Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Latest News

Helix Data Extortion Group Targets Microsoft SharePoint Using Vishing and MFA Abuse

  Cybersecurity researchers have discovered a new data extortion group called Helix that has been targeting companies by using user credenti...

All the recent news you need to know

Hidden Wi‑Fi Killers: Everyday Things Quietly Ruining Your Home Internet

 

Many everyday objects can quietly wreck your Wi‑Fi, and understanding them is the first step to a more stable home network. From kitchen gadgets to building materials, the invisible radio waves carrying your data are constantly competing with physical and electronic obstacles around you. 

One of the strangest culprits is food and water, including items like fish tanks and even our own bodies. Wi‑Fi uses radio waves that don’t travel well through water, so a large aquarium, a fridge full of liquids, or someone standing between your router and laptop can noticeably weaken the signal. In small apartments, simply shifting a water‑filled appliance or changing where people usually sit while streaming can reduce interference and improve speeds. 

Household electronics add another layer of complexity, especially devices that share similar frequencies with Wi‑Fi. Older microwave ovens, baby monitors, cordless phones, Bluetooth gadgets and even Christmas lights can create electromagnetic noise that clashes with the 2.4 GHz band many routers still use. If you experience drops in connection whenever someone heats lunch or turns on festive lighting, moving the router away from these devices or switching to a dual‑band or Wi‑Fi 6 router can help. 

The materials in your home can be just as problematic as gadgets and appliances. Thick stone or concrete walls, metal structures, mirrors, reinforced floors and dense furniture all absorb or reflect wireless signals, turning parts of your house into dead zones. Positioning your router centrally and elevated, rather than hiding it behind a television or inside a cabinet, makes it easier for the signal to travel through rooms without being blocked. 

Finally, neighbouring networks are an invisible but powerful source of interference, especially in crowded apartments. Dozens of routers broadcasting on overlapping channels can create “Wi‑Fi traffic jams” that slow everyone down, even when your own setup is optimal. Using a Wi‑Fi analyser app to find a less congested channel, upgrading to newer standards, and combining wired connections with smart router placement can turn a frustrating, glitchy connection into a much smoother online experience.

Microsoft-Signed Driver Used to Disable Security Software in GodDamn Ransomware Attacks

 


A ransomware group known as Hyadina has been observed using a Microsoft-signed Windows kernel driver to disable endpoint security software before deploying its latest ransomware variant, GodDamn, according to researchers at Symantec. The campaign combines trusted administrative software, publicly available offensive security tools and a signed kernel driver to establish control over victim environments before encrypting systems.

Hyadina has operated as a ransomware-as-a-service (RaaS) group for approximately four years, evolving its malware from earlier variants known as Beast and Monster to its current GodDamn locker. The group primarily targets organizations in the United States while reportedly avoiding victims in former Soviet countries. Previous attacks have affected organizations across healthcare, manufacturing, education and several other industries.

Symantec was unable to determine how the attackers initially gained access to the compromised environment. The first confirmed activity appeared on May 29, when an unauthorized copy of AnyDesk was discovered inside the Music folder of an infected system. Although AnyDesk is legitimate remote access software widely used for IT support, threat actors frequently abuse remote monitoring and management applications because they provide persistent access while blending into normal administrative activity.

The following day, the attackers deployed an executable named symantec.exe, which installed a kernel-mode driver called PoisonX. Running in the Windows kernel gives a driver the highest level of system privileges, allowing it to interact directly with core operating system functions. According to Symantec, PoisonX carried a valid Microsoft Hardware Compatibility signature, enabling Windows to load the driver as trusted.

Once active, PoisonX terminated security-related processes and removed user-mode API hooks commonly used by endpoint detection and response (EDR) solutions to monitor application behavior. By disabling those monitoring mechanisms, the attackers reduced the visibility of security software before carrying out the remaining stages of the intrusion.

With endpoint protections weakened, Hyadina expanded its operation using a collection of credential theft and reconnaissance utilities. Investigators observed fourteen open-source tools designed to recover credentials from web browsers, email clients and instant messaging applications, as well as utilities capable of extracting Wi-Fi credentials and capturing live network traffic. All but one of those tools originated from NirSoft, which publishes legitimate Windows administration utilities. The remaining tool, Mimikatz, is widely known for extracting credentials and authentication material from Windows systems and is frequently abused during post-compromise activity.

The attackers also relied on PsExec, Microsoft's remote administration utility, to move laterally across the victim's network. Combined with legitimate remote management software, credential theft utilities and the signed kernel driver, the attackers were able to strengthen their foothold across multiple systems before deploying the GodDamn ransomware payload.

Symantec also examined the origins of PoisonX. The driver was uploaded to GitHub on April 7 by a developer using the name oxfemale, who described it as a research tool. The developer regularly publishes offensive security projects, including exploit proof-of-concepts, credential stealers and software designed to disable antivirus products, while identifying themselves on LinkedIn as a Russian security researcher specializing in reverse engineering and penetration testing. Symantec, however, considers PoisonX to be malware because its primary function is to disable security protections rather than support legitimate defensive research. Researchers said it remains unclear how the driver obtained Microsoft's Hardware Compatibility signature or whether the signing process was manipulated.

Microsoft maintains a Vulnerable Driver Blocklist to prevent known malicious or exploitable drivers from loading, even when they possess valid signatures. However, Symantec noted that newly identified drivers are not added to the blocklist immediately. Updates can take days or, in some cases, weeks to reach enterprise systems, leaving a window during which attackers can continue using newly signed or newly discovered drivers before defensive protections are updated.

Commenting on the broader use of legitimate software during ransomware intrusions, Symantec's Brigid O Gorman noted that nearly any administrative or security tool can become malicious when misused. She said this makes behavioral and adaptive security controls particularly important because they focus on suspicious activity rather than relying solely on known malicious files or applications. In the case of Hyadina, that combination of trusted software, publicly available offensive tools and a signed kernel driver enabled the attackers to disable security protections, steal credentials, move laterally through the environment and ultimately deploy ransomware.

Abbott Investigates Two Cyber Incidents Following Extortion Claims


 

Two separate cybersecurity incidents are being investigated by Abbott Laboratories after threat actors reportedly gained access to the company's systems and accessed sensitive information. While one incident has been linked to the ShinyHunters extortion group, the other involves claims of unauthorized access to Abbott's LabCentral customer portal. The company said both incidents are being investigated, and operations have not been disrupted. 

Both incidents have not adversely affected Abbott's business operations, manufacturing, laboratory services, product availability, or customer support. According to the company, the unauthorized access was restricted to systems that operate independently of Abbott's core infrastructure within its Cancer Diagnostics business, with no impact reported across other business units or sites due to the unauthorized access discovered. 

Several legacy Exact Sciences systems were discovered to have been accessed unauthorizedly by Abbott's Cancer Diagnostics business. As a consequence of the ShinyHunters extortion group listing the company on its data leak site, Abbott confirmed the breach, and threatened to publish allegedly stolen information if negotiations were not held. Exact Sciences is part of Abbott's Cancer Diagnostics division, which the company acquired earlier this year for $21 billion. 

Aside from Abbott's core systems, Exact Sciences' legacy infrastructure operates separately, which limits the scope of the incident. According to Abbott, the incident is isolated to the Cancer Diagnostics division and has not affected manufacturing, laboratory operations, product availability, patient services, or any other Abbott business systems.

A notification was sent to law enforcement, the company activated its incident response procedures, and external cybersecurity experts were engaged. In addition, Abbott stated that the incident will not negatively affect its financial performance. In response to the incident, Abbott has not provided information regarding the type of information that was accessed, noting that its investigation is ongoing. 

The company claims to have gained initial access to a Microsoft Entra single sign-on (SSO) account by launching a voice phishing (vishing) attack targeting Abbott employees in mid-June. A number of enterprise platforms, including Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, were accessed by the group, which alleges that internal documents, contracts, customer information, and millions of medical records containing personally identifiable information (PII) have been exfiltrated. 

These claims have not been independently verified, however. Separately, a threat actor claiming the name ShadowByt3$ has been associated with the breach of Abbott's Core Laboratory Diagnostics business by exploiting compromised customer credentials by accessing the LabCentral customer portal hosted by a third party. It has been claimed that the attacker has obtained technical documentation, manufacturing certificates, regulatory files, and other product-related information. 

LabCentral was investigated by Abbott, but the attacker's claims were disputed, as the portal only contains publicly available technical reference materials such as operating manuals, troubleshooting guides, and product specifications. The company indicated that confidential business information and sensitive customer information are not included in the environment. 

In the LabCentral portal, Abbott explained that it is hosted by a third party provider and serves as a repository of publicly available technical reference documents, including operating instructions, troubleshooting guides, and product specifications. In accordance with the company, sensitive customer information or proprietary business data is not known to have been compromised as a result of the reported incident. 

There has been a growing trend of cyberattacks targeting healthcare and medical technology over the past few years. In recent months, a number of companies, including Clover Health, Stryker, Medtronic, Novo Nordisk, and West Pharmaceutical Services, have reported cybersecurity incidents, illustrating the increasing risks associated with handling patient and healthcare-sensitive data. Several cyber-incidents have occurred in the medical technology sector in recent months, causing significant damage to the industry. 

A number of companies, including Stryker, Medtronic, Intuitive Surgical, iRhythm, and AdaptHealth, have reported cybersecurity incidents as well, underscoring the growing threat landscape for healthcare and medtech organizations. As of yet, neither ShinyHunters nor ShadowByt3$ has disclosed the data that they claim to have stolen. In addition to engaging external cybersecurity experts and notifying law enforcement, Abbott has also continued to investigate the possibility of access to any potentially sensitive information.

In addition, Abbott stated that it does not anticipate either incident to negatively impact its business or financial results. Abbott's ongoing investigations highlight the increasing cybersecurity challenges in the healthcare and medical technologies industries. 

However, despite the company's assurances that operations remain unaffected and that no sensitive customer information has been exposed, the incidents demonstrate how important it is to take quick action, to use robust security measures, and to continuously monitor against cyber threats as they evolve.

Group-IB Uncovers ClickLock macOS Malware Targeting Passwords and Crypto Wallets


An aggressive social engineering technique has been used by ClickLock, an information-stealing macOS malware, to obtain victims' information about their system login passwords. Security researchers at Group-IB report that the malware disables normal system functionality, leaving users with little interaction other than a password prompt designed to harvest their credentials. 


After a malicious shell script was uploaded to VirusTotal in June, ClickLock was discovered to have already compromised 100 computer systems in 33 countries since May after first being identified in June. According to researchers, ClickLock is still undergoing active development and remained undetected by security engines on the platform when it was discovered, showing its ability to evade traditional antivirus solutions. 

Despite analyzing the full payload chain of the malware, the initial lure pages used to deliver the attack have not yet been identified, suggesting that the campaign's distribution infrastructure is still evolving. Despite the complete analysis of the malware chain, investigators have not yet identified the original lure pages that were used to deliver the attack. Group-IB researchers also believe ClickLock is still under active development. 

The compromised websites hosting the malicious payloads have been identified, but the exact methods used to drive victims to those pages remain under investigation. Over half of the known victims are located in Europe, according to Group-IB. Despite the fact that it is unclear how precisely the malware is distributed, researchers believe that it has been active since late May. 

According to experts, the attackers use SEO poisoning, compromised websites, or social media posts to lure users to fake verification pages that send them to malicious websites.

How the Attack Works

According to experts, the infection is believed to have originated through a social engineering campaign similar to ClickFix, in which victims are fooled into copying and pasting a malicious command into the macOS Terminal, pretending to complete a Cloudflare "human verification" process. 

It has not been determined which initial infection source was employed, but it is believed that attackers may have utilized SEO poisoning, compromised websites, or malicious social media posts to redirect victims to a fake verification page that triggers the attack. As soon as the malware has been executed, it suppresses system notifications, hides the Terminal cursor, and silently downloads additional malicious components. 

A script initially executed acts as an orchestrator, downloading four separate components responsible for the theft of credentials, the theft of cryptocurrency, the collection of Keychain data, and the installation of a persistent backdoor, among others. After completing their tasks, data-stealing modules automatically delete themselves in order to reduce forensic evidence; however, the backdoor remains active to allow attackers long-term access to compromised computers.

In addition, it displays a false macOS password prompt based on the victim's actual username and an Apple-style interface in order to make it appear legitimate. After clicking the login button, ClickLock validates the credentials and immediately sends them to the attackers through Telegram. If the prompt is dismissed, the malware establishes persistence via LaunchAgents and repeatedly launches until the correct password is entered. 

System Lockdown and Data Theft

One of ClickLock's most disruptive features is its repeated termination of essential macOS processes, including Finder, Dock, Terminal, Activity Monitor, System Settings, Spotlight, and major web browsers. This malware continuously destroys these applications, causing users to be locked out of their computer for extended periods of time. 

According to researchers, ClickLock is able to exploit vulnerabilities in software without exploiting elevated privileges or exploiting software vulnerabilities. It relies on social engineering to persuade users to execute the malicious command themselves and repeatedly force them to interact with fake authentication prompts until they divulge their login credentials. 

Additionally to stealing login credentials, ClickLock attacks a wide range of sensitive information, including the following: 

  • Browser passwords, cookies, bookmarks, and autofill data. 
  • Cryptocurrency wallet files and browser wallet extensions. 
  • Password manager data. 
  • Shell histories and FileZilla FTP configurations. 
  • Basic system information and the victim's public IP address. 

It is the primary objective of the attackers to obtain the Chrome Safe Storage encryption key. By using this key, cybercriminals can decrypt stolen browser databases offline, allowing them to retrieve saved passwords, cookies, and other encrypted Chromium-based browser data without requiring continued access to the victim's computer. 

A modified version of the open-source GSocket tool is also installed by the malware, allowing attackers to gain persistent remote access to compromised devices by compressing collected data into ZIP archives and exfiltrating it through the Telegram Bot API. A legitimate system authorization prompt provides attackers with persistent remote access to compromised devices in addition to targeting macOS Keychain through a request for Chrome's Safe Storage encryption key. 

Using this malware, attackers can decrypt passwords, cookies, and other sensitive Chromium-based browser data offline if the user grants permission. Researchers noted that instead of exploiting software vulnerabilities, the malware's operators appear to rely exclusively on legitimate Mac OS features. 

ClickLock bypasses many of the operating system's built-in security protections through deception instead of technical exploit by convincing users to execute malicious commands. 

Staying Protected

ClickLock provides a limited detection window due to the fact that most of its components are deleted after execution and are hosted on compromised legitimate websites, according to Group-IB. It is strongly recommended that users should never copy and paste Terminal commands from websites or untrusted sources, regardless of their convincing appearance. Before investigating an infection on macOS, it is recommended that you force a shutdown by pressing the power button and restarting the device in Safe Mode.

AssuranceAmerica Data Breach Exposes Personal Information of Nearly 7 Million Individuals

 

Auto insurance company AssuranceAmerica is notifying almost 6.99 million people of the possible exposure of their private information after experiencing a data breach. The company appeared on the state attorney generals earlier this month to reveal the cyberattack occurred on March 16th 2026. 

Almost 7 million clients’ personal information was copied after hackers infiltrated the system using company employees’ credentials before being discovered a day later; they are now alerting policyholders and advising them to remain wary of contacting financial institutions as imposters may be using the stolen information to impersonate them Company officials stated that the information acquired from the breach includes customer’s name, address, social security numbers, driver license numbers, tax ID numbers, insurance policies, and claims history. 

South Carolina, for instance, has over 611,000 customers affected by the data theft, making it the state with the most affected people. The security analysts note that the exposure of personal information such as social security and driver’s license numbers increases the risk of identity theft since the stolen data provides an avenue for thieves to open credit accounts in someone’s name, take out loans, submit fraudulent taxes, circumvent identification processes, and even more. 

Edelson Lechtzin LLP law firm, which is investigating the exposure case, reports that the collected data can offer a wide window for committing financial fraud crimes against the unsuspecting ones. Though the company responded promptly to the issue by taking down their systems after discovering the unusual activity in their network on March 17th, the day after the cyberattack, customers were not notified of what occurred until mid-June, nearly 3 months later. 

According to the insurer’s report, the review of the compromised data concluded on June 15th, days before the customers were informed of what happened, which prompted consumer advocates to criticize the sluggish response by AssuranceAmerica. Furthermore, even though the company asserts that it has reinforced its system and reminded workers of the importance of cybersecurity awareness, it has not stated whether the affected people will be offered free credit monitoring or other services to guarantee their safety. 

The current case comes at a time when there has been a series of data breaches involving the exposure of people’s identities, with hackers targeting government-issued credentials such as licenses and passports. The attacks have been recorded in various industries, including the hospitality, finance, government, and technology sectors, and put every citizen at risk as their personal information is stored in numerous places. 

For instance, the individuals in the states affected by the breach should remain extra cautious when dealing with financial services, whether online or not, and apply for a security alert for their credit reports to help detect unauthorized applications for credit. They can also turn to their respective state attorney’s office to get more significant help. 

The AssuranceAmerica incident is a sobering reminder that the most effortless way to protect oneself is by changing passwords after such an occurrence, especially since other measures such as social security or driver’s license numbers may take longer to replace if they get into the wrong hands.

AI Agent Runs First End-to-End Ransomware Attack

 

Security researchers have long warned that AI would lower the barrier to cybercrime, but the latest case makes that threat tangible. In the operation described by Sysdig and covered by Forbes, an autonomous agent carried out the technical steps of a ransomware attack from initial access to encryption and ransom-note generation. The group’s analysis suggests the attack was not a simple script; it adapted when it hit obstacles, corrected its own mistakes, and kept moving without a human at the keyboard. 

The campaign reportedly began with an exposed Langflow incident, which the attacker used to gain access through a known vulnerability. From there, the agent searched for secrets, including credentials and cloud keys, then expanded into a production environment and escalated privileges. Researchers said it encrypted more than 1,300 configuration records and generated its own ransom note with a Bitcoin address, showing how an AI system can combine reconnaissance, exploitation, and extortion in one chain. 

What makes the story unsettling is not only the automation, but the speed. One reported login failure was fixed in 31 seconds, a reminder that AI can iterate much faster than a human operator can type, think, or troubleshoot. That kind of responsiveness matters because ransomware succeeds by compressing the defender’s reaction time. If attackers can use agents to scan, pivot, and encrypt at machine speed, security teams will need similarly automated detection, containment, and recovery tools to keep up. 

Still, the incident also shows that “fully autonomous” cybercrime may be more complicated than the headline suggests. Later reporting said humans may have still chosen the target, prepared infrastructure, or supplied stolen credentials, even if the AI handled the intrusion itself. That distinction matters, because it means defenders are not just facing smarter malware, but a new hybrid model in which human planning and AI execution reinforce each other. The lesson for businesses is clear: reduce exposed services, enforce strong credential hygiene, segment critical systems, and assume that the next serious attack may be built and operated with far less human effort than before.

Featured