RansomHouse claimed responsibility for the Trellix breach, adding the security firm to its Tor data leak site and sharing screenshots of internal systems.
The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.
In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.
“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”
The company did not disclose who carried out the attack or how it was done. It is also unclear how long the attackers had access to the repository.
Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.
The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.
RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.
The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.
Nearly 200,000 Zara customers were exposed in a third-party breach linked to ShinyHunters, revealing emails, purchase history, and support data.
Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.
The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.
“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” reads a statement by Inditex.
“Operations and systems haven’t been affected and customers can continue to access and use its services safely.”
What was exposed, however, tells a different story about the scale of the incident.
The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.
The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.
“Your Bigquery instances data was compromised thanks to Anodot.com,” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances”
The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.
Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.
Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.
Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.
Slovakian national Alan Bill, 33, pleaded guilty in January to a conspiracy to distribute controlled substances charge after admitting to his role in running Kingdom Market — a platform used by drug dealers and cybercriminals between March 2021 and December 2023.
A Virginia man was convicted on federal charges Thursday after a jury found him guilty of deleting 96 government databases and stealing an individual’s password, leading their email account to be accessed without permission.
On Thursday, dozens of students took to social media to say they saw a message from a cybercriminal group as they navigated through Canvas, an educational platform created by Instructure that hosts teaching materials, tests, readings and more.
Researchers at Moscow-based cybersecurity firm Kaspersky said they identified overlapping infrastructure and tools used by both groups — including command-and-control systems operating on the same compromised host — suggesting some coordination.
Incident responders from cybersecurity firm Rapid7 published a report about a recent intrusion that initially appeared to be a Chaos ransomware attack but was later discovered to be an attack attributed to MuddyWater, an Iranian APT group tied to the country’s Ministry of Intelligence and Security (MOIS).
In the second timeline of April 2026 I collected 108 events, corresponding to an average of 7.2 events per day, a number that confirms a growing trend, driven by the increasing number of supply chain attacks, compared to the previous timeline, where I collected 94 events (6.27 events/day).
A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use.
A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devices running Android Debug Bridge (ADB) and using them for large‑scale DDoS attacks. Hunt.io discovered the bot on an unsecured server. It includes 21 flood techniques across TCP, UDP, and raw protocols, allowing it to bypass basic protections, and it appears to be sold as a DDoS‑for‑hire service, especially for targeting game and Minecraft servers.
During routine monitoring, researchers spotted an exposed directory on a Netherlands‑hosted server (176.65[.]139.44) used for bulletproof hosting. The operator had left their entire toolkit publicly accessible over TCP/80 with no authentication, allowing investigators to index everything before the attacker realized it was exposed.
Open access to the server revealed a six‑file toolkit instead of a login page, exposing binaries and text files with no authentication. Two files were auto‑tagged as malicious: arm7 (Mirai) and payloads.txt (exploit content), suggesting the operator was using analyst‑grade tools on an unsecured host. The directory held about 200 KB of data, including the packed ARM bot, an unstripped x86‑64 debug build, ADB infection one‑liners, a SOCKS5 proxy, and a placeholder targets file. The debug build’s intact symbols made reconstructing the bot’s behavior straightforward.
“The xlabs_v1 codebase reads as a focused commercial product rather than an opportunistic Mirai derivative. Its twenty-one flood variants, ChaCha20 string protection, OpenNIC-aware DNS resolution, and Speedtest-driven bandwidth profiling are subsystems aimed at a single outcome: keeping a fleet of compromised IoT devices reachable, accountable, and profitable for the operator. Everything else in the binary serves that goal or protects it,” reads the report published by Hunt.io.
xlabs_v1 botnet is built entirely for commercial DDoS‑for‑hire operations, with no added features like credential theft that could increase detection risk. Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN‑shaped UDP traffic to evade filters. Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set‑top boxes, and IoT hardware, part of a global surface of more than 4 million devices with TCP/5555 exposed.
“[I]nfection vector is Android Debug Bridge on TCP/5555, with multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK, meaning any internet-exposed device running ADB is a potential target: Android TV boxes, set-top boxes, smart TVs, residential routers, and any IoT-grade hardware shipping with ADB enabled by default,” continues the report.
Once installed, the bot hides infection tags, profiles each device’s bandwidth by opening 8,192 TCP sockets, and reports Mbps to its panel so the operator can assign price tiers. It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.
For resilience, xlabs_v1 resolves its C2 via OpenNIC, falls back to a firewall‑punching SOCKS‑style listener on TCP/26721, and masks itself as /bin/bash to evade casual inspection. Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.
Its command‑and‑control uses a custom TCP protocol, supporting bandwidth probes, updates, self‑restart, and attack dispatch. Together, these techniques reveal a sophisticated, commercially motivated DDoS botnet engineered for persistence, evasion, and profit.
Analysis of the xlabs_v1 botnet’s infrastructure begins with its C2 domain, xlabslover[.]lol, which resolves to a single IP in the Netherlands hosted by Offshore LC. The domain uses Ultahost nameservers, a provider often linked to bulletproof hosting, and shows no prior malware detections, suggesting a recently deployed C2.
Pivoting from the domain to its IP (176.65.139[.]134) reveals SSH as the only open port, plus past honeypot activity involving HTTP and .env‑file scanning. SSL history shows unusual self‑signed certificates, including one with the CN “Godisgood”, previously used on another IP in Germany, indicating the same operator managing multiple servers.
Three hosts within the 176.65.139.0/24 netblock appear tied to the botnet: .44 (staging), .42 (distribution), and .9 (additional distribution). Hunt.io captured open directories on these systems containing Mirai‑tagged binaries, multi‑architecture payloads, and ADB exploitation scripts.
Historical scans confirmed Mirai C2 activity in late March and early April 2026, consistent with the botnet’s active deployment period and revealing a consolidated, bulletproof infrastructure supporting xlabs_v1.
The operator behind the botnet uses the handle Tadashi, embedded in each build, while the botnet brand xlabs_v1 appears in every C2 registration, hinting at future versions. A development tag, aterna, shows earlier branding before release. OSINT searches linking “Tadashi,” “xlabs,” and “xlabslover” may reveal the operator’s DDoS‑for‑hire storefront. A decrypted banner also exposes hostility toward a rival fork, xlab 2, suggesting a code split or underground feud. Nearby infrastructure in the same netblock has hosted cryptojacking tools, though overlap with the xlabs operation remains unconfirmed.
“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork (which would lack the ChaCha20 layer, the multi-architecture binary set, the bandwidth profiling, and the registered-attack diversity), but less sophisticated than the top tier of commercial DDoS-for-hire operations (which would use TLS on the C2 channel, would not ship a debug build to production paths, would rotate cryptographic material across builds, and would not ship a hard-coded competitor-rivalry banner),” concludes the report. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target. Treat it accordingly.”
Taiwan high‑speed rail was disrupted after a 23‑year‑old student spoofed signals and triggered an emergency alarm, stopping four trains for nearly an hour.
Taiwan’s high‑speed rail system, one of the most important pieces of national infrastructure, was thrown into chaos during the Qingming Festival holiday when several trains suddenly came to an unexpected halt. Experts initially investigated a technical glitch but soon discovered the incident was caused by a cyber intrusion carried out by a 23-year-old university student.
“The Ministry of Transportation and Communications yesterday pledged to submit a report on ways to harden the communication security of railway systems after a university student hacked into Taiwan High Speed Rail Corp’s (THSRC) radio communications system and disrupted operations of four high-speed rail trains last month,” reported the Taipei Times. “Investigation by the police and prosecutors found that the university student and radio enthusiast, surnamed Lin (林), first used a software-defined radio (SDR) filter to analyze THSRC signals, downloaded the data to a computer, cracked the parameters and then programmed the codes into his radio devices.”
Authorities revealed that the student, identified only by his surname Lin, used radio equipment and software tools bought online to imitate the communication signals used inside Taiwan High-Speed Rail (THSR). By doing so, he triggered a general emergency alarm, forcing train operators to stop four trains, disrupting service for nearly an hour and delaying hundreds of passengers heading home from the holiday.
The student exploited weaknesses in TETRA, the radio communication system used by THSR for nearly two decades. Before transmitting anything, Lin reportedly intercepted and decoded the system’s parameters using software‑defined radio (SDR) tools. He analyzed the structure of the signals, then programmed the same parameters into handheld radios to impersonate legitimate THSR beacons.
Using these cloned signals, he sent a high‑priority “General Alarm” message. In the THSR safety protocol, this alarm is treated as a potential life‑or‑death alert: trains in the affected zone must immediately switch to manual emergency stop mode. The attack caused three trains to stop instantly, and a fourth received the same instruction shortly after. In total, THSR recorded 48 minutes of disruption.
What stood out most to investigators was not the complexity of the act, but the long‑standing vulnerability that made it possible. Local reports highlight that the same system parameters had been used for 19 years and were never rotated. This meant that once Lin decoded the information, nothing prevented him from reusing it without detection.
Police say Lin also received help from a 21‑year‑old acquaintance, who provided some of the technical details needed for the intrusion.
Once THSR staff realized the alarm did not match any assigned radio device, they checked their equipment and quickly concluded that the signal must have come from an unauthorized source. They contacted police, who examined station CCTV and radio network logs.
These traces eventually led investigators to Lin’s residence, where they recovered 11 handheld radios, an SDR receiver, and a laptop used for the attack.
The police arrested the student on April 28 and later released him on NT$100,000 bail, pending further investigation.
Prosecutors say Lin may have violated several laws, including articles dealing with interference with public transportation, use of unauthorized equipment, and exploiting vulnerabilities in a protected computer system. Together, the charges could result in up to 10 years in prison.
Beyond the dramatic nature of the event, the hack has sparked a broader debate in Taiwan. Politicians and cybersecurity experts questioned how a national high-speed rail system, carrying more than 80 million passengers a year, could be compromised using consumer‑grade hardware.
Investigators emphasized that even if Lin intended the act as a prank, interfering with public transportation is dangerous and illegal. The District Prosecutors Office warned that any disruption to transport networks will be prosecuted aggressively to protect public safety.
The incident ultimately highlights a simple truth: in a world where cheap radio tools and open‑source software are widely accessible, even long‑trusted systems must be updated and continuously tested. Otherwise, critical infrastructure remains exposed, not only to hostile actors, but to anyone curious enough to experiment.
Romanian citizen Gavril Sandu was extradited to the U.S. nearly 17 years after a hacking scheme. He was indicted in 2017 and arrested in 2026.
Romanian national Gavril Sandu, 53, has been extradited to the United States for his role in a hacking scheme that took place 17 years ago.
“On November 14, 2017, a federal grand jury in Charlotte returned a criminal indictment charging Gavril Sandu, 53, with one count of conspiracy to commit bank fraud and one count of bank fraud. Sandu was arrested in Romania on January 9, 2026. He was extradited to the United States on April 30, 2026,” reads the press release published by DoJ.
The move closes a long-running cybercrime investigation revealed by the Justice Department.
The man appeared in a U.S. court after being extradited from Romania to face charges of bank fraud and conspiracy for his role in an international vishing scheme. Indicted in 2017, Sandu was arrested in Romania on January 9, 2026, and transferred to U.S. custody on April 30, 2026.
According to prosecutors, between May 2009 and October 2010, Sandu and co-conspirators hacked into small businesses’ VoIP systems, using them to make spoofed phone calls that impersonated banks and tricked victims into revealing debit card and PIN numbers. The stolen credentials were used to access accounts and steal funds.
“Greed crosses borders, but so does our relentless pursuit of justice,” said U.S. Attorney Russ Ferguson, emphasizing that international cyberscammers will face prosecution no matter where they operate.
The case underscores how global cooperation and timely extraditions remain vital to combating cyber-enabled financial fraud.
Investigators allege that Sandu collected these stolen credentials, used them to forge magnetic stripe cards, and acted as a money mule, withdrawing cash from compromised ATMs and bank accounts. He then split the proceeds with his co‑conspirators.
Following his extradition from Romania, Sandu was placed in federal custody awaiting trial. If convicted, he faces up to 30 years in prison.
“Scams originating outside of our country are out of control. Wherever scammers operate – here or abroad – we will use every tool available to bring them to justice,” concludes U.S. Attorney Ferguson.
The agency did not publicly attribute the incidents to a specific group or country but said Poland faced intensified hostile cyber activity in 2024 and 2025, “with particular emphasis on the special services of the Russian Federation.”
A patch for the bug, tracked as CVE-2026-0300, has not been published yet and Palo Alto Networks said it will be included in releases over the next two weeks.
The initiative, named CI Fortify, focuses on isolation and recovery efforts that would see critical infrastructure organizations proactively disconnect from third-party dependencies and find ways to operate without reliable telecommunications and internet.
In London, becoming a licensed cab driver used to require passing an exam called “The Knowledge.” Candidates spent three to four years memorizing 25,000 streets, 100,000 landmarks and thousands of optimal routes. Neuroscience researchers at University College London found that cabbies who passed had measurably enlarged hippocampi from the cognitive load.
GPS made the entire achievement irrelevant in a single software update. Not gradually. Not partially. A driver on their first day with a nav app could match a cabbie who had studied for four years. The skill did not get cheaper. It stopped mattering.
That same structural collapse just happened to cyberattack expertise.
The skill floor fell through the floor
For two decades, the most dangerous attack techniques were gated by skill and time. Adversary-in-the-middle phishing, polymorphic malware, living-off-the-land scripting, autonomous exploit development — nation-state groups ran these operations because they alone had practitioners who could execute them.
AI removed the gate. The same way GPS never taught anyone cartography — it made cartography optional.
IBM X-Force quantified one dimension: AI generates convincing phishing lures in five minutes versus sixteen hours for an experienced human operator. That’s a 192x reduction in time cost for a single task. Multiply it across reconnaissance, lure generation, payload evasion and exploit development, and you get a capability transfer from specialized actors to anyone motivated enough to open a Telegram channel. CrowdStrike’s 2026 Global Threat Report documented the result: An 89% year-over-year surge in AI-augmented attacks, alongside a 29-minute average eCrime breakout time — 65% faster than 2024.
Three techniques show how completely the collapse ran.
Adversary-in-the-middle phishing once required an operator who understood reverse proxy architecture, SSL certificate management and session token mechanics. Platforms like Tycoon 2FA packaged all of that into a browser dashboard with tiered pricing and customer support. The required skill dropped to “credit card and intent.” The result: 40,000 AiTM incidents daily across Microsoft environments, and 84% of compromised accounts had MFA enabled. The authentication was genuine. The theft happened after it succeeded.
AI spear phishing once required a skilled analyst spending two to four hours per target. AI automated the entire pipeline — LinkedIn scraping, lure generation, style-matching — producing messages with zero grammatical errors that reference real projects and mimic specific colleagues. A 2025 campaign targeted 800 accounting firms simultaneously with emails referencing each firm’s specific state registration details and hit a 27% click rate. Running 800 firm-specific, research-backed campaigns at once was previously not operationally feasible below nation-state level.
Autonomous exploit development may be the starkest case. Anthropic’s Mythos model demonstrated fully autonomous discovery and exploitation of unknown vulnerabilities — independently finding a 17-year-old remote code execution flaw in FreeBSD’s NFS server that human researchers had missed for years. Cost: under $20,000. That replaced months of nation-state research effort.
Eight major attack categories show the same pattern across 2025 and 2026 data. The skill that gated each attack stopped being required.
The auto-tune problem
Auto-tune didn’t make singers cheaper to hire. It made pitch control irrelevant. A tone-deaf performer with the plugin produces the same output as a conservatory graduate. The listener cannot tell the difference.
That’s the detection problem in one sentence.
Traditional defenses work by finding a signal: A known malicious hash, a grammar error in the lure, a failed authentication attempt. AI lets attackers strip those signals out. AiTM removes failed logins. AI-generated lures remove grammatical errors. Polymorphic malware removes stable code signatures. Automated reconnaissance removes advance warning entirely — it runs in public data sources the target cannot monitor.
The attack that succeeds now is the one designed to look completely normal. Pattern-matching fails when the patterns have been intentionally removed.
The architecture was built for a world that no longer exists
The defense stack most organizations run rests on three assumptions that held for two decades and are now false.
First, that sophisticated attacks are rare. They’re not — volume now scales to commodity levels. Second, that attacks contain detectable quality signals. They don’t — the absence of awkward phrasing or mismatched domains isn’t exculpatory. It’s the attack working as designed. Third, that human investigation speed is fast enough. A 29-minute breakout time and a 21-second average time-to-click leave no margin for a 15-minute triage cycle.
These weren’t bad assumptions when architects made them. But the architecture built on top of them doesn’t degrade gracefully when they fail. It fails structurally.
What still works — and why
The controls that survive share one trait: They depend on properties attackers cannot strip from the signal.
FIDO2 security keys bind authentication cryptographically to the legitimate origin domain. When an AiTM proxy intercepts the flow, the challenge comes from the proxy’s domain. The key refuses to sign. No AI-generated polish changes the domain mismatch at the cryptographic layer. Deploy it for all privileged accounts and disable fallback to phishable MFA methods — Proofpoint has already documented FIDO2 downgrade attacks in Microsoft Entra.
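To make the origin-binding argument concrete, here is an added example that is not code from the article or from any vendor it names. It models the two layers that stop an AiTM proxy: the browser refuses to invoke a credential whose rpId does not match the page’s domain, and the relying party independently checks the origin recorded in clientDataJSON before it trusts the signature. The relying party, the proxy domain and the key are all constructed for the example; the authenticator’s signature is stood in for by an HMAC over the same bytes a real key signs (authenticatorData followed by SHA-256 of clientDataJSON) so the code runs on the standard library alone. A real authenticator uses an ECDSA or EdDSA key pair, but the binding being checked is the same.

```python
"""Added example (not the article's or any vendor's code): why a FIDO2/WebAuthn
login fails behind an adversary-in-the-middle proxy. Names, domains and the
HMAC stand-in for the authenticator signature are constructed assumptions."""
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

RP_ID = "login.example.com"                  # constructed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"  # constructed legitimate origin
PROXY_ORIGIN = "https://login-example.com.evil.test"  # constructed AiTM site


def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """WebAuthn rule: rpId must equal the page's domain or be a registrable
    suffix of it. A proxy on another domain cannot ask for the real rpId."""
    host = urlparse(page_origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Stand-in for a hardware key; `secret` plays the role of the private key.
    A real key would sign with ECDSA/EdDSA over exactly the same bytes."""

    def __init__(self) -> None:
        self.secret = secrets.token_bytes(32)

    def sign(self, authenticator_data: bytes, client_data_json: bytes) -> bytes:
        signed = authenticator_data + hashlib.sha256(client_data_json).digest()
        return hmac.new(self.secret, signed, hashlib.sha256).digest()


def authenticator_data_for(rp_id: str) -> bytes:
    # SHA-256(rpId) || flags byte (user-present bit set) || 32-bit counter
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")


def client_get_assertion(auth, page_origin: str, rp_id: str, challenge: str):
    """Browser side. clientDataJSON records the origin the user is actually on,
    not whatever the page claims. Returns None when the browser refuses."""
    if not browser_allows_rp_id(page_origin, rp_id):
        return None
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data = authenticator_data_for(rp_id)
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": auth.sign(auth_data, client_data)}


def rp_verify(auth, assertion: dict, issued_challenge: str) -> str:
    """Relying-party checks in the order WebAuthn lists them; returns "ok" or
    the first failing check. `auth` stands in for the stored public key."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return "type mismatch"
    if not hmac.compare_digest(client_data.get("challenge", ""), issued_challenge):
        return "challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    expected = auth.sign(auth_data, assertion["clientDataJSON"])
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "signature invalid"
    return "ok"


def legitimate_login(auth) -> str:
    challenge = secrets.token_urlsafe(32)
    assertion = client_get_assertion(auth, EXPECTED_ORIGIN, RP_ID, challenge)
    return rp_verify(auth, assertion, challenge)


def aitm_login(auth, proxy_origin: str = PROXY_ORIGIN) -> str:
    """The proxy relays the real site's options unchanged, but the victim's
    browser is on the proxy's origin, so the credential is never invoked."""
    challenge = secrets.token_urlsafe(32)
    assertion = client_get_assertion(auth, proxy_origin, RP_ID, challenge)
    if assertion is None:
        return "browser refused: rpId is not a suffix of the page origin"
    return rp_verify(auth, assertion, challenge)


def tampered_origin_login(auth) -> str:
    """What the relying party sees if a non-conforming client skipped the
    browser check and submitted an assertion minted on the proxy's origin."""
    challenge = secrets.token_urlsafe(32)
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": PROXY_ORIGIN}
    ).encode()
    auth_data = authenticator_data_for(RP_ID)
    assertion = {"clientDataJSON": client_data, "authenticatorData": auth_data,
                 "signature": auth.sign(auth_data, client_data)}
    return rp_verify(auth, assertion, challenge)


if __name__ == "__main__":
    key = Authenticator()
    print("legitimate:", legitimate_login(key))
    print("aitm:      ", aitm_login(key))
    print("tampered:  ", tampered_origin_login(key))
```

The point the example makes is that no amount of polish on the phishing page changes what the browser writes into `origin`, and the origin is covered by the signature, so the proxy cannot rewrite it afterwards either. The downgrade risk the paragraph mentions sits outside this flow: if the identity provider still accepts a push notification or a code after the key check fails, the attacker simply never triggers the key.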
But hardware controls address only the front door. The deeper fix is a different detection philosophy: Reasoning about what the attacker is trying to accomplish rather than what the attack looks like. In January 2026, a mid-market financial firm caught an active AiTM operation before any payment moved. Their pipeline correlated an email click, a new-IP authentication and an inbox rule creation within a 90-second window — flagging the sequence as a single credential-theft operation. Their legacy email gateway evaluated the same email and generated no alert. SPF, DKIM and DMARC all passed. The link resolved to a legitimate SharePoint domain. The difference wasn’t a better product. It was a better question: One system asked what the email looked like; the other asked what the attacker was trying to accomplish.
That’s the architecture shift — from “does this match a known threat pattern” to “is this sequence of actions consistent with credential theft, regardless of what the initial email looked like.” Most SOCs present those as four unrelated alerts triaged by different analysts. The attacker’s operational logic is more coherent than the defender’s detection pipeline.
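The sequence correlation described in the two paragraphs above, as an added example that is not the financial firm's pipeline or any vendor's product: it walks ordered events per user and reports a finding only when an email click, a login from an IP outside that user's baseline, and an inbox-rule creation all land inside a 90-second window. The event records, field names and IP baseline are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample events: the three signals the article lists for one user
# (j.doe) and a benign click-then-login from a known IP for another (a.smith).
SAMPLE_EVENTS = [
    {"ts": "2026-01-14T09:12:03Z", "user": "j.doe", "type": "email_click", "src_ip": "203.0.113.7"},
    {"ts": "2026-01-14T09:12:41Z", "user": "j.doe", "type": "auth_success", "src_ip": "198.51.100.23"},
    {"ts": "2026-01-14T09:13:19Z", "user": "j.doe", "type": "inbox_rule_created", "src_ip": "198.51.100.23"},
    {"ts": "2026-01-14T09:20:00Z", "user": "a.smith", "type": "email_click", "src_ip": "203.0.113.9"},
    {"ts": "2026-01-14T09:25:30Z", "user": "a.smith", "type": "auth_success", "src_ip": "203.0.113.9"},
]

# IPs each user has authenticated from before (constructed baseline).
KNOWN_IPS = {"j.doe": {"203.0.113.7"}, "a.smith": {"203.0.113.9"}}

SEQUENCE = ("email_click", "auth_success", "inbox_rule_created")
WINDOW = timedelta(seconds=90)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_aitm(events, known_ips, window=WINDOW):
    """Return one finding per completed click -> new-IP login -> inbox-rule
    chain whose stages occur in order and all fall within `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for i, click in enumerate(evs):
            if click["type"] != SEQUENCE[0]:
                continue
            start = parse_ts(click["ts"])
            stage, chain = 1, [click]
            for e in evs[i + 1:]:
                if parse_ts(e["ts"]) - start > window:
                    break  # window expired without completing the chain
                if e["type"] != SEQUENCE[stage]:
                    continue
                if stage == 1 and e["src_ip"] in known_ips.get(user, set()):
                    continue  # a login from a known IP is not the signal
                chain.append(e)
                stage += 1
                if stage == len(SEQUENCE):
                    findings.append({"user": user, "login_ip": chain[1]["src_ip"],
                                     "span_s": (parse_ts(e["ts"]) - start).seconds})
                    break
    return findings
```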
The capability transfer is permanent
London didn’t rebuild its transportation system assuming most drivers still couldn’t navigate. It accepted the collapse and adapted. The cabbies who survived stopped competing on memorization and shifted to what GPS couldn’t replicate: Judgment, local knowledge, reading the situation in real time.
The security equivalent is the same pivot. Stop competing on pattern recognition — the skill AI just made irrelevant for both sides — and shift to what attackers cannot automate away: Understanding what normal looks like inside your specific organization, connecting signals across kill chain stages, and reaching a verdict at machine speed.
The Knowledge took four years to master. One software update made it obsolete. The question for security leaders isn’t whether the same thing happened to APT tradecraft. The data says it did. The question is whether your architecture still assumes it didn’t.
A malicious PyTorch Lightning update (v2.6.3) on PyPI spread briefly, stealing credentials and raising major concerns about AI supply chain security.
A malicious update of the PyTorch Lightning library exposed developers to credential theft and remote compromise. Attackers uploaded version 2.6.3 to the Python Package Index (PyPI), where it spread among developers before maintainers removed it at the end of April.
PyTorch Lightning is an open-source framework built on top of PyTorch that simplifies how developers train and deploy deep learning models.
Given the library’s popularity in AI development, the incident raised serious concerns about the security of software supply chains.
The compromised package executed hidden code as soon as developers imported it. It launched a background process, downloaded a JavaScript runtime (Bun), and ran a large, heavily obfuscated payload. Microsoft identified the malware as ShaiWorm, a credential stealer designed to extract sensitive information from infected systems.
“lightning==2.6.3 (published on PyPI as py3-none-any wheel) contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning. This payload contains credential-stealing functionality targeting cloud providers, browsers, and environment files.” reads the advisory.
Microsoft Defender detected and protected customers against a new software supply chain compromise affecting the "pytorch-lightning" package and immediately reported the issue to the repository maintainers for takedown: https://t.co/yDdIftxQRE.
At the time the compromised…
— Microsoft Threat Intelligence (@MsftSecIntel) May 2, 2026
The malware targeted a wide range of data. It searched for .env files, API keys, GitHub tokens, and credentials stored in browsers like Chrome, Firefox, and Brave. It also collected access keys for major cloud platforms, including AWS, Azure, and Google Cloud. Beyond data theft, the malware allowed attackers to execute arbitrary commands on the system, effectively giving them full control over compromised environments.
Lightning AI quickly warned users about the risk. The company advised anyone who used version 2.6.3 to rotate all credentials and secrets immediately. It removed the malicious release and replaced it with a safe version. At the same time, Microsoft Defender detected and blocked the threat on affected endpoints, limiting its spread to a relatively small number of systems.
It is still unclear how attackers managed to insert the backdoor. Lightning AI continues to examine whether a compromised developer account, build system, or third-party dependency enabled the attack. The company also audits other recent releases to ensure no additional malicious code remains.
“Observed activity remains limited to a small number of devices and appears contained to a narrow set of environments.” states Microsoft. “We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios.”
This incident shows how attackers increasingly target trusted components in the AI and Python ecosystems. Widely used libraries offer an efficient entry point, allowing attackers to reach many developers at once. It highlights the need for stronger safeguards, including dependency verification, runtime monitoring, and stricter controls around software distribution and updates.
Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware.
Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been sentenced to 8.5 years in U.S. prison, marking a significant step in efforts to combat global ransomware operations.
“A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies.” reads the press release published by DoJ.
In August 2024, the man was charged with money laundering, wire fraud, and extortion. He was arrested in Georgia in December 2023 and extradited to the U.S. in 2014.
In 2025, he pleaded guilty to money laundering and wire fraud conspiracy. Rather than carrying out technical intrusions, Zolotarjovs acted as a negotiator and strategist.
He analyzed stolen data, set ransom demands, and communicated directly with victims, earning about 10% of ransom payments through cryptocurrency laundering. Prosecutors described him as a key intermediary within a broader cybercrime ecosystem tied to former members of the Conti ransomware group.
Between 2021 and 2023, the group targeted over 54 organizations, causing over $56 million in losses. Victims included businesses, government entities, and even a pediatric healthcare provider.
“According to court documents, Deniss Zolotarjovs (Денисс Золотарёвс), 35, of Moscow, Russia, was a member of a ransomware organization led by former leaders of the Conti ransomware group. Brands used to identify the organization in ransom notes to their victims during the time of his involvement include Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.” continues the press release. “During the time of Zolotarjovs’s active participation in the organization, approximately June 2021 to August 2023, the organization stole data from over 54 companies, including many in the United States.”
In one case, Zolotarjovs suggested leaking children’s medical data to pressure payment, highlighting the coercive tactics used. Another attack disrupted a U.S. 911 emergency dispatch system, underscoring the real-world impact of these operations.
“In one attack on a pediatric healthcare company, Zolotarjovs deliberately leveraged children’s health information for extortion.” DoJ states. “When he failed in extracting a ransom from this victim, he urged coconspirators to be “DESTROYERS” and to leak or sell copies of these pediatric health records to sow fear among future victims.”
Authorities say the case reflects the increasingly organized and professional nature of ransomware groups, which operate like businesses with defined roles such as negotiators, operators, and data brokers. It also demonstrates growing international cooperation, particularly between U.S. agencies and Georgian authorities, in tracking and prosecuting cybercriminals.
Officials from the Federal Bureau of Investigation emphasized that this sentencing sends a strong message: even individuals operating within Russia-linked cybercrime networks can be identified, pursued, and brought to justice. The case highlights both the human cost of ransomware attacks and the expanding reach of global law enforcement in tackling cyber extortion.
“With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”
Accenture researchers first detailed the activity of this sophisticated, financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021, but it became more active in Q3 2021.
Zolotarjovs is the first member of the Karakurt group to be sentenced in the United States.
Most of the known victims are based in North America, while the remaining are in Europe.
The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.
In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. Later, the group switched to the VPN IP pool or AnyDesk software to establish persistence and avoid detection.
Once inside the target network, the group used various tools to escalate privileges, including Mimikatz, or PowerShell to steal the ntds.dit file that contains Active Directory data.
However, in most attacks the threat group escalated privileges using previously obtained credentials.
For data exfiltration, the group used 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.
The Karakurt cyber extortion group typically gave victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin. This information comes from a joint alert issued by the FBI, CISA, the Department of the Treasury, and FinCEN.