bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
According to cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, and the AVCheck site, SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025
Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.
The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.
When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.
The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.
Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.
Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.
"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."
CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.
On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."
Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.
More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).
"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.
bleepingcomputer.com By Bill Toulas
October 10, 2025
The FBI has seized last night all domains for the BreachForums hacking forum operated by the ShinyHunters group mostly as a portal for leaking corporate data stolen in attacks from ransomware and extortion gangs.
The FBI seized a BreachForums domain used by the ShinyHunters group as a data leak extortion site for the widespread Salesforce attacks, with the threat actor stating that law enforcement also stole database backups for the notorious hacking forum.
The domain, Breachforums.hn, was previously used to relaunch the hacking forum this summer, but the site was soon taken offline again after some of its alleged operators were arresteds.
In October, the domain was converted into a Salesforce data leak site by Scattered Lapsus$ Hunters, a gang claiming to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, to extort companies impacted by the Salesforce data theft attacks.
On Tuesday, both the clearnet breachforums.hn data leak site and its Tor counterpart went offline. While the Tor site was quickly restored, the breachforums domain remained inaccessible, with its domains switched to Cloudflare nameservers previously used for domains seized by the U.S. government.
Last night, the FBI completed the action, adding a seizure banner to the site and switching the domain's name servers to ns1.fbi.seized.gov and ns2.fbi.seized.gov.
According to the seizure message, law enforcement authorities in the U.S. and France collaborated to take control of the BreachForums web infrastructure before the Scattered Lapsus$ Hunters hacker began leaking data from Salesforce breaches.
However, with the Tor dark web site still accessible, the threat actors claim they will begin leaking Salesforce data tonight at 11:59 PM EST for companies that do not pay a ransom.
Backups since 2023 under FBI control
In addition to taking down the data leak site, ShinyHunters confirmed that law enforcement gained access to archived databases for previous incarnations of the BreachForums hacking forum.
In a Telegram message confirmed by BleepingComputer to be signed with ShinyHunters' PGP key, the threat actor said the seizure was inevitable and added that "the era of forums is over."
From the analysis conducted after law enforcement's action, ShinyHunters concluded that all BreachForums database backups since 2023 have been compromised, along with all escrow databases since the latest reboot.
The gang also said that the backend servers have been seized. However, the gang's data leak site on the dark web is still online.
The ShinyHunters team stated that no one in the core admin team has been arrested, but they will not launch another BreachForums, noting that such sites should be viewed as honeypots from now on.
According to the threat actor's message, after RaidForum's takedown, the same core team planned multiple forum reboots, using admins like pompompurin as fronts.
The cybercriminals emphasized that the seizure does not affect their Salesforce campaign, and the data leak is still scheduled for today at 11:59 PM EST.
The gang's data leak site on the dark web shows a long list of companies affected by the Salesforce campaing, among them FedEx, Disney/Hulu, Home Depot, Marriott, Google, Cisco, Toyota, Gap, McDonald's, Walgreens, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, Transunion, HBO MAX, UPS, Chanel, and IKEA.
According to the hackers, they stole more than one billion records containing customer information.
The most recent relaunch of the BreachForums in its classic form was announced by ShinyHunters in July 2025, a few days after law enforcement authorities in France arrested four administrators of previous reboots, including the individuals with the usernames ShinyHunters, Hollow, Noct, and Depressed.
At the same time, U.S. authorities announced charges against Kai West, a.k.a. 'IntelBroker,' a high-profile member of the BreachForums cybercrime ecosystem.
In mid-August, BreachForums went offline, and ShinyHunters published a PGP-signed message stating that the forum's infrastructure had been seized by France's BL2C unit and the FBI, warning that there would be no further reboots.
Update 10/10/25: Updated story with more details.
bleepingcomputer.com
By Sergiu Gatlan
September 3, 2025
Update September 04, 06:27 EDT: Updated the list of cybersecurity companies whose Salesforce instances were breached in the Salesloft supply chain attack.
Workiva, a leading cloud-based SaaS (Software as a Service) provider, notified its customers that attackers who gained access to a third-party customer relationship management (CRM) system stole some of their data.
The company's cloud software helps collect, connect, and share data for financial reports, compliance, and audits. It had 6,305 customers at the end of last year and reported revenues of $739 million in 2024.
Its customer list includes 85% of the Fortune 500 companies and high-profile clients such as Google, T-Mobile, Delta Air Lines, Wayfair, Hershey, Slack, Cognizant, Santander, Nokia, Kraft Heinz, Wendy's, Paramount, Air France KLM, Mercedes-Benz, and more.
According to a private email notification sent to affected Workiva customers last week and seen by BleepingComputer, the threat actors exfiltrated a limited set of business contact information, including names, email addresses, phone numbers, and support ticket content.
"This is similar to recent events that have targeted several large organizations. Importantly, the Workiva platform and any data within it were not accessed or compromised," the company explained. "Our CRM vendor notified us of unauthorized access via a connected third-party application."
Workiva also warned impacted customers to remain vigilant, as the stolen information could be used in spear-phishing attacks.
"Workiva will never contact anyone by text or phone to request a password or any other secure details. All communications from Workiva come through our trusted official support channels," it said.
Salesforce data breaches
While Workiva didn't share more details regarding this attack, BleepingComputer has learned that this incident was part of the recent wave of Salesforce data breaches linked to the ShinyHunters extortion group that impacted many high-profile companies.
Most recently, Cloudflare disclosed that it was forced to rotate 104 Cloudflare platform-issued tokens stolen by ShinyHunters threat actors, who gained access to the Salesforce instance used for customer support and internal customer case management in mid-August.
ShinyHunters has been targeting Salesforce customers in data theft attacks using voice phishing (vishing) since the start of the year, impacting companies such as Google, Cisco, Allianz Life, Farmers Insurance, Workday, Qantas, Adidas, and LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.
More recently, the extortion group has shifted to using stolen OAuth tokens for Salesloft's Drift AI chat integration with Salesforce to gain access to customer Salesforce instances and extract sensitive information, such as passwords, AWS access keys, and Snowflake tokens, from customer messages and support tickets.
Using this method, ShinyHunters also gained access to a small number of Google Workspace accounts in addition to stealing Salesforce CRM data and breaching the Salesforce instances of multiple cybersecurity companies, including Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.
Unknown threat actors have breached the National Nuclear Security Administration's network in attacks exploiting a recently patched Microsoft SharePoint zero-day vulnerability chain.
NNSA is a semi-autonomous U.S. government agency part of the Energy Department that maintains the country's nuclear weapons stockpile and is also tasked with responding to nuclear and radiological emergencies within the United States and abroad.
A Department of Energy spokesperson confirmed in a statement that hackers gained access to NNSA networks last week.
"On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA," Department of Energy Press Secretary Ben Dietderich told BleepingComputer. "The Department was minimally impacted due to its widespread use of the Microsoft M365 cloud and very capable cybersecurity systems."
Dietderich added that only "a very small number of systems were impacted" and that "all impacted systems are being restored."
As first reported by Bloomberg, sources within the agency also noted that there's no evidence of sensitive or classified information compromised in the breach.
The APT29 Russian state-sponsored threat group, the hacking division of the Russian Foreign Intelligence Service (SVR), also breached the U.S. nuclear weapons agency in 2019 using a trojanized SolarWinds Orion update.
Attacks linked to Chinese state hackers, over 400 servers breached
On Tuesday, Microsoft and Google linked the widespread attacks targeting a Microsoft SharePoint zero-day vulnerability chain (known as ToolShell) to Chinese state-sponsored hacking groups.
"Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers," Microsoft said.
"In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities. Investigations into other actors also using these exploits are still ongoing."
Dutch cybersecurity firm Eye Security first detected the zero-day attacks on Friday, stating that at least 54 organizations had already been compromised, including national government entities and multinational companies.
Cybersecurity firm Check Point later revealed that it had spotted signs of exploitation going back to July 7th targeting dozens of government, telecommunications, and technology organizations in North America and Western Europe.
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations.
The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations.
"We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson.
"Due to the safety measures initiated as a result of the incident, production was temporarily affected."
Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries.
The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide.
The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week.
"Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected."
Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases.
"We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson.
BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time.
Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.
A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users.
#Android #Breach #Code #Computer #Data #Europcar #GitLab #InfoSec #Security #Source #iOS
A hacker claims to have stolen thousands of internal documents with user records and employee data after breaching the systems of Orange Group, a leading French telecommunications operator and digital service provider.
#Breach #Computer #Data #Email #Extortion #InfoSec #Jira #Leak #Orange #Ransom #S.A. #Security
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
#CISA #Computer #Cring #Critical #FBI #Ghost #InfoSec #Infrastructure #Ransomware #Security
A help desk phishing campaign targets an organization's Microsoft Active Directory Federation Services (ADFS) using spoofed login pages to steal credentials and bypass multi-factor authentication (MFA) protections.
#ADFS #Account #Computer #InfoSec #Lateral #MFA #Microsoft #Notification #Phishing #Push #Security #Takeover
Security researchers have discovered an arbitrary account takeover flaw in Subaru's Starlink service that could let attackers track, control, and hijack vehicles in the United States, Canada, and Japan using just a license plate.
#Account #Canada #Car #Computer #Hacking #InfoSec #Japan #Security #Starlink #Subaru #Takeover #USA
Apple recently addressed a macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions.
#Apple #Computer #InfoSec #Integrity #Microsoft #Protection #SIP #Security #System #Vulnerability #macOS
A large-scale malvertising campaign distributed the Lumma Stealer info-stealing malware through fake CAPTCHA verification pages that prompt users to run PowerShell commands to verify they are not a bot.
Ascension, one of the largest private U.S. healthcare systems, is notifying over 5.6 million patients and employees that their personal and health data was stolen in a May cyberattack linked to the Black Basta ransomware operation.
The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms.
T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.
A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
