services.

While the operators are currently leveraging the malware for advertising fraud, researchers warn that its capabilities extend far beyond that. Keenadu can conduct extensive data theft and execute high-risk commands on infected devices.

“Keenadu is a fully functional backdoor that provides the attackers with unlimited control over the victim’s device,” Kaspersky told BleepingComputer.

“It can infect every app installed on the device, install any apps from APK files, and give them any available permissions.”

“As a result, all information on the device, including media, messages, banking credentials, location, etc. can be compromised. The malware even monitors search queries that the user inputs into the Chrome browser in incognito mode,” the researchers said.

A separate variant embedded in system applications offers fewer capabilities but still maintains elevated privileges, enabling it to silently install apps without notifying users. Investigators found one instance hidden within a facial recognition system app used for device unlocking and authentication.

Researchers also detected malicious apps hosted on Google Play, including smart home camera applications that accumulated approximately 300,000 downloads before being removed. When launched, these apps secretly opened hidden browser tabs that navigated to background websites — behavior similar to suspicious APK files previously identified by Dr.Web.

Keenadu has also been traced to firmware in Android tablets from various manufacturers. One affected device, the Alldocube iPlay 50 mini Pro (T811M), contained firmware dated August 18, 2023.

Following customer concerns in March 2024 that Alldocube’s OTA infrastructure had been compromised, the company acknowledged “a virus attack through OTA software” but did not disclose further technical specifics.

Kaspersky’s technical analysis explains that Keenadu manipulates the critical Android library libandroid_runtime.so, allowing it to function “within the context of every app on the device.” Because of this deep-level integration, the malware cannot be removed using conventional Android security tools.

Experts advise users to reinstall a verified clean firmware version specific to their device. Alternatively, installing firmware from reputable third-party sources may help, though it carries the risk of rendering the device unusable if compatibility issues arise. In high-risk cases, replacing the affected device with hardware purchased from trusted vendors and authorized distributors is considered the safest approach.

In an update dated February 18, Google confirmed to BleepingComputer that the malicious apps had been taken down from Google Play.

"Android users are automatically protected from known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users and disable apps known to exhibit Keenadu associated behavior, even when those apps come from sources outside of Play. As a best security practice, we recommend users ensure their device is Play Protect certified." - A Google spokesperson
Read more »
zero day attacks
Akira Cybersecurity Data Breach Madison Square Garden Ransomware SSNs zero day attacks

Madison Square Garden Notifies Victims of SSN Data Breach

 



The Madison Square Garden Family of Companies has disclosed that it recently alerted an undisclosed number of individuals about a cybersecurity incident that occurred in August 2025. The company confirmed that the exposed information includes names and Social Security numbers.

According to MSG’s notification letter, attackers exploited a previously unknown vulnerability in Oracle’s E-Business Suite, an enterprise software platform widely used for finance, human resources, and back-office operations. The affected system was hosted and managed by an unnamed third-party vendor, indicating the intrusion occurred through an externally maintained environment rather than MSG’s core internal network.

Oracle informed customers that an undisclosed condition in the application had been abused by an unauthorized party to obtain access to stored data. MSG stated that its investigation, completed in late November 2025, determined that unauthorized access had taken place in August 2025. The gap between compromise and confirmation reflects a common pattern in zero-day attacks, where flaws are exploited before vendors are aware of their existence or able to issue patches.

In November 2025, the ransomware group known as Clop, also stylized as Cl0p, publicly claimed responsibility for the breach. During the same period, the group carried out a broader campaign targeting hundreds of organizations by leveraging the same Oracle vulnerability. MSG has not acknowledged Clop’s claim, and independent verification of the group’s involvement has not been established. The company has not disclosed how many people were notified, whether a ransom demand was made, or whether any payment occurred. A request for further comment remains pending.

MSG is offering eligible individuals one year of complimentary credit monitoring through TransUnion. Affected recipients have 90 days from receiving the notice letter to enroll.

Clop first appeared in 2019 and has become known for exploiting zero-day flaws in enterprise software. Beyond Oracle’s E-Business Suite, the group has targeted Cleo file transfer software and, more recently, vulnerabilities in Gladinet CentreStack file servers. Unlike traditional ransomware operators that focus primarily on encrypting systems, Clop frequently prioritizes data theft. The group exfiltrates information and then threatens to publish or sell it if payment is not made.

In 2025, Clop claimed responsibility for 456 ransomware incidents. Of those, 31 targeted organizations publicly confirmed resulting data breaches, collectively exposing approximately 3.75 million personal records. Institutions reportedly affected by the Oracle zero-day campaign include Harvard University, GlobalLogic, SATO Corporation, and Dartmouth College.

So far in 2026, Clop has claimed another 123 victims, including the French labor union CFDT. Its most recent operations reportedly leverage a newer vulnerability in Gladinet CentreStack servers.

Ransomware activity across the United States remains extensive. In 2025, researchers recorded 646 confirmed ransomware attacks against U.S. organizations, along with 3,193 additional unverified claims made by ransomware groups. Confirmed incidents resulted in nearly 42 million exposed records. One of the largest cases linked to Clop involved exploitation of the Oracle vulnerability at the University of Phoenix, which later notified 3.5 million individuals. In 2026 to date, 17 confirmed attacks and 624 unconfirmed claims are under review.

Other incidents disclosed this week include a December 2024 breach affecting the City of Carthage, Texas, reportedly claimed by Rhysida; a March 2025 breach at Hennessy Advisors impacting 12,643 individuals and attributed to LockBit; an August 2025 breach at KCI Telecommunications linked to Akira; and a December 2025 incident at The Lewis Bear Company affecting 555 individuals and also claimed by Akira.

Ransomware attacks can both disable systems through encryption and involve large-scale data theft. In Clop’s case, data exfiltration appears to be the primary tactic. Organizations that refuse to meet ransom demands may face public disclosure of stolen data, extended operational disruption, and increased fraud risks for affected individuals.

The Madison Square Garden Family of Companies includes Madison Square Garden Sports Corp., Madison Square Garden Entertainment Corp., and Sphere Entertainment Co.. The group owns and operates major venues such as Madison Square Garden, Radio City Music Hall, and the Las Vegas Sphere.



Read more »
Subscribe to: Comments (Atom)

Featured