Breaking Cyber News From Cyberint
Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.
-
Jun 05, 2025
Coca-Cola Europacific Partners - Breach - 2025-05-22
On May 22, 2025, the threat actor Gehenna claimed responsibility for breaching Coca-Cola Europacific Partners’ Salesforce infrastructure, exfiltrating a substantial volume of business data. The breach reportedly includes over 75 million records spanning accounts, contacts, products, and customer service cases from 2016 to 2025, totaling more than 63 GB of sensitive CRM data. Gehenna, linked to previous incidents involving Samsung Germany and Royal Mail, is offering this data for sale, emphasizing the scale and commercial relevance of the compromised information.
-
Jun 05, 2025
Threat Actor Claims Breach of Locauto Rent
In June 2025, a threat actor named Zoldyck claimed to have breached LocautoRent, an Italian car rental company, and to have gained access to its database. According to the threat actor, approximately 850,000 unique records belonging to LocautoRent's customers were taken, including sensitive data such as customer IDs, tax IDs, names, addresses, emails, phone numbers, and payment methods.
-
Jun 05, 2025
Threat Actor Claims Breach of Mercadona's Home Brand - Hacendado
In June 2025, a threat actor named WhiteCoat claimed to have breached Mercadona's home brand Hacendado through a third-party vendor and to have gained access to its database. According to the threat actor, over 27 million unique users' data was taken, including full names, emails, hashed passwords, location data, purchase history, internal employee emails, operational logs, fragmented payment metadata, and tokens and access credentials.
-
Jun 04, 2025
Threat Actor Claims Breach of WoW Health
In June 2025, WoW Health became the victim of a data breach when a threat actor named "ups" managed to gain access to its database. According to the threat actor, approximately 423,650 customers' data was taken, including last names, first names, email addresses, physical addresses, and sensitive healthcare information.
-
Jun 04, 2025
Threat Actor Claims Breach of Cyprus Airways
In June 2025, a threat actor named "Rip_Real_World" claimed to be selling data from Cyprus Airways, including over 45 GB of information. The breach allegedly includes passenger records from 2018 to June 2025, such as names, emails, phone numbers, travel dates, payment amounts, and document details. The actor also claimed to have real-time access to flight systems and data on 12 authorized personnel. The leak comprises 41 GB of passenger data and 2 GB of electronic ticket (ET) data.
-
Jun 04, 2025
New Multi-Stage PowerShell Campaign Distributes NetSupport RAT
Threat hunters have identified a new campaign that uses deceptive websites to trick users into executing malicious PowerShell scripts, ultimately leading to the installation of the NetSupport RAT malware. The campaign features counterfeit sites masquerading as GitCode and DocuSign, where users are misled into running PowerShell commands that download additional payloads. The attack employs social engineering tactics, including ClickFix-style captcha verifications, to facilitate clipboard poisoning and automate the execution of malicious scripts. The investigation revealed similarities to previous campaigns, indicating a potential link to established threat groups.
-
Jun 03, 2025
Threat Actor Group Claims Breach of Tel Aviv University
In May 2025, a threat actor named "ILleak" claimed to have breached Tel Aviv University, a major Israeli academic institution. According to the threat actor, the stolen data includes personal information on 24,747 students, such as names, family names, ID numbers, phone numbers, emails, and locations.
-
Jun 03, 2025
Threat Actor Claims Leak of Top Chinese Government Information
In May 2025, a threat actor named Skivon claimed to have breached various top government and private organizations in China and to have gained access to their databases. According to the threat actor, a significant amount of data belonging to these organizations' users was taken, including personal details, phone numbers, technical information, IP addresses of infrastructures and properties, as well as data related to power generation, hospitals, schools, and insurance agencies. The threat actor is selling the dataset for 5000 dollars.
-
Jun 03, 2025
Exploiting AI: The Rise of Fake Installers and Ransomware
A new cybersecurity threat involves fake installers for popular AI tools like ChatGPT and InVideo AI, which are being used to distribute various ransomware families, including Cyberlock and Lucky_gh0$t, as well as a destructive malware called Numero. These fake installers are promoted through SEO poisoning and lure users with claims of free access, only to deploy malicious software that encrypts files and demands hefty ransoms. The threat actors behind this campaign are targeting individuals and organizations in the B2B sales and marketing sectors, and their tactics include using legitimate-sounding filenames and exploiting popular AI tools to gain trust. The campaign has been linked to a threat cluster with a Vietnam nexus, indicating a sophisticated and ongoing operation.
-
Jun 01, 2025
Deloitte Reportedly Breached, Source Code and GitHub Credentials Leaked
A threat actor known as "303" claimed on the dark net forum "darkforums" to have breached Deloitte, leaking GitHub credentials and internal source code from a Deloitte repository. A sample Git configuration file was posted, showing what appears to be access to a private GitHub project related to Deloitte's U.S. consulting services. Deloitte, headquartered in London, is one of the "Big Four" accounting and consulting firms, providing services in audit, tax, consulting, risk, and financial advisory across over 150 countries.
-
Jun 01, 2025
Threat Actor Claims Gucci Supplier Data Leak on darkforum
A threat actor known as "303" claimed on the dark net forum "darkforum" to have compromised a subdomain of the luxury fashion brand "Gucci" and leaked internal documents. The alleged data includes detailed information on Gucci’s suppliers, including their addresses, countries, and the percentage of immigrant workers. The post also contains sample images and a pay-to-unlock download link for the full leak.
-
Jun 01, 2025
EDDIESTEALER: New Rust-Based Infostealer Spreads via Fake CAPTCHA Campaigns
"EDDIESTEALER" is a sophisticated Rust-based infostealer distributed through fake CAPTCHA verification pages designed to trick users into executing a malicious PowerShell script. Once deployed, the malware targets and exfiltrates sensitive data such as credentials, browser information, and cryptocurrency wallet contents. Communicating with a command and control server, "EDDIESTEALER" uses advanced evasion techniques including string and API obfuscation. It specifically focuses on compromising crypto wallets, browsers, password managers, FTP clients, and messaging apps. Its use of the Rust programming language highlights a growing trend among cybercriminals favoring stealth and resistance to traditional detection methods.
-
May 29, 2025
Threat Actor Sells Access to Superloop
On May 28, 2025, the threat actor w_tchdogs claimed to have breached Superloop, an Australian telecommunications company. The actor is offering access to Superloop’s internal portal, which allegedly includes domain administration tools and other sensitive resources, for $750.
-
May 28, 2025
Cryptojacking Campaign Targets Misconfigured Docker APIs
A new malware campaign has emerged, targeting misconfigured Docker API instances to create a cryptocurrency mining botnet focused on mining Dero currency. The threat actor exploits insecurely published Docker APIs to gain access to running containerized infrastructures, propagating the malware through a worm-like mechanism to infect other exposed Docker instances. The attack utilizes two main components: a propagation malware named 'nginx' that scans for vulnerable Docker APIs, and a 'cloud' Dero cryptocurrency miner. This campaign has been linked to previous cryptojacking operations and poses a significant risk to any network with insecure Docker APIs.
-
May 28, 2025
New Malicious Campaign Exploits Fake Antivirus Website to Distribute Venom RAT
Cybersecurity researchers have uncovered a malicious campaign that utilizes a fraudulent website masquerading as Bitdefender's antivirus software to distribute a remote access trojan known as Venom RAT. The site, bitdefender-download[.]com, tricks users into downloading a zip file containing malware disguised as an installer. This campaign aims to compromise victims' credentials and crypto wallets, highlighting a trend of sophisticated, modular malware that leverages open-source components for more effective attacks.
-
May 26, 2025
Vicioustrap Threat Actor Compromises Thousands of Network Devices
Cybersecurity researchers have uncovered a threat actor known as Vicioustrap, who has compromised approximately 5,300 network edge devices across 84 countries, primarily in Macau. This actor exploits a critical vulnerability (CVE-2023-20118) in various Cisco routers to redirect traffic to a honeypot-like infrastructure, allowing them to monitor and intercept network flows. The attack chain involves executing a shell script that facilitates adversary-in-the-middle attacks, with indications that the actor may be of Chinese-speaking origin. The ultimate goal of the Vicioustrap operation remains uncertain, although it is believed to be focused on creating a honeypot network.
-
May 26, 2025
Chinese Threat Actor UAT-6382 Exploits Vulnerability in Trimble Cityworks
A Chinese-speaking threat actor known as UAT-6382 has been linked to the exploitation of a recently patched remote-code-execution vulnerability (CVE-2025-0944) in Trimble Cityworks. This group successfully targeted enterprise networks of local governing bodies in the United States, deploying various web shells and custom malware, including Cobalt Strike and a Rust-based loader called Tetraloader, to maintain long-term access to compromised systems. The attacks began in January 2025, and the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency's known exploited vulnerabilities catalog in February 2025.
-
May 26, 2025
New Malware Campaign Targets Chinese-Speaking Users with Winos 4.0
Cybersecurity researchers have uncovered a malware campaign that employs fake software installers disguised as popular applications like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. First identified by Rapid7 in February 2025, the campaign utilizes a sophisticated multi-stage loader called Catena, which operates entirely in memory to evade traditional antivirus detection. The malware, attributed to a threat actor known as Silver Fox, specifically targets Chinese-speaking environments and has been active throughout 2025, adapting its tactics to maintain persistence and avoid detection. The campaign leverages trojanized NSIS installers and is characterized by its careful planning and execution.
-
May 25, 2025
Operation Endgame: Major Law Enforcement Crackdown on Ransomware Infrastructure
Operation Endgame, a coordinated effort by law enforcement agencies, has successfully dismantled approximately 300 servers and neutralized 650 domains associated with ransomware activities. Launched in May 2024, this operation specifically targeted new malware variants and groups that emerged after prior takedowns. During the latest phase, which occurred between May 19 and 22, 2025, authorities seized €3.5 million in cryptocurrency, bringing the total to over €21.2 million. Arrest warrants were issued for 20 key actors involved in providing initial access services to ransomware crews, highlighting law enforcement's adaptability in combating cybercrime.
-
May 25, 2025
Cetus Protocol Suffers $223 Million Breach, Offers Threat Actors Legal Amnesty and $5M Bounty for Leads
Decentralized exchange "Cetus Protocol," operating on the Sui and Aptos blockchains, confirmed a $223 million cryptocurrency theft due to a vulnerable package, with $162 million of the funds paused following emergency measures. The platform, which uses a "Concentrated Liquidity Market Maker" (CLMM) model, temporarily halted operations for investigation and has since identified the threat actors’ Ethereum wallet. "Cetus" offers the threat actor a legal amnesty deal if the funds are returned and has issued a $5 million bounty for information leading to their identification and arrest.
-
May 22, 2025
Malware Campaign Exploiting Kling AI to Target Users
A new malware campaign has been identified that uses counterfeit Facebook pages and sponsored ads to lure users to fake websites impersonating Kling AI, an AI-powered platform. The campaign, first detected in early 2025, tricks victims into downloading a malicious file that installs a remote access trojan (RAT) on their systems, allowing attackers to steal sensitive data. The operation is linked to Vietnamese threat actors, who have been increasingly using social engineering tactics to exploit the popularity of generative AI tools. The campaign highlights the growing trend of sophisticated social media-based attacks targeting unsuspecting users.
-
May 21, 2025
Threat Actor Claims to Have Scraped Hundreds of Millions of Facebook Records
In May 2025, a threat actor named ByteBreaker claimed to have scraped accounts from Facebook. According to the threat actor, hundreds of millions of records belonging to Facebook's users were taken, including various types of data scraped by abusing one of their APIs.
-
May 21, 2025
Threat Actor Claims Breach of Mexican Telcel
In May 2025, a threat actor named Eternal claimed to have breached Telcel Mexico and to have gained access to its database. According to the threat actor, 10 million lines of data belonging to Telcel's customers were taken, including phone numbers, tax IDs (RFC), full names, and full addresses.
-
May 21, 2025
Peter Green Chilled Shuts Down Operations Following Ransomware Attack
In May 2025, Peter Green Chilled became the victim of a ransomware attack when as-yet-unknown threat actors managed to gain access to its systems, forcing the company to halt operations. According to Peter Green, the attack has severely disrupted its ability to process orders and manage logistics, impacting its supply chain for fresh products supplied to major retailers such as Aldi, Sainsbury's, and Tesco.
-
May 21, 2025
Cellcom Reports Data Breach Following Outages
In May 2025, mobile carrier Cellcom became the victim of a cyberattack that caused widespread service outages and disruptions across Wisconsin and Upper Michigan. According to Cellcom, while the incident affected voice and SMS services, there is no evidence that personal information, such as names, addresses, or financial data, was compromised during the attack.
-
May 21, 2025
Malicious Chrome Extensions Target Users with Deceptive Tactics
A recently identified campaign attributed to an unknown threat actor involves the creation of several malicious Chrome browser extensions that disguise themselves as legitimate tools. Since February 2024, these extensions have been designed to exfiltrate user data, execute arbitrary code, and perform various malicious activities such as credential theft and session hijacking. The threat actor has set up over 100 fake websites that lure users into installing these extensions, which are available on the Chrome Web Store. Google has since removed the extensions.
-
May 21, 2025
New Linux Cryptojacking Campaign 'RedisRaider' Targets Vulnerable Redis Servers
Cybersecurity researchers have identified a new Linux cryptojacking campaign named 'RedisRaider,' which targets publicly accessible Redis servers. The campaign involves scanning the IPv4 space to find vulnerable systems and executing malicious cron jobs to drop a Go-based payload that deploys an XMRig miner. The attackers use legitimate Redis commands to manipulate the server's configuration and inject a cron job that runs a base64-encoded shell script, ultimately leading to the installation of the malware. Additionally, the campaign employs anti-forensics measures to evade detection and has been linked to a broader strategy that includes a web-based Monero miner.
-
May 19, 2025
New PowerShell-Based Malware Campaign Deploys Remcos RAT
Cybersecurity researchers have uncovered a new malware campaign that uses a PowerShell-based shellcode loader to deploy the Remcos RAT (Remote Access Trojan). The attack employs malicious LNK files embedded in ZIP archives, often disguised as legitimate office documents, to lure victims into executing the malware. The attack chain leverages mshta.exe to execute an obfuscated HTA file that downloads and runs a PowerShell script, which ultimately launches the Remcos RAT payload entirely in memory. This malware allows threat actors to gain full control over compromised systems, making it a potent tool for cyber espionage and data theft. The campaign highlights the evolving tactics of cybercriminals, who are increasingly using fileless malware techniques to evade traditional security measures.
-
May 18, 2025
Adidas Korea Reports Data Breach
In May 2025, Adidas became the victim of a data breach when threat actors managed to gain access to its customer databases. According to Adidas, customer data exposed in the breach included names, email addresses, phone numbers, dates of birth, and other personal details, although no financial information was compromised.
-
May 18, 2025
Threat Actor Offers For Sale Access to Israeli Real Estate Company
On May 16th, a threat actor using the alias "HelluvaHack" offered VPN and RDP access to an Israeli real estate company for sale on forum[.]exploit[.]in for $750 in Bitcoin. The actor, with a zero reputation score, claims the firm is based in Tel Aviv with 57 employees and $29 million in revenue. No proof or company name was provided, raising doubts about the listing's legitimacy.
-
May 18, 2025
Threat Actor Claims to Have Breached Venus Tech
In May 2025, a threat actor named IronTooth claimed to have breached the Chinese tech company Venus and to have gained access to its database. According to the threat actor, a collection of leaked documents belonging to Venus was taken, including papers, products sold to the government, client information, and various other sensitive materials.
-
May 18, 2025
New Malware Campaign Disguised as NPM Package
Cybersecurity researchers have identified a malicious NPM package named 'os-info-checker-es6' that masquerades as an operating system information utility while delivering a next-stage payload. The campaign employs sophisticated techniques, including unicode-based steganography and a Google Calendar event short link for dynamic payload delivery. Initially published on March 19, 2025, the package has been downloaded over 2,000 times, and while early versions showed no malicious behavior, a later version included obfuscated code that contacts a remote server. This tactic of using a trusted service like Google Calendar complicates detection and blocking efforts, indicating a potentially evolving threat within the NPM ecosystem.
-
May 18, 2025
Emergence of HTTPBot: A New Threat to Gaming and Technology Industries
Cybersecurity researchers have identified a new botnet malware named HTTPBot that primarily targets the gaming industry, technology companies, and educational institutions in China. First detected in August 2024, HTTPBot utilizes HTTP protocols to conduct distributed denial-of-service (DDoS) attacks with high precision, marking a shift from indiscriminate attacks to targeted business disruptions. The malware operates stealthily by concealing its graphical user interface and manipulating Windows registry settings to ensure it runs automatically. It has been responsible for over 200 attack instructions since April 2025, employing various sophisticated techniques to simulate legitimate traffic and exhaust server resources.
-
May 15, 2025
Nucor Corporation Reports Data Breach
In May 2025, Nucor Corporation became the victim of a cybersecurity incident when unauthorized third-party actors gained access to its information technology systems. According to Nucor, the attack led to considerable operational disruptions, forcing the company to temporarily suspend production at multiple facilities. The nature and scope of the cyberattack remain undisclosed, and it is unclear whether any customer data was exposed or stolen during the breach.
-
May 15, 2025
New Phishing Campaign Distributing Horabot Malware in Latin America
Cybersecurity researchers have uncovered a phishing campaign distributing malware known as Horabot, primarily targeting Windows users in Latin American countries such as Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign utilizes crafted emails that mimic invoices or financial documents to deceive victims into opening malicious attachments, which can steal email credentials, harvest contact lists, and install banking trojans. The attacks, observed in April 2025, leverage automation to send phishing messages from victims' mailboxes and execute various scripts to conduct reconnaissance and steal credentials. Horabot has been active since at least November 2020 and is believed to be operated by a threat actor from Brazil.
-
May 13, 2025
Threat Actor Sells Access to Israel's Internet Exchange (IIX)
In May 2025, a threat actor group named "HAX0RTeam" claimed to be selling access to Israel’s Internet Exchange (IIX) network for $150,000. According to the listing, the access could enable interception of sensitive communications, traffic manipulation, data theft, malware injection, targeted attacks, and disruption of critical infrastructure. Payment options included Bitcoin and Monero, with escrow services accepted.
-
May 13, 2025
Threat Actor Offers Data From Mexican Companies
In May 2025, a threat actor named "Eternal" claimed to be selling a 200+ GB compilation of private databases from Mexico, containing billions of records. The data reportedly includes electoral records from INE (2008–2019), customer information from major banks such as BBVA, Banamex, and HSBC, Telcel and Telmex telephony data, WhatsApp active numbers in Mexico, university and retail databases, energy company data, and records from government institutions and political party affiliates. The compilation was listed for sale at $5,000 USD.
-
May 13, 2025
Marbled Dust Exploits Zero-Day in Indian Communication Platform for Espionage
A Türkiye-affiliated threat actor, known as Marbled Dust, has exploited a zero-day vulnerability in the Indian enterprise communication platform Output Messenger as part of a cyber espionage campaign targeting Kurdish military personnel in Iraq since April 2024. The vulnerability, identified as CVE-2025-27920, allows remote attackers to access arbitrary files and has been linked to a series of data exfiltration activities. Microsoft reported that the threat actor uses sophisticated techniques, including DNS hijacking, to gain access to user credentials and deploy malicious payloads, indicating an escalation in their operational capabilities.
-
May 13, 2025
New AI-Themed Malware Campaign Distributes 'Noodlophile' Infostealer via Fake Video Tools
A new malware campaign is distributing an information-stealing malware named "Noodlophile" through fake AI-powered video generation sites advertised on Facebook with names like "Dream Machine." These malicious sites trick users into downloading a ZIP archive that contains a disguised executable file posing as a video, which initiates a multi-stage infection process using legitimate tools like "CapCut," "certutil.exe," and Registry modifications for persistence. The final payload, "Noodlophile," exfiltrates browser credentials, session cookies, and cryptocurrency wallets via a Telegram bot and can be bundled with "XWorm" for enhanced remote access. The campaign appears to be linked to Vietnamese-speaking operators offering malware-as-a-service.
-
May 12, 2025
Threat Actor Claims Breach of Paraguay's Ministry of Agriculture
In May 2025, a threat actor named Gatito_FBI_Nz claimed to have breached the Ministry of Agriculture in Paraguay and to have gained access to its database. According to the threat actor, 1,414 records belonging to the ministry's suppliers were taken, including sensitive information such as usernames and passwords.
-
May 11, 2025
Fedayeen Hackers Claim Cyberattack on Israeli Firm Dooble Digital Solutions
On May 9, 2025, hacktivist group Fedayeen Hackers claimed responsibility for a cyberattack on Israeli software company Dooble Digital Solutions. The group alleges it exfiltrated source code, client credentials, internal documents, and other sensitive assets, including data linked to Israeli companies. A partial data leak was shared as proof, though Dooble has not confirmed the breach, and the authenticity of the claims remains unverified. The attack is part of a broader campaign by the group targeting Israeli digital infrastructure since early 2025.
-
May 08, 2025
Threat Actor Sells Data Belonging to Avid CRM
In May 2025, a threat actor named "betway" claimed to have breached Avid.com, a U.S.-based media technology company with over $294.1 million in revenue. The threat actor stated they exfiltrated over 10 million rows of user data, including contact information, job titles, addresses, phone numbers, emails, account details, and internal CRM metadata. The dataset was listed for public sale with an asking price starting at $40,000.
-
May 08, 2025
PR Times Reports Data Breach - Exposing Data of 900K
In May 2025, PR TIMES reported it had become the victim of a data breach when threat actors managed to gain access to its database. According to PR TIMES, over 900,000 pieces of data belonging to customers were taken, including personal information from enterprise users, media users, and individual users, as well as sensitive pre-release press materials. The breach occurred on April 24th, 2025.
-
May 08, 2025
Threat Actor Claims to Have Breached IM Corporation, a Japanese Manufacturing Company
In May 2025, a threat actor named BLF0ty claimed to have breached im-eng.jp and to have gained access to its database. According to the threat actor, 1.88 GB of data belonging to im-eng.jp's customers was taken, including information related to hydraulic cylinder design and the manufacturing and processing of automobile parts.
-
May 07, 2025
Exploitation of Geovision IoT Devices by Mirai Botnet
Threat actors are actively exploiting security vulnerabilities in end-of-life Geovision IoT devices to incorporate them into a Mirai botnet, which is being used to conduct distributed denial-of-service (DDoS) attacks. The exploitation involves command injection flaws that allow attackers to execute arbitrary system commands, specifically targeting the /datesetting.cgi endpoint. As these devices are unlikely to receive patches due to their outdated firmware, users are advised to upgrade to newer models to protect against these threats.
-
May 07, 2025
UK's Legal Aid Agency Reports Data Breach
In May 2025, the UK Legal Aid Agency (LAA) became the victim of a data breach when threat actors managed to gain access to its systems. According to the LAA, there is a risk that financial information belonging to legal aid providers, including barristers and solicitor firms, may have been compromised, although the agency could not confirm if any data was accessed.
-
May 06, 2025
Threat Actor Claims to Have Breached Senegal's National Police, Extracting Over 150 GB of Data
In May 2025, threat actors named "Kazu" and "Joe" claimed to have breached the Senegal National Police's HR portal and to have gained access to its database. According to the threat actors, 152 GB of data belonging to the Senegal Police's personnel was taken, including sensitive information such as ID cards, passports, education certificates, birth certificates, certificates of nationality, CVs, personal service records, certificates of good conduct, and authorizations to compete.
-
May 06, 2025
Threat Actor Claims to Have Breached Moroccan BMCI Bank
In May 2025, a threat actor named sudo_xxxx claimed to have breached BMCI Bank and gained access to its database. According to the threat actor, a substantial amount of data belonging to the bank's customers was taken, including client IDs, passwords, and account balances.
-
May 05, 2025
Threat Actor Claims to Have Breached TeleMessage
In May 2025, a threat actor breached TeleMessage, an Israeli company that provides modified versions of messaging apps like Signal, WhatsApp, Telegram, and WeChat to U.S. government agencies for message archiving. The threat actor accessed archived message contents, usernames and passwords for backend systems, and contact details for officials from agencies such as Customs and Border Protection, as well as employees of companies like Coinbase and Galaxy Digital. The data included snapshots of unencrypted messages, backend credentials, and communication metadata stored on TeleMessage’s servers.
-
May 05, 2025
Golden Chickens Unveils New Malware Families: TerrastealerV2 and Terralogger
The threat actor group known as Golden Chickens, also referred to as Venom Spider, has been linked to two new malware families, TerrastealerV2 and Terralogger, which are designed for credential theft and keylogging respectively. TerrastealerV2 collects sensitive data such as browser credentials and cryptocurrency wallet information, while Terralogger functions as a standalone keylogger without exfiltration capabilities. Both malware variants are believed to be in active development, showcasing the group's ongoing efforts to enhance their malware arsenal, which operates under a malware-as-a-service model. The group is reportedly based in Canada and Romania, and their activities have been ongoing since at least 2018.