#ransomware

Klue says the hackers who stole its customer data are deleting it, but a second group has emerged with extortion demands

Klue, the market intelligence firm whose breach exposed customer data at LastPass, HackerOne, and others, says the original hacking group Icarus is now deleting the stolen data. However, a second unnamed hacker group claims to have obtained the data from Icarus and is extorting affected companies directly, demanding payment or threatening to leak everything. Icarus reportedly told Klue the second group only has data samples for a subset of customers, not the full dataset, and instructed Klue to tell customers not to pay the second group. The breach stemmed from a compromised third-party credential from 2022 that was never revoked, granting OAuth access to customers' Salesforce environments. Over a dozen companies including Gong, Jamf, HackerOne, and LastPass have confirmed they were affected.

Evaluating Mexico’s New Cybersecurity Plan

Mexico's 2025–2030 National Cybersecurity Plan, published by the ATDT in December 2025, outlines a six-phase roadmap to modernize the country's cyber posture. The plan addresses top threats including ransomware, financial malware, hacktivism, state-sponsored attacks, and organized crime. Key milestones include passing a General Cybersecurity Law in 2026, establishing a National Center for Cybersecurity Operations, creating a National Cyber Range by 2027, and integrating AI for cyber defense by 2028. Mexico ranks as a Tier 2 nation in the ITU Global Cybersecurity Index but lags in institutional capacity. The 2026 FIFA World Cup co-hosted by Mexico serves as an immediate stress test for its digital infrastructure. Insikt Group recommends organizations in Mexico adopt international standards like NIST CSF or ISO/IEC 27001, conduct scenario-planning exercises, leverage threat intelligence platforms, and invest in public cyber hygiene education.

Akira, LimeWire, and the Sour Taste of Data Exfiltration

A Huntress SOC investigation uncovered an Akira ransomware affiliate using an unusual attack chain: the threat actor accessed a hypervisor, spun up a new virtual machine (bypassing installed security tooling), disabled Microsoft Defender, archived target data with WinRAR, and exfiltrated it via Easyupload.io — a file-sharing site now owned by the rebranded LimeWire platform. The VHDX image of the VM provided forensic analysts a clear timeline of attacker activity, including Active Directory enumeration, lateral movement to file servers, and rapid ransomware deployment. The incident highlights how RaaS affiliates adapt TTPs, including creating new VMs to evade endpoint security stacks, and underscores the need to monitor for new endpoint creation within environments.

Europe Evolves Into Ransomware's Favorite Region

Ransomware attacks in Europe surged 55% in the first four months of 2026 compared to the same period in 2025, with France seeing a 119% increase and Italy 92%. Researchers from Black Kite attribute the shift to US market oversaturation and AI-assisted target research pointing attackers toward European organizations. The number of active ransomware groups has grown from 60 in 2023 to 150 today, filling the vacuum left by law enforcement takedowns of major RaaS operations. Manufacturing and digital services sectors are primary targets, largely because attackers exploit supply chain leverage — breaching one vendor to access hundreds of downstream clients, as demonstrated by the Miljödata attack that exposed data from ~200 Swedish municipalities. Experts recommend organizations map fourth- and fifth-party vendor dependencies and rank vendors by risk proactively rather than reactively.

Be on the lookout for Mistic, a new backdoor used by ransomware broker

Symantec researchers have identified a new backdoor called Mistic, active since April, linked to the initial access broker group Woodgnat (also known as KongTuke). The malware uses DLL sideloading via a legitimate Microsoft Defender executable to load itself in memory, avoiding disk-based detection. It communicates with a C2 server, executes code in memory, and includes a kill switch for stealth. Woodgnat sells network access to ransomware gangs including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Infection chains rely on ClickFix social engineering — fake CAPTCHAs, browser crash lures, and Microsoft Teams impersonation of IT support — to trick users into running malicious PowerShell commands. The report includes indicators of compromise for defenders.

One-two punch delivered in global operation disrupts cybercrime “assembly line”

Cơ quan chức năng toàn cầu cùng các công ty công nghệ, bao gồm Microsoft, đã triệt phá một "dây chuyền lắp ráp" tội phạm mạng bằng cách tấn công đồng thời hai nền tảng malware phổ biến: Amadey (cung cấp dịch vụ malware) và StealC (cung cấp dịch vụ infostealer). Microsoft phát hiện hai công cụ này chia sẻ hạ tầng chung nhờ phân tích AI, hỗ trợ chiến dịch triệt phá phối hợp. Chiến dịch thuộc "Operation Endgame" liên quan đến việc đánh cắp hàng triệu thông tin đăng nhập và hơn 47 triệu USD từ tiền chuộc và gian lận.

Lập trình viên nên đọc bài này để hiểu cách các công ty công nghệ và cơ quan pháp luật sử dụng công nghệ AI và phân tích hệ thống để phát hiện và phá hủy các nền tảng malware được thiết kế để tự động hóa và mở rộng các cuộc tấn công cybercrime, giúp bảo vệ hệ thống của mình trước các mối đe dọa ngày càng phức tạp.

Malicious Edge extension abuses Native Messaging as bridge to malware

A malicious Microsoft Edge extension called 'Edgecution' has been discovered abusing Chrome's Native Messaging protocol to escape the browser sandbox and deploy a Python-based backdoor. The attack chain begins with social engineering via Microsoft Teams, where attackers pose as IT support and direct victims to a fake Microsoft update page. From there, multiple scripts (AutoHotKey, batch, PowerShell) deploy the malware, which runs in a headless Edge browser and communicates with a local Python backdoor capable of executing shell commands, running PowerShell, writing files, and gathering system information. Zscaler researchers link the campaign to an initial access broker connected to the Payouts Kings ransomware operation. Organizations are advised to monitor browser extensions and enforce strict native messaging host controls.

Scattered Spider duo convicted over $38M Transport for London attack

Two members of the Scattered Spider cybercrime collective, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to hacking Transport for London's network between August 31 and September 3, 2024. The attack disrupted in-station services, online portals, forced 28,000 employees to reset passwords in person, and exposed personal data of an estimated 10 million people. TfL suffered approximately £29 million ($38.2 million) in losses and recovery costs. Forensic evidence found on seized devices also linked Flowers to breaches of US healthcare companies. The convictions are part of a broader wave of prosecutions against Scattered Spider members, whose tactics include social engineering, SIM swapping, and help-desk impersonation to bypass MFA and gain network access.

Amadey, StealC malware operations disrupted in Operation Endgame action

Microsoft, Europol, and international partners have disrupted the Amadey and StealC malware-as-a-service operations as part of Operation Endgame. The action took down 326 servers and 142 domains, identified over €41 million in criminal cryptocurrency, and recovered approximately 27 million stolen credentials from more than 385,000 compromised systems. Microsoft's Digital Crimes Unit identified over 200 malicious C2 domains linked to the two malware families, which infected more than 140,000 devices in just the first two weeks of May 2026. Amadey is used for initial access and deploying additional malware, while StealC steals credentials and cryptocurrency wallets. The operation also targeted SocGholish. Private-sector partners including ESET, Proofpoint, IBM X-Force, and Bitsight contributed intelligence and analysis. Experts note that without arrests, threat actors often rebuild infrastructure and resume attacks.

Stealthy Mistic backdoor linked to ransomware access broker KongTuke

A new stealthy backdoor called Mistic (also tracked as MTLBackdoor by Zscaler) has been linked to KongTuke/Woodgnat, an initial access broker active since 2024 that sells corporate network access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic is deployed via DLL side-loading using a legitimate Microsoft executable, disguises itself with names resembling Microsoft endpoint security tooling, and runs payloads entirely in memory with no disk writes. Key capabilities include file operations, C2 beacon interval modification, in-memory code execution, and a kill switch for self-deletion. Notably, it supports Beacon Object Files (BOFs) — a technique common in red team tools like Cobalt Strike — allowing capability expansion without leaving disk artifacts. The backdoor has been observed in attacks targeting insurance, education, IT, and professional services sectors since at least April 2025, often deployed alongside ModeloRAT via ClickFix-style social engineering.

Tata Electronics confirms cyberattack as hackers leak data

Tata Electronics, the Tata Group division that manufactures and assembles Apple iPhones, has confirmed a cyberattack that impacted parts of its IT infrastructure, while stating operations remained unaffected. The World Leaks threat group — a rebrand of the Hunters International ransomware gang that now operates purely as a data extortion group — leaked data allegedly stolen from Tata, including Apple product manufacturing data such as internal component schematics, PCB designs, material specifications, and SDK files. Apple has not yet responded to inquiries about potential exposure of proprietary data. World Leaks has previously claimed breaches at Dell and Nike.

Klue says hackers stole credential from 2022 that led to customer data breaches

Market research company Klue confirmed that hackers used a credential from a 2022 limited pilot to breach its systems on June 12, stealing OAuth tokens that granted access to customer data stored in third-party clouds and databases. Affected customers include LastPass and several other cybersecurity firms. The hacking group Icarus claimed responsibility and is threatening to release stolen data unless a ransom is paid. Klue has not explained why the four-year-old credential was never revoked after the pilot ended, raising serious questions about its credential management and vendor-access controls.

SocGholish Takedown Highlights Malicious TDS Threats

An international law enforcement operation (Operation Endgame) seized 106 servers and numerous domains tied to SocGholish, a JavaScript malware framework used as an initial-access broker for ransomware groups including Evil Corp. The action also remediated nearly 15,000 compromised WordPress websites. SocGholish relies on traffic distribution systems (TDSs) to redirect users from legitimate sites to fake browser update pages, filtering out researchers and bots while targeting domain-joined enterprise systems for deeper intrusion. The FBI issued guidance urging organizations to change default JavaScript file associations, monitor endpoints for suspicious script execution, keep CMS platforms updated, and audit administrator accounts to defend against TDS-based attacks.

SonicWall CVE-2024-40766 Proves Patching Is Not Remediation

A SANS Internet Storm Center audit of 14 SonicWall firewalls patched for CVE-2024-40766 (CVSS 9.8) found that Akira and Fog ransomware operators had compromised several of them post-patch. The core finding: firmware patching alone is not remediation. Attackers pre-created accounts, harvested credentials, and enrolled their own TOTP devices before patches were applied. Key gaps found across audited devices include stale SSLVPN accounts (12/14), no credential rotation post-patch (11/14), overly permissive LDAP group mappings giving all AD users VPN access (9/14), and publicly reachable TOTP enrollment portals (7/14). Gen 6 hardware is now end-of-life with no further firmware fixes. The recommended checklist covers account auditing, credential rotation, LDAP reconfiguration, portal access restriction, upgrading to SonicOS 7.3.0+, and external log forwarding to a SIEM.

Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident

Grafana Labs disclosed a security incident originating from the TanStack npm supply chain attack (Mini Shai-Hulud campaign). Attackers gained unauthorized access to Grafana Labs' GitHub repositories and downloaded source code and internal operational data, then issued a ransom demand. Grafana Labs refused to pay, notified federal law enforcement, and confirmed no customer production systems or Grafana Cloud platform were compromised. Mitigation steps included rotating GitHub workflow tokens, auditing all commits since May 11, enhancing monitoring, and hardening CI/CD pipelines. An external audit by Mandiant is underway, with a post-incident report expected in June 2026.

Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds

Microsoft's Detection and Response Team (DART) uncovered two separate, unrelated threat actors simultaneously operating inside the same victim network after unpatched on-premises SharePoint servers were exploited. Storm-2603 deployed ransomware using tools like Cloudflare Tunnel and Velociraptor, while a second actor used DLL sideloading, custom backdoors, and attempted Active Directory credential theft. The overlapping intrusions obscured each other, complicating detection and response. DART resolved the case by correlating identity, endpoint, and cloud telemetry. The investigation expanded to a second compromised organization. Key takeaways include prioritizing patching of internet-facing systems, centralizing telemetry, and maintaining tested incident response playbooks.

Tata Electronics breach claims to expose Apple and Tesla trade secrets

India's Tata Electronics has confirmed a cybersecurity incident after ransomware group World Leaks claimed to have stolen over 630GB of data, including purported Apple and Tesla component design files and trade secrets. A 52-page document with Apple's proprietary markings allegedly detailing iPhone circuit-board quality-inspection standards and Tesla Model Y chargeport controller files were listed on a dark-web index. Tata says operations were unaffected, but Apple is investigating and a ransom demand has been received. The authenticity of the files remains unverified. The incident highlights the growing risk of supply chain attacks, where attackers target contract manufacturers to gain leverage over high-profile customers who never directly touched the breached network.