A hacker using the alias 888 is claiming responsibility for a major data breach affecting the European Space…

A hacker using the alias 888 is claiming responsibility for a major data breach affecting the **European Space Agency** (ESA), alleging theft of more than 200 GB of internal data. The claim surfaced on DarkForums, where the actor states the attack occurred on 18 December 2025 and resulted in the full exfiltration of private development and documentation assets.

The material advertised for sale is described as a one-time package, with payment requested exclusively in Monero (**XMR**). According to the post, the data includes private Bitbucket repositories, internal documentation, infrastructure definitions, and sensitive credentials.

888’s post on DarkForums (Image credit: Hackread.com)

****Sample Screenshots Analysed****

Screenshots shared by the hacker show what appears to be internal ESA-related environments. One image shows a build.properties.dev configuration file referencing PSA ingestion workflows, internal hosts ending in esa.int, SMTP settings, and database connection details.

Several fields are redacted in the screenshots, though directory paths and variable naming conventions are visible. The presence of hardcoded server references and environment-specific parameters suggests material taken directly from development or integration systems.

Another screenshot displays internal technical documentation marked as proprietary and confidential, including documents carrying Thales Alenia Space internal notices and Airbus Defence and Space branding.

These files include spacecraft reference frames, subsystem descriptions, and detailed engineering diagrams typically restricted to partners and internal teams. The documents appear formatted as official deliverables with reference numbers, issue dates, and page counts.

Additional images show what looks like an internal project management and development tooling. A **Jira** instance lists structured subsystem requirements for the Security Operations Centre (**SOC**) and Operations Control and Command System (OCCS) components, covering data reception, validation, orchestration, job execution, and non-functional requirements. The hierarchy and naming conventions indicate active operational or development programs rather than archival material.

A separate screenshot shows a **Bitbucket** project view containing numerous repositories tied to deployment pipelines, Docker images, orchestration services, monitoring components, and data processing chains.

Repository names reference **CI/CD pipelines**, packaging systems, gateway services, and core framework images. This aligns with the actor’s claim of access to source code, automation workflows, and infrastructure logic.

Sample screenshots shared by 888 (Image credit: Hackread.com)

****Big If True****

If authentic, the exposure described would carry serious implications. Source code, CI/CD pipelines, API tokens, access credentials, Terraform definitions, and SQL files together represent a complete attack surface map. Such material could enable follow-on breaches, **supply chain abuse**, or long-term espionage targeting ESA programs and partner organisations.

At the time of writing, the **European Space Agency** has not issued a public statement confirming or denying the breach. The authenticity of the dataset has not been independently verified, though the screenshots show a level of internal detail that would be difficult to fabricate without real access. Hackread.com has reached out to the ESA, and this story will be updated accordingly.

****888 and Previous Breaches****

The alias 888 has surfaced in multiple high-profile incidents prior to the alleged ESA breach. One such case involved **Samsung Medison**, where the attacker claimed access to sensitive data through a compromised third-party service.

The breach exposed internal and customer related information rather than Samsung Medison’s core infrastructure, pointing to an attack path that relied on weaker external dependencies. The entire stolen data was later leaked online.

In a separate breach attributed to the same alias, data belonging to **Microsoft and Nokia employees was leaked** online. The exposed material included internal contact details and corporate information.

Hacker Claims European Space Agency Breach, Selling 200GB of Data

On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of…

On December 2, 2025, Hackread.com exclusively reported that the Everest ransomware group claimed to have stolen 1TB of sensitive ASUS data, including information related to the company’s AI models, memory dumps, and calibration files. ASUS later confirmed the report and acknowledged the breach, attributing it to a third-party vendor.

Everest has now leaked the entire dataset online. The release followed the group’s claim that ASUS failed to meet the deadline to initiate contact. Notably, the ransomware gang had given the tech giant 24 hours to respond, following its usual approach of demanding a ransom.

Dark web leak site of the Everest ransomware showing the ASUS leak (Image credit: Hackread.com)

As noted by Hackread.com, the leaked data is now circulating on various Russian-language cybercrime forums, including Exploit and DamageLib (formerly and now seized XSS.IS). According to the hackers, the 1TB dump contains nine files, some of which appear to be from ArcSoft and Qualcomm. However, Hackread.com did not download or analyze the leaked material.

The leaked ASUS data (Image credit: Hackread.com)

This latest leak is part of a series of breaches recently carried out by the Everest ransomware group. Over Christmas, the Russia-linked gang claimed to have breached Chrysler, the American automaker, stating it had stolen 1TB of data. The group described it as a complete database tied to Chrysler operations, along with more than 105GB of Salesforce-related information.

In November 2025, the ransomware group claimed responsibility for breaching Under Armour, stealing 343GB of data, which it later leaked online. The company is now facing multiple lawsuits as a result of the breach. Additional breaches, leaks, and claims by the Everest ransomware group can be found here.

Everest’s latest leak adds to a growing list of big-name targets, and the group shows no signs of slowing down. For ASUS and other companies hit in recent months, the focus should be figuring out exactly what was exposed and increasing their security before it happens again.

Everest Ransomware Leaks 1TB of Stolen ASUS Data

Can you trust your cybersecurity team? A recent federal case reveals how two US-based cybersecurity experts turned into affiliates for the BlackCat ransomware group, extorting over $1.2M in Bitcoin. Read the full story on their 2023 crime spree.

Two Americans who built their careers protecting companies from online threats have admitted to doing the exact opposite. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty in a Florida federal court this week after they were caught using their professional skills to carry out a string of extortion attacks for the ALPHV (aka BlackCat) ransomware gang throughout 2023.

****Millions in Ransom Collected****

In December 2023, the FBI disrupted the ALPHV ransomware gang. Investigations revealed that Goldberg and Martin operated as “affiliates” for the group. This group uses a ransomware-as-a-service (RaaS) model, where the BlackCat developers provided the malicious software and the platform, while the affiliates (in this case, Goldberg and Martin) identified and attacked the victims.

In exchange, they paid the BlackCat administrators a 20% cut of any money they stole. While these two men focused on targets within the US, the ALPHV BlackCat group was a global menace, hitting over 1,000 victims worldwide, the US Department of Justice’s press release noted.

The scheme proved to be highly lucrative; the group successfully attacked multiple victims across the US. In one of their most profitable hits, the men successfully extorted approximately $1.2 million in Bitcoin from a single company.

After paying the 20% fee to the software creators, the men split the remaining 80% and used various methods to launder the money to hide their tracks. According to court records, the total losses caused by their crimes exceeded $9.5 million.

The seized dark web leak site of the ALPHV Ransomware gang (Screenshot credit: Hackread.com)

****A Betrayal of Trust****

What makes this story hard to believe is that while the pair was attacking businesses, they were also working day jobs at elite firms dedicated to stopping cybercrime. Goldberg was a manager at Sygnia, a firm that helps companies recover after hacking, and Martin worked as a negotiator at DigitalMint, helping victims talk down extortionists.

This means they had insider knowledge of how companies defend themselves, which they used to bypass security. As Assistant Attorney General A. Tysen Duva pointed out that the pair used their experience to carry out crimes “they should have been working to stop.”

The FBI’s Miami Field Office led the probe that eventually brought the operation to an end, and Goldberg and Martin are now facing the long-term reality of their choices. Each has pleaded guilty to conspiracy to affect commerce by extortion. They are currently scheduled for sentencing on March 12, 2026, and face a maximum penalty of 20 years in prison.

2 US Cybersecurity Experts Guilty of Extortion Scheme for ALPHV Ransomware

Korean Air confirms a major data leak affecting 30,000 staff members after the Cl0p gang targeted a catering partner. Learn what data was stolen and the airline’s response to secure its data.

In a worrying turn of events for the aviation industry, Korean Air has confirmed that the personal details of roughly 30,000 current and former employees have been stolen. This news, shared on December 29, 2025, follows a similar security problem at South Korea’s Asiana Airlines earlier this month, where 10,000 staff records were compromised.

****How did the breach happen?****

Korea JoongAng Daily reports that the data was not taken directly from Korean Air’s main systems. Instead, the hackers targeted a company called KC&D Service (Korean Air Catering & Duty-Free).

This company used to be a division of Korean Air but was sold to a private investment group named Hahn & Company in 2020. Despite the sale, KC&D still handles in-flight meals and duty-free goods for the airline, and Korean Air still holds a 20% stake in the business.

“KC&D Service (KC&D)\*, an in-flight meal and in-flight sales company that was spun off from our company in 2020 and operates as a separate entity, was recently attacked by an external hacker group. It is understood that during this process, the personal information (names, account numbers) of our employees stored on that company’s ERP server was leaked,” the notice reads.

Official breach notice from Korean Air (source: Korea JoongAng Daily)

The attackers, reportedly, broke into KC&D’s ERP server (the main system used to manage company resources), likely by exploiting a vulnerability in a popular business software called Oracle E-Business Suite (EBS).

This specific vulnerability, tracked as CVE-2025-61882, may have allowed hackers to bypass security checks and take control of the server without needing a username or password. The same vulnerability had previously allowed attackers to breach Envoy Air, the largest carrier operating under American Airlines.

****Who is Responsible?****

This suspicion arises because the infamous digital extortionist group known as the Cl0p gang has claimed responsibility for this data breach. Hackread.com’s recent reporting reveals that Cl0p, a Russian-speaking gang famous for targeting high-value organisations, has been exploiting this Oracle software flaw since early August.

Korean Air is just one of its many victims as Cl0p has used this same method to target organisations worldwide, including Envoy Air (an American Airlines subsidiary), Harvard University, the University of Pennsylvania, The Washington Post, and Logitech.

In this instance, the group has already started posting nearly 500 GB of stolen files on the dark web because the affected companies refused to pay a ransom.

Cl0p ransomware has leaked ALMOST 456 GB of the Korean Air data (Image credit: Hackread.com)

****What information was taken?****

The stolen data, reportedly, includes very sensitive details like employee names and bank account numbers stored in the company’s resource planning system. While this is a major concern for the staff, the airline has been quick to reassure the public that customer data, such as flight bookings or credit card details, was not affected in this specific incident.

Woo Kee-hong, the vice chairman of Korean Air, sent a personal message to his team explaining that the company is taking the matter “very seriously.”

“Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

The airline has already finished emergency security updates and cut off digital links with KC&D to stop any more data from leaking. They have also reported the situation to the Korea Internet and Security Agency (KISA), and is now warning employees to be extremely careful about suspicious text messages or emails that might be part of a follow-up scam.

****South Korea and Recent Data Breaches****

South Korea has been the epicentre of large-scale data breaches and cyber attacks. Earlier in December 2025, Coupang, the country’s alternative shopping giant to Amazon, suffered a data breach in which all of its 33.7 million users had their data stolen. Days later, the company’s offices were raided, and its CEO, Park Dae-jun, had to resign.

In May 2025, South Korean telecommunications giant SK Telecom revealed a malware attack that remained hidden for nearly two years, leading to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data.

30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online

HoneyMyte (Mustang Panda) is back with a new ToneShell backdoor. Read how this stealthy attack blinds Microsoft Defender to target government entities in Asia.

In a major discovery, cybersecurity researchers at Kaspersky Securelist have found a new espionage activity targeting government offices across Southeast and East Asia. The campaign, which likely began in February 2025, uses a rootkit to hide deep inside a computer’s core, making it invisible to standard security tools.

Kaspersky links the attack to a group known as HoneyMyte (aka Bronze President or Mustang Panda). According to their analysis, the hackers are specifically targeting Myanmar and Thailand using a malicious driver file named ProjectConfiguration.sys.

****Bypassing the Digital Guard****

As we know it, most antivirus programs scan for suspicious files on the surface. However, they fail to identify this attack because the driver registers as a mini-filter, a tool that sits deep in the system’s traffic control.

To look legitimate, the hackers used a stolen digital certificate from Guangzhou Kingteller Technology (Serial: 08 01 CC 11 EB 4D 1D 33 1E 3D 54 0C 55 A4 9F 7F), which, although expired in 2015 but still helps the malware bypass internal warnings.

Source: Kaspersky Securelist

To further hide its tracks, the driver uses dynamic resolution, a technique that scrambles its internal code so security software can’t easily understand what it’s doing. Further probing revealed the driver is incredibly stubborn. If an antivirus tries to delete or rename it, the driver simply blocks the action. It even “blinds” Microsoft Defender by tampering with its “altitude” settings. This basically allows the malware to sit “below” the antivirus in the system, intercepting commands before the security software even sees them, the blog post explains.

****The ToneShell Backdoor****

The ultimate goal of this intrusion is to drop a spy tool known as the ToneShell backdoor, which acts as a secret gateway for hackers to steal files, download data, or run remote commands.

A noteworthy finding is that the group registered their control servers (avocadomechanism.com and potherbreference.com) via NameCheap back in September 2024, months before the actual attacks began.

“This is the first time we’ve seen ToneShell delivered through a kernel-mode loader,” researchers noted, explaining that it gives the spy tool a high level of protection from being caught.

During the attack, the driver delivers two payloads: first, it creates a “host” process (svchost) to act as a decoy, and then it injects the ToneShell backdoor into that process. To keep their communication secret, ToneShell uses a Fake TLS trick, mimicking the markers of secure TLS 1.3 traffic.

ToneShell Backdoor Injection Process (Source: Kaspersky Securelist)

Interestingly, most victims were already infected with older HoneyMyte tools like the ToneDisk USB worm or PlugX. Because the malware runs entirely in the computer’s memory and uses shellcodes to protect its own processes, it is very hard to detect. Therefore, Kaspersky researchers recommend deep memory audits and careful monitoring of network traffic to catch these fake connections.

HoneyMyte (aka Mustang Panda) Deploys ToneShell Backdoor in New Attacks

Warning for EmEditor users: A third-party breach tampered with the official download link between Dec 19–22, 2025. Learn how to identify the fake installer and protect your data from infostealer malware.

If you have downloaded the popular writing and coding tool **EmEditor** recently, you might want to double-check your computer. Between December 19 and December 22, 2025, a security breach on the software’s official website caused the main “Download Now” button to serve a fake, malicious installer instead of the real program.

The developer of the tool, Emurasoft, Inc., discovered that a third party managed to mess with the website’s redirect settings. This meant that while users thought they were getting a safe update, they were actually being sent to a different part of the site to download a file that hadn’t been created by the company at all.

**How to Spot the Fake**

According to Emurasoft’s official **notification**, the fake file looks very convincing. It uses the same name (emed64_25.4.3.msi) and is almost the same size as the real one. However, further probing revealed a major giveaway: the Digital Signature. While legitimate files are signed by Emurasoft, Inc., the suspicious version is signed by an organisation called WALSHAM INVESTMENTS LIMITED.

The Chinese research firm Qianxin’s RedDrip Team **investigated** this “infostealer” malware and found that once it gets onto your system, it looks for login details for apps like Slack, Discord, and Steam, and even targets your browser history, VPN settings, and saved passwords. All this is done while the software continues to install the real EmEditor in the background, making it hard to notice that anything is wrong.

Their analysis reveals that this attack specifically targets technical staff and government offices. Beyond just stealing files, the malware takes screenshots of your desktop and targets specialised tools like Evernote, Notion, PuTTY, and WinSCP. It even has a ‘self-destruct’ feature: if it detects the computer is in a former Soviet region or Iran, it will stop running to avoid detection.

Most concerningly, it installs a fraudulent browser extension called ‘Google Drive Caching.’ It allows hackers to remotely control your browser and actually swap out cryptocurrency addresses while you’re making a payment, sending your money straight to the attackers instead.

**Protecting Your Data**

You are likely safe if you updated through the software’s built-in automatic update tool, used the “Portable” version, or downloaded directly from download.emeditor.info. The issue was specifically tied to the main button on the homepage.

However, if you think you grabbed the wrong file, the best thing to do is right-click the installer, go to Properties, and check the Digital Signatures tab. If you see the wrong company name, or if that tab is missing entirely, delete the file and do not run it.

For those who want to be 100% sure, the fingerprint (SHA-256) of the real file should match this: e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e.

For those who have already installed it, experts recommend disconnecting from the web immediately to stop your data from being sent to hackers. You should then run a full virus scan and change any passwords you have stored on that device, especially if you don’t have two-factor authentication enabled. Emurasoft apologised to its customers for the inconvenience caused and will be releasing updates as these emerge.

“We are continuing to investigate the facts and determine the full scope of impact. We will provide updates on this page and/or through our official channels as soon as more information becomes available. We take this incident very seriously and will implement necessary measures to identify the cause and prevent recurrence. We sincerely apologise again for the inconvenience and concern this may have caused, and we appreciate your understanding and continued support of EmEditor,” Emurasoft’s notice reads.

EmEditor Homepage Download Button Served Malware for 4 Days

Check Point researchers found a phishing scam abusing Google Cloud to target organisations worldwide. Scammers use official domains to steal logins. Read the full details in this exclusive report.

A recent investigation by researchers at Check Point Harmony Email Security uncovered a clever new phishing scam targeting businesses worldwide. Over the last 14 days, it was found that cybercriminals have been abusing Google’s own automated systems to send out thousands of malicious emails that look 100% official.

****How the Attack works****

According to Check Point’s report, this newly discovered campaign uses a tool called Google Cloud Application Integration. This service is normally used by companies to set up workflow automation, like sending automatic alerts. However, scammers have found a way to use this feature to send emails directly from a legitimate Google address: [email protected].

Because the emails come from a real Google domain, they easily bypass traditional security filters. Probing further, researchers found that the messages usually look like standard office notifications, claiming you have a new voicemail or need to view a “Q4” file. As we know it, such content makes the emails look like “routine enterprise notifications,” which is why so many people trust them.

****A Three-Step Trap****

The scammers use a multi-stage process to steal information.  It begins when a user clicks a link or button pointing to a real Google Cloud page (storage.cloud.google.com). From there, they are sent to a second page (googleusercontent.com) showing a fake CAPTCHA test.

Phishing Email Samples (Source: Check Point)

Researchers noted this is done to block security tools while letting real people through. Finally, the user is sent to a fake Microsoft login page for credential harvesting, which is a simple way of saying the scammers record your password the moment you type it.

****Who is Being Targeted?****

Researchers observed that the campaign is truly global. While 48.6% of the targets were in the United States, there was significant activity in Asia-Pacific (20.7%) and Europe (19.8%). In Latin America, Brazil (41%) and Mexico (26%) saw the most hits within that region. It is worth noting that the manufacturing and technology sectors were the biggest targets, at 19.6% and 18.9% respectively, followed by finance and banking at 14.8%.

In total, 9,394 phishing emails were sent to approximately 3,200 customers in just two weeks. Google has since stated that this “activity stemmed from the abuse of a workflow automation tool, not a compromise of Google’s infrastructure.”

While the company has confirmed these specific campaigns are now blocked, this incident reminds us all to remain cautious of any unexpected links, even when they appear to come from a trusted source.

New Google-Themed Phishing Wave Hits Over 3,000 Global Organisations

Crypto phishing scams surged 83% in 2025, targeting wallets with fake sites, approval tricks, and poisoned addresses. One click can drain your funds.

Crypto phishing has gone from geeky corner-case to full-on global headache. According to a 2025 report by cybersecurity firm Kaspersky, crypto-related phishing detections surged by 83.4% compared to 2023. That means you, your abuela, or your friend’s kid could all be targets. Scammers now cast a wide net because even one click can empty a wallet.

Every time someone logs in or signs a transaction while checking the current cryptocurrency prices, they might be letting down their guard, tempted by volatility. A flurry of price charts, notifications, and hype makes wallets feel urgent. And urgency is a scammer’s best friend. As seen in a recent 2025 summary of crypto-security incidents, about 40.8% of all reported cases were social-engineering scams; technical hacks made up another 33.7%.

****What Crypto Phishing Usually Looks Like********Fake Wallets, Fake Sites****

One of the oldest tricks in the book: a phishing site or app pretending to be a legit wallet or service. Clones of genuine wallets or decentralised-app (dApp) front-ends are among the most common crypto phishing vectors. Once you paste your private key or seed phrase, that wallet is theirs. Game over.

A newer, more insidious version: “approval phishing.” In this scam, a fake dApp or token drop asks you to “approve” what looks like a normal transaction, but that approval actually gives scammers unlimited access to your funds. Researchers recently described this as a major threat to networks like Ethereum.

****Transaction Scams Hidden in Plain Sight****

One of the most interesting findings in crypto security came from a 2024 academic study on “payload-based transaction phishing.” This attack doesn’t rely on fake login pages. Instead, it tricks users into signing a transaction that looks harmless but is actually a malicious smart contract call. Over 300 days of blockchain data revealed 130,637 phishing transactions, causing more than US$341.9 million in losses.

So yeah, even if your wallet UI looks solid, signing a contract without checking what you’re signing off on can be as bad as handing over your seed phrase.

****Address Poisoning – Sending Funds to a Copycat Instead of Your Friend****

This one’s spooky clever. It’s called Blockchain address poisoning. Attackers generate “look-alike” wallet addresses (extra zeros, swapped letters, subtle changes) to masquerade as legitimate recipients. Then they sneak those addresses into your transaction history or chat, so you might copy an address manually and still send funds to the wrong place.

In one study, attackers successfully poisoned addresses, leading to at least US$83.8 million lost across tens of millions of victims. It’s a sobering reminder: even if it’s “your own copy-paste job,” you still need to verify address strings every time.

****Why We Keep Falling For It****

*   **Humans under pressure are terrible at checking details** – A 2024 industry survey reaffirmed that social engineering remains the top threat vector, nearly 41% of incidents, while purely technical attacks made up around a third.
*   **Scammers exploit your haste** – When prices swing fast, or an “amazing new token drop” shows up, impulsivity sets in.
*   **Usability sucks in many wallets** – In a 2025 evaluation of 53 popular Ethereum wallets, only three issued explicit warnings when users tried sending funds to known phishing addresses. That’s a lot of wallets failing basic safety checks.

****A Framework That Works****

Think of it as a simple test before you act, call it the “3-Second Wallet Check”:

1.  **Sender & Domain** – Does the link come from a domain you typed yourself?
2.  **Requested Action** – Are you being asked for a seed phrase, full wallet approval, or maximum allowance?
3.  **Address Accuracy** – Did you type the destination address manually and double-check each character?

If you hesitate at any point, stop. Reassess. Log out. Double-check. Call a friend.

****As Crypto Matures, So Do the Scams****

The recent report from Kaspersky recorded steep rises in mobile banking malware and crypto phishing. Scams are less about fancy hacks nowadays, and more about psychological tricks: cloned sites, fake apps, social pressure, and clever contract-wrapping.

And in that light, the comments from crypto-industry leaders make sense. They remind us that adoption comes with responsibility. Security is not just about encryption or private keys. It’s about habit.

Richard Teng, CEO of Binance. said: “Global adoption often starts with a single domino. Now that crypto is being recognised as a legitimate financial instrument within one of the world’s largest retirement systems, the question is no longer what, but when.” Keep that in mind. As crypto becomes mainstream, scammers will get more creative.

And Nils Andersen‑Röed, Binance’s Global Head of FIU, emphasised the need for proactive collaboration between security teams, regulators, and users. It reinforces that education and caution remain your best armour.

****Trust Your Gut****

Crypto phishing doesn’t require a supercomputer or great technical skills. It thrives on two things: human inattention and urgency. If you treat every unexpected link or any request for seed phrases or broad permissions as a red flag, you’ll dodge 80–90% of common scams. Protect your keys like you protect your wallet. If something feels off, walk away or double-check. Stay sharp, stay sceptical, and treat each click like a paid exam question.

(Photo by Kaptured by Kasia on Unsplash)

How to Spot the Most Common Crypto Phishing Scams

Over 87,000 MongoDB instances are at risk from a critical memory leak called MongoBleed. Following the chaos at Ubisoft, see how this zero-password flaw works and how to protect your data.

Thousands of gamers found themselves locked out of their accounts this week after a major security flaw forced Ubisoft to pull the plug on its hit game, Rainbow Six Siege. For those who don’t follow the gaming world, Siege is a massive tactical shooter game where teams work together to storm or defend buildings. It is a flagship title for Ubisoft, but over the holiday weekend, it became the most visible victim of a newly discovered vulnerability in MongoDB software, dubbed MongoBleed.

> We're aware of an incident currently affecting Rainbow Six Siege. Our teams are working on a resolution.
> 
> We will share further updates once available.
> 
> — Rainbow Six Siege X (@Rainbow6Game) December 27, 2025

****What is happening?****

To put it simply, MongoDB is a popular database software used by thousands of companies to store everything from customer addresses to game progress. The problem, officially tracked as CVE-2025-14847, involves a tool called zlib that MongoDB uses to “shrink” data for faster travel.

A mistake in the code allows an outsider to send a corrupted message that tricks the server into “bleeding” out fragments of its own internal memory. Because this happens before the system even asks for a password, it allows unauthenticated hackers to sneak out sensitive information from anywhere in the world. This leaked memory can expose:

*   Clear-text passwords and login keys.
*   Personal customer information (PII).
*   Security tokens that allow hackers to impersonate real users.

****The Chaos at Ubisoft****

You might wonder how a database vulnerability can shut down a video game. Ubisoft uses MongoDB to store player records, like your rank or the items you’ve unlocked. According to the online malware repository, VX-Underground, different hacker groups have so far used the MongoBleed vulnerability to gain a backdoor into the game’s internal systems.

> Clarification post, previous post about Ubisoft lead to some confusion. That's my fault. I'll be more verbose. I was trying to compress the information into 1 singular post without it exceeding the word limit.
> 
> Here's the word on the internet streets:  
> – THE FIRST GROUP of… pic.twitter.com/crsOxCnMWU
> 
> — vx-underground (@vxunderground) December 27, 2025

Once inside, the hackers went on a spree; they hijacked the ban ticker to show fake messages and unban their friends, unlocked every single cosmetic outfit and item for themselves, and gifted a staggering 2 billion R6 Credits (in-game currency) to players.

> Seems like R6 is completely fucked. It’s unreal how bad.
> 
> Hackers have done the following.
> 
> 1\. Banned + unbanned thousands of people.  
> 2\. Taken over the ban feed can put anything.  
> 3\. Gave everyone 2 billion credits + renown.  
> 4\. Gave everyone every skin including dev skins.
> 
> — KingGeorge (@KingGeorge) December 27, 2025

Ubisoft was forced to take the entire game and its Marketplace offline to stop the bleeding. While they won’t punish players who spent the “free” money, they are currently working to roll back all transactions that happened during the breach.

****Active Attacks in the Wild****

While the flaw was first disclosed on December 19, 2025, the situation turned critical on December 26 when researcher Joe Desimone published the attack blueprint (public exploit code) on GitHub. Since the release, experts at Wiz and Censys have noted a massive spike in attacks. They estimate that 42% of cloud setups are at risk, with over 87,000 databases currently sitting exposed on the internet.

****How to Stay Protected****

While older versions (like 3.6 or 4.2) have no official fix, newer versions have been patched. To stay safe, you must update to versions 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30.

If you cannot update immediately, experts suggest turning off the zlib compression setting in your database as a temporary shield to block attackers.

Image credits: Censys and CyberSecurityNews

Ben Ronallo, Principal Cybersecurity Engineer at Black Duck, a Burlington, Massachusetts-based provider of application security solutions, also commented on the issue, stating, _“_The threat actors were clever; they attacked during the holidays when many companies tend to be less responsive due to employees taking time off. Ubisoft appears to be the highest profile victim at this point._“_

Ronallo also shared steps for security teams to workaround the issue, including:

*   Confirm if you have any internet-facing systems with a vulnerable version of a MongoDB instance attached.
*   If you find any such systems, immediately kick off your incident response efforts to identify any potential compromise and contain the damage.
*   There’s this open-source tool that can be leveraged to analyze MongoDB logs for indicators of compromise.
*   Any vulnerable versions should be patched immediately using official fixes from MongoDB.

Ubisoft Shuts Down Rainbow Six Siege After MongoDB Exploit Hits Players

Researchers reveal CVE-2025-54322, a critical unpatched flaw in XSpeeder networking gear found by AI agents. 70,000 industrial and branch devices are exposed.

Imagine a master key that opens the front door to 70,000 businesses, but the locksmith refuses to fix the vulnerability. This is exactly what’s happening with a security vulnerability found in XSpeeder networking gear. The issue was caught by the research firm pwn.ai, which used its proprietary AI tool, also named pwn.ai, to find the vulnerability before hackers could exploit it.

The vulnerability, tracked as CVE-2025-54322, earned a perfect 10.0 (Critical) score, the highest possible threat rating, because it lets outsiders take total “root” control of a device without needing a password. Root access, as we know it, is the ultimate prize for hackers; it gives them the power to watch traffic, steal data, or shut down systems entirely.

****How the AI Found the Hole****

XSpeeder is a Chinese vendor known for “edge” devices like routers, SD-WAN appliances, and smart TV controllers. Their core software, SXZOS, is used heavily in factories and remote offices.

To find the vulnerability, the pwn.ai tool tasked its “swarm” of AI agents to emulate these devices and hunt for weaknesses. These agents use a custom architecture built on decades of hacking experience to copy a device’s behaviour and scan it for holes.

According to the technical research, which was shared with Hackread.com, the AI targeted a file called vLogin.py. By stuffing malicious code into a data field called the chkid parameter, the tool figured out how to trick the device into running its own commands. Researchers noted this is “the first agent-found, remotely exploitable 0-day” ever made public.

****Seven Months of Silence****

While we often hear about AI being used for malicious purposes, like November 2025’s report from Anthropic about a “highly sophisticated AI-led espionage campaign” by a Chinese state-sponsored group, showing how AI can be a powerful tool for defence, too.

However, for pwn.ai, finding the vulnerability was only half the battle. The team spent over 7 months trying to get XSpeeder to fix the issue, but unfortunately, “no patch or advisory has been issued.”

“We chose it as our first disclosure because, unlike other vendors, we have been unable to get any response from XSpeeder despite more than seven months of outreach. As a result, at the time of publication, this unfortunately remains to be a zero-day vulnerability,” researchers wrote.

It is worth noting that a hacker doesn’t need to be a genius to exploit this; “all the attacker needs to know is the IP of the target,” the blog post revealed.

With no fix in sight and 70,000 systems currently exposed online, the risk to industrial and branch environments is massive. Pwn.ai’s investigation shows that its tool has already found nearly 20 other major vulnerabilities, making it clear that the way we find and fight security vulnerabilities has changed forever.

****Vendors Ignoring Vulnerability Disclosures and Alerts****

While some vendors respond quickly and responsibly to vulnerability reports, others ignore them, downplay the risks, or even lash out at the researchers who report them. A recent example involves Eurostar, the European train service giant, which accused researchers from Pen Test Partners of blackmail after they reported serious flaws in its AI-powered chatbot.

Incidents like this aren’t rare. They’ve happened around the world, which may be why countries like Portugal have started updating their cybercrime laws to protect ethical hackers and researchers from prosecution simply for identifying and reporting security issues

Source

HackRead