The European Commission, the European Union’s main executive body, is investigating a security breach after a threat actor gained access to the Commission’s Amazon cloud environment.
Although the EU’s executive cabinet has yet to disclose the incident publicly, BleepingComputer has learned that the breach affected at least one of the Commission’s AWS (Amazon Web Services) accounts.
“AWS did not experience a security event, and our services operated as designed,” an AWS spokesperson told BleepingComputer after publishing time.
Sources familiar with the incident have told BleepingComputer that the attack was quickly detected and that the Commission’s cybersecurity incident response team is now investigating.
While the Commission has yet to share any details about this breach, the threat actor who claimed responsibility for the attack reached out to BleepingComputer earlier this week, stating that they had stolen over 350 GB of data (including multiple databases).
They didn’t disclose how they breached the affected accounts, but they provided BleepingComputer with several screenshots as proof that they had access to information belonging to European Commission employees and to an email server used by Commission employees.
The threat actor also told BleepingComputer that they will not attempt to extort the Commission using the allegedly stolen data as leverage, but intend to leak the data online at a later date.
The Commission disclosed another data breach in February after discovering on January 30 that the mobile device management platform used to manage its staff’s devices had been hacked.
The January incident appears to be linked to similar attacks targeting other European institutions (including the Dutch Data Protection Authority and Valtori, a government agency of Finland’s Ministry of Finance) that exploit code-injection vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software.
These recent security breaches come on the heels of the Commission’s January 20 proposal for new cybersecurity legislation to strengthen defenses against state-backed actors and cybercrime groups targeting Europe’s critical infrastructure.
Last week, the Council of the European Union also sanctioned three Chinese and Iranian companies for orchestrating cyberattacks targeting the critical infrastructure of member states.
Update March 27, 13:56 EDT: Added Amazon statement.
Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people.
“We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter,” Crunchyroll told BleepingComputer.
This statement comes after a threat actor contacted BleepingComputer last Thursday and claimed they breached Crunchyroll on March 12th at 9 PM EST, after gaining access to the Okta SSO account of a support agent working for Crunchyroll.
This support agent is allegedly an employee of the Telus International business process outsourcing (BPO) company, who has access to Crunchyroll support tickets. The threat actors claimed to have used malware to infect the agent’s computer and gain access to their credentials.
From screenshots shared with BleepingComputer, these credentials gave access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack.
Using this access, the attackers say they downloaded 8 million support ticket records from Crunchyroll’s Zendesk instance. Of these records, there are allegedly 6.8 million unique email addresses.
Samples of the support tickets seen by BleepingComputer and then deleted contain a wide variety of information, including the Crunchyroll user’s name, login name, email address, IP address, general geographic location, and the contents of the support tickets.
While other reports on the incident claim that credit card information was exposed, BleepingComputer has confirmed that credit card details were exposed only when the customer shared them in the support ticket.
For the most part, this included only basic information, such as the last four digits or expiration dates, and only a few contained full card numbers, according to the threat actor.
The support tickets seen by BleepingComputer all reference Telus, supporting the threat actor’s claim that they compromised a BPO employee.
The attacker says their access was revoked after 24 hours, letting them steal data up to mid-2025.
The hacker claims to have sent extortion emails to Crunchyroll, demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company.
While this attack targeted a Telus employee, BleepingComputer was told it was not related to the massive breach at Telus Digital by the ShinyHunters extortion gang.
BPOs are a high-value target
Business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies.
As a result, threat actors can compromise a single BPO employee and gain access to large amounts of customer and corporate data across multiple companies.
In the past year, threat actors have exploited BPOs by bribing insiders with legitimate access, social engineering support staff into granting unauthorized access, and compromising BPO employee accounts to reach internal systems.
In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company’s network.
Major retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.
Marks & Spencer confirmed that attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff’s access.
In response to the attacks on M&S and Co-op retail companies, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.
In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.
Cybersecurity researchers are calling attention to an active device code phishing campaign that’s targeting Microsoft 365 identities across more than 340 organizations in the U.S., Canada, Australia, New Zealand, and Germany.
The activity, per Huntress, was first spotted on February 19, 2026, with subsequent cases appearing at an accelerated pace since then. Notably, the campaign leverages Cloudflare Workers redirects with captured sessions redirected to infrastructure hosted on a platform-as-a-service (PaaS) offering called Railway, effectively turning it into a credential harvesting engine.
Construction, non-profits, real estate, manufacturing, financial services, healthcare, legal, and government are some of the prominent sectors targeted as part of the campaign.
“What also makes this campaign unusual is not just the device code phishing techniques involved, but the variety of techniques observed,” the company said. “Construction bid lures, landing page code generation, DocuSign impersonation, voicemail notifications, and abuse of Microsoft Forms pages are all hitting the same victim pool through the same Railway.com IP infrastructure.”
Device code phishing refers to a technique that exploits the OAuth device authorization flow to grant the attacker persistent access tokens, which can then be used to seize control of victim accounts. What’s significant about this attack method is that the tokens remain valid even after the account’s password is reset.
At a high level, the attack works as follows:
Threat actor requests a device code from the identity provider (e.g., Microsoft Entra ID) via the legitimate device code API.
The service responds with a device code.
Threat actor creates a persuasive email and sends it to the victim, urging them to visit a sign-in page (“microsoft[.]com/devicelogin”) and enter the device code.
After the victim enters the provided code, along with their credentials and two-factor authentication (2FA) code, the service creates an access token and a refresh token for the user.
“Once the user has fallen victim to the phish, their authentication generates a set of tokens that now live at the OAuth token API endpoint and can be retrieved by providing the correct device code,” Huntress explained. “The attacker, of course, knows the device code because it was generated by the initial cURL request to the device code login API.”
“And while that code is useless by itself, once the victim has been tricked into authenticating, the resulting tokens now belong to anyone who knows which device code was used in the original request.”
The use of device code phishing was first observed by Microsoft and Volexity in February 2025, with subsequent waves documented by Amazon Threat Intelligence and Proofpoint. Multiple Russia-aligned groups tracked as Storm-2372, APT29, UTA0304, UTA0307, and UNK_AcademicFlare have been attributed to these attacks.
The technique is insidious, not least because it leverages legitimate Microsoft infrastructure to perform the device code authentication flow, thereby giving users no reason to suspect anything could be amiss.
In the campaign detected by Huntress, the authentication abuse originates from a small cluster of Railway.com IP addresses, with three of them accounting for roughly 84% of observed events:
162.220.234[.]41
162.220.234[.]66
162.220.232[.]57
162.220.232[.]99
162.220.232[.]235
The starting point of the attack is a phishing email that wraps malicious URLs within legitimate security vendor redirect services from Cisco, Trend Micro, and Mimecast so as to bypass spam filters and trigger a multi-hop redirect chain featuring a combination of compromised sites, Cloudflare Workers, and Vercel as intermediaries before taking the victim to the final destination.
“The observed landing sites prompt the victim to proceed to the legitimate Microsoft device code authentication endpoint and input a provided code in order to read some files,” Huntress said. “The code is rendered directly on the page when the victim arrives.”
“This is an interesting iteration of the tactic, as, normally, the adversary must produce and then provide the code to the victim. By rendering the code directly on the page, likely by some code generation automation, the victim is immediately provided with the code and pretext for the attack.”
The landing page also comes with a “Continue to Microsoft” button that, when clicked, opens a pop-up window rendering the legitimate Microsoft authentication endpoint (“microsoft[.]com/devicelogin”).
Almost every device code phishing site has been hosted on a Cloudflare workers[.]dev instance, illustrating how the threat actors are weaponizing the trust associated with the service in enterprise environments to sidestep web content filters. To combat the threat, users are advised to scan sign-in logs to hunt for Railway IP logins, revoke all refresh tokens for affected users, and block authentication attempts from Railway infrastructure if possible.
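One way to carry out the sign-in log hunt advised above, as an added example that is not part of the Huntress report or the original article: the script below reads newline-delimited sign-in events, flags device code authentications that came from the Railway IP addresses listed earlier, and produces the list of users whose refresh tokens should be revoked. The log schema (fields `user`, `ip`, `protocol`, `result`), the `example.com` users, and the sample events are all constructed for this example; the non-Railway IPs are documentation-range addresses, and a real identity provider's export will use different field names that need mapping onto these.

```python
import json

# Railway.com IP addresses named in the Huntress report (defanged above, written
# in plain dotted form here so they can be compared against log fields).
RAILWAY_IOC_IPS = {
    "162.220.234.41",
    "162.220.234.66",
    "162.220.232.57",
    "162.220.232.99",
    "162.220.232.235",
}

# Constructed sample sign-in events, one JSON object per line. The field names
# (user, ip, protocol, result) are a simplified schema assumed for this example;
# map them onto whatever your identity provider's sign-in export actually uses.
SAMPLE_SIGNIN_LOG = """\
{"time": "2026-02-19T14:02:11Z", "user": "alice@example.com", "ip": "203.0.113.10", "protocol": "browser", "result": "success"}
{"time": "2026-02-19T14:05:40Z", "user": "alice@example.com", "ip": "162.220.234.41", "protocol": "deviceCode", "result": "success"}
{"time": "2026-02-19T15:11:03Z", "user": "bob@example.com", "ip": "162.220.232.99", "protocol": "deviceCode", "result": "success"}
{"time": "2026-02-19T15:12:50Z", "user": "carol@example.com", "ip": "198.51.100.7", "protocol": "deviceCode", "result": "success"}
{"time": "2026-02-19T16:00:00Z", "user": "dave@example.com", "ip": "162.220.234.66", "protocol": "browser", "result": "failure"}
"""


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_event(event):
    """Return a severity for one event, or None if it needs no follow-up.

    high:   successful device code authentication from a listed Railway IP, the
            exact pattern described in the article; revoke the user's tokens.
    medium: device code authentication from any other IP (the flow is rare for
            most users and worth a look), or any attempt, successful or not,
            from the listed Railway infrastructure.
    """
    from_ioc_ip = event.get("ip") in RAILWAY_IOC_IPS
    device_code = event.get("protocol") == "deviceCode"
    succeeded = event.get("result") == "success"
    if from_ioc_ip and device_code and succeeded:
        return "high"
    if from_ioc_ip or device_code:
        return "medium"
    return None


def hunt(events):
    """Return (event, severity) pairs for every event that needs follow-up."""
    findings = []
    for event in events:
        severity = classify_event(event)
        if severity:
            findings.append((event, severity))
    return findings


def users_to_revoke(findings):
    """Users whose refresh tokens should be revoked: every 'high' finding."""
    return sorted({event["user"] for event, sev in findings if sev == "high"})


def ioc_ip_share(events):
    """Fraction of device code authentications that came from the listed IPs."""
    device_code_events = [e for e in events if e.get("protocol") == "deviceCode"]
    if not device_code_events:
        return 0.0
    hits = sum(1 for e in device_code_events if e.get("ip") in RAILWAY_IOC_IPS)
    return hits / len(device_code_events)


if __name__ == "__main__":
    events = parse_signin_log(SAMPLE_SIGNIN_LOG)
    findings = hunt(events)
    for event, severity in findings:
        print(f"[{severity:6}] {event['time']} {event['user']:18} {event['ip']:16} {event['protocol']}")
    print("revoke refresh tokens for:", ", ".join(users_to_revoke(findings)))
    print(f"device code auths from Railway IPs: {ioc_ip_share(events):.0%}")
```

Revocation is keyed on the high-severity findings only; the medium ones are triage leads, because a device code sign-in from an unlisted address may be a legitimate CLI or smart-TV login, and a failed attempt from Railway infrastructure is grounds for the IP block the article recommends rather than for token revocation.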
Huntress has since attributed the Railway attack to a new phishing-as-a-service (PhaaS) platform known as EvilTokens, which made its debut last month on Telegram. Besides advertising tools to send phishing emails and bypass spam filters, the EvilTokens dashboard provides customers with open redirect links to vulnerable domains to obscure the phishing links.
“In addition to rapid growth in tool functionality, the EvilTokens team has spun up a full 24/7 support team and a support feedback channel,” the company said. “They also have customer feedback.”
The disclosure comes as Palo Alto Networks Unit 42 also warned of a similar device code phishing campaign, highlighting the attack’s use of anti-bot and anti-analysis techniques to fly under the radar, while exfiltrating browser cookies to the threat actor on page load. The earliest observation of the campaign dates back to February 18, 2026.
The phishing page “disables right-click functionality, text selection, and drag operations,” the company said, adding it “blocks keyboard shortcuts for developer tools (F12, Ctrl+Shift+I/C/J) and source viewing (Ctrl+U)” and “detects active developer tools by utilizing a window size heuristic, which subsequently initiates an infinite debugger loop.”
Voice-based phishing, a form of social engineering where attackers call employees or IT help desks under false pretenses in an attempt to gain access to victim networks, surged in 2025, Mandiant said Monday in its annual M-Trends report.
These points of intrusion, which have been a hallmark of attacks attributed to members of the cybercrime collective The Com, including offshoots such as Scattered Spider, accounted for 11% of all incidents Mandiant investigated last year.
Exploited vulnerabilities remained the top initial access vector for the sixth consecutive year, giving attackers footholds in 32% of all incidents last year, the company said. Yet the rise of voice phishing marks a concerning shift in tactics, especially in large-scale attacks with sweeping impacts.
“This type of social engineering attack is extremely powerful. It is more time consuming, obviously it requires skills and impersonation skills that the threat actors need to have, especially when they contact their IT help desk,” Jurgen Kutscher, vice president at Mandiant, told CyberScoop. “We’ve clearly seen several threat actors being very specialized and very successful with this type of attack.”
Voice-based phishing was at the root of multiple attack sprees Mandiant responded to last year, including campaigns targeting Salesforce customers attributed to threat groups Google Threat Intelligence Group tracks as UNC6040 and UNC6240.
This global shift in attacks was most clearly seen in the sharp drop in email-based phishing. For years, phishing has been a popular method because it’s cheap and requires little technical skill. It works much like high-volume advertising — a spray-and-pray strategy focused on reaching as many people as possible rather than specific targeting.
Email phishing is no longer a top initial access vector, according to Mandiant. The incident response firm said it was only responsible for 6% of intrusions last year, down from 14% in 2024 and 22% in 2022.
“The higher the investment, the higher the payout needs to be,” Kutscher said. “[Interactive phishing] takes a significant amount of time and investment. So as an attacker, you’ve got to do that when you believe that there’s a significant return.”
These techniques are difficult to defend against because they’re designed to exploit human instincts and bypass many security controls. “We’ve always said, unfortunately the human tends to be the weakest link,” Kutscher said.
Social engineering, of course, wasn’t the only way attackers gained access to victim networks last year. Exploited defects remain a persistent problem.
The top three vulnerabilities Mandiant observed as the initial access vector in 2025 include CVE-2025-31324 in SAP NetWeaver, CVE-2025-61882 in Oracle E-Business Suite and CVE-2025-53770 in Microsoft SharePoint.
Attackers of various origins and objectives exploited all three of the vulnerabilities en masse and as zero-days.
Mandiant clocked 500,000 combined hours of incident response investigations globally last year, up from 450,000 hours in 2024.
Technology companies were the most frequently attacked in 2025, accounting for 17% of all incidents. The following most-targeted industries included finance at 14.6%, business and professional services at 13.3% and health care at 11.9%.
Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments.
The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4, 0.69.5, and 0.69.6 have since been removed from the container image library.
“New image tags 0.69.5 and 0.69.6 were pushed on March 22 without corresponding GitHub releases or tags. Both images contain indicators of compromise associated with the same TeamPCP infostealer observed in earlier stages of this campaign,” Socket security researcher Philipp Burckhardt said.
The development comes in the wake of a supply chain compromise of Trivy, a popular open-source vulnerability scanner maintained by Aqua Security, in which the threat actors leveraged a compromised credential to push a credential stealer within trojanized versions of the tool and two related GitHub Actions, “aquasecurity/trivy-action” and “aquasecurity/setup-trivy.”
The attack has had downstream impacts, with the attackers leveraging the stolen data to compromise dozens of npm packages to distribute a self-propagating worm known as CanisterWorm. The incident is believed to be the work of a threat actor tracked as TeamPCP.
According to the OpenSourceMalware team, the attackers have defaced all 44 internal repositories associated with Aqua Security’s “aquasec-com” GitHub organization by renaming each of them with a “tpcp-docs-” prefix, setting all descriptions to “TeamPCP Owns Aqua Security,” and exposing them publicly.
It’s worth noting that the “aquasec-com” account is distinct from the cloud security vendor’s other well-known GitHub organization account, “aquasecurity,” which hosts the impacted Trivy scanner and GitHub Actions, along with various open-source projects. The newly compromised organization contains proprietary source code, including source code for Tracee, internal Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases.
All the repositories are said to have been modified in a scripted 2-minute burst between 20:31:07 UTC and 20:32:26 UTC on March 22, 2026. It’s been assessed with high confidence that the threat actor leveraged a compromised “Argon-DevOps-Mgt” service account for this purpose.
“Our forensic analysis of the GitHub Events API points to a compromised service account token — likely stolen during TeamPCP’s prior Trivy GitHub Actions compromise — as the attack vector,” security researcher Paul McCarty said. “This is a service/bot account (GitHub ID 139343333, created 2023-07-12) with a critical property: it bridges both GitHub orgs.”
“One compromised token for this account gives the attacker write/admin access to both organizations,” McCarty added.
The development is the latest escalation from a threat actor that has built a reputation for targeting cloud infrastructure, while progressively building capabilities to systematically target exposed Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal data, deploy ransomware, conduct extortion, and mine cryptocurrency.
Their growing sophistication is best exemplified by the emergence of a new wiper malware that spreads through SSH via stolen keys and exploits exposed Docker APIs on port 2375 across the local subnet.
A new payload attributed to TeamPCP has been found to go beyond credential theft to wiping entire Kubernetes (K8s) clusters located in Iran. The shell script uses the same ICP canister linked to CanisterWorm and then runs checks to identify Iranian systems.
“On Kubernetes: deploys privileged DaemonSets across every node, including control plane,” Aikido security researcher Charlie Eriksen said. “Iranian nodes get wiped and force-rebooted via a container named ‘kamikaze.’ Non-Iranian nodes get the CanisterWorm backdoor installed as a systemd service. Non-K8s Iranian hosts get ‘rm -rf / --no-preserve-root.’”
Given the ongoing nature of the attack, it’s imperative that organizations review their use of Trivy in CI/CD pipelines, avoid using affected versions, and treat any recent executions as potentially compromised.
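A small audit script for the review recommended above, added here as an example and not code from Aqua Security, Socket, or the original article: it scans a GitHub Actions workflow for references to the Trivy container image and to the two named actions, flags the three Docker Hub tags the article lists as malicious, and separates pinned references (full commit SHA or image digest) from mutable ones. The Docker Hub repository name `aquasec/trivy` is assumed; the workflow text, the 40-hex commit SHA and the all-zero image digest are constructed placeholders. Since the article names no clean release after 0.69.6, any tag other than the listed ones is reported as unverified for manual comparison against the vendor advisory.

```python
import re

# Docker Hub image tags named in the article: the last known clean release and
# the three malicious tags that were pushed without matching GitHub releases.
LAST_CLEAN_IMAGE_TAG = "0.69.3"
AFFECTED_IMAGE_TAGS = {"0.69.4", "0.69.5", "0.69.6"}

# References to the Trivy image (repository name aquasec/trivy is assumed),
# capturing an optional :tag and an optional @sha256: digest.
IMAGE_RE = re.compile(
    r"(?<![\w/])(?:docker\.io/)?aquasec/trivy"
    r"(?::([A-Za-z0-9_.\-]+))?"          # :tag
    r"(?:@sha256:([0-9a-f]{64}))?"      # @sha256:digest
    r"(?![\w/])"
)
# `uses:` lines for the two GitHub Actions named in the article.
ACTION_RE = re.compile(
    r"uses:\s*(aquasecurity/(?:trivy-action|setup-trivy))@([A-Za-z0-9_.\-/]+)"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Statuses that should block a pipeline run until a human has looked at them.
NEEDS_ACTION = {"affected", "unpinned", "mutable-ref", "unverified"}

# Constructed workflow snippet mixing good and bad references. The commit SHA
# and the image digest are placeholders, not real Trivy commits or digests.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:0.69.5
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@main
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run --rm aquasec/trivy:0.69.3 image myapp:latest
      - run: docker run --rm aquasec/trivy:latest fs .
      - run: docker run --rm aquasec/trivy@sha256:0000000000000000000000000000000000000000000000000000000000000000 fs .
"""


def classify_image_ref(tag, digest):
    """Classify one image reference by its tag/digest."""
    if digest:
        return "digest-pinned"          # immutable, cannot be swapped under you
    if tag is None or tag == "latest":
        return "unpinned"               # resolves to whatever was pushed last
    if tag in AFFECTED_IMAGE_TAGS:
        return "affected"               # one of the malicious tags
    if tag == LAST_CLEAN_IMAGE_TAG:
        return "last-known-clean"
    return "unverified"                 # compare against the vendor advisory


def classify_action_ref(ref):
    """A full commit SHA is immutable; a tag or branch name can be moved."""
    return "sha-pinned" if FULL_SHA_RE.match(ref) else "mutable-ref"


def audit_workflow(text):
    """Return one finding per Trivy action or image reference, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACTION_RE.finditer(line):
            findings.append({"line": lineno, "kind": "action",
                             "ref": f"{m.group(1)}@{m.group(2)}",
                             "status": classify_action_ref(m.group(2))})
        for m in IMAGE_RE.finditer(line):
            findings.append({"line": lineno, "kind": "image", "ref": m.group(0),
                             "status": classify_image_ref(m.group(1), m.group(2))})
    return findings


def findings_requiring_action(text):
    """Only the findings that should block the pipeline until reviewed."""
    return [f for f in audit_workflow(text) if f["status"] in NEEDS_ACTION]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:3} {f['kind']:6} {f['status']:17} {f['ref']}")
```

Pinning to a digest or full SHA is what turns "avoid using affected versions" into something a pipeline can enforce: a mutable tag such as `latest` or a branch name would have picked up the malicious 0.69.x pushes automatically, whereas a digest-pinned reference keeps running the image that was reviewed.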
“This compromise demonstrates the long tail of supply chain attacks,” OpenSourceMalware said. “A credential harvested during the Trivy GitHub Actions compromise months ago was weaponized today to deface an entire internal GitHub organization. The Argon-DevOps-Mgt service account — a single bot account bridging two orgs with a long-lived PAT — was the weak link.”
“From cloud exploitation to supply chain worms to Kubernetes wipers, they are building capability and targeting the security vendor ecosystem itself. The irony of a cloud security company being compromised by a cloud-native threat actor should not be lost on the industry.”
An information stealer called VoidStealer uses a new approach to bypass Chrome’s Application-Bound Encryption (ABE) and extract the master key for decrypting sensitive data stored in the browser.
The novel method is stealthier and relies on hardware breakpoints to extract the v20_master_key, used for both encryption and decryption, directly from the browser’s memory, without requiring privilege escalation or code injection.
A report from Gen Digital, the parent company behind the Norton, Avast, AVG, and Avira brands, notes that this is the first case of an infostealer observed in the wild to use such a mechanism.
Google introduced ABE in Chrome 127, released in June 2024, as a new protection mechanism for cookies and other sensitive browser data. It ensures that the master key remains encrypted on disk and cannot be recovered through normal user-level access.
Decrypting the key requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting process.
[Figure: Overview of how ABE blocks out malware. Source: Gen Digital]
However, this system has been bypassed by multiple infostealer malware families and has even been demonstrated in open-source tools. Although Google implemented fixes and improvements to block these bypasses, new malware versions reportedly continued to succeed using other methods.
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” says Vojtěch Krejsa, threat researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform advertised on dark web forums since at least mid-December 2025. The malware introduced the new ABE bypass mechanism in version 2.0.
[Figure: Cybercriminals advertising ABE bypass in VoidStealer version 2.0. Source: Gen Digital]
Stealing the master key
VoidStealer’s trick to extract the master key is to target a short moment when Chrome’s v20_master_key is briefly present in memory in plaintext state during decryption operations.
Specifically, VoidStealer starts a suspended and hidden browser process, attaches it as a debugger, and waits for the target browser DLL (chrome.dll or msedge.dll) to load.
When loaded, it scans the DLL for a specific string and the LEA instruction that references it, using that instruction’s address as the hardware breakpoint target.
[Figure: VoidStealer’s target string. Source: Gen Digital]
Next, it sets that breakpoint across existing and newly created browser threads, waits for it to trigger during startup while the browser is decrypting protected data, then reads the register holding a pointer to the plaintext v20_master_key and extracts it with ‘ReadProcessMemory.’
Gen Digital explains that the ideal time for the malware to do this is during browser startup, when the application loads ABE-protected cookies early, forcing the decryption of the master key.
The researchers explained that VoidStealer likely did not invent this technique but rather adopted it from the open-source project ‘ElevationKatz,’ part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
Although there are some differences in the code, the implementation appears to be based on ElevationKatz, which has been available for more than a year.
BleepingComputer has contacted Google with a request for a comment on this bypass method being used by threat actors, but a reply was not available by publishing time.
Threat actors affiliated with Russian Intelligence Services are conducting phishing campaigns to compromise commercial messaging applications (CMAs) like WhatsApp and Signal to seize control of accounts belonging to individuals with high intelligence value, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) said Friday.
“The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists,” FBI Director Kash Patel said in a post on X. “Globally, this effort has resulted in unauthorized access to thousands of individual accounts. After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity.”
CISA and the FBI said the activity has resulted in the compromise of thousands of individual CMA accounts. It’s worth noting that the attacks are designed to break into the targeted accounts and do not exploit any security vulnerability or weakness to crack the platforms’ encryption protections.
While the agencies did not attribute the activity to a specific threat actor, prior reports from Microsoft and Google Threat Intelligence Group have linked such campaigns to multiple Russia-aligned threat clusters tracked as Star Blizzard, UNC5792 (aka UAC-0195), and UNC4221 (aka UAC-0185).
In a similar alert, the Cyber Crisis Coordination Center (C4), part of the National Cybersecurity Agency of France (ANSSI), warned of a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists, and business leaders.
“These attacks – when successful – can allow malicious actors to access conversation histories, or even take control of their victims’ messaging accounts and send messages while impersonating them,” C4 said.
The end goal of the campaign is to enable the threat actors to gain unauthorized access to victims’ accounts, enabling them to view messages and contact lists, send messages on their behalf, and even conduct secondary phishing against other targets by abusing trusted relationships.
As recently alerted by cybersecurity agencies from Germany and the Netherlands, the attack involves the adversary posing as “Signal Support” to approach targets and urge them to click on a link (or alternatively scan a QR code) or provide the PIN or verification code. In both cases, the social engineering scheme allows the threat actors to gain access to the victim’s CMA account.
However, the campaign has two different outcomes for the victim depending on the method used:
If the victim opts to provide the PIN or verification code to the threat actor, they lose access to their account, as the attacker has used it to recover the account on their end. While the threat actor cannot access past messages, the method can be used to monitor fresh messages and send messages to others by impersonating the victim.
If the victim ends up clicking the link or scanning the QR code, a device under the control of the threat actor gets linked to the victim’s account, allowing them to access all messages, including those sent in the past. In this scenario, the victim continues to have access to the CMA account unless they are explicitly removed from the app settings.
To better protect against the threat, users are advised to never share their SMS code or verification PIN with anyone, exercise caution when receiving unexpected messages from unknown contacts, check links before clicking them, and periodically review linked devices and remove those that appear suspicious.
“These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent ‘Signal Support Bot’) to trick victims into handing over their login credentials or other information,” Signal said in a post on X earlier this month.
“To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app. We also want to emphasize that Signal Support will *never* initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal-related code, it is a scam.”
North Carolina musician Michael Smith has pleaded guilty to collecting over $10 million in royalty payments through a massive streaming royalty fraud scheme on Spotify, Apple Music, Amazon Music, and YouTube Music.
54-year-old Smith bought hundreds of thousands of songs generated using artificial intelligence (AI) from an accomplice, uploaded them to these streaming platforms, and used automated AI bots to stream the AI-generated tracks billions of times.
According to court documents unsealed when he was charged in September 2024, Smith fraudulently inflated listening stats on his songs on these digital platforms between 2017 and 2024 with the help of an unnamed music promoter and the Chief Executive Officer of an AI music company. To avoid detection by anti-fraud systems, Smith also had the bots access the streaming platforms using virtual private networks (VPNs).
On October 4, 2018, he emailed his coconspirators to say, “to not raise any issues with the powers that be we need a TON of content with small amounts of Streams,” and added that, “We need to get a TON of songs fast to make this work around the anti fraud policies these guys are all using now.”
At the peak of the operation, Smith was using over 1,000 bot accounts to artificially boost streams. On October 20, 2017, he also emailed himself a financial breakdown outlining how he operated 52 cloud service accounts, each with 20 bot accounts.
He estimated that each bot could stream around 636 songs per day, for a total of approximately 661,440 streams per day. With an average royalty rate of half a cent per stream, the daily earnings would reach $3,307.20, the monthly earnings would reach $99,216, and the annual earnings would exceed $1.2 million, according to Smith.
“Michael Smith generated thousands of fake songs using artificial intelligence and then streamed those fake songs billions of times. Although the songs and listeners were fake, the millions of dollars Smith stole was real,” said U.S. Attorney Jay Clayton on Wednesday. “Millions of dollars in royalties that Smith diverted from real, deserving artists and rights holders. Smith’s brazen scheme is over, as he stands convicted of a federal crime for his AI-assisted fraud.”
Prosecutors said that Smith fraudulently collected over $10 million in royalty payments after having his bots stream hundreds of thousands of AI-generated songs billions of times. In a February 2024 email, Smith confirmed these claims, boasting that the songs had generated “over 4 billion streams and $12 million in royalties since 2019.”
Smith has agreed to pay $8,091,843.64 in forfeiture and faces a maximum sentence of 5 years in prison after pleading guilty to one count of conspiracy to commit wire fraud.
New Android malware hiding in streaming apps to spy on users’ personal notes
A newly discovered Android malware is masking itself within television streaming apps in order to steal users’ passwords and banking data and spy on their personal notes, researchers have found.
The malware, dubbed Perseus by researchers at ThreatFabric, is being actively distributed in the wild and primarily targets users in Turkey and Italy, according to a report released on Thursday.
Perseus builds on the leaked code of older Android banking trojans, including Cerberus, a prolific malware family whose source code was exposed in 2020.
To infect devices, attackers disguise the malware inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are also widely used to stream pirated content and are often downloaded outside official marketplaces like Google Play, making users more accustomed to installing them manually and less likely to view the process as suspicious.
Once installed, Perseus can monitor nearly everything a user does in real time. It uses overlay attacks — placing fake login screens over legitimate apps — and keylogging capabilities to capture credentials as they are entered.
The malware’s most unusual feature, according to ThreatFabric, is its focus on personal note-taking applications.
Perseus actively scans infected devices for apps such as Google Keep, Evernote, and Simple Notes, then opens them and extracts stored content. Notes can contain highly sensitive information, including passwords, financial details, and recovery phrases, making them a valuable target for attackers, researchers said.
Android malware is continually evolving, incorporating new techniques and features to gain victims’ trust and evade detection, according to ThreatFabric.
Earlier in October, researchers identified another Android banking trojan, Herodotus, capable of mimicking human behavior to evade detection during remote device control. Another malware, known as Crocodilus, can manipulate victims’ contact lists, enabling attackers to impersonate trusted entities such as banks.
Medusa ransomware gang claims attacks on prominent Mississippi hospital, New Jersey county
A prominent ransomware gang has taken credit for a devastating attack on the biggest hospital in Mississippi and a large county in New Jersey.
The Medusa ransomware operation, which experts believe is run out of Russia, said recently it was behind the cyberattack on the University of Mississippi Medical Center (UMMC).
UMMC is one of the most important healthcare organizations in the state — employing 10,000 people and housing Mississippi’s only children’s hospital, only Level I trauma center, only Level IV neonatal intensive care unit and the state’s only organ transplant programs.
The entire organization went dark for nine days at the end of February, forcing nurses and doctors to operate sophisticated systems with analog tools. The cancer infusion center had to reschedule patients while other units had to find ways to manage supplies and treatment with paper and pen.
“We created a fully functional, urgent infusion clinic operating entirely offline. We found smart, secure ways to access critical vendor data,” Devika Das, division director of hematology and oncology at the hospital, said two weeks ago.
UMMC’s hospitals and emergency departments remained operational but it closed all 35 of its clinic locations. The FBI and Department of Homeland Security were brought in to assist in the recovery effort.
The hospital fully reopened on March 2, and the Medusa ransomware gang claimed the attack last Thursday, demanding an $800,000 ransom. The hackers threatened to leak data stolen from the hospital by March 20.
A UMMC spokesperson declined to comment on the ransom threat.
Experts believe the Medusa operation is based in Russia due to its avoidance of targets in the Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.
The group, which emerged in 2021, has repeatedly shown a willingness to target healthcare facilities and municipal governments across the U.S. On Tuesday, the group claimed an attack on New Jersey’s Passaic County and demanded an $800,000 ransom.
The county said it was dealing with a “malware attack” two weeks ago that took down phone lines and IT systems used across government offices. It is home to nearly 600,000 people.