MSP cybersecurity news digest, April 22, 2025

Cyberattack hits South Africa’s fourth-largest telecom network Cell C


Cell C, South Africa’s fourth-largest mobile network with 7.7 million subscribers, confirmed a data breach after the ransomware group RansomHouse leaked its stolen data on the dark web.

The attackers reportedly accessed 2TB of data, including sensitive customer information such as names, ID numbers, contact and banking details, medical records and passport numbers. The company admitted that attackers gained unauthorized access to parts of its IT systems but has not revealed whether a ransom was demanded or paid. Cell C is now urging affected individuals to remain vigilant against phishing and identity theft, as the stolen data has been made public.

In response, Cell C is working with global cybersecurity experts, authorities and stakeholders, while also implementing monitoring systems to detect misuse of the leaked data. RansomHouse, known for publicly leaking stolen data instead of encrypting it, has previously targeted major organizations such as AMD and Shoprite.


Worldwide pharma and health care orgs attacked by new ResolverRAT malware


ResolverRAT is a newly identified remote access trojan targeting health care and pharmaceutical organizations through phishing emails tailored to the victim’s local language, with confirmed cases in Italian, Czech, Hindi, Turkish and Portuguese.

The attack begins when a user clicks on a link in the phishing email, downloading a legitimate-looking file (hpreader.exe), which is used to inject the malware into memory using reflective DLL loading. Once in memory, ResolverRAT runs stealthily, abusing .NET’s ResourceResolve feature to avoid detection by security tools that monitor API calls or file system activity. It then checks for sandbox or analysis tools and uses complex, misleading code to make analysis more difficult. To maintain persistence, it stores XOR-obfuscated keys in up to 20 Windows Registry locations and copies itself to directories like Startup and LocalAppData.

The malware communicates with its operators at random intervals to avoid detection and executes commands in separate threads to ensure stability. Finally, for data exfiltration, ResolverRAT breaks large files into small chunks (16KB each) and only sends them when the network is ready, allowing stealthy and reliable transfers.
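The chunked exfiltration described above leaves a network-side trace: many outbound flows of roughly the same size from one host to one destination, spaced irregularly. The following script is an added illustration (not code from the ResolverRAT analysis or from any vendor) that applies that heuristic to constructed flow records; the record layout, thresholds and addresses are assumptions chosen for the example.

```python
"""Flag chunked outbound transfers in flow records.

Added illustration for the ResolverRAT item: the malware is reported to split
files into 16 KB chunks and send them one at a time when the network is ready.
Many similarly sized outbound flows from one host to one destination is the
observable this heuristic keys on. Records, thresholds and field order are
constructed for the example and are not a vendor schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

CHUNK = 16 * 1024      # reported chunk size in bytes
TOLERANCE = 0.10       # allow +/-10% for protocol framing and headers
MIN_FLOWS = 8          # fewer chunk-sized flows than this is not alerted on
MIN_RATIO = 0.8        # chunk-sized flows must dominate the host/dest pair

# Constructed flow records: (timestamp_s, src, dst, bytes_out)
FLOWS = [
    # a host sending ten chunk-sized flows at irregular intervals
    (1000, "10.0.0.12", "203.0.113.7", 16512),
    (1063, "10.0.0.12", "203.0.113.7", 16490),
    (1091, "10.0.0.12", "203.0.113.7", 16530),
    (1187, "10.0.0.12", "203.0.113.7", 16401),
    (1202, "10.0.0.12", "203.0.113.7", 16384),
    (1250, "10.0.0.12", "203.0.113.7", 1200),    # small control message
    (1299, "10.0.0.12", "203.0.113.7", 16477),
    (1345, "10.0.0.12", "203.0.113.7", 16602),
    (1410, "10.0.0.12", "203.0.113.7", 16384),
    (1502, "10.0.0.12", "203.0.113.7", 16520),
    (1577, "10.0.0.12", "203.0.113.7", 16455),
    (1600, "10.0.0.12", "203.0.113.7", 2048),    # small control message
    # ordinary browsing from another host: varied sizes, one near 16 KB
    (1010, "10.0.0.5", "198.51.100.20", 524),
    (1020, "10.0.0.5", "198.51.100.20", 90210),
    (1030, "10.0.0.5", "198.51.100.20", 3300),
    (1040, "10.0.0.5", "198.51.100.20", 16400),
]


def near_chunk(nbytes, chunk=CHUNK, tol=TOLERANCE):
    """True when a flow's byte count is within tolerance of the chunk size."""
    return abs(nbytes - chunk) <= chunk * tol


def find_chunked_transfers(flows, chunk=CHUNK, min_flows=MIN_FLOWS,
                           min_ratio=MIN_RATIO):
    """Return {(src, dst): stats} for pairs whose outbound flows look chunked."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = {}
    for pair, recs in by_pair.items():
        sizes = [b for _, b in recs]
        chunk_sized = [b for b in sizes if near_chunk(b, chunk)]
        if len(chunk_sized) < min_flows:
            continue
        if len(chunk_sized) / len(sizes) < min_ratio:
            continue
        times = sorted(t for t, _ in recs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        hits[pair] = {
            "flows": len(sizes),
            "chunk_sized": len(chunk_sized),
            "total_bytes": sum(sizes),
            "mean_gap_s": mean(gaps) if gaps else 0.0,
            "gap_stdev_s": pstdev(gaps) if gaps else 0.0,
        }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_chunked_transfers(FLOWS).items():
        print(f"{src} -> {dst}: {stats}")
```

The ratio check keeps a few small control messages from masking a chunked stream, while the minimum flow count avoids alerting on a single coincidentally sized upload; both thresholds would be tuned against a real baseline before use.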


CurlBack RAT and Spark RAT weaponized by Pakistan-linked attackers to hit targets in India


A threat actor linked to Pakistan has been targeting multiple Indian sectors — including railways, oil and gas, and external affairs ministries — using remote access trojans like Xeno RAT, Spark RAT and the newly identified CurlBack RAT.

This campaign, attributed to SideCopy (a subgroup of Transparent Tribe / APT36), marks a shift from earlier focus areas like defense and maritime sectors to a broader range of targets. Researchers noted a tactical change from HTML Application (HTA) files to Microsoft Installer (MSI) packages for malware delivery, alongside advanced methods like DLL side-loading and PowerShell-based AES decryption. SideCopy also uses phishing emails with lure documents — such as fake holiday lists and cybersecurity advisories — to distribute malware.

Recent attacks involve a multistage infection chain deploying tools like Action RAT, ReverseRAT, Cheex, and a .NET-based Geta RAT with capabilities to steal browser data, copy files from USBs and execute commands.


Ransomware attack hits kidney dialysis firm DaVita


DaVita, a leading kidney care provider in the U.S., experienced a ransomware attack over the weekend that encrypted parts of its network and disrupted some operations.

The company, which operates over 2,600 dialysis centers and employs 76,000 people globally, disclosed the incident in an SEC 8-K filing. The attack occurred on a Saturday — timing often chosen by ransomware gangs to take advantage of reduced IT staffing.

Upon discovery, DaVita activated its response protocols, isolated affected systems, and began containment efforts, though a full recovery timeline remains unclear. Despite the disruption, DaVita states that patient care continues across its facilities, with contingency plans in place. An investigation is ongoing, including whether any patient data was stolen, but no ransomware group has yet claimed responsibility.


Russian state-backed group Midnight Blizzard targets European diplomatic entities in spear-phishing campaign


Russian state-backed group Midnight Blizzard (also known as APT29 or Cozy Bear) is behind a new spear-phishing campaign targeting European diplomatic entities, including embassies.

Researchers discovered that the operation introduces two new tools: GrapeLoader, a stealthy malware loader, and a new variant of the WineLoader backdoor. The campaign, which began in January 2025, uses fake invitations to a wine-tasting event from spoofed Ministry of Foreign Affairs emails to lure victims. If the targeting conditions are met, the email delivers a ZIP file containing a legitimate PowerPoint executable and DLLs, including the malicious GrapeLoader, which is executed via DLL sideloading. This loader gathers system information, establishes persistence through Registry changes, and stealthily loads shellcode in memory using advanced evasion techniques.

Once embedded, it delivers WineLoader, a modular backdoor disguised as a trojanized VMware Tools DLL, which collects detailed system data to evaluate and profile the target. The new WineLoader variant is heavily obfuscated to resist reverse engineering and string analysis, highlighting the evolving sophistication of APT29’s toolkit and the need for advanced, layered cyber defenses.
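The delivery described above, a ZIP holding a legitimate signed executable next to DLLs that it will load, is a pattern a mail gateway can flag for review even though it cannot tell a trojanized DLL from a clean one by name. The script below is an added illustration (not code from the campaign analysis or from any product): it inspects an archive built in memory for directories that contain both an executable and at least one DLL. The archive contents and file names are placeholders, not indicators from the campaign.

```python
"""Triage a ZIP attachment for executable and DLL co-location.

Added illustration for the Midnight Blizzard item: the campaign shipped a ZIP
with a legitimate executable alongside DLLs, one of which was the GrapeLoader
picked up via DLL sideloading. This check flags the structural pattern so an
analyst can look closer. The sample archives are constructed in memory and the
file names are hypothetical.
"""
import io
import posixpath
import zipfile
from collections import defaultdict

EXEC_EXT = {".exe", ".com", ".scr"}
LIB_EXT = {".dll"}


def sideload_candidates(zip_bytes):
    """Return [(directory, [executables], [dlls])] for every directory inside
    the archive that holds at least one executable and at least one DLL."""
    members = defaultdict(lambda: ([], []))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, name = posixpath.split(info.filename)
            ext = posixpath.splitext(name)[1].lower()
            if ext in EXEC_EXT:
                members[directory][0].append(name)
            elif ext in LIB_EXT:
                members[directory][1].append(name)
    return [(d, sorted(exes), sorted(dlls))
            for d, (exes, dlls) in sorted(members.items())
            if exes and dlls]


def build_sample_zip(entries):
    """Build a constructed archive from {path: bytes} for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed attachment mimicking the pattern: a decoy document, an
# executable and two DLLs in the same folder (all names hypothetical).
SUSPICIOUS = build_sample_zip({
    "invitation/Invitation.pdf": b"%PDF-1.4 placeholder",
    "invitation/viewer.exe": b"MZ placeholder executable",
    "invitation/helper.dll": b"MZ placeholder library",
    "invitation/libcore.dll": b"MZ placeholder library",
})

# Constructed attachment with documents only.
BENIGN = build_sample_zip({
    "report/agenda.docx": b"PK placeholder",
    "report/notes.txt": b"plain text",
})


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, sideload_candidates(blob))
```

The check is deliberately structural: it says nothing about whether a given DLL is malicious, only that the archive has the layout sideloading needs, which is rare in legitimate business attachments and therefore a cheap signal to route for inspection.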