Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
Stolen Credentials
Cyber Crime Data Theft Infostealer Russian Market Stolen Credentials

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed as one of the most popular places for purchasing and selling credentials stolen by info stealer malware. Although the marketplace has been functioning for almost six years and has grown in popularity by 2022, ReliaQuest believes that the Russian market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on the Russian market to chart the growth and decrease in popularity of specific info theft malware. Until recently, Lumma stole the majority of logs, accounting for 92% of all credentials sold on the Russian market. 

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuests reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's elimination. Acreed's rapid rise in the Russian market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz. 

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.
Read more »
tata company
cyber attack Cyber Attacks Data Theft M&S tata company

TCS Investigates Possible Link to M&S Cyberattack

 

Tata Consultancy Services (TCS), a leading Indian IT services firm under the Tata Group umbrella, is reportedly investigating whether its systems played any role in the recent ransomware attack that disrupted operations at British retail giant Marks & Spencer (M&S). 

The cyberattack, which occurred in late April 2025, was initially described by M&S as a “cyber incident.” However, subsequent reports confirmed it to be a ransomware assault that severely affected both in-store and online operations. Key services such as contactless payments and Click and Collect were disabled, while online orders came to a standstill. 

Several internal systems were reportedly taken offline as a containment measure. The prolonged disruption, lasting several weeks, had a significant impact on M&S’s business. The company’s market capitalization is estimated to have dropped by £1 billion, and there are allegations that customer data may have been compromised in the breach. 

As M&S continues recovery efforts, TCS is conducting a thorough internal investigation to determine whether any part of its infrastructure might have been involved in the incident. TCS has long been a key technology partner for M&S, which adds urgency to the ongoing review. The attack has once again brought cybersecurity solutions into focus. 

Platforms like Keeper Security, known for their zero-knowledge encryption-based password managers and digital vaults, are gaining traction. Keeper offers features such as two-factor authentication, secure file storage, dark web monitoring, and real-time breach alerts—tools that are increasingly vital in defending against sophisticated cyber threats like ransomware. 
Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
Postal Service
Amazon Brushing Scam customer privacy Cyber Fraud cyber threat Data Fraud data security Data Theft Postal Service

Brushing Scam Targets Amazon Customers with Unsolicited Packages and Hidden Cyber Threats

 

Ray Simmons was confused when he received an unexpected Amazon package containing beet chews. Initially, he thought it might be a joke from someone encouraging him to eat healthier. However, it turned out to be part of a broader scam known as “brushing,” where consumers receive unsolicited deliveries from online sellers attempting to manipulate product ratings and reviews. 

Brushing scams involve third-party sellers who send low-value goods to individuals whose names and addresses are often scraped from publicly available online sources. After the product is delivered, scammers use the recipient’s identity or create a fake account that resembles the recipient to leave positive reviews. These fake reviews can artificially boost a product’s credibility, helping it rank higher in search results and increasing sales. 

While receiving a free item might seem harmless, the scam carries hidden dangers. The U.S. Postal Inspection Service (USPIS) warns that these incidents indicate misuse of personal information. Even more concerning is the potential for packages to include QR codes, which might direct recipients to malicious websites. Scanning such codes can result in the installation of malware or the theft of personal data. 

The scam is a reminder that personal data is often accessible and can be exploited without a consumer’s knowledge. USPIS stresses the importance of not interacting with suspicious elements included in unsolicited packages. Inspector David Gealey noted that even though these items may appear insignificant, they are a signal that someone has unauthorized access to your personal information. 

Fortunately, the package Simmons received did not include a QR code. Nonetheless, he took immediate action by checking his Amazon and banking accounts for any signs of unauthorized access. This kind of vigilance is exactly what USPIS recommends for anyone in a similar situation. 

Authorities advise that recipients of such packages should not scan any QR codes or click on any related links. They also emphasize that there is no obligation to return unsolicited items. Instead, consumers should monitor their financial and e-commerce accounts for any suspicious activity and report the incident to local law enforcement, USPIS, or the Federal Trade Commission.  

Though brushing scams may appear to be minor nuisances, they reflect deeper issues related to data privacy and cyber fraud. Staying informed and cautious can help consumers protect themselves from further harm and support efforts to hold malicious actors accountable.
Read more »
Sensitive data
Cloud Security Cyber Attacks Data Theft Employee Training enterprise cybersecurity fake ads Malicious Ads ransomware attacks Ransomwares Sensitive data

Employee Monitoring Tool Kickidler Targeted in Ransomware Attacks

 

Cybersecurity researchers have discovered that cybercriminals are misusing a legitimate employee monitoring tool called Kickidler to execute targeted ransomware attacks. Originally developed to help businesses track productivity and ensure compliance, Kickidler offers features like real-time screen monitoring, keystroke logging, and activity tracking—functionalities that have now become attractive tools for threat actors. Security firms Varonis and Synacktiv have reported observing these attacks actively taking place. 

The attack campaign begins with malicious advertisements placed on the Google Ads network. These ads are cleverly designed to trick users searching for a legitimate utility called RVTools—a free Windows application used to connect to VMware vCenter or ESXi environments. Victims are lured into downloading a trojanized version of RVTools, which secretly installs a backdoor named SMOKEDHAM. Once SMOKEDHAM gains access to the system, attackers use it to deploy Kickidler, with a focus on targeting enterprise administrators. 

By infiltrating admin machines, the attackers can monitor keystrokes and capture sensitive data, such as credentials for off-site backups or cloud platforms. This method allows them to bypass more secure authentication systems that are often separated from Windows domains, a common defense strategy in many organizations. According to the researchers, the ransomware groups Qilin and Hunters International have been leveraging this approach to expand their reach within enterprise networks. 

These groups appear to be focusing on cloud backup systems and VMware ESXi infrastructure. Hunters International, in particular, was observed using VMware PowerCLI and WinSCP Automation tools to enable SSH access, deploy ransomware, and execute it on ESXi servers. Their payloads encrypted VMDK virtual hard disks, disrupting operations and access to virtual environments. 

One of the most concerning aspects of this campaign is how stealthily it operates. By capturing data directly from administrators’ screens and inputs, the attackers avoid using higher-risk tactics like memory dumps or privilege escalation, which are more likely to be flagged by security systems. The misuse of Kickidler demonstrates a growing trend of cybercriminals weaponizing legitimate enterprise tools to bypass traditional defenses and maintain stealth within targeted networks. 

These attacks highlight the need for increased vigilance around software downloads, especially from third-party sources, and reinforce the importance of strong endpoint protection, regular software audits, and employee awareness training. 

As cyberattacks grow more sophisticated, defenders must adapt by tightening controls, decoupling critical system access from everyday credentials, and monitoring for unusual activity—even from tools considered safe.
Read more »
Sensitive Information
Customer Data Cyber Attacks Data Leak Data protection data security Data Theft Employee Data Identity Theft Prevention Radio Station Sensitive Information

iHeartMedia Cyberattack Exposes Sensitive Data Across Multiple Radio Stations

 

iHeartMedia, the largest audio media company in the United States, has confirmed a significant data breach following a cyberattack on several of its local radio stations. In official breach notifications sent to affected individuals and state attorney general offices in Maine, Massachusetts, and California, the company disclosed that cybercriminals accessed sensitive customer information between December 24 and December 27, 2024. Although iHeartMedia did not specify how many individuals were affected, the breach appears to have involved data stored on systems at a “small number” of stations. 

The exact number of compromised stations remains undisclosed. With a network of 870 radio stations and a reported monthly audience of 250 million listeners, the potential scope of this breach is concerning. According to the breach notification letters, the attackers “viewed and obtained” various types of personal information. The compromised data includes full names, passport numbers, other government-issued identification numbers, dates of birth, financial account information, payment card data, and even health and health insurance records. 

Such a comprehensive data set makes the victims vulnerable to a wide array of cybercrimes, from identity theft to financial fraud. The combination of personal identifiers and health or insurance details increases the likelihood of victims being targeted by tailored phishing campaigns. With access to passport numbers and financial records, cybercriminals can attempt identity theft or engage in unauthorized transactions and wire fraud. As of now, the stolen data has not surfaced on dark web marketplaces, but the risk remains high. 

No cybercrime group has claimed responsibility for the breach as of yet. However, the level of detail and sensitivity in the data accessed suggests the attackers had a specific objective and targeted the breach with precision. 

In response, iHeartMedia is offering one year of complimentary identity theft protection services to impacted individuals. The company has also established a dedicated hotline for those seeking assistance or more information. While these actions are intended to mitigate potential fallout, they may offer limited relief given the nature of the exposed information. 

This incident underscores the increasing frequency and severity of cyberattacks on media organizations and the urgent need for enhanced cybersecurity protocols. For iHeartMedia, transparency and timely support for affected customers will be key in managing the aftermath of this breach. 

As investigations continue, more details may emerge regarding the extent of the compromise and the identity of those behind the attack.
Read more »
Sensitive data
Cyber Attacks Data Leak data security Data Theft Hacker attack Indian Cyber Security Pakistan Hacker Personal Data Sensitive data

Pakistan-Based Hackers Launch Cyber Attack on Indian Defence Websites, Claim Access to Sensitive Data

 

In a concerning escalation of cyber hostilities, a Pakistan-based threat group known as the Pakistan Cyber Force launched a coordinated cyber offensive on multiple Indian defence-related websites on Monday. The group claimed responsibility for defacing the official site of a Ministry of Defence public sector undertaking (PSU) and asserted that it had gained unauthorized access to sensitive information belonging to Indian defence personnel. According to reports, the targeted websites included those of the Military Engineering Service (MES) and the Manohar Parrikar Institute of Defence Studies and Analyses (MP-IDSA), both critical components in India’s defence research and infrastructure network. 

The group’s social media posts alleged that it had exfiltrated login credentials and personal data associated with defence personnel. One particularly alarming development was the defacement of the official website of Armoured Vehicle Nigam Limited (AVNL), a key PSU under the Ministry of Defence. The hackers replaced the homepage with the Pakistani flag and an image of the Al Khalid tank, a symbol of Pakistan’s military capabilities. A message reportedly posted on social platform X read, “Hacked. Your security is illusion. MES data owned,” followed by a list of names allegedly linked to Indian defence staff. 

Sources quoted by ANI indicated that there is a credible concern that personal data of military personnel may have been compromised during the breach. In response, authorities promptly took the AVNL website offline to prevent further exploitation and launched a full-scale forensic audit to assess the scope of the intrusion and restore digital integrity. Cybersecurity experts are currently monitoring for further signs of intrusion, especially in light of repeated cyber threats and defacement attempts linked to Pakistani-sponsored groups. 

The ongoing tensions between the two countries have only heightened the frequency and severity of such state-aligned cyber operations. This latest attack follows a pattern of provocative cyber incidents, with Pakistani hacker groups increasingly targeting sensitive Indian assets in attempts to undermine national security and sow discord. Intelligence sources are treating the incident as part of a broader information warfare campaign and have emphasized the need for heightened vigilance and improved cyber defense strategies. 

Authorities continue to investigate the breach while urging government departments and defense agencies to reinforce their cybersecurity posture amid rising digital threats in the region.
Read more »
Ransomwares
Cyber Attacks data security Data Theft Hacker attack Pharmaceutical Firms Ransom Demand Ransomware attack Ransomwares

Pune-Based Biopharma Company Hit by Ransomware Attack, Hackers Demand $80,000

 

A multinational biopharmaceutical company based in Pune has fallen victim to a sophisticated ransomware attack, with cybercriminals encrypting vital data and demanding $80,000 (over Rs 68 lakh) for its release. The attackers have also threatened to leak the stolen proprietary data on the dark web if the ransom is not paid, according to local police authorities. 

The incident came to light when a senior executive from the company’s Pune office lodged a complaint at the Cyber Crime Police Station of Pimpri Chinchwad on Monday evening. The attack was first identified on Sunday afternoon, prompting immediate concern due to the sensitivity of the data involved. According to initial investigations by cybercrime officials, the breach is believed to have occurred through a compromised endpoint device—most likely via a phishing email containing a malicious link. 

Once the attackers gained access to the internal network, they deployed ransomware to the company’s main server and extended it to more than a dozen connected servers. Sensitive data, including proprietary pharmaceutical formulations, manufacturing protocols, and confidential business documents, was then encrypted and locked. 

“A preliminary probe suggests that vulnerabilities in the company’s cybersecurity setup allowed the attackers to infiltrate its systems,” an officer from the Cyber Police Station said. “Unfortunately, a significant portion of the critical data was not backed up offline, leaving the organization exposed to potential data loss if the ransom is not paid.” The hackers have made it clear that if their ransom demand of $80,000 is not met, the stolen data will be sold on the dark web. 

So far, the company has not paid the ransom, and authorities are currently analyzing IP logs and other digital evidence to trace the origin of the attack. Cybercrime investigators have urged all businesses to strengthen their cybersecurity measures, including regularly backing up data offline, updating firewall configurations, and educating employees about phishing threats. “This incident is a wake-up call for organizations to prioritize robust digital security,” the officer added.  

Deputy Commissioner of Police (Crime) Sandeep Doiphode emphasized the growing need for enterprises to invest in both technology and skilled cybersecurity personnel. “This case underlines the urgent necessity for companies to stay ahead of evolving threats through both infrastructure and human resource development,” he said. Police also noted that ransomware attacks typically use phishing emails and exploit weak security protocols. Payments are often demanded in cryptocurrency, making the attackers harder to trace. 

The investigation remains ongoing.
Read more »
Sensitive Data Leak
cyber attack Cyber Warfare Cybersecurity Data Breach Data Theft Hacker attack Information Security Personal Data Breach Sensitive Data Leak

Jammu Municipal Corporation Targeted in Major Cyberattack, Sensitive Data Allegedly Stolen

 

In a significant breach of digital infrastructure, the Jammu Municipal Corporation (JMC) has fallen victim to a cyberattack believed to have resulted in the loss of vast amounts of sensitive data. According to high-level intelligence sources, the attackers managed to compromise the website, gaining access to critical records and databases that may include personally identifiable information such as Aadhaar numbers, property ownership documents, tax filings, infrastructure blueprints, and internal administrative communications.  

The breach, which occurred on Friday, has prompted an immediate investigation and system lockdown as cybersecurity teams race to contain the damage and begin recovery operations. Officials involved in the incident response have confirmed that website functionality has been suspended as data restoration processes are initiated. Top intelligence sources indicate that the attack bears hallmarks of Pakistan-sponsored cyber operations aimed at undermining India’s administrative framework. “These tactics are consistent with state-backed cyber warfare efforts targeting strategic and sensitive zones like Jammu and Kashmir,” said a senior intelligence official.

“The objective is often to destabilize public services and spread fear among the populace.” The JMC’s website is a key platform used to manage municipal services, property taxes, and local development projects. Its compromise has raised concerns about the broader implications for civic governance and the potential misuse of the stolen data.  

This latest breach follows a series of unsuccessful but alarming hacking attempts by groups linked to Pakistan. Just a day before the JMC attack, hacker collectives such as ‘Cyber Group HOAX1337’ and ‘National Cyber Crew’ reportedly targeted several Indian websites. Cybersecurity teams were able to detect and neutralize these threats before they could cause any major disruption. Among the recent targets were the websites of Army Public School Nagrota and Army Public School Sunjuwan. These were reportedly subjected to defacement attempts featuring inflammatory messages referencing the victims of the Pahalgam terror attack. 

In another incident, a portal catering to the healthcare needs of retired armed forces personnel was compromised and vandalized. Cybersecurity experts warn that such attacks often aim to disrupt not only public trust but also national morale. The recurring pattern of targeting vulnerable groups—such as schoolchildren and elderly veterans—further emphasizes the psychological warfare tactics employed by these groups. 

As recovery efforts continue, the Indian government is likely to review its cybersecurity protocols across public sector systems, especially in high-risk regions. Enhanced defense measures and greater inter-agency coordination are expected to follow. The investigation remains ongoing, and further updates are expected in the coming days.
Read more »
Remote Access Trojan
Data Breach data security Data Theft Fake Documents Fake PDF Info Stealer Malware Attack Malware Trojan Malwares Remote Access Trojan

Malware Hides in Fake PDF to DOCX Converters to Target Crypto Wallets and Steal Data

 

Cybercriminals have launched a deceptive malware campaign that disguises itself as online file converters, specifically targeting users searching for PDF to DOCX tools. This scheme uses convincing replicas of popular converter sites to execute hidden PowerShell scripts and deploy a Remote Access Trojan designed to steal sensitive data, including cryptocurrency wallets and browser credentials. 

Security researchers at CloudSEK investigated the threat following an FBI warning issued last month. They discovered that attackers are using a malware variant called Arechclient2, derived from the known info-stealing family SectopRAT. The campaign works by luring unsuspecting users to malicious websites that impersonate legitimate services like PDFCandy. These fake platforms feature realistic user interfaces, including loading indicators and CAPTCHA forms, to establish trust before delivering the malware. When a user attempts to convert a file, they are redirected multiple times before receiving a ZIP archive named “adobe.zip.” Inside the archive is the malicious payload, which installs the Arechclient2 Remote Access Trojan. 

This malware, active since 2019, is capable of scanning for browser-saved credentials, cryptocurrency wallet seed phrases, and even tapping into decentralized finance tools via Web3 APIs. Stephen Ajayi, Technical Lead at Hacken’s Dapp Audit division, explained that the malware not only lifts crypto wallet details but also enables attackers to “ghost-drain” assets after a transaction approval—making it especially dangerous for Web3 users. CloudSEK advises users to avoid downloading tools from unofficial or unverified sites, particularly free online file converters. Instead, they recommend trusted offline software or tools from official sources. 

They also warn that malicious files often disguise themselves using harmless-looking extensions, so users should inspect file types carefully and use reliable antivirus or endpoint detection software. Ajayi emphasized the importance of a proactive security mindset. “In cybersecurity, trust should be earned. Assume nothing is safe by default,” he said. He advised crypto users and general web users alike to adopt a zero-trust approach, keep their security tools updated, and monitor systems for unusual activity such as rogue msbuild.exe processes. 

As threats like these evolve, staying vigilant, maintaining strong security protocols, and preparing for worst-case scenarios are critical steps for avoiding compromise. Regular training and a well-tested incident response plan remain key defenses against such deceptive but damaging attacks.
Read more »
Ransomwares
Cyber Attacks cybercrime group cybercriminals data security Data Theft DOGE Dogecoin Elon Musk Ransom Demand Ransomware attack Ransomwares

Cybercriminals Behind DOGE Big Balls Ransomware Demand $1 Trillion, Troll Elon Musk

 

A cybercrime group notorious for its outrageous tactics has resurfaced with a ransomware attack demanding an unbelievable $1 trillion from its victims. The group, responsible for the DOGE Big Balls ransomware campaign, has updated its ransom demands with bizarre references to Elon Musk and the Dogecoin meme culture, blending humor with a highly dangerous threat.  

According to a report by Trend Micro researchers Nathaniel Morales and Sarah Pearl Camiling, the attackers are leveraging a modified form of the FOG ransomware to carry out these intrusions. The malware exploits a long-known Windows vulnerability (CVE-2015-2291) through a multi-step PowerShell script that allows deep access into infected systems. Delivered via deceptive shortcut files inside ZIP folders, the malware initiates a chain reaction to execute its payload. Though the ransom note may appear comical—mocking Musk’s past corporate directives and making false claims about stealing “trilatitude and trilongitude” coordinates—the security community warns against taking this threat lightly. 

The ransomware performs environment checks to avoid detection, analyzing machine specs, RAM, and registry entries to detect if it’s being run in a sandbox. If any signs of monitoring are detected, the malware will exit silently. The FBI, in its April 2025 Internet Crime Report, highlighted ransomware—particularly FOG variants—as a dominant threat, impacting critical infrastructure and organizations across the U.S. The report revealed over 100 known FOG ransomware infections between January and March 2025, making it the most reported strain of the year thus far. Beyond encryption, the malware also exfiltrates sensitive data and pressures victims to communicate via the Tor network for instructions. 

The attackers claim stolen files and urge victims not to involve law enforcement, adding a “don’t snitch now” line in their taunting ransom message. Despite its absurd tone, security leaders emphasize the seriousness of the attack. Dr. Ilia Kolochenko, CEO of ImmuniWeb, cautions that many victims discreetly pay ransoms to groups known for not leaking data—urging companies to seek legal and cybersecurity advice before making decisions. 

Although the group hides behind memes and internet jokes, their ability to cause significant operational and financial disruption is very real. Their humor might distract, but the threat demands urgent attention.
Read more »
Ransomware
Data Theft Hunters International malware Ransomware

Cybercrime Group Changes Plans: Drops Ransomware, Focuses on Data Theft

 



A cybercriminal group known for ransomware attacks has decided to stop using those methods and instead focus only on stealing information and demanding money in return. The group, called Hunters International, has rebranded and is now running a new operation.

This group had earlier announced in November 2024 that it would stop its activities. They claimed it was because of low profits and growing attention from police and other authorities. But cybersecurity experts discovered that the group didn’t actually stop – they just changed their approach.

Now, under a new name, World Leaks, the group has returned. Instead of locking people’s files and asking for payment to unlock them, they now secretly steal private data from computers and threaten to release it online unless they’re paid.

According to cybersecurity researchers at Group-IB, the people working with this group are being given a special tool. This software helps them quickly and quietly copy important files from an organization’s systems. It’s believed to be a newer version of a tool they’ve used in the past.

In their earlier version, Hunters International combined two actions: they locked systems (ransomware) and demanded money, and also stole data. But now, they are only stealing data and skipping the system lockout part, which brings less risk and may be harder for authorities to detect.

Hunters International first appeared in late 2023 and was suspected to be connected to an older cyber gang called Hive. Their malware could attack many types of computer systems, including those used by businesses, governments, and servers for virtual machines.

Since then, the group has been behind over 280 attacks on organizations across the globe. They’ve gone after major companies, government bodies, hospitals, and even defense-related firms. In one serious case, they threatened to release personal health records of over 800,000 patients if they weren’t paid.

The group has been targeting companies of all sizes. Experts have seen ransom demands vary, sometimes reaching millions, depending on how large or important the organization is.

Experts say that this shift shows how cybercriminals are always changing tactics to stay ahead. With ransomware becoming riskier and less profitable, many groups may now turn to stealing data as their main method.

To stay safe, organizations should improve their security systems, watch for unusual access, and take steps to protect sensitive data before it’s too late.


Read more »
trending news
cybersecurity news Data Theft malware trending news

ToddyCat Hackers Exploit ESET Vulnerability to Deploy Stealth Malware TCESB

 

A cyber-espionage group known as ToddyCat, believed to have ties to China, has been observed exploiting a security flaw in ESET’s software to deliver a new and previously undocumented malware strain called TCESB, according to fresh findings by cybersecurity firm Kaspersky. The flaw, tracked as CVE-2024-11859, existed in ESET’s Command Line Scanner. 

It improperly prioritized the current working directory when searching for the Windows system file “version.dll,” making it possible for attackers to substitute a malicious version of the file and gain control of the software’s behavior through a method known as DLL Search Order Hijacking. 

ESET has since released security updates in January 2025 to correct the issue, noting that attackers would still require administrative privileges to take advantage of the bug.  
Kaspersky’s research linked this technique to ToddyCat activity discovered in early 2024, where the suspicious “version.dll” file was planted in temporary directories on compromised systems. TCESB, the malware delivered via this method, had not been linked to the group before. It is engineered to evade monitoring tools and security defenses by executing payloads discreetly. 

TCESB is based on a modified version of the open-source tool EDRSandBlast, designed to tamper with low-level Windows kernel structures. It specifically targets mechanisms used by security solutions to track system events, effectively blinding them to malicious activity. To perform these actions, TCESB employs a Bring Your Own Vulnerable Driver (BYOVD) tactic, installing an outdated Dell driver (DBUtilDrv2.sys) that contains a known vulnerability (CVE-2021-36276). 

This method grants the malware elevated access to the system, enabling it to bypass protections and alter kernel processes. Similar drivers have been misused in the past, notably by other threat actors like the North Korea-linked Lazarus Group. Once the vulnerable driver is active, TCESB runs a loop that monitors for a payload file with a specific name. 

When the file appears, it is decrypted using AES-128 encryption and executed immediately. However, the payloads themselves were not recovered during analysis. Security analysts recommend that organizations remain vigilant by tracking the installation of drivers with known weaknesses and watching for kernel-level activity that shouldn’t typically occur, especially in environments not configured for debugging. The discovery further highlights ToddyCat’s ability to adapt and refine its tools. 

The group has been active since at least 2020, frequently targeting entities in the Asia-Pacific region with long-term, data-driven attacks.
Read more »
Smishing attack
cyber attack Data Theft News Smishing attack

Smishing Surge Expected in 2025 Driven by Sophisticated Phishing-as-a-Service Platform

Security researchers are sounding the alarm on a looming global wave of smishing attacks, warning that a powerful phishing-as-a-service (PhaaS) platform named Lucid—run by Chinese-speaking threat actors—is enabling cybercriminals to scale operations across 88 countries. 

According to threat intelligence firm Catalyst, Lucid has evolved from local-level operations into a globally disruptive tool, with a sharp increase in activity anticipated by early 2025. The platform allows attackers to send malicious links via Apple iMessage and Android’s Rich Communication Services, bypassing traditional telecom network filters. It also features a credit card validator, helping criminals confirm stolen financial information in real time. 

Lucid’s architecture offers an automated, subscription-based model that supports customizable phishing campaigns, leveraging anti-detection strategies like IP blocking, user-agent filtering, and time-limited URLs to avoid scrutiny. Threat actors using Lucid are increasingly impersonating trusted entities—such as government agencies, postal services, and toll collection services—to deceive victims and steal sensitive data. 

The U.S. has been hit particularly hard, with smishing scams prompting alerts from the FBI, FTC, state governments, and attorneys general. What sets Lucid apart is its efficiency and scale: researchers say it can send over 100,000 phishing messages per day. Its structure includes roles ranging from administrators to guest users, with weekly licensing options and automatic suspensions for non-renewal. 

These campaigns are notably effective, with a reported success rate of 5%. By operating over the internet and using device fingerprinting and geo-targeted phishing pages, Lucid boosts its reach while staying under the radar. 

It sources phone numbers through data breaches, OSINT, and darknet markets, making it one of the most sophisticated PhaaS platforms today—alongside others like Darcula and Lighthouse. As cybercriminals continue to embrace this plug-and-play model, experts fear smishing will become an even more pervasive threat in the months ahead.
Read more »
Data Theft
cyber attack Cyber Attacks data stone Data Theft

Check Point Downplays Hacker’s Claims Amid Alleged Data Breach

 

A hacker using the alias “CoreInjection” has claimed responsibility for stealing what they describe as a “highly sensitive” dataset from cybersecurity firm Check Point. 
According to several media reports, the alleged stolen data includes user login credentials, employee contracts, and internal network blueprints. Despite these claims, Check Point has downplayed the incident, describing it as an outdated and isolated event involving a single account with restricted access. 

The company emphasized that no customer systems, production environments, or core security infrastructure were affected. In an official statement, Check Point clarified that the incident had occurred months ago and was addressed at the time. 

The firm criticized the hacker’s claims as misleading, suggesting they are reusing old data to create a false narrative. Cybersecurity expert Alon Gal, CTO of Hudson Rock, expressed concerns over the situation, noting that there is a strong possibility the breach involved access to a privileged administrator account—though he acknowledged that the event has yet to be fully confirmed. 

This isn’t the first time Check Point has faced such scrutiny. In 2024, its VPN software was targeted by attackers attempting to exploit it to breach corporate networks. However, those efforts were largely unsuccessful, and the company quickly issued a straightforward fix. 

While Check Point continues to reassure stakeholders that no major security risk was posed, the incident highlights the persistent threats facing even the most established cybersecurity firms.
Read more »
Data Theft
AT&T cloud storage services CyberCrime cybercriminal arrests Data Breach Data Hackers data security Data Theft

Connor Moucka Extradited to U.S. for Snowflake Data Breaches Targeting 165 Companies

 

Connor Moucka, a Canadian citizen accused of orchestrating large-scale data breaches affecting 165 companies using Snowflake’s cloud storage services, has agreed to be extradited to the United States to face multiple federal charges. The breaches, which targeted high-profile companies like AT&T and Ticketmaster, resulted in the exposure of hundreds of millions of sensitive records. 

Moucka, also known by online aliases such as “Waifu,” “Judische,” and “Ellyel8,” was arrested in Kitchener, Ontario, on October 30, 2024, at the request of U.S. authorities. Last Friday, he signed a written agreement before the Superior Court of Justice in Kitchener, consenting to his extradition without the standard 30-day waiting period. The 26-year-old faces 20 charges in the U.S., including conspiracy to commit computer fraud, unauthorized access to protected systems, wire fraud, and aggravated identity theft. Prosecutors allege that Moucka, along with co-conspirator John Binns, extorted over $2.5 million from victims by stealing and threatening to expose their sensitive information. 

The data breaches tied to this cybercrime operation have had widespread consequences. In May 2024, Ticketmaster’s parent company, Live Nation, confirmed that data from 560 million users had been compromised and put up for sale on hacking forums. Other companies affected include Santander Bank, Advance Auto Parts, and AT&T, among others. Moucka and Binns are believed to be linked to “The Com,” a cybercriminal network involved in various illicit activities, including cyber fraud, extortion, and violent crimes. 

Another alleged associate, Cameron Wagenius, a 21-year-old U.S. Army soldier, was arrested in December for attempting to sell stolen classified information to foreign intelligence agencies. Wagenius has since indicated his intent to plead guilty. U.S. prosecutors claim Moucka and his associates launched a series of cyberattacks on Snowflake customers, gaining unauthorized access to corporate environments and exfiltrating confidential data. 
These breaches, described as among the most extensive cyberattacks in recent history, compromised sensitive 
records from numerous enterprises. While the exact date of Moucka’s extradition remains undisclosed, his case underscores the growing threat of cyber extortion and the increasing international cooperation in tackling cybercrime. His legal representatives have not yet issued a statement regarding the extradition or upcoming trial proceedings.
Read more »
Oracle Cloud
Data Breach Data Leak Data Theft Login Servers Oracle Cloud

Oracle Denies Claim of Server Breach

 

Following a threat actor's claim to be selling 6 million data records allegedly stolen from Oracle Cloud's federated SSO login servers, Oracle denies that it was compromised. 

“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company noted. 

This accusation follows the release of many text files yesterday by a threat actor going by the moniker rose87168, which included a sample database, LDAP details, and a list of the businesses they said were pilfered from Oracle Clouds' SSO platform.

The threat actor provided BleepingComputer with this URL as additional evidence that they were able to access Oracle Cloud servers. It displays an Internet Archive URL indicating that they submitted a.txt file to the login.us2.oraclecloud.com server that contained their ProtonMail email address.

The attackers uploaded a text file with their email address without having access to Oracle Cloud servers, as BleepingComputer explained when they got in touch with Oracle once more. 

Alleged Oracle data leak 

Rose87168 is currently offering the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community. The information, which included enterprise manager JPS keys, Java Keystore (JKS) files, and encrypted SSO passwords, was allegedly stolen during an intrusion into Oracle servers based in 'login.(region-name).oraclecloud.com'.

"The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.” 

They've also promised to share part of the data with anyone who can help decrypt the SSO or LDAP credentials. The threat actor told BleepingComputer that they acquired access to Oracle Cloud servers about 40 days ago and claimed to have emailed the firm after exfiltrating data from the US2 and EM2 regions.

In the email conversation, rose87168 said that they asked Oracle to pay 100,000 XMR for information on how they infiltrated the systems, but the company allegedly refused to pay after requesting for "all information needed for fix and patch.” 

When questioned how they breached the servers, the attackers stated that all Oracle Cloud servers are running a vulnerable version with a public CVE (flaw) that does not yet have a public PoC or exploit. However, BleepingComputer was unable to independently verify whether this was the case.
Read more »
Personal Data
Bank CyberSecurity Bank Data Leak Cleo Server CLOP Customer Data Data Breach Data Leak Data Theft Identity Theft Personal Data

Western Alliance Bank Data Breach Exposes Nearly 22,000 Customers’ Personal Information

 

Western Alliance Bank has alerted nearly 22,000 customers that their personal information was compromised following a cyberattack in October. The breach stemmed from a vulnerability in a third-party vendor’s secure file transfer software, which allowed attackers to gain unauthorized access to the bank’s systems and extract sensitive customer data. 

Western Alliance, a subsidiary of Western Alliance Bancorporation with over $80 billion in assets, first disclosed the incident in a February SEC filing. The bank revealed that hackers exploited a zero-day vulnerability in the software, which was officially disclosed on October 27, 2024. However, unauthorized access to the bank’s systems had already occurred between October 12 and October 24. The breach was only confirmed after the attackers leaked stolen files online. 

According to breach notification letters sent to 21,899 affected customers and filed with the Office of Maine’s Attorney General, the stolen data includes names, Social Security numbers, birth dates, financial account details, driver’s license numbers, tax identification numbers, and passport information if previously provided to the bank. Despite the exposure, Western Alliance stated there is no evidence of fraud or identity theft resulting from the breach. 

To support affected customers, the bank is offering one year of free identity protection services through Experian IdentityWorks Credit 3B. Although Western Alliance did not disclose the name of the compromised software in its SEC filing or customer notifications, the Clop ransomware gang has claimed responsibility for the attack. In January, Clop listed the bank among 58 companies targeted in a campaign that exploited a critical zero-day vulnerability (CVE-2024-50623) in Cleo LexiCom, VLTransfer, and Harmony software. 

The ransomware group had previously leveraged similar security flaws in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct large-scale data theft operations. Further investigations revealed that Clop exploited an additional zero-day vulnerability (CVE-2024-55956) in Cleo software in December. This allowed them to deploy a Java-based backdoor, dubbed “Malichus,” enabling deeper infiltration into victims’ networks. Cleo, which serves over 4,000 organizations worldwide, confirmed the vulnerability had been used to install malicious backdoor code in affected instances of its Harmony, VLTrader, and LexiCom software. 

The full extent of the breach remains unclear, but it highlights the growing risks posed by vulnerabilities in third-party software. Organizations relying on such solutions must remain vigilant, promptly apply security patches, and implement robust defenses to prevent similar incidents.
Read more »
Malwares
Cyber Attacks cybercriminals data security Data Theft Hackers Infostealer Infostealer Malware Malware attacks Malwares

The Growing Threat of Infostealer Malware: What You Need to Know

 

Infostealer malware is becoming one of the most alarming cybersecurity threats, silently stealing sensitive data from individuals and organizations. This type of malware operates stealthily, often going undetected for long periods while extracting valuable information such as login credentials, financial details, and personal data. As cybercriminals refine their tactics, infostealer attacks have become more frequent and sophisticated, making it crucial for users to stay informed and take preventive measures. 

A significant reason for concern is the sheer scale of data theft caused by infostealers. In 2024 alone, security firm KELA reported that infostealer malware was responsible for leaking 3.9 billion passwords and infecting over 4.3 million devices worldwide. Similarly, Huntress’ 2025 Cyber Threat Report revealed that these threats accounted for 25% of all cyberattacks in the previous year. This data highlights the growing reliance of cybercriminals on infostealers as an effective method of gathering personal and corporate information for financial gain. 

Infostealers operate by quietly collecting various forms of sensitive data. This includes login credentials, browser cookies, email conversations, banking details, and even clipboard content. Some variants incorporate keylogging capabilities to capture every keystroke a victim types, while others take screenshots or exfiltrate files. Cybercriminals often use the stolen data for identity theft, unauthorized financial transactions, and large-scale corporate breaches. Because these attacks do not immediately disrupt a victim’s system, they are harder to detect, allowing attackers to extract vast amounts of information over time. Hackers distribute infostealer malware through multiple channels, making it a widespread threat. 

Phishing emails remain one of the most common methods, tricking victims into downloading infected attachments or clicking malicious links. However, attackers also embed infostealers in pirated software, fake browser extensions, and even legitimate platforms. For example, in February 2025, a game called PirateFi was uploaded to Steam and later found to contain infostealer malware, compromising hundreds of devices before it was removed. Social media platforms, such as YouTube and LinkedIn, are also being exploited to spread malicious files disguised as helpful tools or software updates. 

Beyond stealing data, infostealers serve as an entry point for larger cyberattacks. Hackers often use stolen credentials to gain unauthorized access to corporate networks, paving the way for ransomware attacks, espionage, and large-scale financial fraud. Once inside a system, attackers can escalate their access, install additional malware, and compromise more critical assets. This makes infostealer infections not just an individual threat but a major risk to businesses and entire industries.  

The prevalence of infostealer malware is expected to grow, with attackers leveraging AI to improve phishing campaigns and developing more advanced evasion techniques. According to Check Point’s 2025 Cybersecurity Report, infostealer infections surged by 58% globally, with Europe, the Middle East, and Africa experiencing some of the highest increases. The SYS01 InfoStealer campaign, for instance, impacted millions across multiple continents, showing how widespread the issue has become. 

To mitigate the risks of infostealer malware, individuals and organizations must adopt strong security practices. This includes using reliable antivirus software, enabling multi-factor authentication (MFA), and avoiding downloads from untrusted sources. Regularly updating software and monitoring network activity can also help detect and prevent infections. Given the growing threat, cybersecurity awareness and proactive defense strategies are more important than ever.
Read more »
Sensitive Data Leak
Cyber Attacks Data Leak data security Data Theft IT Systems Ransomware attack Ransomware group Ransomwares Sensitive Data Leak

Tata Technologies Cyberattack: Hunters International Ransomware Gang Claims Responsibility for 1.4TB Data Theft

 

Hunters International, a ransomware group known for high-profile cyberattacks, has claimed responsibility for a January 2025 cyberattack on Tata Technologies. The group alleges it stole 1.4TB of sensitive data from the company and has issued a threat to release the stolen files if its ransom demands are not met. Tata Technologies, a Pune-based global provider of engineering and digital solutions, reported the cyberattack in January. 

The company, which operates in 27 countries with over 12,500 employees, offers services across the automotive, aerospace, and industrial sectors. At the time of the breach, Tata Technologies confirmed that the attack had caused disruptions to certain IT systems but stated that client delivery services remained unaffected. The company also assured stakeholders that it was actively restoring impacted systems and conducting an internal investigation with cybersecurity experts. 

However, more than a month later, Hunters International listed Tata Technologies on its dark web extortion page, taking responsibility for the attack. The group claims to have exfiltrated 730,000 files, totaling 1.4TB of data. While the ransomware gang has threatened to publish the stolen files within a week if a ransom is not paid, it has not provided any samples or disclosed the nature of the compromised documents. Tata Technologies has yet to release an update regarding the breach or respond to the hackers’ claims. 

BleepingComputer, a cybersecurity news platform, attempted to contact the company for a statement but did not receive an immediate response. Hunters International emerged in late 2023, suspected to be a rebranded version of the Hive ransomware group. Since then, it has carried out multiple high-profile attacks, including breaches of Austal USA, a U.S. Navy contractor, and Japanese optics company Hoya. 

The group has gained notoriety for targeting various organizations without ethical restraint, even engaging in extortion schemes against individuals, such as cancer patients from Fred Hutchinson Cancer Center. Although many of the gang’s claims have been verified, some remain disputed. For example, in August 2024, the U.S. Marshals Service denied that its systems had been compromised, despite Hunters International’s assertions.  

With cybercriminals continuing to exploit vulnerabilities, the Tata Technologies breach serves as another reminder of the persistent and evolving threats posed by ransomware groups.
Read more »
Subscribe to: Posts (Atom)