XSS.IS has been seized after its admin was arrested in Ukraine, however its dark web and mirror domains only show a 504 Gateway Timeout error.

Earlier this morning, it was **reported** that on 22 July 2025, Ukraine arrested a man suspected of being the administrator of XSS.IS, one of the world’s most notorious and sophisticated cybercrime platforms. The arrest was made with the assistance of Europol and French authorities. Now, as seen by Hackread.com, the forum itself has also been seized.

Visitors to XSS.IS now see a seizure notice stating, “This domain has been seized by la Brigade de Lutte Contre la Cybercriminalité with assistance from the SBU Cyber Department.”

The seizure notice on XSS.IS (Image credit: Hackread.com)

The “SBU Cyber Department” refers to the Cyber Security Department of the Security Service of Ukraine (SBU). La Brigade de Lutte Contre la Cybercriminalité (BL2C) is a branch of the French judicial police that specialises in combating cybercrime.

****XSS.IS Dark Web (.onion) and Clearnet Domains Show 504 Gateway Timeout Error****

At the time of writing, the main domain of the forum displays a seizure notice, while its dark web domain and clearnet mirror (XSS.AS) both return a “504 Gateway Timeout” error. Notably, the Telegram channel linked to the XSS.IS administrator shows no signs of seizure and is marked as “recently seen.” It remains unclear whether authorities have access to these domains or control over the forum’s Telegram account.

The dark web domain of the XSS.IS forum (Image credit: Hackread.com)

****Background of XSS.IS****

The XSS.IS forum was originally launched in 2004 under the name DaMaGeLaB, a well-regarded Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, a prominent forum administrator acquired a backup of the site and relaunched it under the new name XSS, a reference to the web security vulnerability known as **cross-site scripting**.

The name change served two main purposes. First, it distanced the forum from its past associations with law enforcement under the DaMaGeLaB name. Second, it gave the site a more technical and modern image by referencing a vulnerability familiar to its target audience.

Authorities and the cybersecurity community have long suspected that XSS.IS was operated or supported by Russian intelligence agencies, including the Foreign Intelligence Service (SVR), the Federal Security Service (FSB), and the Main Intelligence Directorate (GRU). However, the administrator was found to be in Ukraine. It remains unconfirmed whether the suspect is a Ukrainian or Russian national.

Authorities are analysing the suspect’s electronic devices (Via Europol)

****A Major Blow to Cybercrime****

Although cybercrime forums frequently **appear** and **disappear**, the seizure of XSS.IS marks a significant setback for the global cybercrime community. The forum had more than 50,000 registered users, with membership granted only after a thorough vetting process. In some cases, users were even required to pay a fee to create an account in order to prevent spam.

XSS.IS became a highly prominent and notorious marketplace for **hijacked system access**, malware, stolen credentials, databases, ransomware kits and an encrypted Jabber channel that hackers used to coordinate deals. The forum generated millions of dollars through advertising and facilitation fees.

According to Europol’s **press release**, authorities have also seized user data, which is now being analysed and will be used to track cybercriminals and support ongoing operations against cybercrime both in Europe and globally.

In the end, the message is clear: if you are involved in crime, especially at the scale of running a major cybercrime forum, authorities will eventually catch up. No matter how high-profile the platform may be, it is only a matter of time before it is taken down.

XSS.IS Cybercrime Forum Seized After Admin Arrested in Ukraine

Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.

Ukrainian authorities, with help from French police and Europol, have arrested a person suspected of running one of the largest Russian-language cybercrime hubs out there, XSS.is.

It all started with a long-running investigation that began in mid‑2021 in France. Prosecutors gradually traced encrypted logs and hacker chatter back to an individual living in Ukraine, culminating in their arrest on July 22, 2025.

Press release of the XSS.IS’ suspect admin arrest from the Paris Public Prosecutor’s Office on LinkedIn

XSS.is has been quietly operating since around 2013. The forum became notorious as a central marketplace for hijacked system access, malware, stolen credentials, ransomware kits and an encrypted Jabber channel hackers used to coordinate deals.

You might wonder how the biggest-ever Russian-language cybercrime board ended up with an admin based in Ukraine. The truth is, cybercriminals aren’t bound by borders. Ukraine’s large tech-savvy population and lax oversight may have created ideal conditions for operators like this to manage illicit activities without raising suspicion for years.

Inside XSS.is, users could browse and buy everything from data dumps and remote access trojans to ransomware deployment tools. Its encrypted Jabber server lets members communicate anonymously, making it a go-to platform for organising global cyberattacks.

As of July 2025, XSS.is had been online for over 12 years. That kind of longevity is rare in cybercrime. This arrest highlights how even entrenched networks can be infiltrated with sustained international cooperation.

Current homepage of the XSS.IS forum

****Ex-DaMaGeLaB****

This is not the first time the forum has had its administrator arrested. The forum originally launched in 2004 under the name DaMaGeLaB, a respected Russian-language hacking community. The site was briefly shut down in December 2017 after one of its administrators, Belarusian national Sergey Yarets, known on the forum as “Ar3s,” was arrested.

In late 2018, another prominent forum admin acquired a backup and relaunched it under the new name XSS, referencing the web‑security vulnerability “cross-site scripting.” Switching to the name XSS had two main purposes. First, it distanced the forum from its law‑enforcement-linked past tied to the DaMaGeLaB name. Second, it adopted a tech‑savvy rebrand by invoking a specific vulnerability known to its audience.

Reboot message from XSS.IS’s admin (Image via: ReliaQuest)

For now, XSS.is’s future looks uncertain. With its alleged administrator in custody, authorities in France and Ukraine have a chance to unravel the forum’s infrastructure and financial trail. Europol’s involvement adds weight to the operation and shows a growing international resolve to tackle cybercriminal networks.

Stay tuned, this article will be updated with more information.

Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine

Microsoft was the most impersonated brand in phishing attacks during Q2 2025, accounting for 25% of all attempts, according to Check Point Research.

According to Check Point Research’s (CPR) latest report, cybercriminals spent the second quarter of 2025 impersonating the world’s most familiar brands to steal credentials and payment information. The data shows a mix of predictable targets and a few surprising returns, with Spotify reappearing as a key lure for the first time in years.

Microsoft once again topped the list, featuring in a quarter of all phishing attacks during Q2. Tech brands remained the primary focus, but cybercriminals also went after streaming services and travel platforms that people use daily without a second thought.

Screenshot of a Microsoft 365 phishing email tricking users into calling fake support. This scam was first reported in March 2025.

While the latest research shows Meta no longer at the top as it was in 2024, Microsoft taking the lead again doesn’t come as a surprise. As of 2025, over 1.6 billion people were using the Windows operating system. On top of that, Microsoft 365 had around 345 million paid subscribers and roughly 321 million active users each month.

That massive user base is exactly why Microsoft Office was the most targeted software in malware attacks back in 2022. It also explains why Microsoft was the most impersonated brand in phishing campaigns during Q2 2023, and why it has returned to the top spot now.

Spotify’s return to phishing charts for the first time since 2019 was linked to a spoofing campaign that mimicked the company’s login flow almost perfectly. The fake page, hosted on a malicious URL, asked victims to input credentials before redirecting them to a counterfeit payment form. Both the design and branding were polished enough to fool unsuspecting users, many of whom may have believed they were logging into their real account.

Spotify phishing login page (Image via CPR)

This renewed targeting of entertainment services shows attackers aren’t just looking at corporate systems anymore. Everyday platforms with large user bases are just as likely to be exploited, especially when those users are less suspicious of messages related to subscriptions or media.

Booking.com was also hit by a surge in impersonation. Researchers flagged over 700 newly registered domains with names resembling real booking confirmation URLs. Compared to previous quarters, that’s a spike by a factor of 100.

As Hackread.com reported on multiple occasions, most recently in June 2025, Booking.com was abused in a ClickFix email scam. Back in April 2025, another ClickFix scam exploited Booking.com to infect unsuspecting users with AsyncRAT.

Booking.com ClickFix phishing scam that delivered AsyncRAT (Image credit: Hackread.com)

These scams used personal details like names and email addresses to create urgency. While the domains have since been taken down, the approach revealed how much more personalised phishing tactics have become.

Outside these two cases, as per CPR’s report, the overall trend remains predictable. The tech sector continues to be the most impersonated, with Microsoft, Google, and Apple taking the top three spots.

Social media platforms like LinkedIn, WhatsApp, and Facebook remain common targets, while retail and travel services like Amazon and Booking.com round out the top ten. It is worth noting that CPR’s report

If you use any of these services, keep in mind that phishing campaigns count on people clicking without thinking. A few simple steps can help protect your data. Start by using multi-factor authentication, double-check URLs, run suspicious links through VirusTotal before opening them, and don’t get caught up in the urgency scammers try to create.

For businesses, keep employees informed and alert on cybersecurity, since phishing is still one of the easiest ways attackers gain access to internal systems. And finally, for ongoing updates and insights on cybersecurity, make sure to follow Hackread.com.

Microsoft Most Phished Brand in Q2 2025, Check Point Research

Coyote Trojan becomes first malware to abuse Microsoft’s UI Automation in real attacks, targeting banks and crypto platforms with stealthy tactics.

A new version of the Coyote banking trojan has been spotted, and what’s noticeable about it is not just who it’s targeting, but how it’s going about it. Cybersecurity researchers at Akamai have confirmed that this variant is the first malware seen actively using Microsoft’s UI Automation (UIA) framework to extract banking credentials. It’s a method that had only been a conceptual risk a few months ago.

Back in December 2024, Akamai warned that Microsoft’s UIA, which helps assistive technologies interact with software, could be misused by threat actors. Until now, that concern remained a proof-of-concept. Things changed when Akamai spotted Coyote using UIA in attacks targeting Brazilian users, aiming to extract sensitive information from browser windows tied to banks and cryptocurrency platforms.

This shows that Coyote trojan is changing the way it operates, making it harder to detect and stop. The malware, first detected in February 2024, is known for phishing overlays and keylogging aimed at Latin American financial targets. But what makes this variant different is its use of UIA to bypass detection tools like endpoint detection and response software.

Instead of relying on conventional APIs to check which banking site a victim is visiting, Coyote now uses UI Automation. When the active window title doesn’t match any of the malware’s preloaded banking or crypto site addresses, it changes its tactics and uses a UIA COM object to start crawling through the sub-elements of the active window, searching for telltale signs of financial activity.

Akamai’s blog post, shared with Hackread.com ahead of publishing on Tuesday, found that Coyote’s hardcoded list includes 75 financial institutions and crypto exchanges. What’s worse, these aren’t just names or URLs. The malware maps them to internal categories, allowing it to prioritise or customise its credential-stuffing attempts. This approach not only increases its chances of hitting the target but also makes it more flexible across browsers and applications.

Normally, an attacker would need detailed knowledge of a specific application’s design. UIA simplifies that process. With this framework, malware can scan the UI of another app, extract content from fields like address bars or input boxes, and use that information to customise attacks or steal login data.

Coyote trojan doesn’t stop at identifying banks. It also sends system details back to its command-and-control infrastructure, including the computer name, username, and browser data. If offline, it still performs many of these checks locally, making it harder to catch through network traffic alone.

According to researchers, the bigger concern here is how UIA could open up new attack paths. Akamai demonstrated this by showing how attackers might not just scrape data but also manipulate UI elements. One proof of concept shows the malware altering a browser’s address bar, then simulating a click to quietly redirect the user to a phishing site, all while looking legitimate on screen.

Akamai’s PoC (Click to Play GIF)

On the defensive side, there are ways to catch this kind of abuse. Akamai recommends monitoring for the loading of UIAutomationCore.dll into unfamiliar processes. They also provide osquery commands to flag processes that interact with UIA-related named pipes. These are early warning signs that an attacker may be snooping on the user interface.

Akamai’s threat hunting service has already started scanning environments for such anomalies. According to their report, customers were alerted when suspicious UIA activity was detected.

Coyote Trojan First to Use Microsoft UI Automation in Bank Attacks

Flowable’s 2025.1 update brings powerful Agentic AI features to automate workflows, boost efficiency, and scale intelligent business operations.

Flowable has taken a significant leap forward in the realm of intelligent process automation with its Summer 2025 release. The update brings a comprehensive set of features centered around agentic AI, signaling a new era where artificial intelligence seamlessly integrates into business workflows as a first-class citizen.

Released on July 22, 2025, the Flowable 2025.1 update will empower businesses to seamlessly integrate AI into workflows, driving greater efficiency, collaboration, and scalability, and will redefine business process automation forever.

****AI Agents as Core Components of Flowable****

The summer 2025 release makes Agentic AI a central element of the Flowable platform. Businesses can now create, orchestrate, and manage AI agents using the same powerful tools they rely on for BPMN and CMMN workflows, providing a unified environment for advanced enterprise process automation.

This new release offers enterprises the opportunity to scale AI adoption and integration, unlocking new levels of productivity and business process optimization.

****Key Features of Flowable’s New AI Agents****

The update includes a range of new features designed to optimize business processes and enhance automation:

*   **Flexible Agent Creation:** Users can create AI agents of varying complexity to work with simple tasks or complex workflows, directly within the Flowable platform.

*   **External AI Integration:** Flowable integrates with external AI services, such as AWS Bedrock, Azure Foundry, and Salesforce Agentforce, enabling businesses to extend their automation capabilities.

*   **Multi-Agent Collaboration:** The platform supports complex workflows with multiple AI agents working together across internally configured and external systems for efficient automation.

*   **AI-Powered Case Management:** The new “AI button” in Flowable’s case automation links cases to AI models, enabling real-time summaries, question answering, actionable suggestions, and autonomous customer communication and task completion.

****AI Agent Autonomy: Adaptive Decision-Making****

Flowable’s new AI agents offer dynamic autonomy, meaning they can adapt their level of decision-making based on the nature of the task at hand. In unpredictable, organic scenarios, agents provide AI-powered assistance. For more structured, well-defined processes, they revert to deterministic solutions, ensuring businesses can handle both structured workflows and complex, evolving situations effectively.

****Document and Data Processing with AI****

A key feature of this update is the Document Agent Type, which automates the processing of unstructured documents. This agent classifies documents, such as invoices, passports, and contracts, extracting relevant information and significantly reducing manual data entry, thereby improving efficiency and reducing errors in document-heavy workflows.

****AI-Driven Contextual Assistance****

The Orchestrator Agent Type provides businesses with an intelligent assistant to manage cases and workflows. It offers capabilities such as:

*   Summarizing case details and providing task overviews.

*   Triggering actions based on user interactions or document uploads, such as initiating an “invoice intent analysis” after an invoice is uploaded.

*   Suggesting or automating steps in workflows based on case events, like starting a “customer escalation” if a customer expresses frustration.

These features enhance case management by improving both responsiveness and decision-making.

****A Suite of AI Agents for Every Business Need****

The Flowable 2025.1 release introduces four powerful types of AI agents, each designed to address specific business needs:

*   **Utility Agent:** Automates tasks like data enrichment, sentiment analysis, and classification.

*   **Document Agent:** Extracts and processes data from unstructured documents such as invoices, contracts, and other records.

*   **Knowledge Agent:** Provides contextual answers by tapping into internal knowledge bases, FAQs, or documentation.

*   **Orchestrator Agent:** Coordinates and manages other agents or tasks based on dynamic inputs, rules, or goals.

****Empowering Enterprises with Intelligent Automation****

Flowable’s latest release enables enterprises to seamlessly integrate agentic AI into their workflows, unlocking new levels of automation and intelligence. By leveraging agentic AI, organizations can enhance decision-making, streamline operations, and drive digital transformation. 

With this next generation of AI-powered automation, businesses are poised to lead the future of intelligent business processes.

****About Flowable****

Flowable is a leader in digital transformation, offering a unified platform for business process management (BPM), business process automation (BPA), case management, and AI-powered automation. Flowable helps organizations streamline operations, improve decision-making, and drive innovation at scale, supporting businesses in their digital transformation journey. 

****Media Contact:****

*   Violet Diamanti-Race
*   Product Marketing Manager
*   Email: \[email protected\]
*   Marketing: \[email protected\]

Flowable’s Summer 2025 Update Introduces Groundbreaking Agentic AI Capabilities

Microsoft reveals Chinese state-backed hacker groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, are exploiting SharePoint flaws, breaching over 100 organisations. Discover threat actors, their tactics and Microsoft's urgent security guidance.

Microsoft’s critical new update reveals that specific Chinese nation-state threat groups are actively exploiting vulnerabilities in its on-premises SharePoint servers. Following an earlier report from Hackread.com, which highlighted the compromise of over 100 organisations globally, Microsoft has now identified the key players behind the intrusions and released comprehensive security updates for all affected SharePoint versions.

The ongoing cyberattacks leverage two distinct zero-day flaws, CVE-2025-49706, a spoofing vulnerability that allows attackers to trick systems, and CVE-2025-49704, a remote code execution (RCE) vulnerability enabling them to run malicious code remotely. These flaws are related to the previously highlighted CVE-2025-53770 and CVE-2025-53771.

> Microsoft is sharing details from ongoing investigations of threat actors exploiting vulnerabilities targeting on-premises SharePoint servers. Linen Typhoon, Violet Typhoon, and Storm-2603 have been observed exploiting the vulnerabilities: https://t.co/oQ2HDZZbJB
> 
> — Microsoft Threat Intelligence (@MsftSecIntel) July 22, 2025

****Named Threat Actors and Attack Tactics****

Microsoft’s Threat Intelligence unit confirms that Chinese nation-state actors Linen Typhoon, Violet Typhoon, and another China-based group tracked as Storm-2603, are exploiting these vulnerabilities. Observed attacks begin with threat actors conducting reconnaissance and sending crafted POST requests to the ToolPane endpoint on SharePoint servers.

These groups are known for espionage, intellectual property theft, and persistently targeting exposed web infrastructure. Attacks are widespread, with CrowdStrike observing hundreds of attempts across over 160 customer environments since July 18, 2025.

Linen Typhoon, active since 2012, focuses on stealing intellectual property from government, defence, and human rights sectors. Violet Typhoon, tracked since 2015, specialises in espionage against former military personnel, NGOs, and financial institutions, often by scanning for and exploiting vulnerabilities.

While Storm-2603 has previously deployed ransomware like Warlock and Lockbit, their current objectives with these SharePoint exploits are still being assessed. Here is a summary of these groups’ activities:

****1\. Linen Typhoon****

*   Chinese state-sponsored group
*   Previously known as Hafnium
*   Target focuses on the Government, defence, NGOs, and education
*   Known for attacks on US critical infrastructure and academic institutions
*   Notable activity includes Exploited Microsoft Exchange vulnerabilities (ProxyLogon)

****2\. Violet Typhoon****

*   Chinese threat actor
*   Previously known as APT41 (also known as Barium or Winnti, depending on activity)
*   Known for a mix of state-backed espionage and financially motivated attacks
*   Target focuses on healthcare, telecom, software, and gaming industries
*   **Notable activity**: includes supply chain compromises, backdoored software updates

****3\. Storm-2603****

*   Believed to be China-linked
*   “Storm” is a temporary name Microsoft uses for emerging or unattributed groups
*   Known for exploiting zero-day vulnerabilities in Microsoft products
*   Target focus includes government and corporate systems
*   Status is under investigation, but early indicators point toward Chinese origin

According to Microsoft’s investigation, attackers are deploying web shells, such as modified spinstall0.aspx files, to steal critical IIS Machine Keys, which can bypass authentication, and early exploitation attempts date back to July 7, 2025. As previously noted by Shadowserver Foundation, these persistent backdoors allow hackers to maintain access even after systems are updated.

****Urgent Fixes and Mitigation Steps****

On July 19, 2025, Microsoft Security Response Centre (MSRC) published security updates for all supported SharePoint Server versions (Subscription Edition, 2019, and 2016). This is a crucial development, as previously, updates for SharePoint 2016 were still pending. Microsoft urges immediate application of these updates.

Other than patching, Microsoft recommends enabling Anti-malware Scan Interface (AMSI) in Full Mode and deploying Microsoft Defender Antivirus or equivalent solutions on all SharePoint servers.

Microsoft Reveals Chinese State Hackers Exploiting SharePoint Flaws

Hackers are exploiting critical SharePoint flaws (CVE-2025-53770/53771) to breach global targets, including governments and corporations. Microsoft urges immediate action. Learn about the active attacks and how to protect your network from credential theft and backdoors.

New information has emerged regarding ongoing cyberattacks against Microsoft’s on-premises SharePoint servers, revealing a wider impact than initially understood. Yesterday, Hackread.com reported on Microsoft’s urgent warnings and new security updates for critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that allow attackers to execute malicious code.

Now, cybersecurity researchers have confirmed a significant escalation: approximately 100 organisations worldwide have been successfully breached so far. This widespread exploitation has impacted governments, businesses, and other entities globally.

Victims include national governments in Europe and the Middle East, along with US government systems such as the Department of Education, Florida’s Department of Revenue, and the Rhode Island General Assembly.

A US-based healthcare provider and a public university in Southeast Asia have also been targeted, with attempted breaches observed in countries like Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, and the UK.

Attackers are, reportedly, exploiting zero-day flaws, meaning these weaknesses were previously unknown, allowing spies to gain deep access and potentially install persistent backdoors. Cybersecurity firms like CrowdStrike, Mandiant Consulting, Shadowserver Foundation, and Eye Security are tracking multiple hacker groups involved in these attacks.

Netherlands-based Eye Security first identified active exploitation on Friday, noting that even after initial patches from Microsoft in early July, hackers found “ways around the patches” to continue their intrusions. CrowdStrike also observed active exploitation beginning July 18, 2025, blocking hundreds of attempts across over 160 customer environments.

SharePoint flaws exploitation attempts over time (Source: CrowdStrike)

A common sign of infection is the presence of a suspicious file named “spinstall0.aspx,” which attackers use to steal IIS Machine Keys after being written via PowerShell commands, CrowdStrike found.

****Urgent Call for Action****

The stolen information is highly sensitive, including sign-in credentials like usernames, passwords, and hash codes. SharePoint’s deep integration with other Microsoft services like Office, Teams, OneDrive, and Outlook means a compromise isn’t contained and “opens the door to the entire network,” according to Michael Sikorski of Palo Alto Networks.

While Microsoft released patches over the weekend for SharePoint 2019 and Subscription Edition, updates for SharePoint 2016 are still under development. Organisations are strongly advised to not only apply available patches but also to rotate machine keys and restart their IIS services to fully mitigate the threat.

Adding to these critical steps, the CISA (Cybersecurity and Infrastructure Security Agency) on July 20, 2025, issued its own guidance. They recommend configuring Antimalware Scan Interface (AMSI) in SharePoint, deploying Microsoft Defender AV on all SharePoint servers, and, if AMSI cannot be enabled, disconnecting affected public-facing products until official mitigations are fully applied.

The vast number of potentially vulnerable SharePoint servers, estimated at over 8,000 globally by search engines like Shodan, highlights the urgent need for comprehensive security measures. The breaches have also brought renewed scrutiny to Microsoft’s cybersecurity practices, with a 2024 US government report recommending urgent reforms to its security culture.

“Cryptographic asset theft is the new ‘phishing’, in that, bad actors have learnt that, like stealing passwords, getting an important cryptographic asset like API Keys or a Machine Identity, is much easier than brute force methods,_“_ said Robert Hann, Global VP Technical Solutions at Entrust.

“To protect sensitive data with encryption and HSMs, it’s essential to first understand which cryptographic assets, like private keys, digital certificates, and encryption algorithms, are securing which systems and information. Leveraging an HSM is especially important for data that is sensitive or carries compliance requirements,” Robert advised.

“In addition to HSM protection, it’s crucial for companies to implement other security best practices for SharePoint, such as keeping the software up to date with the latest patches and security updates, using strong passwords, rolling over keys regularly and following secure configuration guidelines,” he emphasised.

According to Andrew Obadiaru, CISO, Cobalt, an offensive security company, “Zero-day vulnerabilities in widely deployed platforms like SharePoint are a goldmine for attackers because they provide immediate, scalable access to high-value environments. The challenge isn’t just patching; it’s that attackers typically implant persistence mechanisms within hours, ensuring long-term footholds._“_

“Defence strategies need to assume breach and validate controls through proactive testing, including red teaming and continuous pentesting, to uncover weaknesses before adversaries do. In today’s threat landscape, reactive security alone is a losing game,” Andrew advised.

Hackers Exploit Microsoft SharePoint Flaws in Global Breaches

Global fashion brand SABO suffers data breach, exposing 3.5+ million customer records including names, addresses, and order details. Learn about the risks and what to do.

A data leak has impacted SABO, a global fashion and design company based in Australia, exposing over 3.5 million customer records. The breach, discovered by cybersecurity researcher Jeremiah Fowler, involved a misconfigured database containing 292 GB of sensitive customer information that was left unsecured and without password protection. The findings were published by vpnMentor and shared with HackRead.com.

The exposed data comprised nearly 3,587,960 records totalling 292 GB of sensitive customer information. It included personally identifiable information (PII) such as customer names, physical and email addresses, phone numbers, and detailed order information for both retail and commercial clients.

Documents like invoices, packing slips, and return documents, dating from 2015 to June 27, 2025, were also part of the exposed records, impacting both retail and commercial customers. Samples from the compromised database provided by Fowler show detailed invoices with specific order dates and product listings.

****Risk to Customers****

While the records pointed to SABO, it remains unclear if the database was directly managed by them or a third party, nor is it known how long it was exposed or if other parties accessed it. Still, the nature of this data exposure should be concerning for the unsuspected affected individuals.

With personal details and purchasing history exposed without encryption, customers are at risk of targeted cyberattacks. With some social engineering, cybercriminals could exploit this information to compose convincing phishing emails, designed to trick individuals into revealing further sensitive data or financial information.

These types of scams often leverage real order numbers and purchase details, making them incredibly difficult to distinguish from legitimate communications, Fowler explained in the blog post.

Other than phishing attacks, the exposed data could also be used for social engineering attacks, where criminals manipulate individuals into revealing confidential information. The threat of financial fraud also looms large, as bad actors could potentially use the stolen PII to attempt unauthorised transactions or account takeovers.

****Protecting Yourself****

Although the exposed database was secured shortly after Fowler’s responsible disclosure to SABO, the exposure goes on to show why data encryption is a must. Therefore, always verify the sender’s email address and ensure it matches the official company domain before clicking on any links or downloading attachments.

Be wary of unexpected communications, especially those asking for personal or financial details. It’s always best to use official communication channels, such as directly visiting the company’s website, to verify any suspicious requests.

Global Fashion Label SABO’s 3.5M Customer Records Exposed Online

Austin, United States / TX, 22nd July 2025, CyberNewsWire

**Austin, United States / TX, July 21st, 2025, CyberNewsWire**

Living Security, the global leader in Human Risk Management (HRM), today released the 2025 State of Human Cyber Risk Report, an independent study conducted by leading research firm Cyentia Institute. The report provides an unprecedented look at behavioral risk inside organizations and reveals how strategic HRM programs can reduce that risk 60% faster than traditional methods.

Drawing on behavioral data from more than 100 enterprises and hundreds of millions of user events, the study offers a first-of-its-kind, data-driven map of where cyber risk actually lives in the workforce and how leading organizations are shrinking it. The report confirms a long-suspected but rarely proven reality: a small fraction of employees (just 10%) are responsible for 73% of risky behavior. According to the findings, it’s clear that protecting the enterprise in 2025 means managing people, not just systems.

> “Security teams have always known the human factor plays a critical role in breaches, but they’ve lacked the visibility to act on it,” said Ashley Rose, CEO and Co-founder of Living Security. “Until now, most insights have relied on anecdotal evidence or narrow indicators like phishing clicks. This report changes that by providing hard data that shows exactly where risk lives, and what actually works to reduce it.”

**Key Findings from the Report:** 

*   Human risk is concentrated, not widespread: Just 10% of employees are responsible for nearly three-quarters (73%) of all risky behavior.
*   Visibility is alarmingly low: Organizations relying solely on security awareness training (SAT) have visibility into only 12% of risky behavior, compared to 5X that for mature HRM programs.
*   Risk is often misidentified: Contrary to popular belief, remote and part-time workers are less risky than their in-office peers.
*   HRM works: Companies using Living Security’s Unify platform cut their risky user population by 50% and reduced high-risk behavior duration by 60%.

**From Awareness to Action: Making Human Risk Measurable**

Unlike traditional reports that focus on external threats or compliance audits, the 2025 State of Human Cyber Risk Report centers on internal risk behaviors and how they change with the right interventions.

The report includes:

*   A detailed breakdown of what constitutes human risk across behaviors, events, and attributes
*   Analysis of how risk is distributed across roles, industries, and access levels
*   Persona-based insights using behavioral alignment models
*   Proof that HRM initiatives, especially behavior-triggered action plans, dramatically reduce organizational risk exposure

**A Call to Cybersecurity Leaders**

With budgets tightening and threats evolving, the stakes are clear: cybersecurity can no longer rely on awareness alone. Leaders must prioritize behavioral visibility, targeted action, and ROI-driven results. 

> “Cybersecurity is no longer just about technology, it’s about behavior,” said Rose. “If we don’t understand who our riskiest users are, why they’re at risk, and how to help them improve, we’ll continue chasing symptoms instead of solving the root problem.”

**Looking Ahead**

These findings come at a time when AI agents and digital co-workers are entering the enterprise and the attack surface is evolving fast. As pioneers in Human Risk Management, Living Security sees this evolution clearly: the future of cyber resilience isn’t just about managing human risk, it’s about managing behavioral risk, wherever it originates. This report not only celebrates measurable progress on the human side, but also signals what comes next: a future where enterprises govern both humans and agents through shared visibility, standards, and accountability.

**About the Report**

The 2025 State of Human Cyber Risk Report was produced in partnership with the Cyentia Institute using anonymized data from Living Security’s Unify platform over the last several years. It reflects hundreds of millions of real-world user events and decisions, collected and analyzed to provide a clear picture of how human risk shows up, and how it can be reduced.

The full report is available for download at: https://www.livingsecurity.com/2025-human-risk-report-key-cybersecurity-insights. For a deeper look at the findings, users can join a live webinar with Cyentia researchers and Living Security CEO Ashley Rose on July 23 at 3PM ET / 12PM PT by registering here.

**About Cyentia Institute**

The Cyentia Institute is a renowned research firm committed to providing high-quality, data-driven insights to help organizations enhance cybersecurity and effectively manage information risks. Through collaborations with leading industry and government entities, Cyentia continually advances cybersecurity knowledge and practice.

**About Living Security**

Living Security is the global leader in Human Risk Management (HRM), providing a risk-informed approach that meets organizations where they are—whether that’s starting with AI-based phishing simulations, intelligent behavior-based training, or implementing a full HRM strategy that correlates behavior, identity, and threat data streams.

Living Security’s Unify platform delivers 3X more visibility into human risk than traditional, compliance-based training platforms by eliminating siloed data and integrating across the security ecosystem. The platform pinpoints the 8–12% of users who pose the greatest risk and automates targeted interventions in real time—reducing exposure to human risk by over 90%. Powered by AI, human analysis, and industry-wide threat telemetry, Unify transforms fragmented signals into intelligent, adaptive defense.

Named a Global Leader in Human Risk Management by Forrester and trusted by enterprises like Unilever, Mastercard, Merck, and Abbott Labs, Living Security helps security teams move from awareness to action—driving measurable behavior change and proving impact at every stage of the journey.

**For more information, users can find them online at livingsecurity.com or follow on** **LinkedIn****.**

**Contact**

**Living Security Press**  
**Living Security**  
**\[email protected\]**

New Report Reveals Just 10% of Employees Drive 73% of Cyber Risk

Former Hunters International ransomware gang, now World Leaks, claims 1.3 TB Dell data breach, leaking over 400K files with internal tools and user data.

World Leaks, the rebranded version of the Hunters International ransomware gang, has leaked 1.3 TB of internal data, which the group claims belongs to Dell Technologies Inc., the American multinational tech giant.

The announcement was made earlier today, Monday, July 21, 2025, on the group’s official dark web leak site. According to information reviewed by Hackread.com, the leak contains 416,103 files, all publicly available for download. Many of these files directly reference Dell Technologies and appear consistent with internal corporate data.

World Leaks’ claims on its dark web leak site (Image credit: Hackread.com)

****Analysis of the File List****

A closer look at the leaked file list shows what appears to be internal data from across Dell Technologies’ global network. The files come from various regional systems, including the Americas, Europe, and Asia-Pacific, and cover everything from employee folders and software tools to infrastructure scripts and backup data.

Many of the files mention Dell Technologies and its products, such as PowerPath, PowerStore, and firmware for Dell-branded hardware. There are also references to VMware tools, automation scripts written in Terraform, and files linked to system monitoring and internal testing.

Some paths point to browser profiles, log files, and software packages used in development or support environments. What stands out is how often Dell’s name and tools appear throughout the directories, along with structured naming that suggests the data is pulled from real corporate systems. All of this supports the group’s claim that the files are indeed from inside Dell’s infrastructure.

Screenshot from the file list published by World Leak (Image credit: Hackread.com)

It’s also worth noting that World Leaks has not disclosed when the breach of Dell Technologies occurred, how it was carried out, or how the company responded to it.

****Dell’s Statement****

In a statement to Hackread.com, Dell confirmed that a threat actor accessed its internal “Solution Center,” an environment used for product demos and testing. The company emphasised that this system is isolated from customer and partner networks and is not part of its service infrastructure.

According to Dell, the data obtained was primarily synthetic, publicly available, or related to internal scripts and testing outputs. While Dell did not use the term “breach,” its response indicates that unauthorised access did occur. The company says its investigation is ongoing.

****Who Is World Leaks and How Is It Connected to the Hunters International Ransomware Group?****

As Hackread.com reported in early July 2025, World Leaks is the new name adopted by the group formerly known as Hunters International. The gang has changed its approach, now focusing solely on data theft and extortion rather than deploying ransomware. Their approach focuses on stealing sensitive data and threatening to leak it unless they are paid by their victims.

This approach is completely different from how Hunters International operated, where file encryption was used alongside extortion. World Leaks has dropped the encryption part entirely and is now gambling everything on the pressure that comes from the threat of public exposure.

The change could be a strategic one, especially with law enforcement agencies becoming more aggressive and ransomware profits facing more obstacles. By cutting out the encryption step, they reduce the chances of getting caught while still profiting from the stolen data.

World Leaks now uses a custom exfiltration tool to automatically extract large volumes of data from compromised networks. This tool seems to be a more advanced version of the data theft software previously used by affiliates of the original Hunters International group.

****Dell and Cybersecurity Incidents: Nothing New****

A company as large as Dell is always an attractive target for cybercriminals, and this isn’t the first time hackers have claimed to breach its systems. On May 9, 2024, a hacker using the alias “Menelik” claimed to be selling data from 49 million Dell customer accounts.

The following day, on May 10, Dell confirmed the breach but downplayed its severity, stating that the compromised data posed “no significant risk.” The exposed information included full names, physical addresses, Dell hardware and order details, service tags, item descriptions, order dates, warranty information, and more.

In September 2024, a hacker using the alias “grep” announced three separate data breaches involving Dell. One of the breaches reportedly exposed data belonging to more than 10,000 Dell employees.