Scammers are using fake October 2025 performance reviews to trick staff into installing Guloader and Remcos RAT malware. Learn how to identify this threat and protect your personal data from remote hackers.

We all know the feeling of waiting for a performance review. It can be a stressful time, and unfortunately, cybercriminals are now using that anxiety to their advantage. A recent report by AhnLab Security Intelligence Center (ASEC) has revealed a clever new email scam, which uses fake employee reports to trick people into installing dangerous software on their computers.

****How the Trap is Set****

The scam starts with an email that looks like it is coming from management or HR. The message mentions the performance reviews for October 2025 and claims that the company is planning to let some people go. To make it feel more urgent, the email tells the reader they need to check an attached file to see where they stand.

This is a classic social engineering trick involving scaring people into thinking their jobs are at risk. The attackers hope you will act quickly and open the attachment without thinking twice.

Phishing email (source: AhnLab)

****The Hidden Danger in the Attachment****

The attached file, as per AhnLab’s report, is usually a zipped or compressed folder in which there’s a file named ‘staff record pdf.exe’. It is worth noting that if your computer is set to hide file extensions, this will look like a regular PDF document. However, in reality, it is an executable program. As soon as the user double-clicks this file, it launches malware known as Guloader.

This software is particularly tricky because it doesn’t immediately show up on your hard drive but hides in the computer’s temporary memory and reaches out to a Google Drive link to download the rest of its tools. By using a trusted site like Google Drive, the hackers can easily bypass basic security filters.

Attached compressed file (Source: AhnLab)

****What Happens if You Get Infected?****

The final goal of this attack is to install Remcos RAT. As soon as this virus is active, it connects back to the hacker’s home base. In this specific case, the malware was found communicating with a server at 196.251.116.219 using ports 2404 and 5000.

This connection allows hackers to watch you through your webcam, listen via your microphone, see every key you type, and even steal your saved passwords and browser history.

To protect yourself, always be wary of unexpected emails about dismissals or reports, especially if they have attachments. Also, make sure your computer is set to show full file extensions so you can spot an ‘.exe’ file pretending to be a document. Regularly changing your passwords and using extra login security can also help keep your data safe if a slip-up happens.

(Photo by Xavier Cee on Unsplash)

Fake Employee Reports Spread Guloader and Remcos RAT Malware

Public sector cybersecurity faces outdated systems, budget gaps, and rising attacks. Learn key challenges, defense strategies, and proven best practices.

Once upon a time, computer crimes were associated with the image of a hacker in a black hoodie working in a dark room by the glow of a monitor. But times have changed, and so have the threats. From simple penetration attempts, cyber attacks have evolved into complex, coordinated operations specifically targeting state systems, rather than pursued merely for entertainment or recognition.

Today, cyber attacks on government structures occur for various reasons. Some attackers are motivated by political pressure, attempting to influence legislative decisions or discredit the authorities. Others seek recognition in the world of cybercriminals, counting on fame and reputation. A third category has purely commercial interests. However, the most prevalent motivation remains the theft of personal data of citizens stored in state registers: medical records, registration documents, and income data. This data is then sold on the dark web, generating millions of dollars in the process.

This is precisely why cybersecurity in the public sector cannot tolerate mistakes. Unlike private companies, which can afford certain risks for the sake of innovation, the public sector opts for verified, tested, and maximally secure solutions. After all, breaches in healthcare systems can cost people their lives, failures in transport systems can lead to road chaos, and compromises of citizen registries leave millions vulnerable to fraud.

Over the past few years, the volume of cyber attacks on state bodies has increased by more than 40 percent. This figure speaks for itself. It is no longer possible to view public sector cybersecurity as a secondary issue to be dealt with later. This is a matter of national security and citizen trust. And this urgency is intensified by the growing digitalization of the public sector.

If you’ve ever watched the series “Black Mirror” or “Mr. Robot,” you know how terrifying scenarios of cyber attacks at the state level can be. Unfortunately, reality is sometimes even worse than fiction, but the sector itself is indeed very conservative.

Therefore, overly untested or innovative ideas are not introduced here. Everything that the state integrates undergoes dozens, and sometimes hundreds, of rounds of verification, testing, and controlled attacks to identify weaknesses.

****Why Governments Become Primary Targets for Hackers****

1.  State and municipal structures attract the attention of cyber attackers for several reasons simultaneously. First, there are enormous volumes of personal data. State registers contain information about every citizen: document numbers, addresses, contacts, medical data, and tax records. One successful breach opens access to tens of millions of records. On the black market, such databases command serious money.
2.  Second, many government systems are built on outdated technologies. “Legacy systems” are windows into the past through which modern hackers can easily penetrate. These systems were often written decades ago, when nobody even thought about internet security as we understand it today. Updating these systems costs millions and proceeds slowly through bureaucratic channels.
3.  Third, state bodies, which are often government agencies, are often underfunded when it comes to preventing cybersecurity threats. Money is allocated to hospitals, schools, and roads, while IT security receives scraps of the budget. The result: a shortage of experts, an absence of a unified defense strategy, and outdated equipment.
4.  Fourth, there is prestige. Every hacker who has cracked a major government portal automatically enters the “ranking” of cybercriminals. This attracts new members to groups, funding, and opportunities.

Real examples illustrate the scale of the problem. In 2021, hackers attacked American healthcare systems, rendering hospitals non-operational. In 2022, the Portuguese tax service was compromised, with data from millions of citizens stolen. In 2019, the United States experienced a powerful attack on Baltimore’s city system, making it difficult for residents to obtain documents.

Groups similar to “Anonymous” deserve special mention. These well-organized cybercriminals are motivated not solely by financial gain. They attack state structures as symbols of systems they wish to destabilize or criticize. Such attacks are harder to predict because the driving force behind them is not just money but ideology. Cybersecurity threats to government from such organized groups represent an unprecedented challenge.

Precisely because of such threats, the state can no longer rely solely on internal resources. The IT departments of government bodies simply do not have sufficient resources and expertise to fight organized groups of cybercriminals. This has created the need for partnerships with private companies specializing in cybersecurity.

Private companies operating in the field of cybersecurity in the public sector have many advantages. They constantly monitor global threats, maintain international networks of experts, and invest in cutting-edge technologies.

Such companies have decades of experience working with government bodies in 70 countries worldwide, understanding the specifics of the public sector far better than those who have never encountered bureaucracy and the peculiarities of state administration. More information can be found at: https://dxc.com/industries/public-sector.

These companies help states not merely react to attacks but develop proactive defense. They integrate modern technologies, establish security centers, train civil servants, and develop strategies that account for the peculiarities of specific countries and government bodies. Without such partnerships, public sector cybersecurity would remain a positional game where attackers always have the advantage.

****Core Challenges of Cybersecurity in the Public Sector****

The first and most obvious challenge is underfunding. Imagine you have a budget of 1 million dollars for IT security. But you need to protect thousands of computers, servers, databases, and web portals. What private companies can solve flexibly, the public sector must handle through lengthy tenders and procurements.

The second challenge is a shortage of experts. A competent cybersecurity specialist on the job market is expensive, and working conditions at private companies are often more attractive than in government agencies. Where will young talent choose to work? In a comfortable office with a salary two or three times higher, or in a government institution with average pay? The result is obvious, and state bodies remain with teams of veterans who often fall behind the pace of technological development.

The third challenge is legacy systems. They drag on like an anchor to the past. These systems were often written in programming languages that are no longer needed, run on outdated equipment, and have architectures that do not adapt to modern patches and updates. Yet rewriting them anew remains impossible because they contain critical data, and any downtime would have catastrophic consequences.

The fourth challenge is the human factor. Most successful cyber attacks do not begin with technical vulnerabilities but with the simple “clicking in the wrong place.” A civil servant receives an email from the “Personnel Management System” asking to update their password. They follow the link, enter their credentials, and the hacker now has access to their account. This then spreads further throughout the organization. Thus begin the most complex attacks.

The fifth challenge is the weight of potential attacks. Hackers are interested precisely in large, important systems. A small company might get by without a leading cybersecurity specialist, but a government structure serving millions of people does not have that luxury. It becomes a magnet for attacks because the stakes are very high for both attackers and defenders.

****From Fighting Fires to Prediction: Building Powerful Cyber Defense****

Consider what happened in the public sector over the last 10-15 years. Previously, everything was about a reactive approach: we wait for something to happen, then fight the fire, fire someone, and promise it won’t happen again. Now everything has changed, and those organizations that have transitioned to preventive thinking are winning.

1.  The first step is centralized monitoring systems. Imagine a nuclear power plant’s control room where every sensor is tracked in real time. In cybersecurity, this works similarly. All systems transmit information to one observation center, where analysts can view it on a single screen. If someone attempts to slip beyond normal parameters, the system alerts them. This allows problems to be caught before they escalate into real attacks.
2.  The second element is cyber education. Not only should the IT department understand how to protect itself, but it should also understand how to protect the organization. Every civil servant, from clerk to minister, must know the basic rules of cybersecurity hygiene. How to recognize phishing, why passwords shouldn’t be written on sticky notes, and what to do if something seems suspicious. Some Czech cities experimented: they informed all agencies that a fake attack would occur for training purposes, but did not say when. The result was striking. In the first wave, 60 percent of people “clicked” on fraudulent links. After six months of training, this figure dropped to 15 percent.
3.  The third factor is the integration of artificial intelligence and machine learning. Modern systems can detect threats in real time by analyzing millions of events per second. AI “learns” from historical attack data and recognizes patterns that the human eye would miss. This is like the difference between a police officer walking a district on foot and a camera system with facial recognition that analyzes every face against a database of wanted persons.

Examples of successful practices can be found in the EU and the US. Estonia, for instance, has built an e-governance system considered one of the most secure in the world. They use cryptography, multi-factor authentication, and continuous monitoring. Every operation leaves a trace that can be verified. If the system detects unauthorized access even years later, it can recover and certify it.

Denmark developed a centralized incident management system for all government bodies. When an attack occurs anywhere, it is immediately transmitted to the center, and on-site specialists can receive assistance, and other bodies receive warnings about potential threats.

****Best Practices for a Secure Digital State****

If you truly want to protect a government system, you must follow verified practices. The first is regular audits. Not just once a year, but continuously. Every quarter, every month, depending on system criticality.

The second practice is regular software updates. It sounds simple, but in reality, it is a serious challenge. Each patch requires testing on thousands of computers and servers. Testing may reveal that some legacy software stops working with the new update. Yet failure to implement updates means leaving doors open to attacks.

The third is the principle of minimum access. In simple terms, every person should have access only to what they need to do their job. A clerk working with registrations should not have access to the medical data of millions of people. A bus driver should not be a database administrator. If a hacker steals a regular employee’s credentials, they will have limited access.

Real cases demonstrate how this works in practice. In the United Kingdom, the Department of Work and Pensions (DWP) entered into multi-year contracts with companies specializing in vulnerability testing. They regularly conduct comprehensive system reviews, essentially posing as hackers. The result is a system that withstands hundreds of attacks per year without compromise. In the Netherlands, the employment service modernized its infrastructure to cloud solutions, which allowed it to update security faster and more efficiently.

Just as ancient cities once built walls against enemies, modern governments are erecting digital fortresses, layer by layer, barrier by barrier, so that an attack requires not only skill but also enormous resources, time, and luck.

****Securing the Future:** **Public Sector Cybersecurity** **as a Long-Term Mission****

Cybersecurity is a constant, continuous process of adaptation, learning, and improvement. 

Technology helps, but the human factor remains critical. You need specialists who understand both technical and organizational aspects. 

The second component is continuous collaboration between sectors. Private companies have specialization and resources; government bodies have access to critical infrastructure and information about real threats. Government administration should accumulate knowledge, hire private experts to solve specific problems, but not rely entirely on external consultants. 

The third component is investment. Building security is not cheap. But it is far cheaper to build it from the start than to later excavate from the ruins of a broken system. 

The fourth component is the legislative framework. Regulations, standards, and norms must be clear and consistent. When an organization knows it will be checked for compliance with certain standards, it takes it more seriously. The European General Data Protection Regulation (GDPR) became revolutionary precisely because it established clear rules and strict penalties for violations.

Let us conclude with one thought often forgotten. Citizen trust in a digital state does not begin with beautiful portal designs or rapid request processing. It begins with one simple feeling: a sense of security with every click. When a person enters personal data on a government website, they must be confident that this data is protected maximally. 

(Photo by Ayrus Hill on Unsplash)

Cybersecurity in the Public Sector: Challenges, Strategies and Best Practices

Everest ransomware claims to have breached Nissan Motor Corporation, alleging the theft of 900GB of internal data, including documents and screenshots.

The notorious Everest ransomware group claims to have breached Nissan Motor Corporation (Nissan Motor Co., Ltd.), the Japanese multinational automobile manufacturer.

The group published its claims on its dark web leak site on January 10, 2026, sharing six screenshots allegedly taken from the stolen data. They also revealed a directory structure showing ZIP archives, text files, Excel sheets, and CSV documents.

Based on the leaked screenshots published by the Everest ransomware group, the material appears to include directory structures and internal records allegedly linked to Nissan. The folder views show organized internal file storage containing reports, data extracts, and dealership-related documentation. File formats visible include .csv, .txt, .pgp, and .xls, suggesting a range of structured data types likely used for reporting, analysis, or internal communication.

Some files are labeled with references to specific programs, dealership information, certification reports, and claims processing. One screenshot includes a spreadsheet listing dealership names, addresses, cities, and state details, potentially linked to regional operations or incentive programs. Other directories include what look like financial records, audit reports, and system folders used in everyday operations.

While no sensitive personal data is shown in the screenshots themselves, the folder names and file types imply access to operational systems and documents that could be used to map internal processes or extract more sensitive information.

The group has given Nissan five days to respond, or the allegedly stolen data will be leaked online.

Screenshot from the dark web leak site of the Everest Ransomware group (Credit: Hackread.com)

****Nissan and Cybersecurity****

Nissan is no stranger to cybersecurity incidents. In August 2025, the Qilin ransomware group claimed to have stolen 4TB of data from Nissan CBI (Creative Box Inc.), a Tokyo-based design subsidiary of Nissan Motor Co., Ltd.

In March 2024, Nissan confirmed that hackers had stolen the personal details of over 100,000 employees and customers following a data breach in December 2023. The incident affected both Nissan Motor Corporation and Nissan Financial Services in Australia and New Zealand.

Back in January 2021, Nissan’s source code was leaked due to a misconfigured Git server. The server had been secured using default login credentials – “admin” as both username and password.

****Everest and High-Profile Data Breaches****

Everest ransomware was one of the most active ransomware groups in 2025, and it appears to be continuing that momentum in 2026. So far, the group has claimed attacks on major organizations, including ASUS, Chrysler, Iberia Airlines, Under Armour, Petrobras, AT&T, Dublin Airport, and others.

As of now, Nissan has not publicly responded to the claims. Whether the data will be released or quietly handled behind the scenes remains to be seen. What’s certain is that groups like Everest are keeping steady pressure on large companies, testing the limits of their security and response.

(Photo by Frank Albrecht on Unsplash)

Everest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen

Meet OPCOPRO, an online scam that builds a fake AI-run world like The Truman Show using WhatsApp and apps to steal IDs via fake KYC and investments.

A massive fraud operation named OPCOPRO is currently trapping mobile users inside a completely fabricated digital world. According to a recent report by the research firm Check Point, this “Truman Show” scam represents a major shift in crime. Instead of using viruses, these scammers use AI to build fake communities that trick victims into a false sense of security over several weeks.

****A Fake World on WhatsApp****

The trap usually starts with a simple text. Back in October 2025, unsuspecting users began receiving SMS messages that looked like they were from Goldman Sachs, promising stock returns of 70%. However, Goldman Sachs stated it was not a legitimate message from them, Check Point researchers noted, confirming the brand was being impersonated.

If you click the link in that text, you’re dropped into a private WhatsApp group where the ‘show’ starts. The group is run by two main characters: Professor James and his assistant Lily. Though they sound like real professionals, the investigation revealed that their profile photos are AI-generated and they don’t actually exist.

The group might have 90 members, but most are just automated bots. As we know it, humans usually have different ways of talking, but these bots all sound the same, constantly cheering, posting fake profit screenshots, and making the Professor look like a genius. It is worth noting that these bots use internet-based phone numbers that can’t be reached if you try to call them.

****Using Official Apps to Gain Trust****

The most dangerous move in this scam is using the Apple App Store and Google Play Store for legitimacy. After weeks of building trust, victims are told to download the O-PCOPRO app (specifically the com.yme.opcopro version on Android). Most people lower their guard because the app is in an official store.

According to researchers, the scammers even provide a fake Cooperation Agreement and claim they are partnered with Oppenheimer Holdings to keep the lie going. Once the app is installed, the trap springs into action. Victims are asked to complete a KYC process (a key term for Know Your Customer identity checks). This involves uploading a photo of your ID and a liveness selfie.

Attack Chain (Source: Check Point)

****No Trading, Just Theft****

Once they have your ID, the scammers promise returns as high as 370% to 700% to get you to deposit money. However, the app is a total hollow shell. “The mobile apps themselves contain no trading logic,” researchers noted, and are just a WebView (a browser window) showing whatever fake numbers the scammers want you to see.

The fallout is a total nightmare for personal security. With your ID and selfie, these criminals can perform a SIM swap to steal your phone number or even trick your office IT desk into giving them access to your work accounts. Researchers concluded that this is now an industrialized system, capable of being launched in any language, at any time.

(Photo by Christian Wiediger on Unsplash)

New OPCOPRO Scam Uses AI and Fake WhatsApp Groups to Defraud Victim

Instagram’s 17 million user data leak wasn’t a new breach - Hackread.com's in-depth analysis shows it was scraped in 2022, leaked in 2023, and falsely repackaged in 2026.

This week has been a chaotic one, especially for Instagram users, after Malwarebytes announced on the 9th of January that it had tracked a data breach involving the Meta-owned platform. According to the company, hackers had leaked data from 17.5 million Instagram accounts online. The leaked information included usernames, email addresses, phone numbers, and physical addresses.

In Malwarebytes’ own words on X (formerly Twitter), _“_Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more._“_

Malwarebytes on X

The tweet implied that the incident was a recent data breach. That claim is inaccurate. Hackread.com’s investigation confirms that while the data is real and not fabricated, cybercriminals did not steal it, at least not recently.

For your information, Malwarebytes was referring to a BreachForums post published on January 7, 2026, by a user going by the alias Solonik, titled “INSTAGRAM.COM 17M GLOBAL USERS – 2024 API LEAK.”

The post claimed the data was from a 2024 breach and included usernames, emails, phone numbers, user IDs, and partial locations. In reality, Hackread.com’s investigation confirmed it was a repackaged scrape originally collected in 2022.

The same data was first leaked on BreachForums in June 2023 by a user known as “vanz,” and also surfaced on another forum, LeakBase, around the same time. Labeling it as a 2024 leak was a deliberate move to rebrand stale data as new, a tactic often used to inflate credibility and generate attention.

2022 leak in 2023 and then posted in 2026 – Solonik’s post was marked as a repost after being criticized by users (Image credit: Hackread.com)

****Matching the Numbers****

The so-called “latest” Instagram data leak contains 17,017,213 user records. That number exactly matches the data leaked by “vanz” in June 2023 and by “Solonik” in January 2026. Not only is the count identical, but even a quick look at the sample data confirms it’s a direct copy. The format, fields, and entries all match the earlier leak.

Hackread.com cross-checked all 17,017,213 records and can confirm that the “new” leak is nothing more than a re-post of the same data from 2022, repackaged as new.

Matching the numbers and records from the leaked dataset (Image credit: Hackread.com)

****Password Reset Emails and Instagram’s Straight Yet Vague Response****

After reports of the leak resurfaced, some users began receiving password reset emails from Instagram. Initially, there was speculation that these were phishing attempts since the data did not include passwords.

The emails came from Instagram’s official domain and were verified, complete with blue checkmarks, leading many to believe that Instagram had indeed been breached and attackers had accessed real user data.

However, earlier today, on January 11, 2025, Instagram addressed the claims on X. The company denied any breach but acknowledged that an issue had allowed an external party to trigger password reset emails to some users.

“We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems, and your Instagram accounts are secure. You can ignore those emails. Sorry for any confusion,” Instagram tweeted.

Instagram on X

That raises a bigger question: Who was this external party, and how were they able to send legitimate password reset emails? Was someone, or some automated system, exploiting Instagram’s password reset feature using the same usernames from the scraped dataset?

While it remains unclear who was behind the activity, users did receive password reset emails they never requested, which added to the confusion and helped spread breach claims.

****The Tabloidisation of Cybersecurity News****

A growing issue in cybersecurity reporting is the rise of publications that operate more like tabloids than credible sources. These outlets rush to break stories for clicks, often relying on unverified claims from social media or Telegram channels without performing even basic checks on the data.

As the latest Instagram incident shows, no effort was made to confirm the origin, age, or legitimacy of the information before running dramatic headlines about “breaches.” In doing so, they spread panic, confuse readers, undermine actual security research, and damage public understanding of real cybersecurity threats.

****Advice for Instagram Users: Phishing and Smishing Risks Remain****

Nevertheless, even though the leaked data is old, the information it contains is real. That’s all scammers need to launch targeted phishing and smishing campaigns. Instagram users listed in the data should be on alert for suspicious emails pretending to be from Instagram, Meta, or other trusted services.

These messages may try to trick users into entering their passwords, clicking on malicious links, or downloading attachments. The same goes for SMS messages that include links or urgent security warnings. If you receive a password reset email or message you didn’t request, do not click anything. Go directly to the app or site and verify from there. Recycled data still gets used, and often causes damage years after it first leaks.

Instagram’s “17 Million User Data Leak” Was Just Scraped Records from 2022

Authorities caught 34 members of the notorious Black Axe gang in Spain known for stealing millions of Euros through online romance scams and email fraud.

International law enforcement agencies have recently dealt a major blow to one of the world’s most dangerous criminal networks, known as Black Axe. In a coordinated effort led by the Spanish National Police and German authorities from Bavaria, with the help of Europol, officers arrested 34 people across Spain. Most of the arrests happened in Seville, but police also picked up suspects in Madrid, Málaga, and Barcelona.

****Who is Black Axe?****

Black Axe is not a new group. It started in West Africa, specifically Nigeria, and has grown into a massive organisation with roughly 30,000 members worldwide. They are known for being very organised, almost like a dark version of a big corporation, with leaders and strict rules. While they are involved in terrible crimes like human trafficking and armed robbery, they have become especially famous for online fraud.

According to Europol’s press release, these criminals use several tricks to steal money. This includes romance scams, where they trick people into thinking they are in a relationship to get money, and phishing, in which they send fake emails to steal login details. They also use business email compromise (BEC), which involves hacking into company emails to redirect payments to their own accounts.

****Recruiting the Vulnerable****

Further probing revealed that the group’s strategy in Spain was to target people in poor neighbourhoods with high unemployment. These individuals were recruited as money mules– a term for people who let criminals use their bank accounts to move stolen money, making it harder for the police to trace the original crime. Most of these recruits were Spanish locals used by the main group, which included ten Nigerian nationals.

The financial impact of this group is stunning. Authorities believe Black Axe makes billions of euros every year globally. In this specific Spanish case, the fraud caused nearly €6 million in losses. During the raids, police were able to freeze over €119,352 in bank accounts and grabbed more than €66,403 in cash.

By sharing intelligence and working across borders, Europol helped local police map out how this group operates. This teamwork is a crucial link in this operation because Black Axe usually hides its big crimes behind many small, local offenses to avoid getting caught.

“This strategy aims to disrupt the group’s operations and seize assets, addressing the challenges posed by the group’s dispersed small cases, cross-border activity, and the blurring of crimes into ‘ordinary’ local offences,” Europol stated in the press release.

****What Does This Mean for the Future?****

While these arrests are a massive win, it is important to clarify that the entire Black Axe organisation has not been shut down because they operate in dozens of countries. However, this operation has caused significant disruptions to their European activities. This event proves that if cybercriminals are hiding behind a screen thousands of miles away, the law is finding ways to catch up with them.

Europol Raids Disrupt Black Axe Cybercrime Ring in Spain

Database of 323,986 BreachForums users leaked online as forum admins claim the exposed data is partial and dates back to August 2025.

On January 9, 2026, a database belonging to **BreachForums**, a notorious cybercrime and hacker forum available on both clear and the “Dark Web,” was released to the public, putting over 320,000 users in the spotlight.

BreachForums, as we know it, is no stranger to drama. The platform has a history of getting seized by law enforcement authorities or vanishing and reappearing. It had become the go-to site for these activities after the police shut down its predecessor, **RaidForums, back in 2022**. In early April 2025, the forum suddenly disappeared without explanation.

While many suspected a police raid, Hackread.com **reported** at the time that the site disappeared due to a security issue rather than a seizure. By July 2025, the forum was **back online**.

****The Leaked Database****

Resecurity, which shared its research with Hackread.com, found that the leaked file contains information on 323,986 users, including their “metadata extracted from MySQL DB,” which is basically a digital footprint that could help identify the people behind the screens.

The database was published on shinyhunte.rs, a site that has previously hosted stolen datasets and is not recommended for direct access due to the risk of malicious content. The same platform has been used in the **past to leak data** linked to Fujifilm, GAP Inc., Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons Companies, following incidents tied to a Salesforce-related compromise.

The BreachForums database was accompanied by a valid PGP signature historically associated with previous forum operators, indicating the dataset is authentic and likely originated from internal forum systems.

The leaked database (Image credit: Hackread.com)

For your information, ShinyHunters is part of a constantly shifting alliance. You might hear names like **Scattered Lapsus$ Hunters** or a community called ‘The Com.’ These are not just random names; they represent a ‘supergroup’ of young hackers who have joined forces to share tools and targets.

Researchers explained in another **report** that they use ShinyHunters as a broad label to “illustrate the phenomenon of involving young IT professionals in questionable acts.” By highlighting this, they hope to warn other talented young people to stay away from these criminal circles.

Hackread.com also independently reviewed the leaked dataset and found that, in addition to general profile metadata, it contains user display names, email addresses, Argon2i password hashes, and links to external accounts such as Telegram. While the passwords are not stored in plaintext, the combination of these data points may still carry identification and attribution risks for affected users.

****Response from BreachForums****

A BreachForums administrator using the alias N/A responded to reports of a database leak by claiming the exposed data originated from an old incident in August 2025, during a forum restoration process following the .hn domain takedown. According to the administrator, the users table and the forum’s PGP key were briefly stored in an unsecured directory and downloaded once during that period.

The admin stressed that the incident did not involve server compromise, database access, or exploitation, and described current claims of an active breach as false. They added that passwords in the dataset were stored as Argon2i hashes, IP addresses were largely truncated, and remaining fields consisted of publicly visible information. The forum said all sessions were revoked at the time, and restoration procedures have since been secured.

Admin from BreachForums and their response (Image credit: Hackread.com)

****The “James” Message Circulating With the Leak****

Alongside the leaked database, a lengthy manifesto signed by an individual calling himself “James” was also published on shinyhunte.rs. The text contained dramatic claims, threats, and references to multiple cybercrime figures and groups, presented in a highly theatrical and ideological tone.

There is no independent verification of the claims made in the message, and such manifestos are commonly used within underground forums to provoke attention, spread disinformation, or confuse attribution. The appearance of the text does not confirm the identity of the author or the individuals named and should be treated as unverified rhetoric rather than factual disclosure.

“James” with his story (Image credit: Hackread.com)

****Why This Leak Matters****

As we know it, it is very rare for criminal organisations to be exposed so thoroughly. This incident shows that even the most malicious groups can be vulnerable to the same failures they exploit in others.

Researchers noted that exposure of criminal infrastructure can have a broader defensive impact than typical corporate breaches, as it may **disrupt illicit networks** and deter future recruitment. By sharing the database for independent analysis, researchers hope to break the cycle of cybercrime and discourage future involvement in such communities.

Database of 323,986 BreachForums Users Leaked as Admin Disputes Scope

CISA adds a critical HPE OneView flaw (CVE-2025-37164) to its KEV catalogue with a Jan 28 deadline. Learn how this 10.0 RCE bug puts server infrastructure at risk.

If your office uses Hewlett Packard Enterprise (HPE) OneView to manage its servers and networking, you need to check your software version immediately. A major security flaw has been discovered that enables hackers to take control of systems without requiring a login or password.

The situation is serious enough that the US government has stepped in, giving agencies a strict deadline to update their systems before the end of the month. It has officially added this issue to its Known Exploited Vulnerabilities (KEV) catalogue. As we know it, when CISA puts a flaw on this list, it is a signal for everyone to act immediately.

****The Problem: An Unlocked Door****

The flaw was discovered and reported to HPE by Vietnamese security expert Nguyen Quoc Khanh. It is tracked as CVE-2025-37164 and assigned a perfect CVSS score of 10.0, the highest severity rating possible. It is basically a code injection problem. Simply put, this means a hacker can trick the software into running their own malicious instructions.

An investigation by the team at Rapid7 revealed that the issue is hidden within a feature called ID Pools. Their investigation showed that a specific communication line, known as a REST API endpoint, was left open without a password.

Because this doorway doesn’t require authentication, attackers can send a simple request to take full control of the system. HPE has warned that this “vulnerability could be exploited, allowing a remote unauthenticated user” to cause significant damage.

****Who is most at risk?****

Researchers at Rapid7 noted that while the flaw is present in all versions older than 11.00, it seems to affect certain products more than others. Specifically, they found that all unpatched versions of ‘HPE OneView for HPE Synergy’ are likely vulnerable. For users on virtual machines, version 6.x appears to be the primary target.

For your information, there are no workarounds or settings you can tweak to stay safe. The only solution is a full update. HPE released the necessary fix in mid-December and is urging all users to move to OneView version 11.00 or later immediately.

****A Pattern of Attacks****

This isn’t the only threat on the radar. CISA officials noted that hackers are also still using a much older flaw in Microsoft Office PowerPoint (CVE-2009-0556) to get into networks. According to CISA, these types of gaps are “frequent attack vectors” because hackers know many organisations forget to update older software or continue using “legacy” files that were first exploited years ago.

The government isn’t just suggesting a fix; they are demanding it under Binding Operational Directive 22-01. Whether it is a brand-new bug in your server management tools or a decade-old hole in a presentation app, the message from the authorities is clear: if you do not patch it, someone else will eventually use it to get in.

****Expert Insights****

Sharing comments with Hackread.com, Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, explained that this case is a perfect example of why security testing is so critical.

“The CVE‑2025‑37164 OneView vulnerability is severe because it allows unauthenticated remote code execution (RCE) through a publicly reachable REST API endpoint,” Constantine noted. She warned that since OneView is central to managing entire environments, “this vulnerability doesn’t just compromise an application, it puts the entire environment at risk.”

Randolph Barr, Chief Information Security Officer at Cequence Security, added that the software’s position within a company’s network makes the situation particularly dangerous. “OneView is a centralized management layer that presents you with a wide view of everything,” Barr stated. “When hackers breach a platform such as HPE OneView, they not only gain access to a single system but also penetrate the core operations of the entire environment.”

Barr advised that companies shouldn’t treat this like a standard update. “Treat it as an urgent management-plan concern,” he urged. “Move quickly, but don’t forget the basics. Understand your deployment, assess your exposure, monitor closely during the patching process, and ensure that a rollback is available.”

CISA Urges Emergency Patching for Actively Exploited HPE OneView Flaw

Large businesses or governments aren’t the only ones threatened by cyber attacks. Every organization is now equally threatened.…

Large businesses or governments aren’t the only ones threatened by cyber attacks. Every organization is now equally threatened. This is because they are operating in an environment where attacks are quicker, more common, and smarter. Conventional security tools belonged to another time, one in which threats were predictable. 

However, this assumption no longer holds. As attackers embrace automation and sophisticated strategies, organizations have to return with correspondingly adaptive defenses. At this point, **AI-driven cyber defens**e shifts its status from a competitive edge to become a business need.

****The Growing Complexity of Modern Cyber Threats****

The contemporary threat environment is characterized by pace and magnitude. Ransomware can cross the networks within minutes. Phishing is no longer generic but a highly targeted message, based on stolen data. **Zero-day threats** present themselves unexpectedly and fast, so manual response is often ineffective.

To make matters worse, it is difficult to separate malicious intent and legitimate bot traffic. Older tools are not very accurate in making these distinctions. Consequently, many threats go unnoticed until the damage is done. For businesses, this means vulnerability to:

*   Regulatory penalties
*   Operational downtime
*   Lasting reputational harm

****What AI-Powered Cyber Defense Really Means****

AI-based cybersecurity is not to replace human expertise. It is about augmenting it. These systems exploit machine learning models to process enormous datasets of network, endpoint, and user behavior information in real time. The rules are not pre-taught. They learn by looking at what normal is like in a particular setting.

AI-driven tools flag deviations immediately. These systems become more accurate over time. As a result, false positives are reduced, and more subtle threats are identified. In practice, **AI-powered solutions** enable security teams to gain more insights and better priorities to focus more on decision-making and less on manual monitoring.

****Key Advantages of AI-Driven Security Solutions****

There are many advantages of AI-based security solutions.

****Real-Time Threat Detection****

AI systems continuously monitor activity across the network. They identify unusual behavior as it happens, not hours or days later. This shortens detection time and limits the potential impact of an attack.

****Predictive Risk Analysis****

Instead of responding to an event, AI examines trends and patterns in order to predict where a vulnerability can arise. This preventative strategy assists companies in dealing with vulnerabilities before they are exploited by attackers.

****Automated Incident Response****

When a threat is confirmed, AI can trigger predefined actions instantly. Compromised accounts may be locked. Suspicious connections can be isolated. This automation minimizes response delays and dependency on human input in times of need.

****Scalability and Efficiency****

As businesses grow, so do their attack surfaces. AI-based systems are more easily scaled than human teams. They do not suffer a performance decline as the volume of data and complexity of the network grow.

****Why Conventional Defenses Are Not Sufficient Anymore****

Legacy security tools were built to detect known threats. They depend heavily on signatures and static rules. This approach fails against novel or evolving attacks. Modern infrastructures generate numerous alerts that human analysts are not able to review.

The result is alert fatigue and missed warnings. When breaches occur, the consequences are severe. Data exposure can lead to financial loss, legal action, and a permanent loss of customer trust. Automation and artificial intelligence are already used by attackers to perfect their approaches. Stagnant defenders are on the losing side.

****Integrating AI Cyber Defense Into Business Strategy****

Adopting AI-driven security requires planning. Organizations must evaluate their risk profile and select solutions that resonate with their operational requirements. Staff should also be trained to collaborate with intelligent systems. AI should support human judgment. Not supersede human judgment. The combination of enhanced technology and transparent governance provides the most effective results in a layer-based approach.

Cyber defense through AI is not a vision anymore. It is a contemporary necessity. Companies that invest in smart security systems enjoy expedited detection, enhanced stability, and confidence levels in their online activities. With threats changing every day, staying still is no longer an option.

Why AI-Powered Cyber Defense Is No Longer Optional for Modern Businesses

Cybersecurity researchers from Huntress detail a major VM Escape attack where hackers took over host servers. Using a secret toolkit called MAESTRO, the attackers stayed hidden for over a year. Read the exclusive details on how this breach was stopped and how to protect your network.

In December 2025, a security team caught a group of hackers just in time. Researchers Anna Pham and Matt Anderson from the firm Huntress recently detailed how these attackers managed to “escape” from a virtual machine to take over an entire host server. This research, shared with Hackread.com, reveals a toolkit that likely operated in secret for years.

As we know it, virtual machines (VMs) are like isolated digital rooms. If one gets a virus, the rest of the building should stay safe. However, these attackers used a VM Escape to break those walls. This allowed them to move from a guest computer into the brain of the main server, known as the ESXi hypervisor.

****How the Attack Started****

The hackers didn’t need a magic trick to get in. For your information, they used a stolen password to enter through a SonicWall VPN, a common tool for remote work. Once inside, they used a toolkit named MAESTRO.

Further probing revealed the hackers targeted a process called VMX. This is the assistant that helps the virtual computer talk to the main server for simple tasks like copying text.

By breaking this assistant, the hackers could give direct orders to the server. Researchers noted the hackers were very smart; they even changed the server’s settings to block it from “calling home” for help while they moved through the network to steal data. It is worth noting that the toolkit was incredibly powerful, working on 155 different versions of VMware software, from version 5.1 to 8.0.

****The Zero-Day Vulnerabilities****

The timeline is the most worrying part. While VMware fixed these holes (labelled CVE-2025-22224, 22225, and 22226) on March 4, 2025, researchers found the toolkit was built as far back as November 2, 2023. This means the attackers were likely using a zero-day (a flaw unknown to the creators) for over a year.

Further investigation revealed that the code contained notes in simplified Chinese, including a folder translated as “All version escape – delivery.” According to researchers, this points to a “well-resourced developer” likely based in a Chinese-speaking region.

Moreover, these hackers used a special invisible path called VSOCK to talk to the server. Most security tools look at normal internet traffic, but VSOCK is like a hidden tunnel inside the machine that firewalls cannot see.

VM Escape exploitation flow (Source: Huntress)

To stay safe, the Huntress team says companies must patch their systems immediately and check servers for strange activity. Although this attack was stopped before it became a ransomware disaster, it shows that even isolated systems need constant care.

Source

HackRead