Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs…

Trellix reveals how the India-linked DoNot APT group launched a sophisticated spear-phishing attack on a European foreign affairs ministry. Learn about their tactics, the LoptikMod malware, and why this cyber espionage campaign matters for global diplomacy.

A sophisticated campaign by the notorious DoNot APT group, also known by names like APT-C-35 and Mint Tempest, has recently targeted a European foreign affairs ministry. This attack, uncovered by the Trellix Advanced Research Centre, highlights the group’s expanding reach beyond its traditional focus on South Asia.

Active since at least 2016, the DoNot APT group is a persistent threat, primarily known for targeting government, military, and diplomatic organisations. This group is believed to operate with a focus on South Asian geopolitical interests and has been attributed by several vendors to have links to India. This recent incident, however, reveals a broadening of their operations into Europe.

Trellix’s researchers were able to identify this campaign by blocking the initial email chain, which allowed them to analyse the attack’s Tactics, Techniques, and Procedures (TTPs). Reportedly, the attackers employed a highly deceptive spear-phishing tactic, impersonating European defence officials.

These malicious emails, which mentioned a visit to Bangladesh, aimed to trick targets into clicking on a harmful Google Drive link. This method of using common cloud services for initial infection showcases the group’s adaptability in their approach.

The attack unfolded in several calculated steps. The initial spear-phishing email originated from a Gmail address (int.dte.afd.1@gmailcom). It featured a subject line related to diplomatic activities, specifically “Italian Defence Attaché Visit to Dhaka, Bangladesh.” The attackers even used HTML formatting with UTF-8 encoding to properly display special characters like “é” in “Attaché,” signifying attention to detail to increase legitimacy.

Attackers’ TTPs (Source: Trellix)

Upon clicking the Google Drive link, victims downloaded a malicious RAR archive named ‘SyClrLtr.rar,’ containing an executable file disguised as a PDF (notflog.exe). It deployed a batch file and established persistence, meaning the malware would remain active through a scheduled task set to run every 10 minutes.

The malware involved in this campaign is LoptikMod, a tool exclusively associated with the DoNot APT group since 2018. This malware gathers system details such as CPU model, operating system information, username, and hostname.

This information is then encrypted and sent to a command and control (C2) server, which allows the attackers to maintain communication and potentially exfiltrate sensitive data. It is worth noting that beyond LoptikMod, the DoNot APT group also uses custom-built Windows malware, including backdoors like YTY and GEdit.

The targeting of a European foreign affairs ministry highlights the group’s unwavering interest in collecting sensitive information and its increasing global reach. Such attacks on diplomatic entities are classic examples of espionage operations, aiming to gain unauthorised access to classified state communications, policy documents, and intelligence reports.

Organisations, particularly those in government and diplomacy, are, hence, urged to enhance their cybersecurity measures, including stronger email security, network traffic analysis, and endpoint detection and response (EDR) solutions, to defend against these evolving threats.

DoNot APT Hits European Ministry with New LoptikMod Malware

A new report details how the advanced hacking tool Shellter Elite was leaked and is now being used…

A new report details how the advanced hacking tool Shellter Elite was leaked and is now being used by cybercriminals. Learn about its evasion techniques and the infostealer campaigns.

Shellter Elite, a sophisticated tool for cybersecurity professionals, has fallen into the wrong hands, with its leaked copy being actively used by cybercriminals. This disclosure comes after security researchers at Elastic Security Labs identified its use in widespread attacks, leading to the deployment of several notorious infostealers. This research was shared with Hackread.com.

For your information, Shellter Elite is a specialised program intended for ethical hackers, also known as red teams or penetration testers, to help them test the defences of computer systems by deploying hidden software within normal Windows files, enabling evasion of EDR tools.

Elastic’s technical report highlights SHELLTER’s unique capabilities to evade analysis and detection, including polymorphic obfuscation, unhooking system modules, and encrypting payloads using AES-128 CBC.

The Shellter Project, the company behind the software, confirmed that a company which had recently purchased Shellter Elite licenses had leaked their copy. This breach allowed cybercriminals to use the tool for harmful activities, including spreading infostealer malware (software designed to steal sensitive personal information). Shellter stated this is the first known incident of misuse since their strict licensing model was introduced in February 2023, emphasising their strict vetting process.

Evidence from an underground hacker forum, as seen in a screenshot dated May 16, 2025, indicates the Shellter Elite v11.0 version is being offered to serious buyers. The forum post notes its high cost compared to similar tools like Brute Ratel or Cobalt Strike, and highlights its difficulty in obtaining. This online discussion underscores the black market interest in the leaked software.

Source: Elastic Security Labs

Elastic Security Labs publicly reported on July 3 that multiple hacking groups have been exploiting Shellter Elite v11.0 since at least April 2025. They found that this activity started as early as April, with hackers distributing infostealers like Rhadamanthys, Lumma, and Arechclient2, through YouTube comments and phishing emails.

Activity Timeline (source: Elastic Security Labs)

Elastic observed sophisticated evasion techniques in these malicious campaigns, such as API hashing obfuscation and advanced VM/sandbox and debugger detection. Based on unique license details, Elastic researchers believed the hackers were using a single leaked copy, a fact later confirmed by Shellter.

In response, Shellter has released an updated version, Elite 11.1, which will only be provided to carefully checked customers, specifically excluding the one responsible for the leak. Elastic has also developed new ways to detect payloads created with the older, leaked v11.0 version.

However, Shellter accused Elastic of “reckless and unprofessional” conduct, claiming they prioritised a “surprise exposé” over public safety by withholding details for months. This delay, Shellter noted, nearly resulted in the malicious actor receiving a more evasive update.

While criticising Elastic’s approach, Shellter did thank Devon Kerr from Elastic for providing samples that helped them confirm the customer’s identity. The Shellter Project also apologised to its customers and reaffirmed its commitment to cooperating with law enforcement against cybercriminals.

“The abuse of Shellter Elite is an urgent reminder that every security tool built for ethical offence can be weaponised against the organisations it was meant to protect,” said Ronen Ahdut, Head of Cyops at Cynet. “In this way, the hijacking of Shellter Elite exemplifies a structural vulnerability in the supply chain for offensive cybersecurity tools.”

“As Shellter’s compromise is investigated, cybersecurity leaders must take action to strengthen operational defences and increase vendor oversight,” Ronen emphasised.

This isn’t the first time a tool built for ethical hacking has ended up in the wrong hands. Cobalt Strike is one of the best-known examples, originally made for red teams to test network security, has been cracked and spread through underground forums for years.

Today, cybercriminals and ransomware gangs use it to breach systems and deploy malware, turning a tool meant to help companies protect themselves into something attackers use against them.

Leaked Shellter Elite Tool Now Fueling Infostealer Attacks Worldwide

FBI seizes top piracy sites leaking unreleased and pirated video games with millions of downloads and 170 million dollars in losses for developers and publishers.

The Department of Justice and the FBI’s Atlanta Field Office confirmed today that they have seized and dismantled several notorious online marketplaces distributing pirated video games.

The targeted sites had gained popularity for leaking unreleased titles to millions of users worldwide. Visitors who try to reach these domains now see a federal notice stating **“This website has been seized”** and “**This domain has been seized by the Federal Bureau of Investigation”** instead of download links.

The full list of seized websites includes the following:

*   Nswdl.com
*   Nsw2u.com
*   Ps4pkg.com
*   Ps4pkg.net
*   Mgnetu.com
*   Game-2u.com
*   Bigngame.com

According to the FBI’s press release, from late February through May, an estimated 3.2 million illegal downloads took place through just one of the main services connected to these sites. The financial impact stands at roughly $170 million in losses to publishers and developers.

Screenshot from the now-seized and popular Game-2u.com (Image credit: Hackread.com)

The agency further revealed that for more than four years, these networks distributed early copies of some of the most anticipated games, often days or weeks before their official launch.

The FBI’s move to seize the sites’ domains cuts off access to vast libraries of pirated content and removes infrastructure that supported further distribution. The operation involved support from the Dutch FIOD agency (Fiscal Information and Investigation Service).

Game studios have always complained that leaks hurt their sales, drain the hard work of developers and ruin the excitement they build before a big launch. The FBI says grabbing these early copies for free doesn’t just hit big companies but also affects the people who spend years making the games in the first place.

While the domains are now in government hands, the global fight against online piracy will continue. The people behind these sites could face prosecution once investigators finish their work. For now, some of the internet’s busiest sources for leaked games have gone down, cutting off millions of downloads in the process.

FBI Seizes Major Sites Sharing Unreleased and Pirated Video Games

A new SafetyDetectives study reveals the surprising extent of Google tracking across the web in the US, UK, Switzerland, and Sweden. Discover how Google Analytics, AdSense, and YouTube embeds collect your data, even when using DuckDuckGo.

Google and its tracking of user activity is nothing now but a recent study by SafetyDetectives, conducted across the US, UK, Switzerland, and Sweden, reveals the pervasive nature of Google’s tracking mechanisms across the internet.

The research, shared with Hackread.com, indicates that while privacy-focused search engines like DuckDuckGo can reduce exposure, completely escaping Google’s reach remains a significant challenge. The study simulated locations using a virtual machine and VPN to ensure accurate regional data collection.

The findings reveal that Google’s tracking extends far beyond its own products, embedded deeply within countless websites through tools like Google Analytics, AdSense, and YouTube embeds. This data helps Google build detailed user profiles for targeted advertising and personalisation, the researchers claim.

Source: SafetyDetectives

****Google’s Deep Reach and Content-Specific Tracking****

The study highlights that Google tracking can be reduced by 50% with DuckDuckGo, particularly in countries with stronger privacy regulations like Switzerland and Sweden. For instance, Google Analytics, a tool for website traffic analysis, appeared on only 14%–17% of DuckDuckGo visits in these privacy-focused nations, a notable drop from 45%–53% when using Google Search.

However, the report also found that in the US, over 40% of pages still sent data to Google even when DuckDuckGo was used. In the UK, a slight improvement was observed, with tracking dropping from 47% on Google to 29% with DuckDuckGo. Google Analytics, described as “everywhere,” was detected in one in five DuckDuckGo sessions across all four countries.

The research also pinpointed specific content categories where Google tracking is more prevalent. Such as YouTube and product-related searches consistently triggered a higher likelihood of Google tracking, regardless of the search engine used.

Conversely, visits to platforms like Wikipedia and TikTok showed minimal to no Google tracking. This suggests that the type of content accessed plays a crucial role in the extent of data collection by Google.

****Geographic Differences and Tracker Types****

The study emphasises that location significantly influences the degree of Google tracking. In the US, Google trackers were nearly unavoidable, often present on 100% of websites visited in some tests, even when a privacy-focused alternative like DuckDuckGo was employed.

This was primarily due to embedded analytics and ads on news and commercial sites. In contrast, Sweden and Switzerland demonstrated fewer instances of tracking, with DuckDuckGo proving more effective in blocking trackers, especially on news articles and Wikipedia.

Source: SafetyDetectives

Google Analytics emerged as the most widely used tracker across all four countries, appearing on nearly 50% of visited sites, reflecting its deep integration into web infrastructure. Other prominent trackers included Google Services (APIs, Maps, Fonts, Gtag), which are general services integrating Google’s infrastructure. Their integration was particularly high in Sweden and the US.

DoubleClick, an ad tracking service, appeared more frequently in Switzerland, while YouTube embeds, allowing videos to be played on other sites, showed higher usage in the US and UK compared to Sweden or Switzerland.

This comprehensive data highlights that even with privacy regulations like GDPR, Google’s embedded services continue to collect user data, making a complete escape difficult for the average internet user.

New Study Shows Google Tracking Persists Even With Privacy Tools

14 arrested in major HMRC phishing scam raids across UK & Romania. Learn about the multi-million-pound tax fraud operation.

A major international operation has led to the arrest of 14 individuals suspected of involvement in a large-scale phishing attack that defrauded UK taxpayers of an estimated £47 million.

The arrests, primarily in Romania, were the result of a joint effort between criminal investigators from HMRC (Her Majesty’s Revenue and Customs), the UK’s tax authority, and over 100 Romanian police officers.

****Operation Details****

The coordinated raids across Romania led to the detention of 13 people, both men and women, aged between 23 and 53. Separately, a 38-year-old man was arrested in Preston, UK, in connection with the same cybercrime network.

Authorities seized luxury cars and significant amounts of cash during the operations. Those arrested face charges including computer fraud, money laundering, and illegally accessing computer systems.

This action follows earlier arrests in November in Bucharest, where two men, aged 27 and 36, were detained for similar cybercrime and fraud offences. The Romanian authorities have also released a video showcasing the police raids.

The criminal gangs behind the scam used phishing, which involves tricking individuals into revealing their personal information. This stolen data was then used to submit fraudulent claims for tax repayments, including PAYE (Pay As You Earn), VAT (Value Added Tax), and Child Benefit payments, effectively creating new online tax accounts in victims’ names.

****The Cost and Controversy****

The scale of the fraud, which saw over 100,000 taxpayer accounts compromised, has drawn significant attention. The incident became particularly controversial when HMRC’s new chief executive, John-Paul Marks, and his deputy appeared before the Treasury Committee without disclosing details of the breach. Dame Meg Hillier DBE MP, Chair of the Treasury Committee, later sent a letter to HMRC, stating that their failure to report the incident was “unacceptable.”

****Urgent Warning Issued****

Following the arrests, HMRC has issued an urgent warning to the public about tax fraud. Simon Grunwell, Operational Lead in HMRC’s Fraud Investigation Service, emphasised the importance of international cooperation in combating tax crime. He confirmed ongoing investigations and thanked Romanian partners for their support. HMRC stated they have already taken steps to protect customers whose accounts were targeted.

“Phishing is often seen as a low-level threat, because attacks are easy to execute and require no real computing skill; however, the attacks are rife and very successful. Almost every breach today has a human element and it is vital the security industry and government work harder to thwart this threat,” said William Wright, CEO of Closed Door Security.

“Tax scams are one of the biggest risks to citizens in the UK as criminals are adopting tactics to make them highly convincing, often using a mix of emails, post and SMS to send out fraudulent comms,” warned William.

William further warned taxpayers to be cautious of text and phishing messages that ask for their personal or organisational information while pretending to be HMRC. He also stressed the importance of social precautions when filing taxes, especially around deadlines like the self-assessment in January.

14 Arrested in Romania for £47 Million UK Tax Phishing Scam

Disclosure: The information in this article highlights Elsner’s Magento development offerings and related solutions.

Imagine slashing shipping costs by 30% while speeding up deliveries, and watching 4-star reviews roll in. That is the power of Magento 2 shipping automation. It is reshaping how stores handle logistics and how customers experience fulfillment.

For store owners, shipping can be a mess. Too many carriers. Too many zones. Too much manual work. Delays hurt satisfaction. Errors kill trust. And rising shipping fees? They crush margins.

**_Did you know that over 56% of cart abandonments happen due to unexpected shipping costs? That is not just lost revenue, it is lost growth._**

Magento 2 automation fixes this. It connects carriers instantly. It prints labels on its own. It keeps customers updated, without requiring your team to do a thing. You save time. Costs drop. Buyers stay happy. No chaos. No guesswork. Just smart, scalable shipping. This post explores how Magento development services, backed by industry leaders like Elsner, help you unlock that transformation without burning through time or budget.

****Why Automate Shipping in Magento 2?****

Manual carrier selection and rate comparison eat time and cash. Errors happen. And if you cannot show live prices at checkout? You risk abandoned carts. This way, adopting shipping automation:

*   Reduces manual order handling by 40‑60%
*   Enables real‑time carrier rate quotes for transparency
*   Gives you multi‑carrier flexibility, FedEx, UPS, USPS, DHL
*   Integrates returns/refunds directly into your backend
*   Empowers smarter fulfilment decisions: pick‑ups, drop‑offs, regional warehouses

Elsner, a Magento 2 development company, configures dynamic rate logic, labels, and notifications to help merchants stay lean and maintain their margins intact.

****The Elsner Edge: Magento 2 Shipping Automation Approach****

**Step**

**What Elsner Does**

**Your Benefit**

**1\. Discovery**

Assess current logistics, carriers, and volumes

Pinpoint bottlenecks & overspent services

**2\. Carrier Setup**

Connect FedEx, USPS, UPS, DHL, live rates

Offer the best rates & options at checkout

**3\. Custom Logic**

Automate carrier/packaging rules

Maximize profit per order

**4\. Label & Tracking**

Print labels, auto‑email tracking info

Save payroll & delight customers

**5\. Returns Flow**

Generate return labels, dashboards

Simplify reverse logistics

**6\. Testing + Training**

QA in staging, train your team

Smooth go‑live, zero confusion

When you hire dedicated Magento developers from Elsner, they enforce best practices in coding, performance, and security.

****Key Shipping Automation Features Worth Deploying****

These features do not just make shipping easier; they turn it into a competitive edge.

****Real-Time Shipping Rate Quotes****

Show live shipping rates at checkout. No estimates. No surprises. Your customer sees accurate pricing based on their address and selected items. This builds trust and reduces cart abandonment instantly.

****Auto Label Printing****

Let your system handle the paperwork. Once an order is placed, the correct shipping label is automatically generated. Your team does not need to click anything. This saves time and reduces the likelihood of human errors.

****Split Shipment Support****

Not everything comes from the same warehouse. Split shipping ensures that items from different locations are shipped simultaneously. Customers receive packages faster. Inventory stays organised across channels.

****Free Shipping Thresholds****

Offer free shipping, but on your terms. Set rules like “Free shipping over $50” and let the system manage it. No need to manually apply coupons or check eligibility. It just works.

****Smart Packing Logic****

Why ship a small item in a giant box? Packing logic calculates dimensions, weight, and box types. This reduces waste. It also cuts costs on shipping and packaging materials.

****Shipping API Plug-ins****

Connect with top carriers like FedEx, UPS, DHL, and USPS. APIs let your store pull real-time data from these services. This includes rates, transit times, and shipping options.

****Tracking Updates****

Customers want updates. Automation sends real-time tracking links via email or SMS. No one on your team needs to copy-paste or follow up manually. Everyone stays in the loop.

****Return Portal Integration****

Make returns easier for everyone. Add a self-service return portal to your store. Customers download pre-paid labels. You manage returns without emails or support tickets piling up.

Each feature adds a direct benefit to both store owners and customers. These are not just conveniences; they are cost-saving, time-saving essentials when scaling with Magento 2. As a Magento B2B agency, Elsner stands out by building modular features that enable agile and scalable custom Magento E-commerce development.

****How Does This Cut Costs & Boost CX?********Staff Time Saved****

Manual shipping takes time. Clicking through orders. Printing labels. Copy-pasting tracking links. All of it adds up. Shipping automation removes most of these steps. You reclaim hours every day. Labour costs drop. Staff focus shifts to value-driven tasks.

****Lower Shipping Fees****

Not all carriers charge the same. Smart automation tools compare shipping rates in real time. They choose the most affordable shipping method. No guesswork. No overpaying. You save on every package.

****Reduced Errors****

Wrong labels mean delayed packages. Or lost inventory. Or angry customers. Auto-generated labels fix this. The system pulls the right info every time. Accuracy jumps. Mis-shipments go down. Reputation goes up.

****Fewer Cart Abandons****

Customers love clarity. Show them exact shipping rates and delivery estimates at checkout. No surprises. This builds confidence. And when buyers feel informed, they check out faster. Abandonment rates drop noticeably.

****Less Return Stress****

Returns do not need to be a headache. Self-service portals handle it. Customers generate return labels on their own. No back-and-forth, long email chains.  No confusion. It simplifies life for both your team and your buyers.

****Analytics Perks****

Know which carrier delivers fastest. Automation tools come with built-in dashboards. Get detailed analytics and make decisions that support the growth of your business. The track failed deliveries or late shipments. Better data leads to better shipping decisions. That is a long-term win.

All these gains are powered by structured Magento enterprise development. When paired with strategic Magento website development services, your store becomes faster, leaner, and far more customer-focused. The outcome? Lower costs. Better experiences. And ROI keeps climbing.

****Migrating from Magento 1? They’ve Got You Covered****

Elsner often helps merchants with Magento 1 to Magento 2 migration. Here’s how shipping automates post‑migration:

*   Port shipping rules, carrier integrations, and custom logic
*   Rebuild checkout flow to support automation
*   Train staff on new shipping toolsets
*   Validate shipping data using Magento migration service best practices

Elsner’s data migration from Magento 1 to 2 experts makes sure shipping history, customer addresses, and tracking numbers get migrated correctly without any loss of data..

****Hiring the Right Expert: Why Elsner Stands Out?****

You could hire Magento programmers on a freelance basis, but here is what you get with Elsner:

*   Certified Magento team with access to full Magento 2 development services
*   Formal QA, version control, UI/UX testing
*   Clear SLAs and support packages
*   Ownership of delivered code and documentation

Need to hire certified Magento developers? You get seasoned pros who follow Magento’s coding standards. Plus, Elsner’s background as a Magento E‑commerce agency spans from startups to enterprise-level operations.

****Post‑Implementation: Measuring Success****

After Elsner deploys shipping automation, use these KPIs to measure improvement:

*   **Fulfilment time** (hrs/order) – target: < 1 hour
*   **Shipping cost/order** – target: –15‑30% YOY
*   **Order accuracy** – target: 99‑100%
*   **Cart abandonment (shipping step)** – target: < 5%
*   **Return requests** – target: lower than industry avg

With their Magento migration service, Elsner ensures a smooth transition while preserving key shipping configurations, so businesses can track and optimise performance from day one.

****Wrapping Up****

Cutting costs and enhancing customer experience might sound like conflicting goals, but with Magento 2 shipping automation, you can do both. Elsner’s Magento development services and seasoned experts make it happen seamlessly. From live shipping rates at checkout to auto‑generated labels and integrated returns, you deliver an elevated experience while trimming logistics spending.

If you want to hire dedicated Magento developers who build shipping systems tailored to your store, look no further. Ready to make shipping your competitive advantage?

Magento 2 Shipping Automation: Cut Costs While Enhancing Customer Experience

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability…

Major security flaw in McDonald’s AI hiring tool McHire exposed 64M job applications. Discover how an IDOR vulnerability and weak default credentials led to a massive leak of personal data and the swift remediation by Paradox.ai.

A vulnerability in McHire, the AI-powered recruitment platform used by a vast majority of McDonald’s franchisees, exposed the personal information of over 64 million job applicants. The vulnerability, discovered by security researchers Ian Carroll and Sam Curry, allowed unauthorised access to sensitive data, including names, email addresses, phone numbers, and home addresses.

The investigation began after reports surfaced on Reddit about the McHire chatbot, named Olivia and developed by Paradox.ai, giving strange responses. Researchers quickly found two critical weaknesses. First, the administration login for restaurant owners on McHire accepted easily guessable default credentials: “123456” for both username and password. This simple entry granted them administrator access to a test restaurant account within the system.

Source: Reddit

The second, and more serious, issue was an Insecure Direct Object Reference (IDOR) on an internal API. An IDOR means that by simply changing a number in a web address (in this case, a lead\_id tied to applicant chats), anyone with a McHire account could access confidential information from other applicants’ chat interactions.

According to their blog post, researchers noted that this allowed them to view details from millions of job applications, including unmasked contact information and even authentication tokens that could be used to log in as the applicants themselves and see their raw chat messages.

Source: Ian Carroll

The McHire platform, accessible via https://jobs.mchire.com/, guides job seekers through an automated process, including a personality test from Traitify.com. Applicants interact with Olivia, providing their contact details and shift preferences.

It was while observing a test application from the restaurant owner’s side that the researchers stumbled upon the vulnerable API. They noticed a request to fetch candidate information, PUT /api/lead/cem-xhr, which used a lead_id that could be altered to view other applicants’ data.

Upon realising the vast scale of the potential data exposure, the researchers immediately initiated disclosure procedures. They contacted Paradox.ai and McDonald’s on June 30, 2025, at 5:46 PM ET.

McDonald’s acknowledged the report shortly after, and by June 30, 2025, at 7:31 PM ET, the default administrative credentials were no longer functional. Paradox.ai confirmed that the issues had been fully resolved by July 1, 2025, at 10:18 PM ET. Both companies have stated their commitment to data security following the swift remediation of this critical vulnerability.

“This incident is a reminder that when companies rush to deploy AI in customer-facing workflows without proper oversight, they expose themselves and millions of users to unnecessary risk,” said Kobi Nissan, Co-Founder & CEO at MineOS, a global data privacy management firm.

“The issue here isn’t the AI itself, but the lack of basic security hygiene and governance around it. Any AI system that collects or processes personal data must be subject to the same privacy, security, and access controls as core business systems,” explained Kobi.

“That means authentication, auditability, and integration into broader risk workflows, not siloed deployments that fly under the radar. As adoption accelerates, businesses need to treat AI not as a novelty but as a regulated asset and implement frameworks that ensure accountability from the start,” he advised.

McDonald’s AI Hiring Tool McHire Leaked Data of 64 Million Job Seekers

Four suspects arrested by the NCA in April/May 2025 cyberattacks on M&S, Co-op, and Harrods. Learn about the social engineering, ransomware disruption, and estimated £300M impact on M&S.

In a major development, the UK’s National Crime Agency (NCA) has announced the arrest of four individuals in connection with a series of cyberattacks that impacted major UK retailers Marks & Spencer (M&S), Co-op Group, and Harrods in April and May 2025. These arrests mark a crucial step in an ongoing investigation that remains a top priority for the agency.

****The Attacks and Their Impact****

The cyber criminals gained access to the retailers’ computer systems through aggressive social engineering tactics, which involve manipulating individuals to gain confidential information or access. This likely involved exploiting a common third-party supplier. The attacks caused considerable disruption, particularly for M&S, which saw its online shopping suspended and food deliveries affected. Even nearly three months later, M&S has not fully recovered, with its chairman, Archie Norman, estimating a cost of £300 million in lost profits due to the incident.

M&S customers were also instructed to change their account passwords following a significant data theft. The company expects its operations to be affected until late July, with some IT systems not fully operational until October or November.

While Co-op and Harrods also faced intrusions, they proved more resilient, and the impact on their operations was less severe. Co-op had to disconnect some IT systems, and Harrods also shut off systems to mitigate damage. The attacks involved malicious software, or ransomware, which scrambles data and demands payment for its release.

****Suspects Apprehended****

The four individuals, as per the NCA’s press release, including two men aged 19, a 17-year-old male, and a 20-year-old woman, were apprehended early on Thursday morning, July 10, 2025, at their homes across London, Staffordshire, and the West Midlands. One of the 19-year-old men is from Latvia, while the others are British nationals.

They are suspected of multiple offences under the Computer Misuse Act of 1990, a law that criminalises unauthorised access to computer material, as well as blackmail, money laundering, and participating in the activities of an organised crime group. Electronic devices have been seized from their properties for detailed forensic examination.

The NCA’s operation received support from the West Midlands Regional Organised Crime Unit (ROCU) and the East Midlands Special Operations Unit. Paul Foster, Deputy Director of the NCA’s National Cyber Crime Unit, praised the swift progress, stating that “Today’s arrests are a significant step in that investigation.”

He emphasised that the collaboration with affected organisations like M&S, Co-op, and Harrods was vital to the investigation’s success, highlighting the importance of businesses engaging with law enforcement after cyber incidents. The investigation continues with international partners to bring all responsible parties to justice.

UK Arrests Woman and Three Men for Cyberattacks on M&S Co-op and Harrods

Cybersecurity researcher Jeremiah Fowler uncovered a massive 286GB data exposure at Texas-based Rockerbox, a tax credit consultancy. Exposed data includes SSNs, DD214s, and financial details, raising serious identity theft and fraud concerns.

A data exposure has come to light at Rockerbox, a tax credit consultancy based in Texas, USA. Cybersecurity researcher Jeremiah Fowler recently uncovered a non-password-protected database highlighting a significant security lapse, the findings of which were reported by vpnMentor and shared with HackRead.com.

Rockerbox, identified as a tax credit consulting company, helps businesses across the United States identify and manage employer-focused tax incentives through programs like the Work Opportunity Tax Credit (WOTC), Employee Retention Tax Credit (ERTC), R&D credits, and Empowerment Zone credits.

****Scope of Compromised Data****

The exposure involved an alarming 245,949 records, totalling 286.9 GB of data. This extensive dataset comprised various forms of personally identifiable information (PII), including full names, dates of birth (DOB), Social Security Numbers (SSN), and physical addresses.

For your information, PII is information that can identify an individual, directly or indirectly, while SSN is a unique nine-digit identifier used for tracking earnings and for various governmental purposes in the US.

Screenshots of identification documents (Source: vpnMentor)

According to Fowler’s report, the exposed records also contained sensitive identification documents such as driver’s licenses and DD214 forms, which are Certificates of Release or Discharge from Active Duty issued by the US Department of Defence, serving as official documentation of a veteran’s military service.

Furthermore, a wide array of employment and tax-related materials were compromised. This included applications for tax credit programs, alongside official acceptance or denial letters, often containing intricate financial and personal details. While some files were access-denied, many documents were readily available to anyone with internet access.

Even certain password-protected PDF files had their filenames exposed, revealing PII like employer and applicant names. Fowler highlighted a theoretical risk that numeric parts of these filenames could contain passwords, advising against embedding such data.

****Potential Risks for Affected Individuals****

Rockerbox, known for aiding businesses across the US with tax incentives in sectors like restaurant and hospitality, healthcare, manufacturing, food processing, and skilled trades, now faces scrutiny over its data handling. The comprehensive exposure creates significant potential for targeted phishing attacks, identity theft, and financial fraud, as malicious actors could leverage this deep well of personal and financial information for illicit gain.

Fowler immediately notified Rockerbox, and the database was subsequently secured and restricted from public access several days later. However, no reply to his responsible disclosure notice was received. Also, it remains unknown if the database was directly managed by Rockerbox or a third-party contractor, how long it was exposed before discovery, or if other unauthorised parties gained access.

“For companies and organizations that collect and store potentially sensitive personal data in cloud storage repositories, it is important to implement the proper security measures to protect that information. This starts with access controls and limiting who (from both inside and outside of the organization) can see and manipulate which pieces of information,” Fowler concluded.

Server with Rockerbox Tax Firm Data Exposed 286GB of Records

A Chinese state-sponsored hacker, Xu Zewei, 33, has been arrested for his alleged role in the widespread HAFNIUM cyber attacks and theft of COVID-19 research. Learn about the charges and China's Ministry of State Security involvement.

In a significant development in international cybercrime efforts, Xu Zewei, a 33-year-old Chinese national, was apprehended in Milan, Italy, on July 3, 2025. The arrest was made at the request of the United States, where Xu faces serious charges related to widespread computer intrusions.

Xu, alongside his co-defendant Zhang Yu, 44, is named in a nine-count indictment unsealed in the Southern District of Texas. The charges stem from their alleged involvement in cyberattacks carried out between February 2020 and June 2021. These intrusions include the notorious HAFNIUM (aka Silk Typhoon) campaign, which compromised thousands of computers globally, including many within the United States.

According to the US Department of Justice’s July 8 press release, Xu Zewei was directed in his hacking activities by officers from China’s Ministry of State Security (MSS), specifically its Shanghai State Security Bureau (SSSB). It must be noted that MSS and SSSB are intelligence agencies responsible for China’s domestic counterintelligence, non-military foreign intelligence, and aspects of its internal security.

Xu was allegedly employed by Shanghai Powerock Network Co. Ltd. (Powerock), a company identified as one of many “enabling” entities that conduct hacking operations for the Chinese government.

“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” stated Assistant Attorney General John A. Eisenberg. US Attorney Nicholas Ganjei for the Southern District of Texas added that Xu was allegedly “hacking and stealing crucial COVID-19 research at the behest of the Chinese government.”

****Targeting Vital Research and Global Systems****

The indictment (PDF) details how Xu and his co-conspirators targeted US-based universities, immunologists, and virologists involved in COVID-19 vaccine, treatment, and testing research in early 2020. Xu reportedly confirmed compromising a research university in the Southern District of Texas in February 2020 and was directed to access specific email accounts of researchers.

Later, in late 2020, Xu and his associates exploited vulnerabilities in Microsoft Exchange Server, a widely used email product. This exploitation was central to the HAFNIUM campaign, a large-scale intrusion that became public in March 2021 when Microsoft disclosed it.

“Through HAFNIUM, the CCP targeted over 60,000 US entities, successfully victimizing more than 12,700 in order to steal sensitive information,” noted Assistant Director Brett Leatherman of the FBI’s Cyber Division.

Victims of the HAFNIUM campaign included another university in Texas and a global law firm, where information related to US policymakers and government agencies was sought. Xu faces multiple charges, including conspiracy to commit wire fraud, wire fraud, conspiracy to cause damage to protected computers, and aggravated identity theft.

These charges carry significant penalties, with some counts carrying a maximum of 20 years in prison. Xu is currently awaiting extradition to the US whereas his co-defendant, Zhang Yu, remains at large.