CRRC MA
January 7, 2026
•[ credential theft, information-stealer malware, initial access broker ]
Reporting summarizing Hudson Rock research described an initial access broker believed to be an Iranian national operating under the aliases Zestix and Sentap who repeatedly accessed enterprise file repositories using credentials harvested by information-stealer malware (including RedLine, Lumma, and Vidar). Instead of exploiting a single company-specific vulnerability, the actor leveraged stolen usernames/passwords (some sitting in logs for years) to log into cloud/file-transfer environments lacking multi-factor authentication. The actor was described as exfiltrating large volumes of sensitive corporate data (examples referenced include aviation safety manuals, energy/utility mapping and infrastructure files, and medical/police-related records), then auctioning datasets or selling access on closed forums. Because the article describes a cross-victim pattern/campaign rather than one named-victim incident, this record is coded at the campaign level for a single-actor series of breaches.
Higham Lane School
January 7, 2026
•[ cyberattack, operational disruption, IT outage ]
Cybernews reported that Higham Lane School, a secondary school in Nuneaton, England, temporarily closed due to a cyberattack. According to the headteacher's message to parents cited in the article, the school took all IT systems and digital services completely offline as a precaution, including telephones, email, servers, and the school's management system. The report does not identify the threat actor, method of intrusion, or whether data was accessed; the primary confirmed impact is operational disruption and loss of communications/management systems while the school responded.
At least one Booking.com user
January 7, 2026
•[ phishing, social engineering, malware ]
Research summarized by Cybernews described a ClickFix social-engineering campaign abusing Booking.com branding. Victims receive phishing emails about a cancelled reservation and a large charge; clicking through leads to a fake Booking.com page with a fake refresh flow and a simulated Blue Screen of Death. The page instructs the user to paste/run a malicious script (PowerShell) via Windows Run, which then fetches and executes remote code, disables Windows Defender, and establishes persistence with C2 connectivity. The link is campaign/threat-intel reporting and does not provide a single confirmed victim organization or a bounded incident count, but it describes successful infections driven by user-executed commands.
40 Danish websites (ministries, municipalities, businesses; incl. Ministry of Foreign Affairs and Rejsekort named in reporting)
January 7, 2026
•[ DDoS, Russian hacker groups, politically motivated disruption ]
Reporting cited by Denmark's CPH Post said Russian hacker groups carried out DDoS attacks over the prior month against around 40 Danish websites belonging to ministries, municipalities, and companies. The attacks aimed to overload systems and made several sites inaccessible for hours. The report referenced affected entities including Denmark's Ministry of Foreign Affairs and Rejsekort, consistent with politically motivated disruption rather than data theft.
OpenLoop Health
January 7, 2026
•[ data leak, unauthorized access, medical information ]
OpenLoop Health disclosed that an unauthorized third party accessed certain systems between January 7 and January 8, 2026 and removed files containing patient personal and medical information.
Wamtechnik Sp. z o.o.
January 7, 2026
•[ ransomware, data extortion, data leak ]
The Gentlemen ransomware group claimed responsibility for a data-extortion attack against Wamtechnik Sp. z o.o., a Polish battery and industrial power-systems manufacturer, on January 7, 2026 and threatened to publish a full leak unless the company initiated negotiations. Public reporting did not confirm encryption, deletion, operational disruption, or the specific data volume.
Final Fantasy 14's European or Asian servers
January 6, 2026
•[ DDoS attack, service disruption, distributed denial-of-service ]
Reporting described sustained distributed denial-of-service (DDoS) attacks disrupting Final Fantasy XIV's North American servers during the launch window for a newly released savage raid tier. Players reported frequent disconnects and unstable service during peak playtimes, and community tracking cited repeated incidents throughout the day, including reports of around 15 disruptions in a single day. The disruptions affected progression and organized play and persisted over multiple days.
NMCV Business LLC
January 6, 2026
•[ information-stealer malware, initial access broker, credential harvesting ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors.
Australian NBN
January 6, 2026
•[ Initial Access Broker, Information-stealer malware, RedLine ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors. Because the report is multi-victim and campaign-focused rather than a single victim's disclosure, this record is captured as a single-actor campaign entry.
UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
Netstar Australia
January 5, 2026
•[ ransomware, data leak, financial data ]
Netstar Australia, a Melbourne-based telematics and GPS fleet tracking provider, was named on a ransomware leak site in December 2025 by the Black Shrantac ransomware group. The threat actors alleged they compromised Netstar's systems and stole customer, financial, and database information, claiming roughly 800GB of data and posting sample files said to include internal records related to staff, tax, equipment, and customers. Public reporting noted that Netstar had not provided a detailed public statement confirming the claims at the time of publication.
Brightspeed
January 5, 2026
•[ cybersecurity event, extortion, data breach ]
Brightspeed said it is investigating reports of a cybersecurity event after the Crimson Collective extortion group claimed it breached the company and stole personal data tied to more than one million residential customers. Reporting described the attackers' claimed dataset as including names, emails, phone numbers, postal addresses, user account information linked to session or user IDs, payment history, partial payment card information, and appointment or order records containing customer information. Brightspeed publicly stated that it takes security seriously, is investigating the reports, and would keep customers, employees, and authorities informed as it learns more.
At least one hospitality company in Europe
January 5, 2026
•[ phishing, malware, unauthorized access ]
The article reports that Russian-linked threat actors targeted European hospitality companies using phishing emails masquerading as booking inquiries. Victims who opened the attachments triggered malware that displayed a fake blue screen while enabling unauthorized access to internal systems.
Bolttech
January 5, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that the Everest ransomware group claimed to have stolen about 186GB of data from Bolttech (a global insurance infrastructure platform) and demanded ransom. The group claimed the dataset includes employee/agent account details (emails, names, roles, identifiers), customer information and contact details, policy data, mortgage-related records, insured property addresses, and financial parameters/identifiers. The group posted samples and a countdown timer on its leak site, threatening to publish the data if Bolttech did not respond. The article notes the claim was based on the leak-site post and that confirmation from Bolttech was being sought.
Former Minister Ayelet Shaked
January 3, 2026
•[ data leak, unauthorized access, cyber espionage ]
Iran-linked hacking group Handala claimed it breached the mobile phone of former Israeli minister Ayelet Shaked and published roughly 60 photos and videos it said were stolen from her device. The group alleged it held additional messages, documents, and other confidential material and urged followers to expect further releases. The reported effect is limited to alleged unauthorized access and data theft/exposure involving a single political figure, with no operational disruption to organizations reported.
Venezuelan Power Grid
January 3, 2026
•[ cyber-physical disruption, critical infrastructure, state-led operation ]
Reporting described a U.S. cyber operation on January 3, 2026 that allegedly plunged parts of Venezuela's capital into darkness by disrupting electric power systems and also interfered with military air-defense radar as part of a broader U.S. raid/capture operation. Sources cited in public reporting characterized it as a high-visibility use of offensive cyber capabilities designed to create a temporary but precise disruption window, including the ability to restore systems afterward. The incident is best coded as a state-led cyber-physical disruption targeting critical infrastructure and defense-related systems in support of an operational objective; public reporting did not provide victim counts, exact affected assets, or detailed dwell time.
Prosura
January 2, 2026
•[ Data leak, Cyber incident, Personally Identifiable Information (PII) ]
Prosura, a car rental insurance provider that partners with VroomVroomVroom and trades as Hiccup, reported a cyber incident after a third party accessed its internal IT systems. Cybernews reported that attackers posted what they claimed was stolen Prosura data on a leak forum and described a dataset of roughly 98 million lines. Cybernews said its team reviewed the sample and believed it could be legitimate, noting it included photocopies of drivers' licenses and full insurance policies containing personally identifiable information. The article also reported that Prosura said it was working to verify the claims, had taken mitigation steps (including halting sales and some self-service functions), and stated that payment information was not exposed because it does not store credit card details.
WhiteDate
January 2, 2026
•[ hacktivism, data leak, data destruction ]
Reporting describes a hacktivist using the pseudonym Martha Root who infiltrated an extremist dating website and related sites and later demonstrated deleting them live on stage during the Chaos Communication Congress. The coverage indicates the actor used automated tools/AI chatbots to extract and download user profile information and then published the acquired dataset. As described, the incident combined disruptive impact (site/service deletion) with unauthorized access and data acquisition affecting site users.
Esquire Brands
January 2, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that Esquire Brands (a children's footwear maker operating several brands/licenses) was posted on the Play ransomware leak site, with attackers threatening to publish stolen data shortly thereafter. According to the leak-site post summarized in the article, the attackers claimed they obtained client documents, payroll data, and finance information. The report frames the incident as data theft with extortion leverage (a typical double-extortion posture).