Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Data Theft. Show all posts
Ransomware attack
Data Breach Data Theft DCS J Group Ransomware attack

Ransomware Gang Claims Boeing, Samsung Supplier Breach in 11GB Data Theft

 

A ransomware group named J GROUP claims to have breached Dimensional Control Systems (DCS), stealing 11GB of sensitive data, including proprietary software architecture, client metadata, and internal security procedures. 

DCS, a Michigan-based provider of dimensional engineering software, serves major clients such as Boeing, Samsung, Siemens, and Volkswagen across aerospace, automotive, and electronics sectors.

Alleged data exposure

J GROUP published sample files on its leak site to substantiate the attack, comprising a text file and a compressed folder containing documents with employee names and expense reports. Cybernews researchers analyzed the samples but could not verify their authenticity, cautioning that cybercriminals often reuse data from past breaches to falsely support new extortion claims.

Company response and risks

As of the report, DCS has neither confirmed nor denied the breach, maintaining public silence. Local media outlets in Michigan contacted the company for comment but received no response. 

If the breach is confirmed, it could lead to severe consequences, including intellectual property theft, supply chain vulnerabilities, exposure of client data, and regulatory repercussions. The incident may also damage DCS’s reputation, eroding client trust and questioning its technical and security reliability.

Rising threat 

This incident aligns with a growing trend of ransomware attacks targeting third-party vendors to access high-value industrial clients. Previous attacks on firms like Nissan and Dell highlight similar tactics, where threat actors exploit service providers to infiltrate larger organizations. 

The alleged breach underscores the need for stringent cybersecurity measures across extended supply chains, particularly in manufacturing and engineering sectors reliant on specialized software. 

Organizations are urged to audit vendor security protocols and enhance monitoring for early threat detection. The situation remains ongoing, with no official statement from DCS as of publication.
Read more »
harrods
cyber attack cyberattack news Data Breach Data Theft harrods

Harrods Confirms Data Breach Exposing 430,000 Customer Records

 

Luxury retailer Harrods has confirmed a new data breach that exposed the personal details of around 430,000 e-commerce customers after hackers compromised one of its third-party suppliers. 

The company clarified that this incident is separate from the cyberattack it faced in May, which was attributed to the hacker group Scattered Spider. 

In a statement to publications, Harrods said it informed affected customers on Friday that their personal details, including names and contact information, were accessed following a breach at a third-party provider. 

The retailer did not disclose the name of the compromised vendor but said it has taken immediate steps to contain the situation and alert authorities. The company reassured customers that the leaked data does not include passwords, payment details, or purchase histories. 

However, some customer records contained internal tags and marketing labels used by Harrods for service management. These labels may reference customer tier levels or affiliations with Harrods’ co-branded credit cards, though the company said such information would be difficult for unauthorised parties to interpret accurately. 

Cybersecurity experts have linked the breach to a wider supply chain attack that affected multiple companies globally over the summer. The incident, believed to involve the Salesloft platform, saw hackers use stolen OAuth tokens to access Salesforce systems and extract customer data. 

Harrods also confirmed that the threat actor behind the latest breach had reached out to the company directly, apparently seeking extortion. 

The retailer stated it would not engage in any communication or negotiation with the attacker. Authorities and cybersecurity professionals have been notified, and Harrods said it continues to work closely with them to ensure customer protection and prevent future incidents. 

The company has also advised customers to remain alert to phishing attempts and avoid clicking on links or sharing information with unknown sources. 

Despite the breach, Harrods’ online services remain operational. The company said it remains committed to maintaining the trust of its customers and strengthening its digital security systems to safeguard sensitive information.
Read more »
Red Hat
Cyberattacks Data Breach Data Theft Red Hat

Red Hat Confirms Breach of GitLab Instance Linked to Consulting Team

 

Red Hat has acknowledged a cybersecurity incident involving one of its GitLab instances after a hacker group calling itself Crimson Collective claimed to have stolen a significant amount of company data. 

The enterprise software provider clarified that the breach did not affect its GitHub repositories, as initially reported, but rather a GitLab instance used internally by its Consulting division. 

According to the attackers, they obtained around 570 GB of compressed data from roughly 28,000 private repositories, which allegedly contained source code, credentials, configuration files, and customer engagement reports (CERs). 

The group also asserted that the stolen information gave them access to customer systems. Reports indicate that the hackers attempted to extort Red Hat, but the company did not comply. 

Sources told International Cyber Digest that Red Hat had minimal contact with the threat actors and refused to meet their demands. A separate analysis by SOCRadar suggested that data from as many as 800 Red Hat customers could have been exposed. 

The list of potentially affected entities reportedly includes large corporations such as IBM, Siemens, Verizon, and Bosch, as well as several U.S. government bodies, including the Department of Energy, NIST, and the NSA. 

In a blog post addressing the incident, Red Hat explained that the compromised GitLab system was used mainly for collaborative consulting work and contained materials such as sample code, project details, and internal communications. 

The company emphasised that the instance does not usually store personal or highly confidential information and that no evidence of sensitive data exposure has been found so far. 

“At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain,” Red Hat said in a statement shared with SecurityWeek. 

While Red Hat has not directly addressed claims that customer infrastructure was accessed, cybersecurity experts note that ransomware and extortion groups often exaggerate such assertions to increase pressure on victims. 

The company has confirmed that an internal investigation is ongoing to assess the full extent of the breach and strengthen its systems against future threats.
Read more »
State-Sponsored Espionage
AI Misuse Cybersecurity Data Theft Deepfake Attacks Generative AI Kimsuky malware North Korean Hackers Phishing Campaigns State-Sponsored Espionage

North Korean Threat Actors Leverage ChatGPT in Deepfake Identity Scheme


North Korean hackers Kimsuky are using ChatGPT to create convincing deepfake South Korean military identification cards in a troubling instance of how artificial intelligence can be weaponised in state-backed cyber warfare, indicating that artificial intelligence is becoming increasingly useful in cyber warfare. 

As part of their cyber-espionage campaign, the group used falsified documents embedded in phishing emails targeting defence institutions and individuals, adding an additional layer of credibility to their espionage activities. 

A series of attacks aimed at deceiving recipients, delivering malicious software, and exfiltrating sensitive data were made more effective by the use of AI-generated IDs. Security monitors have categorised this incident as an AI-related hazard, indicating that by using ChatGPT for the wrong purpose, the breach of confidential information and the violation of personal rights directly caused harm. 

Using generative AI is becoming increasingly common in sophisticated state-sponsored operations. The case highlights the growing concerns about the use of generative AI in sophisticated operations. As a result of the combination of deepfake technology and phishing tactics, these attacks are harder to detect and much more damaging. 

Palo Alto Networks' Unit 42 has observed a disturbing increase in the use of real-time deepfakes for job interviews, in which candidates disguise their true identities from potential employers using this technology. In their view, the deepfake tactic is alarmingly accessible because it can be done in a matter of hours, with just minimal technical know-how, and with inexpensive consumer-grade hardware, so it is alarmingly accessible and easy to implement. 

The investigation was prompted by a report that was published in the Pragmatic Engineer newsletter that described how two fake applicants who were almost hired by a Polish artificial intelligence company raised suspicions that the candidates were being controlled by the same individual as deepfake personas. 

As a result of Unit 42’s analysis, these practices represent a logical progression from a long-standing North Korean cyber threat scheme, one in which North Korean IT operatives attempt to infiltrate organisations under false pretences, a strategy well documented in previous cyber threat reports. 

It has been repeatedly alleged that the hacking group known as Kimsuky, which operated under the direction of the North Korean state, was involved in espionage operations against South Korean targets for many years. In a 2020 advisory issued by the U.S. Department of Homeland Security, it was suggested that this group might be responsible for obtaining global intelligence on Pyongyang's behalf. 

Recent research from a South Korean security firm called Genians illustrates how artificial intelligence is increasingly augmented into such operations. There was a report published in July about North Korean actors manipulating ChatGPT to create fake ID cards, while further experiments revealed that simple prompt adjustments could be made to override the platform's built-in limitations by North Korean actors. 

 It follows a pattern that a lot of people have experienced in the past: Anthropic disclosed in August that its Claude Code software was misused by North Korean operatives to create sophisticated fake personas, pass coding assessments, and secure remote positions at multinational companies. 

In February, OpenAI confirmed that it had suspended accounts tied to North Korea for generating fraudulent resumes, cover letters, and social media content intended to assist with recruitment efforts. These activities, according to Genians director Mun Chong-hyun, highlight the growing role AI has in the development and execution of cyber operations at many stages, from the creation of attack scenarios, the development of malware, as well as the impersonation of recruiters and targets. 

A phishing campaign impersonating an official South Korean military account (.mil.kr) has been launched in an attempt to compromise journalists, researchers, and human rights activists within this latest campaign. To date, it has been unclear how extensive the breach was or to what extent the hackers prevented it. 

Officially, the United States assert that such cyber activities are a part of a larger North Korea strategy, along with cryptocurrency theft and IT contracting schemes, that seeks to provide intelligence as well as generate revenue to circumvent sanctions and fund the nuclear weapons program of the country. 

According to Washington and its allies, Kimsuky, also known as APT43, a North Korean state-backed cyber unit that is suspected of being responsible for the July campaign, was already sanctioned by Washington and its allies for its role in promoting Pyongyang's foreign policy and sanction evasion. 

It was reported by researchers at South Korean cybersecurity firm Genians that the group used ChatGPT to create samples of government and military identification cards, which they then incorporated into phishing emails disguised as official correspondence from a South Korean defense agency that managed ID services, which was then used as phishing emails. 

Besides delivering a fraudulent ID card with these messages, they also delivered malware designed to steal data as well as allow remote access to compromised systems. It has been confirmed by data analysis that these counterfeit IDs were created using ChatGPT, despite the tool's safeguards against replicating government documents, indicating that the attackers misinterpreted the prompts by presenting them as mock-up designs. 

There is no doubt that Kimsuky has introduced deepfake technology into its operations in such a way that this is a clear indication that this is a significant step toward making convincing forgeries easier by using generative AI, which significantly lowers the barrier to creating them. 

It is known that Kimsuky has been active since at least 2012, with a focus on government officials, academics, think tanks, journalists, and activists in South Korea, Japan, the United States, Europe, and Russia, as well as those affected by North Korea's policy and human rights issues. 

As research has shown, the regime is highly reliant on artificial intelligence to create fake summaries and online personas. This enables North Korean IT operatives to secure overseas employment as well as perform technical tasks once they are embedded. There is no doubt that such operatives are using a variety of deceptive practices to obscure their origins and evade detection, including artificial intelligence-powered identity fabrication and collaboration with foreign intermediaries. 

The South Korean foreign ministry has endorsed that claim. It is becoming more and more evident that generative AI is increasingly being used in cyber-espionage, which poses a major challenge for global cybersecurity frameworks: assisting citizens in identifying and protecting themselves against threats not solely based on technical sophistication but based on trust. 

Although platforms like ChatGPT and other large language models may have guardrails in place to protect them from attacks, experts warn that adversaries will continue to seek out weaknesses in the systems and adapt their tactics through prompt manipulation, social engineering, and deepfake augmentation in an effort to defeat the system. 

Kimsuky is an excellent example of how disruptive technologies such as artificial intelligence and cybercrime erode traditional detection methods, as counterfeit identities, forged credentials, and distorted personas blur the line between legitimate interaction and malicious deception, as a result of artificial intelligence and cybercrime. 

The security experts are urging the public to take action by using a multi-layered approach that combines AI-driven detection tools, robust digital identity verification, cross-border intelligence sharing, and better awareness within targeted sectors such as defence, academia, and human rights industries. 

Developing AI technologies together with governments and private enterprises will be critical to ensuring they are harnessed responsibly while minimising misuse of these technologies. It is clear from this campaign that as adversaries continue to use artificial intelligence to sharpen their attacks, defenders must adapt just as fast to maintain trust, privacy, and global security as they do against adversaries.
Read more »
Sim Cloning
Aadhaar Scam Amroha Cyber Crime Data Theft Sim Cloning

SIM Cloning and Aadhaar Data Theft Expose Massive Cyber Heist in Amroha

 

A sophisticated cyber heist in Amroha, Uttar Pradesh, has exposed critical vulnerabilities in India's Aadhaar biometric identification system, where cybercriminals successfully cloned SIM cards and stole biometric data from over 1,500 citizens across 12 states. This elaborate fraud network, operating primarily from Badaun and Amroha districts, represents one of the most significant identity theft operations uncovered in recent years.

The criminal enterprise was masterminded by Ashish Kumar, a BTech dropout, who developed sophisticated counterfeit websites that closely resembled official Aadhaar and Passport Seva portals. These fake platforms enabled the gang to input fraudulent data and generate forged documents, including passports, with access sold to a network of 200 to 300 agents spread across multiple states.

The cybercriminals employed advanced technical methods to bypass UIDAI security systems, including cloning credentials of authorized Aadhaar operators and copying sensitive biometrics like iris scans. They utilized specialized software to overcome geo-fencing restrictions that normally prevent remote access to Aadhaar portals, allowing them to upload tampered biometric data from unauthorized locations. 

A key component of their operation involved manipulating fingerprint scanners to accept silicone-molded fingerprints created from impressions collected from legitimate operators and vulnerable individuals, many from underprivileged backgrounds. These altered scanners successfully fooled the system's biometric authentication, bypassing Aadhaar's real-time security locks. 

The fraud network charged clients between ₹2,000 and ₹5,000 for illegally updating personal details such as names, birth dates, addresses, or mobile numbers on Aadhaar cards. The operation extended beyond Aadhaar manipulation to include creating fake birth certificates and ration cards to support fraudulent identity changes. 

Following stricter verification protocols introduced in December 2024, the gang adapted their tactics, using forged documents on third-party platforms to create over 20 fake passports, several of which were successfully uploaded into the UIDAI system. Investigators recovered at least 400 forged supporting documents during the investigation.

The joint cyber team, supervised by SP Sambhal Krishna Kumar Bishnoi and ASP Anukriti Sharma, arrested four key players: Ashish Kumar, Dharmender Singh, and Raunak Pal from Badaun, and Kasim Hussain from Amroha. All accused face charges under the Aadhaar Act, Information Technology Act, and Passport Act for identity theft, cheating, and unauthorized access to protected systems. 

This case highlights significant security gaps in India's digital identity infrastructure and the sophisticated methods employed by cybercriminals to exploit biometric authentication systems.
Read more »
Phishing Attack
Browser Security Browser Vulnerability Cyber Attacks cybercriminals data attacks data security Data Theft Phishing Attack

Browser-Based Attacks in 2025: Key Threats Security Teams Must Address

 

In 2025, the browser has become one of the primary battlefields for cybercriminals. Once considered a simple access point to the internet, it now serves as the main gateway for employees into critical business applications and sensitive data. This shift has drawn attackers to target browsers directly, exploiting them as the weakest link in a highly connected and decentralized work environment. With enterprises relying heavily on SaaS platforms, online collaboration tools, and cloud applications, the browser has transformed into the focal point of modern cyberattacks, and security teams must rethink their defenses to stay ahead. 

The reason attackers focus on browsers is not because of the technology itself, but because of what lies beyond them. When a user logs into a SaaS tool, an ERP system, or a customer database, the browser acts as the entryway. Incidents such as the Snowflake customer data breach and ongoing attacks against Salesforce users demonstrate that attackers no longer need to compromise entire networks; they simply exploit the session and gain direct access to enterprise assets. 

Phishing remains one of the most common browser-driven threats, but it has grown increasingly sophisticated. Attackers now rely on advanced Attacker-in-the-Middle kits that steal not only passwords but also active sessions, rendering multi-factor authentication useless. These phishing campaigns are often cloaked with obfuscation and hosted on legitimate SaaS infrastructure, making them difficult to detect. In other cases, attackers deliver malicious code through deceptive mechanisms such as ClickFix, which disguises harmful commands as verification prompts. Variants like FileFix are spreading across both Windows and macOS, frequently planting infostealer malware designed to harvest credentials and session cookies. 

Another growing risk comes from malicious OAuth integrations, where attackers trick users into approving third-party applications that secretly provide them with access to corporate systems. This method proved devastating in recent Salesforce-related breaches, where hackers bypassed strong authentication and gained long-term access to enterprise environments. Similarly, compromised or fraudulent browser extensions represent a silent but dangerous threat. These can capture login details, hijack sessions, or inject malicious scripts, as highlighted in the Cyberhaven incident in late 2024. 

File downloads remain another effective attack vector. Malware-laced documents, often hidden behind phishing portals, continue to slip past traditional defenses. Meanwhile, stolen credentials still fuel account takeovers in cases where multi-factor authentication is weak, absent, or improperly enforced. Attackers exploit these gaps using ghost logins and bypass techniques, highlighting the need for real-time browser-level monitoring. 

As attackers increasingly exploit the browser as a central point of entry, organizations must prioritize visibility and control at this layer. By strengthening browser security, enterprises can reduce identity exposure, close MFA gaps, and limit the risks of phishing, malware delivery, and unauthorized access. The browser has become the new endpoint of enterprise defense, and protecting it is no longer optional.
Read more »
Zscaler
Cybersecurity Attack Data Breach Data Theft trending news Zscaler

Zscaler Confirms Data Breach Linked to Salesloft Drift Supply-Chain Attack

 

Cybersecurity firm Zscaler has revealed it suffered a data breach after attackers exploited a compromise in Salesloft Drift, an AI-driven Salesforce integration tool. The incident is part of a larger supply-chain attack in which stolen OAuth and refresh tokens were leveraged to gain unauthorized access to Salesforce environments across multiple organizations. 

Zscaler confirmed that its Salesforce instance was one of the targets, resulting in the exposure of sensitive customer details. According to the company, the information accessed by threat actors included customer names, job titles, business email addresses, phone numbers, and geographic details. In addition, data related to Zscaler product licensing, commercial agreements, and content from certain support cases was also stolen. 

While Zscaler has not disclosed the number of affected customers, it emphasized that the breach was limited to its Salesforce system and did not compromise any of its products, services, or underlying infrastructure. 

The company stated that the unauthorized data access primarily took place between August 13 and 16, 2025, with some attempts occurring earlier. Although Zscaler has not detected any misuse of the stolen data, it has urged its customers to remain cautious of phishing emails and social engineering campaigns that could exploit the compromised information. 

In response to the incident, Zscaler has taken several steps to mitigate risks, including revoking all Salesloft Drift integrations with Salesforce, rotating API tokens across its systems, and implementing stricter customer authentication protocols when handling support requests. 

An internal investigation into the full scope of the breach is ongoing. The attack has been linked to a campaign attributed to the threat group UNC6395, which was previously flagged by Google Threat Intelligence. This group is believed to have targeted Salesforce support cases to collect highly sensitive credentials such as AWS access keys, passwords, and Snowflake tokens. 

Google researchers also noted that the attackers attempted to cover their tracks by deleting query jobs, although audit logs remained available for review. The compromise of Salesloft Drift has had wide-reaching consequences across the SaaS ecosystem, impacting companies including Google, Cisco, Workday, Adidas, Qantas, Allianz Life, and LVMH subsidiaries. 

In many of these cases, attackers used vishing tactics to trick employees into authorizing malicious OAuth applications, enabling large-scale data theft later exploited in extortion schemes. 

Both Google and Salesforce have since suspended their Drift integrations while investigations continue. Security experts warn that this incident highlights the growing risks of supply-chain attacks and the urgent need for stronger oversight of third-party integrations.
Read more »
Personal Information
Dark Web Data Breach data security Data Theft Discord Discord Users leaked sensitive data personal data security Personal Information

Nearly Two Billion Discord Messages Scraped and Sold on Dark Web Forums

 

Security experts have raised alarms after discovering that a massive collection of Discord data is being offered for sale on underground forums. According to researchers at Cybernews, who reviewed the advertisement, the archive reportedly contains close to two billion messages scraped from the platform, alongside additional sensitive information. The dataset allegedly includes 1.8 billion chat messages, records of 35 million users, 207 million voice sessions, and data from 6,000 servers, all available to anyone willing to pay. 

Discord, a platform widely used for gaming, social communities, and professional groups, enables users to connect via text, voice, and video across servers organized around different interests. Many of these servers are open to the public, meaning their content—including usernames, conversations, and community activity—can be accessed by anyone who joins. While much of this information is publicly visible, the large-scale automated scraping of data still violates Discord’s Terms of Service and could potentially breach data protection regulations such as the EU’s General Data Protection Regulation (GDPR) or California’s Consumer Privacy Act (CCPA).

The true sensitivity of the dataset remains unclear, as no full forensic analysis has been conducted. It is possible that a significant portion of the messages and voice records were collected from publicly accessible servers, which would reduce—but not eliminate—the privacy concerns. However, the act of compiling, distributing, and selling this information at scale introduces new risks, such as the misuse of user data for surveillance, targeted phishing, or identity exploitation. 

Discord has faced similar challenges before. In April 2024, a service known as Spy.Pet attempted to sell billions of archived chat logs from the platform. That operation was swiftly shut down by Discord, which banned the associated accounts and confirmed that the activity violated its rules. At the time, the company emphasized that automated scraping and self-botting were not permitted under its Terms of Service and stated it was exploring possible legal action against offenders. 

The recurrence of large-scale scraping attempts highlights the ongoing tension between the open nature of platforms like Discord and the privacy expectations of their users. While public servers are designed for accessibility and community growth, they can also be exploited by malicious actors seeking to harvest data en masse. Even if the information being sold in the latest case is largely public, the potential to cross-reference user activity across communities raises broader concerns about surveillance and abuse. 

As of now, Discord has not issued an official statement on this latest incident, but based on previous responses, it is likely the company will take steps to disrupt the sale and enforce its policies against scraping. The incident serves as another reminder that users on open platforms should remain mindful of the visibility of their activity and that service providers must continue to balance openness with strong protections against data misuse.
Read more »
Passkeys
browser extensions Browser Security Cyber Security data security Data Theft Malicious Browser Extension Passkey Security Passkeys

SquareX Warns Browser Extensions Can Steal Passkeys Despite Phishing-Resistant Security

 

The technology industry has long promoted passkeys as a safer, phishing-resistant alternative to passwords. Major firms such as Microsoft, Google, Amazon, and Meta are encouraging users to abandon traditional login methods in favor of this approach, which ties account security directly to a device. In theory, passkeys make it almost impossible for attackers to gain access without physically having an unlocked device. However, new research suggests that this system may not be as unbreakable as promised. 

Cybersecurity firm SquareX has demonstrated that browser-based attacks can undermine the integrity of passkeys. According to the research team, malicious extensions or injected scripts are capable of manipulating the passkey setup and login process. By hijacking this step, attackers can trick users into registering credentials controlled by the attacker, undermining the entire security model. SquareX argues that this development challenges the belief that passkeys cannot be stolen, calling the finding an important “wake-up call” for the security community. 

The proof-of-concept exploit works by taking advantage of the fact that browsers act as the intermediary during passkey creation and authentication. Both the user’s device and the online service must rely on the browser to transmit authentication requests accurately. If the browser environment is compromised, attackers can intercept WebAuthn calls and replace them with their own code. SquareX researchers demonstrated how a seemingly harmless extension could activate during a passkey registration process, generate a new attacker-controlled key pair, and secretly send a copy of the private key to an external server. Although the private key remains on the victim’s device, the duplicate allows the attacker to authenticate into the victim’s accounts elsewhere. 

This type of attack could also be refined to sabotage existing passkeys and force users into creating new ones, which are then stolen during setup. SquareX co-founder Vivek Ramachandran explained that although enterprises are adopting passkeys at scale, many organizations lack a full understanding of how the underlying mechanisms work. He emphasized that even the FIDO Alliance, which develops authentication standards, acknowledges that passkeys require a trusted environment to remain secure. Without ensuring that browsers are part of that trusted environment, enterprise users may remain vulnerable to identity-based attacks. 

The finding highlights a larger issue with browser extensions, which remain one of the least regulated parts of the internet ecosystem. Security professionals have long warned that extensions can be malicious from the outset or hijacked after installation, providing attackers with direct access to sensitive browser activity. Because an overwhelming majority of users rely on add-ons in Chrome, Edge, and other browsers, the potential for exploitation is significant. 

SquareX’s warning comes at a time when passkey adoption is accelerating rapidly, with estimates suggesting more than 15 billion passkeys are already in use worldwide. The company stresses that despite their benefits, passkeys are not immune to the same types of threats that have plagued passwords and authentication codes for decades. As the technology matures, both enterprises and individual users are urged to remain cautious, limit browser extensions to trusted sources, and review installed add-ons regularly to minimize exposure.
Read more »
Ransom Demands
Azure Cloud Cloud Attacks Cloud Security Cyber Security Data Theft Microsoft Microsoft Azure Ransom Demands

Microsoft Warns Storm-0501 Shifts to Cloud-Based Encryption, Data Theft, and Extortion

 

Microsoft has issued a warning about Storm-0501, a threat actor that has significantly evolved its tactics, moving away from traditional ransomware encryption on devices to targeting cloud environments for data theft, extortion, and cloud-based encryption. Instead of relying on conventional ransomware payloads, the group now abuses native cloud features to exfiltrate information, delete backups, and cripple storage systems, applying pressure on victims to pay without deploying malware in the traditional sense. 

Storm-0501 has been active since at least 2021, when it first used the Sabbath ransomware in attacks on organizations across multiple industries. Over time, it adopted ransomware-as-a-service (RaaS) tools, deploying encryptors from groups such as Hive, BlackCat (ALPHV), Hunters International, LockBit, and most recently, Embargo ransomware. In September 2024, Microsoft revealed that the group was expanding into hybrid cloud environments, compromising Active Directory and pivoting into Entra ID tenants. During those intrusions, attackers established persistence with malicious federated domains or encrypted on-premises devices with ransomware like Embargo. 

In its latest report, Microsoft highlights that Storm-0501 is now conducting attacks entirely in the cloud. Unlike conventional ransomware campaigns that spread malware across endpoints and then negotiate for decryption, the new approach leverages cloud-native tools to quickly exfiltrate large volumes of data, wipe storage backups, and encrypt files within the cloud itself. This strategy both accelerates the attack and reduces reliance on detectable malware deployment, making it more difficult for defenders to identify the threat in time. 

Recent cases show the group compromising multiple Active Directory domains and Entra tenants by exploiting weaknesses in Microsoft Defender configurations. Using stolen Directory Synchronization Accounts, Storm-0501 enumerated roles, users, and Azure resources with reconnaissance tools such as AzureHound. The attackers then identified a Global Administrator account without multifactor authentication, reset its password, and seized administrative control. With these elevated privileges, they maintained persistence by adding their own federated domains, which allowed them to impersonate users and bypass MFA entirely. 

From there, the attackers escalated further inside Azure by abusing the Microsoft.Authorization/elevateAccess/action capability, granting themselves Owner-level roles and taking complete control of the target’s cloud infrastructure. Once entrenched, they began disabling defenses and siphoning sensitive data from Azure Storage accounts. In many cases, they attempted to delete snapshots, restore points, Recovery Services vaults, and even entire storage accounts to prevent recovery. When these deletions failed, they created new Key Vaults and customer-managed keys to encrypt the data, effectively locking companies out unless a ransom was paid. 

The final stage of the attack involved contacting victims directly through Microsoft Teams accounts that had already been compromised, delivering ransom notes and threats. Microsoft warns that this shift illustrates how ransomware operations may increasingly migrate away from on-premises encryption as defenses improve, moving instead toward cloud-native extortion techniques. The report also includes guidance for detection, including Microsoft Defender XDR hunting queries, to help organizations identify the tactics used by Storm-0501.
Read more »
Open Source
Brute-force attack Credential stealing Data Breach data security Data Theft Golang Malicious Bots Open Source

Malicious Go Package Disguised as SSH Tool Steals Credentials via Telegram

 

Researchers have uncovered a malicious Go package disguised as an SSH brute-force tool that secretly collects and transmits stolen credentials to an attacker-controlled Telegram bot. The package, named golang-random-ip-ssh-bruteforce, first appeared on June 24, 2022, and was linked to a developer under the alias IllDieAnyway. Although the GitHub profile tied to this account has since been removed, the package is still accessible through Go’s official registry, raising concerns about supply chain security risks for developers who might unknowingly use it. 

The module is designed to scan random IPv4 addresses in search of SSH services operating on TCP port 22. Once it detects a running service, it attempts brute-force login using only two usernames, “root” and “admin,” combined with a list of weak and commonly used passwords. These include phrases such as “root,” “test,” “password,” “admin,” “12345678,” “1234,” “qwerty,” “webadmin,” “webmaster,” “techsupport,” “letmein,” and “Passw@rd.” If login succeeds, the malware immediately exfiltrates the target server’s IP address, username, and password through Telegram’s API to a bot called @sshZXC_bot, which forwards the stolen information to a user identified as @io_ping. Since Telegram communications are encrypted via HTTPS, the credential theft blends into ordinary web traffic, making detection much more difficult. 

The design of the tool helps it remain stealthy while maximizing efficiency. To bypass host identity checks, the module disables SSH host key verification by setting ssh.InsecureIgnoreHostKey as its callback. It continuously generates IPv4 addresses while attempting concurrent logins in an endless loop, increasing the chances of finding vulnerable servers. Interestingly, once it captures valid credentials for the first time, the malware terminates itself. This tactic minimizes its exposure, helping it avoid detection by defenders monitoring for sustained brute-force activity. 

Archival evidence suggests that the creator of this package has been active in the underground hacking community for years. Records link the developer to the release of multiple offensive tools, including an IP port scanner, an Instagram parser, and Selica-C2, a PHP-based botnet for command-and-control operations. Associated videos show tutorials on exploiting Telegram bots and launching SMS bomber attacks on Russian platforms. Analysts believe the attacker is likely of Russian origin, based on the language, platforms, and content of their activity. 

Security researchers warn that this Trojanized Go module represents a clear supply chain risk. Developers who unknowingly integrate it into their projects could unintentionally expose sensitive credentials to attackers, since the exfiltration traffic is hidden within legitimate encrypted HTTPS connections. This case underscores the growing threat of malicious open-source packages being planted in widely used ecosystems, where unsuspecting developers become conduits for large-scale credential theft.
Read more »
images
Adversarial attacks AI tools algorithms Data Breach Data Theft images

How Image Resizing Could Expose AI Systems to Attacks



Security experts have identified a new kind of cyber attack that hides instructions inside ordinary pictures. These commands do not appear in the full image but become visible only when the photo is automatically resized by artificial intelligence (AI) systems.

The attack works by adjusting specific pixels in a large picture. To the human eye, the image looks normal. But once an AI platform scales it down, those tiny adjustments blend together into readable text. If the system interprets that text as a command, it may carry out harmful actions without the user’s consent.

Researchers tested this method on several AI tools, including interfaces that connect with services like calendars and emails. In one demonstration, a seemingly harmless image was uploaded to an AI command-line tool. Because the tool automatically approved external requests, the hidden message forced it to send calendar data to an attacker’s email account.

The root of the problem lies in how computers shrink images. When reducing a picture, algorithms merge many pixels into fewer ones. Popular methods include nearest neighbor, bilinear, and bicubic interpolation. Each creates different patterns when compressing images. Attackers can take advantage of these predictable patterns by designing images that reveal commands only after scaling.

To prove this, the researchers released Anamorpher, an open-source tool that generates such images. The tool can tailor pictures for different scaling methods and software libraries like TensorFlow, OpenCV, PyTorch, or Pillow. By hiding adjustments in dark parts of an image, attackers can make subtle brightness shifts that only show up when downscaled, turning backgrounds into letters or symbols.

Mobile phones and edge devices are at particular risk. These systems often force images into fixed sizes and rely on compression to save processing power. That makes them more likely to expose hidden content.

The researchers also built a way to identify which scaling method a system uses. They uploaded test images with patterns like checkerboards, circles, and stripes. The artifacts such as blurring, ringing, or color shifts revealed which algorithm was at play.

This discovery also connects to core ideas in signal processing, particularly the Nyquist-Shannon sampling theorem. When data is compressed below a certain threshold, distortions called aliasing appear. Attackers use this effect to create new patterns that were not visible in the original photo.

According to the researchers, simply switching scaling methods is not a fix. Instead, they suggest avoiding automatic resizing altogether by setting strict upload limits. Where resizing is necessary, platforms should show users a preview of what the AI system will actually process. They also advise requiring explicit user confirmation before any text detected inside an image can trigger sensitive operations.

This new attack builds on past research into adversarial images and prompt injection. While earlier studies focused on fooling image-recognition models, today’s risks are greater because modern AI systems are connected to real-world tools and services. Without stronger safeguards, even an innocent-looking photo could become a gateway for data theft.


Read more »
protect user privacy
Chrome Extensions customer data privacy data security Data Theft Free VPN free VPN risks online privacy concerns Privacy protect user privacy

FreeVPN.One Chrome Extension Caught Secretly Spying on Users With Unauthorized Screenshots

 

Security researchers are warning users against relying on free VPN services after uncovering alarming surveillance practices linked to a popular Chrome extension. The extension in question, FreeVPN.One, has been downloaded over 100,000 times from the Chrome Web Store and even carried a “featured” badge, which typically indicates compliance with recommended standards. Despite this appearance of legitimacy, the tool was found to be secretly spying on its users.  

FreeVPN.One was taking screenshots just over a second after a webpage loaded and sending them to a remote server. These screenshots also included the page URL, tab ID, and a unique identifier for each user, effectively allowing the developers to monitor browsing activity in detail. While the extension’s privacy policy referenced an AI threat detection feature that could upload specific data, Koi’s analysis revealed that the extension was capturing screenshots indiscriminately, regardless of user activity or security scanning. 

The situation became even more concerning when the researchers found that FreeVPN.One was also collecting geolocation and device information along with the screenshots. Recent updates to the extension introduced AES-256-GCM encryption with RSA key wrapping, making the transmission of this data significantly more difficult to detect. Koi’s findings suggest that this surveillance behavior began in April following an update that allowed the extension to access every website a user visited. By July 17, the silent screenshot feature and location tracking had become fully operational. 

When contacted, the developer initially denied the allegations, claiming the screenshots were part of a background feature intended to scan suspicious domains. However, Koi researchers reported that screenshots were taken even on trusted sites such as Google Sheets and Google Photos. Requests for additional proof of legitimacy, such as company credentials or developer profiles, went unanswered. The only trace left behind was a basic Wix website, raising further questions about the extension’s credibility. 

Despite the evidence, FreeVPN.One remains available on the Chrome Web Store with an average rating of 3.7 stars, though its reviews are now filled with complaints from users who learned of the findings. The fact that the extension continues to carry a “featured” label is troubling, as it may mislead more users into installing it.  

The case serves as a stark reminder that free VPN tools often come with hidden risks, particularly when offered through browser extensions. While some may be tempted by the promise of free online protection, the reality is that such tools can expose sensitive data and compromise user privacy. As the FreeVPN.One controversy shows, paying for a reputable VPN service remains the safer choice.
Read more »
Privacy Threat
Data Breach Data Leak Data Theft KLM Alerts Privacy Threat

KLM Alerts Customers After Data Theft by Fraudsters


On Wednesday, Air France and KLM announced a breach of a customer service platform, compromising the personal data of an undisclosed number of customers. The breach highlights the increasing cybersecurity challenges faced by the aviation industry. Air France–KLM Group, the company founded in 2004, is a multinational airline holding company with a French–Dutch core. It is known as one of the largest airline holding companies in the world. 


The two carriers, along with Transavia, operate under it. During the year 2024, the airline company could transport 98 million passengers worldwide through its fleet of 564 aircraft, a workforce of 78,000 employees, and a network that extended to 300 destinations in 90 countries. As a result of this incident, customers as well as the industry as a whole should be concerned. 

There was a report of a breach at an airline group's external customer service platform which gave attackers access to sensitive information, including customer names, contact information, frequent flyer records, and recent transaction history, by accessing an external customer service platform. Although Air France and KLM emphasised that no internal systems or financial data had been compromised, they also confirmed that they were taking immediate steps to prevent any further unauthorised access to their systems. 

Security analysts note that the incident appears to have echoes of the ShinyHunters cybercrime group, an organisation notorious for exploiting platforms like Salesforce through phishing and social engineering campaigns. Regulatory authorities in France and the Netherlands have been notified, and affected passengers have been notified directly. 

There have been several breaches that have impacted major global brands over the year, including Google, Adidas, and many luxury fashion houses, and the group has previously been linked to many such breaches. There has been no confirmation by the airline group whether Salesforce was involved in this attack, but the techniques and the timing of the attack appear consistent with the group's activities. 

Recently, such threats have risen to a large extent, including WestJet and Hawaiian Airlines, which experienced similar breaches in the past few months. These developments have led to the recommendation that customers remain vigilant against possible phishing attacks in light of the recent developments, while industry experts suggest that third-party platforms should be audited rigorously, access controls should be enhanced, and strong cybersecurity frameworks should be implemented in order to protect against future threats. 

Interestingly, the breach bears striking similarities to one disclosed by the Australian carrier Qantas in July, which also involved the compromise of a third-party customer service platform. In that case, hackers were able to gain access to personal information, including the names, dates of birth, e-mail addresses, telephone numbers, and frequent flyer membership numbers of customers. 

It has come to our attention that the attackers had also gotten residential and business addresses as well as hotel delivery addresses associated with lost baggage, and in a few cases, even the meal preferences of passengers, according to a subsequent investigation. According to Qantas, approximately six million people were affected by this attack. 

There is a rise in fraudulent activity that has been targeting the airline's customers, urging passengers to be vigilant against communications from individuals impersonating the airline in the future. According to security sources, the breach is part of a larger wave of attacks attributed to ShinyHunters, a threat actor known for exploiting Salesforce environments through vishing and social engineering techniques, which has been linked to numerous attacks over the years. 

The campaign has also hurt several high-profile organisations, including Adidas, Qantas, Allianz Life, Louis Vuitton, Dior, Tiffany & Co., Chanel, and most recently, Google, which has been among the organisations affected. An Air France–KLM spokesman declined to provide further details, citing the ongoing investigation, when asked whether the breach involved a compromised Salesforce instance or how many individuals were affected. 

Several other aviation-related breaches have been linked to the Scattered Spider hacker collective, which has recently turned its attention to targeting airlines and transportation businesses, including this incident. In the past, the Scattered Spider group had attacked insurance companies and retail firms, but in recent months it has been compromising carriers such as WestJet and Hawaiian Airlines. In response to the incident, KLM informed the Dutch Data Protection Authority of the breach, whereas Air France informed the French Data Protection Authority of the breach. 

There is a direct message being sent by both carriers to all of their customers about the compromise, and they are encouraging them to be vigilant against any emails or phone calls that could be influenced by the compromise. Air France–KLM Group, the parent company of the airlines, along with Transavia, operates as a multinational carrier established in 2004. 

Air France–KLM employs approximately 78,000 people and transports millions of passengers every year, all across the globe. There has been no confirmation regarding who perpetrated the breach, however cybersecurity analysts have suggested that it may have been connected to a group called ShinyHunters that have previously infiltrated Salesforce environments to steal data from major brands like Chanel, Tiffany & Co., and Dior to steal their data. 

A cybersecurity expert at Immersive, Ben McCarthy, commented on the possible link between the two systems by explaining that campaigns targeting SaaS platforms like Salesforce underscore how much threat actors value these systems, since a single breach could lead to the access of the data of multiple organisations. This incident is a stark reminder of the security risks inherent in the increasingly complex digital ecosystem, which airlines are increasingly relying on. 

A growing number of carriers are using interconnected platforms and third-party services to enhance customer experiences, but they are also increasing the attack surface that is available to threat actors. It is well known that to protect such large networks, not just advanced technical safeguards are needed, but also continuous collaboration is needed between aviation companies, regulators, and cybersecurity experts.

A number of attacks have demonstrated both persistence and adaptability, so the industry faces a growing need to anticipate threats rather than merely reacting to them. Passengers have a crucial line of defence in the form of heightened awareness, as even the most sophisticated security systems can be compromised by a single successful phishing attack or a manipulated interaction with customers. 

The latest breach in the ever-evolving landscape of cyber threats illustrates what is now becoming a growing reality, which is that trust and security are now equally as essential to the journey as the aircraft themselves, especially in the field of aviation.
Read more »
Personal Data Breach
Data Breach Data Leak Data protection data security Data Theft Italy Personal Data Personal Data Breach

Venice Film Festival Cyberattack Leaks Personal Data of Accredited Participants

 

The Venice Film Festival has reportedly been hit by a cyberattack, resulting in the leak of sensitive personal data belonging to accredited attendees. According to The Hollywood Reporter, the breach exposed information including names, email addresses, contact numbers, and tax details of individuals registered for this year’s event. The affected group includes both festival participants and members of the press who had received official accreditation. News of the incident was communicated through an official notification. 

The report states that unauthorized actors gained access to the festival’s servers on July 7. In response, the event’s IT team acted swiftly to contain the breach. Their immediate measures included isolating compromised systems, securing affected infrastructure, and notifying relevant authorities. Restoration work was launched promptly to minimize disruption. Those impacted by the incident have been advised to contact the festival at privacy@labiennale.org for more information and guidance. 

Organizers assured that the breach would not affect payment processing, ticketing, or booking systems. This means that preparations for the upcoming 82nd edition of the Venice Film Festival will continue as scheduled, with the event set to run from August 27 to September 9, 2025, in Venice, Italy. As in previous years, the program will feature an eclectic mix of global cinema, spanning independent works, arthouse creations, and major Hollywood productions. 

The 2025 lineup boasts notable names in international filmmaking. Hollywood will be represented by directors such as Luca Guadagnino, Guillermo del Toro, Yorgos Lanthimos, Kathryn Bigelow, Benny Safdie, and Noah Baumbach. Baumbach’s new film Jay Kelly features a star pairing of George Clooney and Adam Sandler, alongside a supporting cast that includes Laura Dern, Greta Gerwig, Riley Keough, Billy Crudup, Eve Hewson, Josh Hamilton, and Patrick Wilson. 

Following last year’s Queer, Guadagnino returns with After The Hunt, a morally complex drama starring Ayo Edebiri, Julia Roberts, and Andrew Garfield, screening in the Out of Competition category. Benny Safdie will present The Smashing Machine, featuring Dwayne Johnson and Emily Blunt in a tense sports drama — his first solo directorial effort after his collaborations with brother Josh on acclaimed films like Uncut Gems and Good Time. 

Festival director Alberto Barbera has hinted at a strong awards season presence for several films in the lineup. He cited The Smashing Machine, Kathryn Bigelow’s latest feature, and Guillermo del Toro’s adaptation of Frankenstein as potential Oscar contenders. Despite the cyberattack, the Venice Film Festival remains on track to deliver one of the year’s most anticipated cinematic showcases.
Read more »
PWA
Browser Browser Security Client Accounts Cyber Attacks cybercriminals Data protection data security Data Theft Mobile Security PWA

Cybercriminals Escalate Client-Side Attacks Targeting Mobile Browsers

 

Cybercriminals are increasingly turning to client-side attacks as a way to bypass traditional server-side defenses, with mobile browsers emerging as a prime target. According to the latest “Client-Side Attack Report Q2 2025” by security researchers c/side, these attacks are becoming more sophisticated, exploiting the weaker security controls and higher trust levels associated with mobile browsing. 

Client-side attacks occur directly on the user’s device — typically within their browser or mobile application — instead of on a server. C/side’s research, which analyzed compromised domains, autonomous crawling data, AI-powered script analysis, and behavioral tracking of third-party JavaScript dependencies, revealed a worrying trend. Cybercriminals are injecting malicious code into service workers and the Progressive Web App (PWA) logic embedded in popular WordPress themes. 

When a mobile user visits an infected site, attackers hijack the browser viewport using a full-screen iframe. Victims are then prompted to install a fake PWA, often disguised as adult content APKs or cryptocurrency apps, hosted on constantly changing subdomains to evade takedowns. These malicious apps are designed to remain on the device long after the browser session ends, serving as a persistent backdoor for attackers. 

Beyond persistence, these apps can harvest login credentials by spoofing legitimate login pages, intercept cryptocurrency wallet transactions, and drain assets through injected malicious scripts. Some variants can also capture session tokens, enabling long-term account access without detection. 

To avoid exposure, attackers employ fingerprinting and cloaking tactics that prevent the malicious payload from triggering in sandboxed environments or automated security scans. This makes detection particularly challenging. 

Mobile browsers are a favored target because their sandboxing is weaker compared to desktop environments, and runtime visibility is limited. Users are also more likely to trust full-screen prompts and install recommended apps without questioning their authenticity, giving cybercriminals an easy entry point. 

To combat these threats, c/side advises developers and website operators to monitor and secure third-party scripts, a common delivery channel for malicious code. Real-time visibility into browser-executed scripts is essential, as relying solely on server-side protections leaves significant gaps. 

End-users should remain vigilant when installing PWAs, especially those from unfamiliar sources, and treat unexpected login flows — particularly those appearing to come from trusted providers like Google — with skepticism. As client-side attacks continue to evolve, proactive measures on both the developer and user fronts are critical to safeguarding mobile security.
Read more »
Everest Group
Cyber Crime cybersecurity news Data Theft Everest Group

Cybercrime Group Claims Theft of MailChimp Client Data

 

The Russian-speaking cybercrime group Everest says it has stolen a large trove of data from email marketing giant Mailchimp, but the company has denied any evidence of a security incident. Everest announced the alleged breach on its dark web leak site, claiming to possess a 767 MB database with 943,536 rows of information. 

The group said the stolen material includes internal company documents alongside a “wide variety” of customer data. However, cybersecurity analysts examining a sample of the leaked files found the contents less alarming than Everest’s claims suggest. According to reports, the dataset appears to be structured business information rather than highly sensitive internal records. 

The entries include domain names, corporate email addresses, phone numbers, locations, GDPR region tags, social media profiles, and hosting provider details. Many records also list the technology stacks used by the companies such as Shopify, WordPress, Amazon, Google Cloud, and PayPal, hinting that the information may have originated from a marketing or CRM export instead of Mailchimp’s core systems. 

In a statement to media, Mailchimp’s parent company Intuit said: “The security of our products and our customers’ data are among our highest priorities. We are aware of the claims regarding Intuit Mailchimp’s systems. Based on our investigation at this time, we have no evidence to suggest any security incidents or exfiltration of data from our systems.” 

What's about the Everest Group?

Active since late 2020, Everest has historically used a double-extortion model, encrypting victims’ data while threatening to leak it unless a ransom is paid. Past targets have included the Brazilian government and NASA. From late 2022 onward, the group has increasingly operated as an Initial Access Broker (IAB), selling access to compromised networks instead of deploying ransomware directly. 

Recently, it has acted more as a data broker, publishing stolen material from companies such as Coca-Cola, the Saudi Arabian Rezayat Group, and other high-profile organizations. While the true origin and sensitivity of the Mailchimp-linked dataset remain unconfirmed, security experts warn that even non-sensitive business data could be leveraged in phishing or social engineering campaigns.
Read more »
Katz
Atlantis AIO CaaS Credentials Theft CyberCrime cybercriminals Cybersecurity Data Breach Data Harvesting SDK data security Data Theft Flashpoint infostealers Katz

Cybercrime-as-a-Service Drives Surge in Data Breaches and Stolen Credentials

 

The era of lone cybercriminals operating in isolation is over. In 2025, organized cybercrime groups dominate the threat landscape, leveraging large-scale operations and sophisticated tools to breach global organizations. Recent intelligence from Flashpoint reveals a troubling surge in cyberattacks during just the first half of the year, showing how professionalized cybercrime has become — particularly through the use of Cybercrime-as-a-Service (CaaS) offerings. 

One of the most alarming findings is the 235% rise in data breaches globally, with the United States accounting for two-thirds of these incidents. These breaches exposed an astounding 9.45 billion records. However, this number is eclipsed by the dramatic 800% increase in stolen login credentials. In total, threat actors using information-stealing malware compromised more than 1.8 billion credentials in just six months. 

These tools — such as Katz Stealer or Atlantis AIO — are widely accessible to hackers for as little as $30, yet they offer devastating capabilities, harvesting sensitive data from commonly used browsers and applications. Flashpoint’s report emphasizes that unauthorized access, largely facilitated by infostealers, was the initial attack vector in nearly 78% of breach cases. 

These tools enable threat actors to infiltrate organizations and pivot across networks and supply chains with ease. Because of their low cost and high effectiveness, infostealers are now the top choice for initial access among cybercriminals. This rise in credential theft coincides with a 179% surge in ransomware attacks during the same period. 

According to Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint, this dramatic escalation highlights the industrial scale at which cybercrime is now conducted. The report suggests that to counter this growing threat, organizations must adopt a dual strategy: monitor stolen credential datasets and set up alert systems tied to specific compromised domains.  

Furthermore, the report advocates for moving beyond traditional password-based authentication. Replacing passwords and basic two-factor authentication (2FA) with passkeys or other robust methods can help reduce risk. 

As cybercriminal operations grow increasingly professional, relying on outdated security measures only makes organizations more vulnerable. With CaaS tools making sophisticated attacks more accessible than ever, companies must act swiftly to enhance identity protection, tighten access controls, and build real-time breach detection into their infrastructure. 

The rapid evolution of cybercrime in 2025 is a stark reminder that prevention and preparedness are more critical than ever.
Read more »
Malware Threat
Browser Credential Theft Cyber Attacks CyberThreat Data Theft Information Security Infostealer Infostealer Malware Malicious Browsers Malware Attack Malware Threat

Shuyal Malware Targets 19 Browsers with Advanced Data Theft and Evasion Capabilities

 

A newly discovered infostealing malware named “Shuyal” has entered the cyber threat landscape, posing a serious risk to users by targeting a wide range of web browsers and deploying sophisticated evasion methods. Identified by researchers at Hybrid Analysis, Shuyal is capable of stealing credentials and sensitive information from 19 different browsers, including lesser-known privacy-focused options like Tor and Brave. 

The malware is named after identifiers found in its code path and represents a new generation of data stealers with expanded surveillance capabilities. Unlike traditional malware that only focuses on login credentials, Shuyal goes deeper—harvesting system-level information, capturing screenshots, monitoring clipboard activity, and sending all of it to cybercriminals using a Telegram bot-controlled infrastructure. 

In his analysis, Vlad Pasca from Hybrid Analysis highlighted that Shuyal performs extensive system reconnaissance. Once it infects a device, it disables the Windows Task Manager to prevent users from detecting or ending the malware’s process. It also hides its tracks by removing evidence of its activities through self-deleting mechanisms, including batch scripts that erase runtime files once the data has been exfiltrated. 

Among the browsers targeted by Shuyal are mainstream options such as Chrome and Edge, but it also compromises more obscure browsers like Waterfox, OperaGx, Comodo, Falko, and others often marketed as safer alternatives. This wide reach makes it particularly concerning for users who believe they are using secure platforms. 

Shuyal collects technical details about the system, including hard drive specifications, connected input devices like keyboards and mice, and display configurations. It compresses all collected data using PowerShell into a temporary folder before transmitting it to the attackers. This organized method of data collection and transfer demonstrates the malware’s highly stealthy design. 

The malware also ensures it remains active on compromised machines by copying itself into the Startup folder, allowing it to launch each time the system is rebooted. 

Although researchers have not yet pinpointed the exact methods attackers use to distribute Shuyal, common delivery vectors for similar malware include phishing emails, malicious social media posts, and deceptive captcha pages. Experts caution that infostealers like Shuyal often serve as precursors to more serious threats, including ransomware attacks and business email compromises. 

Hybrid Analysis encourages cybersecurity professionals to study the published indicators of compromise (IOCs) associated with Shuyal to strengthen their defense strategies. As cyber threats evolve, early detection and proactive protection remain essential.
Read more »
Technology
AI ChatGPT Data Data Theft Internet Technology

A Massive 800% Rise in Data Breach Incidents in First Half of 2025


Cybersecurity experts have warned of a significant increase in identity-based attacks, following the revelation that 1.8 billion credentials were stolen in the first half of 2025, representing an 800% increase compared to the previous six months.

Data breach attacks are rising rapidly

Flashpoint’s Global Threat Intelligence Index report is based on more than 3.6 petabytes of data studied by the experts. Hackers stole credentials from 5.8 million compromised devices, according to the report. The significant rise is problematic as stolen credentials can give hackers access to organizational data, even when the accounts are protected by multi-factor authentication (MFA).

The report also includes details that concern security teams.

About the bugs

Until June 2025, the firm has found over 20,000 exposed bugs, 12,200 of which haven’t been reported in the National Vulnerability Database (NVD). This means that security teams are not informed. 7000 of these have public exploits available, exposing organizations to severe threats.

According to experts, “The digital attack surface continues to expand, and the volume of disclosed vulnerabilities is growing at a record pace – up by a staggering 246% since February 2025.” “This explosion, coupled with a 179% increase in publicly available exploit code, intensifies the pressure on security teams. It’s no longer feasible to triage and remediate every vulnerability.”

Surge in ransomware attacks

Both these trends can cause ransomware attacks, as early access mostly comes through vulnerability exploitation or credential hacking. Total reports of breaches have increased by 179% since 2024, manufacturing (22%), technology (18%), and retail (13%) have been hit the most. The report has also disclosed 3104 data breaches in the first half of this year, linked to 9.5 billion hacked records.

2025 to be record year for data breaches

Flashpoint reports that “Over the past four months, data breaches surged by 235%, with unauthorized access accounting for nearly 78% of all reported incidents. Data breaches are both the genesis and culmination of threat actor campaigns, serving as a source of continuous fuel for cybercrime activity.” 

In June, the Identity Theft Resource Center (ITRC) warned that 2025 could become a record year for data cyberattacks in the US.

Read more »
Subscribe to: Posts (Atom)