Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Jun 24, 2025

    • Israel
    • Middle East
    • Business Services
    • Data Encrypted For Impact
    • Handala
    • Jobinfo
    • Asia

    Handala Claims Cyberattack on Israeli Recruitment Firm

    On June 24, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a cyberattack targeting Israel Job Info Ltd, a prominent Israeli recruitment and placement company. The group alleged it had exfiltrated 419 gigabytes of internal data, including resumes, employment contracts, internal communications, and client records, and published over 50,000 documents as proof of compromise. The group also warned of further leaks to come.

  • Jun 24, 2025

    • Shelter Locations In Israel
    • Israel
    • Middle East
    • Data Encrypted For Impact
    • Handala
    • Asia

    Handala Claims Exposure of Israeli Shelter Locations

    On June 24, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a large-scale breach involving the exposure of what it describes as a comprehensive database of Israeli shelter locations. The group alleges that the leaked data includes exact geographic coordinates of public and private shelters, structural details, and previously undisclosed emergency infrastructure information.

  • Jun 23, 2025

    • Middle East
    • Saudi Games
    • Cyber Fattah Team
    • Asia
    • Saudi Arabia
    • Retail

    Cyber Fattah Behind Saudi Games Data Breach

    The threat actor group “Cyber Fattah” has allegedly leaked thousands of sensitive records from the Saudi Games, which may include personal information, bank details, and medical certificates of athletes and visitors. The threat actor group gained unauthorized access through phpMyAdmin and exfiltrated data in the form of SQL dumps. The breach is believed to be part of a broader Iranian-led information operation aimed at spreading insecurity and damaging Saudi Arabia’s reputation.

  • Jun 22, 2025

    • Ben Horin & Alexandrovitz
    • Israel
    • Middle East
    • Business Services
    • Data Encrypted For Impact
    • Handala
    • Asia

    Ben Horin Alexandrovitz Media Firm Allegedly Breached by Handala

    On June 22, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a large-scale breach of Israeli media and communications firm Ben Horin Alexandrovitz Ltd. The group claims to have exfiltrated 11 TB of internal data, to have released over 50,000 documents as proof of compromise, and to have disrupted operations by wiping servers and accessing affiliated platforms. The attack was described as targeting the firm’s alleged ties to Israeli intelligence and psychological operations.

  • Jun 22, 2025

    • Israel
    • Middle East
    • Business Services
    • Zachary Levi And Sons - Construction
    • Data Encrypted For Impact
    • Handala
    • Asia

    Construction Firm Zacharia Levi Ltd Allegedly Breached by Handala

    On June 21, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a breach targeting Israeli construction company Zacharia Levi Ltd. The group claims to have exfiltrated the company’s entire database, including project files, contracts, financial documents, internal communications, and technical blueprints. Over 20GB of data was leaked as proof of compromise.

  • Jun 22, 2025

    • Israel
    • Sivim It
    • Middle East
    • Business Services
    • Data Encrypted For Impact
    • Handala
    • Asia

    Security Firm Sivim Allegedly Breached by Handala

    On June 20, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a breach targeting Israeli cybersecurity firm Sivim IT. The group released two archive links as proof of compromise.

  • Jun 22, 2025

    • Israel
    • Middle East
    • Kibbutz Almog
    • Data Encrypted For Impact
    • Handala
    • Asia
    • Government

    Kibbutz Almog Allegedly Breached by Handala

    On June 20, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for an alleged breach targeting Kibbutz Almog, an Israeli communal settlement. The group claims to have exfiltrated extensive internal materials, including email communications, financial and personnel records, surveillance footage, and backup archives. As proof of compromise, Handala shared over 60,000 documents and threatened further data exposure.

  • Jun 22, 2025

    • Israel
    • Middle East
    • Data Encrypted For Impact
    • Saban Brands Israel
    • Handala
    • Asia
    • Manufacturing

    Surveillance Firm Saban Systems Allegedly Breached by Handala

    On June 19, 2025, the pro-Palestinian hacktivist group Handala claimed responsibility for a breach targeting Israeli surveillance technology provider Saban Systems. The group claims to have exfiltrated 254GB of confidential data and has released over 50,000 internal documents as proof of compromise.

  • Jun 19, 2025

    • Mprest
    • Israel
    • Middle East
    • Digitalghost
    • Business Services
    • Asia

    DigitalGhost Claims Breach of Israeli Iron Dome Contractor

    A threat actor operating under the alias "DigitalGhost" has claimed responsibility for allegedly breaching mPrest, an Israeli technology contractor allegedly involved in developing software for the Iron Dome missile defense system. According to the attacker, they managed to access a database containing personal information of individuals connected to the company. No official confirmation has been provided regarding the authenticity or scope of the breach.

  • Jun 19, 2025

    • The Knesset
    • Israel
    • Middle East
    • Evil_Byte
    • Asia
    • Government

    Evil_Byte Claims Breach of Israeli Government Body System June

    On June 17, 2025, hacktivist group Evil_Byte claimed responsibility for a cyberattack allegedly targeting Israeli government infrastructure. The group asserted that it had gained root-level access and exfiltrated sensitive data, including authentication credentials and phone numbers linked to Mossad and police personnel. The claims of unauthorized access and data theft have not been independently verified.

  • Jun 18, 2025

    • Retail
    • Nobitex
    • Gonjeshke Darande

    Hacktivist Group "Gonjeshke Darande" Claims Cyberattack on Iran’s Nobitex Exchange

    The Iranian cryptocurrency exchange Nobitex has allegedly been breached by the anti-regime group “Gonjeshke Darande” (Predatory Sparrow), which says it compromised the platform’s internal systems in protest against its alleged role in aiding terrorism financing and sanctions evasion. As Iran's largest crypto exchange, Nobitex plays a critical role in the country's international financial access, making it a prime target. The group has threatened to release sensitive stolen data, including the exchange’s full source code, internal operations details, and user information.

  • Jun 16, 2025

    • Sentap
    • Indonesia
    • Chemicals And Allied Products
    • South-Eastern Asia
    • Asia
    • Manufacturing
    • exclusive
    • Kimia Farma

    Data Breach Exposes Over 1 Million Records from Indonesian Pharmacy Giant Kimia Farma

    A threat actor named "sentap" is offering a 40GB dataset stolen from "Kimia Farma," Indonesia’s leading state-owned pharmacy network, on the dark forum "darkforumes.me." The leak includes over 1 million records containing detailed pharmaceutical inventory, sales transactions, discount schemes, and high-risk stock information collected between March and July 2024. Validated against Kimia Farma’s ERP system, the data reveals sensitive national-level supply chain and market insights valuable for market analysis, cyber intelligence, and social engineering. The dataset is sold for $10,000 USD in Bitcoin or Monero, with an escrow service ensuring transaction security.

  • Jun 16, 2025

    • Sweden
    • Europe
    • Transportation
    • Northern Europe
    • Scania
    • Hensi

    Threat Actor Claims Breach of Scania’s Insurance Arm, 34,000 Files Allegedly Stolen

    A threat actor using the alias "hensi" claims to have breached insurance.scania[.]com, a subdomain of Scania Financial Services, allegedly stealing 34,000 previously unpublished files. The breach, which reportedly targeted the Swedish manufacturer’s corporate insurance division, was announced on a forum on the dark web. Scania’s insurance services cover commercial vehicles—suggesting the stolen data may include sensitive customer and vehicle information, such as VINs. The targeted site is currently offline, citing maintenance, and Scania has yet to comment on the incident.

  • Jun 16, 2025

    • Media
    • Israel
    • Middle East
    • Handala
    • Asia
    • Tbn Israel

    Handala Exposes Alleged Intelligence Ties in TBN Israel Breach

    On June 16th, Handala claimed responsibility for hacking TBN Israel, a religious broadcaster they accuse of being a Shin Bet front. The group claims to have stolen 542 gigabytes of internal data revealing intelligence ties, censorship strategies, and information warfare campaigns. Handala has promised to release selected documents soon. TBN Israel has not commented.

  • Jun 16, 2025

    • Weizmann Institute Of Science
    • Israel
    • Middle East
    • Education
    • Handala
    • Asia

    Handala Claims Breach of Weizmann Institute, 4TB of Data Stolen

    On June 16, 2025, the pro-Palestinian hacktivist group Handala claimed to have breached the Weizmann Institute of Science in Israel, alleging the theft of 4 terabytes of confidential scientific data. The group threatened to publicly release the stolen documents, which they claim include sensitive research and internal communications. This attack follows previous claims by Handala targeting Israel’s security, law enforcement, and even educational systems.

  • Jun 15, 2025

    • Resistancetrench
    • Israel
    • Middle East
    • Asia
    • Government
    • Israeli Air Force

    Israeli Air Force Pilot Data Allegedly Leaked by Pro-Iranian Actor

    On June 15, 2025, sensitive data belonging to 40 Israeli Air Force pilots was allegedly leaked by a pro-Iranian source amid the ongoing Israel-Iran conflict. The breach reportedly targeted classified military data within the Israeli Ministry of Defense, exposing highly confidential details such as pilots' full names, ages, combat units, air bases, and field roles. According to the attackers, the pilots operated aircraft including the F-15I Ra’am, F-16I Sufa, and F-35I Adir. The credibility of the leak is undermined by the fact that the identity of the threat actor behind the disclosure was not revealed, and the unknown provenance of the data further raises questions about its authenticity.

  • Jun 12, 2025

    • Dienet
    • Israel
    • Middle East
    • Education
    • Asia
    • Israel Antiquities Authority

    Alleged Data Breach of Israeli Antiquities Authority

    On June 11, 2025, a threat actor claimed a data breach targeting the Israeli Antiquities Authority, potentially exposing sensitive archaeological or administrative data. This information is recycled and irrelevant, as the claim lacks credible evidence, appears to be outdated, and has no official confirmation from the authority or cybersecurity agencies.

  • Jun 11, 2025

    • Business Services
    • United States
    • Mirai
    • Wazuh
    • CVE-2025-24016
    • North America

    Exploitation of Wazuh Vulnerability by Mirai Botnet Variants

    Researchers have reported that threat actors are exploiting a critical vulnerability (CVE-2025-24016) in Wazuh servers to deploy Mirai botnet variants for conducting distributed denial-of-service (DDoS) attacks. This vulnerability allows remote code execution and was targeted shortly after its public disclosure in February 2025. The attacks involve two different botnets using malicious shell scripts to download Mirai payloads from external servers. The research indicates that the botnets are leveraging various exploits, including those targeting IoT devices, and have been found to focus particularly on devices in regions such as China, India, and several others. The ongoing exploitation of this vulnerability highlights how quickly botnet operators respond to newly published security flaws.

  • Jun 11, 2025

    • Clayoxtymus1337
    • Israel
    • Middle East
    • Epsilor Electric Fuel
    • Technology
    • Asia

    Threat Actor Claims Breach of Epsilor Electric Fuel

    In June 2025, a threat actor named "ClayOxtymus1337" claimed to have breached "Epsilor Electric Fuel" and to have gained access to its database. According to the threat actor, 26.6GB of data belonging to Epsilor's customers was taken.

  • Jun 11, 2025

    • Advanced Weapons And Equipment India
    • Clayoxtymus1337
    • Southern Asia
    • India
    • Business Services
    • Asia

    Hacktivist Group Claims Breach of Indian Defense Contractor

    In June 2025, a threat actor group named ClayOxtymus1337 claimed to have breached Advanced Weapons and Equipment India Limited (AWEIL) and to have gained access to its database. According to the threat actor, sensitive data belonging to AWEIL was taken, including critical weapon technical specifications, secret R&D projects, arms export contracts worth ₹581 crore, and a list of importing countries that could trigger diplomatic pressure.

  • Jun 11, 2025

    • More_Eggs
    • United States
    • Linkedin
    • Manufacturing
    • Fin6
    • North America

    Fin6 Leverages Fake Resumes for Malware Delivery

    The financially motivated threat actor Fin6 has been observed using fake resumes hosted on Amazon Web Services (AWS) to deliver the malware family known as More_Eggs. By posing as job seekers on platforms like LinkedIn and Indeed, Fin6 builds rapport with recruiters and sends phishing messages that lead to malware downloads. More_Eggs, developed by another cybercrime group called Golden Chickens, is a JavaScript-based backdoor capable of credential theft and system access. Fin6 has a history of targeting e-commerce sites to steal payment card data and has been operational since 2012.

  • Jun 10, 2025

    • Cryptocurrency
    • United States
    • Alex Lab
    • North America

    ALEX Protocol Reports Theft of Over 8 Million Dollars

    In June 2025, ALEX Protocol suffered losses of approximately $8.37 million when threat actors exploited a vulnerability in the platform's self-listing verification logic. According to ALEX Protocol, the assets taken included around 8.4 million Stacks (STX) tokens, 21.85 sBTC (Stacks bitcoin), 149,850 in USDC and USDT, and 2.8 wrapped bitcoin (wBTC).

  • Jun 10, 2025

    • Critical Infrastructures
    • Europe
    • United Kingdom
    • Edf Energy
    • Zoldyck

    Threat Actor Claims Breach of UK-based EDF Energy

    In June 2025, a threat actor named Zoldyck claimed to have breached EDF Energy Company and to have gained access to its database. According to the threat actor, over 12 million lines of data belonging to EDF's customers were taken, including sensitive information such as customer IDs, full names, dates of birth, national IDs, addresses, email addresses, phone numbers, and payment details.

  • Jun 10, 2025

    • Match Legitimate Name Or Location
    • Unix Shell
    • Credentials In Files
    • Spearphishing Link
    • Ingress Tool Transfer
    • Spectrum
    • United States
    • Disable Or Modify Tools
    • Amos
    • Sudo And Sudo Caching
    • Telecommunications
    • North America

    New ClickFix Infostealer Campaign Targets macOS Users

    Cybersecurity researchers have identified a new malware campaign that uses social engineering tactics to distribute an information stealer known as Atomic macOS Stealer (AMOS) targeting Apple macOS systems. The campaign employs typosquatting domains that mimic the U.S.-based telecom provider Spectrum, tricking users into executing a malicious shell script that steals system passwords and downloads the AMOS variant. The attack begins on a fake webpage that prompts users to complete a CAPTCHA verification, ultimately leading them to execute harmful commands under the guise of fixing a non-existent issue. The campaign is believed to be orchestrated by Russian-speaking cybercriminals, as indicated by the presence of Russian language comments in the malware's code.

  • Jun 09, 2025

    • Israel Defense Forces
    • Israel
    • Middle East
    • Asia
    • Government

    Wave of Recycled Data Leaks Targets Israeli Institutions to Simulate Active Breach Campaigns

    A possibly coordinated wave of threat activity observed in early June 2025 involves the resurfacing of recycled or publicly available data falsely presented as new breaches targeting Israeli institutions, including the Israel Police, Ministry of Housing, IDF, and National Insurance Institute. Threat actors shared large archives and high-profile claims—such as a 16.9 GB police data leak and an alleged Android zero-day used against IDF personnel—to simulate active cyberattacks, despite forensic analysis confirming that most materials are outdated or previously exposed.

  • Jun 05, 2025

    • Ghna
    • Europe
    • Food And Kindred Products
    • Coca-Cola Europacific Partners
    • United Kingdom
    • Retail

    Coca-Cola Europacific Partners - Breach - 2025-05-22

    On May 22, 2025, the threat actor Gehenna claimed responsibility for breaching Coca-Cola Europacific Partners’ Salesforce infrastructure, exfiltrating a substantial volume of business data. The breach reportedly includes over 75 million records spanning accounts, contacts, products, and customer service cases from 2016 to 2025, totaling more than 63 GB of sensitive CRM data. Gehenna, linked to previous incidents involving Samsung Germany and Royal Mail, is offering this data for sale, emphasizing the scale and commercial relevance of the compromised information.

  • Jun 05, 2025

    • Europe
    • Italy
    • Locauto
    • Automotive
    • Southern Europe
    • Zoldyck

    Threat Actor Claims Breach of Locauto Rent

    In June 2025, a threat actor named Zoldyck claimed to have breached LocautoRent, an Italian car rental company, and to have gained access to its database. According to the threat actor, approximately 850,000 unique records belonging to LocautoRent's customers were taken, including sensitive data such as customer IDs, tax IDs, names, addresses, emails, phone numbers, and payment methods.

  • Jun 05, 2025

    • Whitecoat
    • Europe
    • Spain
    • Mercadona
    • Southern Europe
    • Retail

    Threat Actor Claims Breach of Mercadona's Home Brand - Hacendado

    In June 2025, a threat actor named WhiteCoat claimed to have breached Mercadona's home brand Hacendado through a third-party vendor and to have gained access to its database. According to the threat actor, over 27 million unique users' data was taken, including full names, emails, hashed passwords, location data, purchase history, internal employee emails, operational logs, fragmented payment metadata, and tokens and access credentials.

  • Jun 04, 2025

    • United States
    • Healthcare
    • Ups
    • Wow Health Solutions
    • North America

    Threat Actor Claims Breach of WoW Health

    In June 2025, WoW Health became the victim of a data breach when a threat actor named "ups" managed to gain access to its database. According to the threat actor, approximately 423,650 customers' data was taken, including last names, first names, email addresses, physical addresses, and sensitive healthcare information.

  • Jun 04, 2025

    • Rip_Real_World
    • United States
    • Transportation
    • Cyprus Airways
    • North America

    Threat Actor Claims Breach of Cyprus Airways

    In June 2025, a threat actor named "Rip_Real_World" claimed to be selling data from Cyprus Airways, including over 45 GB of information. The breach allegedly includes passenger records from 2018 to June 2025, such as names, emails, phone numbers, travel dates, payment amounts, and document details. The actor also claimed to have real-time access to flight systems and data on 12 authorized personnel. The leak comprises 41 GB of passenger data and 2 GB of electronic ticket (ET) data.

  • Jun 04, 2025

    • Netsupport Rat

    New Multi-Stage PowerShell Campaign Distributes NetSupport RAT

    Threat hunters have identified a new campaign that utilizes deceptive websites to trick users into executing malicious PowerShell scripts, ultimately leading to the installation of the NetSupport RAT malware. The campaign features counterfeit sites masquerading as GitCode and DocuSign, where users are misled into running PowerShell commands that download additional payloads. The attack employs social engineering tactics, including ClickFix-style CAPTCHA verifications, to facilitate clipboard poisoning and automate the execution of malicious scripts. The investigation revealed similarities to previous campaigns, indicating a potential link to established threat groups.

  • Jun 03, 2025

    • Israel
    • Middle East
    • Education
    • Tel Aviv University
    • Illeak
    • Asia

    Threat Actor Group Claims Breach of Tel Aviv University

    In May 2025, a threat actor named "ILleak" claimed to have breached Tel Aviv University, a major Israeli academic institution. According to the threat actor, the stolen data includes personal information on 24,747 students, such as names, family names, ID numbers, phone numbers, emails, and locations.

  • Jun 03, 2025

    • Desec0X

    Threat Actor Claims Leak of Top Chinese Government Information

    In May 2025, a threat actor named Skivon claimed to have breached various top government and private organizations in China and to have gained access to their databases. According to the threat actor, a significant amount of data belonging to these organizations' users was taken, including personal details, phone numbers, technical information, IP addresses of infrastructure and properties, as well as data related to power generation, hospitals, schools, and insurance agencies. The threat actor is selling the dataset for $5,000.

  • Jun 03, 2025

    • Lucky_Gh0$T
    • Cyberlock
    • Unc6032
    • Yashma
    • Chaos
    • Numero

    Exploiting AI: The Rise of Fake Installers and Ransomware

    A new cybersecurity threat involves fake installers for popular AI tools like ChatGPT and InVideo AI, which are being used to distribute various ransomware families, including Cyberlock and Lucky_gh0$t, as well as a destructive malware called Numero. These fake installers are promoted through SEO poisoning and lure users with claims of free access, only to deploy malicious software that encrypts files and demands hefty ransoms. The threat actors behind this campaign are targeting individuals and organizations in the B2B sales and marketing sectors, and their tactics include using legitimate-sounding filenames and exploiting popular AI tools to gain trust. The campaign has been linked to a threat cluster with a Vietnam nexus, indicating a sophisticated and ongoing operation.

  • Jun 01, 2025

    • Deloitte
    • Europe
    • Business Services
    • 303
    • United Kingdom

    Deloitte Reportedly Breached, Source Code and GitHub Credentials Leaked

    A threat actor known as "303" claimed on the dark net forum "darkforums" to have breached "Deloitte," leaking GitHub credentials and internal source code from a "Deloitte" repository. A sample Git configuration file was posted, showing what appears to be access to a private GitHub project related to Deloitte’s U.S. consulting services. "Deloitte," headquartered in London, is one of the "Big Four" accounting and consulting firms, providing services in audit, tax, consulting, risk, and financial advisory across over 150 countries.

  • Jun 01, 2025

    • Europe
    • Italy
    • 303
    • Southern Europe
    • Gucci
    • Retail

    Threat Actor Claims Gucci Supplier Data Leak on darkforum

    A threat actor known as "303" claimed on the dark net forum "darkforum" to have compromised a subdomain of the luxury fashion brand "Gucci" and leaked internal documents. The alleged data includes detailed information on Gucci’s suppliers, including their addresses, countries, and the percentage of immigrant workers. The post also contains sample images and a pay-to-unlock download link for the full leak.

  • Jun 01, 2025

    • Exfiltration Over C2 Channel
    • Data From Local System
    • Windows Credential Manager
    • Credentials From Password Stores
    • Command And Scripting Interpreter
    • Eddiestealer
    • Screen Capture
    • File And Directory Discovery
    • Credentials From Web Browsers
    • Phishing
    • Virtualization/Sandbox Evasion
    • System Information Discovery
    • Obfuscated Files Or Information
    • Input Capture
    • Password Managers
    • Drive-By Compromise
    • User Execution

    EDDIESTEALER: New Rust-Based Infostealer Spreads via Fake CAPTCHA Campaigns

    "EDDIESTEALER" is a sophisticated Rust-based infostealer distributed through fake CAPTCHA verification pages designed to trick users into executing a malicious PowerShell script. Once deployed, the malware targets and exfiltrates sensitive data such as credentials, browser information, and cryptocurrency wallet contents. Communicating with a command and control server, "EDDIESTEALER" uses advanced evasion techniques including string and API obfuscation. It specifically focuses on compromising crypto wallets, browsers, password managers, FTP clients, and messaging apps. Its use of the Rust programming language highlights a growing trend among cybercriminals favoring stealth and resistance to traditional detection methods.

  • May 29, 2025

    • Australia
    • Australia And New Zealand
    • W_Tchdogs
    • Superloop
    • Telecommunications

    Threat Actor Sells Access to Superloop

    On May 28, 2025, the threat actor w_tchdogs claimed to have breached Superloop, an Australian telecommunications company. The actor is offering access to Superloop’s internal portal, which allegedly includes domain administration tools and other sensitive resources, for $750.

  • May 28, 2025

    • Network Service Discovery
    • Deploy Container
    • Smb/Windows Admin Shares
    • Business Services
    • External Remote Services
    • Escape To Host
    • Lateral Tool Transfer
    • Obfuscated Files Or Information
    • Exploitation For Client Execution
    • Unix Shell
    • Docker
    • Remote System Discovery
    • Web Protocols
    • Change Default File Association
    • Match Legitimate Name Or Location
    • North America
    • Ingress Tool Transfer
    • United States
    • Resource Hijacking
    • Exploit Public-Facing Application

    Cryptojacking Campaign Targets Misconfigured Docker APIs

    A new malware campaign has emerged, targeting misconfigured Docker API instances to create a cryptocurrency mining botnet focused on mining Dero currency. The threat actor exploits insecurely published Docker APIs to gain access to running containerized infrastructures, propagating the malware through a worm-like mechanism to infect other exposed Docker instances. The attack utilizes two main components: a propagation malware named 'nginx' that scans for vulnerable Docker APIs, and a 'cloud' Dero cryptocurrency miner. This campaign has been linked to previous cryptojacking operations and poses a significant risk to any network with insecure Docker APIs.

  • May 28, 2025

    • Romania
    • Bitdefender
    • Cameleon
    • Venom Rat
    • Europe
    • Eastern Europe
    • Business Services
    • Financial Theft
    • Resource Hijacking

    New Malicious Campaign Exploits Fake Antivirus Website to Distribute Venom RAT

    Cybersecurity researchers have uncovered a malicious campaign that utilizes a fraudulent website masquerading as Bitdefender's antivirus software to distribute a remote access trojan known as Venom RAT. The site, bitdefender-download[.]com, tricks users into downloading a zip file containing malware disguised as an installer. This campaign aims to compromise victims' credentials and crypto wallets, highlighting a trend of sophisticated, modular malware that leverages open-source components for more effective attacks.

  • May 26, 2025

    • Vicioustrap
    • Eastern Asia
    • CVE-2023-20118
    • United States
    • Cisco
    • Macao Special Administrative Region
    • Technology
    • Asia
    • North America

    Vicioustrap Threat Actor Compromises Thousands of Network Devices

    Cybersecurity researchers have uncovered a threat actor known as Vicioustrap, who has compromised approximately 5,300 network edge devices across 84 countries, primarily in Macau. This actor exploits a critical vulnerability (CVE-2023-20118) in various Cisco routers to redirect traffic to a honeypot-like infrastructure, allowing them to monitor and intercept network flows. The attack chain involves executing a shell script that facilitates adversary-in-the-middle attacks, with indications that the actor may be of Chinese-speaking origin. The ultimate goal of the Vicioustrap operation remains uncertain, although it is believed to be focused on creating a honeypot network.

  • May 26, 2025

    • Critical Infrastructures
    • CVE-2025-0944
    • Business Services
    • United States
    • Trimble
    • Tetraloader
    • Uat-6382
    • Government
    • North America

    Chinese Threat Actor UAT-6382 Exploits Vulnerability in Trimble Cityworks

    A Chinese-speaking threat actor known as UAT-6382 has been linked to the exploitation of a recently patched remote-code-execution vulnerability (CVE-2025-0944) in Trimble Cityworks. This group successfully targeted enterprise networks of local governing bodies in the United States, deploying various web shells and custom malware, including Cobalt Strike and a Rust-based loader called Tetraloader, to maintain long-term access to compromised systems. The attacks began in January 2025, and the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog in February 2025.

  • May 26, 2025

    • File Deletion
    • Regsvr32
    • Obfuscated Files Or Information: Encrypted Or Encoded Data
    • Process Discovery
    • China
    • Silver Fox
    • Eastern Asia
    • File And Directory Discovery
    • Disable Or Modify Tools
    • Powershell
    • Rundll32
    • Masquerade Task Or Service
    • Valleyrat
    • Asia
    • Web Protocols
    • Ingress Tool Transfer
    • Dynamic-Link Library Injection
    • Reflective Code Loading
    • Malicious File
    • Scheduled Task

    New Malware Campaign Targets Chinese-Speaking Users with Winos 4.0

    Cybersecurity researchers have uncovered a malware campaign that employs fake software installers disguised as popular applications like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. First identified by Rapid7 in February 2025, the campaign utilizes a sophisticated multi-stage loader called Catena, which operates entirely in memory to evade traditional antivirus detection. The malware, attributed to a threat actor known as Silver Fox, specifically targets Chinese-speaking environments and has been active throughout 2025, adapting its tactics to maintain persistence and avoid detection. The campaign leverages trojanized NSIS installers and is characterized by its careful planning and execution.

  • May 25, 2025

    • Danabot
    • Bumblebee
    • Warmcookie
    • Trickbot
    • Qakbot

    Operation Endgame: Major Law Enforcement Crackdown on Ransomware Infrastructure

    Operation Endgame, a coordinated effort by law enforcement agencies, has successfully dismantled approximately 300 servers and neutralized 650 domains associated with ransomware activities. Launched in May 2024, this operation specifically targeted new malware variants and groups that emerged after prior takedowns. During the latest phase, which occurred between May 19 and 22, 2025, authorities seized €3.5 million in cryptocurrency, bringing the total to over €21.2 million. Arrest warrants were issued for 20 key actors involved in providing initial access services to ransomware crews, highlighting law enforcement's adaptability in combating cybercrime.

  • May 25, 2025

    • Cetus
    • Cryptocurrency
    • United States
    • North America

    Cetus Protocol Suffers $223 Million Breach, Offers Threat Actors Legal Amnesty and $5M Bounty for Leads

    Decentralized exchange "Cetus Protocol," operating on the Sui and Aptos blockchains, confirmed a $223 million cryptocurrency theft due to a vulnerable package, with $162 million of the funds paused following emergency measures. The platform, which uses a "Concentrated Liquidity Market Maker" (CLMM) model, temporarily halted operations for investigation and has since identified the threat actors’ Ethereum wallet. "Cetus" offers the threat actor a legal amnesty deal if the funds are returned and has issued a $5 million bounty for information leading to their identification and arrest.

  • May 22, 2025

    • United States
    • Facebook
    • Purehvnc
    • Manufacturing
    • North America

    Malware Campaign Exploiting Kling AI to Target Users

    A new malware campaign has been identified that uses counterfeit Facebook pages and sponsored ads to lure users to fake websites impersonating Kling AI, an AI-powered platform. The campaign, first detected in early 2025, tricks victims into downloading a malicious file that installs a remote access trojan (RAT) on their systems, allowing attackers to steal sensitive data. The operation is linked to Vietnamese threat actors, who have been increasingly using social engineering tactics to exploit the popularity of generative AI tools. The campaign highlights the growing trend of sophisticated social media-based attacks targeting unsuspecting users.

  • May 21, 2025

    • Bytebreaker
    • United States
    • Facebook
    • Manufacturing
    • North America

    Threat Actor Claims to Have Scraped Hundreds of Millions of Facebook Records

    In May 2025, a threat actor named ByteBreaker claimed to have scraped account data from Facebook. According to the threat actor, hundreds of millions of records belonging to Facebook's users were taken, including various types of data obtained by abusing one of Facebook's APIs.

  • May 21, 2025

    • Mexico
    • Latin America And The Caribbean
    • Viralgod
    • Telcel
    • Telecommunications

    Threat Actor Claims Breach of Mexican Telcel

    In May 2025, a threat actor named Eternal claimed to have breached Telcel Mexico and to have gained access to its database. According to the threat actor, 10 million lines of data belonging to Telcel's customers were taken, including phone numbers, tax IDs (RFC), full names, and full addresses.

  • May 21, 2025

    • Peter Green Chilled
    • United Kingdom
    • Europe
    • Transportation

    Peter Green Chilled Shuts Operations Down Following Ransomware Attack

    In May 2025, Peter Green Chilled became the victim of a ransomware attack when as-yet-unidentified threat actors gained access to its systems, forcing the company to halt operations. According to Peter Green, the attack has severely disrupted its ability to process orders and manage logistics, impacting its supply chain for fresh products supplied to major retailers such as Aldi, Sainsbury’s, and Tesco.

  • May 21, 2025

    • Telecommunications
    • Cellcom
    • United States
    • North America

    Cellcom Reports Data Breach Following Outages

    In May 2025, mobile carrier Cellcom became the victim of a cyberattack that caused widespread service outages and disruptions across Wisconsin and Upper Michigan. According to Cellcom, while the incident affected voice and SMS services, there is no evidence that personal information, such as names, addresses, or financial data, was compromised during the attack.
