CyberSecurity news

FlagThis - #cybercrime

@zdnet.com //
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.

Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.

Recommended read:
References :
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • securityaffairs.com: SecurityAffairs article: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
  • : FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
  • The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
  • www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
  • Tenable Blog: Tenable article: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: SOC Prime blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
  • be4sec: Medusa Ransomware is Targeting Critical Infrastructure
  • be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
  • aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
  • www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
  • cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
  • Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
  • techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
  • Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
  • eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
  • Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
  • thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
  • www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
  • www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
  • Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors. A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
  • The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
  • www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer

@World - CBSNews.com //
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.

The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.

Recommended read:
References :
  • bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
  • The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
  • bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
  • The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
  • The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
  • DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
  • bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
  • cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
  • Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
  • Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
  • Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
  • BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
  • hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
  • Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again, authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
  • Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
  • techxplore.com: US indicts 12 Chinese nationals in hacking
  • : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
  • Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
  • WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
  • Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
  • blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
  • Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
  • Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.

do son@Daily CyberSecurity //
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.

Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.

Recommended read:
References :
  • Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • : Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
  • Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
  • bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
  • The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
  • RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
  • gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
  • securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
  • www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
  • securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
  • Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
  • www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
  • CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
  • www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
  • Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, legal, and technology.
  • : CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
  • www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
  • The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
  • DataBreaches.Net: #StopRansomware: Medusa Ransomware
  • hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
  • Talkback Resources: #StopRansomware: Medusa Ransomware | CISA [net] [mal]
  • Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
  • SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure

Lorenzo Franceschi-Bicchierai@techcrunch.com //
Rostislav Panev, a dual Russian-Israeli national suspected of being a key developer for the notorious LockBit ransomware operation, has been extradited to the United States. Panev was arrested in Israel in August 2024 following a U.S. provisional arrest request and has now made an initial appearance before a U.S. magistrate, where he was detained pending trial. U.S. authorities allege that Panev played a crucial role in developing the LockBit ransomware from its inception around 2019 through February 2024.

Panev is accused of developing code and maintaining infrastructure for LockBit. The U.S. Department of Justice (DoJ) stated that Panev and his co-conspirators grew LockBit into one of the most active and destructive ransomware groups globally. LockBit operators and affiliates have extracted at least $500 million in ransom payments from victims, causing billions of dollars in lost revenue and recovery costs. The complaint against Panev follows charges brought against other LockBit members, including its alleged primary creator, developer, and administrator, Dmitry Yuryevich Khoroshev, for whom the U.S. is offering a reward of up to $10 million.

Recommended read:
References :
  • bsky.app: A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges.
  • techcrunch.com: The US Department of Justice announced that Rostislav Panev, who developed code and maintained infrastructure for LockBit, is now in U.S. custody.
  • : US authorities have extradited Rostislav Panev on charges of being a developer of the notorious LockBit ransomware
  • securityaffairs.com: LockBit ransomware developer Rostislav Panev was extradited from Israel to the U.S.
  • BleepingComputer: Suspected LockBit ransomware dev extradited to United States
  • The DefendOps Diaries: International Cooperation in Combating Cybercrime: The Extradition of Rostislav Panev
  • thecyberexpress.com: Alleged LockBit Ransomware Developer Extradited to U.S. to Stand Trial
  • DataBreaches.Net: Dual Russian And Israeli National Extradited To The United States For His Role In The LockBit Ransomware Conspiracy
  • The Hacker News: Alleged Israeli LockBit Developer Rostislav Panev Extradited to U.S. for Cybercrime Charges
  • The Record: Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
  • securityonline.info: Major LockBit Ransomware Developer Extradited to U.S.
  • hackread.com: LockBit Developer Rostislav Panev Extradited from Israel to the US
  • Talkback Resources: Ransomware Developer Extradited, Admits Working for LockBit [mal]
  • www.it-daily.net: LockBit ransomware developer extradited to the USA
  • www.scworld.com: US extradites alleged LockBit developer
  • www.itpro.com: Alleged LockBit developer extradited to the US

Shira Landau@Email Security - Blog //
The FBI has issued a warning regarding a new data extortion scam where criminals are impersonating the BianLian ransomware group. These fraudsters are sending physical letters through the United States Postal Service to corporate executives, claiming their networks have been breached. The letters demand Bitcoin payments in exchange for preventing the release of sensitive company data.

Analysis suggests these letters are fraudulent, and organizations, particularly within the US healthcare sector, are advised to report such incidents to the FBI. Security vendors, including Arctic Wolf and Guidepoint Security, have studied these letters and believe the campaign is a ruse by someone pretending to be BianLian. The letters mimic conventional ransom notes, demanding payments of between $250,000 to $350,000 within 10 days.

This activity highlights the evolving tactics of cybercriminals who are now employing postal mail to target high-profile individuals in an attempt to extort money under false pretenses. The FBI urges companies to implement internal protocols for verifying ransom demands and to remain vigilant against these deceptive practices. It’s crucial for organizations to discern fake attacks from real ones amidst the increasing complexity of cybercrime.

Recommended read:
References :
  • Arctic Wolf: Self-Proclaimed “BianLian Group” Uses Physical Mail to Extort Organizations
  • CyberInsider: Fake BianLian Ransom Notes Delivered to Executives via Post Mail
  • DataBreaches.Net: Bogus ‘BianLian’ Gang Sends Snail-Mail Extortion Letters
  • www.csoonline.com: Ransomware goes postal: US healthcare firms receive fake extortion letters
  • PCMag UK security: Businesses Are Receiving Snail Mail Ransomware Threats, But It's a Scam
  • BrianKrebs: Someone has been snail mailing letters to various businesses pretending to be the BianLian ransomware group.
  • Cyber Security News: FBI Warns of Data Extortion Scam Targeting Corporate Executives
  • gbhackers.com: FBI Warns: Threat Actors Impersonating BianLian Group to Target Corporate Executives
  • techcrunch.com: There is no confirmed link between the campaign and the actual BianLian ransomware group, making this an elaborate impersonation.
  • thecyberexpress.com: FBI Issues Urgent Warning About Data Extortion Scam Targeting Corporate Executives
  • Email Security - Blog: The U.S. Federal Bureau of Investigation (FBI) has recently released an urgent advisory pertaining to a sophisticated email-based extortion campaign.
  • Threats | CyberScoop: The FBI is warning business leaders about the scam perpetrated by an unidentified threat group.
  • gbhackers.com: The novel approach highlights a shift in extortion tactics.
  • Vulnerable U: Executives Receive Fake Snail Mail BianLian Ransomware Notes
  • Malwarebytes: Ransomware threat mailed in letters to business owners
  • www.scworld.com: The FBI is warning of a ransomware operation targeting C-suite executives via the US Postal Service.
  • Cyber Security News: Fake BianLian Ransom Scams Target U.S. Firms Through Mailed Letters
  • borncity.com: CISA warning: Cyber criminals (BianLian Groupe) attempt to blackmail executives
  • Jon Greig: The FBI warned executives of a new scam where people claiming to be part of the BianLian ransomware gang are mailing physical letters with threats. Arctic Wolf said it is aware of at least 20 organizations or executives who have received these letters.
  • Kali Linux Tutorials: Cyber Threat Group Sends Paper-Based Extortion Letters
  • The DefendOps Diaries: Cybercriminals exploit YouTube's copyright system to extort creators, spreading malware and demanding ransoms.
  • www.bleepingcomputer.com: Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos.

Mandvi@Cyber Security News //
A new Ransomware-as-a-Service (RaaS) program, VanHelsingRaaS, has rapidly emerged as a significant threat in the cybercrime world. Launched on March 7, 2025, the program has quickly gained traction, infecting three victims within its first two weeks of operation. The service offers affiliates a control panel and a cross-platform locker, VanHelsing, which is capable of targeting a wide variety of systems, including Windows, Linux, BSD, ARM, and ESXi. This broad platform support allows affiliates to target diverse environments, increasing the potential impact of attacks.

The VanHelsingRaaS program requires a $5,000 deposit for new affiliates, while reputable affiliates can join for free. Affiliates earn 80% of the ransom payments, while the core operators receive the remaining 20%. A key restriction is the prohibition of targeting systems in the Commonwealth of Independent States (CIS). Check Point Research has identified two VanHelsing ransomware variants targeting Windows systems, but the RaaS advertisement indicates wider capabilities. This suggests the ransomware is designed to be adaptable and versatile, posing a significant threat to organizations across various industries and operating systems.

Recommended read:
References :
  • gbhackers.com: VanHelsing Ransomware Targets Windows Systems with New Evasion Tactics and File Extension
  • Check Point Research: VanHelsing, new RaaS in Town
  • Christoffer S.: (checkpoint.com) VanHelsingRaaS: Analysis of a New and Rapidly Expanding Ransomware-as-a-Service Program
  • Check Point Blog: The Rise of VanHelsing RaaS: A New Player in the Ransomware Landscape
  • Blog: New ‘VanHelsing’ RaaS hunts your data, not vampires
  • The Hacker News: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics
  • : VanHelsingRaaS, a new ransomware-as-a-service program, infected three victims within two weeks of release, demanding ransoms of $500,000
  • Talkback Resources: VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics [mal]
  • The DefendOps Diaries: VanHelsing Ransomware: A Multi-Platform Threat with Sophisticated Tactics
  • Security Risk Advisors: VanHelsing Ransomware hits Windows, Linux, and ESXi with stealthy encryption and demands up to $500K.
  • Broadcom Software Blogs: VanHelsing RaaS is a burgeoning ransomware-as-a-service (RaaS) platform that launched on March 7, 2025.
  • Cyber Security News: VanHelsingRaaS, a newly launched ransomware-as-a-service (RaaS) program, has quickly gained traction in the cybercrime landscape.
  • www.bleepingcomputer.com: New VanHelsing ransomware targets Windows, ARM, ESXi systems
  • securityonline.info: VanHelsingRaaS: A New Player in the Ransomware Game
  • CyberInsider: New VanHelsing ransomware demands $500,000 ransom payments
  • Information Security Buzz: VanHelsingRaaS Strikes: Sinking Its Fangs into Windows, Linux, and More
  • securityonline.info: CYFIRMA’s Research and Advisory Team has uncovered a new ransomware strain, “VanHelsing”.
  • The Register - Security: VanHelsing ransomware emerges to put a stake through your Windows heart
  • www.csoonline.com: New VanHelsing ransomware claims three victims within a month

Andres Ramos@Arctic Wolf //
A resurgence of a fake CAPTCHA malware campaign has been observed, with threat actors compromising widely used websites across various industries. They are embedding a fake CAPTCHA challenge that redirects victims to a site triggering PowerShell code execution. This campaign exploits social engineering tactics and fake software downloads to deceive users into executing malicious scripts.

Fake CAPTCHA pages that mimic legitimate verification prompts use the same tactic: when users attempt to pass the check, they are instructed to paste and run a command that the page has already copied to their clipboard. The OBSCURE#BAT malware campaign is a major cybersecurity threat to both individuals and organizations, primarily because it compromises sensitive data while using advanced evasion techniques, including API hooking, to hide its files and registry entries and make detection difficult.

Recommended read:
References :
  • Arctic Wolf: Widespread Fake CAPTCHA Campaign Delivering Malware
  • hackread.com: New OBSCURE#BAT Malware Targets Users with Fake Captchas
  • Security Risk Advisors: 🚩 Fake CAPTCHA Malware Campaign Resurges With Multi-Stage PowerShell Infostealers
  • SpiderLabs Blog: Resurgence of a Fake Captcha Malware Campaign
  • www.zdnet.com: That weird CAPTCHA could be a malware trap - here's how to protect yourself
  • Seceon Inc: Beware of Fake CAPTCHA Scams: How Cybercriminals Are Hijacking Your Clipboard to Steal Data
  • www.cysecurity.news: Fake CAPTCHA Scams Trick Windows Users into Downloading Malware
  • : Attackers Use Fake CAPTCHAs to Deploy Lumma Stealer RAT
  • Broadcom Software Blogs: In a recent surge of sophisticated cyber threats, attackers are exploiting fake CAPTCHA verifications to hijack users’ clipboards, leading to the installation of information-stealing malware.
  • Security Risk Advisors: ClearFake injects JavaScript to show fake CAPTCHAs on compromised sites, tricking users into running PowerShell for Lumma/Vidar malware.
  • www.cisecurity.org: The CIS CTI team spotted a Lumma Stealer campaign where SLTT victims were redirected to malicious webpages delivering fake CAPTCHA verifications.
  • gbhackers.com: Attackers Leverage Weaponized CAPTCHAs to Execute PowerShell and Deploy Malware
  • Sucuri Blog: Sucuri Blog: Fake Cloudflare Verification Results in LummaStealer Trojan Infections
  • securityonline.info: Fake Cloudflare Verification Prompts Deliver LummaStealer Trojan Through Infected WordPress Sites

Amar Ćemanović@CyberInsider //
Japanese telecom giant NTT Communications has confirmed a data breach impacting nearly 18,000 corporate customers. The company discovered unauthorized access to its internal systems on February 5, 2025. Hackers are reported to have accessed details of these organizations, potentially compromising sensitive data.

The stolen data includes customer names, contract numbers, phone numbers, email addresses, physical addresses, and information on service usage belonging to 17,891 organizations, according to NTT Com. While NTT Com has restricted access to compromised devices and disconnected another compromised device, the specific nature of the cyberattack and the identity of the perpetrators remain unknown. It’s not yet known how many individuals had personal data stolen.

Recommended read:
References :
  • Carly Page: Japanese telecom giant NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack. It’s not yet known how many individuals had personal data stolen or who was behind the NTT breach
  • CyberInsider: NTT Communications Suffers Data Breach Impacting 18,000 Companies
  • BleepingComputer: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • techcrunch.com: Unidentified hackers breached NTT Com’s network to steal personal information of employees at thousands of corporate customers
  • bsky.app: Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident.
  • The DefendOps Diaries: Lessons from the NTT Data Breach: A 2025 Perspective
  • www.scworld.com: NTT Communications says hackers stole the data of almost 18,000 corporate customers during a February cyberattack
  • securityaffairs.com: Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies
  • The420.in: Japanese Telecom Giant NTT Suffers Data Breach, Impacting 18,000 Companies
  • www.it-daily.net: The Japanese ICT provider NTT Communications (NTT Com) has admitted to a serious security breach that resulted in the loss of information on a total of 17,891 corporate customers.
  • www.scworld.com: Nearly 18K orgs' data compromised in NTT Communications hack

Lily Hay@WIRED //
Cybercriminals have allegedly stolen over $635,000 worth of Taylor Swift concert tickets by exploiting a loophole in an offshore ticketing system. Two individuals, Tyrone Rose, 20, and Shamara Simmons, 31, have been arrested and charged with grand larceny and computer tampering. The scheme involved stealing URLs for nearly 1,000 tickets to various events, including Taylor Swift's Eras Tour, Ed Sheeran concerts, Adele concerts, NBA games, and the US Open Tennis Championships, before reselling them for substantial profit.

Between June 2022 and July 2023, Rose and Simmons allegedly stole the tickets through an offshore ticket vendor and then resold them on StubHub in the US for significant profit. Rose, an employee of Sutherland Global Services, a third-party contractor for StubHub Jamaica, is accused of abusing his access to the network to find a backdoor. Prosecutors say the pair stole the tickets by allegedly intercepting approximately 350 orders from StubHub. The investigation is ongoing to determine if the Swift ticket scam was part of a wider operation.

Recommended read:
References :
  • WIRED: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets
  • The Register - Security: Alleged cyber scalpers Swiftly cuffed over $635K Taylor ticket heist
  • The DefendOps Diaries: Cybercrime Exposes Vulnerabilities in Ticketing Systems: A Case Study
  • BleepingComputer: Cybercrime 'crew' stole $635,000 in Taylor Swift concert tickets
  • darkmarc.substack.com: Cybercriminals pulled off a massive ATM heist, hackers stole $600K in Taylor Swift concert tickets, and Mark Cuban made a bold move for laid-off tech workers. Instagram users were hit with a disturbing glitch, and Mozilla’s new terms sparked privacy fears. Here’s what happened this week.
  • www.techradar.com: Cybercriminals used vendor backdoor to steal almost $600,000 of Taylor Swift tickets
  • bsky.app: Cybercriminals Allegedly Used a StubHub Backdoor to Steal Taylor Swift Tickets

Dhara Shrivastava@cysecurity.news //
February witnessed a record-breaking surge in ransomware attacks, fueled by the prolific activity of groups like CL0P, known for exploiting MFT vulnerabilities. The ransomware landscape is also seeing significant activity from groups like Akira and RansomHub.

Recent analysis reveals a notable development with the Black Basta and CACTUS ransomware groups, uncovering a shared BackConnect module. This module, internally tracked as QBACKCONNECT, provides extensive remote control capabilities, including executing commands and exfiltrating sensitive data. The Qilin ransomware group has also claimed responsibility for attacks on the Utsunomiya Central Clinic (UCC), a cancer treatment center in Japan, and Rockhill Women's Care, a gynecology facility in Kansas City, stealing and leaking sensitive patient data.

Recommended read:
References :
  • cyble.com: February Sees Record-Breaking Ransomware Attacks, New Data Shows
  • The Register - Security: Qilin ransomware gang claims attacks on cancer clinic, OB-GYN facility
  • iHLS: Ransomware Group Targets Cancer Clinic, Exposes Sensitive Health Data
  • securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
  • thecyberexpress.com: Ransomware attacks set a single-month record in February that was well above previous highs.
  • The DefendOps Diaries: Akira Ransomware: Unsecured Webcams and IoT Vulnerabilities
  • blog.knowbe4.com: A new report from Arctic Wolf has found that 96% of attacks now involve data theft as criminals seek to force victims to pay up.
  • DataBreaches.Net: The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim's network.