news
Breaking Cyber News From Cyberint
Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.
- All Items
- Shadowpad
- Asia
- Sentinelone
- Government
- Purplehaze
- South-Eastern Asia
- Goreshell
- Movistar Venezuela
- Latin America And The Caribbean
- Telecommunications
- Cypher404X
- Venezuela
- North America
- Phishing
- United States
- Business Services
- Woocommerce
- Middle East
- Paypal
- Israel
- Finance
- Financial Theft
- Pjm Interconnection
- L33Tfg
- Critical Infrastructures
- Automotive
- Dinac
- Gatito_Fbi_Nz
- Paraguay
- Network Denial Of Service
- Arabian_Ghosts
- Mprest
- Israel Port
- Education
- Storm-1977
- Password Spraying
- Resource Hijacking
- Insurance Agents, Brokers And Service
- Israel'S National Insurance
- Chile
- 3Ipe
- Sentap
- Data From Local System
- Lonefleet
- Command And Scripting Interpreter
- Blackshadow
- Web Protocols
- Murkytour
- Match Legitimate Name Or Location
- Malicious File
- Spearphishing Link
- Europe
- Russia
- Eastern Europe
- Eastern Asia
- Technology
- Dji
- China
- R00Tk1T
- Go-Net Software Solutions
- Cyber Toufan Operation
- Kazu
- Nepal
- Nepal Police
- Southern Asia
- Sk Telecom
- South Korea
- Docker
- India
- Indigo
- Energyweaponuser
- Transportation
- Taiwan
- Hong Kong
- Media
- Transportation By Air
- Lotus Blossom
- Vietnam
- Sagerunex
- Philippines
- Construction
- Southern Europe
- Supercard X
- Italy
- Interlock
- Bangchak Corporation Public
- Thailand
- Homepro
- Ingress Tool Transfer
- Exfiltration Over C2 Channel
- Time Based Evasion
- Hidden Files And Directories
- Obfuscated Files Or Information
- Drive-By Compromise
- System Information Discovery
- Scheduled Task
- Os Credential Dumping
- Northern Africa
- Denmark
- Northern Europe
- Brute Force
- Africa
- Japan
- Xor Ddos
- Canada
- Morocco
- Ssh
- Wineloader
- Apt29
- Grapeloader
- Lemonade Insurance Agency
- Exploitation For Defense Evasion
- Visual Basic
- Shortcut Modification
- Shared Modules
- Turkey
- Scripting
- Dns
- Czech Republic
- Registry Run Keys / Startup Folder
- Rundll32
- Junk Data
- Digital Certificates
- Reflective Code Loading
- Spearphishing Attachment
- Deobfuscate/Decode Files Or Information
- Resolverrat
- System Checks
- Indonesia
- Disable Or Modify Tools
- Protocol Impersonation
- Exfiltration Over Alternative Protocol
- Asymmetric Cryptography
- Brazil
- Healthcare
- Debugger Evasion
- Security Software Discovery
- Portugal
- Dll Side-Loading
- Software Packing
- Energy
- Xenorat
- Curlback Rat
- Sparkrat
- Railroad Transportation
- Sidecopy
- Banyuwangixploit
- Powermodul
- Paper Werewolf
- Akirabot
- Spain
- Donalddump
- Endesa S.A
- Access Israel
- Ruskinet
- Magento
- Satanic
- Shadowbits
- Islamic Republic Of Iran
- Mobile Communication Company Of Iran
- Cve-2025-29824
- Software
- Saudi Arabia
- Retail
- Pipemagic
- CVE-2025-29824
- Real Estate
- Storm-2460
- Marssepe
- Mexico
- Ukraine
- Giftedcrook
- Uac-0226
- Israeli Ministry Of Defense
- Islamic Hacker Army
- Ddos Attack Against Israeli Ministry Of Defense
- Credentials From Web Browsers
- Automated Collection
- Javascript
- Upload Malware
- Compromise Software Supply Chain
- Lazarus Group
- Browser Information Discovery
- File And Directory Discovery
- Installer Packages
- Beavertail
- Keychain
- Triada
- Poria.Org.Il
- Vortex
- Account Access Removal
- Authentication Bypass
- Bangladesh
- Bypass User Account Control
- Account Manipulation
- Social Media Accounts
- Red Wolf Team
- Israel-Catalog
- Xinxin Group
- Lucid
- Xmrig
- Jinx-0126
- Ghna
- Royal Mail
- United Kingdom
- Samsung
-
Apr 30, 2025
SentinelOne Uncovers Chinese Espionage Campaign Targeting its Infrastructure and Clients
SentinelOne has identified a China-nexus threat cluster named PurpleHaze, which has been conducting reconnaissance against its infrastructure and high-value customers. This hacking group is loosely associated with the state-sponsored group APT15 and has targeted a South Asian government entity using a Windows backdoor called GoReShell. The attackers have employed an operational relay box network to enhance their cyberespionage capabilities. Previous attacks involved the use of ShadowPad, a backdoor linked to various espionage activities, indicating a potential overlap in operations
-
Apr 30, 2025
Threat Actor Claims to Have Breached Movistar Venezuela
In April 2025, a threat actor named "Cypher404x" claimed to have breached Movistar Venezuela and to have gained access to its database. According to the threat actor, 4,376,105 records belonging to Movistar's customers were taken, including personal data.
-
Apr 29, 2025
Phishing Campaign Targets WooCommerce Users with Fake Security Alerts
Cybersecurity researchers have identified a large-scale phishing campaign targeting WooCommerce users, where victims receive fake security alerts urging them to download a 'critical patch.' This malicious activity, is believed to be a variant of a previous campaign that used a fake CVE to breach sites running the popular content management system. The phishing emails lead users to a spoofed WooCommerce marketplace page, where they inadvertently download malware that creates a new administrator account on their site, allowing attackers remote control to inject spam, redirect visitors, or even launch DDoS attacks.
-
Apr 28, 2025
Phishing Campaign Exploiting ISRAELI COSTUMERS, USING PayPal’s Donation Feature
Over the past 24 hours, a phishing campaign has been circulating in Israel that exploits PayPal’s donation feature to convey an appearance of legitimacy. Attackers send SMS messages demanding payment of shipping fees. Rather than directing recipients to a fraudulent website to steal credit-card details, the message links to a genuine PayPal donation page displaying the same amount requested in the SMS. To bolster perceived legitimacy, threat actors overlay the PayPal interface with familiar logos, such as Israel Post, and copy PayPal’s styling and copy almost verbatim. The attackers rely on the victim’s trust in PayPal’s brand. Once the victim submits payment, the funds are transferred directly into the attacker’s PayPal account.
-
Apr 28, 2025
Threat Actor Claims Breach of PJM Interconnection
In April 2025, a threat actor named l33tfg claimed to have breached PJM Interconnection LLC, the largest electric transmission system in North America, and to have gained access to its database. According to the threat actor, over 4,000 leaked database entries belonging to PJM's customers were taken, including personal information such as names, email addresses, and phone numbers.
-
Apr 28, 2025
Threat Actor Claims to Have Breached DINAC - The National Directory of Civil Aeronautics of Paraguay
In April 2025, a threat actor named Gatito_FBI_Nz claimed to have breached the Dirección Nacional de Aeronáutica Civil (DINAC) in Paraguay and to have gained access to its database. According to the threat actor, a complete leak was extracted from the cloud system, which included several internal documents believed to be related to national security, such as curriculum vitae and other sensitive information.
-
Apr 27, 2025
DDoS Attack on mPrest, an Israeli Technology Company Specializing in Critical Infrastructure
On April 27th, the hacktivist group Arabian Ghosts claimed to have launched a DDoS attack against the website of mPrest, an Israeli technology company specializing in software and smart control systems for sectors such as energy, defense, and critical infrastructure. Using the hashtag #OpIsrael, suggesting a connection to the broader OpIsrael campaign.
-
Apr 27, 2025
DDoS Attack on Israel Ports Company (Israports)
On April 27th, the hacktivist group Arabian Ghosts claimed to have launched a DDoS attack against the website of Israel Ports Company (Israports), the state-owned company responsible for developing and maintaining Israel’s seaport infrastructure. Using the hashtag #OpIsrael , suggesting a connection to the broader OpIsrael campaign.
-
Apr 27, 2025
Storm-1977 Targets Education Sector with Password Spraying Attacks
Investigators have reported that a threat actor known as Storm-1977 has been conducting password spraying attacks against cloud tenants in the education sector over the past year. The attacks utilize a command-line interface tool called azurechecker.exe, which connects to an external server to retrieve AES-encrypted data containing a list of targets. The attackers have successfully compromised accounts, creating resource groups and deploying over 200 containers for illicit cryptocurrency mining.
-
Apr 24, 2025
Phishing Campaign Targets Israelis with Fake Bituach Leumi Emails
CERT-IL warns of a phishing campaign impersonating Israel’s National Insurance Institute. Victims receive fake emails urging them to download a “report,” which installs ScreenConnect RAT, granting attackers remote access. The campaign uses spoofed domains and a disguised .exe file. Authorities urge caution and IOC monitoring.
-
Apr 24, 2025
Threat Actor Sells Data Belonging to 3ipe
In April 2025, a threat actor named Sentap claimed to have breached 3ipe.com and to have gained access to its database. According to the threat actor, 568 GB of exclusive engineering and commercial data belonging to 3ipe's customers was taken, including technical and scientific documents, commercial and project data, visual content, geographic data, management tools, and human resources archives. The threat actor is selling the dataset for 12 thousand dollars.
-
Apr 24, 2025
Iran-Linked Hackers Deploy MURKYTOUR Malware in Fake Job Scheme Targeting Israel
In October 2024, Iranian-aligned threat actor UNC2428 launched a sophisticated cyber espionage campaign against Israel using a backdoor malware named MURKYTOUR. Disguised as a job recruitment effort from Israeli defense contractor Rafael, the attackers lured victims into downloading a fake job application tool called "RafaelConnect.exe." The installer, dubbed LONEFLEET, featured a convincing graphical interface to collect personal data and resumes. Meanwhile, the MURKYTOUR malware was covertly deployed via a launcher known as LEAFPILE, granting the hackers persistent access to infected systems. This campaign, linked to Iran’s Ministry of Intelligence and Security (MOIS), overlaps with activity attributed to the Iranian group Black Shadow and is part of broader Iranian efforts targeting multiple sectors in Israel.
-
Apr 24, 2025
Russian Military Targeted by New Android Spyware Campaign
Cybersecurity researchers have uncovered a malicious campaign targeting Russian military personnel, distributing Android spyware disguised as the Alpine Quest mapping software. The malware, identified as android.spy.1292.origin, is embedded in modified versions of the app and is propagated through Russian app catalogs and fake Telegram channels. Once installed, it collects sensitive data such as phone numbers, contact lists, geolocation, and stored files, while also allowing attackers to exfiltrate files via Telegram and WhatsApp. The campaign exploits the app's popularity among military users, emphasizing the need for caution when downloading apps from untrusted sources.
-
Apr 23, 2025
R00TK1T Claims DJI Customer Data Theft
On April 21, 2025, a threat actor group identifying as "R00TK1T" publicly claimed responsibility for breaching DJI’s systems and exfiltrating a large amount of sensitive customer data. According to their statement, the stolen information includes order details, customer names, tracking numbers, pricing, drone specifications, contact information, and payment methods. The group is allegedly selling the data through a private channel.
-
Apr 23, 2025
Cyber Toufan Claims Breach of Israeli Software Firm 'Go-Net'
The pro-Palestinian hacktivist group Cyber Toufan claimed responsibility for breaching the Israeli software development firm Go-Net Software Solutions, which allegedly provides services to entities such as the IDF, insurance companies, banks, etc. In a Telegram post, the group alleged it had maintained persistent access to Go-Net’s network for over a year, during which it exfiltrated source code and internal databases. A sample of the stolen data was released publicly, with more sensitive material reportedly shared with affiliated threat actors. Go-Net has yet to comment on the incident, and the extent of the breach remains unverified.
-
Apr 23, 2025
Threat Actor Claims to Have Breached The Nepal Police
In April 2025, a threat actor named Kazu claimed to have breached the Nepal Police Central Website and to have gained access to its database. According to the threat actor, over 2 million records belonging to Nepal Police's citizens were taken, including face images, ID cards, passports, and personally identifiable information (PII).
-
Apr 23, 2025
SK Telecom Reports Breach To Customer's USIM Data
In April 2025, SK Telecom became the victim of a data breach when threat actors managed to gain access to its database through a malware infection. According to SK Telecom, sensitive USIM-related information could have been exposed, including international mobile subscriber identity (IMSI), mobile station ISDN number (MSISDN), authentication keys, and network usage data.
-
Apr 23, 2025
New Malware Campaign Targets Docker Environments for Cryptocurrency Mining
Cybersecurity researchers have uncovered a new malware campaign that specifically targets Docker environments using a previously undocumented technique to mine cryptocurrency. This campaign involves deploying a heavily obfuscated Python script through a container image from Docker Hub, which connects to a decentralized service called Teneo to earn rewards without actual data scraping. Unlike traditional cryptojacking methods that utilize miners like XMRig, this approach focuses on exploiting the compute resources of misconfigured Docker instances.
-
Apr 22, 2025
Threat Actor Sells IndiGo Flight Data
In April 2025, a threat actor named "EnergyWeaponUser" claimed to be selling a database allegedly linked to IndiGo flight ticket bookings. The data, reportedly originating from the United Arab Emirates (UAE), includes message delivery logs with headers such as CountryName, Message, DestinationPhone, and DeliveryTime. The threat actor has offered the data for $500.
-
Apr 22, 2025
Lotus Panda Cyber Espionage Campaign Targets Southeast Asia
The China-linked cyber espionage group known as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. Targets included a government ministry, an air traffic control organization, a telecom operator, and a construction company. The attacks utilized various custom tools, including loaders, credential stealers, and a reverse SSH tool. This campaign is seen as a continuation of previous activities by Lotus Panda, which has targeted the government and military sectors in Southeast Asia since 2009. The latest wave of attacks involved sophisticated techniques to sideload malicious files and exfiltrate sensitive information.
-
Apr 22, 2025
Supercard X: New Android Malware Facilitating NFC Relay Attacks
Investigators have discovered a new Android malware-as-a-service platform named Supercard X, which enables threat actors to conduct NFC relay attacks targeting banking customers in Italy. The malware employs social engineering tactics, including smishing and phone calls, to trick victims into installing malicious apps that capture payment card data. By manipulating victims into bringing their cards close to infected devices, attackers can relay card information to conduct unauthorized transactions. The campaign represents a significant financial risk to banking institutions and payment providers, highlighting the effectiveness of combining malware with NFC relay techniques.
-
Apr 21, 2025
Interlock Employs ClickFix Sites In Its Ransomware Attacks
On April 21, 2025, cybersecurity experts warned of a rise in attacks by the Interlock ransomware group, known for its double extortion tactics and a dark web leak site. Active since late 2024, Interlock uses deceptive “ClickFix” sites mimicking tools like Microsoft Teams to trick users into running malicious PowerShell commands. These commands install both legitimate software and hidden malware that steals data, enables remote access, and eventually launches ransomware. The group’s techniques are spreading, with others like Lazarus adopting similar methods.
-
Apr 21, 2025
Bangchak - Breach - 2025-04-09
In April 2025, Bangchak, a major Thai oil and gas company, became the victim of a data breach when threat actors managed to gain access to its customer feedback system. According to Bangchak, approximately 6.5 million customer records were taken, although the initial communication to affected customers did not specify the types of data exposed, stating that no sensitive data or financial transaction information was compromised.
-
Apr 21, 2025
HomePro - Breach - 2025-04-12
In April 2025, a threat actor announced the sale of a database belonging to homepro.co.th, a prominent household company in Thailand specializing in home appliances and decoration tools. The database reportedly contains 17,917,927 individual records, including sensitive information such as phone numbers, usernames, purchased products, addresses, gender, date of birth, and emails. The threat actor is soliciting offers for the database and has indicated that escrow services are accepted for the transaction.
-
Apr 21, 2025
Malvertising Campaign Exploits Node.js for Data Theft
Researchers have raised alarms about an ongoing malvertising campaign that utilizes Node.js to deliver malware aimed at information theft and data exfiltration. First detected in October 2024, the campaign employs cryptocurrency trading lures to trick users into downloading malicious installers from fraudulent websites masquerading as legitimate platforms like Binance and TradingView. The malware, once installed, harvests system information and establishes persistence through scheduled tasks and PowerShell commands, ultimately sending sensitive data to a command-and-control server. Additionally, variations of the attack have been noted, including the use of a fake PDF converter site to deploy the Sectoprat malware, which is known for stealing sensitive data.
-
Apr 21, 2025
Surge in XorDDoS Trojan Attacks Targeting Docker, Linux and IoT
Cybersecurity researchers have reported a significant increase in the prevalence of the Xorddos Trojan, a distributed denial-of-service (DDoS) malware, which has been particularly active between November 2023 and February 2025, with 71.3% of attacks targeting the United States. The malware, which has been affecting Linux systems for over a decade, has expanded its reach to Docker servers and is primarily delivered through SSH brute-force attacks. A new version of the malware's sub-controller has been observed, suggesting that it is being marketed for sale by Chinese-speaking operators. Nearly 42% of compromised devices are located in the U.S., followed by Japan, Canada, Denmark, Italy, Morocco, and China.
-
Apr 20, 2025
APT29's Phishing Campaign Targets European Diplomats with Grapeloader
APT29, a Russian state-sponsored threat actor, is linked to a sophisticated phishing campaign targeting diplomatic entities in Europe using a new variant of Wineloader and a previously unreported malware loader named Grapeloader. The campaign exploits wine-tasting event invitations to trick recipients into downloading a malware-laden zip file, which deploys Grapeloader to collect information and facilitate further attacks. Grapeloader enhances the stealth and anti-analysis capabilities of Wineloader, indicating a significant evolution in the tactics employed by APT29. The campaign primarily focuses on ministries of foreign affairs across multiple European countries, with indications of targeting diplomats in the Middle East as well.
-
Apr 16, 2025
Lemonade Insurance Reports Data Leak Involving Driver License Numbers
Lemonade Insurance has disclosed a potential data leak caused by a technical issue/vulnerability in a third-party vendor’s non-encrypted API. The incident may have exposed customer driver's license numbers. While no misuse has been reported so far, the exposure of this sensitive identifier raises concerns about identity theft risks, especially when combined with other personal data.
-
Apr 16, 2025
ResolverRat: A New Threat to Healthcare Cybersecurity
Cybersecurity researchers have identified a sophisticated remote access trojan named ResolverRat, which is targeting the healthcare and pharmaceutical sectors through fear-based phishing emails. The campaign, observed as recently as March 2025, employs localized phishing lures in various languages to increase infection rates. ResolverRat utilizes advanced techniques such as DLL side-loading, multi-stage bootstrapping, and certificate-based authentication to establish persistent connections with command-and-control servers while evading detection. The malware's goal is to execute commands from the C2 server and exfiltrate data in small chunks to minimize detection risks.
-
Apr 16, 2025
Pakistani Threat Actor Expands Targeting in India with New Malware Techniques
A threat actor linked to Pakistan has been observed targeting various sectors in India, including the railway, oil and gas, and external affairs ministries, using multiple remote access trojans such as Xeno RAT, Spark RAT, and a new malware called Curlback RAT. This activity, detected by Seqrite in December 2024, marks a significant expansion beyond previous targets like government and defense sectors. The group has shifted its tactics from using HTML application files to Microsoft Installer packages for malware deployment and employs sophisticated techniques like DLL side-loading and credential phishing to enhance persistence and evade detection.
-
Apr 14, 2025
Threat Actor Claims Leak of 2GB of Data Belonging to Israeli Entities
On April 10th, 2025, the threat actor named "BanyuwangiXploit" claimed to have a dataset belonging to Israeli entities. According to the threat actor, over 2GB of data were taken and shared on a darknet forum. The data seems to include email addresses, along with private communications.
-
Apr 14, 2025
New Cyber Attacks by Paper Werewolf Targeting Russian Entities
The threat actor known as Paper Werewolf, also referred to as Goffee, has been actively targeting Russian organizations across various sectors, including mass media, telecommunications, construction, government, and energy, with a new implant called Powermodul. Between July and December 2024, Kaspersky reported that Paper Werewolf conducted at least seven campaigns, utilizing phishing emails with macro-laden documents to deploy a PowerShell-based remote access trojan named Powerrat. The attacks often involve a multi-stage infection process, leveraging malicious RAR archives and executable files disguised as documents. The Powermodul backdoor, introduced in early 2024, has been used to download additional payloads like Powertaskel and Flashfilegrabber, which facilitate data exfiltration and further compromise of targeted systems.
-
Apr 14, 2025
AkiraBot: AI-Powered Spam Campaign Targeting Websites
Cybersecurity researchers have uncovered a new AI-powered bot named AkiraBot, which has been actively spamming over 400,000 websites since September 2024. This bot utilizes OpenAI's language models to generate tailored spam messages that bypass traditional spam filters and CAPTCHA protections. Initially known as ShopBot, AkiraBot targets contact forms and chat widgets on small to medium-sized business websites, leveraging a user-friendly interface for mass targeting. The bot's sophisticated design allows it to mimic legitimate user behavior and evade detection, raising concerns about the challenges AI poses in combating spam attacks. In response to these findings, OpenAI has disabled the API key used by the bot's operators.
-
Apr 10, 2025
Endesa ENERGIA XXI- Breach - 2025-04-05
The threat actor known as DonaldDump claims to have breached Spanish utilities company Energía XXI and is selling a database containing 4,015,311 records for 7500$. According to the post, the compromised data includes national ID numbers (DNI), full names, phone numbers, addresses, email addresses, IBANs, and utility identifiers (LUZCUPS or GASCUPS). All records include bank account details (IBANs).
-
Apr 10, 2025
-
Apr 10, 2025
Threat Actor Satanic Leaks Magento CRM Data of 745,000 Users
On April 9th, 2025, the threat actor known as "Satanic" leaked data allegedly stolen from a third-party vendor of Magento. According to the threat actor, over 740 thousand user records were taken, including 430,000 emails and 261,000 phone numbers linked to major global companies—posing serious phishing and fraud risks.
-
Apr 10, 2025
Threat Actors Claim Breach of Iran's Biggest Telecommunications Company
In April 2025, the threat actor group named Shadowbits claimed to have breached Hamrahe Avval (MCI), Iran's largest mobile operator, and to have gained access to its database. According to the threat actor, a substantial amount of data belonging to MCI's customers was taken, including full names, father names, place of birth, gender, national ID numbers, addresses, postal codes, birth dates, mobile numbers, and SIM card information.
-
Apr 10, 2025
Exploitation of Windows Zero-Day Leads to Ransomware Attacks
Microsoft has disclosed that a recently patched zero-day vulnerability in the Windows Common Log File System (CLFS), identified as CVE-2025-29824, was exploited in targeted ransomware attacks against organizations in various sectors including IT, real estate, finance, and retail across the United States, Venezuela, Spain, and Saudi Arabia. The attacks utilized a malware named 'pipemagic' to deliver the exploit and ransomware payloads, with the initial access vector still under investigation. This vulnerability allows for privilege escalation, enabling threat actors to gain system privileges and deploy ransomware effectively within compromised environments.
-
Apr 09, 2025
Threat Actor Claims Breach of 8 Mexican Education Institutes
In April 2025, the threat actor "marssepe" claimed to have breached 8 Mexican Education institutes. The threat actor has claimed to have access to the institutes' internal databases, including students, teachers, and administration information.
-
Apr 09, 2025
New Cyber Attacks Target Ukrainian Institutions with an Infostealer
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of cyber attacks aimed at Ukrainian institutions, particularly military and law enforcement agencies near the eastern border. These attacks involve phishing emails containing macro-enabled Excel spreadsheets that deploy two types of malware: a PowerShell script that opens a reverse shell and a new stealer called GiftedCrook, which is designed to steal sensitive data from web browsers. The emails are sent from compromised accounts to appear legitimate, and CERT-UA has attributed the activity to a threat cluster identified as UAC-0226.
-
Apr 06, 2025
-
Apr 06, 2025
North Korean Lazarus Group Expands Malicious npm Campaign
The North Korean Lazarus Group has intensified its malicious campaign on the npm ecosystem by releasing new packages that deliver the Beavertail malware and a remote access trojan (RAT) loader. These packages, which masquerade as legitimate utilities, have been designed to evade detection through advanced obfuscation techniques. The campaign aims to infiltrate developer systems under the guise of job interviews, steal sensitive data, and maintain long-term access to compromised systems. Security researchers have identified multiple new npm packages linked to this campaign, indicating the attackers' ongoing efforts to diversify their tactics and increase their success rate.
-
Apr 06, 2025
Emergence of Triada Malware in Counterfeit Android Devices
A new variant of the Triada malware has been discovered preloaded on counterfeit Android smartphones, affecting over 2,600 users, primarily in Russia. This modular malware, first identified in 2016, is capable of stealing sensitive information, manipulating device functions, and enlisting infected devices into a botnet. The malware is distributed through modified apps and has been linked to a broader fraud scheme involving compromised hardware supply chains. Recent analyses indicate that the malware allows attackers to perform various malicious activities, including intercepting messages and hijacking cryptocurrency wallet addresses. The updated version of Triada has reportedly facilitated the transfer of approximately $270,000 in cryptocurrencies to the attackers' wallets between June 2024 and March 2025.
-
Apr 03, 2025
Vortex Telegram group Launches DDoS Attack on Poria Hospital Website
Hacktivists behind the Vortex Telegram group launched a DDoS attack on Poria Hospital's website (poria.org.il), temporarily taking it down. The site has since recovered and is currently active. This incident highlights ongoing cyber threats against Israeli online assets.
-
Apr 02, 2025
Hackers Exploit Voicemail to Hijack Telegram Accounts in Israel
Cybersecurity experts have warned of a surge in Telegram account hijackings targeting Israelis, with attackers exploiting voicemail vulnerabilities to gain unauthorized access. The Israeli Internet Association has reported a significant increase in cases, linking the attacks to hackers in Bangladesh and Indonesia. The method, which relies on social engineering and technical loopholes, allows attackers to seize control of accounts and lock victims out.
-
Apr 02, 2025
-
Apr 02, 2025
Lucid: The New Phishing-as-a-Service Platform Targeting Global Entities
A new phishing-as-a-service (PhaaS) platform named Lucid has emerged, targeting 169 entities across 88 countries through smishing messages sent via Apple iMessage and Android's RCS. Developed by a Chinese-speaking hacking group known as the Xinxin group, Lucid utilizes legitimate communication channels to bypass traditional SMS detection mechanisms, allowing for large-scale phishing campaigns aimed at stealing credit card information and personally identifiable information. The platform offers automation tools for creating customizable phishing websites and includes advanced anti-detection techniques, enabling cybercriminals to monitor victim interactions in real-time. This development highlights the growing sophistication and organization of phishing operations in the cybercrime landscape.
-
Apr 02, 2025
Ongoing PostgreSQL Exploitation Campaign Targets Cryptocurrency Mining
A new campaign targeting exposed PostgreSQL instances aims to gain unauthorized access and deploy cryptocurrency miners. The campaign, attributed to the threat actor known as Jinx-0126, has reportedly affected over 1,500 victims due to weak or predictable credentials. Researchers have noted that the threat actor employs advanced evasion techniques, such as using unique hashes for binaries and executing miner payloads filelessly. The exploitation involves executing arbitrary shell commands through SQL commands, leading to the installation of a cryptocurrency miner and establishing persistence on compromised systems.
-
Apr 01, 2025
Threat Actor Claims to Have Breached Royal Mail Group
On March 31, 2025, the threat actor GHNA leaked 144GB of data from Royal Mail Group, including sensitive customer information, internal documents, and Zoom meeting recordings. The breach exposed personal identifiable information (PII) such as names, addresses, and package details, as well as confidential communications between Spectos and Royal Mail Group. The leak also included a Wordpress SQL database for mailagents.uk, Mailchimp mailing lists, and datasets with delivery/post office locations. The total leak consisted of 293 folders and 16,549 files
-
Mar 31, 2025
Samsung Electronics Germany Data Breach
In March 2025, Samsung Electronics (Germany) experienced a data breach that resulted in the leak of over 270,000 customer satisfaction tickets on BreachForums. The leaked tickets contain sensitive personal information (PII) of customers, including full names, addresses, email addresses, and order numbers. The breach was attributed to threat actor GHNA, who uploaded the data to the forum for public download.
