RemoteCOM's monitoring software leaked the personal details of suspects, offenders, and the law enforcement officers tracking them.

We’ve covered spyware and stalkerware leaks many times before, but we don’t often see such exposure in software used by law enforcement.

According to a report by Straight Arrow News (SAN), the hacker “wikkid” said the intrusion against RemoteCOM was “one of the easiest” they’d ever carried out.

RemoteCOM describes itself as “the premier computer, smartphone and tablet monitoring service for the management of pretrial, probation and parole clients”. According to a leaked training manual, its software, sold as “SCOUT”, says it can be used to track targets ranging from sex offenders, sex traffickers, and stalkers to terrorists, hackers, and gang members.

Behind its official branding, SCOUT behaves like spyware: it records keystrokes, captures screenshots, and even sends out an alert if the tracked person types certain keywords.

The hacker accessed two key files: “officers” (6,896 entries), containing the names, phone numbers, work addresses, email addresses, unique IDs, and job titles of people working in the criminal justice system who have used RemoteCOM’s services, and “clients” (around 14,000 entries), covering individuals currently or previously monitored by SCOUT; listing names, email addresses, IP addresses, home addresses, and phone numbers, alongside the names and emails of their probation officers.

The files also contained details of the offenses clients were charged with, ranging from sex offenses, weapons, and narcotics cases to terrorism, stalking, domestic violence, sex trafficking, fraud, violence, and hacking.

_Image courtesy of SAN_

This type of data leak can be dangerous for both sides of the app. Clients tagged with the keyword “sex” are not necessarily convicted sex offenders—they could be suspects under surveillance or have not yet been to trial—but that distinction might not stop any vigilantes out there.

For officers, the leak of names, contact details, and workplaces could expose them and their families to threats of violence. One officer even had the app installed on the phones of their sister-in-law and fiancé, making the breach especially personal.

Speaking to SAN, a spokesperson for RemoteCOM said:

> “We are assessing the situation currently along with your article that you posted.”

****Protecting yourself after a data breach****

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable** **two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up** **identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Sex offenders, terrorists, drug dealers, exposed in spyware breach 

Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway.
From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week’s roundup gives you the biggest security moves to know. Whether you’re protecting key systems or locking down cloud apps, these are the updates you need before making your next security

⚡ Weekly Recap: Cisco 0-Day, Record DDoS, LockBit 5.0, BMC Bugs, ShadowV2 Botnet & More

eSentire TRU analyses the new DarkCloud V4.2 infostealer, rewritten in VB6. Find out how the malware steals browser data, crypto, and contacts via targeted phishing.

A recent security research from eSentire’s Threat Response Unit (TRU) has revealed the sudden rise of a dangerous information-stealing malware (Infostealer) known as DarkCloud, which cybercriminals are using to grab private data.

TRU Researchers discovered the latest version of DarkCloud Infostealer, version 4.2, during an attempted attack in September 2025 against their customer in the manufacturing industry.

DarkCloud is not new, but it has been completely rewritten using a programming language called VB6. It used to be sold on the Russian cybercrime forum XSS.is, which was shut down by law enforcement back in July 2025.

As Hackread.com reported at the time, the site was seized on July 23, 2025, after authorities arrested a suspected administrator in Ukraine. However, by July 24, the XSS forum was confirmed to be back online using its mirror and .onion domains.

Today, the malware is sold on its own website, darkcloud(.)onlinewebshop(.)net, and is also offered through the messaging app Telegram by a user known as @BluCoder.

DarkCloud website (Source: eSentire)

****Phishing Lure****

eSentire TRU explained that the attack began with a phishing email that looked like it was about financial information and had a malicious compressed file attached. The email was sent by “procure@bmuxitq(.)shop” and was themed with the subject “Swift Message MT103 Addiko Bank ad: FT2521935SVT.” The malicious compressed file attached was named “Swift Message MT103 FT2521935SVT.zip.”

Malicious email (Source: eSentire)

This shows that “phishing emails continue to remain a key vector for malware distribution,” researchers noted in the blog post shared with Hackread.com. This means that these fake emails are still one of the main ways this software gets onto a system. Researchers caught the spam emails and stopped the DarkCloud Infostealer delivery for their client in September 2025.

****What Does DarkCloud Infostealer Steal?****

This malware is designed to steal various kinds of sensitive information. This includes browser passwords, credit card numbers, website cookies, login details for FTP, what you type (keystrokes), and even content from your clipboard.

It also targets files such as documents and spreadsheets (including extensions like .txt, .pdf, .doc, and .xls), cryptocurrency wallets, and extracts contact information from email clients, including Thunderbird, MailMaster, and eM Client. All of this stolen data is then sent to the criminals using channels like Telegram, FTP, email, or even a Web Panel using PHP scripts.

****Fight DarkCloud Infostealer****

eSentire TRU has not only analysed the threat but also released two helpful programs to help other security researchers. One tool can pull out the setup details of the malware, and the other is a Python-based script that can unjumble its secret code. To protect yourself from threats like this, researchers recommend using email protection that blocks suspicious files like compressed folders with executable programs inside.

DarkCloud Infostealer Relaunched to Grab Credentials, Crypto and Contacts

Your logins will live on after you pass on. Make sure they end up in the right hands.

It’s not fun to talk about, but there’s only one thing certain in life. You need to have a plan for your digital legacy, just like you make a plan for your physical assets; otherwise, your accounts, services, and logins will rot away in a data center before they’re inevitably erased by a data retention policy.

Some services recognize how important digital legacy is. Apple and Facebook have legacy contacts that can gain access to your accounts, and the American Bar Association is still grappling with the legalities of accessing online accounts when someone passes away. Most online services don't.

Recognition of digital legacy is still spotty, and without dedicated legacy contacts, accessing the deceased’s online accounts often involves court orders or legal documentation (and plenty of time). Digital legacy doesn’t need to have so many hurdles, though. Password managers have digital legacy features built in that can unlock your digital life in the event of an emergency.

*   **Defining a Digital Legacy**
*   **Password Managers With Digital Legacy Features**
*   **What You Should Store Beyond Passwords**
*   **Pass on Your Passwords When You Pass**

**Defining a Digital Legacy**

There’s a lot that goes into your digital legacy, from your online banking login to any digital assets you own, but even a seemingly straightforward online life can quickly snowball into a mess. Does the Netflix account just keep draining the checking account until you can break in and change the payment option? Are photos that have been uploaded to the cloud now lost in a data center, never to be recovered? Add some passkeys, maybe some social sign-on features, and you have a complex web of data that’s almost impossible to untangle.

So-called digital executors exist, operating in the same way as the executor of the will, just for digital assets. It’s a good idea to set up a digital executor to ensure your digital assets are handled properly, but that doesn’t help in the immediate aftermath of someone passing away. The probate process can take at least a few months, and sometimes several years.

Password managers like Bitwarden offer a shortcut. You can transfer access to a trusted relative, spouse, or even your closest friend, along with a rundown of what to do with your accounts.

The legality of this is a little murky, with the American Bar Association noting that accessing someone else’s account, even with their username and password, isn’t legal if it violates the platform’s terms of service. The law regarding digital assets varies from state to state, so it’s still a good idea to consult an attorney for long-term access.

Here's the advice NordPass gave: “For anyone thinking about digital legacy, the best step is to set up Emergency Access in advance, clearly communicate the use cases of the credentials with your trusted contacts, and follow the terms of service of respective platforms.”

Immediate access is still important, not only in the event of death but also in the event of incapacitation. If you, for whatever reason, can’t access your online accounts, you can transfer those accounts easily using an emergency contact feature available in a password manager.

**Password Managers With Digital Legacy Features**

There are some excellent password managers, and most of them have some way to unlock your account in the event of an emergency. They go about it in different ways, however. Here are the three I recommend for most people. (Read more in our Best Password Managers guide.)

Proton Pass

Proton recently added an emergency access feature, and it’s not just restricted to Proton Pass. Unlike most password managers, Proton Pass is just one app available in the Proton suite. Proton also makes our favorite VPN, and it offers an encrypted crypto wallet, cloud storage, and even a calendar.

Emergency access isn’t restricted to one app with Proton. Rather, it’s access to your entire account, so if you have multiple Proton apps, you can pass them along. It’s not hard to see where this could be useful, especially if you have a lot of data stored in Proton Drive or money in your crypto wallet.

Although Proton’s emergency access is bound to your overall Proton account, you need to set it up through Proton Pass or another Proton app. For Proton Pass, open the app in your browser at account.proton.me. Once you’re in, select the cog icon next to your name in the bottom left corner and choose **Account.**

Proton via Jacob Roach

This will open a new tab. In the new window, select **Recovery** from the menu on the left and scroll down to the **Emergency Access** section. Choose **Add Emergency Contact** and enter the email address you want to share access with. They’ll need a Proton account to accept the invitation. Emergency access is only available for paid Proton members, though you can share access with someone who has a free Proton account.

One of the upsides of Proton compared to 1Password and NordPass (my other two recommendations) is the wait-time setting. When you add an emergency contact, they can request access to your Proton account at any time. After the wait time has passed without a response, however, Proton will automatically give your emergency contacts access. The default time is seven days, but you can set it for as long as 30 days, as well as remove the wait time completely.

1Password

1Password via Jacob Roach

**1Password**

1Password doesn’t have a dedicated digital legacy feature, and if you understand how its security architecture is designed, it’s easy to see why. 1Password has a true zero-knowledge security architecture. Even if 1Password wanted to, and even in the event of a catastrophic emergency, it can’t decrypt someone’s vault. That’s great for security but bad for passing along your passwords.

Instead, 1Password offers an emergency kit, which you can generate and download from my.1password.com. On a device where you’re signed into 1Password, go to that address, select your name in the upper right corner, and choose **Manage Account.** On the next page, select **Save Emergency Kit.**

1Password via Jacob Roach

Your 1Password Emergency Kit is a PDF that includes instructions for logging in, along with your email address, secret key, and a space for you to write (or type) your master password. It also includes a QR code for easy setup, automatically copying your details over, short of your master password.

The Emergency Kit is useful for account recovery, but it’s also one of the more secure options for digital legacy. You can print off a physical copy of your Emergency Kit before wiping any trace of it digitally. I recommend including it as part of your will or trust and storing it somewhere secure, like a safe-deposit box.

Unfortunately, you need to jump through these hoops with 1Password due to how it works. And whoever ends up with your Emergency Kit will have full access to your account, while Proton Pass and NordPass (my next recommendation) provide read-only access. If you use 1Password’s Families plan, however, it’s easy to share vault access with the family members on your account—and you don’t even need to contemplate death to do it.

NordPass

Photograph: Nordpass

NordPass introduced its emergency access feature a few years ago, and it’s simple. You can send invites to one (or more) trusted contacts. They don’t get access to your vault immediately. Instead, they can request access at any time. In the event you don’t deny one of these requests within seven days, Nord automatically unlocks the account for the contact that requested access.

Setting it up is easy. Once you have the NordPass extension installed, open it and select the cog icon near the top left of the window. That will open your settings view in a new tab. All the way at the bottom of the page, you’ll find the **Emergency Access** setting under the **Other** category. Like with Proton Pass, your trusted contact will need a NordPass account to see and accept the invitation.

Nordpass via Jacob Roach

That’s it. Once they accept the invitation, your contact can request access at any time, which you can accept or deny within that seven-day window before your vault is unlocked. Regardless of the situation, if someone gets emergency access to your account, they can only view what’s inside. NordPass locks them out of editing, deleting, sharing, or doing anything else inside your vault.

The obvious downside with NordPass is that you can’t change the amount of time before access is handed over to your emergency contacts. If you, for whatever reason, can’t deny the request within seven days, NordPass unlocks your vault. You can dream up some scenarios where that could become a problem, but it shouldn’t, especially considering you can revoke access for your emergency contacts at any time.

**What You Should Store Beyond Passwords**

Proton Pass, 1Password, and NordPass are my personal favorite password managers, which is why I recommend them over options like Keeper, which also has a digital legacy feature. I also recommend them because they come with additional storage space. 1Password includes 1 GB, NordPass includes 3 GB, and Proton Pass comes with a whopping 10 GB—and that doesn’t include any storage through Proton Drive.

Storing your logins is important, but you can also store a lot of important documents in your password manager. That’s certainly more secure than throwing them in a shared Google Drive folder. If you want to do a digital inventory, here are a few things you should store in your password manager alongside your logins.

**Vehicle information.** You can wrap all of your vehicle information up into a single entry in your password manager. Scan your license and title, add insurance and vehicle information, and maybe loop in personal property tax receipts. NordPass, 1Password, and Proton Pass all allow you to add attachments to entries, as well as notes.

**Software licenses.** Most software today is sold with a software-as-a-service model, so accessing someone’s login is most important. If you have perpetual software licenses, though, you’ll probably want to add them to your vault as an encrypted note.

**Non-account secrets.** This is probably the most practical thing to store in your password manager in the event you need to transfer access. There are a ton of secrets you need to remember that aren’t tied to an online account. I’m talking about gate codes, PINs, and patterns for your devices, recovery codes, lock combinations; the list goes on. Store them in your vault as encrypted notes.

**2FA/MFA details.** A lot of password managers allow you to store 2FA codes, including Proton Pass and 1Password (though not NordPass). It’s not the best idea for security, but in the context of digital legacy, you should store some information about accounts that have 2FA enabled. Add a note to logins that have 2FA enabled, along with recovery information for those accounts.

**Pass on Your Passwords When You Pass**

Death isn’t fun to think about, no, but setting up your digital legacy is only becoming more important. Today, precious little exists only in the physical world; nearly everything is tied to an online account or service in some way. Dealing with who owns your digital assets is something you can define in a will or trust. But that doesn’t always account for the unexpected.

Emergency access is important if you pass away, but it’s also important if you can’t get access to your account for any reason, especially in the aftermath of an emergency.

How to Use a Password Manager to Share Your Logins After You Die (2025)

Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses.
"Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure

Microsoft is calling attention to a new phishing campaign primarily aimed at U.S.-based organizations that has likely utilized code generated using large language models (LLMs) to obfuscate payloads and evade security defenses.

"Appearing to be aided by a large language model (LLM), the activity obfuscated its behavior within an SVG file, leveraging business terminology and a synthetic structure to disguise its malicious intent," the Microsoft Threat Intelligence team said in an analysis published last week.

The activity, detected on August 28, 2025, shows how threat actors are increasingly adopting artificial intelligence (AI) tools into their workflows, often with the goal of crafting more convincing phishing lures, automating malware obfuscation, and generating code that mimics legitimate content.

In the attack chain documented by the Windows maker, bad actors have been observed leveraging an already compromised business email account to send phishing messages to steal victims' credentials. The messages feature lure masquerading as a file-sharing notification to entice them into opening what ostensibly appears to be a PDF document, but, in reality, is a Scalable Vector Graphics (SVG) file.

What's notable about the messages is that the attackers make use of a self-addressed email tactic, where the sender and recipient addresses match, and the actual targets were hidden in the BCC field so as to bypass basic detection heuristics.

"SVG files (Scalable Vector Graphics) are attractive to attackers because they are text-based and scriptable, allowing them to embed JavaScript and other dynamic content directly within the file," Microsoft said. "This makes it possible to deliver interactive phishing payloads that appear benign to both users and many security tools."

On top of that, the fact that SVG file format supports features such as invisible elements, encoded attributes, and delayed script execution makes it ideal for adversaries looking to sidestep static analysis and sandboxing, it added.

The SVG file, once launched, redirects the user to a page that serves a CAPTCHA for security verification, completing which, they are likely taken to a fake login page to harvest their credentials. Microsoft said the exact next stage is unclear due to its systems flagging and neutralizing the threat.

But where the attack stands apart is when it comes to its unusual obfuscation approach that uses business-related language to disguise the phishing content in the SVG file -- a sign that it may have been generated using an LLM.

"First, the beginning of the SVG code was structured to look like a legitimate business analytics dashboard," Microsoft said. "This tactic is designed to mislead anyone casually inspecting the file, making it appear as if the SVG's sole purpose is to visualize business data. In reality, though, it's a decoy."

The second aspect is that the payload's core functionality – which is to redirect users to the initial phishing landing page, trigger browser fingerprinting, and initiate session tracking – is also obscured using a long sequence of business-related terms such as revenue, operations, risk, quarterly, growth, or shares.

Microsoft said it ran the code against its Security Copilot, which found that the program was "not something a human would typically write from scratch due to its complexity, verbosity, and lack of practical utility." Some of the indicators it used to arrive at the conclusion include the use of -

*   Overly descriptive and redundant naming for functions and variables
*   Highly modular and over-engineered code structure
*   Generic and verbose comments
*   Formulaic techniques to achieve obfuscation using business terminology
*   CDATA and XML declaration in the SVG file, likely in an attempt to mimic documentation examples

"While this campaign was limited in scope and effectively blocked, similar techniques are increasingly being leveraged by a range of threat actors," Microsoft said.

The disclosure comes as Forcepoint detailed a multi-stage attack sequence that uses phishing emails with .XLAM attachments to execute shellcode that ultimately deploys XWorm RAT by means of a secondary payload, while simultaneously displaying a blank or corrupted Office file as a ruse. The secondary payload functions as a conduit to load a .DLL file in memory.

"The second stage .DLL file from memory uses heavily obfuscated packing and encryption techniques," Forcepoint said. "This second stage .DLL file loaded another .DLL file in memory again using reflective DLL injection which was further responsible for final execution of malware."

"The next and final step performs a process injection in its own main executable file, maintaining persistence and exfiltrating data to its command-and-control servers. The C2s where data was exfiltrated was found to be related to XWorm family."

In recent weeks, phishing attacks have also employed lures related to the U.S. Social Security Administration and copyright infringement to distribute ScreenConnect ConnectWise and information stealers such as Lone None Stealer and PureLogs Stealer, respectively, per Cofense.

"The campaign typically spoofs various legal firms claiming to request the takedown of copyright-infringing content on the victim's website or social media page," the email security company said of the second set of attacks. "This campaign is notable for its novel use of a Telegram bot profile page to deliver its initial payload, obfuscated compiled Python script payloads, and evolving complexity as seen through multiple iterations of campaign samples."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Microsoft Flags AI-Driven Phishing: LLM-Crafted SVG Files Outsmart Email Security

Singapore, Singapore, 29th September 2025, CyberNewsWire

**Singapore, Singapore, September 29th, 2025, CyberNewsWire**

*   Analyzing over 14 billion cyber-attack records daily, ThreatBook ATI is a global solution enriched with granular, local insights; and can offer organizations a truly APAC perspective.
*   Boasting low false positive rates, the solution is highly compatible with existing security stacks.
*   ThreatBook ATI provides actionable insights for threat detection and response, enabling organizations to accelerate their intelligence analysis, and make more informed decisions. 

ThreatBook, a global leader in cyber threat intelligence, detection and response, today announced the worldwide launch of ThreatBook Advanced Threat Intelligence (“ThreatBook ATI”). Spearheaded from its offices in Singapore and Hong Kong, the new service offers unique industry insights for threat intelligence platforms (TIPs), security operation centers (SOCs) and cybersecurity analysts globally.

Of note, ThreatBook ATI is able to capture new, difficult-to-detect threats emanating from within Asia, where coverage from many global vendors remains limited. It is also able to better identify Western attackers targeting Asian organizations as well. ThreatBook ATI’s capabilities are particularly timely, with 34% of cyber-attacks worldwide taking place within the Asia Pacific (APAC).

A further noteworthy feature of ThreatBook ATI are its low false positive rates. ThreatBook’s proprietary intelligence collection systems, which operate globally and in real time, employs dozens of analysis engines to deeply mine enormous raw datasets. False positives are filtered through AI-based models, followed by cross-verification by professional security analysts. ATI also applies AI to classify and label threat reports, transforming unstructured intelligence into structured insights, and features a built-in assistant that can rapidly correlate data to answer analysts’ questions. This layered process ensures the intelligence remains highly accurate and reliable. Over 14 billion attack records are identified daily, including over 80 million malicious inbound internet protocols (IPs), more than six billion malware files, over 7,000 high risk vulnerabilities, and more than 600 zero-day vulnerabilities. 

> “With several billion attack records from all corners of the world analyzed daily, ThreatBook ATI is a truly global solution enriched with granular, local insights,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook.

> “We are of the opinion that Asia Pacific-centric threat intelligence matters, as tactics, techniques, and procedures (TTPs), tooling, language, command and control (C&C) infrastructure, and targeting patterns differ by region – and ATI can offer organizations a truly APAC perspective. We have a track record of exclusive discovery when it comes to cybercriminals, including advanced persistent threat (APT) groups; and at the end of the day, local context quickens threat detection and reduces dwell time.”

Integration with existing security stacks is key. Studies repeatedly find that a single unified platform, which provides a centralized view of cyber risks across the entire organization, is a priority for cybersecurity teams around the world. ThreatBook ATI is highly compatible with existing security stacks. Its output is available in both machine-readable and human-readable formats, making integration straight-forward.

Customer access is hassle-free. For TIPs, ThreatBook ATI can be purchased through platform marketplaces, or can be integrated through feeds or application programming interfaces (APIs). For SOCs, ThreatBook ATI feeds integrate easily with security information and event management (SIEM) solutions, firewalls and other security tools. While for cybersecurity analysts, ThreatBook ATI is accessible globally via a web portal.

> “High quality threat intelligence enhances existing security tools, which often rely on vulnerable rule-based signals, making them more reliable and accurate, and leading to less false positives across the stack,” added Mr. Xue. “By providing actionable insights for threat detection and response, organizations are able to accelerate their intelligence analysis, and make more informed decisions to better manage today’s myriad of cyber risks.”

ThreatBook ATI is a timely addition to the company’s acclaimed suite of cybersecurity solutions. Since 2015, thousands of enterprise organizations globally have placed their trust in Threatbook across the entire threat lifecycle — from detection to analysis, response and protection; all powered by the company’s proprietary intelligence core.

In 2025 alone, leading analyst firms have recognized ThreatBook, featuring the company in Forrester’s Network Analysis And Visibility Solutions Landscape, Q2 2025 report, and the inaugural Gartner Magic Quadrant for Network Detection and Response (NDR). In both instances, ThreatBook was one of a limited number of vendors recognized.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, users can visit www.threatbook.io or follow them on LinkedIn.

ThreatBook ATI is not available in mainland China.

https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

https://www.msspalert.com/native/the-strategic-shift-toward-unified-cybersecurity-platforms

**Contact**

**Belmont Communications on behalf of ThreatBook**  
**\[email protected\]**

ThreatBook Launches Best-of-Breed Advanced Threat Intelligence Solution

Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.

The **Medusa** ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.

According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.

To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.

The sample paths include files such as Esur_rerating_verification.xlsx, Claim Data Specifications.xlsm, and Python, as well as SQL scripts related to auto premium impact analysis.

Medusa Ransomware group’s dark web leak site claiming Comcast as its victim – These claims were published on Friday, September 26, 2025 (Image credit: Hackread.com)

****Comcast and Cybersecurity****

For your information, Comcast owns NBCUniversal, which operates NBC, Telemundo, Universal Pictures, Sky (in Europe), and a wide range of TV networks, film studios, and streaming platforms like Peacock.

Although the company has not been in news over large-scale cyber attacks, a 2015 report published by Hackread.com revealed that over 200,000 Comcast user credentials were leaked on the dark web.

At the time, Comcast stated the data likely came from credential aggregation rather than a direct breach of its systems. The case underscored how previously exposed information can resurface years later, complicating efforts to separate legacy leaks from fresh intrusions.

Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.

****Medusa Aims At Top American Firms****

Past Medusa incidents have shown that the group tends to release portions of data if demands are not met, increasing the pressure on victims to negotiate. The cyber criminal group has also been behind several high-profile attacks this year.

On April 8, 2025, the group announced it had **targeted NASCAR** with a $4 million ransom demand. That incident was later **confirmed** as a data breach in July 2025, showing the group had followed through on previous threats when negotiations failed.

At the time of writing, Comcast has not publicly confirmed or denied the breach. The company may face regulatory scrutiny if sensitive customer or financial data is involved, particularly given the sheer size of the alleged leak.

Hackread.com has reached out to Comcast for comment and will continue monitoring the situation for updates on the company’s response and any further releases from Medusa.

Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M

Plus: A ransomeware gang steals data on 8,000 preschoolers, Microsoft blocks Israel’s military from using its cloud for surveillance, call-recording app Neon hits pause over security holes, and more.

New research released this week shows that over the past few years the US Department of Homeland Security has collected DNA data of nearly 2,000 US citizens. The activity raises questions about legality and oversight given that DHS has been putting the information into an FBI crime database. Some of the genetic data is from US citizens as young as 14.

The US Secret Service said on Tuesday that it had discovered facilities across the “New York tristate area” running so-called SIM servers—devices that manage and coordinate 100,000 SIM cards at a time for illicit operations. The Secret Service warned, though, that in addition to being used by cybercriminals for scamming, the apparatuses could also be used to launch critical infrastructure attacks that could disrupt mobile networks.

A cyberattack on the UK-based automaker Jaguar Land Rover has been causing a supply chain meltdown, halting vehicle production, costing JLR tens of millions of dollars, and forcing its parts suppliers to lay off workers. The beleaguered company will have to shoulder the full cost of the attack because of inadequate insurance coverage, prompting talks of possible UK government assistance.

If you’re worried about phone searches while traveling or doing specific activities, the password manager known as 1Password has a Travel Mode feature that can help you manage sensitive data and temporarily remove it from your device. We’ve got advice on how to use the tool most effectively.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

An app used to out those who spoke ill of the murdered right-wing activist Charlie Kirk was found to be leaking its users’ personal information, doxing the very people it had invited to dox its targets.

The app Cancel the Hate, founded in the wake of Kirk’s September 10 assassination, suspended its services this week after it was revealed that security flaws in the website where the app was hosted exposed users’ email addresses and phone numbers. That site had asked its users to collect and share employment and other personal information of critics of Kirk and others “supporting political violence.” But a security researcher who identified themselves only as BobDaHacker demonstrated to news outlet Straight Arrow News that privacy settings on the site didn’t work as advertised, publicly leaking users’ information even when it was set to private. The hacker also reportedly had the ability to delete users’ accounts at will.

Cancel the Hate, which displayed a photo of Kirk on its homepage and was founded by a Kirk supporter who cited his death as the motivation for creating the site, has since taken down its reporting features. It now displays a message on its homepage that it’s moving to a “new service provider.” The page that allows visitors to buy a $23 T-shirt remains online.

**Ransomware Hackers Steal Kids’ Personal Info and Photos in Preschool Breach**

Ransomware groups continued to plumb the depths of abject immorality this week with a new tactic: extorting preschools by stealing toddlers’ personal information and threatening their parents. The BBC reports that a hacker group says it has stolen the names, addresses, and photos of around 8,000 children from the preschool chain Kido, which has sites largely around London but also in the US and India. The hackers are threatening to leak the data if a ransom isn’t paid, going so far as to contact some of the children’s parents to reinforce their threat. The group has also posted sample information and photos of 10 children on their dark-web site.

**Microsoft Blocks Israeli Military From Using Cloud Services for Surveillance**

In August, The Guardian, Israeli-Palestinian publication +972 Magazine, and Hebrew-language publication Local Call revealed how Israeli signals intelligence agency Unit 8200 had built a comprehensive surveillance system to intercept and store Palestinian phone calls. More than “a million calls an hour” could be collected by the system, which reportedly amassed around 8,000 terabytes of call data and stored it in Microsoft’s Azure cloud service in the Netherlands, the publications reported.

This week, following an external investigation commissioned by Microsoft, the company pulled some of the Israeli military’s access to its technology. In a statement, Microsoft president Brad Smith said the firm has taken the decision to “cease and disable” some “specific cloud storage and AI services and technologies” that it was providing to Israeli forces. Microsoft’s action—its investigation is still ongoing—follows a wave of staff protests at its ties to Israel and its ongoing war in Gaza. “We do not provide technology to facilitate mass surveillance of civilians. We have applied this principle in every country around the world, and we have insisted on it repeatedly for more than two decades,” Smith wrote in a statement.

However, while Microsoft has pulled some of the services it provides, The Guardian reports that the surveillance data was likely moved days after its initial investigation was published. Sources told the publication that Unit 8200 was planning to move the data to Amazon’s cloud storage, and move it outside of the European Union, which has strong data protection laws.

**Call-Recording App Neon Pauses Service Over Security Holes**

This week, call-recording app Neon has raced up the free iPhone app charts. But far from being an app for personal use, Neon is one the latest efforts to collect training data for generative AI systems. The startup claims it will sell your call recordings to AI companies and pay you up to $30 per day for the data, raising more than a few privacy and ethics questions.

However, after probing the app, reporters at TechCrunch found that it was possible for “anyone to access the phone numbers, call recordings, and transcripts of any other user” due to security holes in its setup. The app’s creator “temporarily” paused Neon’s operations after TechCrunch got in touch. “Your data privacy is our number one priority, and we want to make sure it is fully secure even during this period of rapid growth,” Neon founder Alex Kiam said in an email to the app’s users, adding “extra layers of security” would be added in the future.

**Chinese Hackers Have a Stealthy New Backdoor to Help Them Steal Data**

For decades, China’s hackers have been breaking into companies around the world and stealing data and intellectual property. Over the past few months, they’ve been using a stealthy new backdoor as part of their hacking operations, Google’s security firm Mandiant reported this week. The malware campaign, dubbed Brickstorm, is linked to the Chinese hacking group UNC5221, Mandiant says, and the company first spotted it being used in March against legal companies, software-as-a-service firms, and tech companies.

“It’s very hard to detect them and to investigate them,” Google threat researcher Austin Larsen told Cyberscoop, and the hackers have been seen to have access to systems for more than 400 days. “These intrusions are conducted with a particular focus on maintaining long-term stealthy access by deploying backdoors on appliances that do not support traditional endpoint detection and response (EDR) tools,” the company wrote in a brief about Brickstorm.

**Crypto Stablecoins Are Helping Russia Evade Sanctions and Interfere in Moldova’s Election**

The A7 group, cofounded by Moldovan fugitive politician and Vladimir Putin ally Ilan Shor, has long been suspected of serving as a vehicle for cryptocurrency-based sanctions evasion. A new leak of internal communications from the company shows the scale of that alleged sanctions circumvention and also spells out how the company, half-owned by Russian state banks, has facilitated Russian interference in Moldovan politics ahead of its election on Sunday. Crypto-tracing firm Elliptic found references to crypto addresses in the leak that allowed it to track nearly $8 billion in payments of crypto stablecoins to the company, including Tether and A7’s own ruble-backed stablecoin A7A5. Most of that money likely passed through A7, says Elliptic’s founder Tom Robinson, and was used to carry out international deals that would otherwise have been blocked by the West’s sanctions on Russia following its 2022 full-scale invasion of Ukraine. But Robinson says some portion of the money has also been used to interfere in Moldovan politics, such as an app called Taito that Moldovan police say was used for illegal campaign financing and bribery of voters.

An App Used to Dox Charlie Kirk Critics Doxed Its Own Users Instead

Companies are going to great lengths to protect the infrastructure that provides the backbone of the world’s digital services—by burying their data deep underground.

Inside the Nuclear Bunkers, Mines, and Mountains Being Retrofitted as Data Centers

Hackers are sending fake invoice emails with malicious Office files that install the XWorm RAT on Windows systems, allowing full remote access and data theft. Learn how the shellcode and process injection are used to steal data, and how to stay safe from this persistent threat.

A new wave of email attacks is on the rise, tricking people with fake invoice documents to install the dangerous **XWorm RAT** (Remote Access Trojan), capable of quietly stealing sensitive information from your computer, reveals the latest research from Forcepoint X-Labs.

The scam starts with an email, often pretending to be about “Facturas pendientes de pago” (Pending Invoices for Payment) from someone named Brezo Sánchez. The email includes an attached Office file that has the extension .xlam.

X-Labs researchers mention that when you open the file, it may look blank or corrupted, but the damage has already started.

Malicious Email (Source: Forcepoint)

****Understanding the Attack Chain****

As we know it, cyberattacks generally follow a chain of steps, and this one is highly detailed. Inside the attached Office file is a hidden component called oleObject1.bin, which contains an encrypted code, called shellcode. This shellcode is a small program that immediately downloads the next part of the attack.

The shellcode reaches out to a specific web address, hxxp://alpinreisan1com/UXOexe, to download the main malicious program, an executable file named UXO.exe. This program then starts the second stage- loading another harmful DLL file into the computer’s memory (DriverFixPro.dll).

This loading happens using reflective DLL injection (a sneaky way to load a harmful program directly into the computer’s memory without saving it as a regular file first). This DLL ultimately performs a process injection, which involves forcing the malicious code to run inside a normal, harmless program on your computer. This final injected code belongs to the XWorm **RAT** family.

****XWorm: A Persistent Threat****

Forcepoint’s senior researcher, Prashant Kumar, explains in the **blog post** that XWorm’s capabilities allow it to take full **remote control** over an infected system, from stealing files to logging keystrokes.

Through process injection, the malware runs secretly within a trusted application and successfully maintains persistence while avoiding detection. Lastly, the XWorm program connects to a Command & Control (C2) server, specifically 158.94.209180, to send all the victim’s stolen data to the attackers.

This important research on the multi-stage attack was shared exclusively with Hackread.com. However, it is worth noting that this is not the first time the XWorm threat has been seen this year.

In January 2025, Hackread.com **reported** an XWorm campaign that compromised over 18,459 devices globally, stealing browser passwords and Discord tokens. Then, in March 2025, Veriti’s **research** revealed that XWorm was using trusted platforms like Amazon Web Services (AWS) S3 storage to distribute its harmful files.

To protect yourself from such attacks, be cautious with attachments, especially those ending in .xlam or .bin, verify unexpected invoices by calling the sender, and regularly update your operating system and security software.

Tag

#web