[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:ransomware":3},{"tag":4,"articles":8,"awareness":456,"events":457,"tips":458,"focus_items":459,"total_count":460},{"slug":5,"name":6,"description":7},"ransomware","Ransomware",null,[9,18,27,36,45,54,63,72,81,90,99,108,116,125,134,143,152,161,170,179,188,197,206,215,224,233,242,251,260,269,278,287,296,305,314,323,332,341,350,359,368,377,386,395,404,412,421,430,439,448],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"cc033463-8c43-4b80-a8ae-b966a54a41fa","Hackers bypass SonicWall VPN MFA due to incomplete patching","hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching-d03048","SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite patching without manual LDAP reconfiguration.","Threat actors exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass multi-factor authentication and gain initial network access for ransomware deployment. ReliaQuest documented multiple intrusions between February and March 2026 where attackers successfully authenticated despite MFA being enabled, because organizations patched the firmware but failed to complete required manual LDAP remediation steps. 
The vulnerability does not affect Gen7\u002FGen8 devices, which are fully mitigated by firmware updates alone.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F20\u002FSonicWall.jpg","2026-05-20T21:19:17+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":25,"published_at":26},"9abd38af-d31f-4280-88b4-d0c43085eedd","Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks","banana-rat-malware-in-fake-invoices-hits-customers-at-16-brazilian-banks-9adceb","Banana RAT malware targets 16 Brazilian banks via fake invoices, stealing data with QR code fraud.","Banana RAT, a remote access trojan linked to threat group SHADOW-WATER-063, is actively targeting customers at 16 Brazilian banks including Itaú, Bradesco, and Santander. The malware is distributed through fake invoice files and security update screens via WhatsApp and phishing, using fileless execution and a custom FastAPI crypter to evade detection. 
It enables real-time financial fraud by intercepting banking sessions, replacing Pix QR codes, and freezing user input while attackers steal funds.","https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks.jpg","2026-05-20T09:14:35+00:00",{"id":28,"title":29,"slug":30,"brief":31,"ai_summary":32,"url":33,"image_url":34,"published_at":35},"5eda7515-c525-4c85-a916-0114bd22ad13","7-Eleven confirms data breach claimed by the ShinyHunters gang","7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang-09f3cb","7-Eleven confirms cyberattack by ShinyHunters gang that stole 600K+ records from Salesforce systems.","7-Eleven confirmed a data breach discovered on April 8, 2026, where attackers gained unauthorized access to systems storing franchisee documents and personal information. The ShinyHunters extortion group claimed responsibility and allegedly stole over 600,000 records from the company's Salesforce environment, eventually leaking a 9.4GB archive after ransom demands were refused. 
This marks another major victim in ShinyHunters' ongoing campaign targeting Salesforce customers, joining a long list that includes the European Commission, Vimeo, McGraw-Hill, Medtronic, and others.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F19\u002F7-Eleven-headpic.jpg","2026-05-19T14:16:41+00:00",{"id":37,"title":38,"slug":39,"brief":40,"ai_summary":41,"url":42,"image_url":43,"published_at":44},"8ac27af4-850b-4732-82ba-eae17c80509b","Daily Dose of Dark Web Informer - May 13th, 2026","daily-dose-of-dark-web-informer-may-13th-2026-14aa17","Dark Web Informer daily digest reports multiple breaches, ransomware hits, and supply chain attacks across global","The Daily Dark Web Informer digest for May 13th, 2026 aggregates multiple threat intelligence reports including breaches at Akitatek, Vietnam's Ministry of Health, SIVVI, and others exposing hundreds of thousands of records. Notable incidents include ransomware attacks on NTN Bearing Corporation and Foxconn, a supply chain attack affecting Mistral AI, and the District Health Information Software (DHIS2) breach impacting 30+ national health systems serving 3.2 billion people. 
The digest also highlights a supply chain attack competition and ongoing dark web marketplace activity.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-may-13th-2026\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002Fsize\u002Fw1200\u002F2026\u002F02\u002F23597862398746923879872364987342598723.png","2026-05-13T22:37:29+00:00",{"id":46,"title":47,"slug":48,"brief":49,"ai_summary":50,"url":51,"image_url":52,"published_at":53},"9864f4a1-c9be-4f1b-98f4-d0d3438e15dc","West Pharmaceutical says hackers stole data, encrypted systems","west-pharmaceutical-says-hackers-stole-data-encrypted-systems-108c94","West Pharmaceutical Services discloses cyberattack with data exfiltration and system encryption.","West Pharmaceutical Services, a major pharmaceutical manufacturer, disclosed a cyberattack detected on May 4, 2026, involving both data exfiltration and system encryption across its global network. The company activated incident response protocols, engaged law enforcement and Palo Alto Networks' Unit 42 for forensics, and has partially restored core manufacturing and shipping systems. 
No ransomware group has claimed responsibility, and the full scope of stolen data and financial impact remain under investigation.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fwest-pharmaceutical-says-hackers-stole-data-encrypted-systems\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F13\u002FWest.jpg","2026-05-13T22:23:31+00:00",{"id":55,"title":56,"slug":57,"brief":58,"ai_summary":59,"url":60,"image_url":61,"published_at":62},"2b54cbf5-579d-4482-a5e6-634593114da0","Instructure Reaches Deal with ShinyHunters to Prevent Canvas Data Leak","instructure-reaches-deal-with-shinyhunters-to-prevent-canvas-data-leak-520df9","Instructure reaches deal with ShinyHunters to prevent Canvas data leak of 275M student records.","Instructure negotiated an agreement with ShinyHunters ransomware group to retrieve and destroy 275 million stolen student records from Canvas learning platform, preventing public disclosure. The attackers had exploited a vulnerability in \"Free for Teacher\" accounts and defaced login pages at 330 schools before agreeing to delete the data. The company disabled vulnerable accounts and confirmed core learning data was not compromised.","https:\u002F\u002Fhackread.com\u002Finstructure-shinyhunters-deal-prevent-canvas-data-leak\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Finstructure-reaches-deal-with-shinyhunters-to-prevent-canvas-data-leak-2.jpg","2026-05-13T21:10:04+00:00",{"id":64,"title":65,"slug":66,"brief":67,"ai_summary":68,"url":69,"image_url":70,"published_at":71},"06df3c87-01bf-485d-bbe3-29c8481af25f","US govt seeks Instructure testimony on massive Canvas cyberattack","us-govt-seeks-instructure-testimony-on-massive-canvas-cyberattack-35bf5b","US House investigates ShinyHunters' dual Canvas breaches affecting millions of students.","The U.S. 
House Committee on Homeland Security is demanding testimony from Instructure executives regarding two cyberattacks by the ShinyHunters extortion group targeting the Canvas learning management platform. ShinyHunters breached Instructure twice within a week in April-May 2026, stealing 280 million records from over 8,800 education institutions and defacing Canvas login portals at schools nationwide during final exams. Instructure reportedly reached a settlement with ShinyHunters to halt the data leak and destroy stolen records, though the company has not confirmed whether a ransom was paid.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fus-govt-seeks-instructure-testimony-on-massive-canvas-cyberattack\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F07\u002Fcanvas-logo.jpg","2026-05-12T23:09:55+00:00",{"id":73,"title":74,"slug":75,"brief":76,"ai_summary":77,"url":78,"image_url":79,"published_at":80},"cf6ade62-7b28-4709-bb71-3fac966a8933","\"EtherRAT was installed via a malicious MSI [...] then deployed The Gentlemen ransomware\"\nAlready...","etherrat-was-installed-via-a-malicious-msi-then-deployed-the-gentlemen-ransomwar-28f380","EtherRAT remote access trojan deployed via malicious MSI installer before delivering The Gentlemen ransomware.","Security researchers discovered EtherRAT, a remote access trojan, being delivered through malicious MSI (Windows Installer) packages, which subsequently deployed The Gentlemen ransomware. The samples were shared with security community members in April and additional variants are reportedly in circulation. 
This represents a multi-stage attack chain combining initial access and lateral movement with ransomware deployment.","https:\u002F\u002Fx.com\u002Fmalwrhunterteam\u002Fstatus\u002F2054247529462591552","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIIkDE7WoAALsnM.png","2026-05-12T17:09:11+00:00",{"id":82,"title":83,"slug":84,"brief":85,"ai_summary":86,"url":87,"image_url":88,"published_at":89},"36510572-f9d4-4f97-9ccb-b2ff7826fa20","Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware","free-onlyfans-lure-used-to-spread-cross-platform-crpx0-malware-01328c","CRPx0 malware campaign uses free OnlyFans lure to target macOS, Windows, and Linux systems.","CRPx0 is a sophisticated, cross-platform malware campaign that uses social engineering (free OnlyFans account offers) to deliver a multi-stage attack. The malware performs cryptocurrency theft via clipboard monitoring, large-scale data exfiltration, and ransomware encryption with double extortion. The campaign operates a leaks site claiming 38 victims and 10,839 terabytes of stolen data, with ransom notes in English, Russian, and Chinese.","https:\u002F\u002Fwww.securityweek.com\u002Ffree-onlyfans-lure-used-to-spread-cross-platform-crpx0-malware\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F02\u002FMalware-Hunter-Killer.jpg","2026-05-12T13:46:49+00:00",{"id":91,"title":92,"slug":93,"brief":94,"ai_summary":95,"url":96,"image_url":97,"published_at":98},"524ba4e1-cf2d-4b96-9473-f91eca919f63","Deal Reached With Hackers to Delete Data Stolen From the Canvas Educational Platform","deal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-plat-6b5502","Instructure reaches deal with ShinyHunters to delete Canvas data stolen in breach affecting 9,000 schools.","Instructure, operator of the Canvas online learning platform, announced it reached an agreement with the ShinyHunters threat group to delete data stolen in a cyberattack affecting nearly 9,000 
schools and 275 million individuals. The breach exposed student IDs, email addresses, names, and platform messages, but not passwords or financial information. The company received 'shred logs' as digital confirmation of data destruction, though it acknowledged no absolute certainty when dealing with cybercriminals.","https:\u002F\u002Fwww.securityweek.com\u002Fdeal-reached-with-hackers-to-delete-data-stolen-from-the-canvas-educational-platform\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F03\u002Fschool-education.jpeg","2026-05-12T13:26:46+00:00",{"id":100,"title":101,"slug":102,"brief":103,"ai_summary":104,"url":105,"image_url":106,"published_at":107},"d7eef910-a7c0-4e2a-b434-c41103859fa5","Instructure reaches 'agreement' with ShinyHunters to stop data leak","instructure-reaches-agreement-with-shinyhunters-to-stop-data-leak-ca69ec","Instructure reaches ransom agreement with ShinyHunters over 30M user data breach.","Instructure, an edtech giant serving 30 million educators and students via Canvas LMS, confirmed it reached an agreement with the ShinyHunters extortion group following a breach that exposed 3.6TB of data stolen through XSS vulnerabilities in its Free-for-Teacher environment. ShinyHunters exploited the same vulnerability twice—initially to steal data and again on May 7 to deface Canvas login portals with extortion messages—before the company negotiated a settlement that reportedly included data destruction. 
The FBI has historically warned that ransom payments do not guarantee threat actors won't resell stolen data or re-extort victims.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finstructure-reaches-agreement-with-shinyhunters-to-stop-data-leak\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F09\u002F04\u002FSchool_hacker.jpg","2026-05-12T09:23:56+00:00",{"id":109,"title":110,"slug":111,"brief":112,"ai_summary":113,"url":114,"image_url":43,"published_at":115},"95fa124e-5bff-4c88-a958-092b38372ce5","Daily Dose of Dark Web Informer - May 11th, 2026","daily-dose-of-dark-web-informer-may-11th-2026-f920ea","Daily dark web threat digest covering breaches, ransomware claims, and law enforcement actions.","This is a curated daily threat intelligence digest aggregating multiple security incidents from May 11, 2026, including law enforcement takedowns (Crimenetwork platform), major data breaches (BLS International's 29M records, La Suite Numérique's 18M records), ransomware claims (Qilin targeting Keller Williams), and emerging threats (AI-powered remote access malware AIRDC). 
The post also notes a possible ShinyHunters clearnet domain seizure and reports on Google's discovery of the first AI-developed zero-day exploit.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-may-11th-2026\u002F","2026-05-11T22:37:26+00:00",{"id":117,"title":118,"slug":119,"brief":120,"ai_summary":121,"url":122,"image_url":123,"published_at":124},"58780aee-b4af-485d-97ae-9c2067617c52","Instructure confirms hackers used Canvas flaw to deface portals","instructure-confirms-hackers-used-canvas-flaw-to-deface-portals-265210","Instructure confirms XSS vulnerabilities allowed hackers to deface Canvas portals and extort ransom.","Instructure disclosed that cross-site scripting (XSS) vulnerabilities in its Canvas learning management system enabled attackers to compromise authenticated admin sessions and deface login portals with extortion messages. The threat actor ShinyHunters exploited the same flaws twice—first to steal 3.6TB of data from 8,809 educational organizations, then to demand ransom by defacing Canvas portals with a May 12 payment deadline. 
The breach potentially impacts 275 million student, teacher, and staff records across schools and universities worldwide.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finstructure-confirms-hackers-used-canvas-flaw-to-deface-portals\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F01\u002Finstructure-header2.jpg","2026-05-11T15:26:26+00:00",{"id":126,"title":127,"slug":128,"brief":129,"ai_summary":130,"url":131,"image_url":132,"published_at":133},"ca6e43cd-395c-4655-96b9-1d5e718877c1","Canvas System Is Online After a Cyberattack Disrupted Thousands of Schools","canvas-system-is-online-after-a-cyberattack-disrupted-thousands-of-schools-461a13","ShinyHunters hacked Canvas learning platform, affecting ~9,000 schools; system restored after brief outage.","Canvas, a widely-used learning management system, was taken offline Thursday after ShinyHunters exploited a vulnerability in Free-For-Teacher accounts, affecting approximately 9,000 schools globally. The hacking group claimed access to billions of private messages and student records, demanding ransom and threatening data leaks. 
The system was restored Friday, though concerns remain about compromised personal data and the timing of the attack during final exams.","https:\u002F\u002Fwww.securityweek.com\u002Fcanvas-system-is-online-after-a-cyberattack-disrupted-thousands-of-schools\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F12\u002Funiversity.jpg","2026-05-11T08:35:13+00:00",{"id":135,"title":136,"slug":137,"brief":138,"ai_summary":139,"url":140,"image_url":141,"published_at":142},"8f666656-8203-409d-a252-9f700ffd71e2","‼️🇺🇸 Houghton Mifflin Harcourt Company has been added to the ShinyHunters Pay or Leak portal ht...","houghton-mifflin-harcourt-company-has-been-added-to-the-shinyhunters-pay-or-leak-5ef390","Houghton Mifflin Harcourt added to ShinyHunters extortion portal.","Educational publisher Houghton Mifflin Harcourt has been listed on the ShinyHunters Pay or Leak extortion portal, indicating a data breach and extortion threat. ShinyHunters is a known threat actor group operating a public-facing leakage site where stolen data is posted unless ransom demands are met. This suggests the company's data has been compromised and is being used as leverage for payment.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2052933485996695754","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH18HV-XgAQpfoH.png","2026-05-09T02:07:39+00:00",{"id":144,"title":145,"slug":146,"brief":147,"ai_summary":148,"url":149,"image_url":150,"published_at":151},"0ec24e17-e8bf-4403-9adc-7570c190251d","Trellix source code breach claimed by RansomHouse hackers","trellix-source-code-breach-claimed-by-ransomhouse-hackers-88cf53","RansomHouse threat group claims responsibility for Trellix source code repository breach.","Trellix, a major cybersecurity firm serving Fortune 100 customers, confirmed unauthorized access to its source code repository on May 1st. 
The RansomHouse extortion group claimed responsibility and posted screenshots as proof, claiming the intrusion occurred on April 17 and resulted in data encryption. Trellix stated it found no evidence that source code was exploited or that its release process was compromised, and notified law enforcement.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ftrellix-source-code-breach-claimed-by-ransomhouse-hackers\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F08\u002FTrellixRansomHouse.jpg","2026-05-08T13:23:23+00:00",{"id":153,"title":154,"slug":155,"brief":156,"ai_summary":157,"url":158,"image_url":159,"published_at":160},"c6c0d9a4-c25e-4445-8db3-4302c02ecf2a","ShinyHunters Defaces Canvas LMS Portal, Thousands of Universities Affected","shinyhunters-defaces-canvas-lms-portal-thousands-of-universities-affected-2b80bc","ShinyHunters breaches Instructure, defaces Canvas LMS portals affecting thousands of universities worldwide.","The ShinyHunters threat group breached Instructure's systems and defaced the Canvas LMS portal, disrupting access for universities globally. The group claims to have exfiltrated 3.65TB of data from nearly 9,000 institutions affecting ~275 million users, including names, email addresses, and student IDs. 
ShinyHunters left a ransom-style message on canvas.vt.edu demanding contact by May 12, 2026, or threatened public data release.","https:\u002F\u002Fhackread.com\u002Fshinyhunters-defaces-canvas-lms-portal-universities-affected\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fshinyhunters-defaces-canvas-lms-portal-universities-affected.jpeg","2026-05-07T23:55:50+00:00",{"id":162,"title":163,"slug":164,"brief":165,"ai_summary":166,"url":167,"image_url":168,"published_at":169},"e33eda6a-f305-4439-9cc0-129e9920ecf1","MuddyWater hackers use Chaos ransomware as a decoy in attacks","muddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks-ef778c","MuddyWater Iranian hackers use Chaos ransomware as cover for cyber-espionage via Teams social engineering.","MuddyWater, an Iranian state-sponsored group, disguised a cyber-espionage operation as a Chaos ransomware attack to complicate attribution and conceal their true objectives. The attackers used Microsoft Teams social engineering to harvest credentials, bypass MFA, and establish persistence through RDP, DWAgent, and AnyDesk, ultimately deploying a custom backdoor (Game.exe) for data exfiltration and extortion. 
Rapid7 attributes the campaign to MuddyWater based on infrastructure overlap, code-signing certificates, and operational tradecraft consistent with previous MOIS-aligned intrusions.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fmuddywater-hackers-use-chaos-ransomware-as-a-decoy-in-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F06\u002F23\u002FIranian_hacker.jpg","2026-05-06T13:02:52+00:00",{"id":171,"title":172,"slug":173,"brief":174,"ai_summary":175,"url":176,"image_url":177,"published_at":178},"faec48d4-877d-4084-aabb-82c4ec37c420","MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack","muddywater-uses-microsoft-teams-to-steal-credentials-in-false-flag-ransomware-at-1c07d8","MuddyWater conducts false flag ransomware attack using Teams social engineering and credential harvesting.","Iranian state-sponsored group MuddyWater has been attributed to a ransomware campaign disguised as Chaos RaaS activity, using Microsoft Teams social engineering and screen-sharing to harvest credentials and bypass MFA. Rather than traditional file encryption, the attackers exfiltrate data and establish persistence via remote management tools like DWAgent and AnyDesk. 
The campaign highlights MuddyWater's increasing use of off-the-shelf cybercrime tools to obscure attribution while pursuing strategic objectives.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fmuddywater-uses-microsoft-teams-to.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhjE6bniWklmqJDwZMxQ07Yrb1XNwfkmJE8SGUazlNaXgn1tcbJkvCSjtbo31oAqPZwb9U9KQ-uDMPmQbxwzthxG9J2j65qOUZAph7AAMJOeXYKbcU8jYwIIyjc_i7YnSrOKQ3jPtHAuCs_vdlyWe6O3ViLRYgza2usaIoYA2GgWxKpGGl6u05IZG_QZmP_\u002Fs1600\u002Fteams-hacker.jpg","2026-05-06T13:00:00+00:00",{"id":180,"title":181,"slug":182,"brief":183,"ai_summary":184,"url":185,"image_url":186,"published_at":187},"c9fb1005-6179-46ed-8bd5-5d0ed7ab2c86","Karakurt Ransomware Negotiator Sentenced to Prison","karakurt-ransomware-negotiator-sentenced-to-prison-d92cc7","Latvian Karakurt ransomware negotiator sentenced to 8.5 years in US prison.","Deniss Zolotarjovs, a 35-year-old Latvian member of the Karakurt ransomware gang, was sentenced to 8.5 years in prison after pleading guilty to extortion charges. Operating between June 2021 and March 2023, Zolotarjovs served as the group's negotiator and extortion specialist, handling ransom communications and analyzing stolen data from at least 53 victims, resulting in $56 million in losses. 
He received 10% of negotiated ransoms in cryptocurrency, including proceeds from pressuring a pediatric healthcare company to pay by threatening to publish patient data.","https:\u002F\u002Fwww.securityweek.com\u002Fkarakurt-ransomware-negotiator-sentenced-to-prison\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F10\u002Fhacker-prison-sentence.jpeg","2026-05-05T10:55:00+00:00",{"id":189,"title":190,"slug":191,"brief":192,"ai_summary":193,"url":194,"image_url":195,"published_at":196},"0105612a-83a7-45c5-a1e3-a0be07524dd0","Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools","phishing-campaign-hits-80-orgs-using-simplehelp-and-screenconnect-rmm-tools-c26330","Phishing campaign VENOMOUS#HELPER targets 80+ orgs using SimpleHelp and ScreenConnect RMM tools for persistent access.","An active phishing campaign tracked as VENOMOUS#HELPER (also STAC6405) has compromised over 80 organizations since April 2025, primarily in the U.S., using legitimate RMM software to establish persistent remote access. Attackers impersonate the U.S. Social Security Administration in phishing emails, directing victims to download malware that installs SimpleHelp and ScreenConnect as a redundant dual-channel access architecture. 
The compromise enables SYSTEM-level privilege escalation, screen reading, keystroke injection, and lateral movement while evading signature-based detection.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fphishing-campaign-hits-80-orgs-using.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjqa_ifaDYXI_GirxdHpZgSiE6fjnNdCmviv3QO9JsRvy1ddAWCRfoNd032ANB7pNfFMS4hLEwkfNHPHC5MNwkhK6XRjbe_y8qzWGpXRsdqhMnnUMGguScuIYtcUNQqQlmZkY4BUXy-ue6fAlor8LOfvEZNZrOq0JrIbOc2jXXAUBarqlodfdsIshRq7dXi\u002Fs1600\u002Fphishing-org.jpg","2026-05-04T18:06:00+00:00",{"id":198,"title":199,"slug":200,"brief":201,"ai_summary":202,"url":203,"image_url":204,"published_at":205},"67bf0469-9b60-4f8c-9e7d-71b87bb3ca58","‼️ 4VPS[.]su a Russian service provider since 2017 used by forums, the com, ransomware groups, an...","4vps-su-a-russian-service-provider-since-2017-used-by-forums-the-com-ransomware--047690","Russian VPS provider 4VPS.su allegedly exit-scams after serving cybercrime ecosystem since 2017.","4VPS.su, a Russian hosting provider operating since 2017, has allegedly executed an exit scam. The service was widely used by cybercriminal forums, ransomware groups, and other threat actors to host malicious infrastructure. 
The exit scam suggests a sudden disappearance or seizure of the service.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2050636171387044221","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHVRG4zXIAAmmj6.jpg","2026-05-02T17:58:56+00:00",{"id":207,"title":208,"slug":209,"brief":210,"ai_summary":211,"url":212,"image_url":213,"published_at":214},"6c6b1cbb-82f9-4d7e-873b-b1a884221e7b","‼️ New Ransomware Group and IP Leak: CMD Organization\n\nClearnet: cmdofficial[.]com\nIP: 209[.]99[....","new-ransomware-group-and-ip-leak-cmd-organization-clearnet-cmdofficial-com-ip-20-864702","New ransomware group CMD Organization surfaces with clearnet and onion infrastructure.","A previously unknown ransomware group called CMD Organization has been identified operating infrastructure across clearnet and dark web platforms. The group's primary domain cmdofficial[.]com and associated IP address 209.99.186.211 have been exposed, along with an onion service URL. This appears to be an early-stage threat actor with limited public activity.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2050587180225957977","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHUmG4aWgAAar8h.png","2026-05-02T14:44:16+00:00",{"id":216,"title":217,"slug":218,"brief":219,"ai_summary":220,"url":221,"image_url":222,"published_at":223},"4496bc96-a2a5-413f-9fdc-6232ee4eeafa","Hackers Use Jenkins Access to Deploy DDoS Botnet Against Gaming Servers","hackers-use-jenkins-access-to-deploy-ddos-botnet-against-gaming-servers-02b5da","Attackers abuse misconfigured Jenkins servers to deploy DDoS botnet targeting gaming infrastructure.","Security researchers at Darktrace detected a campaign on March 18, 2026 exploiting misconfigured Jenkins servers via the scriptText endpoint to deploy a DDoS botnet targeting gaming servers, particularly those running Valve's Source Engine. 
The attackers used Groovy scripts to achieve Remote Code Execution, dropping malware (w.exe on Windows, bot_x64 on Linux) that communicates via a single IP address (103.177.110.202) in Vietnam. The botnet employs evasion techniques and game-specific DoS attacks like attack_dayz to crash gaming infrastructure.","https:\u002F\u002Fhackread.com\u002Fhackers-jenkins-ddos-botnet-gaming-servers\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-jenkins-ddos-botnet-gaming-servers.jpg","2026-05-01T17:21:29+00:00",{"id":225,"title":226,"slug":227,"brief":228,"ai_summary":229,"url":230,"image_url":231,"published_at":232},"e89cda7b-db30-4581-82fc-30a2dc44afc6","‼️🇧🇷 Kenlo Imob (formerly inGaia Imob), a leading Brazilian real estate CRM used by brokers and...","kenlo-imob-formerly-ingaia-imob-a-leading-brazilian-real-estate-crm-used-by-brok-ad2aa9","Brazilian real estate CRM Kenlo Imob breached; 6M PII records and 10K+ docs under extortion threat.","Kenlo Imob, a major Brazilian real estate CRM platform (formerly inGaia Imob), has been breached with 6 million personally identifiable information records and over 10,000 documents allegedly stolen. 
The threat actor is actively demanding payment under extortion, posing a significant risk to real estate brokers, agencies, and their clients whose data is exposed.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2050235074151399693","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHPl7mtWIAEgkKN.jpg","2026-05-01T15:25:07+00:00",{"id":234,"title":235,"slug":236,"brief":237,"ai_summary":238,"url":239,"image_url":240,"published_at":241},"d61b731e-5bd1-4658-a7e0-993ce871c70a","Former incident responders sentenced to 4 years in prison for committing ransomware attacks","former-incident-responders-sentenced-to-4-years-in-prison-for-committing-ransomw-1373b0","Two former cybersecurity pros sentenced to 4 years for BlackCat ransomware attacks extorting $1.3M.","Ryan Goldberg and Kevin Martin, former incident response and ransomware negotiation professionals, were each sentenced to four years in prison for conducting ransomware attacks using ALPHV\u002FBlackCat malware against five U.S. companies in 2023, extorting $1.3 million from one medical company. Their case reveals a rare but alarming abuse of insider cybersecurity expertise, with Goldberg fleeing to Europe before his arrest and subsequent deportation. 
Co-conspirator Angelo John Martino III, a ransomware negotiator at DigitalMint, exploited his position to extract $75.3 million from victims by sharing confidential negotiation intelligence.","https:\u002F\u002Fcyberscoop.com\u002Fincident-responders-ryan-goldberg-kevin-martin-sentenced-ransomware\u002F","https:\u002F\u002Fcyberscoop.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F3\u002F2025\u002F11\u002FGettyImages-2199006042.jpg","2026-04-30T23:29:01+00:00",{"id":243,"title":244,"slug":245,"brief":246,"ai_summary":247,"url":248,"image_url":249,"published_at":250},"f3c7997e-f60b-49e1-9f7d-027e330a7bd2","#ClickFix style campaign operated eight bulk registered 588gj*[.]shop lure domains impersonating...","clickfix-style-campaign-operated-eight-bulk-registered-588gj-shop-lure-domains-i-bc4a97","ClickFix-style campaign uses 588 bulk-registered domains impersonating PureClaw AI software to deliver backdoors and","A threat campaign leveraging the ClickFix attack pattern has registered approximately 588 malicious domains mimicking legitimate AI software 'PureClaw' to distribute multi-stage payloads. The injected malware includes backdoors, AI-gateway implants, and ransomware droppers delivered through rotating final-stage payloads. This represents a sophisticated supply-chain-adjacent attack targeting users seeking AI tools.","https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2049994251857952828","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHMK30WXcAAXJQn.jpg","2026-04-30T23:28:11+00:00",{"id":252,"title":253,"slug":254,"brief":255,"ai_summary":256,"url":257,"image_url":258,"published_at":259},"c90676e1-e4d3-4f08-8244-d6957d4bbd62","When the Defenders Become the Attackers: Two U.S. Cybersecurity Pros Sentenced in BlackCat Ransomware Case","when-the-defenders-become-the-attackers-two-u-s-cybersecurity-pros-sentenced-in--299ab5","Two U.S. 
cybersecurity professionals sentenced to four years for deploying ALPHV BlackCat ransomware.","Ryan Goldberg and Kevin Martin, both cybersecurity industry workers, were sentenced to four years in prison on April 30, 2026, for deploying ALPHV BlackCat ransomware against multiple U.S. companies in 2023. Working alongside co-conspirator Angelo Martino, they exploited their insider knowledge to conduct extortion attacks, collecting at least $1.2 million in ransom and leaking patient data when negotiations failed. The case highlights the insider threat within cybersecurity and demonstrates law enforcement's improving capacity to pursue ransomware affiliates internationally.","https:\u002F\u002Fdarkwebinformer.com\u002Fwhen-the-defenders-become-the-attackers-two-u-s-cybersecurity-pros-sentenced-in-blackcat-ransomware-case\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002Fsize\u002Fw1200\u002F2026\u002F04\u002Fblackcat_ransomware.jpg","2026-04-30T21:39:03+00:00",{"id":261,"title":262,"slug":263,"brief":264,"ai_summary":265,"url":266,"image_url":267,"published_at":268},"90f8c12d-65d2-45f6-b7c2-b0bb8b27bcd4","Sandhills Medical Says Ransomware Breach Affects 170,000","sandhills-medical-says-ransomware-breach-affects-170-000-10d636","Sandhills Medical discloses ransomware breach affecting 170,000 after nearly one year delay.","South Carolina healthcare provider Sandhills Medical Foundation disclosed a ransomware attack discovered on May 8, 2025, affecting approximately 170,000 individuals. The Inc Ransom cybercrime group claimed responsibility and listed the organization on its leak site in early June 2025. 
Compromised data includes names, SSNs, driver's licenses, passports, financial information, and personal health records.","https:\u002F\u002Fwww.securityweek.com\u002Fsandhills-medical-says-ransomware-breach-affects-170000\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F10\u002Fbank-finance-lender-credit-union-hack.jpeg","2026-04-30T08:35:59+00:00",{"id":270,"title":271,"slug":272,"brief":273,"ai_summary":274,"url":275,"image_url":276,"published_at":277},"c05cfd8a-bfb4-4aee-b573-4198a1c29279","‼️ Aur0ra Ransomware Names Its First Seven Victims\n\nhttp:\u002F\u002Fu6lieui2dakbctcjea2bz4r4q32r7t36nwljov...","aur0ra-ransomware-names-its-first-seven-victims-http-u6lieui2dakbctcjea2bz4r4q32-383377","Aur0ra ransomware group claims first seven victims across US sectors.","Aur0ra ransomware has publicly named its first seven victims on a dark web leak site, targeting organizations across insurance, logistics, food\u002Fmetal manufacturing, and legal services in the United States. The group has established an onion-based leak portal to advertise claimed victims and pressure payment. 
This marks the initial public operations of the Aur0ra ransomware campaign.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2049645858753511601","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHHOCB4XMAAxJhr.jpg","2026-04-30T00:23:47+00:00",{"id":279,"title":280,"slug":281,"brief":282,"ai_summary":283,"url":284,"image_url":285,"published_at":286},"f6ef6afd-0a14-41b1-bad9-bb1ef8356f3a","⚠️ A Russian-speaking threat actor group is recruiting an Initial Access Broker (IAB) to supply c...","a-russian-speaking-threat-actor-group-is-recruiting-an-initial-access-broker-iab-2b4c69","Russian-speaking threat actor recruits IAB for corporate network access without ransomware deployment.","A Russian-speaking threat actor group is actively recruiting an Initial Access Broker (IAB) to provide ongoing corporate network access for data exfiltration and extortion campaigns. The group operates under a 'by date, without a locker' model, meaning they steal and extort data from victims without deploying ransomware. This represents a shift toward pure extortion-focused attacks rather than traditional ransomware deployment.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2049554158307680431","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHHF5nclboAAdIpR.jpg","2026-04-29T18:19:24+00:00",{"id":288,"title":289,"slug":290,"brief":291,"ai_summary":292,"url":293,"image_url":294,"published_at":295},"ae0f5f1b-f4ff-4b9c-a7a8-fe396997b5a7","CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV","cisa-adds-actively-exploited-connectwise-and-windows-flaws-to-kev-e9674f","CISA adds ConnectWise ScreenConnect and Windows Shell flaws to KEV catalog due to active exploitation.","CISA added CVE-2024-1708 (ConnectWise ScreenConnect path traversal, CVSS 8.4) and CVE-2026-32202 (Windows Shell spoofing, CVSS 4.3) to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. 
CVE-2024-1708 has been chained with the critical CVE-2024-1709 by multiple threat actors including Storm-1175 deploying Medusa ransomware, while CVE-2026-32202 represents an incomplete patch for CVE-2026-21510, previously exploited as a zero-day by APT28 against Ukraine and EU countries since December 2025. Federal agencies must patch by May 12, 2026.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fcisa-adds-actively-exploited.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEifGMiUJH-3-Yk7Hnve0k2mPxHZecIbCTTN7z_CosJp8GhI7hira6707ALIDB4skUc8UbRdmWtbhz4n9fe8T-h3OGzul9awiw8DFsnsSORkjKfXr4dgEGX_ncQ7dWBYGAhyU3Efo8-z_YPCEFC_bUDH8eYeX_w6QcDrOWTnpRXqOF_IATm0t-xxMJp6uYWc\u002Fs1600\u002Fwindows-logo.jpg","2026-04-29T08:46:00+00:00",{"id":297,"title":298,"slug":299,"brief":300,"ai_summary":301,"url":302,"image_url":303,"published_at":304},"ace26a2d-6a91-4182-8759-407acf124222","Vimeo Confirms User and Customer Data Breach","vimeo-confirms-user-and-customer-data-breach-6e3f4b","Vimeo confirms data breach via compromised Anodot vendor; ShinyHunters demands ransom by April 30.","Vimeo disclosed a data breach affecting user and customer information after attackers compromised the Anodot analytics platform, a third-party vendor integration. The stolen data includes technical information, video metadata, and email addresses, but excludes video content, credentials, and payment card data. 
The ShinyHunters cybercrime group has claimed responsibility and is threatening to leak data from Vimeo's Snowflake and BigQuery instances unless a ransom is paid by April 30.","https:\u002F\u002Fwww.securityweek.com\u002Fvimeo-confirms-user-and-customer-data-breach\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FVimeo.jpeg","2026-04-28T17:11:55+00:00",{"id":306,"title":307,"slug":308,"brief":309,"ai_summary":310,"url":311,"image_url":312,"published_at":313},"b849d414-da69-46e3-be87-b38b4f9174c8","US reportedly charges Scattered Spider hacker arrested in Finland","us-reportedly-charges-scattered-spider-hacker-arrested-in-finland-a7664f","US charges 19-year-old Scattered Spider member arrested in Finland for extortion breaches.","A 19-year-old dual US-Estonian citizen arrested in Finland on April 10 faces federal wire fraud, conspiracy, and computer intrusion charges for allegedly being a prolific member of Scattered Spider, a financially motivated hacking collective. Court records show the suspect (alias 'Bouquet') participated in at least four breaches targeting major corporations, including a luxury retailer in May 2025 where attackers posed as employees via social engineering and MFA fatigue attacks to steal credentials, demanding $8 million in ransom. 
Scattered Spider is a loosely knit group of teenagers and young adults known for combining social engineering, MFA bombing, and SMS phishing to extort millions from high-profile victims worldwide.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fus-reportedly-charges-scattered-spider-hacker-arrested-in-finland\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F20\u002FHacker-spider-large_blue.jpg","2026-04-28T15:39:52+00:00",{"id":315,"title":316,"slug":317,"brief":318,"ai_summary":319,"url":320,"image_url":321,"published_at":322},"e5787ba7-3c3e-4062-9bf4-d68c2207e382","Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak","medtronic-hack-confirmed-after-shinyhunters-threatens-data-leak-0be119","Medtronic confirms cyberattack by ShinyHunters claiming 9M records stolen.","Medical device manufacturer Medtronic confirmed a breach after the ShinyHunters cybercrime group claimed to have stolen 9 million records containing personal information and corporate data. The attackers demanded ransom by April 21, 2026, and Medtronic's removal from the leak site suggests a potential ransom payment. 
The company stated no impact to medical devices, patient safety, or critical operations.","https:\u002F\u002Fwww.securityweek.com\u002Fmedtronic-hack-confirmed-after-shinyhunters-threatens-data-leak\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F04\u002FMedtronic.jpeg","2026-04-28T06:35:19+00:00",{"id":324,"title":325,"slug":326,"brief":327,"ai_summary":328,"url":329,"image_url":330,"published_at":331},"d58109e8-83ad-48e1-8ece-3750f88af13e","Medtronic confirms breach after hackers claim 9 million records theft","medtronic-confirms-breach-after-hackers-claim-9-million-records-theft-8158e2","Medtronic confirms breach; ShinyHunters claims 9M records theft and ransom demand.","Medical device manufacturer Medtronic disclosed a breach of corporate IT systems after the ShinyHunters threat group claimed to have stolen over 9 million records containing personally identifiable information. The attackers demanded ransom by April 21 but Medtronic has since been removed from ShinyHunters' public leak site. 
The company states the breach did not impact patient safety, products, or manufacturing operations, as those systems are segregated from corporate IT networks.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fmedtronic-confirms-breach-after-hackers-claim-9-million-records-theft\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F27\u002FMedtronic.jpg","2026-04-27T13:50:42+00:00",{"id":333,"title":334,"slug":335,"brief":336,"ai_summary":337,"url":338,"image_url":339,"published_at":340},"ee0055fb-e307-4408-a44b-31bc63f11cfc","‼️ LAPSUS$ Group claims 3 victims\n\n🇪🇸 MAPFRE\n🇬🇧 Vodafone\n🇮🇱 Checkmarx https:\u002F\u002Ft.co\u002F2C2SWqZMvU","lapsus-group-claims-3-victims-mapfre-vodafone-checkmarx-https-t-co-2c2swqzmvu-c1cc1e","LAPSUS$ claims breaches of MAPFRE, Vodafone, and Checkmarx.","The LAPSUS$ threat group has publicly claimed responsibility for breaching three major organizations across different countries: MAPFRE (Spain), Vodafone (UK), and Checkmarx (Israel). This continues LAPSUS$'s pattern of high-profile attacks targeting large enterprises and critical service providers. 
The claims typically precede data exfiltration threats or ransom demands.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2048185612209881515","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHGyd4zfWkAAvoSq.png","2026-04-25T23:41:18+00:00",{"id":342,"title":343,"slug":344,"brief":345,"ai_summary":346,"url":347,"image_url":348,"published_at":349},"30cd9135-b2b9-4e5d-aeb7-4f083acf73d2","CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline","cisa-adds-4-exploited-flaws-to-kev-sets-may-2026-federal-deadline-ff0558","CISA adds 4 actively exploited vulnerabilities to KEV catalog with May 2026 federal deadline.","CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog on April 25, 2026, including critical flaws in SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X routers, all with evidence of active exploitation. The SimpleHelp vulnerabilities (CVE-2024-57726, CVE-2024-57728) have been linked to ransomware campaigns by DragonForce, while Samsung and D-Link flaws are associated with Mirai botnet deployments. 
Federal agencies must apply patches or discontinue affected appliances by May 8, 2026.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F04\u002Fcisa-adds-4-exploited-flaws-to-kev-sets.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgBMgO4j_Nf0B9HdU4WtN1axBdJFNJgV6Xvb8pCk0kooK6_-gNIxfURSqLIJuuzaufzvoXVTkFFg9WfMkyHvu4h_DBQK4QMJ21JYdwWtLem-CSOgTEYFhXazp4aSPJJglbiZel1V5aatqMKFCXk3scw-3UmMzQPrmTn-CbgBBjpLu_i4TBfNyS2kgZSkreW\u002Fs1600\u002Fcisa-kev.jpg","2026-04-25T05:08:00+00:00",{"id":351,"title":352,"slug":353,"brief":354,"ai_summary":355,"url":356,"image_url":357,"published_at":358},"fa166854-4990-4634-9cc6-636120076b18","ADT confirms data breach after ShinyHunters leak threat","adt-confirms-data-breach-after-shinyhunters-leak-threat-fc93e0","ADT confirms data breach after ShinyHunters threatens to leak 10M customer records.","Home security company ADT confirmed a data breach on April 20, 2026, after the ShinyHunters extortion group claimed to have stolen over 10 million customer records and threatened to leak the data by April 27 unless ransom is paid. The attackers allegedly gained access via a vishing attack that compromised an employee's Okta SSO account, which was then used to access and exfiltrate data from ADT's Salesforce instance. 
The stolen data includes names, phone numbers, addresses, and in some cases dates of birth and partial SSNs, but no payment information or security system credentials were compromised.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fadt-confirms-data-breach-after-shinyhunters-leak-threat\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2024\u002F08\u002F08\u002Fadt-sign.jpg","2026-04-24T22:53:14+00:00",{"id":360,"title":361,"slug":362,"brief":363,"ai_summary":364,"url":365,"image_url":366,"published_at":367},"9e56ee7c-90c0-4ec2-bc8b-8a644dab1a83","Dark Web Informer","dark-web-informer-bc931e","Dark Web Informer aggregates breach, ransomware, and vulnerability intelligence from dark web and clearnet sources.","Dark Web Informer is a threat intelligence publication that aggregates and reports on data breaches, ransomware attacks, vulnerability disclosures, and darknet market activity. The excerpt showcases multiple recent breaches (Ledil Immobilier, CIBN Nigeria, Arkansas State Crime Lab, Taiseer) and CVEs including CVE-2026-34197 (Apache ActiveMQ RCE). 
The service appears to focus on monitoring threat actor activity and leaked datasets across criminal forums.","https:\u002F\u002Fdarkwebinformer.com","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002Fsize\u002Fw1200\u002F2026\u002F01\u002Fnew_profile_image-2.png","2026-04-23T15:32:34+00:00",{"id":369,"title":370,"slug":371,"brief":372,"ai_summary":373,"url":374,"image_url":375,"published_at":376},"fb22fd19-3ddf-473d-a41d-43cd3d9c633e","Third US Security Expert Admits Helping Ransomware Gang","third-us-security-expert-admits-helping-ransomware-gang-3e851a","Third US security expert pleads guilty to aiding BlackCat ransomware gang while working as negotiator.","Angelo Martino, a 41-year-old Florida-based ransomware negotiator, has pleaded guilty to collaborating with the BlackCat\u002FAlphv cybercrime group. While employed to negotiate with attackers on behalf of victims, Martino provided confidential information to the ransomware gang to maximize ransom payments in exchange for a share of the proceeds. 
This is the third guilty plea in a coordinated insider-threat investigation; law enforcement has seized $10 million in assets from Martino and previously secured guilty pleas from Kevin Martin (Texas) and Ryan Goldberg (Georgia), all facing up to 20 years in prison.","https:\u002F\u002Fwww.securityweek.com\u002Fthird-us-security-expert-admits-helping-ransomware-gang\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F03\u002Fhacker-sentenced-prison.jpeg","2026-04-21T14:44:24+00:00",{"id":378,"title":379,"slug":380,"brief":381,"ai_summary":382,"url":383,"image_url":384,"published_at":385},"6cafecca-aefd-42d6-a19f-c8dc5a1ef958","Data Breaches at Healthcare Organizations in Illinois and Texas Affect 600,000","data-breaches-at-healthcare-organizations-in-illinois-and-texas-affect-600-000-121770","Three US healthcare orgs disclose breaches affecting 600K patients in Illinois and Texas.","Three US healthcare organizations—North Texas Behavioral Health Authority (285K victims), Southern Illinois Dermatology (160K), and Saint Anthony Hospital (146K)—disclosed data breaches between October 2025 and February 2025. 
The incidents exposed personal information including SSNs and health records; Southern Illinois Dermatology was claimed by the Insomnia ransomware group, while Saint Anthony Hospital had two compromised employee email accounts.","https:\u002F\u002Fwww.securityweek.com\u002Fdata-breaches-at-healthcare-organizations-in-illinois-and-texas-affect-600000\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F03\u002Fhealthcare-medical.jpeg","2026-04-21T11:02:29+00:00",{"id":387,"title":388,"slug":389,"brief":390,"ai_summary":391,"url":392,"image_url":393,"published_at":394},"0931e95a-8690-408e-8399-0c3ec07f75b6","Former ransomware negotiator pleads guilty to BlackCat attacks","former-ransomware-negotiator-pleads-guilty-to-blackcat-attacks-51f279","Former ransomware negotiator pleads guilty to BlackCat attacks targeting U.S. companies.","Angelo Martino, a 41-year-old former employee of cybersecurity firm DigitalMint, pleaded guilty to conspiracy and extortion charges for participating in BlackCat (ALPHV) ransomware attacks in 2023. Working alongside two other negotiators, Martino shared confidential victim information and insurance details with BlackCat operators to maximize extortion demands, targeting at least five U.S. organizations including financial services firms and nonprofits. 
The three defendants collectively collected millions in ransom payments while paying BlackCat administrators 20% of proceeds for access to the ransomware and extortion infrastructure.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fformer-ransomware-negotiator-pleads-guilty-to-blackcat-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F21\u002FBlackCat.jpg","2026-04-21T10:12:21+00:00",{"id":396,"title":397,"slug":398,"brief":399,"ai_summary":400,"url":401,"image_url":402,"published_at":403},"6803b1f9-ca0c-4649-82cd-f4fb625d7d90","Florida Man Working as a Ransomware Negotiator Pleads Guilty to Conspiracy to Deploy Ransomware and Extort U.S. Victims","florida-man-working-as-a-ransomware-negotiator-pleads-guilty-to-conspiracy-to-de-ef8da3","Florida ransomware negotiator pleads guilty to aiding BlackCat attacks and extorting U.S. victims.","Angelo Martino, a 41-year-old Florida man employed as a ransomware negotiator, pleaded guilty to conspiring with BlackCat\u002FALPHV ransomware operators to attack and extort U.S. companies. Between April and November 2023, Martino leaked confidential negotiation data from his incident response firm's clients to BlackCat actors, maximizing ransom demands, and later directly participated in deploying ransomware alongside co-conspirators Ryan Goldberg and Kevin Martin, extorting at least $1.2 million in Bitcoin. 
Law enforcement has seized over $10 million in assets from Martino, and he faces up to 20 years in prison at sentencing in July 2026.","https:\u002F\u002Fwww.justice.gov\u002Fopa\u002Fpr\u002Fflorida-man-working-ransomware-negotiator-pleads-guilty-conspiracy-deploy-ransomware-and","https:\u002F\u002Fwww.justice.gov\u002Fthemes\u002Fcustom\u002Fusdoj_uswds\u002Fimages\u002Fmetatag-image--press-release.png","2026-04-20T22:09:15+00:00",{"id":405,"title":406,"slug":407,"brief":408,"ai_summary":409,"url":410,"image_url":43,"published_at":411},"ca22dec0-6e7d-4fe7-803f-b55812687e90","Daily Dose of Dark Web Informer - April 20th, 2026","daily-dose-of-dark-web-informer-april-20th-2026-45ae1b","Daily dark web threat digest reports multiple breaches, ransomware claims, and law enforcement actions across global","This daily threat intelligence digest aggregates recent dark web activity, including major data breaches affecting Nigerian bankers, Egyptian investors, Mexican emergency services, Israeli security institute, and Malaysian Agoda users. The report also documents ransomware claims against financial institutions and healthcare providers, plus the guilty plea of a Scattered Spider member involved in wire fraud and identity theft.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-april-20th-2026\u002F","2026-04-20T21:40:24+00:00",{"id":413,"title":414,"slug":415,"brief":416,"ai_summary":417,"url":418,"image_url":419,"published_at":420},"2f7f29a4-f635-4434-b4d0-471ea1b11453","Seiko USA website defaced as hacker claims customer data theft","seiko-usa-website-defaced-as-hacker-claims-customer-data-theft-0fa0c3","Seiko USA website defaced; attackers claim Shopify customer database theft and demand ransom.","The Seiko USA website was defaced over the weekend with attackers claiming they breached the company's Shopify backend and exfiltrated customer data including names, emails, phone numbers, order history, and shipping addresses. 
The threat actors issued a 72-hour extortion demand, threatening to publicly release the stolen database unless Seiko USA initiates ransom negotiations via a contact email added to a specific customer account. Seiko has removed the defacement but has not publicly confirmed the breach or responded to inquiries about the incident's legitimacy.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fseiko-usa-website-defaced-as-hacker-claims-customer-data-theft\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2023\u002F10\u002F25\u002Fseiko-header-image.jpg","2026-04-20T18:22:31+00:00",{"id":422,"title":423,"slug":424,"brief":425,"ai_summary":426,"url":427,"image_url":428,"published_at":429},"3e253136-a504-4ee0-9457-e840bdd856d3","Hackers Abuse QEMU for Defense Evasion","hackers-abuse-qemu-for-defense-evasion-79138c","Threat actors abuse QEMU emulator in ransomware and RAT campaigns for defense evasion.","Sophos reports that threat actors have been abusing QEMU, an open-source machine emulator, in at least two campaigns to deploy ransomware and remote access tools since late 2025. In campaign STAC4713 (linked to PayoutsKing ransomware), Gold Encounter exploited SonicWall VPN misconfigurations and CVE-2025-26399 in SolarWinds Web Help Desk, using QEMU as a covert reverse SSH backdoor for persistence. 
A second campaign STAC3725 exploited CVE-2025-5777 (CitrixBleed2) and deployed ScreenConnect alongside QEMU for credential harvesting and Active Directory reconnaissance.","https:\u002F\u002Fwww.securityweek.com\u002Fhackers-abuse-qemu-for-defense-evasion\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F03\u002Fkubernetes-cloud.jpeg","2026-04-20T11:35:29+00:00",{"id":431,"title":432,"slug":433,"brief":434,"ai_summary":435,"url":436,"image_url":437,"published_at":438},"e66f10b7-6861-4413-a5f4-6d921bebf948","‼️  Vercel has allegedly been breached by ShinyHunters, with a ransom demand of $2,000,000.\n\nhttp...","vercel-has-allegedly-been-breached-by-shinyhunters-with-a-ransom-demand-of-2-000-d8309c","Vercel allegedly breached by ShinyHunters with $2M ransom demand.","Threat actor group ShinyHunters has claimed responsibility for breaching Vercel, a popular frontend deployment platform, and is demanding $2 million in ransom. The breach potentially affects thousands of developers and organizations that rely on Vercel's services. Details regarding the scope of accessed data and affected systems remain unclear at this stage.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2045893769187275223","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHGR5gMdXAAAQx0C.png","2026-04-19T15:54:20+00:00",{"id":440,"title":441,"slug":442,"brief":443,"ai_summary":444,"url":445,"image_url":446,"published_at":447},"05ff6959-16a4-4023-906b-dc6cf4922dd6","HACKED","hacked-fecb35","Shopify store targeted by extortion-based data breach threatening customer database release.","A threat actor claims to have compromised a Shopify store's customer database containing names, emails, phone numbers, order history, and shipping data. The attacker created a fake customer account (ID: 8069776801871) as a communication vector and issued a 72-hour extortion ultimatum, threatening to publicly release the data unless an agreement is reached. 
This appears to be a targeted extortion attack using stolen customer data as leverage.","https:\u002F\u002Fseikousa.com\u002Fpages\u002Fpress-lounge","http:\u002F\u002Fseikousa.com\u002Fcdn\u002Fshop\u002Ffiles\u002FSeiko_Logo_Black_360x360_72_RGB_202f7114-83f9-411b-ab8a-ba39c054362a.jpg?v=1622219314","2026-04-18T14:43:44+00:00",{"id":449,"title":450,"slug":451,"brief":452,"ai_summary":453,"url":454,"image_url":43,"published_at":455},"6b1d1f4d-a74e-4bf1-be73-85709ff3f382","Daily Dose of Dark Web Informer - April 14th, 2026","daily-dose-of-dark-web-informer-april-14th-2026-05e0bf","Daily dark web threat digest covering breaches, ransomware, and critical infrastructure incidents across multiple","This is a curated daily threat intelligence digest aggregating multiple breach reports, ransomware claims, and vulnerability disclosures from dark web sources. Key incidents include alleged breaches of France's national ID agency (18M records), Venezuelan critical infrastructure SCADA compromise, Mexican telecom credentials exposure, and multiple ransomware group listings. The digest also covers CVE disclosures, iOS exploit kits, and various data dumps from government and commercial entities globally.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-april-14th-2026\u002F","2026-04-14T22:31:21+00:00",[],[],[],[],50]