Search This Blog

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Cyber Attacks. Show all posts

Helix Data Extortion Group Targets Microsoft SharePoint Using Vishing and MFA Abuse

 

Cybersecurity researchers have discovered a new data extortion group called Helix that has been targeting companies by using user credentials rather than software vulnerabilities. Helix has been employing voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to target Microsoft 365 and steal data from the company’s SharePoint service. 

According to the researchers at ReliaQuest, Helix has been attacking the company by first calling an employee and posing as their manager or another executive and tricking them into approving device code authentication and granting access to their Microsoft accounts. In some cases, the attackers used the manager’s name or changed the caller ID to disguise their location as the manager’s office. The attackers then register their own MFA Authenticator application on the victim’s account to ensure continued access to the Microsoft 365 platform even if the user changes their password. 

The intruders then proceed to conduct reconnaissance on the SharePoint servers, enumerating and downloading all the available data, including documents, before the company detects the breach. The data is then used to demand ransom from the victim organization by threatening to publish the information if the company does not pay a certain amount of cryptocurrency. In some instances, the attackers sell the data to other bad-actor groups. 

Researchers have noted that Helix’s automated SharePoint discovery has been one of the group’s most identifiable features. In one of the attacks, the attackers used automated search queries to find the SharePoint content before launching a large-scale data exfiltration campaign from the same IP address using a Python Requests user agent. ReliaQuest researchers suspect that Helix may be linked to the ShinyHunters and BlackFile data extortion groups due to the similarity in attack techniques. 

Although there is no conclusive evidence that the groups are connected, researchers have discovered similar infrastructure and tactics used by Helix and ShinyHunters. Some of the organizations that have fallen victim to Helix include Medtronic, Nissan, the National Association of Insurance Commissioners (NAIC), Kodak, Infinite Campus, and the University of Nottingham. These companies were previously targeted by the ShinyHunters group and confirmed the breach on their websites. 

In addition, ReliaQuest researchers discovered that one of the Helix’s exfiltration servers was hosted on an autonomous system previously used by the BlackFile infrastructure. Since BlackFile’s servers were shut down earlier this year, researchers suspect that Helix may have links to the BlackFile group or be an offshoot of the former group. However, other data extortion groups such as Pink and Redact may also be linked to BlackFile. 

The campaign that targets Microsoft 365 is similar to the ShinyHunters ransomware attack in several ways, including impersonating employees, targeting the Microsoft 365 platform, stealing data from SharePoint servers, and using social engineering to trick employees into giving access to the company’s network. Researchers have also discovered that Helix uses the NICENIC domain registrar, which has been used in some of the ShinyHunters attacks. 

Experts recommend that organizations disable device code authentication if possible and only allow managed devices to access the Microsoft SharePoint service. In addition, the company should monitor Microsoft 365 authentication activities and restrict all communications except those from trusted domains to protect their data from being exfiltrated by Helix or other cybercriminal groups. 

The discovery of the Helix campaign shows how cybercriminals are increasingly targeting user credentials to access sensitive information rather than exploiting software vulnerabilities.

Abbott Investigates Two Cyber Incidents Following Extortion Claims


 

Two separate cybersecurity incidents are being investigated by Abbott Laboratories after threat actors reportedly gained access to the company's systems and accessed sensitive information. While one incident has been linked to the ShinyHunters extortion group, the other involves claims of unauthorized access to Abbott's LabCentral customer portal. The company said both incidents are being investigated, and operations have not been disrupted. 

Both incidents have not adversely affected Abbott's business operations, manufacturing, laboratory services, product availability, or customer support. According to the company, the unauthorized access was restricted to systems that operate independently of Abbott's core infrastructure within its Cancer Diagnostics business, with no impact reported across other business units or sites due to the unauthorized access discovered. 

Several legacy Exact Sciences systems were discovered to have been accessed unauthorizedly by Abbott's Cancer Diagnostics business. As a consequence of the ShinyHunters extortion group listing the company on its data leak site, Abbott confirmed the breach, and threatened to publish allegedly stolen information if negotiations were not held. Exact Sciences is part of Abbott's Cancer Diagnostics division, which the company acquired earlier this year for $21 billion. 

Aside from Abbott's core systems, Exact Sciences' legacy infrastructure operates separately, which limits the scope of the incident. According to Abbott, the incident is isolated to the Cancer Diagnostics division and has not affected manufacturing, laboratory operations, product availability, patient services, or any other Abbott business systems.

A notification was sent to law enforcement, the company activated its incident response procedures, and external cybersecurity experts were engaged. In addition, Abbott stated that the incident will not negatively affect its financial performance. In response to the incident, Abbott has not provided information regarding the type of information that was accessed, noting that its investigation is ongoing. 

The company claims to have gained initial access to a Microsoft Entra single sign-on (SSO) account by launching a voice phishing (vishing) attack targeting Abbott employees in mid-June. A number of enterprise platforms, including Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa, were accessed by the group, which alleges that internal documents, contracts, customer information, and millions of medical records containing personally identifiable information (PII) have been exfiltrated. 

These claims have not been independently verified, however. Separately, a threat actor claiming the name ShadowByt3$ has been associated with the breach of Abbott's Core Laboratory Diagnostics business by exploiting compromised customer credentials by accessing the LabCentral customer portal hosted by a third party. It has been claimed that the attacker has obtained technical documentation, manufacturing certificates, regulatory files, and other product-related information. 

LabCentral was investigated by Abbott, but the attacker's claims were disputed, as the portal only contains publicly available technical reference materials such as operating manuals, troubleshooting guides, and product specifications. The company indicated that confidential business information and sensitive customer information are not included in the environment. 

In the LabCentral portal, Abbott explained that it is hosted by a third party provider and serves as a repository of publicly available technical reference documents, including operating instructions, troubleshooting guides, and product specifications. In accordance with the company, sensitive customer information or proprietary business data is not known to have been compromised as a result of the reported incident. 

There has been a growing trend of cyberattacks targeting healthcare and medical technology over the past few years. In recent months, a number of companies, including Clover Health, Stryker, Medtronic, Novo Nordisk, and West Pharmaceutical Services, have reported cybersecurity incidents, illustrating the increasing risks associated with handling patient and healthcare-sensitive data. Several cyber-incidents have occurred in the medical technology sector in recent months, causing significant damage to the industry. 

A number of companies, including Stryker, Medtronic, Intuitive Surgical, iRhythm, and AdaptHealth, have reported cybersecurity incidents as well, underscoring the growing threat landscape for healthcare and medtech organizations. As of yet, neither ShinyHunters nor ShadowByt3$ has disclosed the data that they claim to have stolen. In addition to engaging external cybersecurity experts and notifying law enforcement, Abbott has also continued to investigate the possibility of access to any potentially sensitive information.

In addition, Abbott stated that it does not anticipate either incident to negatively impact its business or financial results. Abbott's ongoing investigations highlight the increasing cybersecurity challenges in the healthcare and medical technologies industries. 

However, despite the company's assurances that operations remain unaffected and that no sensitive customer information has been exposed, the incidents demonstrate how important it is to take quick action, to use robust security measures, and to continuously monitor against cyber threats as they evolve.

Why Digital Supply Chain Attacks Are Emerging as the Biggest Cybersecurity Threat for Businesses

 

As businesses strengthen their internal cybersecurity defenses, cybercriminals are increasingly shifting their focus to a more vulnerable target—the digital supply chain. Rather than attempting to breach organizations directly, attackers are exploiting trusted third-party vendors, software providers, cloud services, and open-source components that already have authorized access to critical systems and sensitive data.

Traditional cybersecurity strategies have long emphasized protecting internal networks through firewalls, encryption, access controls, and employee awareness programs. However, the growing reliance on interconnected digital ecosystems means these measures alone are no longer enough. Organizations now depend on a broad network of suppliers and technology partners, creating multiple entry points that hackers can exploit.

How Digital Supply Chain Attacks Work

Instead of targeting businesses head-on, cybercriminals increasingly infiltrate suppliers and service providers that support an organization's operations. These may include software vendors, web development companies, cloud storage providers, testing platforms, or third-party integrations.

A supply chain attack typically compromises one or more components that organizations rely on to deliver products or services. Attackers may introduce malicious software updates, steal login credentials, exploit insecure integrations, or take advantage of vulnerable open-source software libraries.

Open-source components present a particularly significant risk. Software developers often integrate publicly available libraries into applications to accelerate development. If attackers successfully insert malicious code into these widely used components, every organization that later incorporates them into their software may unknowingly introduce a serious security vulnerability.

One notable example occurred in 2024, when malicious code was embedded into XZ Utils, a widely used open-source compression utility for Linux systems. Rather than directly hacking organizations, attackers compromised the software supply chain itself. Although the affected versions had not yet reached widespread production deployment, they had already been integrated into development versions of major Linux distributions, forcing maintainers to rebuild packages after the vulnerability was identified.

Computer scientist Alex Stamos warned that if the attack had gone unnoticed, it would have “given its creators a master key to any of the hundreds of millions of computers around the world that run SSH”.

Once attackers successfully compromise a supplier's products or services, they can use that trusted access to infiltrate customer environments. In many cases, these attacks remain undetected until operations are disrupted, sensitive information is stolen or encrypted, or ransomware demands are issued. The XZ Utils compromise itself was only uncovered after a developer noticed unusual system performance during routine testing.

By the time organizations discover such incidents, significant operational and financial damage has often already occurred.

Cyberattacks frequently result in substantial financial losses. Organizations may face costly ransom demands, especially when attackers recognize that disruptions affect multiple customers or essential business services.

Even when no ransom is paid, businesses incur significant expenses related to operational downtime, system restoration, cybersecurity investigations, legal support, and business recovery.

For companies operating primarily through digital platforms, even short periods of downtime can severely impact revenue. Following a cyberattack in 2025, retailer Co-op reported that the incident “impacted both financial and operational areas”, leading to at least £206 million in lost revenue.

Operational disruptions can be equally damaging. If a critical supplier suspends services while containing a cyber incident, organizations may lose access to essential systems, preventing order fulfillment, transaction processing, and other core business functions.

A major example occurred in 2025 when Marks & Spencer (M&S) temporarily suspended online orders for nearly two months and relied on manual processing following a cyberattack. Rather than directly targeting M&S infrastructure, attackers exploited vulnerabilities in MoveIt, a widely used enterprise file transfer platform.

The breach exposed sensitive employee and customer information, including contact details, payroll records, and in certain cases, National Insurance numbers. Although payment information was reportedly unaffected, the scale of the incident triggered formal investigations, internal reviews, and regulatory scrutiny from the Information Commissioner's Office (ICO). The retailer estimated the financial impact at approximately £300 million in lost profits.

Beyond financial losses, reputational harm often proves to be the most enduring consequence of supply chain cyberattacks.

Customers generally do not distinguish between an organization and its suppliers when services fail. Regardless of where the breach originated, customers typically hold the business responsible.

Poor communication or delayed responses following an incident can rapidly erode trust that may have taken years to build. Restoring customer confidence often requires significant investment in communication, service improvements, and strengthened security measures, while long-term effects on customer loyalty and commercial relationships may continue long after systems have recovered.

Growing Regulatory Expectations

Regulators worldwide are increasingly emphasizing digital supply chain resilience as cyber risks extend beyond internal IT environments.

Under the UK's implementation of the General Data Protection Regulation (GDPR) through the Data Protection Act 2018, organizations acting as data controllers remain responsible for protecting personal information, even when third-party providers process that data on their behalf.

This means organizations must ensure their suppliers implement appropriate technical and organizational security measures while also reporting data breaches without unnecessary delay. Failure to meet these obligations can result in regulatory enforcement, financial penalties, and reputational damage.

The EU Artificial Intelligence Act follows a similar principle for AI technologies. Organizations deploying AI systems—including those supplied by external vendors—are expected to understand how those systems function, the associated cybersecurity risks, and how they are secured, particularly when high-risk AI applications are involved.

As a result, regulators increasingly expect businesses to actively manage cyber and AI risks throughout their digital supply chains rather than relying solely on vendor assurances.

Organizations are therefore encouraged to establish comprehensive cybersecurity governance frameworks that include supplier due diligence, continuous monitoring, documented risk management processes, and clearly defined incident response procedures.

Best Practices to Reduce Supply Chain Cyber Risks

While eliminating supply chain risk entirely is impossible, organizations can significantly reduce exposure by adopting proactive security measures, including:

  • Performing comprehensive cybersecurity due diligence before engaging suppliers.
  • Verifying vendors maintain strong security controls such as patch management, employee training, access management, and multi-factor authentication.
  • Conducting regular risk assessments across the supply chain to identify critical vulnerabilities.
  • Including clear cybersecurity obligations, incident reporting requirements, liability provisions, audit rights, and data protection clauses within supplier contracts.
  • Thoroughly testing systems and software developed by external vendors before deployment.
  • Providing guidance and collaboration to strengthen cybersecurity across supplier networks.
  • Developing and regularly updating incident response plans that specifically address third-party cyber incidents, customer communications, regulatory reporting, and ransomware scenarios.
  • Promoting cybersecurity awareness through continuous education and information sharing among internal teams and external partners.
  • Investing in cyber insurance while ensuring key suppliers also maintain appropriate coverage.
As organizations become increasingly dependent on interconnected technologies, digital platforms, and external suppliers, cybersecurity has evolved into a broader governance challenge rather than simply an IT responsibility.

Recent cyber incidents demonstrate how weaknesses within trusted supplier networks can rapidly escalate into severe financial losses, operational disruptions, and long-term reputational damage.

Regulators now expect organizations to proactively identify, assess, and manage supply chain cyber risks before incidents occur. Businesses that invest in stronger supplier oversight, robust governance, and comprehensive risk management strategies will be better positioned to safeguard operations, meet regulatory obligations, and preserve customer trust in an increasingly connected digital landscape.

UK Court Sentences Two Hackers to 5.5 Years for Transport for London Cyberattack That Caused £29 Million in Damages

 

Two hackers have been sentenced to five and a half years in prison each for carrying out the 2024 cyberattack on Transport for London (TfL), in what the UK's National Crime Agency (NCA) has described as the country's largest cybercrime prosecution to date.

Owen Flowers, 18, and Thalha Jubair, 20, received their sentences at Woolwich Crown Court on July 16, 2026. The duo had pleaded guilty on June 22, 2026, to an offence under Section 3ZA of the Computer Misuse Act 1990, acknowledging they acted recklessly and created a significant risk of serious harm to public welfare.

The cyberattack, which lasted from August 31 to September 3, 2024, severely disrupted TfL's operations. Around 148 systems were taken offline, forcing all 27,000 employees to report to offices in person to reset their passwords. Authorities estimate the attack resulted in approximately £29 million in financial losses and recovery costs.

Transport for London, which manages nearly 9 million passenger journeys daily, experienced widespread service disruptions. Dial-a-Ride services for vulnerable passengers became unavailable, digital payment systems were affected, concessionary travel card issuance was interrupted, Oyster photocard applications were suspended, and refunds faced significant delays.

The breach also exposed customer information, including names, email addresses, and, where stored, home addresses. Additionally, Oyster refund records containing bank account details and sort codes of approximately 5,000 customers may have been compromised.

According to prosecutors, messages exchanged between the defendants suggested they intended to erase their access before leaving the network. Investigators noted that a complete shutdown of TfL's systems could have caused economic losses of up to £56 billion. However, those damages were avoided after TfL proactively disconnected its own network to contain the intrusion.

Flowers was arrested on September 6, 2024, just days after the TfL breach ended. The NCA said officers found him actively targeting two U.S. healthcare organisations—SSM Health Care Corporation and Sutter Health—during the arrest.

Authorities recovered multiple digital devices, including laptops, desktop computers, hard drives, and USB storage devices. Evidence included screenshots showing access to TfL infrastructure and videos allegedly recorded by Flowers documenting Jubair's activity inside TfL systems. Investigators also uncovered Telegram conversations and an online collaboration platform used during the attacks.

The prosecution established that Flowers had access to the remote infrastructure used to launch all three cyberattacks, while evidence connecting Jubair to the TfL breach was obtained through international law enforcement cooperation.

Flowers also admitted to two additional cybercrime offences linked to attacks on the U.S. healthcare organisations. Prosecutors stated that he threatened to lock down healthcare systems while acknowledging in online conversations that it "might kill some 90-year-old on life support." Authorities said his arrest prevented those attacks from progressing further.

The NCA identified both individuals as senior members of the cybercrime group Scattered Spider, also known as Octo Tempest, UNC3944, and 0ktapus. However, the Crown Prosecution Service (CPS) stated only that the defendants had claimed affiliation with a group investigators believe was responsible for hundreds of cyberattacks between 2022 and 2025. The FBI has linked the group to data extortion, SIM swapping, and social engineering campaigns.

While authorities have not disclosed the exact method used to compromise TfL's network, Google has recommended strengthening identity verification procedures during password resets, device enrolment, and MFA changes to defend against such attacks.

Paul Foster, head of the NCA's National Cyber Crime Unit, urged organisations to contact law enforcement as soon as they detect cyber incidents, noting that the successful prosecution would likely not have been possible without TfL's prompt reporting.

Following the sentencing, the City of London Police also renewed calls for the introduction of Cyber Crime Risk Orders, which would allow courts to impose restrictions on offenders' access to digital devices, online services, and technology based on the level of cyber risk they pose. Commander Ollie Shaw described the proposed measures as a "digital prison" for cyber offenders. The two convicted hackers were 17 and 18 years old when the offences were committed.

Dutch Authorities Arrest Multiple Suspects in Global Investment Fraud Investigation


 

Dutch authorities have arrested multiple suspects as part of an international investigation into an alleged investment fraud network that investigators believe defrauded victims worldwide through fake online investment schemes, with the operation at one point generating more than €100 million in monthly proceeds.

According to the Dutch Police, the criminal organization is suspected of operating an extensive network of approximately 20 call centers staffed by more than 700 individuals who allegedly posed as professional financial advisers. Investigators said the operation targeted victims across multiple countries, with teams assigned to specific regions and responsibilities to maximize the effectiveness of the fraudulent campaigns.

The investigation's primary suspect, a 46-year-old dual Israeli-Polish national, was arrested in Poland on May 26 before being extradited to the Netherlands, where he has been placed in pre-trial detention. Dutch authorities allege that he played a central technical role in building and maintaining the infrastructure that enabled the organization to conduct its activities while making it more difficult for law enforcement agencies to identify those involved.

Police also noted that publicly available information indicates the suspect had previously faced prosecution in connection with cyberattacks targeting several foreign government organizations. Authorities now believe he occupied an indispensable position within the investment fraud network.

The investigation expanded further between July 7 and July 10, when law enforcement officers arrested several Dutch and Belgian nationals in Cyprus, Greece, and Belgium for their suspected involvement in the scheme. Officials said the investigation remains active and additional arrests are possible as authorities continue to identify other members of the organization.

Investigators describe the alleged operation as a highly organized criminal enterprise that functioned similarly to a legitimate international business. Multiple call centers reportedly operated under centralized coordination while individual teams focused on victims in different countries. Employees allegedly used false identities, pseudonyms, and technical measures designed to conceal both their real identities and their physical locations during communications with potential victims.

According to investigators, the fraud relied heavily on long-term social engineering rather than immediate financial deception. Victims were first approached by individuals presenting themselves as experienced investment advisers who gradually established trust through repeated conversations. Once that trust had been developed, victims were encouraged to invest relatively small amounts through professional-looking online investment platforms that appeared to display genuine market activity and growing returns.

Authorities said these platforms did not reflect legitimate investments. Instead, the displayed profits were fabricated to create the impression of successful trading and encourage victims to continue depositing larger sums. Many of the payments were made using cryptocurrency, making it incredibly more difficult to recover stolen funds after they had been transferred. While victims believed their portfolios were increasing in value, investigators said the money was instead diverted directly to the criminal organization.

Dutch investigators have linked at least 550 fraud reports and approximately €25 million in reported losses in the Netherlands to the organization. Belgian authorities have also connected around 200 complaints to the same network. Police believe these figures represent only a fraction of the total impact, estimating that the operation may have claimed tens of thousands of victims globally, with many individuals losing more than €10,000 each.

Authorities believe the organization has been active since at least 2021 and employed sophisticated operational security practices to avoid detection. Investigators said members routinely relied on pseudonyms, concealed calling locations, and other technical methods to obscure their identities while communicating with victims.

The investigation ultimately progressed after authorities traced digital evidence, including IP addresses, financial transaction routes, and other forensic artifacts that helped identify critical infrastructure associated with the operation. The examination of technical equipment provided investigators with additional insight into how the organization functioned and helped establish the locations of several suspects.

Dutch Police said the investigation was conducted in cooperation with international law enforcement partners, while commercial service providers also assisted in disrupting elements of the group's digital infrastructure. Authorities emphasized that efforts to identify additional suspects and victims remain ongoing.

Police have also warned the public to remain cautious of so-called recovery services that claim they can retrieve money lost to investment scams. Investigators noted that, in some cases, such offers are themselves fraudulent attempts to exploit victims a second time by demanding additional payments under the false promise of recovering stolen funds.

Counterfeit USB Drives Spread China-Linked Virus in Japan’s Military

 

Counterfeit USB flash drives supplied to Japan’s Ground Self-Defense Force (JGSDF) in March 2024 spread a China-linked computer virus across secure military networks for nearly a year before the breach was finally detected. The incident, first reported by Japan’s Nikkei newspaper in June 2026, highlights how seemingly innocuous hardware can compromise even tightly controlled, air-gapped systems when supply-chain oversight and procurement protocols are insufficient. 

The infected drives were distributed to the JGSDF during earthquake relief operations in central Japan and were assumed to be legitimate, low-cost storage devices. An internal review later determined that six of eight USB sticks tested contained embedded malware that activated automatically upon insertion into a computer. Despite existing protocols that required scanning of external drives both upon receipt and during use, the infection remained undetected until February 2025, when a soldier in Itami, near Osaka, noticed unusually sluggish computer performance and initiated a diagnostic scan.

By that time, more than 50 of roughly 480 computers at the regional command had connected to the compromised drives, with nearly half of them handling classified information such as troop movements and operational plans. Forensic analysis by the JGSDF’s cyber defense unit revealed that the devices were counterfeit, using cheaper, slower microSD cards instead of standard memory chips and preloaded with malicious code. 

Security researchers linked the malware to Mustang Panda, also known as Earth Preta or Camaro Dragon, a China-associated advanced persistent threat (APT) group previously observed targeting government, education, and telecommunications sectors in Vietnam and Australia. Japanese officials stated there was no confirmed evidence of data exfiltration or external command-and-control communication, but the episode demonstrated how supply-chain compromises can silently bridge isolated networks without triggering conventional defenses. 

The fallout extended well beyond the military, as identical counterfeit USB drives were found circulating on major e-commerce platforms such as Amazon and Rakuten, priced 30 to 50 percent below authentic brands and traced to seller accounts in China. Reports of similar infections emerged in Japanese factories, research laboratories, and hospitals—environments that rely on removable media to transfer data across segmented or legacy systems. Security experts warn that such attacks exploit the tension between operational necessity and security policy: while outright bans on USB drives are often impractical in critical infrastructure, trusting removable media without rigorous, purpose-built validation leaves sensitive systems exposed to persistent threats. 

The JGSDF incident underscores three enduring lessons for organizations and governments: verify hardware provenance through trusted suppliers, treat all removable media as untrusted until scanned by dedicated security tools, and assume air gaps are permeable wherever physical media can cross them. For cybersecurity professionals and content creators tracking evolving threats, this case illustrates that supply-chain risk is not an abstract concept but a tangible vulnerability embedded in everyday devices—from USB sticks to firmware updates—demanding layered defenses that combine procurement discipline, technical controls, and continuous monitoring to protect critical networks.

AI Agent Executes End-to-End Ransomware Attack Without Human Intervention, Researchers Say

 

Cybersecurity researchers have uncovered what they believe is the first ransomware attack conducted by an autonomous artificial intelligence agent which they named JADEPUFFER. It is notable because the AI performed all stages of the attack, from targeting and compromising the system to installing and using ransomware, without requiring any human input. 

The researchers noted that JADEPUFFER targeted a vulnerability in the open-source application Langflow which was used to design and build various AI applications and tools. The vulnerability was already patched but many internet-facing instances of the application remained unpatching, giving the AI agent an entry point. Many such instances host API keys, cloud service credentials, and database tokens, making them an attractive target for bad actors.

After compromising the target, the AI agent began scanning the system for any valuable information, including cloud service credentials, wallet addresses, API keys, and database passwords. It also located a storage server which had default administrator credentials. Researchers noted that JADEPUFFER used this server as a foothold to pivot to other systems on the network. 

The AI agent managed to establish persistence on the compromised system by implanting a backdoor which sent out requests to a remote command and control server. It then lateraled to the production database server and used the administrative privileges to exploit another vulnerability in the system configuration service. 

It then created its own administration account in the server using a default signing key and altered other configurations in the system. JADEPUFFER proceeded to encrypt over 1300 configuration entries, deleting them before encrypting more data and displaying a ransom note demanding payment in Bitcoins. However, the researchers noted that the ransomware used a randomly generated encryption key which was only viewable once. 

In addition, the ransomware did not store or transmit the decryption key in any way, meaning that the victims would be unable to recover their data even if they paid the ransom. In addition to encrypting data, JADEPUFFER also deleted several databases after claiming that it had backed up the data elsewhere. However, researchers at Sysdig found no evidence that the data had been successfully backed up or transferred. This indicated that the attackers might have been trying to extort more money from the victims, potentially by threatening to delete all data or hinder recovery efforts. 

The researchers concluded that the ransomware attack was performed by an artificial intelligence due to the nature of certain observed behaviors. They noted that most of the ransomware’s behaviors were documented in natural language within the malware’s code, a practice common in many large language models. Additionally, the AI was able to resolve some of its own errors, such as failed authentication attempts, without requiring human intervention. The researchers estimated that over 600 discrete actions had been taken by the AI during the attack. 

The researchers added that while many of the techniques used by JADEPUFFER had been seen in other ransomware attacks, the fact that an autonomous AI agent had been able to use them in succession to launch a major ransomware attack was notable. They believe that such an attack has significant implications for the future of ransomware attacks, as it reduces the level of expertise needed to launch such an attack and allows attacks to occur at a much faster rate than would otherwise be possible. 

The researchers recommended that organizations reduce the risk of falling victim to similar attacks by ensuring that all software is updated to the latest versions, keeping administration systems offline when possible, protecting cloud service credentials, and monitoring systems for signs of unauthorized automated activity. Sysdig noted that JADEPUFFER was a warning about the potential threat posed by agentic AI ransomware in the future as the technology becomes more advanced.

Rogue Agent Bug Could Have Let Attackers Hack AI Conversations


A critical vulnerability in Google’s Dialogflow could have let a hacker exploit other Code-Block-enabled agents via one Code Block-power agent, in one Google Cloud project.

After this, the attacker could read chats, steal user data, and command bots to send hacker-written texts such as re-entering a password.

Discovery of the bug

Cyber security firm Varonis discovered the tactic and called it ‘Rogue Agent.’ The bug impacted only businesses that make agents with custom Code Blocks and Dialogflow’s Playbooks, which allows hackers to add their own Python. The attack was not remote, or unauthorized.

For the attack to happen, it required the dialogflow.playbooks.update green light one such agent, which restricts the hacker to an infected insider or a breached developer account, not some stranger on the web. From that point, the reach extended to every agent inside the project.

Google has patched the bug, and Varonis and Google have said there are no signs that the flaw was deployed in a real attack or campaign.

Single writable file prompted each agent Code Blocks

Dialogflow’s Code Blocks allows developers to add custom Python to a chatbot’s flow to test input, invoke defined tools, and control behavior. 

The code runs within a Google-operated Cloud Run environment, and every agent that uses Code Blocks in the similar Google Cloud project shares one incident of it. The customer cannot control or see the environment that Google runs, meanwhile Varonis discovered no real separation between the agents within it.

Attack tactic

When the agent runs a Code Block, the code is added to internal setup code and sent to Python’s exec()function. The functions and variables that block can touch are defined by the setup. 

Functions consist(), which makes the bot reply with a given string, whereas variables consist of a history of full chats and state for session information such as the session ID.

Varonis discovered code_execution_env.py, the file that does this wrapping, lying in the shared environment with write access. 

As the file was writable, a single Code Block could change it. The block downloads an altered code_execution_env.py from a threat actor-controlled server and overwrites the original within the running container.

After that, the attacker’s variant commands every Code Block deployment throughout every agent that shares the environment. The attacker’s code sits in the same place as the real code, with similar access to respond(), state, and history, 

Romania’s Hospital Cyberattack Highlights Growing Ransomware Threats to Healthcare Systems

 

A large-scale ransomware attack that took place in the healthcare system of Romania in February 2024 makes for textbook material on how to respond to such incidents, as well as the challenges they present. The ransomware attack scenario started when criminals got hold of a hospital management system called Hippocrates and, using it as a vector, distributed BackMyData ransomware to encrypt data. 

One of the software’s main functions is processing and storing information on laboratory results, pharmacy claims, payroll, admission and discharge of patients, doctors, and other medical staff. After being locked, the hospitals had to pay nearly 160 thousand euros to decrypt the data, which is in Bitcoin. When some hospitals reported the ransomware attack, the National Computer Security Center (DNSC) took an extraordinary measure to order over a hundred facilities to disconnect from the internet to prevent the virus from spreading to other institutions. 

Consequently, the hospitals’ systems became unable to provide access to email, the Internet, and interconnected medical devices. To manage patients and keep the critical functions running, doctors and nurses used paper-based solutions to write down and manually input lab results, physician orders, and treatment plans. In parallel, hospital staff worked on taking down the ransomware and securing the system. 

Authorities eventually found out that the ransomware infection was confirmed in 26 hospitals, where the ransomware attack response team with the help of the system supplier isolated the contaminated systems from the network. After decrypting files and securing the system, the technicians returned the hospitals to the network and ensured there were no other problems. 

Throughout the ransomware incident, authorities provided the public with updates on the ransomware situation, telling the people to avoid visiting the facilities if possible and advising the hospitals not to give in to the attackers’ demands. Nevertheless, the response to the challenge was far from perfect, as Romania continues to face challenges with cybercrime. The patients complained about the inconvenience of standing in queues and having their tests processed manually, but the government did not go through with paying off the ransom. 

At the same time, it is worth noting that having up-to-date data backups allowed the hospitals to quickly restore their vital functions without having to wait for decrypting tools from hackers. Five days after the ransomware attack, most of the affected facilities had already returned to normal operations. At the same time, there were no reports of patient deaths or damage to health caused by the ransomware attack. Still, doctors and nurses had to manually enter a lot of the patient’s personal data, which took them several more weeks to finish, while some of the relevant information was lost altogether. 

So far, the ones behind the ransomware attack have not been revealed. Still, it has been reported that some of the suspects’ resources in Russia have been shut down by the police, while others are currently detained abroad. It is not yet known whether they will be brought to justice in Romania. The ransomware attack on the healthcare system of Romania serves as a reminder of how fragile our systems are and the importance of protecting them. 

In many ways, hospitals are a critical infrastructure component, meaning that potential attackers will always attempt to take advantage of them by holding vital functions hostage until they get a hefty ransom. Even though the ransomware response team handled the situation in Romania efficiently, the ransomware incidents in the UK and the US show that problems of that sort are far from being exclusive to Romania.

Critical Bugs In Cursor IDE via Zero-Click Prompt Injection Can Launch RCE


CATO AI labs discovered two critical flaws in the famous AI code editor ‘Cursor’ that could result in remote code execution (RCE) outside the IDE’s sandbox. 

Duneslide

The IDE is employed by more than half of the Fortune 500. Both RCE flaws, called “DuneSlide,” were given a 9.8 CVSS score. The security bugs are tracked as CVE-2026-50548 and CVE-2026-50549.

The bugs demonstrated how prompt injection can move beyond the LLM layer and reveal classical bugs in code paths that were earlier not thought of as part of the attack surface.

A threat actor can exploit either of these bugs to overwrite critical system files (such as cursorsandbox binary), changing sandboxed comments into unsandboxed RCE and resulting in a full system hack on both the victim device and linked SaaS workspaces.

Key takeaways

Bugs found: Cato AI Labs found two separate, critical bugs in Cursor IDE, resulting in non-sandboxed RCEs on the victim’s system.

Arbitrary file write through prompt injection: Via zero-click prompt injection, these bugs could let a threat actor use zero-click prompt injections to write arbitrary files on the target’s local system.

Escaping sandbox and RCE: If leveraged, a threat actor can jump out of the terminal sandbox and attain a full RCE and a complete device exploit.

Zero-click attack vector: The exploit doesn’t need any prior user privileges or particular interaction. It is prompted when a target makes an “makes an innocuous prompt that inadvertently ingests a threat actor-controlled payload from an untrusted source, such as an MCP server or a web search result,” Cato AI Labs reported.

First vulnerability: Parameter altering

The first bug surfaces from how the sandbox creates its security boundaries based on tool parameters. If a sandbox command is executed, Cursor creates a seatbelt policy that allows writing into the present working directory.

This means that a remote hacker cannot command the working directory of a sandboxed operation because coding agents are a unique part of software. But, in this bug, a prompt injection works as the passageway to that part of the code.

Second vulnerability: Symlink failure

The second vulnerability is fully independent of the first and exists in Cursor’s file path resolution edge instances.  It allows hackers to avoid beyond-limits write restrictions via symbolic links.

In most traditional software, an external hacker cannot remotely generate symlinks on the target's system.  In this scenario, a prompt injection changed the Cursor agent to a bridgehead for non-trivial activities that end in a full system compromise. 

Google Targets NetNut Residential Proxy Network Operating Across Two Million Devices


 

Several international authorities have coordinated operations to disrupt the infrastructure behind a large residential proxy network, also known as Popa, after Google dealt a significant blow to one of the internet's largest residential proxy ecosystems. 

Through the action, which was conducted in collaboration with Lumen Technologies, the FBI, and other industry partners, millions of compromised Android-powered devices, including smart TVs, streaming boxes, and other internet-connected consumer hardware, were prevented from accessing the network. This significantly reduced the network's operational capacity. 

In the network, ordinary household devices were covertly transformed into proxy relays that permitted cybercriminals and state-linked threat actors to route malicious activity through legitimate residential IP addresses while masking their identities while provoking suspicions among unsuspecting individuals. 

According to security researchers, there are at least two million compromised devices worldwide comprised of the botnet, indicating both its scope and the growing misuse of consumer IoT infrastructure in modern cyber campaigns. In addition to its sheer scale, NetNut has become an integral component of the underground residential proxy market, providing infrastructure to hundreds of cybercriminals and espionage-linked threat actors. 

Several domains were used to conduct the operations of the service, including netnut.com, seized as a result of the FBI's disruption efforts. Researchers at the Google Threat Intelligence Group (GTIG) observed 316 distinct threat clusters that leveraged suspected NetNut exit nodes during one week last month, illustrating the platform's substantial operational reach. 

As a result of the analysis, attackers were not only able to hide access to their own infrastructure, but also were able to conduct password-spreading campaigns and establish covert connections into targeted environments by using trusted residential IP addresses. NetNut operators are dependent on Google to provide malware command-and-control (C2) services, so Google disabled their accounts and cloud services, effectively cutting them off from their critical backend infrastructure. 

The company notified affected Android users and deactivated malicious applications associated with the botnet simultaneously through Google Play Protect, and it distributed technical intelligence on NetNut's software development kits (SDKs) and C2 architecture to platform providers, law enforcement agencies, and cybersecurity researchers in order to strengthen coordination in detection and mitigation. 

Moreover, Google emphasized that the disruption is likely to spread beyond a single botnet, as NetNut's reseller model has provided infrastructure to multiple residential proxy providers for many years, making the operation potentially significant for the entire illicit proxy ecosystem. Investigations into the operation have also highlighted the commercial infrastructure that underpins the proxy network. 

A report from Qurium, Synthient, Nokia Deepfield, and Spur in June linked the Popa botnet to NetNut, an Israeli public company owned by Alarum Technologies. During controlled testing, Synthient demonstrated that traffic routed through NetNut's commercial gateway originated from a device that was intentionally enrolled in the Popa network, providing evidence that the commercial proxy service was directly connected to compromised endpoints. 

In addition to the researchers refraining from attribution of intent or operational knowledge to Google, Google stated that its own threat intelligence was consistent with the public findings, treating NetNut and Popa as components of the same network and supporting the research team's assessment of proxy infrastructure construction. 

In contrast, Alarum has firmly rejected those conclusions, rejecting the categorization of NetNut as a botnet, and stating that the research is based on "unverified facts, as opposed to demonstrably inaccurate assertions and flawed deductions." In addition to maintaining that its platform operates as a legitimate, consent-based bandwidth-sharing service, the company maintains that it does not compromise user devices or function without authorization. 

Synthient's analysis challenged that position, revealing that none of the twenty examined applications related to the ecosystem provided meaningful consent prompts before enrolling users' devices in bandwidth sharing operations, raising further questions about transparency in the software distribution process. 

Aside from cautioning that removing NetNut represents only the first phase of a much larger effort, Google also stressed that the company operates a large white-label reseller program that allows third parties to market access to the same residential proxy infrastructure under a variety of brand names. As the company points out, a number of residential proxy services which appear to be independent ultimately draw connectivity from the NetNut device pool, so disruptions can affect multiple brands simultaneously if one provider is disrupted. 

However, Google characterized the latest actions as degradation, not a complete takedown, pointing out that operators have previously restored capacity through the use of competing proxy providers to source infrastructure. As evidence of the resilience of these interconnected ecosystems, the company cited its disruption of the China-linked IPIDEA residential proxy network in January and its subsequent legal action against the operators of the BadBox 2.0 botnet, whose Android TV infrastructure is similar to Popa, which was launched in July 2025. 

In order to create long-term impact, sustained, coordinated disruption across multiple providers must be undertaken. According to researchers, consumers' access to residential proxy networks is most commonly facilitated by applications that offer financial rewards for "unused bandwidth" or "sharing internet access." It is highly recommended that security teams only install apps from trusted app stores, carefully review VPN and proxy software permission requests, enable protections such as Google Play Protect, and purchase smart TVs and streaming devices from reputable manufacturers to minimize the risk of preloaded or malicious software being installed. 

Additionally, the report warns that residential IP addresses will not be in short supply in the cybercriminal ecosystem following NetNut's disruption. In order to identify any reemergence of NetNut-related traffic, continued monitoring of reseller brands and successor infrastructure is essential. 

According to Alarum's corporate legal counsel, Omer Weiss, a statement following the operation was issued by the company in which it was made aware of the FBI's seizure of certain NetNut-related domains on July 2, 2026. According to Weiss, Alarum is seriously concerned about the matter and will work closely with law enforcement authorities to investigate any misuse of its infrastructure and support the pursuit of accountability for those responsible. 

 As a result of NetNut's disruption, an important step in challenging the growing abuse of residential proxy infrastructure has been achieved, but the disruption also underscores the increasingly interconnected nature of commercial services, compromised consumer devices, and cybercriminal operations as well.

In a rapidly evolving proxy ecosystem characterized by reseller networks and shared infrastructure, sustained collaboration between technology providers, law enforcement agencies, and cybersecurity professionals will remain crucial. Maintaining trusted software sources, enforcing built-in security protections, and monitoring for unauthorized network activity remain practical safeguards against a threat landscape that is becoming increasingly adaptable.

Hackers Breached Kubota, Employee Data Compromised


Kubota North America Corporation revealed that threat actors compromised its network systems and accessed few resources for over a month in the beginning of 2026.

After an investigation of the breach, the organization discovered that between March and April, the hacker accessed files carrying personal data of employees.

About Kubota 

It is a Japanese industrial manufacturer famous for its construction and agricultural work. Kubota has plants in 120 counties and currently employs over 52,000 people. Kubota has an annual revenue of $20 billion.

The North American division consists of facilities that make utility vehicles, tractors, and mowers. 

About the data leak

“We discovered that files maintained by our human resources team were accessed as part of this incident. We carefully reviewed these files, and on June 16, 2026, we determined that one or more files may have contained personal information related to certain employees and their dependents,” Kubota reported on its site.

What may have been leaked?

As per the announcement posted on the Kubota USA portal, the following employee information may have been revealed:

  • Social security numbers (for dependents too)
  • Full employee names (for dependents too)
  • Dates of birth (for dependents too)
  • IDs of taxpayers
  • Bank account details of direct deposit
  • Corporate payment card details
  • Benefits enrollment data and limited claims information (for dependents too)
  • Driver’s license details or other government IDs

Attack tactic

The specific data that was exposed varies per person. Kubota also started sending personalised mails to inform the individuals about the exact impact on them.

The notification information consists step by step instructions for using Kroll identity protection to help the targets address the threats coming from the leak of their personal data. 

Kubota has specially advised people to look out for bank accounts and  healthcare related statements and promptly report any malicious activity to the concerned authorities.

Safety measures

Kubot has implemented robust security measures to avoid such incidents from happening in the future. 

No cybercrime gangs, data extortion gangs, or ransomware gangs have claimed responsibility for the Kubota breach.

Kubota did not report any operational or business disruptions due to the breach.

On ensuring employee safety, Kubota said, “We take the privacy and confidentiality of our employees’ information very seriously. To help prevent something like this from happening again, we have taken and will continue to take steps to further enhance our existing security measures.” 

BlueHammer Microsoft Defender Vulnerability Linked to Ransomware Attacks After CISA Confirms Active Exploitation

 

Microsoft Defender users are advised to update their software after discovering a security flaw known as BlueHammer was used in ransomware attacks. The weakness with identifier CVE-2026-33825 has been added to the list of flaws actively used by malicious actors. It is part of the growing trend of ransomware attackers using zero-day issues. 

The issue was uncovered after the cybersecurity researcher, otherwise known as Chaotic Eclipse or Nightmare Eclipse, shared the information regarding another vulnerability before the update was released. The same individual has criticized Microsoft several times over their approach to disclosure of security weaknesses. The researcher has published multiple posts about actively used problems prior to the official date of their resolution. 

Microsoft published the details regarding BlueHammer on April 2nd, whereas the security update was released on April 14th. The flaw was categorized as a privilege escalation vulnerability with the ability to escalate the privileges of an authenticated attacker. However, Microsoft updated the description, specifying the risk as more likely than not, while refraining from officially acknowledging active exploitation. 

According to the independent security researchers, the vulnerability was actively used by ransomware operators before the release of the mentioned security update. The evidence came from the report by the Huntress team, which discovered multiple attacks that incorporated CVE-2026-33825 as a zero-day exploit. This information has prompted the addition of the weakness to the CISA’s Known Exploited Vulnerabilities (KEV) list on April 22nd, with the updated listing providing the additional context of ransomware attacks. 

Despite the confirmation of ransomware attacks, the one issued by CISA does not indicate what group may be responsible for them. There is no public evidence linking BlueHammer to any known ransomware group or family. In spite of that, the weakness has been actively used in ransomware operations. At the same time, it is unclear whether other ransomware groups have used it or may be using it currently. The issue has also prompted the debate over the response to such incidents, with the critics suggesting that the defenders and security researchers are not notified when the weaknesses are added to the ransomware operations. 

In practice, the CISA only updates the KEV list periodically. It does not provide threat intelligence and response support for individual organizations every time when the weakness is added to the list. Some security experts have stated that the better alternative would be to notify the defenders directly. In the meantime, a threat intelligence company GreyNoise has announced the availability of a free service that monitors the KEV list for changes, indicating when the weakness is updated to include the details of a ransomware attack. 

The discovery of BlueHammer presents an illustrative example of how fast the ransomware attackers can adopt and incorporate the newly discovered vulnerabilities into their operations. Experts advise the defenders to always remain alert, apply the Microsoft security updates in a timely manner and monitor the threats intelligence channels for the relevant weaknesses. The ransomware operators continue to pursue the opportunities, which render the prompt response to the updates crucial.

Iran-Linked Cyberattacks Against Israel Triple as Critical Infrastructure Faces Rising Threats

 

Surging numbers of cyber intrusions tied to Iran have been logged by Israeli officials, revealing persistent digital hostilities despite lulls in physical warfare. The National Cyber Directorate notes attacks on critical systems now occur at almost three times the frequency seen twelve months ago - this escalation suggests online defenses are just as vital as traditional security setups. While battlefield activity slows, unseen operations thrive behind screens. 

Back in June 2026, Israel saw nearly 4,800 hostile cyber events, according to Yossi Karadi, head of the country's National Cyber Directorate. That number comes from remarks he shared with the German publication Die Welt. Compared to just 1,600 incidents logged one year earlier - during June 2025 - the rise is sharp. 

At that time, Israeli forces were carrying out military actions targeting Iran. Even when fighting slows on the ground, digital clashes do not pause. Though truces might calm frontlines, hacking efforts persist without rest. Karadi pointed out that numerous hacker collectives operate with high-level skills. Despite strong national safeguards, these actors demand ongoing attention. Round-the-clock watch remains necessary, he emphasized. 

One Israeli official noted that the assaults hit many types of groups, not just state bodies. Beyond governmental units, vital utility providers found themselves under pressure. Public administrative hubs also faced repeated digital intrusions. Smaller commercial ventures weren’t spared either - many reported breaches. Accounting practices appeared on the list of compromised entities recently. Legal consultancies showed up frequently in incident reports too. 

So far, Israeli officials say key systems have stayed safe even as attack attempts increase. Confidence in defense strength comes through clearly in Karadi’s remarks - yet he points out dangers still linger. Vigilance must hold steady, because risks remain real and constant. Even when some breaches on vital systems were stopped, firms with poor digital safeguards faced harsher outcomes. 

Some businesses, noted Karadi, fell harder because they were simpler targets - leading to total erasure of their networks after hackers got in. The names of those hit stayed undisclosed. Technical specifics about how it happened? Left out too. 

Across global tensions, digital attacks now routinely accompany physical warfare. Rather than staying separate, hacking efforts blend into modern conflict strategies. Government-linked hackers shift toward striking infrastructure, officials, and corporate networks - often at the same time as troop movements. 

These actions aim less at immediate damage, more at stealing secrets or wiping records clean. Public trust erodes when utilities or institutions face repeated intrusions. Hidden agendas drive many breaches, masking long-term influence goals behind technical exploits. Even though Iran denies launching cyber operations against other nations, it often highlights attacks aimed at its domestic institutions. 

Assigning blame for digital intrusions among states is rarely straightforward - officials commonly reject accusations, leaving experts to piece together evidence using forensic data and collected insights. Despite shifts in traditional combat, cyber operations show no slowdown - recent data from Israel’s National Cyber Directorate confirms their steady rise. 

With global friction still simmering, state-backed hacking efforts keep mounting. Institutions across sectors find themselves under growing strain to adapt defenses accordingly. Sophistication matters more than size when confronting these digital intrusions. Readiness now hinges on responsiveness, not just preparation.

Edgecution Malware Exploits Microsoft Edge Extension to Deploy Python Backdoor in Ransomware Attack

 

One way hackers adapt is by twisting legitimate features into tools for harm. A recent example shows a malicious Microsoft Edge extension escaping the browser’s restricted environment to establish persistent access on infected systems. 

Researchers named the campaign Edgecution, which abuses built-in browser functionality rather than software flaws. The payload deploys a Python-based backdoor capable of silently executing commands on compromised devices. Researchers at Zscaler believe the campaign is linked to an Initial Access Broker associated with the Payouts Kings ransomware operation. 

Instead of exploiting vulnerabilities, the attackers rely on social engineering and legitimate browser capabilities to gain deeper access to victim systems. The attack begins with someone impersonating IT support on Microsoft Teams, directing employees to a fake Microsoft update page under the pretense of installing an email security update. 

Victims see what appears to be an official Outlook update portal, but clicking its buttons instead downloads malware, copies malicious scripts to the clipboard, or requests Microsoft 365 and Outlook credentials. What looks like a routine update quickly turns into a compromise. The downloaded package contains intentionally malformed ZIP headers to evade security scanners. 

Once executed, scripts repair the archive, extract hidden files, configure the system, and create scheduled tasks that silently launch Microsoft Edge in the background. Inside the package are two main components: a malicious Microsoft Edge extension disguised as an Edge Monitoring Agent and a Python-based backdoor. The extension communicates with attacker-controlled servers, receiving commands and sending back results. 

Although browser extensions normally operate inside isolated sandboxes, this attack bypasses those restrictions. Attackers abuse Chrome’s Native Messaging protocol—a legitimate feature that allows browser extensions to communicate with trusted desktop applications. By leveraging this mechanism, the malicious extension launches the bundled Python backdoor as a native application, escaping the browser’s security boundaries.  

Once active, the Python backdoor enables attackers to execute shell commands, run PowerShell and arbitrary Python code, write files, enumerate running processes, and collect system information. Helper scripts generate the Native Messaging manifest and batch files needed to connect the extension with the local application. 

The malicious extension runs inside a headless Microsoft Edge session, remaining invisible to users while maintaining persistent access that is difficult to detect. Zscaler also identified unused commands within both malware components, indicating the framework is still under development and could gain additional capabilities in future versions. 

According to researchers, Edgecution highlights the growing sophistication of ransomware campaigns. Rather than relying solely on traditional malware, attackers increasingly exploit trusted browser features and enterprise collaboration platforms to bypass security defenses. 

To reduce the risk, organizations should closely monitor browser extensions, restrict Chrome Native Messaging where possible, review native messaging host configurations, and train employees to recognize social engineering attempts delivered through platforms such as Microsoft Teams. Zscaler has also published indicators of compromise, including malicious extension hashes and command-and-control servers, to help defenders identify affected systems.

Tata Electronics Confirms Cybersecurity Incident, Says Business Operations Remain Unaffected

 

Tata Electronics has acknowledged that it recently experienced a cybersecurity incident affecting certain parts of its IT infrastructure. However, the company stated that the event did not disrupt its business activities or day-to-day operations.

Addressing the incident, a company spokesperson told BleepingComputer, "A few weeks ago, Tata Electronics identified a cybersecurity incident on some of our systems," adding, "Our response protocols were deployed immediately, and the incident has had no impact on our operations across businesses, which remain unaffected."

Tata Electronics, a subsidiary of the Tata Group, specializes in semiconductor production and electronic component manufacturing. Established in 2020, the company has rapidly expanded its footprint in India's technology manufacturing sector and is currently involved in the production and assembly of Apple iPhones and related components.

While the company has not identified the threat actor behind the attack, its statement follows claims made by the World Leaks cybercrime group, which allegedly published data stolen from Tata Electronics.

According to reports, the leaked material includes folders and documents that purportedly contain manufacturing-related information linked to Apple products. The exposed files are said to feature internal component schematics, printed circuit board (PCB) designs, material specifications, and software development kit (SDK) files.

BleepingComputer has reportedly reached out to Apple for clarification regarding the alleged exposure of proprietary information but has not yet received a response.

World Leaks is widely believed to be the successor to the Hunters International ransomware operation, which ceased activities in July 2025. Unlike its predecessor, which encrypted victims' systems, World Leaks focuses solely on data theft and extortion, threatening to release stolen information publicly unless demands are met.

The group has previously been linked to attacks on several major organizations. Among its notable victims are Dell, which confirmed a cybersecurity breach in July 2025, and Nike, which initiated an investigation after cybercriminals claimed to have stolen 1.4 terabytes of company data in January 2026.

French Government Messaging Platform Tchap Breached After Hijacked User Account Attack

 

A surprise alert came from Paris when officials revealed a security flaw in Tchap, the nation’s encrypted chat system. Through a hijacked login, intruders slipped inside without immediate detection. Only later did analysts at the country's cyber defense unit spot unusual activity. Their probe began quietly, tracing paths taken and files touched during the unauthorized visit. Questions now linger about what data could have been seen or copied in the gap before discovery. 

Starting in 2018, France's DINUM introduced Tchap alongside the country’s cybersecurity body, ANSSI. Built using the Matrix framework, this tool serves only state workers and official institutions through secure chats and teamwork functions. Since launch, usage expanded - now counting above 300,000 people logging in each month, with half a million installs just on Android. Growth picked up speed when Prime Minister François Bayrou advised staff to switch work conversations to Tchap rather than rely on non-European apps. 

Later that week, signs of intrusion appeared on the interface - ANSSI spotted irregular behavior tied to one logged-in profile. That channel got shut down fast, stopping extra breaches. From there, scrutiny turned to stored records, checking what exchanges or documents might have leaked. Though control slipped briefly, response narrowed the risk without delay. Even though no breach occurred, France's digital agency reached out to CNIL due to possible exposure of personal details via the app. 

While public discussions remain accessible to verified participants, those conversations lack encryption safeguards. Because privacy risks exist, officials emphasize handling delicate data strictly within protected one-on-one exchanges. Only secured channels offer the level of protection needed for such content. Over the weekend, someone took credit for the incident, saying they got in by manipulating people rather than exploiting code. 

Though officials haven’t shared specifics about how it happened, the claim points to deception as the entry method. Access reportedly began with an account tied to Tchap’s school-focused systems. From there, information visible within that account was gathered without permission. Among the claims made was access to fixed LDAP login details, left visible inside a PowerShell file circulated by someone working for the state. 

It followed that large volumes of data - over 13 gigabytes - were reportedly copied, spanning both documents and multimedia content. From those materials emerged close to 650,000 individual messages. Account-related records tied to over seventy-three thousand users were pulled apart, revealing emails, affiliations, scheduled call URLs, plus background system logs. 

A separate assertion pointed to how easily such scripts could expose sensitive internal structures. Still examining the reports, investigators work to measure how far the effects reach. When hackers trick users or steal logins, even coded messaging apps can fail - this case shows it once again.