Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

us marines
Data Breach Hacking Group Handala hackers Iranian hackers MOIS us marines

U.S. Marines Reportedly Targeted by Iranian-Linked Hackers in New Data Exposure Incident

 



Iran-linked hacking group Handala has allegedly leaked personal information belonging to thousands of U.S. Marines deployed across the Persian Gulf region, shortly after American military personnel in the Middle East began receiving threatening messages from the group.

According to posts published on Handala’s website, the hackers claim to have released the names and phone numbers of 2,379 U.S. Marines as proof of what they described as their “intelligence superiority.” The group further claimed that the exposed information represents only a small sample from a much larger collection of data allegedly tied to American military personnel stationed in the region.

Handala asserted that it possesses additional details related to military members and their families, including home addresses, movement patterns, military base affiliations, commuting routines, shopping behavior, and other personal activities. These claims have not been independently verified by U.S. authorities.

The alleged leak surfaced days after several U.S. service members reportedly received threatening WhatsApp messages warning that they were under surveillance. The messages referenced Iranian drone and missile systems and attempted to intimidate military personnel by claiming their identities and movements were being tracked. Similar threatening communications believed to be linked to Handala were also reportedly sent to civilians in Israel earlier this week, suggesting a broader psychological and cyber influence campaign connected to escalating tensions in the Middle East.

Since the regional conflict involving Iran, Israel, and the United States intensified earlier this year, Handala has repeatedly claimed responsibility for several high-profile cyber incidents. Last month, the group allegedly leaked hundreds of emails said to have originated from the personal Gmail account of Kash Patel. The hackers have also been linked to a cyberattack targeting medical technology company Stryker, an operation that reportedly resulted in data being erased from tens of thousands of employee devices globally.

However, questions remain regarding the authenticity and quality of the newly leaked Marine data. An analysis of the published sample reportedly identified multiple inconsistencies, including incomplete phone numbers and entries that appeared to contain military contract identifiers rather than personal names. Several listed numbers reportedly connected only to automated voicemail systems.

In a limited number of cases, voicemail names reportedly matched information included in the leak. One individual contacted by reporters allegedly confirmed their identity before ending the call, while others declined to comment or redirected inquiries to military public affairs officials.

U.S. Central Command referred media questions regarding the incident to the Naval Criminal Investigative Service, which had not publicly commented on the matter at the time of reporting.

The incident comes amid growing concerns over cyber-enabled psychological operations targeting military personnel and their families. Earlier this month, Navy Secretary John Phelan urged sailors to strengthen the security of their mobile devices and social media accounts amid concerns over phishing attacks and malicious online activity. In an internal warning, he noted that threat actors may attempt to manipulate military personnel into opening harmful files or clicking malicious links designed to compromise personal accounts and devices.

Handala publicly portrays itself as a pro-Palestinian hacktivist organization. However, multiple cybersecurity firms and recent assessments from the U.S. Department of Justice have alleged that the group operates as a front tied to Iran’s Ministry of Intelligence and Security (MOIS).

Cybersecurity experts note that modern cyber campaigns increasingly combine data leaks, online intimidation, and misinformation tactics to create psychological pressure rather than relying solely on technical disruption. Analysts also caution that hacker groups sometimes exaggerate the scale or sensitivity of stolen data to amplify fear and media attention.

Although U.S. authorities have previously seized domains associated with Handala, the group continues to remain active by turning to new websites and communication platforms, including Telegram, allowing it to sustain its cyber and propaganda operations online.

Read more »
Whatsapp Scam
Cyber Fraud Cybercrime Investigation Digital Arrest Scam Identity Impersonification Online Financial Crime SIM Verification Social Engineering Attack Whatsapp Scam

Investigation Uncovers Thousands of Accounts Tied to Digital Arrest Fraud Networks

 

Indian authorities have launched a massive enforcement response to the escalation of extortion and impersonation fraud resulting from cyber technology. The government informed the Supreme Court in January 2026 that over 9,400 WhatsApp accounts linked to so-called "digital arrest" scams had been banned following a focused 12-week operation. 

Organizing and implementing a coordinated crackdown on organized fraud networks, in partnership with government agencies, reflects a growing concern about organizations exploiting communication platforms to impersonate law enforcement and regulatory authorities in cybercrime campaigns that are financially motivated. 

The WhatsApp countermeasure strategy consists of a combination of behavioural detection technologies and intelligence-driven monitoring systems. In addition to logo-matching capability, account name logging, large language model-based scam pattern analysis, and a repeat offender database, WhatsApp has implemented a combination of these technologies in its countermeasure strategy, in order to identify and disrupt evolving fraud infrastructures. 

Attorney General Venkataramani explained the government's position before the apex court by stating that the enforcement measures and account suspensions were documented in the detailed status report that the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs submitted on February 9th. This submission was made to comply with Supreme Court directives aimed at curbing the rapid increase in digital arrest fraud in the country that were issued on February 9. 

Chief Justice Surya Kant's bench is monitoring the case, which was previously brought up suo motu by another bench, which had taken notice of escalating online financial crimes involving impersonation-based extortion schemes and fraudulent virtual detentions. 

The court, as part of a wider institutional response, directed key regulatory and infrastructure agencies, such as the Reserve Bank of India and the Department of Telecommunications, to develop a unified operational framework for victim compensation and cyber fraud response mechanisms, signaling an emerging policy push towards regulating digital risk and mitigation of financial fraud between agencies. It has been reported that the case relates to a coordinated fraud operation that involves impersonating law enforcement officials to manipulate victims into believing that they are under active investigation. 

The accused individuals allegedly used digital communication platforms to fabricate fear, urgency, and intimidation against potential victims. A former bank official has been arrested along with two suspected associates who were allegedly involved in the execution of the scam infrastructure with the Central Bureau of Investigation. These "digital arrest" schemes typically involve prolonged voice or video interactions that isolate target groups from external verification channels. 

As a result, fraudsters remain psychologically in control while coercing victims to transfer funds in the guise of legal clearances, compliance verifications, or settlements. In light of the involvement of a banking insider, investigators have intensified their investigation into the potential misuse of financial systems, as they examine whether privileged access to transaction mechanisms or sensitive financial data permitted illegal funds to be transferred and withdrawn rapidly. 

Forensic analysis of communication logs, transactional paths, and digital evidence is being conducted as part of the ongoing investigation to map the criminal ecosystem supporting the operation as well as identify additional facilitators, beneficiaries, and individuals affected by it. According to law enforcement agencies, digital arrest frauds are on the rise across the nation, incorporating social engineering, identity appropriation, and coordinated cyber-enabled deception techniques to exploit victims.

In addition, legitimate government agencies will never ask for financial payments in order to prevent criminal or legal action from occurring. When investigative inputs were shared by the Indian Cyber Crime Coordination Centre, the Ministry of Electronics and Information Technology, and the Department of Telecommunications, enforcement efforts intensified, leading to a broader intelligence-driven disruption campaign that targeted the ecosystem of organised digital fraud. 

According to WhatsApp, government-reported accounts are not handled as isolated abuse incidents, but rather are analyzed as behavioural indicators to identify interconnected criminal infrastructures and their associated threat networks.

Nearly 3,800 accounts were originally flagged by the government, but the company's internal detection system greatly expanded the scope of the investigation, leading to the removal of thousands of additional accounts associated with suspected scam activities. 

In conjunction with a parallel preventive strategy, the platform has implemented several product-level safeguards in an effort to intercept fraud attempts during early contact stages of the fraud process. Alerts for suspicious first-time interactions, visibility indicators that provide account age information for unknown users, suppression of profile photographs when high-risk conversations occur, and expanded caller identification features are included in this strategy. 

The company expressed confidence that these interventions could help reduce the number of digital arrest frauds. However, it acknowledged that many operations are supported by cross-border criminal infrastructure, unauthorised payment channels, and external communication networks outside of its direct control, and stressed that multijurisdictional law enforcement actions would be required to prevent long-term disruptions. 

Aside from its submission to the Supreme Court, the Center also proposed the establishment of an extensive multi-agency enforcement framework designed to strengthen telecom verification systems, financial fraud response protocols, and cybercrime prevention systems nationally. Following consultation with regulatory and enforcement stakeholders, the report urged the court to direct telecommunications, electronics, and information technology authorities, as well as the Reserve Bank of India to establish standardized and time-bound safeguards against digital arrest scams. 

An important element of the proposal is the rapid implementation of Telecommunications (User Identification) Rules along with a Biometric Identity Verification System in order to establish nationwide traceability and visibility into SIM issuance processes. 

The Department of Telecommunications has instructed telecom service providers to enforce stricter compliance measures and Point of Sale vendors that activate SIM cards are required to meet enhanced verification and accountability requirements in accordance with a circular dated August 31, 2023 issued by the Department of Telecommunications.

Further, the report recommends that suspicious SIM cards associated with cybercrime investigations are blocked immediately. It also recommends that subscriber activation records and point of sale data be shared in real time with investigative agencies in order to improve the effectiveness of emergency response operations. 

During the course of monitoring the rapid expansion of digital arrest scams across India, the Supreme Court requested coordinated national action and periodic status updates from the enforcement and regulatory bodies responsible for the mitigation of cybercrime in India.

One of India's most significant institutional responses to digital arrest fraud has been the coordinated crackdown, reflecting the increasing convergence of cybercrime enforcement, telecommunication regulation, financial oversight, and platform-level security interventions, as well as the increasing threat of digital arrest frauds.

Investigative agencies continue to trace broader criminal networks, as well as regulatory agencies implementing stricter identity verification and fraud prevention guidelines, authorities believe sustained inter-agency coordination is crucial in disrupting organized scam ecosystems across digital communication networks and financial infrastructures. 

Moreover, these developments suggest that India’s cybercrime response strategy has also evolved, in which technology platforms, telecom operators, banks, and law enforcement agencies are collaborating in an effort to counter increasingly sophisticated forms of cybercrime-enabled financial fraud.
Read more »
Toronto Police
Canada Cyber Crime Cyber Scam SMS Blaster Toronto Police

Canada's First SMS Blaster Bust: 3 Arrested in Toronto Cybercrime Crackdown

 

Toronto police have exposed a first-of-its-kind SMS blaster cybercrime case in Canada, where investigators say three men used a rogue device to mimic a cell tower and push fake texts to nearby phones. The operation, known as Project Lighthouse, reportedly ran across the Greater Toronto Area for months before police arrested the suspects and seized multiple devices. 

The core issue is the use of an SMS blaster, a tool that can trick smartphones into connecting to a fake cellular signal. Once connected, the device can send fraudulent messages that look like they come from banks, delivery services, or other trusted organizations, often leading victims to phishing sites that steal passwords or banking details. Police also said the tactic creates a wider network risk because it can interrupt legitimate mobile connections. 

Investigators say the threat was not small in scale. Reports indicate tens of thousands of devices may have connected to the rogue equipment over several months, and police recorded more than 13 million network disruptions linked to the operation. That disruption is especially serious because it can interfere with emergency access, including the ability to reach 911.

The arrests show how quickly cybercrime is evolving from online-only scams into hybrid attacks that combine physical devices, mobility, and social engineering. Police charged the three suspects with a combined 44 offences, including fraud, mischief, personation, and unauthorized interception-related crimes. The case is being treated as Canada’s first confirmed investigation of this kind, which makes it a warning sign for other cities and countries. 

The broader lesson is that mobile phones can be vulnerable even when users do not click anything suspicious. If a rogue tower is nearby, the attack can start at the network level and then move into fake texts, credential theft, and financial fraud. For readers, the main takeaway is to be cautious with urgent SMS links, verify messages through official apps or websites, and treat unexpected texts from banks or government services as potentially malicious.
Read more »
leaked sensitive data
API API Attack API Keys API security Cyber Security data security government data breaches leaked sensitive data

ClickUp API Key Exposure Leaves Corporate and Government Email Data Public for Over a Year

 

A previously unnoticed weakness in ClickUp’s web infrastructure sat undetected - exposing private data due to an embedded API key left visible on its public site. For over twelve months, access to internal records remained possible because safeguards were missing at a basic level. Emails tied to businesses and official agencies could be pulled by outside parties; no login required. This gap emerged not from complex hacking but from routine coding oversights ignored during deployment. Hidden credentials like these often escape review until examined closely. Months passed before scrutiny revealed what should have been caught earlier. Security gaps of this kind stem less from advanced threats and more from everyday lapses repeated across teams. 

Open talk about the problem began when security analyst Impulsive shared findings showing the leaked credential sat inside a JavaScript file served by ClickUp's site, even before login steps occurred. Since code running in browsers can always be seen, grabbing the API key took little effort and allowed contact with internal servers. Without needing any special access, one basic query allegedly pulled close to a thousand emails plus vast numbers of hidden development settings from the system. The study showed that 959 employee email addresses were part of the leaked data, tied to staff in large companies and public institutions spanning various locations. 

About 3,165 feature flags also turned up in the exposure - visible without restriction. Hidden inside what looks like routine code, these flags might expose how teams test software, plan releases, roll out new tools, or shape future updates. Because of that, malicious actors might mine them to craft deceptive emails, manipulate individuals through tailored messages, or collect insights on rivals’ progress. Surprisingly useful intel often hides where it seems least likely. Early in 2025, news of the exposure surfaced - yet by April 2026, it still hadn’t been fixed, stretching out the time hackers could act. Because access stayed open so long, experts say attackers gained more chances to try breaking in using stolen login details, fake identities, or personalized emails targeting workers linked to the affected websites. 

What happened shows a wider issue for groups depending on cloud-based services. Though easy to avoid, fixed login details remain common in today’s coding practices. When secret access tokens appear in open-source repositories, bots usually find them fast - sometimes in under sixty seconds. Even low-level access codes can lead to large data leaks if internal systems lack strong verification rules. Rotating API keys often helps lower exposure over time. Client-side apps without embedded secrets tend to withstand attacks better. Strict limits on backend access form another layer of defense. 

Protection against phishing gains strength when using tools like DMARC, SPF, or DKIM. Unusual logins catch attention faster with constant tracking. Exposed domains become visible through active threat data streams. Security improves not by one fix alone, but steady adjustments across systems. A quiet mistake lingered unseen within ClickUp's system, revealing data widely before detection. When operations move into shared online environments, oversight gaps often emerge - making careful monitoring essential. Security lapses like this highlight growing pressure on organizations to act earlier, respond smarter, stay alert longer.
Read more »
VECT 2.0 ransomware
Check Point research data wiper malware malware ransomware bug ransomware encryption VECT 2.0 ransomware

VECT 2.0 Ransomware Bug Turns Malware Into a Permanent Data Wiper

Cybersecurity researchers have uncovered a major flaw in the VECT 2.0 ransomware that causes the malware to permanently destroy large files instead of properly encrypting them, making recovery impossible even if victims decide to pay a ransom.

The ransomware operation has reportedly been promoted on newer versions of BreachForums, where the group invited users to join its affiliate program. Interested participants were allegedly given access keys through private messages.

VECT operators also announced a collaboration with TeamPCP, the threat actor linked to recent supply-chain attacks targeting Trivy, LiteLLM, Telnyx, and even the European Commission. According to the announcement, the partnership aimed to exploit victims affected by those supply-chain breaches by deploying ransomware payloads and expanding attacks against additional organizations.

Critical Encryption Flaw Discovered

Researchers found that VECT 2.0 contains a serious issue in how it manages encryption nonces during the file-encryption process. Although the ransomware was designed to speed up encryption for large files, the implementation accidentally overwrites nonce data during each encryption cycle.

Because the malware uses the same memory buffer repeatedly for nonce generation, every newly created nonce replaces the previous one. Once the encryption process is completed, only the final nonce remains stored and is written to disk.

This mistake means that only the last 25% of an affected file can potentially be recovered, while the remaining portions become permanently inaccessible due to the missing nonces.

The problem becomes even more severe because the lost nonces are not sent back to the attackers either. As a result, even the ransomware operators themselves would be unable to decrypt victim files after payment.

Security researchers warned that the flaw effectively transforms the ransomware into a destructive data wiper, particularly in enterprise environments where most valuable assets exceed the malware’s file-size threshold.

“At a threshold of only 128 KB, smaller than a typical email attachment or office document, what the code classifies as a large file encompasses not just VM disks, databases, and backups, but routine documents, spreadsheets, and mailboxes. In practice, almost nothing a victim would care to recover falls below this boundary,” Check Point says.

Researchers also confirmed that the same nonce-management vulnerability exists across all VECT 2.0 variants, including Windows, Linux, and ESXi versions, meaning the irreversible file destruction behavior impacts every platform supported by the ransomware.
Read more »
Technology
cloud act Data Digital Sovereignty Europe Microsoft Technology

Europe Pushes to Reduce Dependence on U.S. Tech as Sovereign Digital Infrastructure Gains Momentum

 




Several European governments are trying to reduce their dependence on American software, cloud platforms, and digital infrastructure as debates around data control, political influence, and technological independence become more intense across the region.

The situation has exposed contradictions in Europe’s relationship with U.S. technology companies. Microsoft chief executive Satya Nadella has largely stayed away from the kind of political messaging often associated with Alex Karp. Despite this difference, France has started moving parts of its public systems away from Microsoft Windows while simultaneously renewing contracts linked to Palantir Technologies through its domestic intelligence agency.

This complicated approach shows how Europe is attempting to distance itself from American tech firms without fully breaking away from them. Many governments now believe that relying too heavily on foreign technology companies can also mean depending on foreign laws, political priorities, and corporate influence. Still, Europe’s response has not followed one common strategy, with many actions appearing fragmented or reactive.

Much of the debate intensified after the U.S. passed the CLOUD Act in 2018 during President Donald Trump’s first term. The law gives American authorities the ability to request data from U.S.-based technology companies even if that information is stored outside the United States. For European officials, this raised concerns that storing data inside Europe may no longer be enough to fully protect sensitive information from foreign legal access.

Healthcare data quickly became one of the strongest examples used in these discussions. Medical records are considered among the most sensitive forms of information governments hold because they contain deeply personal details tied to citizens. Even after the CLOUD Act came into force, the United Kingdom partnered with companies including Google, Microsoft, and Palantir Technologies during the COVID-19 pandemic for projects involving National Health Service data.

Critics have argued that such partnerships could expose public-sector information to outside influence. France later decided that its Health Data Hub would stop using Microsoft Azure infrastructure and move toward what officials described as a sovereign cloud model. The contract was awarded to Scaleway, a cloud provider owned by French telecommunications group Iliad. Scaleway has also been expanding its network of data centers across Europe.

Scaleway later became one of four companies selected in a €180 million sovereign cloud contract backed by the European Commission. The program is intended to support cloud services that operate under European legal and regulatory standards. Notably, the European Sovereign Cloud initiative launched by Amazon Web Services was not included among the selected providers, even though Amazon created the project to answer European concerns about digital sovereignty.

Questions have also emerged around whether some so-called sovereign alternatives remain partly tied to American technology companies underneath. Some observers pointed to S3NS, a joint venture involving French defense company Thales Group and Google Cloud. Critics worry that arrangements like these could still leave room for indirect U.S. access or legal exposure despite being promoted as trusted European solutions.

Europe has faced similar problems in the search engine market. French search company Qwant was previously recommended for public servants in France while relying on Microsoft Bing’s underlying search infrastructure. The relationship later deteriorated after Qwant accused Microsoft of taking advantage of its dominant position in the market. Although French regulators declined to act against Microsoft, Qwant eventually started searching for alternatives on its own.

Qwant later partnered with German nonprofit search platform Ecosia to launch Staan, a Europe-based search index designed to reduce reliance on Google and Bing technologies. The project focuses on privacy and regional control over search infrastructure. Even so, both companies remain far smaller than their American competitors. Ecosia, despite having around 20 million users, still operates on a completely different scale compared to Google’s global user base.

One of the biggest problems facing European technology firms is market dominance from American companies. U.S. providers continue to control large parts of cloud computing, enterprise software, internet search, and artificial intelligence markets because of their global infrastructure, financial resources, and established ecosystems. European officials hope that large public-sector contracts could help regional providers compete more effectively.

Besides Scaleway, the European Commission’s sovereign cloud program also selected French companies Clever Cloud and OVHcloud, along with STACKIT. STACKIT was developed by the Schwarz Group, the parent company of Lidl, originally for its own internal systems before later being turned into a commercial cloud service.

Supporters of the initiative believe government-backed contracts could encourage more European companies to invest in domestic infrastructure instead of depending on foreign cloud providers. Backers of the program have also said the project aims to encourage digital solutions that align with European laws, governance rules, and privacy standards.

Still, Europe’s strategy of distributing contracts across several companies may create another challenge. While diversification could reduce dependence on one dominant provider and improve resilience, it may also make it harder for Europe to build a single technology giant capable of competing globally with firms such as Microsoft, Amazon, or Google.

Some critics also view sovereign tech partly as an economic strategy meant to keep European spending within the region. However, Europe’s attempts to move away from U.S. technology have not always translated into direct support for startups. In several cases, governments have instead turned toward open-source software alternatives.

France has already started replacing parts of its Windows-based systems with Linux. Public institutions in Germany, Denmark, Austria, and Italy are also exploring alternatives to Microsoft’s office software products through platforms such as LibreOffice.

Several governments have also embraced a “build instead of buy” approach by creating internal software tools. That strategy has faced criticism from parts of the technology and financial sectors. France’s Court of Auditors reportedly questioned spending linked to Visio, an internally developed platform intended to act as an alternative to Zoom and Microsoft Teams.

French newspaper Les Echos also reported frustration from parts of the country’s technology sector. Some critics argued that if governments themselves do not consistently adopt domestic technology tools, it becomes difficult to convince large private companies to do the same.

Many giants of European businesses continue selecting American technology providers when they offer stronger technical or commercial advantages. German airline Lufthansa chose Starlink for onboard internet services. Air France also selected Starlink despite partial ownership ties to the French and Dutch governments. Reports have additionally suggested that France’s national railway operator SNCF may eventually adopt similar services.

The debate around European alternatives has become particularly visible in satellite communications. During a disagreement involving Poland, Elon Musk stated publicly that “there is no substitute for Starlink.” European governments are now trying to prove otherwise by investing in domestic telecommunications and space infrastructure projects.

Public sentiment has also started influencing the discussion. After President Trump threatened to take control of Greenland, applications encouraging consumers to boycott American products surged in popularity on Denmark’s App Store rankings. The reaction showed that calls to reduce dependence on U.S. companies are no longer limited to policymakers and regulators.

Pressure is also building on European governments to reconsider contracts involving controversial American firms. Palantir’s recent public messaging and political positioning have drawn criticism inside parts of the European Union and the United Kingdom. At the same time, many European officials and citizens have started distancing themselves from X, formerly Twitter, because of growing dissatisfaction around platform governance and political discourse.

American technology companies have also shown that Europe is not always their top commercial priority. When Meta delayed the European release of Threads because of regulatory concerns tied to EU laws, it reinforced the perception that large U.S. firms can afford to deprioritize the region when legal requirements become too restrictive.

At the same time, this environment is opening new opportunities for companies building products specifically designed for European markets, languages, and legal standards. Supporters of the EuroStack initiative are pushing for rules that would encourage or require public institutions to purchase locally developed technology whenever possible.

Backers of sovereign tech also hope European companies can eventually compete internationally rather than only within domestic markets. French artificial intelligence company Mistral AI has reportedly experienced strong revenue growth as some businesses search for alternatives to OpenAI. Meanwhile, the governments of Canada and Germany are supporting cooperation between Cohere and Aleph Alpha to create what supporters describe as a transatlantic AI platform for governments and businesses.

As geopolitical tensions continue reshaping the global technology industry, some companies are discovering that not being American, Chinese, or Russian is itself becoming a commercial advantage in international markets.

Read more »
WhatsApp Worm
Banking Security Banking Trojan Credential Theft DLL Sideloading Financial Cybercrime malware Outlook Malware TCLBANKER WhatsApp Worm

TCLBANKER Threat Actors Intensify Financial Attacks Using Outlook and WhatsApp Worms


 

Elastic Security Labs has identified TCLBANKER as REF3076, which represents a significant development in Latin American banking malware. In addition to credential theft, remote session control, and worm-like propagation, it has been linked to older Maverick and SORVEPOTEL malware families, but with more sophisticated stealth and self-distribution features. 

By delivering the trojan via trojanized Logitech AI Prompt Builder MSI installer hidden within malicious ZIP archives, the trojan spreads through compromised WhatsApp and Microsoft Outlook accounts. As well as employing extensive anti-analysis protections to evade sandboxes, debugging tools, and security monitoring systems, TCLBANKER targets 59 Brazilian banking, fintech, and cryptocurrency platforms. 

Research has shown that although the campaign is currently focused on Brazil through locale verification and keyboard layout verification checks, its modular architecture is capable of enabling broader international expansion in the future. Researchers have found that the malicious library “screen_retriever_plugin.dll” is executed through the legitimate Logitech application via DLL sideloading. 

The malware only activates when loaded by approved executables such as “logiaipromptbuilder.exe,” allowing it to blend into trusted processes and avoid detection. Watchdog subsystems are included in its loader, which continuously searches for debuggers, sandboxes, antivirus engines, and forensic analysis tools. Also, it removes usermode hooks from “ntdll.dll” and disables Event Tracing for Windows (ETW) telemetry so that endpoint monitoring visibility can be compromised. 

The TCLBANKER software generates an environment-specific hash value by performing multiple anti-debugging, anti-virtualization, disk, and language checks before decrypting its payload. In the event analysis conditions are detected, the payload is intentionally disabled from decrypting, preventing execution in sandboxes. 

Following validation, the malware establishes persistence through scheduled tasks and communicates with external command-and-control infrastructure using HTTP POST requests containing information regarding the system. 

An increasing trend among financially motivated threat actors is to combine enterprise-grade evasion techniques with consumer-centered banking fraud operations, as evidenced by the malware's layered execution model. During their research, researchers found that TCLBANKER did not rely exclusively on credential theft, but rather operated as an interactive remote intrusion platform, maintaining prolonged access to compromised systems. 

In addition to monitoring user behavior in real time, attackers can manipulate banking sessions directly and bypass traditional fraud detection mechanisms that detect automated transactions, allowing them to bypass traditional fraud detection mechanisms. Since the malware executes most of its activity in memory, and limits visible artifacts on disk, it can be detected more easily by conventional anti-virus and endpoint monitoring programs. 

As a consequence of these characteristics, analysts caution that traditional banking trojans and lightweight advanced persistent threat tooling are becoming increasingly blurred, particularly as financial criminals target online banking ecosystems with targeted cybercrime campaigns. With TCLBANKER, users can perform a number of remote fraud functions, including screen capture, live session monitoring, clipboard interception, keylogging, and direct shell command execution. 

During fraudulent activities, the malware blocks shortcuts such as Alt+F4, Escape, PrintScreen, and the Windows key while terminating Task Manager processes repeatedly to prevent user interference. Moreover, the WDA_EXCLUDEFROMCAPTURE flag was used by worms to hide malicious overlays from screen-recording tools. 

TCLBANKER is also known to include two worm modules, Tcl.WppBot and Tcl.WppBot, which spread via WhatsApp Web and Microsoft Outlook. Through phishing links sent through authenticated WhatsApp sessions to victim contacts, as well as through Outlook COM automation, the malware distributes malicious emails from legitimate user accounts using trusted communication channels, thus significantly increasing infection success rates.

As part of its monitoring of activity across Chrome, Firefox, Edge, Brave, Opera, and Vivaldi, TCLBANKER targets 59 Brazilian fintech, banking, and cryptocurrency services specifically. During operation, the malware maintains persistence through a hidden scheduled task called "RuntimeOptimizeService," while monitoring virtualization platforms, debugging tools, and sandbox environments to preserve operational stealth. 

Additionally, researchers stressed the operational advantages created by TCLBANKER's abuse of trusted communication environments. As opposed to traditional phishing campaigns that rely on a large-scale spam infrastructure, this malware uses compromised user accounts to distribute malicious content through existing personal and corporate relationships, leveraging compromised user accounts. 

Social engineering success rates are substantially improved as recipients are more likely to trust links or attachments received from trusted sources. Using WhatsApp Web and Microsoft Outlook also allows the campaign to spread without being dependent on attacker-controlled infrastructure that could otherwise be blocked or blacklisted. 

According to analysts, this propagation strategy represents an evolution in malware delivery operations, as threat actors are increasingly weaponizing legitimate platforms and authenticated sessions in order to bypass spam filtering technologies, reputation-based detection systems, and user suspicion, and to bypass email filtering technologies. 

Additionally, cybersecurity researchers are concerned about the continued abuse of legitimately signed applications within malware delivery chains as a consequence of the campaign. TCLBANKER takes advantage of user trust in recognized brands by embedding malicious components inside authentic Logitech software, thereby decreasing the likelihood of immediate detection during installation. 

DLL sideloading techniques of this kind continue to be particularly effective because they exploit legitimate application behavior instead of exploiting exploits. Due to the combination of signed software abuse, environment-aware payload activation, and memory-resident execution, the malware is much less forensically accessible than traditional commodity banking trojans. 

The analysts believe that the use of these methods will likely continue in future financial malware operations as cybercriminal groups adapt increasingly stealth-oriented intrusion techniques to improve persistence and reduce defence visibility over an infected environment as a result of increasing stealth-oriented intrusion techniques. The TCLBANKER platform has been designed to highlight the increased sophistication of today's banking malware. 

TCLBANKER combines trusted software abuse, advanced defense evasion, and self-propagating distribution methods to create a highly adaptive financial threat platform. Despite the malware's ability to spread through legitimate WhatsApp and Outlook accounts, it reflects the shift toward trust-based infection chains that improve victim engagement and compromise rates. 

While the malware's current operations are mainly targeted at Brazilian financial users, researchers caution that its modular architecture and stealth-focused architecture could allow for broader international targeting in the future. 

According to the findings, hardware and software endpoint monitoring should be strengthened, software validation controls implemented, and user awareness should be increased as financially motivated cyber threats continue to evolve in terms of complexity and extent.
Read more »
Robinhood phishing scam
Cybersecurity Data Phishing Attack Robinhood email exploit Robinhood login alert Robinhood phishing scam

Robinhood Email System Exploited to Deliver Phishing Messages Through Legitimate Alerts

 

Online trading platform Robinhood recently faced a phishing campaign in which cybercriminals manipulated its account creation process to send fake security alerts through legitimate company emails. The incident caused confusion among users, as the fraudulent messages appeared to come directly from Robinhood’s official email system.

The phishing emails carried the subject line “Your recent login to Robinhood” and warned recipients about an “Unrecognized Device Linked to Your Account.” The messages included suspicious IP addresses and partially hidden phone numbers to create a sense of urgency and authenticity.

"We detected a login attempt from a device that is not recognized," reads the phishing email. "If this was not you, please review your account activity immediately to secure your account."

Recipients were directed to click a button labeled “Review Activity Now,” which redirected users to a phishing domain designed to steal login credentials. The malicious site has since been taken offline, though screenshots shared on Reddit suggested it was being used to capture Robinhood account details.

What made the attack particularly convincing was that the emails originated from Robinhood’s legitimate email address, noreply@robinhood.com
, and successfully passed SPF and DKIM authentication checks commonly used to verify email legitimacy.

According to findings by BleepingComputer, attackers exploited a weakness in Robinhood’s onboarding workflow that failed to properly sanitize HTML input during account registration.

During the signup process, Robinhood automatically sends a “Your recent login to Robinhood” notification containing information such as device details, IP address, login time, and approximate location. Threat actors reportedly manipulated the device metadata field by inserting malicious HTML code, which was later rendered inside the email.

This caused the “Device” section of the message to display a fake warning about suspicious account activity, effectively embedding a phishing alert into a legitimate email template.

Researchers believe the attackers may have used previously leaked customer email lists to target existing Robinhood users. In 2021, Robinhood experienced a breach that affected nearly 7 million customers, with stolen information later appearing for sale on hacking forums.

The attackers also reportedly took advantage of Gmail’s dot aliasing feature, which allows email addresses with added periods to still route to the same inbox. This method enabled cybercriminals to create multiple Robinhood accounts using slight variations of real customer email addresses while ensuring delivery to the intended victims.

As a result, many recipients received what looked like a genuine Robinhood login notification containing a fraudulent warning about “unrecognized activity” and instructions to review their accounts immediately.

Robinhood later addressed the incident publicly on X.

"On Sunday evening, some customers received a falsified email from noreply@robinhood.com
 with the subject line 'Your recent login to Robinhood.'," posted RobinHood.

"This phishing attempt was made possible by an abuse of the account creation flow. It was not a breach of our systems or customer accounts, and personal information and funds were not impacted."

The company has since resolved the vulnerability by removing the abused Device field from account creation emails. Robinhood also advised affected users to delete the suspicious email and avoid interacting with any embedded links.
Read more »
User Security
Data Breach Data Theft Medtronic Breach ShinyHunters User Security

Medtronic Confirms ShinyHunters' Theft of 9 Million Records

 

Medtronic, a leading global medical device manufacturer, recently confirmed a significant cybersecurity breach affecting its corporate IT systems. The incident came to light after the notorious hacking group ShinyHunters claimed responsibility, boasting of stealing over 9 million records containing personally identifiable information (PII) and terabytes of internal corporate data. 

On April 17 and 18, 2026, the group listed Medtronic on its Tor-based data leak site, issuing a ransom ultimatum that expired on April 21 without public confirmation of payment or data release. Medtronic publicly disclosed the breach on April 24, 2026, via its website and a U.S. Securities and Exchange Commission Form 8-K filing, acknowledging unauthorized access but emphasizing that the intrusion was contained with no disruption to operations.

The breach targeted non-critical corporate networks, sparing patient-facing systems, medical devices, manufacturing, and distribution channels. Medtronic stated explicitly that products, patient safety, customer connections, financial reporting, and care delivery remained unaffected, as these operate on segregated infrastructure. ShinyHunters, known for high-profile extortion campaigns against over 40 organizations in 2026—including ADT, Amtrak, and Cisco—alleged the haul included sensitive PII from employees, partners, or affiliates, though Medtronic has not verified the exact volume or contents. The group's listing vanished from the leak site shortly after, fueling speculation of behind-the-scenes negotiations.

This incident underscores escalating threats to healthcare giants, where corporate IT often serves as a softer entry point for attackers. ShinyHunters has exploited misconfigured Salesforce Experience Cloud guest permissions in multiple cases, a customer setup issue rather than a platform flaw, according to Salesforce. Medtronic's response involved activating incident protocols with external cybersecurity experts to assess data exfiltration and potential exposure. An ongoing forensic investigation aims to pinpoint compromised information, with commitments to notify and support affected individuals if personal data is confirmed stolen.

The implications ripple beyond Medtronic, highlighting vulnerabilities in the medical technology sector amid rising ransomware and extortion tactics. Law firms like Schubert Jonckheer & Kolbe LLP launched investigations by early May 2026, probing liabilities for the nearly 9 million potentially impacted records. While no widespread data dumps have surfaced publicly, the breach erodes trust in supply chain security, even when clinical operations stay insulated. Healthcare firms face mounting pressure to fortify perimeter defenses as cybercriminals increasingly target administrative data for profit.

To mitigate risks from such incidents, individuals should monitor credit reports, enable two-factor authentication on personal accounts, and freeze credit if notified of exposure. Organizations are advised to segment networks rigorously, conduct regular penetration testing, patch third-party configurations like Salesforce promptly, and develop robust incident response plans. Medtronic's case reinforces the need for proactive cybersecurity hygiene to safeguard sensitive data in high-stakes industries.
Read more »
Hijacking attacks
Account Hijacking Risks Account security account takeover scams Cyber Attacks Cyber Hackers Cyber Phishing Hacker attack Hijacking attacks

Signal Plans New Security Measures After Russian Hackers Hijack Hundreds of Accounts

 

Following revelations that hackers tied to the Russian government breached numerous German users' accounts via focused phishing schemes, Signal, a secure messaging service, moves to strengthen its defenses. Though the core encryption stays intact, manipulation tactics targeting people - not systems - spark renewed alarm among experts. Some reports suggest around 300 people in 

Germany faced incidents, such as prominent politicians. 
The head of the German parliament ranked among them, showing a shift toward targeting authorities, campaigners, and well-known personalities. Though less common before, such actions now point to more deliberate choices by offenders. What happened did not involve any break-in at Signal’s core security setup. Their encryption methods stayed intact throughout the incidents. Hackers found another path - using deceptive messages aimed directly at people. 

These tricks led some users to hand over private login details without realizing it. The app itself remained untouched, including its built-in privacy safeguards. Reportedly, fake messages came from someone pretending to be "Signal Support," arriving straight in user inboxes. Instead of ignoring them, some people gave up their single-use login codes, personal Signal PINs, along with backup account information. 

With that data in hand, intruders then activated the targeted accounts on separate devices. Private conversations became reachable - all because stolen details allowed full transfer control. Earlier warnings came from security experts across Europe, along with U.S. agencies like the FBI, flagging such tactics recently. Phishing efforts resembling these have drawn attention due to their repeated appearance. 

Targets included individuals speaking out against China’s policies, according to reports. These patterns hint at coordinated monitoring backed by governmental support. Observers note the consistency in techniques points beyond random attacks. Human behavior plays a central role in these breaches, differing from conventional hacks targeting code flaws. 

Instead of cracking software defenses, intruders gain access by persuading individuals to disclose credentials. Once granted entry through trust rather than force, encrypted environments offer little resistance. Security analysts observe a shift: tricking people now works better than overcoming digital barriers. What used to require complex tools now succeeds with conversation. Now working on new protections, Signal aims to make scam detection easier for its users. 

Without revealing exact details, the team mentioned updates targeting phishing-driven breaches. These adjustments will start appearing within weeks. Changes are expected to limit how often accounts get compromised through deceptive messages. Although the group operating Signal emphasizes strong privacy safeguards, these very protections reduce how much information they can gather. 

Because messages are secured with end-to-end coding, personal chats remain hidden even from the service itself. Limited access to usage details means deeper inspection of scam attempts becomes difficult. Only minimal traces of activity stay visible, due to built-in system constraints. Later updates show Signal warning people: real support teams won’t message inside the app, on social platforms, by text, or call asking for logins, access codes, or personal IDs. 

Messages from the team arrive strictly via confirmed accounts ending in @signal.org, according to their statement. Communication like this stays limited - no exceptions appear. Despite strong encryption, hacking through stolen credentials shows weaknesses still exist at the human level. With scams now harder to spot, specialists stress vigilance alongside tools like two-step checks - protection depends on behavior, not code alone.
Read more »
Malware Campaign
Banking Cyber Scammers Cybersecurity Discord Illegal Porn malware Malware Campaign

Malware Campaign: Porn Viewers Should Hide Webcams

 

Any users who visit porn sites should be extra careful now. Porn viewers should hide their cameras. If users do not hide their webcams, they risk unpleasant recordings and extortion. Porn viewers should hide their webcams. 

According to a new blog post by security experts at Proofpoint, a new malware type is currently going viral. It is classified as an infostealer that reads various data and sends it in text form. However, there’s more to it. Another component of the new malware campaign specifically hacks the privacy of those impacted. 

Now, porn viewers should immediately protect their cameras. According to the report, the malicious software would immediately detect when someone opens an adult website on compromised browsers.  

Attack tactic 


The malware scans the page for keywords like “sex” or “porn”. In such incidents, it promptly captures a screenshot of the desktop and accesses the webcam to click an image of the person in front of it. 

These screen captures (sometimes nudes) are later used for extortion. Thus, it becomes crucial for porn viewers to at least cover their webcams to protect themselves from unsolicited recordings, from apps like Omegle. This is not the first time porn viewers have been targeted by scammers.  

While malware taking pictures is not a new tactic, it is still comparatively rare. Porn viewers should secure their cameras as much as possible. 

Potential for extensive data theft 


Researchers from Proofpoint explained that there can be extensive data theft, and the information can be disseminated through different platforms. The stolen data comprises: bank details, session cookies, session data, logins, email, access info, and system information keystrokes. The distribution takes place via platforms such as Telegram, SMTP, Discord, or file hosts. 

Phishing emails for malware 


The current malware is based on the open-source malware Stealerium; it is publicly accessible and has been active since 2022. Hackers can easily download and adjust it for their needs. 

Recently, there has been a surge in attacks despite the malware age. From May to August 2025, there was a spike in malware campaigns. The key distribution method of malware was phishing emails concerning legal or banking issues. Impacted users should be careful with messages from unknown senders and recognize phishing emails.  Even a single click could be hazardous.
Read more »
Vulnerability Management
AI Security APRA Artificial Intelligence Banking Security Critical Infrastructure Cyber Threats Cybersecurity Mythos AI Vulnerability Management

Australia Demands Faster Cybersecurity Action to Address Mythos Activity


 

Australian financial regulators are increasingly concerned about the safety of frontier artificial intelligence platforms such as myth, and are reviewing their cybersecurity policies. A strong worded communication issued by the Australian Securities and Investments Commission on Friday stressed that financial institutions should no longer regard artificial intelligence-driven cyber exposure as a future threat, and that defensive controls, governance mechanisms, and operational resilience frameworks must be strengthened immediately. 

According to the regulator, the rapid integration of advanced artificial intelligence technologies within financial ecosystems is increasing the attack surface across critical systems, making robust cybersecurity preparedness an urgent priority. This increased regulatory focus comes as a result of ongoing government engagement with developers of advanced artificial intelligence systems, such as Anthropic, as officials attempt to assess the security implications of increasingly autonomous cyber capabilities. 

Tony Burke's spokesperson confirmed earlier this week that Australian authorities are actively coordinating with software vendors and artificial intelligence firms to ensure they remain informed of newly discovered vulnerabilities and evolving threats affecting critical infrastructure. 

It is unclear whether the government is directly participating in the restricted Mythos Preview platform of Anthropic or is participating only through advisory and intelligence sharing channels. However, the statement underscores growing institutional concerns regarding the operational risks posed by artificial intelligence security tools of the future.

A small group of major technology companies was given access to the platform instead of the platform being made available publicly, a practice that has sparked intense debate within the cybersecurity community. 

Some analysts believe the technology will accelerate vulnerability discovery and defensive research, while others warn that such concentrated offensive capabilities can pose significant systemic risks if compromised or misused. There have also been questions surrounding the credibility of claims made about Mythos’ capabilities, comparing them to previous industry claims about very capable artificial intelligence systems that did not live up to public expectations. 

Concerns raised by the Australian Prudential Regulation Authority have escalated further after it warned that the country's banking sector is falling behind artificial intelligence developments, in particular when it comes to cyber resilience and governance oversight. 

As stated in a formal communication addressed to financial institutions, APRA expressed concern that many existing information security frameworks are not evolving rapidly enough to address the operational risks introduced by frontier AI systems such as Anthropic's Mythos. 

APRA warned that rapidly evolving AI models could significantly increase the speed, scale, and precision of cyber intrusions by enabling automated vulnerability discovery and exploit development. An analysis of the industry by APRA indicated growing concerns regarding the potential material changes to the cybersecurity threat landscape for Australia's financial sector by high-capability AI systems with advanced coding capabilities. 

Project Glasswing, an initiative that involves a number of major technology companies such as Amazon, Microsoft, Nvidia, and Apple, specifically cited Anthropic’s Claude Mythos. A number of security experts have cautioned that systems capable of autonomously analyzing software architectures and identifying vulnerabilities can introduce unprecedented offensive potential if accessed by malicious actors. 

Despite the fact that Anthropic did not respond to the request for comment, regulators continue to assess the implications of artificial intelligence-driven cyber operations, as the scrutiny surrounding the platform continues to intensify. An increasing regulatory focus on frontier artificial intelligence reflects a general shift in cyber risk assessment across the financial sector, in which advanced AI capabilities and critical digital infrastructure are creating an increasingly volatile threat environment as a result of their convergence. 

The Australian government appears increasingly concerned that conventional security models may not be sufficient against AI-assisted intrusion techniques capable of speeding reconnaissance, vulnerability discovery, and large-scale exploitation. 

Since the announcement, there has been considerable debate within the cyber security and artificial intelligence sectors. Supporters have framed Mythos as a potentially transformative platform aimed at accelerating defensive security research and fundamentally transforming vulnerability management. In contrast, critics argue that concentrating such capabilities within a limited ecosystem would pose systemic severe risks if malicious actors were to leak, weaponize or replicate the technology.

A number of people have questioned whether the narrative surrounding Mythos is a reflection of true technological advancement or an attempt to gain market attention through fear-based security messaging. Furthermore, earlier claims regarding advanced AI models in the broader industry have been compared, including statements regarding OpenAI systems which were later criticized for a failure to match the public image of their capabilities with actual performance.

As financial institutions continue integrating AI into critical operations, regulators are signaling that stronger technical oversight, faster defensive adaptation, and deeper executive-level understanding of emerging technologies will become essential to maintaining resilience against increasingly sophisticated cyber threats

Read more »
Vulnerabilities and Exploits
Cisco CVSS DoS Server Software Vulnerabilities and Exploits

Cisco Warns of Network Management Flaw That Can Force Systems Offline Through Remote DoS Attacks




Cisco has disclosed a high-severity vulnerability affecting its network management platforms, Cisco Crosswork Network Controller and Cisco Network Services Orchestrator, which could allow remote attackers to crash vulnerable systems by exhausting their available connection resources.

The security issue, tracked as CVE-2026-20188, carries a CVSS score of 7.5. According to Cisco, the flaw can be exploited remotely without authentication, meaning an attacker does not need valid credentials or prior access to interfere with affected servers.

At the center of the problem is how the platforms manage incoming network connections. Cisco explained that the affected software does not properly control or restrict the rate of connection requests sent to the server. Because of this weakness, a malicious actor can continuously bombard the system with repeated requests until all available connection resources are consumed.

Once the systems run out of resources, both Cisco CNC and NSO can stop responding entirely. Administrators may lose access to management interfaces, while network operations that depend on these platforms can experience abrupt disruption.

Unlike temporary service slowdowns, the systems do not automatically recover after the overload occurs. Cisco stated that administrators must manually reboot the affected platforms to clear the exhausted resources and restore normal operations.

The company internally tracks the issue under Bug ID CSCwr08237. Cisco said the flaw originates from the connection-handling mechanisms used within both products.

Denial-of-service vulnerabilities of this kind are often disruptive because they target system availability rather than data theft. In enterprise environments, orchestration and network control platforms are responsible for coordinating automated processes, monitoring infrastructure, and managing service delivery across large networks. If these systems become unreachable, organizations can temporarily lose visibility into network operations and automated workflows.

Cisco is urging organizations using these products to immediately review their software versions and determine whether their environments are exposed.

For Cisco Crosswork Network Controller, the vulnerability affects version 7.1 and all earlier releases. Cisco confirmed that version 7.2 is not impacted, making upgrades necessary for organizations still operating older deployments.

The issue also affects several release branches of Cisco Network Services Orchestrator. Systems running version 6.3 or earlier remain vulnerable and require immediate updates. Cisco further confirmed that the flaw exists within the 6.4 release branch, although the issue was corrected beginning with version 6.4.1.3. Organizations operating NSO version 6.5 or later are not affected.

Cisco discovered the vulnerability internally while handling a routine Technical Assistance Center support case. At this time, the company’s Product Security Incident Response Team said it has not observed public proof-of-concept exploit code or evidence showing active attacks targeting the flaw.

Even so, the company warned that customers cannot rely on temporary mitigations to reduce exposure. Cisco stated there are currently no workarounds capable of preventing the resource exhaustion issue without affecting legitimate system functionality. Because of this, upgrading to patched software releases remains the only available method for fully securing vulnerable environments.

Security professionals have increasingly warned that resource exhaustion attacks continue to pose operational risks for enterprises because they can interrupt business-critical infrastructure without requiring sophisticated intrusion techniques. Attackers often exploit weaknesses in traffic handling, connection management, or request validation to overwhelm services and force outages.

Cisco is advising affected customers to schedule maintenance windows and deploy the recommended updates as quickly as possible to reduce the risk of service interruptions and administrative lockouts.

Read more »
X Platform
Algorithm Bias Criminal Investigation Cyber Crime Elon Musk French Probe X Platform

French Prosecutors Escalate Elon Musk X Probe to Criminal Investigation

 

French prosecutors have escalated their inquiry into Elon Musk and X into a criminal investigation, widening a case that already included allegations of algorithmic manipulation, improper data extraction, and harmful content on the platform. The move deepens a legal fight that has followed Musk’s company across Europe and adds fresh pressure on X’s leadership as regulators scrutinize how the platform operates inside France. 

Paris prosecutors say the investigation began after complaints in 2025 raised concerns that X’s recommendation systems may have influenced political discourse in France. The case later expanded to examine whether the platform’s chatbot Grok helped generate or spread content such as Holocaust denial, sexually explicit deepfakes, and material involving non-consensual or abusive imagery. French officials have also looked at whether X knowingly facilitated the creation and distribution of such content. 

According to reporting on the case, Musk and former X chief executive Linda Yaccarino were summoned for questioning on April 20, but neither appeared or cooperated with the interview request. Musk has previously rejected the allegations, calling the probe politically motivated and describing earlier enforcement actions as an attack. The French side has continued moving forward despite his objections. 

The investigation has broader implications because it touches on how social media platforms manage algorithms, user data, and AI-generated content. It also reflects a wider regulatory pattern in which governments are testing whether major tech companies can be held responsible for content moderation failures, platform design choices, and possible violations of local law. X has already faced similar scrutiny in other jurisdictions, adding to the company’s legal and reputational burden. 

There is also an international dimension to the dispute. Reports say the U.S. Department of Justice declined to assist French authorities, arguing that France was improperly interfering in an American company’s affairs. That leaves the case positioned not only as a criminal probe of X, but also as a test of how far national regulators can go when platform decisions and AI tools have cross-border effects.
Read more »
Data Stolen
AI Infrastructure Cyber Crime data steal Data Stolen

Hackers Attack School Login Pages After Another Instructure Breach

 

Instructure attacked 


Last week, edtech giant Instructure reported a data breach where threat actors stole students’ personal data: names, email addresses, and conversations between students and teachers. Hackers compromised Instructure again, destroying various schools’ login sites to the platform Canvas. Canvas allows schools to handle coursework and assignments and talk with the students. 

ShinyHunters claim responsibility Cybercrime gang ShinyHunters published a message on Canvas login pages of three distinct schools. An analysis of the compromised portals reveal that the hackers deployed an HTML file that compromised the login screens to show their message.  

According to the message, the hackers have threatened to leak the stolen data on May 12, if the organization does not settle the negotiations. 

Instructure’s website was partially online, and returned “too many requests” error. The organization’s portal showed a notice that said it was “currently undergoing scheduled maintenance.” 

Instructure has not replied to TechCrunch’s request for a comment. 

Attack tactic 


Earlier, ShinyHunters claimed accountability for the real hack, publishing it on its leak site, a website that threat actors use to post stolen data and blackmail victims into paying heavy ransoms. The aim is to extort Instructure into paying by not leaking the information on the web publicly. How threat actors compromised the login pages is still not clear. In a conversation with TechCrunch, ShinyHunter said that they couldn’t give specific details but said that this is a second breach. Extortion and data theft After the original breach at Instructure, threat actors claimed to have extorted information from 9,000 schools globally. The stolen files allegedly comprised data of 231 million people. ShinyHunters gang has attacked scores of victims in the last two years, using the same attack tactic: hack, leak, and extort. 

This took place in a unique hacking campaign, where an anonymous group of threat actors attacked systems already infected by an infamous hacking group called TeamPCP. Once the hackers gained access into these systems. After that, they removed TeamPCP hackers and turned off their tools, according to a report by cybersecurity firm SentinelOne.  

The impact 


Following this, the threat actors use their access to install code built to replicate across distinct cloud infrastructure such as a self-spreading worm, steal different credentials, and send the stolen data back to their infrastructure.  

TeamPCP is a criminal gang that has made headlines in recent times. It is due to their high-profile hacks– a broadcast cyberattack against highly used bug scanner tool Trivvy, a breach of the European Commission’s cloud infrastructure, which impacted any organization that used it: LiteLLM and AI recruiting startup Mercor, besides others.
Read more »
Hacking Group
Cyber Attacks Cyber Outage Digital Learning E-learning Facebook Canvas Hacker attack Hacking Group

Canvas Learning Platform Outage Disrupts Universities After ShinyHunters Cyberattack

 

Midday classes hit pause when Canvas went offline nationwide following a security alert that triggered emergency repairs. Though the issue began in Texas, ripple effects reached campuses far outside, cutting off vital links to homework and recorded lectures. When servers dropped, so did access - assignments vanished from view, gradebooks locked tight. Some professors switched to paper handouts; others postponed deadlines without warning. 

By evening, partial functions returned, though glitches lingered like static on a radio. Not every login worked smoothly, leaving doubts about full recovery. Reports suggest a connection between the incident and ShinyHunters, a hacking collective lately seen exploiting cloud systems by leveraging weak points in external service providers. Though details remain limited, evidence traces back to prior attacks where stolen information was used as leverage against corporate networks. 

Instead of relying on brute force, the group often manipulates access flaws within shared digital environments. While some breaches go unnoticed at first, forensic analysis later reveals patterns matching earlier intrusions tied to similar tactics. Later came confirmation from Instructure - Canvas's developer - that the platform had entered temporary maintenance mode after the event unfolded. Though restoration of service remained possible, according to officials, institutions using the system faced urgent hurdles just when course activities demanded stability. 

Despite assurances, timing turned problematic for schools depending heavily on seamless access at a pivotal point in the term. Midway through the week, campuses like Southern Methodist University felt the strain as systems went offline. Not far behind, the University of North Texas System faced similar disruptions, slowing down daily functions. At Baylor University, staff worked under pressure - rescheduling classes became a priority. Meanwhile, Tarrant County College saw delays ripple across departments. With email and portals unreliable, instructors adapted on the fly while leadership tried to reconnect threads. 

Because updates lagged, many waited hours just to confirm basic plans. Final exams set for Friday at Southern Methodist University got pushed to Sunday after a widespread system failure left services down. Because of the same national disruption, Baylor University rescheduled its tests too, alerting learners that interruptions might stretch on without clear timing. Officials admitted they lacked answers about how long things would stay broken - access may return in hours or drag into multiple days. 

Across town, the University of North Texas System cut off broad access to Canvas until faculty and tech experts figured out next steps for ongoing classes, scores, and year-end tests. Farther south, Tarrant County College acknowledged its digital crews were checking the breach, watching for ripples among learners and workers alike. Unexpected outages reveal how tightly schools now rely on centralised online learning systems. 

Not only do tools such as Canvas support daily teaching tasks, but they also handle submission tracking, feedback cycles, and course materials distribution. Should access fail, functions stall - particularly under pressure, like mid-semester assessments. Interruptions expose fragile infrastructure beneath routine digital workflows. What stands out is how this event ties into a wider pattern - cyber gangs increasingly going after schools and companies that run online platforms. 

Though they hold vast collections of student records and private details, many learning organizations lack strong digital defenses. Because of these gaps, threat actors see them as easier wins when chasing ransom payments. Still probing the incident, campuses now shift toward regular classes - though officials stay alert for leaked data. This disruption highlights once more that when hackers strike common online systems, ripple effects hit countless people at many schools all at once.
Read more »
Subscribe to: Posts (Atom)