The Breach News

New HTML Smuggling Scheme Distributes DCRat Malware to Russian-Speaking Users

On September 27, 2024

GenAI / Cybercrime

A recent campaign is specifically targeting Russian-speaking users by spreading the DCRat malware (also known as DarkCrystal RAT) through a method known as HTML smuggling. This marks the first instance of this malware being delivered via this technique, shifting away from traditional methods such as compromised websites or phishing emails that included malicious PDF attachments or Excel documents with macros. “HTML smuggling serves primarily as a means of delivering the payload,” explained Netskope researcher Nikhil Hegde in an analysis released Thursday. “The payload can either be embedded directly within the HTML or fetched from an external source.” The HTML files can be distributed via fake websites or malicious spam emails. When victims open the file in their web browser, the hidden payload is decoded and downloaded to their system. The success of this attack relies significantly on social engineering tactics to persuade the victim to execute the file.


Russia Intensifies Restrictions on End-to-End Encrypted Calls

A recent collaborative investigation by WIRED, The Markup, and CalMatters has unveiled that numerous data brokers are purposefully obscuring their opt-out and data deletion tools from Google Search results. This tactic complicates the ability of consumers to locate and utilize these privacy options, raising significant concerns about data privacy practices.…


How Cybersecurity Positioned Estonia as a Leader in the Space Industry

Governance & Risk Management, Operational Technology (OT), Video

Cyfinoid-style sub-headline: Insights from Space Policy and Technology Director Paul Liias on Satellite Security Challenges
By Tony Morbin (@tonymorbin) • August 15, 2025
Paul Liias, Head of Space Policy and Tech, Estonia

The potential disruption of civil and military satellite…


Iranian Hacker Admits Guilt in $19 Million Robbinhood Ransomware Attack Targeting Baltimore

Date: May 28, 2025
Category: Ransomware / Data Breach

An Iranian national has acknowledged his involvement in a major ransomware and extortion operation linked to the Robbinhood ransomware in the U.S. Sina Gholinejad (also known as Sina Ghaaf), 37, along with his accomplices, infiltrated the computer networks of multiple U.S. organizations, encrypting files and demanding Bitcoin ransoms. Arrested in North Carolina in early January, Gholinejad pleaded guilty to charges of computer fraud and abuse, as well as conspiracy to commit wire fraud. He faces up to 30 years in prison, with his sentencing set for August 2025. The U.S. Department of Justice reported that these cyberattacks led to significant disruptions and financial losses exceeding $19 million for cities like Greenville, North Carolina, and Baltimore, Maryland.


Severe RCE Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Attackers to Obtain Root Access

Jun 26, 2025
Vulnerability, Network Security

Cisco has issued updates to resolve two critical security vulnerabilities in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that may allow unauthenticated attackers to execute arbitrary commands with root privileges. These vulnerabilities, identified as CVE-2025-20281 and CVE-2025-20282, both carry a maximum CVSS score of 10.0. Here’s a detailed overview of the vulnerabilities:

  • CVE-2025-20281: A remote code execution flaw impacting Cisco ISE and ISE-PIC versions 3.3 and later, enabling an unauthenticated attacker to execute arbitrary code on the system as root.

  • CVE-2025-20282: A remote code execution vulnerability in Cisco ISE and ISE-PIC version 3.4 that allows an unauthenticated attacker to upload arbitrary files to the device and execute them as root.

Cisco has indicated that CVE-2025-20281 stems from inadequate…


Microsoft Flags Storm-0501 as a Significant Threat in Hybrid Cloud Ransomware Operations

September 27, 2024
Ransomware / Cloud Security

Microsoft has identified the cyber group Storm-0501 as a noteworthy threat, targeting key sectors such as government, manufacturing, transportation, and law enforcement in the United States. Their sophisticated, multi-stage attack strategy is designed to infiltrate hybrid cloud environments, allowing attackers to move laterally from on-premises systems to the cloud. This approach leads to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. According to Microsoft’s threat intelligence team, Storm-0501 operates as a financially driven cybercriminal organization, utilizing both commodity and open-source tools for their ransomware activities. Active since 2021, they initially focused on educational institutions with the Sabbath ransomware before transitioning to a ransomware-as-a-service (RaaS) model, distributing various ransomware variants including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware.


Reevaluating Security in the Software Supply Chain

Black Hat, Events, Video

Cyfinoid’s Shrivastava Advocates for Enhanced Transparency in Software Security Risks
Tom Field (SecurityEditor) • August 15, 2025
Anant Shrivastava, Founder & Chief Researcher, Cyfinoid Research

Despite the crucial importance of software supply chain security, many organizations approach it with a limited perspective, primarily emphasizing code dependencies…


ConnectWise Cyberattack: Nation-State Actor Suspected in Targeted Breach
May 30, 2025 | Vulnerability / Data Breach

ConnectWise, known for its remote access software ScreenConnect, has reported being targeted in a cyberattack believed to be orchestrated by a nation-state actor. On May 28, the company issued a brief advisory detailing that it had identified suspicious activity linked to the threat, which has affected a limited number of ScreenConnect customers. To investigate the incident further, ConnectWise has enlisted Google Mandiant for a forensic examination and has informed all impacted customers. While the company has not disclosed the specific number of affected customers, the timing of the breach, or the identity of the responsible party, it is important to note that just weeks prior, in late April 2025, ConnectWise addressed a high-severity vulnerability (CVE-2025-3935) with a CVSS score of 8.1 in ScreenConnect versions 25.2.3 and earlier.
