Login
The Cyber Express Weekly Roundup: Escalating Breaches, Regulatory Crackdowns, and Global Cybercrime Developments
13 February 2026 at 05:53
Normal view
Received yesterday — 13 February 2026
Received before yesterday
Taiwan Government Agencies Faced 637 Cybersecurity Incidents in H2 2025
12 February 2026 at 02:21
Illegal Intrusion Leads the Wave of Cybersecurity Incidents
Illegal intrusion remains the leading category among reported cybersecurity incidents affecting government agencies. While the term may sound broad, it reflects deliberate attempts by attackers to gain unauthorized access to systems, often paving the way for espionage, data theft, or operational disruption. The CSAA identified four recurring attack patterns behind these incidents. The first involves the distribution of malicious programs disguised as legitimate software. Attackers impersonate commonly used applications, luring employees into downloading infected files. Once installed, these malicious programs establish abnormal external connections, creating backdoors for future control or data exfiltration. This tactic is particularly concerning for government agencies, where employees frequently rely on specialized or internal tools. A single compromised endpoint can provide attackers with a foothold into wider networks, increasing the scale of cybersecurity incidents.USB Worm Infections and Endpoint Vulnerabilities
The second major pattern behind these cybersecurity incidents involves worm infections spread through portable media devices such as USB drives. Though often considered an old-school technique, USB-based attacks remain effective—especially in environments where portable media is routinely used for operational tasks. When infected devices are plugged into systems, malicious code can automatically execute, triggering endpoint intrusion and abnormal system behavior. Such breaches can lead to lateral movement within networks and unauthorized external communications. This pattern underscores a key reality: technical sophistication is not always necessary. In many cybersecurity incidents, attackers succeed by exploiting routine workplace habits rather than zero-day vulnerabilities.Social Engineering and Watering Hole Attacks Target Trust
The third pattern involves social engineering email attacks, frequently disguised as administrative litigation or official document exchanges. These phishing emails are crafted around business topics highly relevant to government agencies, increasing the likelihood that recipients will open attachments or click malicious links. Such cybersecurity incidents rely heavily on human psychology. The urgency and authority embedded in administrative-themed emails make them particularly effective. Despite years of awareness campaigns, phishing remains one of the most successful entry points for attackers globally. The fourth pattern, known as watering hole attacks, adds another layer of complexity. In these cases, attackers compromise legitimate websites commonly visited by government officials. During normal browsing, malicious commands are silently executed, resulting in endpoint compromise and abnormal network behavior. Watering hole attacks demonstrate how cybersecurity incidents can originate from seemingly trusted digital environments. Even cautious users can fall victim when legitimate platforms are weaponized.Critical Infrastructure Faces Operational Risks
Beyond government agencies, cybersecurity incidents reported by non-government organizations primarily affected critical infrastructure providers, particularly in emergency response, healthcare, and communications sectors. Interestingly, many of these cases involved equipment malfunctions or damage rather than direct cyberattacks. System operational anomalies led to service interruptions, while environmental factors such as typhoons disrupted critical services. These incidents highlight an important distinction: not all disruptions stem from malicious activity. However, the operational impact can be equally severe. The Cybersecurity Research Institute (CRI) emphasized that equipment resilience, operational continuity, and environmental risk preparedness are just as crucial as cybersecurity protection. In an interconnected world, digital security and physical resilience must go hand in hand.Strengthening Endpoint Protection and Cyber Governance
In response to the rise in cybersecurity incidents, experts recommend a dual approach—technical reinforcement and management reform. From a technical perspective, endpoint protection and abnormal behavior monitoring must be strengthened. Systems should be capable of detecting malicious programs, suspicious command execution, abnormal connections, and risky portable media usage. Enhanced browsing and attachment access protection can further reduce the risk of malware downloads during routine operations. From a governance standpoint, ongoing education is essential. Personnel must remain alert to risks associated with fake software, social engineering email attacks, and watering hole attacks. Clear management policies regarding portable media usage, software sourcing, and external website access should be embedded into cybersecurity governance frameworks. The volume of cybersecurity incidents reported in just six months sends a clear message: digital threats targeting public institutions are persistent, adaptive, and increasingly strategic. Governments and critical infrastructure providers must move beyond reactive responses and build layered defenses that address both technology and human behavior.The Cyber Express Weekly Roundup: Global Cybersecurity Incidents and Policy Shifts
6 February 2026 at 06:21
The Cyber Express Weekly Roundup
Cyberattack Disrupts Spain’s Ministry of Science Operations
Spain’s Ministry of Science, Innovation, and Universities confirmed that a cyberattack forced a partial shutdown of its IT systems, disrupting digital services relied upon by researchers, universities, students, and businesses nationwide. Initially described as a technical incident, the disruption was later acknowledged as a cybersecurity event that required the temporary closure of the ministry’s electronic headquarters. Read more..OpenAI Expands Controlled Access to Advanced Cyber Defense Models
OpenAI announced the launch of Trusted Access for Cyber, a new initiative designed to strengthen defensive cybersecurity capabilities while limiting the potential misuse of highly capable AI systems. The program provides vetted security professionals with controlled access to advanced models such as GPT-5.3-Codex, which OpenAI identifies as its most cyber-capable reasoning model to date. Read more..French Authorities Escalate Investigations Into X and Grok AI
French police raided offices belonging to the social media platform X as European investigations expanded into alleged abuses involving its Grok AI chatbot. Authorities are examining claims that Grok generated nonconsensual sexual deepfakes, child sexual abuse material (CSAM), and content denying crimes against humanity, including Holocaust denial. Read more..AI-Generated Platform Moltbook Exposes Millions of Credentials
Security researchers disclosed that Moltbook, a viral social network built entirely using AI-generated code, exposed 1.5 million API authentication tokens, 35,000 user email addresses, and thousands of private messages due to a database misconfiguration. Wiz Security identified the issue after discovering an exposed Supabase API key embedded in client-side JavaScript, which granted unrestricted access to the platform’s production database. Read more..Substack Discloses Breach Months After Initial Compromise
Substack revealed that attackers accessed user email addresses, phone numbers, and internal metadata in October 2025, though the breach went undetected until February 3, 2026. CEO Chris Best notified affected users, stating, “I’m incredibly sorry this happened. We take our responsibility to protect your data and your privacy seriously, and we came up short here.” Read more..Weekly Takeaway
This Cyber Express weekly roundup highlights a clear takeaway for the global cybersecurity community: digital expansion without equivalent security investment increases organizational and systemic risk. AI-built platforms, advanced security tooling, and large-scale public-sector systems are being deployed rapidly, often without adequate access controls, monitoring, or testing. As recent incidents show, these gaps lead to data exposure, prolonged breach detection, and service disruption. To reduce risk, organizations must embed security controls, clear ownership, and continuous monitoring into system design and daily operations, rather than relying on post-incident fixes or policy statements.What the Incognito Market Sentencing Reveals About Dark Web Drug Trafficking
5 February 2026 at 01:22
How Incognito Market Became a Global Narcotics Hub
Launched in October 2020, Incognito Market was designed to look and feel like a legitimate e-commerce platform, only its products were heroin, cocaine, methamphetamine, MDMA, LSD, ketamine, and counterfeit prescription drugs. Accessible through the Tor browser, the dark web marketplace allowed anyone with basic technical knowledge to buy illegal narcotics from around the globe. At its peak, Incognito Market supported over 400,000 buyer accounts, more than 1,800 vendors, and facilitated 640,000 drug transactions. Over 1,000 kilograms of cocaine, 1,000 kilograms of methamphetamine, and fentanyl-laced pills were likely sold, the authorities said. This was not a fringe operation—it was a global supply chain built on code, crypto, and calculated harm.Also read: “Incognito Market” Operator Arrested for Running $100M Narcotics Marketplace
“Pharaoh” and the Business of Digital Drug Trafficking
Operating as “Pharaoh,” Lin exercised total control over Incognito Market. Vendors paid an entry fee and a 5% commission on every sale, creating a steady revenue stream that funded servers, staff, and Lin’s personal profit—more than $6 million by prosecutors’ estimates. The marketplace had a very professional-looking modus operandi from branding, customer service, vendor ratings, and even its own internal financial system—the Incognito Bank—which allowed users to deposit cryptocurrency and transact anonymously. The system was designed to remove trust from human relationships and replace it with platform-controlled infrastructure. This was not chaos. It was corporate-style crime.Fentanyl, Fake Oxycodone, and Real Deaths
In January 2022, Lin explicitly allowed opiate sales on Incognito Market, a decision that proved deadly. Listings advertised “authentic” oxycodone, but laboratory tests later revealed fentanyl instead. In September 2022, a 27-year-old man from Arkansas died after consuming pills purchased through the platform. This is where the myth of victimless cybercrime collapsed. Incognito Market did not just move drugs—it amplified the opioid crisis and directly contributed to loss of life. U.S. Attorney Jay Clayton stated that Lin’s actions caused misery for more than 470,000 users and their families, a figure that shows the human cost behind the transactions.Exit Scam, Extortion, and the Final Collapse
When Incognito Market shut down in March 2024, Lin didn’t disappear quietly. He stole at least $1 million in user deposits and attempted to extort buyers and vendors, threatening to expose their identities and crypto addresses. His message was blunt: “YES, THIS IS AN EXTORTION!!!” It was a fittingly brazen end to an operation built on manipulation and fear. Judge Colleen McMahon called Incognito Market the most serious drug case she had seen in nearly three decades, labeling Lin a “drug kingpin.” The message from law enforcement is unmistakable: dark web platforms, cryptocurrency, and blockchain are not shields against justice.The Cyber Express Weekly Roundup: Threats, Regulations, and Digital Security Trends
30 January 2026 at 07:18
The Cyber Express Weekly Roundup
Cyberattack Hits Russian Security Firm Delta
On January 26, 2026, Delta, a Russian alarm and vehicle security provider, suffered a major cyberattack, disrupting alarms, vehicle systems, and company communications for tens of thousands of customers. While no confirmed customer data breach occurred, an unverified leak circulated online. Read more...Ad Fraud and Data Privacy: Brands Must Act Now
Ad fraud is escalating, costing the digital advertising industry billions and eroding consumer trust. Experts like Dhiraj Gupta of mFilterIt emphasize that brands can no longer rely on platform-reported metrics alone. Independent verification, real-time audits, and continuous monitoring of data flows are now essential to ensure privacy, enforce purpose limitations, and maintain accountability across complex advertising ecosystems. Read more…Ivanti Patches Critical Mobile Manager Zero-Days
Ivanti released emergency fixes for two critical zero-day code injection vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile. These flaws allow attackers to execute arbitrary code, access sensitive device and user data, and track locations. CISA added CVE-2026-1281 to its KEV catalog with a two-day remediation deadline for federal agencies. Read more...Cyble Discovers ShadowHS, a Stealthy Linux Post-Exploitation Framework
Cyble Research & Intelligence Labs uncovered ShadowHS, a fileless, in-memory Linux framework providing attackers with long-term, operator-controlled access. ShadowHS uses AES-encrypted payloads and stealthy memory execution to evade traditional antivirus software, enabling credential theft, lateral movement, privilege escalation, cryptomining, and covert data exfiltration. Read more...EU Data Breach Notifications Rise Amid GDPR Reform Talks
Data breach notifications in the EU surged 22% over the past year, averaging over 400 per day. GDPR fines remained high at approximately €1.2 billion in 2025. Discussions on the Digital Omnibus legislation highlight a need to balance efficiency in reporting with protecting fundamental privacy rights amid NIS2, DORA, and ongoing cybersecurity threats. Read more...New Cyberattacks Target U.S. Companies
Several U.S. companies, including Bumble, Panera, Match Group, and CrunchBase, faced phishing and vishing attacks against employees. Bumble reported brief unauthorized access to a small portion of its network, while other firms experienced limited exposure. The ShinyHunters hacking group claims responsibility and has issued extortion demands, emphasizing social engineering as a growing threat to high-profile organizations. Read more...Weekly Takeaway
The last week of January 2026 stresses that cybersecurity is no longer just a technical concern. From attacks on critical infrastructure in Russia to post-exploitation Linux frameworks, ad fraud, and regulatory scrutiny in the EU, organizations must combine technology, governance, and proactive monitoring to protect data, trust, and operations.Cyble Research Discovers ShadowHS, an In-Memory Linux Framework for Long-Term Access
30 January 2026 at 03:25
Fileless Execution and Weaponized Hackshell
The ShadowHS Linux framework operates entirely in memory, leaving no persistent binaries on disk. CRIL’s analysis revealed that the framework uses an encrypted shell loader to deploy a heavily modified version of hackshell, enabling an interactive post-exploitation environment. The loader decrypts and reconstructs the payload in memory using AES‑256‑CBC encryption, Perl byte skipping, and gzip decompression. The payload is executed via /proc/<pid>/fd/<fd> with a spoofed argv[0], ensuring that no filesystem artifacts remain. [caption id="" align="alignnone" width="918"] Payload Reconstruction & Fileless Execution (Source: CRIL)[/caption]
Once active, ShadowHS prioritizes reconnaissance, fingerprinting host security measures, evaluating prior compromises, and providing an operator-controlled interface. Its runtime behavior is deliberately restrained, allowing attackers to selectively invoke capabilities such as credential access, lateral movement, privilege escalation, cryptomining, and covert data exfiltration.
CRIL Observations on Operator-Centric Design
According to CRIL, ShadowHS reflects mature operator tradecraft rather than the patterns of opportunistic Linux malware. Its in-memory design allows operators to assess system security posture while avoiding traditional detection mechanisms. The payload performs aggressive EDR and AV fingerprinting, checking for commercial endpoint tools such as CrowdStrike, Tanium, Sophos, and Microsoft Defender, as well as cloud and OT/ICS telemetry agents. [caption id="" align="alignnone" width="903"] Runtime Dependency Validation (Source: CRIL)[/caption]
“ShadowHS demonstrates a clear separation between restrained runtime activity and extensive dormant capabilities,” CRIL notes. “This is indicative of a deliberate operator-driven post-exploitation platform rather than automated malware.”
Covert Data Exfiltration
One of ShadowHS’s most notable features is its ability to exfiltrate data without using standard network channels. The Linux framework implements user-space tunneling over GSocket, replacing rsync’s default transport. This allows files to be transferred stealthily across firewalls and restrictive network environments. CRIL observed two variants: one using DBus-based tunneling and another employing netcat-style GSocket tunnels, both preserving timestamps, permissions, and partial transfer state.Dormant Capabilities and Lateral Movement
ShadowHS also contains dormant modules that operators can activate on demand. These include:- Memory dumping for credential theft
- SSH-based lateral movement and brute-force scanning
- Privilege escalation using kernel exploits
- Cryptocurrency mining via XMRig, GMiner, and lolMiner
Implications for Threat Defense
The discovery of ShadowHS stresses the challenges organizations face in defending Linux environments against fileless, in-memory threats. CRIL notes that traditional signature-based antivirus solutions and file-based detection mechanisms are insufficient to detect frameworks like ShadowHS. Effective defense requires monitoring process behavior, kernel-level telemetry, and memory-resident activity. “ShadowHS represents a fully operator-controlled, adaptive Linux framework designed for stealth and long-term access,” CRIL stated. “Its use of a weaponized hackshell, fileless execution, and exfiltration methods highlights the growing need for proactive threat intelligence and advanced monitoring strategies.” See ShadowHS and new cyber threats in action, schedule your Cyble demo today, and gain real-time visibility into cyber risks before they impact your organization.The Year Ransomware Went Fully Decentralized: Cyble’s 2025 Threat Analysis
19 January 2026 at 05:54
Artificial intelligence further reshaped attacker operations. Cyble observed AI-assisted automation being embedded into multiple stages of the kill chain. Negotiation workflows were partially automated. Malware became more polymorphic. Intrusion paths were adapted in real time as defenses responded. These developments increased attack velocity while compressing dwell time, forcing defenders to operate with narrower margins for response.
Measured Threat Activity Across Underground Ecosystems
CRIL tracked 9,817 confirmed cyber threat incidents across forums, marketplaces, and leak sites during 2025. These incidents impacted organizations spanning critical infrastructure, government agencies, and law enforcement entities. [caption id="attachment_108748" align="aligncenter" width="946"] sectors and regions targeted by threat actors in 2025 (Source: Cyble)[/caption]
The breakdown of activity was heavily skewed toward monetized data exposure. 6,979 incidents involved breached datasets or compromised information advertised for sale. Another 2,059 incidents centered on the sale of unauthorized access, including credentials, VPN entry points, and administrative footholds. Government, law enforcement agencies (LEA), BFSI, IT & ITES, healthcare, education, telecommunications, and retail remained in the most consistently targeted sectors.
Geographic analysis showed a clear concentration of activity in Asia, where 2,650 incidents affected organizations through breaches, leaks, or access sales. North America followed with 1,823 incidents, while Europe and the United Kingdom recorded 1,779 incidents. At the country level, the United States, India, Indonesia, France, and Spain experienced the highest volume of targeting during the year.
Ransomware Growth and Structural Expansion
Cyble’s Annual Threat Landscape Report quantifies the scale of ransomware’s expansion over time. From 2020 to 2025, ransomware incidents increased by 355%, rising from roughly 1,400 attacks to nearly 6,500. While 2023 marked the largest year-over-year surge, 2025 produced the second-largest spike, with 47% more attacks than observed across the prior two years combined. The ransomware landscape also broadened structurally. CRIL identified 57 new ransomware groups and 27 new extortion-focused groups emerging in 2025 alone. More than 350 new ransomware strains surfaced during the year, many derived from established codebases such as MedusaLocker, Chaos, and Makop. Rather than consolidating, the ecosystem continued to fragment, complicating attribution and enforcement.Affiliate Mobility and Repeat Victimization
One of the most consequential trends documented in the Annual Threat Landscape Report was the recurrence of victim targeting. CRIL observed 62 organizations listed by multiple ransomware groups within the same year, sometimes within weeks. Across a five-year window, more than 250 entities suffered ransomware attacks more than once. [caption id="attachment_108750" align="aligncenter" width="945"] Ransomware attack trends between 2020 and 2025 (Source: Cyble)[/caption]
This pattern reflected widespread affiliate mobility. Ransomware-as-a-Service operators shared affiliates who moved between platforms, relisted victims, and reused stolen data to sustain pressure. Groups such as Cl0p, Qilin, Lynx, INC Ransom, Play, LockBit, and Crypto24 repeatedly claimed overlapping victims during short timeframes.
Several new groups, including Devman and Securotrop, initially operated within established RaaS programs before developing independent tooling and infrastructure. This progression blurred the line between affiliate and operator and further decentralized the ransomware landscape.
Law Enforcement Pressure and Criminal Countermoves
Law enforcement activity intensified throughout 2025. Authorities disrupted operations tied to CrazyHunters and 8Base and arrested or indicted affiliates associated with Black Kingdom, Conti, DoppelPaymer, RobbinHood, Scattered Spider, DiskStation, Ryuk, BlackSuit, and Yanluowang. These actions forced tactical changes but did not suppress activity. CRIL confirmed insider recruitment efforts by Scattered Spider, LAPSUS$ Hunters, and Medusa. Other groups, including Play and MedusaLocker, publicly referenced similar recruitment strategies through announcements on their data leak sites. The ransomware landscape responded to enforcement pressure by becoming opaquer rather than less active.Tactical Shifts Toward Extortion-Only Models
Operational realignment became more visible in 2025. Hunters International abandoned its RaaS model and rebranded as World Leaks, repositioning itself as an Extortion-as-a-Service provider while maintaining cross-relationships with RaaS operators such as Secp0. Analysis also indicated that Everest redirected part of its activity toward extortion-only campaigns, reducing reliance on encryption payloads. [caption id="attachment_108751" align="aligncenter" width="291"] Rebranded ransomware groups reported in 2025 (Source: Cyble)[/caption]
The year also saw widespread rebranding. Hunters International became World Leaks. Royal re-emerged as Chaos. LockBit 3.0 evolved into LockBit 4.5 and later 5.0. HelloKitty resurfaced as Kraken. At the same time, numerous groups dissolved or ceased operations, including ALPHV/BlackCat, Phobos/8Base, Cactus, RansomHub, and CrazyHunter.
Victimology and Sector Impact
Ransomware victimology data revealed 4,292 victims in the Americas, 1,251 in Europe and the UK, 589 across Asia and Oceania, and 202 within META-region organizations. The United States accounted for 3,527 victims, followed by Canada (360), Germany (251), the United Kingdom (198), Brazil (111), Australia (98), and India (67). Sectoral impact remained uneven but severe. Manufacturing recorded 600 impacted entities, with industrial machinery and fabricated metal manufacturers bearing the brunt. Healthcare followed with 477 victims, where general hospitals and specialty clinics were repeatedly targeted to exploit the sensitivity of Personal Health Information. Construction, professional services, IT & ITES, BFSI, and government organizations also experienced sustained pressure.Supply Chain Exploitation and Infrastructure Risk
Supply chain compromise emerged as a defining feature of the 2025 ransomware landscape. Cl0p’s exploitation of the Oracle E-Business Suite vulnerability CVE-2025-61882 affected more than 118 entities worldwide, primarily in IT & ITES. Among these victims were six organizations classified as critical infrastructure industries. Fog ransomware actors compounded supply chain risk by leaking GitLab source code from multiple IT firms. Government and law enforcement agencies in the United States were targeted aggressively, with more than 40 incidents impacting essential public services. Semiconductor manufacturers in Taiwan and the United States remained priority targets due to their role as global production hubs. European semiconductor developers also faced attacks, though at lower volumes.High-Impact Incidents and Strategic Targeting
Healthcare attacks continued to cause operational disruption, with repeated exposure of PHI used to intensify extortion pressure. Telecom providers faced sustained risk due to large-scale theft of customer PII, which threat actors actively traded and reused for downstream fraud. In several cases, ransomware groups removed breach disclosures from leak sites shortly after publication, suggesting successful ransom payments or secondary data sales. Aerospace and defense organizations experienced fewer incidents but higher impact. One of the most significant events in 2025 was the attack on Collins Aerospace, which disrupted operations across multiple European airports and exposed proprietary defense technologies. Telemetry indicated disproportionate targeting of NATO-aligned defense developers. Cyble’s Annual Threat Landscape Report makes one conclusion unavoidable: ransomware is no longer a disruption-driven threat; it is an intelligence-led, adaptive business model that thrives under pressure. The data from 2025 shows an ecosystem optimized for speed, affiliate mobility, and supply-chain leverage, with AI now embedded deep into extortion workflows and intrusion paths. The Cyble Annual Threat Landscape Report provides complete datasets, regional breakdowns, threat actor analysis, and tactical intelligence drawn directly from CRIL’s monitoring of underground ecosystems. Readers can download the report to access the detailed findings, charts, and threat mappings referenced throughout this analysis. Organizations looking to operationalize this intelligence can also book a Cyble demo to see how Cyble’s AI-powered threat intelligence platform translates real-world adversary data into actionable defense, combining automated threat hunting, supply-chain risk visibility, and predictive analytics driven by Cyble’s latest generation of agentic AI.The Cyber Express Weekly Roundup: Leadership Changes, Blackouts, Malware, and AI Safety Actions
16 January 2026 at 06:24
The Cyber Express Weekly Roundup
X Tightens Grok AI Restrictions
X (previously Twitter) introduced new restrictions on its AI chatbot Grok to prevent the creation of nonconsensual sexualized images, including content that may constitute child sexual abuse material. Measures include blocking sexualized image edits of real people, limiting image generation to paid users, and applying geoblocking where such content is illegal. The changes follow widespread abuse reports and ongoing investigations by U.S. and European authorities. Read more…NSA Appoints Timothy Kosiba as Deputy Director
The National Security Agency announced the appointment of Timothy Kosiba as its 21st Deputy Director, making him the agency’s senior civilian official responsible for strategy execution, policy, and operational priorities. Kosiba brings more than 30 years of experience across the U.S. intelligence community, including senior roles at the NSA and U.S. Cyber Command, overseas liaison assignments, and leadership of major operational units. Read more…Iran Enters Fourth Day of Nationwide Internet Blackout
Iran entered a fourth day of a nationwide internet blackout amid widespread unrest linked to the collapse of the rial, now trading at 1.4 million to the U.S. dollar. Authorities reduced national connectivity to approximately 1%, cutting off communications for more than 80 million people. Reports indicate thousands have been detained and hundreds killed since protests began, drawing international concern over censorship, human rights, and crisis communications. Read more…Dr. Amit Chaubey Warns of Expanding “Business Blast Radius”
In an interview with The Cyber Express, Dr. Amit Chaubey said cyber incidents in 2026 are creating a broader “business blast radius,” extending beyond IT into national resilience, legal exposure, operational continuity, and public trust. He identified failures in external dependencies, such as cloud services, identity systems, connectivity, and key suppliers, as the primary drivers of large-scale disruption, warning that many organizations remain unprepared for sustained degraded operations. Read more…Endesa Data Breach Affects Energía XXI Customers
Spanish energy provider Endesa disclosed a data breach involving unauthorized access to its commercial platform, impacting customers of its regulated operator Energía XXI. Exposed data includes identification details, contact information, national identity numbers, contract data, and possible payment information such as IBANs. Endesa stated that account passwords were not compromised and reported no evidence of data misuse as investigations continue. Read more…New Android Banking Malware deVixor Identified
Cyble researchers identified a new Android banking malware called deVixor, a remote access trojan combining credential theft, device surveillance, and ransomware functionality. Active since October, the malware targets Iranian users through phishing sites distributing malicious APKs and is operated as a service-based criminal platform using Telegram and Firebase infrastructure. Researchers noted the malware’s scalability and long-term operational design. Read more…Microsoft Disrupts RedVDS Cybercrime Platform
Microsoft announced the takedown of RedVDS, a cybercrime-as-a-service platform costing $24 per month that provided criminals with disposable virtual machines for fraud operations. In coordination with international law enforcement, Microsoft seized infrastructure linked to an estimated $40 million in reported U.S. fraud losses, with victims across healthcare, real estate, nonprofit, and other sectors. The action marks Microsoft’s 35th civil case against cybercrime infrastructure. Read more…Weekly Roundup Takeaway
This week’s events highlight how cybersecurity in 2026 directly affects governance, economic stability, civil rights, and technology accountability. From intelligence leadership changes and state-imposed internet shutdowns to advanced malware, large-scale fraud platforms, and AI safety enforcement, cyber risks now demand coordinated action across policy, regulation, and operations rather than technical controls alone.The Cyber Express Weekly Roundup: Schools, Hacktivists, and National Cyber Overhauls
9 January 2026 at 05:46
The Cyber Express Weekly Roundup
Higham Lane School Cyberattack Forces Temporary Closure
Higham Lane School in Nuneaton, England, closed temporarily after a cyberattack disrupted IT systems, affecting 1,500 students. Staff and students must avoid platforms like Google Classroom while cybersecurity experts and the Department for Education investigate. Read more...Hacktivist Takes Down White Supremacist Websites Live at Conference
Hacktivist Martha Root gained attention by deleting white supremacist websites live at the Chaos Communication Congress in Hamburg. Targeted platforms included WhiteDate, WhiteChild, and WhiteDeal. Root also exposed partial data from over 6,000 WhiteDate profiles, sharing it with controlled-access platforms DDoSecrets and HaveIBeenPwned. Read more...UK Announces £210 Million Cybersecurity Overhaul
The UK government announced a £210 million cybersecurity initiative to address “critically high” risks across public sector systems, many of which rely on vulnerable legacy platforms. The plan includes creating a Government Cyber Unit for cross-department coordination and accountability, establishing the Government Cyber Coordination Centre (GC3) for strategic defense, and launching the first Government Cyber Profession to tackle skills shortages, supported by a Cyber Resourcing Hub. Read more...Australian Insurer Prosura Suffers Cyber Incident
In Australia, Prosura temporarily shut down online policy management and claim portals following unauthorized access to internal systems on January 3, 2026. Customer names, emails, phone numbers, and policy details may have been exposed, though payment information remained secure. Read more...U.S. Withdraws from International Cyber Coalitions
The United States announced its withdrawal from 66 international organizations related to cybersecurity, digital rights, and hybrid threat cooperation. These include the Hybrid CoE, GFCE, and Freedom Online Coalition. Officials cited misalignment with U.S. interests, raising concerns over reduced intelligence sharing and potential gaps in global cyber defense. Read more...Weekly Takeaway
This week’s cybersecurity news from The Cyber Express shows that 2026 is already marked by complex threats. From school closures and corporate breaches to government reforms and international policy shifts, data breaches impact education, public services, and businesses. Protecting digital systems now requires vigilance, technical skill, and proactive governance, making strong cybersecurity strategies essential to protect operations, trust, and public safety worldwide.European Space Agency Confirms Cybersecurity Breach on External Servers
5 January 2026 at 01:19
Source: ESA Twitter Handle[/caption]
ESA said it will provide further updates as additional details become available.
Threat Actor Claims Data Theft
The confirmation follows claims posted on BreachForums and DarkForums, where a hacker using the alias “888” alleges responsibility for the cybersecurity breach. According to the posts, the attack occurred on December 18, 2025, and resulted in the full exfiltration of internal ESA development assets. The threat actor claims to have stolen over 200 GB of data, including private Bitbucket repositories, source code, CI/CD pipelines, API tokens, access tokens, configuration files, Terraform files, SQL files, confidential documents, and hardcoded credentials. “I’ve been connecting to some of their services for about a week now and have stolen over 200GB of data, including dumping all their private Bitbucket repositories,” the actor wrote in one forum post. The stolen data is reportedly being offered as a one-time sale, with payment requested exclusively in Monero (XMR), a cryptocurrency commonly associated with underground cybercrime marketplaces. [caption id="attachment_108222" align="aligncenter" width="832"] Source: Data Breach Fourm[/caption]
ESA has not verified the authenticity or scope of the claims made by the threat actor.
So far, ESA has not disclosed which specific external servers were compromised or whether any credentials or development assets referenced by the threat actor were confirmed to be exposed.
Founded 50 years ago and headquartered in Paris, the European Space Agency is an intergovernmental organization that coordinates space activities across 23 member states.
Given ESA’s role in space exploration, satellite systems, and scientific research, cybersecurity incidents involving the agency carry heightened strategic and reputational significance.
Previous European Space Agency Cybersecurity Incidents
This is not the first cybersecurity breach involving ESA in recent years. In December 2024, the agency’s official web shop was compromised after attackers injected malicious JavaScript code designed to steal customer information and payment card data during checkout. That incident raised concerns around third-party systems and external-facing infrastructure, an issue that appears relevant again in the current breach involving non-corporate servers.What Happens Next
While ESA insists the compromised systems hosted only unclassified data, the ongoing forensic investigation will be critical in determining the true scope and impact of the breach. As threat actors continue to publish claims on hacking forums, the incident highlights the growing cybersecurity risks facing large scientific and governmental organizations that rely heavily on collaborative and distributed digital environments. ESA has said further updates will be shared once more information becomes available.59,000 Servers Breached: Operation PCPcat Targets React and Next.js at Internet Scale
24 December 2025 at 07:19
Exploited Vulnerabilities and Initial Access
The attackers behind PCPcat are exploiting two critical vulnerabilities identified as CVE-2025-29927 and CVE-2025-66478. Both flaws reportedly impact Next.js deployments and allow attackers to execute arbitrary code remotely. The attack begins with a mass scanning of publicly exposed domains running vulnerable React frameworks. Once a susceptible server is identified, the attackers use a technique known as prototype pollution, a well-known JavaScript vulnerability class. By injecting malicious payloads through crafted JSON data, the attackers manipulate JavaScript object prototypes, ultimately tricking the server into executing unauthorized commands. This approach allows the attackers to bypass traditional authentication mechanisms and gain full control of the affected React Servers without needing valid credentials.Credential Theft and Post-Exploitation Activity
Once access is achieved, the malware deployed by Operation PCPcat behaves as a highly efficient credential stealer. It immediately searches for sensitive data stored on the system, including:- .env configuration files
- SSH private keys
- Cloud service credentials
- System environment variables
Centralized Command-and-Control Infrastructure
The compromised servers are managed through a centralized C2 server located at 67.217.57.240, hosted in Singapore. This server coordinates the operation by assigning new scanning targets and collecting stolen data from infected machines. Notably, the attackers left an internal statistics dashboard publicly accessible, allowing researchers to directly observe the scope of the operation in real time. The dashboard confirmed the scale of the campaign and revealed how efficiently PCPcat was spreading across vulnerable React Servers.Persistence and Self-Sustaining Propagation
To maintain long-term access, the malware installs proxy tools such as GOST and Fast Reverse Proxy on infected systems. These tools are configured as systemd services, ensuring that the malware automatically restarts whenever the server reboots. Each compromised machine is also programmed to request 2,000 new target IPs every 45 minutes from the C2 server. This design creates a self-sustaining infection loop, allowing Operation PCPcat to expand rapidly without direct operator involvement. This level of automation suggests a highly organized and well-resourced threat actor rather than an opportunistic attack.Detection and Defensive Measures
As Operation PCPcat evolves, organizations running React frameworks and React Servers should assume potential exposure and act quickly by auditing .env files, rotating credentials, reviewing logs for suspicious activity, monitoring outbound traffic to known C2 infrastructure, and using YARA signatures to detect the PCPcat credential stealer. The campaign highlights the growing risk to modern JavaScript ecosystems, where widespread React and Next.js adoption, combined with misconfigurations or unpatched flaws, enables large-scale compromise, with possible long-term impacts on cloud and enterprise environments. To stay ahead as attackers adapt their tactics, security teams can strengthen detection and response with Cyble’s AI-powered threat intelligence and book a free demo with Cyble to gain real-time visibility into new cyber threats and protect their infrastructure proactively.Indian Vehicle Owners Warned as Browser-Based e-Challan Phishing Gains Momentum
24 December 2025 at 02:44
How the e-Challan Phishing Campaign Operates
[caption id="" align="aligncenter" width="683"] e-Challan Phishing Chain (Source: Cyble)[/caption]
The e-challan phishing campaign primarily targets Indian vehicle owners through unsolicited SMS messages. These messages claim that a traffic violation fine is overdue and must be paid immediately to avoid legal consequences. The SMS typically contains threatening language referencing court action, license suspension, or additional penalties.
A shortened or deceptive URL, crafted to resemble an official e-challan domain, is embedded in the message. Notably, the messages lack personalization, allowing attackers to distribute them at scale. The sender appears as a regular mobile number rather than an identifiable shortcode, which increases delivery success and reduces immediate suspicion.
[caption id="attachment_108077" align="aligncenter" width="960"] Deceptive traffic fine SMS carrying a malicious e-Challan payment link (Source: Cyble)[/caption]
Clicking the link redirects the victim to a fraudulent e-challan portal hosted on the IP address 101[.]33[.]78[.]145. The phishing page closely mimics the branding and structure of legitimate government services, visually replicating official insignia, references to the Ministry of Road Transport and Highways (MoRTH), and National Informatics Centre (NIC) branding.
[caption id="" align="aligncenter" width="1024"] Fake e-Challan landing page (Source: Cyble)[/caption]
Technical analysis revealed that the page content was originally authored in Spanish and later translated into English via browser prompts, suggesting that attackers are reusing phishing templates across regions.
Fabricated Challans and Psychological Manipulation
Once on the fake portal, users are prompted to enter basic details such as a vehicle number, challan number, or driving license number. Regardless of what information is entered, the system generates a convincing-looking challan record. [caption id="" align="aligncenter" width="1024"] Fraudulent e-Challan record generated (Source: Cyble)[/caption]
The fabricated record typically displays a modest fine amount, such as INR 590, along with a near-term expiration date. Prominent warnings about license suspension, court summons, or legal proceedings are displayed to heighten urgency.
This step is purely psychological. No real backend verification occurs. The goal is to convince victims that the challan is legitimate and time-sensitive, a hallmark of effective e-challan phishing and other RTO-themed threats.
Card Data Harvesting and Payment Abuse
When victims click “Pay Now,” they are taken to a payment page that claims to offer secure processing through an Indian bank. [caption id="" align="aligncenter" width="1024"] Fake e-Challan payment page limited to credit and debit card payments (Source: Cyble)[/caption]
However, the page only accepts credit or debit card payments, deliberately excluding UPI or net banking options that might leave clearer transaction trails. No redirection to an official payment gateway occurs. Instead, victims are asked to enter full card details, including card number, expiry date, CVV, and cardholder name.
Testing showed that the page accepts repeated card submissions without error, regardless of transaction outcome. This behavior indicates that all entered card data is transmitted directly to attacker-controlled servers, confirming the campaign’s focus on financial theft rather than legitimate payment processing.
Shared Infrastructure and Campaign Expansion
CRIL’s infrastructure analysis revealed that the same hosting environment is being used to support multiple phishing lures beyond e-challan scams. Another attacker-controlled IP address, 43[.]130[.]12[.]41, was found hosting domains impersonating India’s e-Challan and Parivahan services. [caption id="attachment_108078" align="aligncenter" width="960"] Additional phishing infrastructure backing fraudulent e-Challan portals (Source: Cyble)[/caption]
Several domains closely resemble legitimate branding, including lookalikes such as parizvaihen[.]icu. These domains appear to be automatically generated and rotated, suggesting the use of domain generation techniques to evade takedowns and blocklists.
Further investigation into IP address 101[.]33[.]78[.]145 uncovered more than 36 phishing domains impersonating e-challan services alone. The same infrastructure also hosted phishing pages targeting the BFSI sector, including HSBC-themed payment lures, as well as logistics companies such as DTDC and Delhivery.
[caption id="" align="aligncenter" width="1024"] Phishing page mimicking a DTDC failed delivery alert (Source: Cyble)[/caption]
Consistent user interface patterns and identical payment-harvesting logic across these campaigns confirm the existence of a shared phishing backend supporting multiple fraud verticals.
