Android attackers use fake apps and droppers to spread the Wonderland SMS stealer, stealing OTPs, SMS data, and bank funds, mainly in Uzbekistan.
Category: cybercrime/malcode
Nissan says thousands of customers exposed in Red Hat breach
Nissan Motor Co. Ltd. (Nissan) has confirmed that information of thousands of its customers has been compromised after the data breach at Red Hat in September.
The Japanese multinational automobile manufacturer headquartered in Yokohama, Japan, produces more than 3.2 million cars a year. The company employs 120,000 people and has a strong presence in Japan, North America, Europe, and Asia.
In an announcement yesterday, Nissan informed that it was indirectly impacted by a security breach incident at the U.S.-based enterprise software company Red Hat.
New MacSync malware dropper evades macOS Gatekeeper checks
The latest variant of the MacSync information stealer targeting macOS systems is delivered through a digitally signed, notarized Swift application.
Security researchers at Apple device management platform Jamf say that the distribution method constitutes a significant evolution from past iterations that used less sophisticated “drag-to-Terminal” or ClickFix tactics.
“Delivered as a code-signed and notarized Swift application within a disk image named zk-call-messenger-installer-3.9.2-lts.dmg, distributed via https://zkcall.net/download, it removes the need for any direct terminal interaction,” the researchers say in a report today.
Interpol-led action decrypts 6 ransomware strains, arrests hundreds
An Interpol-coordinated initiative called Operation Sentinel led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents.
Between October 27 and November 27, the investigation, which involved law enforcement in 19 countries, took down more than 6,000 malicious links and decrypted six distinct ransomware variants.
Interpol says that the cybercrime cases investigated are connected to more than $21 million in financial losses.
Russia-Linked Hackers Use Microsoft 365 Device Code Phishing for Account Takeovers
A suspected Russia-aligned group has been attributed to a phishing campaign that employs device code authentication workflows to steal victims’ Microsoft 365 credentials and conduct account takeover attacks.
The activity, ongoing since September 2025, is being tracked by Proofpoint under the moniker UNK_AcademicFlare.
The attacks involve using compromised email addresses belonging to government and military organizations to strike entities within government, think tanks, higher education, and transportation sectors in the U.S. and Europe.
Nigeria Arrests RaccoonO365 Phishing Developer Linked to Microsoft 365 Attacks
Authorities in Nigeria have announced the arrest of three “high-profile internet fraud suspects” who are alleged to have been involved in phishing attacks targeting major corporations, including the main developer behind the RaccoonO365 phishing-as-a-service (PhaaS) scheme.
The Nigeria Police Force National Cybercrime Centre (NPF–NCCC) said investigations conducted in collaboration with Microsoft and the Federal Bureau of Investigation (FBI) led to the identification of Okitipi Samuel, also known as Moses Felix, as the principal suspect and developer of the phishing infrastructure.
“Investigations reveal that he operated a Telegram channel through which phishing links were sold in exchange for cryptocurrency and hosted fraudulent login portals on Cloudflare using stolen or fraudulently obtained email credentials,” the NPF said in a post shared on social media.
Microsoft 365 accounts targeted in wave of OAuth phishing attacks
Multiple threat actors are compromising Microsoft 365 accounts in phishing attacks that leverage the OAuth device code authorization mechanism.
Attackers trick victims into entering a device code on Microsoft’s legitimate device login page, unknowingly authorizing an attacker-controlled application and granting them access to the target account without stealing credentials or bypassing multi-factor authentication (MFA).
Although the method isn’t new, email security firm Proofpoint says that these attacks have increased significantly in volume since September, and involve both financially motivated cybercriminals like TA2723 and state-aligned threat actors.
Over 25,000 FortiCloud SSO devices exposed to remote attacks
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025–59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025–59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company’s FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.