CySecurity News - Latest Information Security and Hacking Incidents: Cyber Attacks

CVE CVE vulnerability Cyber Attacks Cybersecurity Threats Data Breaches enterprise cybersecurity Enterprise Security Risks

ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach Universities and Enterprise Systems

A breach tied to the hacking collective ShinyHunters emerged during a wave of intrusions leveraging an undisclosed weakness in Oracle PeopleSoft platforms. Unauthorized entry occurred because security gaps went unpatched - access followed swiftly after initial compromise. Data theft unfolded across multiple campuses and research-focused entities throughout May into June's first days. Evidence gathered by Google Cloud Mandiant analysts pointed directly toward systemic exploitation prior to any public alert from Oracle. Control over affected servers enabled extraction of confidential information before patches were available.

One security team links these actions to a hacking cluster known internally as UNC6240. Exploiting a weakness labeled CVE-2026-35273, they triggered unauthorized code on Oracle PeopleSoft systems. This issue sits near the top of risk scales - rated 9.8/10 - given how easily it can be abused. With nothing more than an open HTTP connection, intruders bypass login checks entirely. Access unfolds remotely; no clicks or credentials required by victims.

Within the PeopleSoft platform, the weakness lies specifically in the Environment Management Hub. Though Oracle officially acknowledged issues in PeopleTools 8.61 and 8.62, earlier versions - no longer supported - could still face risks. Because exploitation began prior to Oracle's public notice, the vulnerability acted like a real zero-day during the entire attack period. Hidden weaknesses emerged when hackers mistakenly left key systems visible on the web.

A closer look revealed open servers storing malware frameworks, communication hubs, admin utilities masked as legitimate cloud documents, along with automation codes designed to navigate internal corporate environments. Spread through connected devices began once access was gained, followed by bundling sensitive material before sending it toward platforms tied to ShinyHunters’ operations. Mandiant found over 100 groups facing possible system exposure, alerting each to the danger. Higher education made up close to 68% of these cases, primarily within the U.S.

While certain schools stopped threats in time, several faced verified intrusions alongside leaked information. Among the earliest cases made public stood the University of Nottingham. Reports tracking data leaks indicate the exposed records include around 455,000 distinct email addresses, followed by private details such as full names, residential locations, telephone numbers, passport identifiers, ethnic background, and data tied to disabilities. Confirmation of the event came directly from the institution itself.

Turning off the Environment Management Hub service is a step Oracle suggests when feasible, while limiting outside connections to vulnerable endpoints. Experts in cybersecurity point out that checking system logs matters, along with hunting down odd-looking files. Uncommon patterns in data leaving the network should catch attention. Applying fixes from Oracle promptly stands as another measure worth taking.

Surprisingly, ShinyHunters once stuck to phishing, compromised logins, or manipulating people through psychological tricks. Now, though - using a previously unknown flaw in server software suggests their methods have taken a sharper turn. This shift hints at ERP platforms being eyed more closely going forward, even if nothing is certain yet.

Signal Users Targeted in Sophisticated Phishing Campaigns Aimed at Stealing Chat Backups



 

Messaging Security

AI Phishing Attacks Cyber Attacks Cyber Phishing Cyber Scams Encrypted Chats links Malicious Link Messaging Security

Signal Users Targeted in Sophisticated Phishing Campaigns Aimed at Stealing Chat Backups

Recently uncovered cyber threats now focus on people relying on Signal’s encrypted messaging service. Fake notifications, appearing legitimate at first glance, lead recipients to counterfeit pages through deceptive URLs. These attempts aim straight at stored conversation archives linked to user accounts.

Cyber experts highlight how realistic these fake prompts look, mimicking official alerts almost perfectly. One wrong move could expose personal message history without the owner realizing immediately. Deception unfolds quietly - often beginning with an urgent-looking notice arriving unexpectedly. Trusting such messages opens the door to hidden data theft beneath a surface of authenticity.

Now showing up more often, the trend reflects how cyberattacks are changing direction. Instead of cracking tough encryption on private chat apps, criminals lean toward tricks that target people's habits. Starting with fake messages that look familiar, these schemes build pressure through time-sensitive demands. Victims then give away passwords or backup codes - without realizing it was never the real service asking.

Experts say the scam focuses on accounts tied to backups. Messages showing up look real, yet they steer people toward counterfeit sites aiming to grab passwords, restore keys, or similar details. Success means hackers could enter stored backup files online, possibly viewing personal chats once thought secure. Though Signal encrypts messages fully while they move between devices, specialists emphasize that such protection fails when people accidentally hand over private login data. When saved access codes get stolen, chat histories risk exposure even with strong built-in shields.

Despite robust design, a weak link often lies not in code but human action. Warnings emerge from security experts about rising complexity in phishing efforts. These days, fake emails frequently include convincing logos, web pages built to mimic real ones, along with wording nearly identical to legitimate notices. Personalized versions of such scams now exist, tailored to single users - harder to spot when compared to broad, generic blasts sent without targeting. Caution pays off when messages pop up out of nowhere asking you to confirm your account, bring back old data, or open a web address.

Before typing in passwords, take a moment - look closely at where you are online; mimicry sites can look real but aren’t. Never hand over access keys or sign-in details, even if someone sounds trustworthy. When extra safeguards exist inside apps like Signal, turning them on simply makes sense. One more time, an attack shows human behavior often matters more than digital safeguards. When hackers trick someone into sharing private data, even strong software fails.

Because scams grow smarter, staying alert helps block many breaches. Questioning unusual messages first can stop problems later. People stay safer by pausing before reacting to urgent demands.

Play Gang Claims Responsibility for MyPillow Hack, Company CEO Denies the Breach



 

AI Cyber Attacks Data Donald Trump MyPillow Play Gang Ransomware US

Play Gang Claims Responsibility for MyPillow Hack, Company CEO Denies the Breach

The US military has always known that threat actors could use location data to spy on troops’ devices. The military also knows the easy solutions for the problem. But the Pentagon implemented none of these security measures.

Recently, CySecurity reported that threat actors were using digital advertising data to attack US soldiers in war zones. The US law enforcement recently warned about the “anti-tech” extremism because the AI criticism was growing in the country.

Play gang takes responsibility

The Play ransomware hacking group claimed the data theft behind the US pillow manufacturer called MyPillow. It stole personal and private confidential data from the victim.

About the target

MyPillow was founded by 2020 Minnesota gubernatorial candidate and 220 election conspiracy theorist Mike Lindell.

The stolen data claim first surfaced on Play’s blog recently, it threatened that it was able to steal an unknown amount of information which may be exposed soon which may leak “"private and personal confidential data, clients and etc. documents, budget, payroll, IDs, taxes, finance information."

The claim, which appeared on Play's dark web leak portal earlier this week, threatens that an undeclared amount of data will be released on Friday, potentially exposing "private and personal confidential data, clients and etc. documents,budget, payroll, IDs, taxes, finance information."

High profile case

Straight Arrow News first reported about the incident. But MyPillow’s high-profile CEO Mike Lindell has denied claims of any ransomware attack which happened at all.

MyPillow was a lucrative victim for the threat actors, as Lindell’s role in pumping the controversial claims that the 2020 US presidential campaign was rigged against the now President Donald Trump.

According to Straight Arrow News, Lindell claimed in a recent interview on his website, Lindell TV, that political attacks during the previous few years cost MyPillow $400 million in damages.

What next?

Lindell stated that he will submit an application for reimbursement from Trump's $1.8 billion "Anti-Weaponization Fund," which was established as part of Trump's settlement of an Internal Revenue Service lawsuit.

The settlement, according to critics, offered Trump a slush fund to compensate rioters on January 6 and other individuals who have spread election conspiracy theories.

Whether MyPillow was hacked is not confirmed at the time of writing. The company denies the claim, whereas Play gang takes responsibility.

Experts Reveal the DDoS Under Ground Market



 

Internet

AI Cloud Cyber Attacks DDoS Internet

Experts Reveal the DDoS Under Ground Market

Attack tactic

What happens in a typical Distributed Denial-of-Service (DDoS) attack. A website that suddenly stops? Time out of a login page? Not being able to reach an online service when you need it the most? These causes are not internal, and are attributed to DDoS attacks.

Cloudflare reported stopping a 7.3 Tb/s attack last year and said it addressed a 31.4 Tb/s attack in its Q4 2025 DDoS report. According to Microsoft, Azure also blocked a 15.72 Tb/s attack last year in October. The activity was linked to the Aisuru botnet.

Darkweb market selling and buying the service

For all these instances, dark web actors are fighting over the same buyers with pitches. Flare experts analyzed dark web operations and detailed API access, reseller options, botnet-based capacity, monthly plans, Cloudflare bypass claims, and game-server tactics.

A comparative analysis of the DDoS-related dark web operations from the first five months of 2023 and the first five months of 2026 demonstrate how rapidly that offer has evolved. Scripts, tutorials, leaked tools, and sporadic forum posts used to be more common, but these days they are more typically provided as recurring products that are simpler to purchase and use.

What is a DDoS attack?

A DDoS attack tries to crowd an application, network, server, or website with traffic from various servers at one time. Few attacks are aimed at network capacity, while the remaining emphasize on application layer resources like APIs and login pages. The aim is to dismantle any service or activity and make it unavailable, expensive to use, or unstable.

What is DDoS-as-a-service?

DDoS-as-a-service removes the barrier even further, a hacker can choose a victim, pay for accessing a web panel, select timeline, and depend on another person’s botnet, third-party attack infrastructure, or proxy network.

About the attack

A hosting company that employs Magic Transit to protect their IP network and is a Cloudflare user was the target of the attack. According to Cloudflare’s recent DDoS threat assessment, DDoS attacks are increasingly targeting hosting providers and vital Internet infrastructure.

An assault campaign from January and February of 2025 that launched over 13.5 million DDoS attacks on Cloudflare's hosting providers and infrastructure was detailed by the experts on their blog.

CBSE Revaluation Portal Hit by Cyberattack, Payment Gateway Glitch Affects Students



 

Education Sector Cybersecurity

AWS Cyber Attacks Cyber Breach cybersecurity challenges data security Digital Infrastructure Education Sector Cybersecurity

CBSE Revaluation Portal Hit by Cyberattack, Payment Gateway Glitch Affects Students

A breach has surfaced within CBSE's digital infrastructure, casting doubt on transaction reliability during revaluation requests. Officials confirm unusual activity emerged just hours after launch of the updated platform. Instead of standard fees, some users saw inflated amounts appear without explanation. The disruption stemmed from external interference, not internal error, per preliminary assessments. While access resumed quickly, trust in online payments wavered temporarily among applicants. Investigators are now tracing entry points used in the intrusion. Security teams emphasize that only a small fraction faced actual financial impact. Monitoring continues as safeguards undergo review.

Some fifty learners faced disruptions due to the event, officials noted. Payment amounts shifted without warning in these instances - now low at just one rupee, now near sixty-seven or sixty-eight thousand. Unauthorized entry might have paved the way for intentional system interference, according to insiders. Such altered fees possibly stemmed from targeted digital tampering following a breach. Trouble began when the portal’s payment gateway - handled by HDFC Bank - faced glitches after launch. Right away, access problems appeared, blocking user entry without warning.

A few people took advantage while systems faltered, altering charges shown on student records. Officials confirmed irregular fees stemmed from these brief security lapses. Following the event, CBSE along with state bodies began closely examining the system's framework. To support this effort, specialists from IIT Madras, joined by counterparts at IIT Kanpur and the Digital Infrastructure Corporation of India, were invited into the process. With access granted, these teams started analyzing the underlying software structure and identifying weak points.

One main goal drives their work: keeping the service stable under pressure. By reinforcing key defenses now, they aim to block repeat disruptions later. Now live within the platform, four state-run lenders join the network to spread risk beyond one vendor. Among them: State Bank of India, followed by Canara Bank, then Indian Bank, and later Bank of Maharashtra. With more institutions linked, handling payments should run smoother under strain. Built-in backup paths emerge naturally when multiple entry points exist. Stability gains come not from promises but structure - extra layers help maintain flow during outages.

Later came reports of trouble faced by students after results and rechecking, sparking talks between Dharmendra Pradhan and Nirmala Sitharaman. Because of these concerns, officials decided improvements were needed in how payments work across CBSE platforms. So far, reports indicate the updated setup is running smoothly after shifting the platform to Amazon Web Services (AWS). This move comes in response to past issues with traffic handling and long-term flexibility. Teams remain alert, observing both function and protection measures closely during ongoing evaluations.

What happened shows why protecting school systems matters more now, given how much personal information and money flows through them. Even so, officials keep digging into the case even as new security steps go live to reduce risks ahead.

Critical 7-Zip Vulnerability Exposes Millions of Systems to Potential Malware Attacks



 

Malware attacks

7Zip Archive Critical Systems Security Critical Vulnerability Cyber Attacks Malicious Codes Malware attacks

Critical 7-Zip Vulnerability Exposes Millions of Systems to Potential Malware Attacks

A fresh disclosure highlights a security weakness in the popular 7-Zip tool, stirring unease within cyber defense circles due to its potential misuse for spreading harmful software. Though limited to outdated builds of this open compression program, the flaw might let hackers run unauthorized scripts when someone opens manipulated archive files. Because user interaction triggers the problem, deception becomes part of the attack path - simply opening a corrupted file may be enough.

While patches exist for current releases, unpatched systems remain exposed through seemingly harmless data containers. Since many rely on legacy installations unknowingly, risk lingers across personal and business setups alike. Earlier this year, researchers uncovered a weakness labeled CVE-2026-48095, also tracked under GHSL-2026-140. This problem lies in how 7-Zip handles NTFS volume images.

Instead of managing memory safely, it allows excess data to spill past set limits - a behavior known as heap-based buffer overflow. Because memory gets corrupted during file processing, attackers might exploit this to run unauthorized code. Experts warn such flaws carry high risk due to their potential for system takeover. Though details remain limited, the core danger stems from improper boundary checks during archive extraction. Opening an archive with a specially designed NTFS image file sets off the exploit, studies show.

When handling such files, certain editions of 7-Zip fail to compute buffer sizes correctly - evidence points to flawed logic during parsing. As a consequence, allocated memory falls short, leading software to overwrite nearby regions by mistake. Such instability opens paths where malicious inputs might run unchecked or force sudden halts in operation. Back in April, someone alerted the 7-Zip developers about the issue without going public. After that report came through, the team put out version 26.01 - fixing the weakness and shutting down the danger it posed.

Not long afterward, they shared an official notice with everyone; included was a working Python example showing exactly what attackers might do on outdated versions. One way this flaw plays out depends heavily on what kind of setup it's found in, along with how much computing power sits nearby. Sometimes attackers might run their own programs from afar; other times they simply knock apps offline or freeze them completely.

Even when effects differ, moving to the newest 7-Zip build is seen as essential - no workarounds exist once a version falls inside the risk zone. What makes the situation more serious is how common 7-Zip has become. With hundreds of millions of downloads, it runs on many Windows and Linux machines.

Because so much automation depends on its built-in tools, companies often embed its compression features into larger programs. One reason 7-Zip poses risk is how common it has become - flaws could reach millions. When updates lag, experts say, those gaps catch hackers’ attention. Old setups might open doors without warning, especially if archives appear safe at first glance.

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans



 

Malware attacks

Cyber Attacks GTA 6 GTA 6 Scams malware Malware attacks

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans

The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early.

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists.

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts.

Safety tips

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately.

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells



 

Phishing

AI Bug Cloud Cyber Attacks Data KnowledgeDeliver Phishing

Hackers Exploit KnowledgeDeliver Bug to Install Web Shells

Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS to install the Godzilla. The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification. It originates from the use of “shared hardcoded machine key in the web portal configuration,” said Bleeping Computer, throughout all KnowledgeDeliver consumer deployments.

Deserialization of ViewState

Hackers found the stolen machine key and used it in ViewState deserialization campaigns to sign infected ViewState payloads and launch remote code execution (RCE) at the OS level.

In 2025, Mandiant responded to a campaign on a KnowledgeDeliver server and said that in the beginning, the bug was abused as a zero-day to deploy a compromised script into the web platform.

Attack tactic

The compromise was also possible as threat actors used “identical pre-shared ASP.NET machine keys across multiple customer deployments,” the experts said.

According to Mandiant, “KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.”

Experts said that the code on the platform lured users to download a malicious installer, which compromised the machine with a Cobalt Strike beacon by deploying a backdoor.

The encrypted payload used a key “that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization,” Mandiant report said.

Similar attacks in 2025

In August last year, experts from ASEC also disclosed that Godzilla was planted in ASP.NET environments in ViewState deserialization attacks against firms in the finance industry.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Hackers targeting unsecured machines

In recent years, threat actors are increasingly exploiting unsafe machine keys in Viewstate deserialization attacks against web platforms for a few products.

Threat actors utilized a hardcoded machine key in March of last year to create a malicious payload that gave them access to Gladinet CenterStack's secure file-sharing servers.

After obtaining the machine key to generate signed malicious ViewState payloads, hackers gained access to 85 Microsoft SharePoint systems in July 2025.

Additionally, state-sponsored actors utilized ViewState deserialization assaults to install WeepSteel, a spying tool that revealed the ASP.NET machine key on Sitecore servers.

GitHub Repo Breach Traced to TanStack NPM Supply-Chain Attack



 

TanStack

Cyber Attacks GitHub Report Breach Supply Chain Attack TanStack

GitHub Repo Breach Traced to TanStack NPM Supply-Chain Attack

GitHub has confirmed that a breach of its internal repositories is directly linked to the TanStack npm supply-chain attack, demonstrating how a single compromised developer tool can cascade into a major security incident. The company stated that the intrusion began when an employee installed a malicious version of the Nx Console Visual Studio Code extension, which had been poisoned during the wider TanStack compromise. This attack chain allowed threat actors to gain initial access to GitHub's internal infrastructure, ultimately exposing approximately 3,800 internal repositories to unauthorized access.

The original TanStack attack occurred on May 11, 2026, when the TeamPCP threat group compromised 42 npm packages and published 84 malicious versions in just six minutes. The attackers exploited a sophisticated combination of GitHub Actions vulnerabilities, including a "Pwn Request" attack using pull_request_target abuse, cache poisoning across fork-to-base trust boundaries, and OIDC token extraction from runner memory. This technique produced the first npm supply-chain attack with valid SLSA Build Level 3 attestations, making the malicious packages appear completely legitimate to security scanners and developers.

The malicious Nx Console extension version 18.95.0 was available on the Visual Studio Marketplace for approximately 18 minutes and on OpenVSX for another 36 minutes before being removed. Despite the short window, the poisoned extension deployed a payload designed to steal credentials and secrets from developer environments, targeting npm, AWS, Kubernetes, GitHub, GCP, and Docker platforms. The Nx development team confirmed that one of their developers was compromised through the TanStack supply-chain leak, which exposed GitHub credentials through the GitHub CLI, allowing attackers to run workflows on their repository as a contributor.

GitHub's Chief Information Security Officer Alexis Wales confirmed that the company secured the compromised device and rotated critical secrets, prioritizing the highest-impact credentials first. While GitHub has not officially attributed the attack to a specific group, TeamPCP claimed access to GitHub source code and approximately 4,000 repositories of private code on the Breached forum, demanding at least $50,000 for the stolen data. The incident also affected other organizations, including UiPath, Guardrails AI, OpenSearch, and Grafana Labs, which confirmed its GitHub environment breach originated from the same TanStack attack.

This incident highlights the severe risks of modern software supply chains, where one compromised dependency can ripple across thousands of developers and organizations faster than security teams can respond. The attack demonstrates that even organizations with strong security practices, including two-factor authentication, remain vulnerable to sophisticated supply-chain attacks that exploit trust relationships between packages, build tools, and automated workflows. Developers and security teams must now prioritize hardening CI/CD pipelines,Token rotation, extension verification, and continuous monitoring of package updates as potential attack vectors.

Enterprise Cyberattacks Accelerate as AI Speeds Threats but Human Errors Remain the Biggest Security Risk



 

vulnerabilities

Attack Vectors Cyber Attacks Security risk Software vulnerabilities

Enterprise Cyberattacks Accelerate as AI Speeds Threats but Human Errors Remain the Biggest Security Risk

Cyberattacks are hitting businesses more often, fueled by automation and AI that accelerate the exploitation of vulnerabilities. Yet despite increasingly sophisticated techniques, experts say human mistakes, weak passwords, and poor access controls remain the biggest causes of successful breaches. While threats continue to evolve, people are still the weakest link in cybersecurity.

A recent report from Mandiant highlights how cybercriminal groups now operate through specialized teams. One group focuses on gaining access through phishing emails, malicious ads, or fake software updates, while another takes over to move through networks, steal data, or deploy ransomware. Attackers are also moving much faster. The average handoff time between criminal groups fell from more than eight hours in 2022 to just 22 seconds in 2025.

Vulnerabilities are increasingly exploited within days of disclosure, leaving organizations little time to patch systems before attacks begin. Cyber threats generally fall into two categories: financially motivated criminals seeking ransom payments or stolen data, and espionage-focused actors aiming for long-term, hidden access. While most intrusions are detected within about two weeks, cyber-espionage campaigns often remain unnoticed for more than three months.

Software vulnerabilities remain the leading attack vector, with technology and financial firms among the most targeted sectors. Researchers also observed a rise in voice-based social engineering, where attackers impersonate employees and contact IT help desks to bypass multi-factor authentication protections. Artificial intelligence is increasingly being used by threat actors for reconnaissance, phishing, and malware development. Some malicious tools even search compromised systems for AI-related credentials and resources.

However, researchers stress that AI is rarely the direct cause of breaches. Most incidents still stem from human error, weak security practices, misconfigurations, and excessive permissions. Ransomware attacks are evolving as well. Instead of only encrypting files, attackers now target backup systems, virtualization platforms, and recovery tools. By disabling recovery options, they increase pressure on victims to pay ransom demands. There are positive signs for defenders.

More organizations are detecting attacks internally through improved visibility, monitoring, and threat detection capabilities. Earlier discovery allows security teams to respond faster and reduce potential damage. Experts recommend stronger identity protection, continuous access verification, isolated backup environments, centralized login management, and behavior-based monitoring systems.

As cyber threats continue to accelerate, many security professionals believe identity security has become the new perimeter, making proactive defense more important than ever.

Iran-Linked Hackers Targeted US Fuel Tank Systems Through Exposed ATG Networks



 

Iran-based hacker group

Critical Infrastructure Cyber Attacks Hacker attack Infrastructure Infrastructure Security Iran hackers Iran-based hacker group

Iran-Linked Hackers Targeted US Fuel Tank Systems Through Exposed ATG Networks

A cyber incident linked to suspected Iranian hackers targeted U.S. gas station fuel monitoring systems, exposing weaknesses in critical infrastructure. Internet-connected ATG systems lacking password protection reportedly allowed attackers to gain access without stolen credentials. Though designed to track fuel levels automatically, these systems became vulnerable because of poor security controls.

The incident highlights how basic operational technology flaws can create major risks. Weakly protected infrastructure remains an attractive target for cyberattacks. Remote access features, while convenient, can become dangerous when left exposed online.

Many of these monitoring tools operate quietly in the background until compromised. Security experts warn that even simple protections could have blocked the intrusion. Each exposed device increases risks across connected infrastructure networks. Although the attackers reportedly altered displayed fuel readings, authorities said the actual fuel levels inside storage tanks were not changed.

Even so, cybersecurity specialists stressed that compromised ATG systems could still disrupt operations or create confusion during emergencies. Experts have warned for years that insecure fuel monitoring systems could become targets for hackers or state-backed groups seeking to impact critical services. Growing tensions involving the United States, Iran, and Israel have fueled suspicions around Iranian-linked cyber activity. Analysts noted similarities between this incident and earlier attacks tied to Iran targeting fuel distribution infrastructure.

While officials have not publicly confirmed attribution, researchers said the timing and techniques resemble previous Iran-associated operations. Cybersecurity and Infrastructure Security Agency acknowledged reports of malicious activity involving automated tank gauge systems across critical sectors. While the agency stopped short of blaming Iran directly, it urged organizations to strengthen protections immediately.

Recommendations included removing ATG systems from direct internet exposure, implementing strong passwords, reviewing logs regularly, and improving monitoring for suspicious behavior. Experts say modern geopolitical conflicts increasingly extend into digital systems supporting everyday life. Attacks targeting fuel infrastructure can trigger economic disruption, supply chain instability, and public panic even without causing physical damage.

A relatively small cyber incident can still send a strategic message by demonstrating access to systems relied upon by millions. Many cybersecurity professionals continue warning that operational technology environments remain especially vulnerable because they often rely on outdated systems, weak segmentation, and limited visibility. Attackers frequently focus on these environments because even simple techniques can produce large-scale disruption.

Researchers also pointed to lessons from the Colonial Pipeline ransomware attack, which caused fuel shortages and emergency declarations across multiple U.S. states in 2021. Experts believe similar attacks today could create ripple effects well beyond the originally targeted facilities.

Security specialists now argue that industrial systems and connected devices should receive the same level of protection as traditional IT networks. Stronger segmentation, automated compliance checks, continuous monitoring, and recovery planning are increasingly viewed as necessary safeguards as cyber threats against critical infrastructure continue to grow.

OpenAI Confirms Employee Devices Hit in TanStack Supply Chain Malware Attack



 

Malware attacks

AI Chatbot ChatGPT. OpenAI Cyber Attacks Digital Supply Chain Risk Hacker attack Malicious Software Malware attacks

OpenAI Confirms Employee Devices Hit in TanStack Supply Chain Malware Attack

A recent software supply-chain breach impacted several companies after hackers targeted widely used open-source tools. Among those affected was OpenAI, where compromised employee devices provided limited access to internal systems. At the center of the attack stood TanStack, a framework heavily relied upon for building websites and integrated across countless technology environments worldwide. Its broad adoption allowed the threat to spread far beyond a single platform.

OpenAI stated that no customer information, production systems, intellectual property, or software releases were compromised. However, attackers did access a limited number of internal code repositories linked to employees whose systems had previously been infected. The company described the exposure as narrow in scope.

The incident surfaced after TanStack disclosed that hackers had uploaded 84 malicious software updates within a six-minute period. Security researchers reportedly identified the suspicious activity within roughly twenty minutes, helping reduce broader impact. The compromised packages were designed to steal credentials from infected devices and quietly spread across connected systems.

Although the breach exposed only a small amount of authentication material, OpenAI responded by rotating cryptographic certificates tied to the affected repositories. Some users running OpenAI applications on Apple devices may need updated installations following the security changes. OpenAI also stated that investigations found no evidence of altered production software or persistent threats within its operational infrastructure. Core systems reportedly remained secure throughout the incident.

The identity of the attackers remains unknown. Researchers say open-source ecosystems are increasingly becoming targets because of how deeply they are embedded across modern technology stacks. Instead of attacking organizations directly, hackers compromise trusted software components and distribute malicious code through official update channels.

One successful breach can therefore impact numerous downstream users simultaneously. Security analysts have linked similar tactics to multiple cyber threat groups over the past year. In March, North Korean-linked hackers reportedly compromised Axios to distribute malware capable of affecting large numbers of developers. More recently, suspected Chinese threat actors targeted Windows users through altered installers connected to DAEMON Tools.

Supply-chain compromises have become particularly dangerous because developers routinely trust updates delivered through official repositories and package managers. Once malicious code enters legitimate distribution systems, organizations may unknowingly install infected software while assuming it is safe. Cybersecurity professionals warn that attacks targeting open-source infrastructure will likely continue increasing as businesses depend more heavily on shared frameworks, collaborative development tools, cloud services, and AI-powered systems.

The same openness that accelerates innovation also creates opportunities for attackers to exploit weak points at scale. The latest incident highlights how even highly advanced technology companies remain vulnerable when trusted third-party tools are compromised. Security experts are now urging stronger oversight across software supply chains, including stricter dependency validation, improved monitoring, and deeper review of external code before deployment into production environments.

Rising Digital Invitation Scams Highlight Need for Strong Cyber Awareness



 

WhatsApp Scam

Android Malware APK Malware Cyber Attacks Cyber Fraud Digital Invitation Scam Mobile Banking Threats OTP Theft UPI Fraud WhatsApp Scam

Rising Digital Invitation Scams Highlight Need for Strong Cyber Awareness

What was once used for birthdays, weddings, corporate events, and social gatherings has increasingly been weaponized by cybercriminals as a sophisticated phishing technique.

The security research community has observed that threat actors are increasingly using commonly used invitation platforms and compromised email accounts to distribute fraudulent event links designed to harvest credential information, financial data, and sensitive personal information by leveraging their credibility.

It is evident how even routine online interactions are becoming part of the modern cyber threat landscape when malicious emails mimic legitimate invitation services and utilize the psychological urgency of social engagement. This highlights how even routine online interactions are now a source of cyber threats.

A cybersecurity investigator has noted that the threat is now extending far beyond deceptive email invitations, as hackers are actively distributing malware-laced Android Package Kit (APK) files disguised as digital event invitations via messaging platforms such as WhatsApp and Telegram.

A malicious file is often accompanied by socially engineered labels, such as wedding invitations, housewarming ceremonies, or private party invitations, which are designed to reduce suspicion and stimulate immediate downloads. It often mimics utility tools, but remains operationally dormant to avoid detection once installed on an Android device.

Once embedded, the rogue application quietly embeds itself among legitimate applications, frequently imitating utility tools. It has been reported that victims unknowingly grant extensive permissions to threat actors, including access to call logs, SMS services, notifications, contacts, and screen recording capabilities, effectively giving them deep surveillance access to their devices.

Several observed cases have demonstrated that the malware can intercept one-time passwords, monitor banking and UPI sessions in real-time, and harvest financial credentials directly from user screen activity. Recently, a Bengaluru-based business owner has experienced the severity of the attack chain after receiving a fraudulent wedding invitation APK through WhatsApp, causing unauthorized access to financial information and a financial loss of approximately 5 lakh before detection of the compromise.

A number of researchers investigating these campaigns have concluded that the attack infrastructure is typically conducted using two highly effective compromise methods that bypass user suspicion and device-level trust mechanisms. As a result of interaction with the malicious invitation link, the link appears broken or inactive. However, behind-the-scenes processes silently deploy credential-stealing malware that harvests passwords, device information, and sensitive personal information.

Secondly, victims are directed to convincingly spoofed login portals in which their account credentials are captured in real time, allowing threat actors access to banking, email, and payment services without their consent.

A number of fraudulent invitations deliberately avoid detailed event information in order to induce impulsive clicks, depending instead on urgency and familiarity. In addition to users being advised to treat unsolicited invitations with caution, particularly those received through messaging applications or from unknown senders, IT security experts also recommend reporting and deleting suspicious e-mails as soon as they become aware of them.

According to threat intelligence firm CloudSEK, these campaigns have resulted in large-scale financial fraud operations. Within 48 hours, one threat group processed transactions worth nearly 25-30,000 crores, emphasizing the rapid scalability of the ecosystem and the high number of victims involved. Specifically, the firm found that the attacks exploit the trust architecture behind SIM-based verification systems commonly used by UPI platforms.

In such systems, device-linked mobile numbers are considered proof of legitimate account ownership. A malicious APK disguised as a traffic violation notice or a digital invitation is often the first step in establishing covert access to a smartphone's messaging features after securing SMS permissions.

After deploying the so-called “Digital Lutera” toolkit, CloudSEK indicated that attackers manipulate identity validations and SMS workflows through a specialized Android framework on separate devices.

With this feature, bank registration messages may be intercepted and OTPs are silently forwarded to attacker-controlled Telegram channels without the victim's knowledge. Additionally, the report revealed that fabricated "sent" SMS records are inserted into message histories in order to maintain an illusion of legitimate activity, such that UPI applications are misled into believing that authentication requests originate from the victim's own smartphone.

Thus, cybercriminals have the opportunity to remotely register and manage the UPI account of a victim even when the original SIM card remains physically in the user's possession. Previously, CloudSEK notified regulators and financial institutions in order to strengthen mitigation frameworks before the threat expands. As part of its responsible disclosure process, it said that it has already notified regulators and financial institutions.

The convergence of digital payment ecosystems and mobile-first communication platforms represents a shift toward socially engineered, device-centric financial attacks, warn cybersecurity experts. Threat actors are increasingly exploiting human behavior and weaknesses in authentication workflows to exploit APK sideloading, SMS intercept frameworks, and compromised messaging channels as a means of exploiting trust-driven human behaviour.

A stronger understanding of user awareness, stricter application permission controls, and enhanced anomaly detection across UPI and telecommunication infrastructure will assist in limiting the operational scale of these fraud networks before they become a more persistent threat to India's rapidly expanding digital sector.

Foxconn Cyberattack Exposes Alleged Intel, Apple, Nvidia and Google Project Data



 

Data Theft

Cyber Attacks Cyber Data Cyber Security Ransomware Attacks CyberCriminal Data protection data security Data Theft

Foxconn Cyberattack Exposes Alleged Intel, Apple, Nvidia and Google Project Data

A wave of digital intrusion lately hit Foxconn, causing interruptions across certain segments of its North American facilities when the Nitrogen ransomware collective admitted involvement - disclosing they had infiltrated systems and extracted vast troves of confidential information. This incident underscores, yet again, how intensifying demands from cybercriminal networks now challenge critical links within international tech logistics, particularly those manufacturers embedded deep inside the production ecosystems serving top-tier technology brands.

Later on, after initial reports emerged, Foxconn confirmed disruptions across multiple sites in North America. Right away, its cyber defense units began executing crisis protocols instead of waiting for further escalation. Because systems required immediate protection, temporary measures went into place to shield manufacturing flow. Even so, certain plants experienced brief halts in daily activity due to digital interference. Gradually now, output levels are stabilizing following those earlier setbacks.

Later, the ransomware operators listed Foxconn on their public leak page, stating they had taken close to 8 terabytes of data - over 11 million individual files. Their claim centers on possession of private technical records: blueprints, project directives meant for internal use, engineering schematics. Information tied to big tech names like Apple, Nvidia, Intel, Google, and Dell reportedly appears within what was pulled. Though unverified, the alleged haul suggests access to development assets considered highly sensitive.

Even though hackers say they took customer data, Foxconn hasn’t said if any was truly exposed. Without a clear statement, it remains unclear how much information may have been reached - or if partner details were touched at all. Ever since 2023, the Nitrogen ransomware crew has operated under suspicion of ties to variants spawned from exposed Conti 2 code. Researchers point out weaknesses in their tools - especially when striking VMware ESXi systems.

Despite handing over payments, certain targets still could not retrieve locked data. This failure stems from defective decryption mechanisms built directly into the malicious software. Recovery gaps appear baked into its flawed design. Should that glitch persist, affected groups might face deeper troubles - offering money to hackers does not always bring back locked data or recover what was taken. Back in 2024, the LockBit group took credit for breaching Foxsemicon Integrated Technology - a firm within the larger Foxconn Technology Group.

It wasn’t an isolated case; a similar unit of Foxconn in Mexico had drawn their attention two years prior. Ransomware attacks on this network are nothing new. The pattern stretches further back than it might first appear. Now worries spread through the hardware world after the recent security incident, given how central Foxconn is to building devices and moving parts for big tech firms worldwide.

When something interferes with its work, delays may ripple into assembly timelines, logistics systems, operational frameworks, even sensitive processes behind upcoming gadgets and corporate tools. Because they rely on many partners, handle valuable technical details, and face tight deadlines when operations fail, factories and logistics companies often attract ransomware groups.

With more strikes hitting essential vendors lately, better separation between internal systems is becoming a priority - alongside stronger crisis plans and tighter protection for confidential design files that could be stolen or leaked.

Microsoft Warns Passwords and SMS-Based 2FA Are No Longer Enough Against Modern Cyberattacks



 

Phishing

2FA Cyber Attacks MFA Microsoft password Phishing

Microsoft Warns Passwords and SMS-Based 2FA Are No Longer Enough Against Modern Cyberattacks

Microsoft is intensifying its push toward passwordless security, warning that traditional passwords and older forms of two-factor authentication are becoming increasingly ineffective against modern phishing attacks powered by artificial intelligence.

In a statement released during World Passkey Day, Microsoft said the cybersecurity industry must reduce dependence on passwords and other “phishable” login methods by accelerating the adoption of passkeys.

For years, technology companies encouraged users to strengthen account security by enabling two-factor authentication (2FA) or multi-factor authentication (MFA). Microsoft itself previously stated that MFA could block more than 99% of password-based attacks. However, cybercriminals have steadily adapted their tactics, particularly targeting SMS-based authentication systems through phishing pages, SIM-swapping schemes, session hijacking, and social engineering attacks.

The company now argues that passwords, even when paired with weak MFA methods like text-message verification codes, continue to leave accounts vulnerable. Microsoft described these older protections as “legacy” authentication methods that can still become entry points for attackers.

Instead, Microsoft is promoting passkeys, which rely on cryptographic authentication rather than memorized passwords. A passkey stores a private digital key directly on a user’s device and only works on the legitimate website or application where it was created. Access is then confirmed through biometric verification, such as fingerprints or facial recognition, or through a device PIN.

Security experts say this approach makes phishing significantly harder because passkeys cannot be reused on fake websites designed to imitate legitimate login pages. Unlike passwords or SMS codes, the authentication process is tied directly to the original domain.

Microsoft also stressed that enabling passkeys alone is not enough if passwords and fallback authentication methods remain active on accounts. According to the company, weak backup options can still be exploited even after stronger protections are introduced. Microsoft has therefore continued removing older authentication systems across its ecosystem, including plans to eliminate security questions from password reset flows beginning in 2027.

The urgency surrounding this transition has increased alongside the rapid growth of AI-generated phishing campaigns. Microsoft cited internal findings showing that AI-assisted phishing operations can achieve click-through rates as high as 54%, meaning more than half of targeted users may interact with malicious messages.

Industry-wide adoption of passkeys is also accelerating. The FIDO Alliance estimates that more than five billion passkeys are already in use globally. Microsoft said hundreds of millions of users now sign into services such as OneDrive, Xbox, and Copilot using passkeys every day.

Internally, Microsoft claims that over 99% of users within its environment now have access to phishing-resistant authentication methods. The company added that account recovery systems remain a critical security challenge because attackers increasingly target recovery processes instead of direct logins.

Researchers and government agencies are broadly supporting the move toward passwordless security. The United Kingdom’s National Cyber Security Centre recently encouraged organizations and consumers to adopt passkeys, citing growing risks from AI-driven phishing and phishing-as-a-service platforms.

Still, cybersecurity researchers caution that passkeys are not completely immune to attack. Recent academic research examining FIDO2 authentication methods found that while passkeys substantially raise the difficulty for attackers, sophisticated compromise techniques involving infected devices, session theft, or manipulated browser environments may still pose risks under certain conditions.

Microsoft maintains that removing passwords and other phishable credentials remains essential as AI systems increasingly act on behalf of users across enterprise environments. If a single digital identity is compromised, attackers could potentially exploit connected AI agents to access systems, trigger workflows, and operate with existing permissions at machine speed.

JDownloader Website Breach Spreads Malware Through Fake Windows and Linux Installers



 

Malware Attack

Cyber Attacks Cyber Breaches Cyber websites data security Fake Windows Linux Linux Malware Malware Attack

JDownloader Website Breach Spreads Malware Through Fake Windows and Linux Installers

In early May 2026, the official website for JDownloader was compromised, causing users to unknowingly download infected installers instead of legitimate software. During the two-day breach window, attackers replaced Windows and Linux setup files with malicious versions carrying hidden malware. Researchers later discovered that the Windows payload deployed a stealthy Python-based remote access trojan capable of giving attackers control over infected systems.

Because the files appeared authentic and came directly from a trusted source, many users installed them without suspicion. JDownloader remains one of the most widely used download automation tools, supporting downloads from hosting services, streaming sites, and premium file-sharing platforms across Windows, Linux, and macOS. Its long-standing reputation and large user base made the attack especially dangerous, as users naturally trusted downloads from the official website.

The issue first gained attention after a Reddit user reported Microsoft Defender warnings while downloading updated installers from the JDownloader website. The files showed suspicious digital signatures linked to unknown names like “Zipline LLC” and “The Water Team” instead of AppWork GmbH, the legitimate developer. Community concern quickly spread online, prompting the development team to investigate.

Soon after, JDownloader confirmed that attackers had exploited an unpatched flaw in the site’s content management system to modify download links and redirect users toward malicious third-party installers. Developers stated that the compromise was limited to public-facing web content and did not extend to deeper server infrastructure or operating system-level access. The team later clarified that only the Windows “Alternative Installer” downloads and Linux shell installer links were affected.

Other distribution channels, including macOS packages, Flatpak, Winget, Snap releases, in-app updates, and the main JAR package, remained secure throughout the incident. Developers urged users to verify installer authenticity by checking digital signatures within file properties. Legitimate files should display a verified signature from AppWork GmbH, while unsigned installers or files signed by unfamiliar publishers should be avoided immediately.

Cybersecurity researcher Thomas Klemenc later analyzed the malicious Windows files and found they acted as loaders for a heavily obfuscated Python-based remote access tool. According to his findings, the malware could execute remote commands through command-and-control servers, silently turning infected devices into attacker-controlled systems. Analysis of the Linux shell installer also uncovered injected malicious code designed to download disguised payloads from suspicious domains.

Once executed, the malware installed hidden binaries, created persistence mechanisms, elevated privileges using root-level configurations, and disguised itself as legitimate Linux system processes to avoid detection. Experts noted that parts of the Linux malware remain difficult to fully understand because the payload was heavily protected using obfuscation tools like Pyarmor, limiting deeper analysis.

Although JDownloader stressed that only users who downloaded and executed installers during the breach window were at risk, security professionals strongly recommend reinstalling operating systems on infected machines. Since arbitrary code execution was possible, experts also advise resetting all passwords after cleaning affected devices due to potential credential theft.

The attack reflects a growing cybersecurity trend in which hackers target trusted software platforms to distribute malware through compromised downloads. Similar incidents recently affected CPU-Z, HWMonitor, and DAEMON Tools, where attackers replaced legitimate installers with infected versions carrying hidden malware.

As supply chain attacks continue increasing, cybersecurity experts stress the importance of checking digital signatures carefully and avoiding suspicious downloads, even on trusted software platforms.

Australia Seizes $4.2 Million in Bitcoin in Major Darknet Crackdown



 

NSW Police cryptocurrency raid

Australia Bitcoin seizure Bitcoin money Cyber Attacks darknet marketplace crackdown NSW Police cryptocurrency raid

Australia Seizes $4.2 Million in Bitcoin in Major Darknet Crackdown

Authorities in the Australian state of New South Wales (NSW) have confiscated 52.3 Bitcoin, valued at more than $4.2 million, following search warrants carried out in Ingleburn on May 4. The seizure is being described as one of the country’s most significant cryptocurrency confiscations to date.

The operation was part of Strike Force Andalusia, an investigation launched in September 2024 after the NSW Police Cybercrime Squad identified a cryptocurrency wallet allegedly linked to proceeds generated through darknet marketplace activities.

As part of the wider probe, investigators had previously searched a residence in Surfside, where they recovered electronic devices and approximately 7.2 grams of cocaine. A forensic review of the seized devices later revealed further cryptocurrency assets connected to the investigation.

Police allege that a 39-year-old man from Ingleburn refused to provide investigators with access to his digital devices at the time of his arrest. He now faces additional charges alongside allegations related to money laundering and drug supply.

Detective Superintendent Matt Craft, commander of the NSW State Crime Command’s Cybercrime Squad, said the case highlights the growing capabilities of law enforcement agencies in tracking illegal cryptocurrency activity.

"Criminals operating on the darknet often believe they are beyond the reach of law enforcement, but this investigation shows that is simply not the case," Craft said. "Darknet marketplaces remain a key enabler of serious criminal activity, and our detectives are actively targeting those who use them to trade illicit goods or launder money."

Australian authorities have stepped up efforts to tackle cryptocurrency-related crimes as digital assets increasingly feature in organized criminal operations. The latest seizure reflects the expanding expertise of both NSW cybercrime investigators and the Australian Federal Police in tracing blockchain transactions and recovering illicit funds.

Recent investigations across Australia have also demonstrated that cryptocurrency transactions on darknet platforms are far less anonymous than many offenders assume, with several cases leading to multimillion-dollar digital asset seizures

ShinyHunters Cyberattack Disrupts Canvas Platform Across Universities and Schools



 

Hacking Group

Canada Cyber Attacks Cyber Breach Digital Security Challenges education sector Education Sector Cybersecurity Hacker attack Hacking Group

ShinyHunters Cyberattack Disrupts Canvas Platform Across Universities and Schools

This week, a significant digital breach affected educational institutions throughout the United States, Canada, and Australia. The incident followed claims by the hacking collective ShinyHunters. Their target: Canvas, a commonly adopted online learning system. Despite its widespread use, the platform proved vulnerable.

Though details remain partial, reports confirm active exploitation of security gaps. While some schools shifted to offline methods, others delayed classes. Because of the reach of the network, effects spread quickly. Since access was blocked at peak hours, confusion grew early. Not every region reported identical issues - some experienced minor delays instead. Even so, trust in ed-tech infrastructure has taken a hit.

As investigations continue, officials are reviewing how data was exposed. Midway through the year’s final academic stretch, a cyberattack triggered broad system failures across roughly 9,000 schools globally. Coursework uploads faltered, exam access vanished, lectures disappeared, grading stalled - student work ground to a halt. Though Instructure owns the platform, control slipped when services went down; officials acknowledged the breach soon after.

Recovery came slowly - Canvas returned for many, yet pockets of disruption lingered on campuses far apart. Midway through tests, alerts flashed unexpectedly - spreading uncertainty among test takers and instructors at multiple campuses. Because of the interference, assessments set for Friday at Mississippi State University got delayed without prior notice. Screens displayed warnings stating “ShinyHunters has breached Instructure (again),” followed by demands for cryptocurrency transfers to prevent data leaks.

Some learners recalled frozen systems right when submitting answers. Though officials confirmed the incident, details remained limited throughout the afternoon. By evening, investigations had begun while backups were reviewed quietly behind closed doors. After finishing their long exam essays, one student - Aubrey Palmer - noticed the ransom note pop up. When doubts emerged about whether files were actually saved, stress began spreading through the group.

Some felt upset right away, others grew uneasy only later. Midterms approached fast when campuses started alerting students about sudden changes. Following technical issues, Sydney advised against accessing Canvas until further details arrived from Instructure. With finals looming, the timing of the outage posed serious challenges. Though routine disruptions happen now and then, this one struck during peak assessment periods.

Among those impacted were Penn State University, Idaho State University, the University of British Columbia, the University of Toronto, UCLA, and the University of Chicago. With IT departments reviewing how far the breach reached, some campuses postponed exams - others called them off entirely. Later on campus, Jacques Abou-Rizk noticed something off after opening an email link - he saw a message that seemed tied to a demand for payment.

Though the note mimicked one from school staff, officials clarified they were already tracking the event. Despite initial concerns, leaders emphasized no additional platforms showed signs of intrusion. Cybersecurity analysts pointed to screenshots suggesting the attacks might have started several days before the public alerts, as seen in timed demands delivered to targeted organizations.

While ransom discussions could still be happening behind the scenes, the hacker collective hasn’t revealed its next steps regarding the data it claims to possess. Besides earlier cases, another breach now ties back to ShinyHunters - a group already connected to several prominent corporate intrusions. While details differ, patterns point to similar tactics used before across large-scale data compromises.

Surprisingly, the widespread outage sparked fresh worries over how ready schools really are when it comes to digital safety. At nearly the same time, officials like Senator Chuck Schumer began pushing for tougher nationwide protection - especially since artificial intelligence-driven attacks and online ransom schemes keep growing across countries.

Poland Water Plant Hacks Expose Growing Cyber Threat to U.S. Infrastructure



 

Water Plant

Critical Infrastructure Cyber Attacks Poland U.S. Threat Water Plant

Poland Water Plant Hacks Expose Growing Cyber Threat to U.S. Infrastructure

Poland has revealed a troubling series of cyberattacks against water treatment plants, underscoring how vulnerable critical infrastructure can become when basic security is neglected. According to reporting on the incident, hackers breached industrial control systems at five facilities and, in some cases, gained the ability to change operational settings that affect pumps, alarms, and treatment equipment.

The most alarming part of the case is not only that the intrusions happened, but that the attackers were able to move beyond simple access and potentially influence the treatment process itself. That raises the stakes from data theft or disruption to a direct public safety concern, because water systems depend on precise controls to keep supply safe and stable.

Investigators say the entry points were surprisingly basic: weak passwords and systems exposed directly to the internet. Those are avoidable failures, which makes the incident more frustrating for defenders and more attractive to attackers looking for easy ways into high-value targets. The fact that the affected facilities were part of essential municipal infrastructure shows how a small security gap can become a large civic risk.

The timing matters because Poland’s experience fits a broader pattern of hostile activity against critical infrastructure across Europe and beyond. Polish authorities have linked parts of the campaign to Russian-aligned threat actors, describing the attacks as part of a wider effort to destabilize public services and test national resilience. Whether the goal is espionage, sabotage, or intimidation, water plants are now clearly on the list of targets.

The United States faces a similar danger. American water utilities have repeatedly drawn warnings from federal agencies, and public reports have shown that many systems still rely on outdated controls, weak access policies, and insecure remote connections. Regulators have also warned that unprotected human-machine interfaces can let unauthorized users view or adjust real-time settings, which is exactly the kind of weakness attackers look for.

The lesson is simple: water security is no longer just an engineering issue, but a cybersecurity priority. Utilities need stronger passwords, network segmentation, tighter remote access controls, and continuous monitoring of industrial systems. If governments and operators do not treat water plants as critical digital assets, the next successful breach could do more than interrupt service; it could threaten public trust in something people depend on every day.

Trojanized DAEMON Tools Used to Deploy Persistent Backdoor Malware



 

Supply Chain Attack

Backdoor Malware Cyber Attacks cybersecurity threat DAEMON Tools information stealer Malware Campaign PowerShell Attack QUIC RAT Software Compromise Supply Chain Attack

Trojanized DAEMON Tools Used to Deploy Persistent Backdoor Malware

An innocent routine software update mechanism has been weaponized by attackers in order to distribute malware through official distribution channels, enabling a stealthy global supply-chain compromise. AVB Disc Soft authenticated digital certificates were used to sign trojanized builds as part of the operation that remained undetected for nearly a month.

By bypassing conventional trust and endpoint security mechanisms, these malicious packages were able to avoid triggering immediate suspicion. Kaspersky discovered that the campaign began on April 8, 2026, and resulted in thousands of infections in over 100 countries before the breach was detected on May 1, 2026.

Almost all infections were characterized by reconnaissance malware intended to gather system intelligence and establish persistence. However, a comparatively small number of carefully selected victims received advanced second-stage backdoors, suggesting a targeted attack on Russian, Belarusian, and Thai organizations involved in government, science, retail, and manufacturing.

Multiple core components of DAEMON Tools were modified, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, and malicious functionality was embedded in versions 12.5.0.2421 through 12.5.0.2434, ensuring that execution occurs at startup while maintaining the appearance of legitimate software functionality.

According to the forensic analysis, the attackers had embedded their malicious framework within several trusted DAEMON Tools binaries, including the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe that can be found within the installation directory of the application. Because the compromised binaries were signed by authentic AVB Disc Soft signing certificates, operating systems and endpoint security products perceived the compromised binaries as trustworthy, reducing the probability of immediate detection.

It has been determined that every time the affected binaries are executed during system startup, the CRT initialization routine initiates hidden backdoor functionality, initiating a dedicated background thread aimed at quietly establishing outbound communication with attacker-controlled infrastructure during system startup.

Throughout the attack, the malware repeatedly sent HTTP GET requests to a typosquatted domain that closely mimicked the legitimate DAEMON Tools download portal, as a method of mixing malicious traffic with expected software communications. According to WHOIS records, the fraudulent domain was registered on March 27, approximately one week before the supply chain intrusion occurred, indicating deliberate preparation of infrastructure prior to the attack by the campaign's operators.

Based on an analysis of the command-and-control infrastructure, it appeared that compromised systems were able to receive remotely issued shell commands via cmd.exe and PowerShell, which would allow attackers to download and execute additional payloads dynamically.

PowerShell's WebClient functionality was utilized to retrieve executable files from an Internet server located at 38.180.107[.]76 before silently executing them from temporary system directories and deleting all traces afterwards. In the course of the investigation, envchk.exe, a .NET-based information collector that researchers determined was intended to perform extensive reconnaissance on infected machines, was identified as one of the primary secondary payloads.

In the malware's source code, embedded Chinese-language strings suggest that the malware's operators are probably Chinese-speaking, but no official affiliation has yet been established for the threat group. This reconnaissance utility collected a broad range of information regarding the host, including MAC addresses, hostnames, DNS domains, installed software inventories, running process lists, system locale configurations, and other host information.

Following data collection, the collected data is transmitted back to attacker-controlled infrastructure via structured HTTP POST requests, providing the operators with a detailed profile of the compromised environment before deciding whether to escalate the intrusion. Unsuspecting users were infected when they downloaded and installed trojanized yet legitimately signed installers for DAEMON Tools, which executed malicious code contained within trusted application components without the user knowing it.

After activation, the implanted payload established persistence mechanisms intended to survive reboots, as well as enabled the installation of a covert backdoor capable of communicating with remote attackers when the system is started.

The command infrastructure was also capable of dynamically delivering additional malware stages based on the victim’s profile and operational significance. It is generally considered to have functioned as a reconnaissance-oriented information stealer tasked with gathering system identifiers, including hostnames, MAC addresses, running processes, installed applications, and locale configurations, before transmitting the harvested telemetry to the operators for the purpose of assessing the environment and prioritizing victims.

The first-stage profiling phase of the investigation resulted in an evaluation of selected systems for further compromise. Using a lightweight backdoor that is capable of executing arbitrary commands, downloading files, and running malicious code directly in memory, selected systems were escalated to a second-stage compromise.

The attack on a Russian educational institution was escalated by the attackers by using QUIC RAT, a remote access malware strain capable of supporting a variety of communication protocols, as well as injecting malicious code into legitimate processes so that they could operate stealthily after the compromise.

Despite utilizing software distributed through official channels, the DAEMON Tools breach remained undetected for nearly a month as a highly coordinated and technically mature supply-chain intrusion. An investigation into DAEMON Tools installations conducted on or after April 8 was advised to conduct extensive threat-hunting operations to monitor for abnormal system behavior and unauthorized network activity related to the compromise period.

Researchers have avoided formally identifying the threat actor behind the campaign, but linguistic artifacts embedded within its first stage strongly suggest that Chinese-speaking operators were responsible. Following earlier compromises involving eScan, Notepad++, and CPU-Z, the incident also illustrates the rising trend of software supply-chain attacks throughout 2026. In parallel with these campaigns, the increasing importance of trusted software ecosystems becoming high-value attack surfaces for sophisticated threat groups continues to be demonstrated, including Trivy, Checkmarx, and Glassworm, which target software repositories, development packages, and browser extensions.

The DAEMON Tools compromise proves that modern supply-chain attacks are not limited to niche targets or underground software ecosystems, but are increasingly exploiting widely used consumer and enterprise applications. The attackers developed their attack strategy by leveraging trusted software certificates and official distribution channels in order to disguise malicious activity as legitimate software behavior while quietly gaining access to potentially high-value environments across multiple countries.

Security researchers have concluded that organizations must evolve beyond traditional trust-based security models and embrace continuous monitoring, behavioral detection, and software integrity validation practices that will enable them to identify malicious activity, even within applications that appear legitimate and have been signed. A contemporary supply-chain intrusion illustrates how a single compromised software update can quickly escalate into a global cyber risk with far-reaching operational and national security consequences.

Search This Blog

Sections

Popular Posts

Blog Archive

Labels

About Me

Footer About

Labels

Showing result(s) for

Popular Posts

Pages

Menu Item

Play gang takes responsibility

About the target

High profile case

What next?

Attack tactic

Darkweb market selling and buying the service

What is a DDoS attack?

What is DDoS-as-a-service?

About the attack

Deserialization of ViewState

Attack tactic

Similar attacks in 2025

Hackers targeting unsecured machines