Cybercrime
-
New Python stealer called VVS Stealer harvests Discord tokens and browser data
VVS Stealer is a Python-based information stealer that harvests Discord tokens and browser data. A Unit 42 technical analysis found it is Pyarmor-obfuscated and offered for sale on Telegram from April 2025.
-
Kimwolf botnet infects more than 2 million devices by tunneling through residential proxy networks
A technical analysis by Synthient found the Kimwolf botnet has infected over 2 million devices by tunneling through residential proxy services into home networks. Many infections involve inexpensive Android TV boxes and digital photo frames with insecure defaults.
-
APT36 uses weaponized LNK files to target Indian government entities
A multi-stage fileless campaign attributed to APT36 used oversized .lnk shortcuts embedding PDFs to deliver HTA loaders and in-memory .NET DLLs targeting Indian government systems. The malware adapts persistence to installed antivirus and uses encrypted C2.
-
Investors in F5 urged to seek lead plaintiff status after BIG-IP breach and 10.9% share drop
A press release said investors in F5 have until February 17, 2026 to seek lead plaintiff status after the company linked weaker fiscal 2026 guidance to a BIG-IP security breach and a 10.9 percent two-day share decline.
-
Hacker Threw MacBook Air in River after Breach that Exposed 33.7 Million Accounts
Investigators recovered a MacBook Air thrown into a river after a breach that exposed data for 33.7 million users. The company detailed a 1.685 trillion won compensation package and a government-led probe to manage the response.
-
Unit 42 analysis finds VVS stealer targets Discord users and exfiltrates tokens and browser data
A Unit 42 technical analysis found VVS stealer, a Python-based malware marketed on Telegram in April 2025, targets Discord and browsers to steal tokens and saved credentials and exfiltrates them via Discord webhooks.
-
Handala targeted Telegram accounts of two Israeli officials
In December 2025 Handala posted about 1,900 Telegram chat entries tied to two Israeli officials. Most entries were empty contact cards and only about 40 contained messages, indicating account access rather than full phone compromise.
-
RondoDox botnet exploited React2Shell to enroll IoT devices and web apps
A nine-month campaign enrolled IoT devices and web applications into the RondoDox botnet by exploiting React2Shell. About 90,300 hosts remained vulnerable at the end of 2025. Researchers advise patching Next.js and segmenting IoT.
-
Actor Using Alias 888 Offers More Than 200 GB of Alleged ESA Data
An actor using alias 888 posted on DarkForums on 18 December 2025 offering more than 200 GB of data alleged to be from the European Space Agency. The report has not been independently verified.
-
Korean Air says employee data exposed after supplier hack
Korean Air said in an internal notice that employee names and bank account numbers in its ERP were compromised after a hack of its supplier KC&D. Local reporting put the number of exfiltrated records at about 30,000.










