MSP cybersecurity news digest, December 30, 2024

Hunters International ransomware leaks 400,000 customer files from Telecom Namibia

Telecom Namibia suffered a ransomware attack by Hunters International, compromising 626.3 GB of data, including over 400,000 customer files.

When the ransom demand was not met, sensitive data such as IDs, banking details, and addresses were leaked and began circulating on social media. Telecom Namibia's CEO assured the public that the company is working with local and international cybersecurity experts to contain the breach and strengthen its systems. The Communications Regulatory Authority of Namibia (RAN) has raised concerns about the country's lack of a dedicated cybercrime law and is calling for more robust national cybersecurity measures.

The incident has severely damaged Telecom Namibia's reputation, inviting potential lawsuits and highlighting the need for stronger cybersecurity measures. In addition, the leaked data exposed customers to identity theft, phishing scams and financial fraud.

Brain Cipher ransomware group exposes Rhode Island residents’ PII

Rhode Island has confirmed a data breach affecting its RIBridges system, managed by Deloitte, following a ransomware attack by the Brain Cipher group. RIBridges, the system used to run the state's public assistance programs, was hacked, and Deloitte later said that personal information (PII) was stolen. In response, the system has been taken offline to address the threat and restore operations safely.

The breach potentially exposed sensitive data, including names, addresses, Social Security numbers and banking details, impacting programs like Medicaid, SNAP, TANF and others. Affected households will be notified via mail, and a dedicated call center has been established to assist residents.

Deloitte confirmed the attack involved malicious code in RIBridges and acknowledged the breach after earlier denying Brain Cipher’s claims of broader data theft. They are collaborating with Rhode Island authorities and law enforcement to investigate and resolve the issue.

South Asian cyber espionage group Bitter APT targets Turkish defense sector

Researchers discovered that Bitter APT, a South Asian cyber espionage group, targeted a Turkish defense organization using two advanced malware families, WmRAT and MiyaRAT.

The attack began with a malicious RAR archive containing a shortcut (LNK) file that, when executed, created a scheduled task to download further payloads. To deceive victims, the archive included a decoy file about a World Bank infrastructure project in Madagascar, hiding malicious PowerShell code in an alternate data stream.

Alternate data streams are an NTFS feature, so the decoy keeps its normal size and appearance in Explorer while carrying the hidden script, which makes detection difficult. Once activated, the malware could collect data, execute commands and establish control over the infected system. MiyaRAT, used sparingly, is believed to be reserved for high-value victims, suggesting a selective approach to espionage.

Bitter APT has a history of attacks across Asia, often deploying malware to steal sensitive information and intellectual property.

Attackers impersonate employee in a Microsoft Teams meeting to launch AnyDesk and deploy DarkGate malware

A recent attack used social engineering via Microsoft Teams to deploy DarkGate malware. The attackers impersonated a client during a Teams call to gain the victim's trust, then directed them to download AnyDesk for remote access.

Once access was established, they deployed multiple payloads, including a credential stealer and DarkGate, a remote access trojan with capabilities such as keylogging, credential theft and screen capturing. The malware was delivered using an AutoIt script, highlighting a sophisticated approach to initial access and propagation.

DarkGate campaigns illustrate the diversity of phishing lures used to trick victims, including fake partnership proposals sent to YouTube creators, QR-code-based phishing for Microsoft 365 credentials, and malicious email attachments mimicking legitimate documents like invoices. Attackers also exploit trusted platforms like DocuSign and Adobe InDesign to distribute phishing links and impersonate support teams from companies like Okta to breach organizational systems.

Threat actors exploit global events to amplify phishing campaigns, using urgency and emotions to deceive victims.
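Both the Bitter APT chain (LNK, scheduled task, PowerShell payload hidden in an NTFS alternate data stream) and the DarkGate chain (AnyDesk remote access followed by an AutoIt-delivered payload) leave process-creation telemetry that a simple rule set can catch. The following is an added example, not code from the digest or from any of the vendors it cites: it runs two detection rules over constructed Sysmon-style process events. Hostnames, timestamps, paths, task names and the decoy file name are all made up for the demo, and the one-hour correlation window is an assumption to tune per environment.

```python
"""Two process-telemetry detections for the intrusion chains in the digest.

Rule 1 (Bitter APT style): schtasks.exe registering a task whose action is a
scripting host, or PowerShell reading an NTFS alternate data stream.
Rule 2 (DarkGate style): AnyDesk starting on a host, then an AutoIt interpreter
running on the same host within a time window.
All sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProcEvent:
    host: str
    ts: datetime
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    ts: datetime
    detail: str


# --- Rule 1 helpers -----------------------------------------------------
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd", "wscript", "cscript", "mshta", "rundll32")
TASK_ACTION = re.compile(r'/tr\s+"?([^"]+)', re.IGNORECASE)   # value of schtasks /tr
# file.ext:streamname -- stream names must start with a letter, so host:port does not match
ADS_REF = re.compile(r'[\w\-]+\.\w{2,4}:[A-Za-z_][\w$]*\b')
ADS_PARAM = re.compile(r'-Stream\s+\S+', re.IGNORECASE)       # Get-Content ... -Stream x


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_task_and_ads(events):
    """Flag scheduled tasks with script-host actions and PowerShell ADS reads."""
    alerts = []
    for e in events:
        img = basename(e.image)
        if img == "schtasks.exe" and "/create" in e.cmdline.lower():
            m = TASK_ACTION.search(e.cmdline)
            action = m.group(1).lower() if m else ""
            if any(h in action for h in SCRIPT_HOSTS):
                alerts.append(Alert("schtask-script-action", e.host, e.ts, e.cmdline))
        if img in ("powershell.exe", "pwsh.exe") and (
                ADS_REF.search(e.cmdline) or ADS_PARAM.search(e.cmdline)):
            alerts.append(Alert("powershell-ads-read", e.host, e.ts, e.cmdline))
    return alerts


# --- Rule 2 -------------------------------------------------------------
RAT_IMAGES = ("anydesk.exe",)
AUTOIT_IMAGES = ("autoit3.exe", "autoit3_x64.exe")


def detect_rat_then_autoit(events, window=timedelta(hours=1)):
    """Flag an AutoIt run that follows an AnyDesk start on the same host."""
    alerts = []
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        rat_starts = [e.ts for e in evs if basename(e.image) in RAT_IMAGES]
        for e in evs:
            is_autoit = basename(e.image) in AUTOIT_IMAGES or ".a3x" in e.cmdline.lower()
            if not is_autoit:
                continue
            prior = [t for t in rat_starts if timedelta(0) <= e.ts - t <= window]
            if prior:
                alerts.append(Alert("remote-tool-then-autoit", host, e.ts,
                                    f"AnyDesk at {max(prior):%H:%M}, then: {e.cmdline}"))
    return alerts


def run_rules(events):
    return detect_task_and_ads(events) + detect_rat_then_autoit(events)


# Constructed sample events (hosts, users, paths and names are invented).
SAMPLE_EVENTS = [
    # benign: nightly backup task whose action is a plain executable
    ProcEvent("WS-099", datetime(2024, 12, 20, 8, 0, 0), r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "NightlyBackup" /tr "C:\Tools\backup.exe" /sc daily /st 23:00',
              r"C:\Windows\System32\cmd.exe"),
    # Bitter-style: task created with a PowerShell action ...
    ProcEvent("WS-042", datetime(2024, 12, 20, 9, 2, 5), r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc minute /mo 10 /tn "OfficeSync" /tr "powershell -w hidden -f C:\Users\ana\AppData\Local\Temp\run.ps1"',
              r"C:\Windows\System32\cmd.exe"),
    # ... and the task later reading a stream hidden behind the decoy document
    ProcEvent("WS-042", datetime(2024, 12, 20, 9, 12, 0),
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -w hidden -c Get-Content C:\Users\ana\Downloads\decoy_report.pdf -Stream cfg",
              r"C:\Windows\System32\svchost.exe"),
    # DarkGate-style: AnyDesk launched from the browser, AutoIt interpreter 17 minutes later
    ProcEvent("WS-017", datetime(2024, 12, 20, 14, 5, 0), r"C:\Users\ben\Downloads\AnyDesk.exe",
              "AnyDesk.exe", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe"),
    ProcEvent("WS-017", datetime(2024, 12, 20, 14, 22, 0), r"C:\Users\ben\AppData\Local\Temp\AutoIt3.exe",
              r"AutoIt3.exe C:\Users\ben\AppData\Local\Temp\script.a3x", r"C:\Windows\System32\cmd.exe"),
    # benign: AutoIt used for desktop automation with no remote-access tool beforehand
    ProcEvent("WS-099", datetime(2024, 12, 20, 15, 0, 0), r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe",
              r"AutoIt3.exe C:\Automation\nightly.au3", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.ts:%Y-%m-%d %H:%M} {a.detail}")
```

Run against the sample set, the rules raise three alerts, all on the two compromised hosts, and stay silent for the benign backup task and the stand-alone AutoIt run. Rule 2 keys on the AutoIt image name and the `.a3x` extension only; since DarkGate operators also ship renamed interpreters, a production version should add a file-hash or signer check on the process image.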

RevC2 backdoor and Venom Loader linked to More_eggs malware

The More_eggs malware-as-a-service (MaaS) operation has expanded with two new malware families: the RevC2 backdoor and Venom Loader.

RevC2 is an information-stealing backdoor that communicates over WebSockets; it can steal cookies and passwords, proxy network traffic, and execute commands remotely (RCE). Venom Loader is a customizable loader that is tailored to the victim's computer name. It delivers More_eggs lite, a lightweight JavaScript backdoor with RCE capabilities.

Both malware families are deployed using VenomLNK, which displays a decoy PNG image while executing malicious payloads. RevC2 targets Chromium browsers, allowing the theft of sensitive credentials and remote command execution. These developments highlight the threat actors' ability to innovate and expand their toolsets despite previous disruptions to the MaaS platform's operations.