Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
Data Theft
CISA CISA advisory CVE CVE exploits CVEs Cyber Attacks Cyber Exploits Cyber flaws Cyber Vulnerabilities Data protection data security Data Theft

CISA Urges Immediate Patching of Critical SysAid Vulnerabilities Amid Active Exploits

 

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert about two high-risk vulnerabilities in SysAid’s IT service management (ITSM) platform that are being actively exploited by attackers. These security flaws, identified as CVE-2025-2775 and CVE-2025-2776, can enable unauthorized actors to hijack administrator accounts without requiring credentials. 

Discovered in December 2024 by researchers at watchTowr Labs, the two vulnerabilities stem from XML External Entity (XXE) injection issues. SysAid addressed these weaknesses in March 2025 through version 24.4.60 of its On-Premises software. However, the urgency escalated when proof-of-concept code demonstrating how to exploit the flaws was published just a month later, highlighting how easily bad actors could access sensitive files on affected systems. 

Although CISA has not provided technical specifics about the ongoing attacks, it added the vulnerabilities to its Known Exploited Vulnerabilities Catalog. Under Binding Operational Directive 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems by August 12. CISA also strongly recommends that organizations in the private sector act swiftly to apply the necessary updates, regardless of the directive’s federal scope. 

“These vulnerabilities are commonly exploited by malicious cyber actors and present serious threats to government systems,” CISA stated in its warning. SysAid’s On-Prem solution is deployed on an organization’s internal infrastructure, allowing IT departments to manage help desk tickets, assets, and other services. According to monitoring from Shadowserver, several dozen SysAid installations remain accessible online, particularly in North America and Europe, potentially increasing exposure to these attacks. 

Although CISA has not linked these specific flaws to ransomware campaigns, the SysAid platform was previously exploited in 2023 by the FIN11 cybercrime group, which used another vulnerability (CVE-2023-47246) to distribute Clop ransomware in zero-day attacks. Responding to the alert, SysAid reaffirmed its commitment to cybersecurity. “We’ve taken swift action to resolve these vulnerabilities through security patches and shared the relevant information with CISA,” a company spokesperson said. “We urge all customers to ensure their systems are fully up to date.” 

SysAid serves a global clientele of over 5,000 organizations and 10 million users across 140 countries. Its user base spans from startups to major enterprises, including recognized brands like Coca-Cola, IKEA, Honda, Xerox, Michelin, and Motorola.
Read more »
Windows
Coyote Data Theft malware Microsoft UIA Windows

New Coyote Malware Variant Exploits Windows Accessibility Tool for Data Theft

 




A recently observed version of the banking malware known as Coyote has begun using a lesser-known Windows feature, originally designed to help users with disabilities, to gather sensitive information from infected systems. This marks the first confirmed use of Microsoft’s UI Automation (UIA) framework by malware for this purpose in real-world attacks.

The UI Automation framework is part of Windows’ accessibility system. It allows assistive tools, such as screen readers, to interact with software by analyzing and controlling user interface (UI) elements, like buttons, text boxes, and navigation bars. Unfortunately, this same capability is now being turned into a tool for cybercrime.


What is the malware doing?

According to recent findings from cybersecurity researchers, this new Coyote variant targets online banking and cryptocurrency exchange platforms by monitoring user activity on the infected device. When a person accesses a banking or crypto website through a browser, the malware scans the visible elements of the application’s interface using UIA. It checks things like the tab names and address bar to figure out which website is open.

If the malware recognizes a target website based on a preset list of 75 financial services, it continues tracking activity. This list includes major banks and crypto platforms, with a focus on Brazilian users.

If the browser window title doesn’t give away the website, the malware digs deeper. It uses UIA to scan through nested elements in the browser, such as open tabs or address bars, to extract URLs. These URLs are then compared to its list of targets. While current evidence shows this technique is being used mainly for tracking, researchers have also demonstrated that it could be used to steal login credentials in the future.


Why is this alarming?

This form of cyberattack bypasses many traditional security tools like antivirus programs or endpoint detection systems, making it harder to detect. The concern grows when you consider that accessibility tools are supposed to help people with disabilities not become a pathway for cybercriminals.

The potential abuse of accessibility features is not limited to Windows. On Android, similar tactics have long been used by malicious apps, prompting developers to build stricter safeguards. Experts believe it may now be time for Microsoft to take similar steps to limit misuse of its accessibility systems.

While no official comment has been made regarding new protections, the discovery highlights how tools built for good can be misused if not properly secured. For now, the best defense remains being careful, both from users and from developers of operating systems and applications.



Read more »
protecting sensitive data
Data Breach Data Sale data security Data Stolen Data Theft Database Leaked Database Security Infostealer Personal Data Personal Information protecting sensitive data

Startup Sells Stolen Personal Data Online for $50, Raising Alarms Over Privacy and Ethics

 

A new controversy is brewing over a U.S.-based startup accused of making stolen personal data widely accessible—for as little as $50. Farnsworth Intelligence, founded by 23-year-old Aidan Raney, is openly marketing a product called “Infostealers,” which allows customers to search a massive database of sensitive information, including passwords, browser autofill data, and private account credentials. 

According to investigative reporting by 404 Media, this information isn’t simply scraped from public directories or legally collected sources. Instead, it appears to come directly from major data breaches—information illegally obtained from hacked websites and platforms. Users can buy access through the company’s online portal, Infostealers.info, raising serious questions about the legality and ethics of such transactions. 

While services like people-search websites have long existed, Farnsworth’s platform seems to go far beyond what’s commonly available. Some of the information for sale includes usernames, passwords, browser history, addresses saved in auto-fill fields, and more—data types typically leaked only after breaches. Their advanced offering, the Infostealer Data Platform, promises even deeper access. Although not available to everyone, it can be granted upon request for uses like journalism, cybersecurity, private investigations, or law enforcement. The company doesn’t appear to require a court order or warrant for access. 

Farnsworth Intelligence makes bold claims about its reach and capabilities. Its website boasts about human intelligence operations and even claims to have infiltrated a North Korean laptop farm via social engineering. It promotes use cases like “corporate due diligence,” “background checks,” and “asset searches,” without clearly explaining how it acquires its “trillions” of data points. The lack of transparency, coupled with the open sale of sensitive data, is alarming. 

Experts argue that while security researchers and cybersecurity firms often monitor breach data to help protect users, monetizing it so brazenly is a different matter entirely. As Cooper Quintin from the Electronic Frontier Foundation notes, “It would be illegal and unethical to sell stolen cell phones even if you didn’t steal them yourself, and I don’t see how this is any different.”  

Even more concerning is the potential for abuse. With no real verification or oversight, bad actors—including stalkers or authoritarian agencies—could exploit this platform to target individuals, especially those already at risk. The implications for personal safety, privacy rights, and digital ethics are profound. 

This development underscores how data breaches don’t just disappear—they become weapons for profit in the wrong hands.
Read more »
protecting sensitive data
Chinese Hackers Cyber Attacks cyber espionage cybercriminal group Cyberthreatm Salt Typhoon Hacks data security Data Theft DHS Hacker attack Hacker group protecting sensitive data

Chinese Hacker Group Salt Typhoon Breaches U.S. National Guard Network for Nine Months

 

An elite Chinese cyber-espionage group known as Salt Typhoon infiltrated a U.S. state’s Army National Guard network for nearly nine months, according to a classified Pentagon report revealed in a June Department of Homeland Security (DHS) memo. The memo, obtained by the nonprofit Property of the People through a freedom of information request, indicates the hackers had deep access between March and December 2024, raising alarms about compromised military or law enforcement data. 

Salt Typhoon has previously been linked to some of the most expansive cyber-intrusions into American infrastructure. This latest revelation suggests their reach was even broader than earlier believed. Authorities are still investigating the full extent of data accessed, including sensitive internal documents, personal information of service members, and network architecture diagrams. The affected state’s identity remains undisclosed. 

The Department of Defense declined to comment on the matter, while a spokesperson from the National Guard Bureau confirmed the breach but assured that the incident did not hinder any ongoing state or federal missions. Investigations are ongoing to determine the scope and potential long-term impact of the breach. 

China’s embassy in Washington did not directly deny the allegations but claimed the U.S. had not provided concrete evidence linking Salt Typhoon to the Chinese government. They reiterated that cyberattacks are a global threat and that China also faces similar risks. 

Salt Typhoon is particularly notorious for its ability to infiltrate and pivot across different networks. In a prior campaign, the group was linked to breaches at major telecom companies, including AT&T and Verizon, where hackers allegedly monitored text messages and calls tied to U.S. political figures, including both Trump and Harris campaigns and Senate Majority Leader Chuck Schumer’s office.

The hybrid structure of the National Guard — functioning under both federal and state authority — may have provided a wider attack surface. According to the DHS memo, the group may have obtained intelligence that could be used to compromise other states’ National Guard units and their local cybersecurity partners. Fourteen state National Guard units reportedly share intelligence with local fusion centers, potentially magnifying the risk. 

In January 2025, the U.S. Treasury Department sanctioned a company in Sichuan believed to be facilitating Salt Typhoon operations for China’s Ministry of State Security. Past incidents have shown that Salt Typhoon can maintain access for years, making complete removal and defense particularly challenging.
Read more »
Russian APT28
Data Theft LameHug LLM malware Russian APT28

LameHug Malware Crafts Real-Time Windows Data-Theft Commands Using AI LLM

 

LameHug, a novel malware family, generates commands for execution on compromised Windows systems using a large language model (LLM). 

Russia-backed threat group APT28 (also known as Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, and Forest Blizzard) was attributed for the assaults after LameHug was identified by Ukraine's national cyber incident response team (CERT-UA). Written in Python, the malware communicates with the Qwen 2.5-Coder-32B-Instruct LLM via the Hugging Face API, which allows it to generate commands in response to prompts. 

Alibaba Cloud developed the LLM, which is open-source and designed to produce code, reason, and follow coding-focused instructions. It can translate natural language descriptions into executable code (in several languages) or shell commands. CERT-UA discovered LameHug after receiving reports on July 10 of malicious emails received from hacked accounts impersonating ministry officials and attempting to disseminate malware to executive government organisations.

The emails include a ZIP attachment that contains a LameHub loader. CERT-UA identified at least three variants: 'Attachment.pif,' 'AI_generator_uncensored_Canvas_PRO_v0.9.exe,' and 'image.py.’ 

With a medium degree of confidence, the Ukrainian agency links this action to the Russian threat group APT28. In the reported attacks, LameHug was tasked with carrying out system reconnaissance and data theft directives generated dynamically by the LLM. LameHug used these AI-generated instructions to gather system information and save it to a text file (info.txt), recursively search for documents in critical Windows directories (Documents, Desktop, Downloads), then exfiltrate the data over SFTP or HTTP POST. 

LameHug is the first publicly known malware that uses LLM to carry out the attacker's duties. From a technical standpoint, this could signal a new attack paradigm in which threat actors can modify their techniques throughout a compromise without requiring new payloads. 

Furthermore, employing Hugging Face infrastructure for command and control may help to make communication more stealthy, allowing the intrusion to remain undetected for a longer period of time. The malware can also avoid detection by security software or static analysis tools that search for hardcoded commands by employing dynamically generated commands. CERT-UA did not specify if LameHug's execution of the LLM-generated commands was successful.
Read more »
Ransomwares
Cyber Attacks Data Leak data security Data Theft DragonForce DragonForce Ransomware Group Hacker attack Hacking Group Ransomware attack Ransomware group Ransomwares

Belk Hit by Ransomware Attack as DragonForce Claims Responsibility for Data Breach

 

The department store chain Belk recently became the target of a ransomware attack, with the hacking group DragonForce taking responsibility for the breach. The cybercriminals claim to have stolen 156 GB of sensitive data from the company’s systems in early May. 

JP Castellanos, Director of Threat Intelligence at cybersecurity firm Binary Defense, stated with high confidence that DragonForce is indeed behind the incident. The company, based in Ohio, specializes in threat detection and digital forensics. During an investigation of dark web forums on behalf of The Charlotte Observer, Castellanos found that DragonForce had shared samples of the stolen data online. 

In a message directed at Belk, the group stated that its original aim wasn’t to damage the company but to push it into acknowledging its cybersecurity failures. DragonForce claims Belk declined to meet ransom demands, which ultimately led to the data being leaked, affecting numerous individuals. 

Following the breach, Belk has been named in multiple lawsuits. The complaints allege that the company not only failed to protect sensitive personal information but also delayed disclosing the breach to the public. Information accessed by the attackers included names, Social Security numbers, and internal documentation related to employees and their families. 

The cyberattack reportedly caused a complete systems shutdown across Belk locations between May 7 and May 11. According to a formal notice submitted to North Carolina’s Attorney General, the breach was discovered on May 8 and disclosed on June 4. The total number of affected individuals was 586, including 133 residents of North Carolina. 

The stolen files contained private details such as account numbers, driver’s license data, passport information, and medical records. Belk responded by initiating a full-scale investigation, collaborating with law enforcement, and enhancing their digital security defenses. On June 5, Belk began notifying those impacted by the attack, offering one year of free identity protection services. These services include credit and dark web monitoring, as well as identity restoration and insurance coverage worth up to $1 million. 

Despite these actions, Belk has yet to issue a public statement or respond to ongoing media inquiries. DragonForce, identified by experts as a hacktivist collective, typically exploits system vulnerabilities to lock down company networks, then demands cryptocurrency payments. If the demands go unmet, the stolen data is often leaked or sold. 

In Belk’s case, the group did not list a price for the compromised data. Castellanos advised anyone who has shopped at Belk to enroll in credit monitoring as a precaution. Belk, which was acquired by Sycamore Partners in 2015, has been working through financial challenges in recent years, including a short-lived bankruptcy filing in 2021. 

The retailer, now operating nearly 300 stores across 16 southeastern U.S. states, continues to rebuild its financial footing amid cybersecurity and operational pressures.
Read more »
Patient Data
Data Analytics Agency Data Breach Data Leak Data Privacy data security Data Theft Healthcare Healthcare Data Healthcare Security Patient Data

Episource Healthcare Data Breach Exposes Personal Data of 5.4 Million Americans

 

In early 2025, a cyberattack targeting healthcare technology provider Episource compromised the personal and medical data of over 5.4 million individuals in the United States. Though not widely known to the public, Episource plays a critical role in the healthcare ecosystem by offering medical coding, risk adjustment, and data analytics services to major providers. This makes it a lucrative target for hackers seeking access to vast troves of sensitive information. 

The breach took place between January 27 and February 6. During this time, attackers infiltrated the company’s systems and extracted confidential data, including names, addresses, contact details, Social Security numbers, insurance information, Medicaid IDs, and medical records. Fortunately, no banking or payment card information was exposed in the incident. The U.S. Department of Health and Human Services reported the breach’s impact affected over 5.4 million people. 

What makes this breach particularly concerning is that many of those affected likely had no direct relationship with Episource, as the company operates in the background of the healthcare system. Its partnerships with insurers and providers mean it routinely processes massive volumes of personal data, leaving millions exposed when its security infrastructure fails. 

Episource responded to the breach by notifying law enforcement, launching an internal investigation, and hiring third-party cybersecurity experts. In April, the company began sending out physical letters to affected individuals explaining what data may have been exposed and offering free credit monitoring and identity restoration services through IDX. These notifications are being issued by traditional mail rather than email, in keeping with standard procedures for health-related data breaches. 

The long-term implications of this incident go beyond individual identity theft. The nature of the data stolen — particularly medical and insurance records combined with Social Security numbers — makes those affected highly vulnerable to fraud and phishing schemes. With full profiles of patients in hand, cybercriminals can carry out advanced impersonation attacks, file false insurance claims, or apply for loans in someone else’s name. 

This breach underscores the growing need for stronger cybersecurity across the healthcare industry, especially among third-party service providers. While Episource is offering identity protection to affected users, individuals must remain cautious by monitoring accounts, being wary of unknown communications, and considering a credit freeze as a precaution. As attacks on healthcare entities become more frequent, robust data security is no longer optional — it’s essential for maintaining public trust and protecting sensitive personal information.
Read more »
North Korea cyberattack
Apple Apple MacOS Blockchain Blockchain Technology Crypto Attack crypto community cryptocurrency Cyber Attacks data security Data Theft Mac Mac Malware Malware Attack Malwares North Korea cyberattack

North Korean Malware Targets Mac Users in Crypto Sector via Calendly and Telegram

 

Cybersecurity researchers have identified a sophisticated malware campaign targeting Mac users involved in blockchain technologies. According to SentinelLabs, the attack has been linked to North Korean threat actors, based on an investigation conducted by Huntabil.IT. 

The attack method is designed to appear as a legitimate interaction. Victims are contacted via Telegram, where the attacker impersonates a known associate or business contact. They are then sent a meeting invite using Calendly, a widely-used scheduling platform. The Calendly message includes a link that falsely claims to be a “Zoom SDK update script.” Instead, this link downloads malware specifically designed to infiltrate macOS systems. 

The malware uses a combination of AppleScript, C++, and the Nim programming language to evade detection. This mix is relatively novel, especially the use of Nim in macOS attacks. Once installed, the malware gathers a broad range of data from the infected device. This includes system information, browser activity, and chat logs from Telegram. It also attempts to extract login credentials, macOS Keychain passwords, and data stored in browsers like Arc, Brave, Firefox, Chrome, and Microsoft Edge. Interestingly, Safari does not appear to be among the targeted applications. 

While the campaign focuses primarily on a niche audience—Mac users engaged in crypto-related work who use Calendly and Telegram—SentinelLabs warns that the tactics employed could signal broader threats on the horizon. The use of obscure programming combinations to bypass security measures is a red flag for potential future campaigns targeting a wider user base. 

To safeguard against such malware, users are advised to avoid downloading software from public code repositories or unofficial websites. While the Mac App Store is considered the safest source for macOS applications, software downloaded directly from reputable developers’ websites is generally secure. Users who rely on pirated or cracked applications remain at significantly higher risk of infection. 

Cyber hygiene remains essential. Never click on suspicious links received via email, text, or social platforms, especially from unknown or unverified sources. Always verify URLs by copying and pasting them into a text editor to see their true destination before visiting. It’s also crucial to install macOS security updates promptly, as these patches address known vulnerabilities.  

For additional protection, consider using trusted antivirus software. Guides from Macworld suggest that while macOS has built-in security, third-party tools like Intego can offer enhanced protection. As malware campaigns evolve in complexity and scope, staying vigilant is the best defense.
Read more »
trending cybersecurity news
Data Breach Data Leakage Data Theft News Ransomware trending cybersecurity news

Chaos Ransomware Strikes Optima Tax Relief, Leaks 69GB of Sensitive Customer Data

 

In a significant cybersecurity incident impacting the financial services sector, U.S.-based tax resolution firm Optima Tax Relief has reportedly suffered a ransomware attack orchestrated by the Chaos ransomware group. The attackers have allegedly exfiltrated and leaked approximately 69GB of data, including confidential corporate records and sensitive personal tax files.

The exposed information reportedly includes Social Security numbers, home addresses, phone contacts, and banking details — all highly valuable to identity fraudsters. Given the nature of tax records, cybersecurity experts caution that the risks for affected individuals could extend for years, as this type of data cannot simply be changed like passwords.

Chaos Group Increases Aggression 

The ransomware group behind the attack, known as Chaos, has been active since March 2025 and is rapidly gaining notoriety for targeting organisations with vast stores of personally identifiable information (PII). Unlike the earlier Chaos ransomware builder seen in 2021, this iteration appears to be a more organised threat actor, employing a strategic approach in selecting its victims. This isn’t their first major claim. In May, Chaos asserted responsibility for a breach involving The Salvation Army, though that incident has yet to be independently verified. 

Silence from Optima Raises Questions 

Optima Tax Relief has yet to release a public statement or acknowledge the breach, prompting concerns among cybersecurity professionals and affected customers. It is still unclear whether the company has reported the incident to federal authorities or regulators. The lack of transparency is drawing criticism over potential lapses in consumer notification, data handling, and compliance with data protection regulations. 

Recommendations for Affected Individuals For anyone who has previously engaged Optima's services, cybersecurity analysts recommend treating their personal information as compromised. Immediate protective steps include: 

1. Enrolling in identity theft protection services that offer credit and SSN monitoring 

2. Reviewing bank statements and credit card activity for suspicious transactions 

3. Requesting credit freezes or fraud alerts from financial institutions 

4. Using data removal tools to reduce digital exposure Installing reputable antivirus software to fend off phishing or malware threats 

5. Enabling two-factor authentication on all financial and sensitive accounts 

A Warning for the Financial Sector 

This breach is part of a growing pattern in which ransomware groups are aggressively targeting organisations that store large volumes of sensitive consumer data — particularly in tax, legal, and healthcare sectors. Experts point out that financial firms, especially those involved in tax resolution, remain prime targets due to their often under-resourced cybersecurity infrastructure.

As investigations continue, pressure is mounting on Optima Tax Relief to disclose the extent of the damage and take accountability for customer safety moving forward.
Read more »
Ransomwares
Data Breach Data Privacy data security Data Theft Healthcare Data healthcare data breach Healthcare Industry Personal Information Ransomware attack Ransomwares

Horizon Healthcare RCM Reports Ransomware Breach Impacting Patient Data

 

Horizon Healthcare RCM has confirmed it was the target of a ransomware attack involving the theft of sensitive health information, making it the latest revenue cycle management (RCM) vendor to report such a breach. Based on the company’s breach disclosure, it appears a ransom may have been paid to prevent the public release of stolen data. 

In a report filed with Maine’s Attorney General on June 27, Horizon disclosed that six state residents were impacted but did not provide a total number of affected individuals. As of Monday, the U.S. Department of Health and Human Services’ Office for Civil Rights had not yet listed the incident on its breach portal, which logs healthcare data breaches affecting 500 or more people.  

However, the scope of the incident may be broader. It remains unclear whether Horizon is notifying patients directly on behalf of these clients or whether each will report the breach independently. 

In a public notice, Horizon explained that the breach was first detected on December 27, 2024, when ransomware locked access to some files. While systems were later restored, the company determined that certain data had also been copied without permission. 

Horizon noted that it “arranged for the responsible party to delete the copied data,” indicating a likely ransom negotiation. Notices are being sent to affected individuals where possible. The compromised data varies, but most records included a Horizon internal number, patient ID, or insurance claims data. 

In some cases, more sensitive details were exposed, such as Social Security numbers, driver’s license or passport numbers, payment card details, or financial account information. Despite the breach, Horizon stated that there have been no confirmed cases of identity theft linked to the incident. 

The matter has been reported to federal law enforcement. Multiple law firms have since announced investigations into the breach, raising the possibility of class-action litigation. This incident follows several high-profile breaches involving other RCM firms in recent months. 

In May, Nebraska-based ALN Medical Management updated a previously filed breach report, raising the number of affected individuals from 501 to over 1.3 million. Similarly, Gryphon Healthcare disclosed in October 2024 that nearly 400,000 people were impacted by a separate attack. 

Most recently, California-based Episource LLC revealed in June that a ransomware incident in February exposed the health information of roughly 5.42 million individuals. That event now ranks as the second-largest healthcare breach in the U.S. so far in 2025. Experts say that RCM vendors continue to be lucrative targets for cybercriminals due to their access to vast stores of healthcare data and their central role in financial operations. 

Bob Maley, Chief Security Officer at Black Kite, noted that targeting these firms offers hackers outsized rewards. “Hitting one RCM provider can affect dozens of healthcare facilities, exposing massive amounts of data and disrupting financial workflows all at once,” he said.  
Maley warned that many of these firms are still operating under outdated cybersecurity models. “They’re stuck in a compliance mindset, treating risk in vague terms. But boards want to know the real-world financial impact,” he said. 

He also emphasized the importance of supply chain transparency. “These vendors play a crucial role for hospitals, but how well do they know their own vendors? Relying on outdated assessments leaves them blind to emerging threats.” 

Maley concluded that until RCM providers prioritize cybersecurity as a business imperative—not just an IT issue—the industry will remain vulnerable to repeating breaches.
Read more »
Mozilla Firefox
Crypto Wallets cryptocurrency cryptocurrency wallet Cyber Fraud Data Theft Extensions Fake Extension Firefox Firefox Hacks Firefox Security Mozilla Firefox

Fake Firefox Extensions Mimic Crypto Wallets to Steal Seed Phrases

 

Over 40 deceptive browser extensions available on Mozilla Firefox’s official add-ons platform are posing as trusted cryptocurrency wallets to steal user data, according to security researchers. These malicious add-ons are camouflaged as popular wallet brands such as MetaMask, Coinbase, Trust Wallet, Phantom, Exodus, MyMonero, OKX, and Keplr. 

Behind their familiar logos and fake five-star reviews lies code designed to exfiltrate wallet credentials and seed phrases to servers controlled by attackers. Cybersecurity firm Koi Security, which discovered this threat campaign, suspects a Russian-speaking hacking group is responsible. In a report shared with BleepingComputer, the firm revealed that the fraudulent extensions were modified versions of legitimate open-source wallets, altered to include stealthy monitoring code. 

These extensions monitor browser input for strings that resemble wallet keys or recovery phrases — often identified by their length and character patterns. Once such sensitive input is detected, the information is covertly sent to attackers. To avoid suspicion, the extensions suppress error messages or alerts by rendering them invisible. The most critical data targeted are seed phrases — multi-word recovery codes that serve as master keys for crypto wallets. Anyone with access to a seed phrase can irreversibly drain all assets from a user’s wallet. 

The campaign has reportedly been active since at least April 2025, and new malicious add-ons continue to appear. Some were added as recently as last week. Despite Mozilla’s efforts to flag and remove such add-ons, Koi Security noted that many remained live even after being reported through official channels. The fake extensions often feature hundreds of fraudulent five-star reviews to build trust, although some also have one-star ratings from victims warning of theft. 

In many cases, the number of reviews far exceeds the number of downloads — a red flag missed by unsuspecting users. Mozilla responded by confirming that it is aware of ongoing threats targeting its add-ons ecosystem and has already removed many malicious listings. The organization has implemented a detection system that uses automated tools to flag suspicious behavior, followed by manual review when necessary.

In a statement to BleepingComputer, Mozilla emphasized its commitment to user safety and stated that additional measures are being taken to improve its defense mechanisms. As fake wallet extensions continue to circulate, users are urged to verify the authenticity of browser add-ons, rely on official websites for downloads, and avoid entering recovery phrases into any untrusted source.
Read more »
Mobile Virus
Android Antivirus Apps Antivirus Detection data security Data Theft Identity Theft iPhone Mobile Malwares Mobile Security Mobile Virus

Signs Your Phone Has a Virus and How to Remove It Safely

 

In today’s world, our phones are more than just communication devices — they’re essential for work, banking, shopping, and staying connected. That makes it all the more alarming when a device begins to behave strangely. 

One possible cause? A virus. Mobile malware can sneak into your phone through suspicious links, shady apps, or compromised websites, and can create problems ranging from poor performance to data theft and financial loss. There are several red flags that suggest your phone might be infected. A rapidly draining battery could mean malicious software is operating in the background. Overheating, sluggish performance, frequent app crashes, or screen freezes may also be signs of trouble. You might notice strange new apps that you don’t remember installing or unexpected spikes in mobile data usage. 
In some cases, your contacts could receive strange messages from you, or you might find purchases on your accounts that you never made. If your phone shows any of these symptoms, quick action is essential. 

The first step is to scan your device using a trusted antivirus app to locate and remove threats. Check your device for unfamiliar apps and uninstall anything suspicious. You should also notify your contacts that your device may have been compromised to prevent the spread of malware through messaging apps. Updating your passwords should be your next priority. Make sure each password is strong, unique, and ideally protected with two-factor authentication. After that, review your online accounts and connected devices for signs of unauthorized activity. Remove unknown devices from your phone account settings and confirm your personal and security information hasn’t been altered. 

Depending on your phone’s operating system, the process of virus removal can vary slightly. iPhone users can try updating to the latest iOS version and removing suspicious apps. If the problem persists, a factory reset might be necessary, though it will erase all stored data unless a backup is available. While iPhones don’t include a built-in virus scanner, some reliable third-party tools can help detect infections. For Android users, antivirus apps often offer both detection and removal features. Rebooting the device in safe mode can temporarily disable harmful third-party apps and make removal easier. Clearing the browser cache and cookies is another useful step to eliminate web-based threats. 

If all else fails, a factory reset can clear everything, but users should back up their data beforehand. Preventing future infections comes down to a few key practices. Always download apps from official stores, keep your operating system and apps updated, and limit app permissions. Avoid clicking on links from unknown sources, and monitor your phone’s performance regularly for anything out of the ordinary. 

Whether you use Android or iPhone, dealing with a virus can be stressful — but with the right steps, it’s usually possible to remove the threat and get your phone back to normal. By staying alert and adopting good digital hygiene, you can also reduce your chances of being targeted again in the future.
Read more »
Stolen Credentials
Cyber Crime Data Theft Infostealer Russian Market Stolen Credentials

Russian Market Sells Millions of Stolen Credentials

 

The "Russian Market" cybercrime marketplace has developed as one of the most popular places for purchasing and selling credentials stolen by info stealer malware. Although the marketplace has been functioning for almost six years and has grown in popularity by 2022, ReliaQuest believes that the Russian market has lately reached new heights.

Part of this spike in popularity can be attributed to the Genesis Market's demise, which left a significant gap in the market. Although the bulk (85%) of credentials provided on the Russian Market are "recycled" from existing sources, it has attracted enormous cybercrime audiences due to its diverse range of commodities for sale and the availability of logs for as little as $2. 

An infostealer log is typically a text file (or numerous files) written by infostealer malware that contains account passwords, session cookies, credit card data, cryptocurrency wallet data, and system profiling data obtained from an infected device. 

Each log includes dozens or even thousands of credentials, bringing the total amount of stolen credentials to hundreds of millions or more. Once captured, the logs are sent to an attacker's server, where they are stored for future nefarious action or sold on marketplaces such as Russian Market. 

Infostealers have become a common tactic for attackers, with numerous campaigns now aimed at the enterprise to steal session cookies and corporate credentials. According to ReliaQuest, this is evident in the Russian market, where 61% of stolen logs include SaaS credentials from platforms such as Google Workspace, Zoom, and Salesforce. Additionally, 77% of the logs had SSO (Single Sign-On) credentials.

Lumma stumbles, Acreed rises

ReliaQuest analysed over 1.6 million posts on the Russian market to chart the growth and decrease in popularity of specific info theft malware. Until recently, Lumma stole the majority of logs, accounting for 92% of all credentials sold on the Russian market. 

Lumma ruled the market when Raccoon Stealer collapsed due to law enforcement action. Lumma may face the same fate, as its operations were recently stopped by a global law enforcement operation that resulted in the seizure of 2,300 domain names.

The long-term outcomes of this operation are unknown, but Check Point said that Lumma's creators are already working to rebuild and resume their cybercrime operations. 

Meanwhile, ReliaQuests reports a significant spike in popularity of a new infostealer named Acreed, which is quickly gaining traction following Lumma's elimination. Acreed's rapid rise in the Russian market is evidenced by the over 4,000 logs submitted in its first week of operation, according to Webz. 

Acreed is similar to a conventional info-stealer in that it targets data stored in Chrome, Firefox, and their derivatives, such as passwords, cookies, cryptocurrency wallets, and credit card information. 

Phishing emails, "ClickFix" attacks, premium software malvertising, and YouTube or TikTok videos are all used by info-stealers to infect consumers. To avoid this broad risk, it is recommended that you be vigilant and use good software download habits.
Read more »
tata company
cyber attack Cyber Attacks Data Theft M&S tata company

TCS Investigates Possible Link to M&S Cyberattack

 

Tata Consultancy Services (TCS), a leading Indian IT services firm under the Tata Group umbrella, is reportedly investigating whether its systems played any role in the recent ransomware attack that disrupted operations at British retail giant Marks & Spencer (M&S). 

The cyberattack, which occurred in late April 2025, was initially described by M&S as a “cyber incident.” However, subsequent reports confirmed it to be a ransomware assault that severely affected both in-store and online operations. Key services such as contactless payments and Click and Collect were disabled, while online orders came to a standstill. 

Several internal systems were reportedly taken offline as a containment measure. The prolonged disruption, lasting several weeks, had a significant impact on M&S’s business. The company’s market capitalization is estimated to have dropped by £1 billion, and there are allegations that customer data may have been compromised in the breach. 

As M&S continues recovery efforts, TCS is conducting a thorough internal investigation to determine whether any part of its infrastructure might have been involved in the incident. TCS has long been a key technology partner for M&S, which adds urgency to the ongoing review. The attack has once again brought cybersecurity solutions into focus. 

Platforms like Keeper Security, known for their zero-knowledge encryption-based password managers and digital vaults, are gaining traction. Keeper offers features such as two-factor authentication, secure file storage, dark web monitoring, and real-time breach alerts—tools that are increasingly vital in defending against sophisticated cyber threats like ransomware. 
Read more »
Ransom
Coinbase Crypto Crypto Wallet cryptocurrency Cyber Security Data Theft Extortion Ransom

$400Million Coinbase Breach Linked to Customer Data Leak from India


Coinbase data breach linked to India

A Reuters investigation revealed that cryptocurrency exchange Coinbase knew in January about a breach affecting outsourced customer support agents in India. Six people who knew about the incident said Coinbase was aware of sensitive user data compromise through its contractor, TaskUs, before it was officially announced in May. 

On 14th May, TaskUs filed an SEC document revealing that an India-based TaskUs employee was found taking pictures of a computer screen with her phone. Five former TaskUs employees confirmed that the worker and one accomplice were bribed by threat actors to get Coinbase user data.

The breach cost $400 million

After this information, more than 200 TaskUs employees were fired in a mass layoff from the Indore center, which drew media attention in India. Earlier, Coinbase suspected ‘overseas support agents’ but now the breach is estimated to cost 400 million dollars.

Coinbase had been a long-term partner of TaskUs, a Texas-based outsourcing firm, cost-cutting labor by giving customer support work to offshore teams. After 2017, TaskUs agents, mostly from developing countries, handled Coinbase customer inquiries. 

In the May SEC filing, Coinbase said it didn’t know about the full scale of the breach until it received an extortion demand of $20 Million on 11th May. As a cautionary measure, Coinbase cut ties with TaskUs employees and other unknown foreign actors. Coinbase has notified regulators, compensated affected users, and taken strict measures to strengthen security. 

In a public statement, TaskUs confirmed it had fired two staff (unnamed) for data theft but didn’t mention Coinbase. The company found the two staff involved in a cyber attack campaign that targeted other service providers linked to the client. 

Hackers use social engineering tactic

Hackers did not breach the Coinbase crypto wallets directly, they cleverly used the stolen information to impersonate the Coinbase employees in a series of social engineering scams. The hackers posed as support agents, fooling victims into transferring their crypto assets. 

According to Money Control, “The person familiar with the matter confirmed that Coinbase was the client and that the incident took place in January. Reuters could not determine whether any arrests have been made. Police in Indore did not return a message seeking comment.”

Read more »
Postal Service
Amazon Brushing Scam customer privacy Cyber Fraud cyber threat Data Fraud data security Data Theft Postal Service

Brushing Scam Targets Amazon Customers with Unsolicited Packages and Hidden Cyber Threats

 

Ray Simmons was confused when he received an unexpected Amazon package containing beet chews. Initially, he thought it might be a joke from someone encouraging him to eat healthier. However, it turned out to be part of a broader scam known as “brushing,” where consumers receive unsolicited deliveries from online sellers attempting to manipulate product ratings and reviews. 

Brushing scams involve third-party sellers who send low-value goods to individuals whose names and addresses are often scraped from publicly available online sources. After the product is delivered, scammers use the recipient’s identity or create a fake account that resembles the recipient to leave positive reviews. These fake reviews can artificially boost a product’s credibility, helping it rank higher in search results and increasing sales. 

While receiving a free item might seem harmless, the scam carries hidden dangers. The U.S. Postal Inspection Service (USPIS) warns that these incidents indicate misuse of personal information. Even more concerning is the potential for packages to include QR codes, which might direct recipients to malicious websites. Scanning such codes can result in the installation of malware or the theft of personal data. 

The scam is a reminder that personal data is often accessible and can be exploited without a consumer’s knowledge. USPIS stresses the importance of not interacting with suspicious elements included in unsolicited packages. Inspector David Gealey noted that even though these items may appear insignificant, they are a signal that someone has unauthorized access to your personal information. 

Fortunately, the package Simmons received did not include a QR code. Nonetheless, he took immediate action by checking his Amazon and banking accounts for any signs of unauthorized access. This kind of vigilance is exactly what USPIS recommends for anyone in a similar situation. 

Authorities advise that recipients of such packages should not scan any QR codes or click on any related links. They also emphasize that there is no obligation to return unsolicited items. Instead, consumers should monitor their financial and e-commerce accounts for any suspicious activity and report the incident to local law enforcement, USPIS, or the Federal Trade Commission.  

Though brushing scams may appear to be minor nuisances, they reflect deeper issues related to data privacy and cyber fraud. Staying informed and cautious can help consumers protect themselves from further harm and support efforts to hold malicious actors accountable.
Read more »
Sensitive data
Cloud Security Cyber Attacks Data Theft Employee Training enterprise cybersecurity fake ads Malicious Ads ransomware attacks Ransomwares Sensitive data

Employee Monitoring Tool Kickidler Targeted in Ransomware Attacks

 

Cybersecurity researchers have discovered that cybercriminals are misusing a legitimate employee monitoring tool called Kickidler to execute targeted ransomware attacks. Originally developed to help businesses track productivity and ensure compliance, Kickidler offers features like real-time screen monitoring, keystroke logging, and activity tracking—functionalities that have now become attractive tools for threat actors. Security firms Varonis and Synacktiv have reported observing these attacks actively taking place. 

The attack campaign begins with malicious advertisements placed on the Google Ads network. These ads are cleverly designed to trick users searching for a legitimate utility called RVTools—a free Windows application used to connect to VMware vCenter or ESXi environments. Victims are lured into downloading a trojanized version of RVTools, which secretly installs a backdoor named SMOKEDHAM. Once SMOKEDHAM gains access to the system, attackers use it to deploy Kickidler, with a focus on targeting enterprise administrators. 

By infiltrating admin machines, the attackers can monitor keystrokes and capture sensitive data, such as credentials for off-site backups or cloud platforms. This method allows them to bypass more secure authentication systems that are often separated from Windows domains, a common defense strategy in many organizations. According to the researchers, the ransomware groups Qilin and Hunters International have been leveraging this approach to expand their reach within enterprise networks. 

These groups appear to be focusing on cloud backup systems and VMware ESXi infrastructure. Hunters International, in particular, was observed using VMware PowerCLI and WinSCP Automation tools to enable SSH access, deploy ransomware, and execute it on ESXi servers. Their payloads encrypted VMDK virtual hard disks, disrupting operations and access to virtual environments. 

One of the most concerning aspects of this campaign is how stealthily it operates. By capturing data directly from administrators’ screens and inputs, the attackers avoid using higher-risk tactics like memory dumps or privilege escalation, which are more likely to be flagged by security systems. The misuse of Kickidler demonstrates a growing trend of cybercriminals weaponizing legitimate enterprise tools to bypass traditional defenses and maintain stealth within targeted networks. 

These attacks highlight the need for increased vigilance around software downloads, especially from third-party sources, and reinforce the importance of strong endpoint protection, regular software audits, and employee awareness training. 

As cyberattacks grow more sophisticated, defenders must adapt by tightening controls, decoupling critical system access from everyday credentials, and monitoring for unusual activity—even from tools considered safe.
Read more »
Sensitive Information
Customer Data Cyber Attacks Data Leak Data protection data security Data Theft Employee Data Identity Theft Prevention Radio Station Sensitive Information

iHeartMedia Cyberattack Exposes Sensitive Data Across Multiple Radio Stations

 

iHeartMedia, the largest audio media company in the United States, has confirmed a significant data breach following a cyberattack on several of its local radio stations. In official breach notifications sent to affected individuals and state attorney general offices in Maine, Massachusetts, and California, the company disclosed that cybercriminals accessed sensitive customer information between December 24 and December 27, 2024. Although iHeartMedia did not specify how many individuals were affected, the breach appears to have involved data stored on systems at a “small number” of stations. 

The exact number of compromised stations remains undisclosed. With a network of 870 radio stations and a reported monthly audience of 250 million listeners, the potential scope of this breach is concerning. According to the breach notification letters, the attackers “viewed and obtained” various types of personal information. The compromised data includes full names, passport numbers, other government-issued identification numbers, dates of birth, financial account information, payment card data, and even health and health insurance records. 

Such a comprehensive data set makes the victims vulnerable to a wide array of cybercrimes, from identity theft to financial fraud. The combination of personal identifiers and health or insurance details increases the likelihood of victims being targeted by tailored phishing campaigns. With access to passport numbers and financial records, cybercriminals can attempt identity theft or engage in unauthorized transactions and wire fraud. As of now, the stolen data has not surfaced on dark web marketplaces, but the risk remains high. 

No cybercrime group has claimed responsibility for the breach as of yet. However, the level of detail and sensitivity in the data accessed suggests the attackers had a specific objective and targeted the breach with precision. 

In response, iHeartMedia is offering one year of complimentary identity theft protection services to impacted individuals. The company has also established a dedicated hotline for those seeking assistance or more information. While these actions are intended to mitigate potential fallout, they may offer limited relief given the nature of the exposed information. 

This incident underscores the increasing frequency and severity of cyberattacks on media organizations and the urgent need for enhanced cybersecurity protocols. For iHeartMedia, transparency and timely support for affected customers will be key in managing the aftermath of this breach. 

As investigations continue, more details may emerge regarding the extent of the compromise and the identity of those behind the attack.
Read more »
Sensitive data
Cyber Attacks Data Leak data security Data Theft Hacker attack Indian Cyber Security Pakistan Hacker Personal Data Sensitive data

Pakistan-Based Hackers Launch Cyber Attack on Indian Defence Websites, Claim Access to Sensitive Data

 

In a concerning escalation of cyber hostilities, a Pakistan-based threat group known as the Pakistan Cyber Force launched a coordinated cyber offensive on multiple Indian defence-related websites on Monday. The group claimed responsibility for defacing the official site of a Ministry of Defence public sector undertaking (PSU) and asserted that it had gained unauthorized access to sensitive information belonging to Indian defence personnel. According to reports, the targeted websites included those of the Military Engineering Service (MES) and the Manohar Parrikar Institute of Defence Studies and Analyses (MP-IDSA), both critical components in India’s defence research and infrastructure network. 

The group’s social media posts alleged that it had exfiltrated login credentials and personal data associated with defence personnel. One particularly alarming development was the defacement of the official website of Armoured Vehicle Nigam Limited (AVNL), a key PSU under the Ministry of Defence. The hackers replaced the homepage with the Pakistani flag and an image of the Al Khalid tank, a symbol of Pakistan’s military capabilities. A message reportedly posted on social platform X read, “Hacked. Your security is illusion. MES data owned,” followed by a list of names allegedly linked to Indian defence staff. 

Sources quoted by ANI indicated that there is a credible concern that personal data of military personnel may have been compromised during the breach. In response, authorities promptly took the AVNL website offline to prevent further exploitation and launched a full-scale forensic audit to assess the scope of the intrusion and restore digital integrity. Cybersecurity experts are currently monitoring for further signs of intrusion, especially in light of repeated cyber threats and defacement attempts linked to Pakistani-sponsored groups. 

The ongoing tensions between the two countries have only heightened the frequency and severity of such state-aligned cyber operations. This latest attack follows a pattern of provocative cyber incidents, with Pakistani hacker groups increasingly targeting sensitive Indian assets in attempts to undermine national security and sow discord. Intelligence sources are treating the incident as part of a broader information warfare campaign and have emphasized the need for heightened vigilance and improved cyber defense strategies. 

Authorities continue to investigate the breach while urging government departments and defense agencies to reinforce their cybersecurity posture amid rising digital threats in the region.
Read more »
Ransomwares
Cyber Attacks data security Data Theft Hacker attack Pharmaceutical Firms Ransom Demand Ransomware attack Ransomwares

Pune-Based Biopharma Company Hit by Ransomware Attack, Hackers Demand $80,000

 

A multinational biopharmaceutical company based in Pune has fallen victim to a sophisticated ransomware attack, with cybercriminals encrypting vital data and demanding $80,000 (over Rs 68 lakh) for its release. The attackers have also threatened to leak the stolen proprietary data on the dark web if the ransom is not paid, according to local police authorities. 

The incident came to light when a senior executive from the company’s Pune office lodged a complaint at the Cyber Crime Police Station of Pimpri Chinchwad on Monday evening. The attack was first identified on Sunday afternoon, prompting immediate concern due to the sensitivity of the data involved. According to initial investigations by cybercrime officials, the breach is believed to have occurred through a compromised endpoint device—most likely via a phishing email containing a malicious link. 

Once the attackers gained access to the internal network, they deployed ransomware to the company’s main server and extended it to more than a dozen connected servers. Sensitive data, including proprietary pharmaceutical formulations, manufacturing protocols, and confidential business documents, was then encrypted and locked. 

“A preliminary probe suggests that vulnerabilities in the company’s cybersecurity setup allowed the attackers to infiltrate its systems,” an officer from the Cyber Police Station said. “Unfortunately, a significant portion of the critical data was not backed up offline, leaving the organization exposed to potential data loss if the ransom is not paid.” The hackers have made it clear that if their ransom demand of $80,000 is not met, the stolen data will be sold on the dark web. 

So far, the company has not paid the ransom, and authorities are currently analyzing IP logs and other digital evidence to trace the origin of the attack. Cybercrime investigators have urged all businesses to strengthen their cybersecurity measures, including regularly backing up data offline, updating firewall configurations, and educating employees about phishing threats. “This incident is a wake-up call for organizations to prioritize robust digital security,” the officer added.  

Deputy Commissioner of Police (Crime) Sandeep Doiphode emphasized the growing need for enterprises to invest in both technology and skilled cybersecurity personnel. “This case underlines the urgent necessity for companies to stay ahead of evolving threats through both infrastructure and human resource development,” he said. Police also noted that ransomware attacks typically use phishing emails and exploit weak security protocols. Payments are often demanded in cryptocurrency, making the attackers harder to trace. 

The investigation remains ongoing.
Read more »
Subscribe to: Posts (Atom)