Cybercrime
-
Alleged WIRED subscriber database of 2.37 million records posted to hacking forum
An alleged WIRED subscriber database of 2,366,576 records was posted to a hacking forum on December 20. Independent analysis matched records to infostealer logs, and the dataset is listed on Have I Been Pwned.
-
Lumma Stealer delivered through fake itch.io update links to Patreon
G DATA Security Lab found a campaign using spam comments on itch.io that linked to Patreon downloads of a nexe-compiled executable, which writes a native module and loads a LummaStealer payload. Samples include six anti-analysis checks.
-
China-linked APT used DNS poisoning to deliver MgBot backdoor, Kaspersky says
Kaspersky linked a China-aligned APT known as Evasive Panda to a campaign from November 2022 to November 2024 that used DNS poisoning to deliver an MgBot backdoor to targets in Türkiye, China and India, employing staged loaders, custom encryption and host-specific payloads.
-
Jamf finds MacSync macOS stealer delivered in signed, notarized Swift installer
Jamf researchers found a MacSync macOS stealer variant delivered in a code-signed, notarized Swift installer inside a DMG that could bypass Gatekeeper. Apple revoked the signing certificate, and analysis links the payload to the rebranded Mac.c infostealer, which has remote command-and-control capabilities.
-
Two Chrome extensions intercepted traffic and exfiltrated credentials, researchers say
Researchers reported two Chrome extensions, named Phantom Shuttle, that posed as VPN/speed-test tools but injected hard-coded proxy credentials, routed traffic through attacker-controlled proxies and exfiltrated user credentials and other sensitive data to a command-and-control server.
-
La Poste hit by major network incident, digital services disrupted
La Poste said a “major network incident” knocked its information systems offline, disrupting websites and mobile banking for millions while core banking and in-person services remained available; French outlets reported the outage was caused by a DDoS attack.
-
MacSync Stealer shifts to signed Swift dropper, removing need for terminal commands
MacSync Stealer operators now distribute a code-signed, notarized Swift dropper inside a disk image, removing the need for terminal interaction. The change has enabled rapid infections of macOS systems since mid-2025.
-
Interpol-led Operation Sentinel results in 574 arrests, $3 million recovered and six ransomware strains decrypted
Interpol said Operation Sentinel, conducted across 19 countries between Oct. 27 and Nov. 27, resulted in 574 arrests, about $3 million recovered, more than 6,000 malicious links removed and the decryption of six ransomware variants, with cases linked to over $21 million in losses.
-
Malicious npm WhatsApp API ‘lotusbail’ found stealing tokens and linking attacker devices
A malicious npm package named lotusbail, downloaded more than 56,000 times, masquerades as a WhatsApp API while capturing authentication tokens, messages and contacts and linking an attacker device to victims’ WhatsApp accounts, Koi Security researchers said; ReversingLabs also disclosed related NuGet supply-chain malware.