KazMunaiGas
May 5, 2025
•[ social, hack, phishing ]
A spear-phishing campaign disguised as internal HR communications delivered multi-stage malware to KMG employees. Attackers used a compromised business email, LNK downloader, PowerShell (DOWNSHELL), and DLL implant to establish reverse shell access. KMG later labeled it a phishing test.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ hack, social, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in the United States of America using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in the United Kingdom using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Government entities (36, Central Asia & APAC)
May 1, 2025
•[ espionage, phishing, malware ]
Phishing lures and Telegram bot-based malware were used by the ShadowSilk cluster to compromise 36 government entities across Central Asia and the Asia-Pacific region between May and July 2025. The campaign focused on espionage, enabling unauthorized access and data theft, and was publicly reported in August 2025 by The Hacker News.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, espionage, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in France using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, phishing ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in Canada using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Defense and critical-infrastructure entities in Armenia
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Armenia, resulting in unauthorized access and data exfiltration.
Multiple devices at undisclosed telecommunications firm(s)
May 1, 2025
•[ social, hack, malware ]
UNC1549 (Subtle Snail) compromised multiple devices at an undisclosed telecommunications firm in the United Arab Emirates using LinkedIn job-lures and the MINIBIKE backdoor; Azure-hosted C2 infrastructure was observed. No confirmed data exfiltration volumes or operational disruption reported.
Defense and critical-infrastructure entities in Ukraine
May 1, 2025
•[ phishing, unauthorized access, data leak ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Ukraine, resulting in unauthorized access and data exfiltration.
Defense and critical-infrastructure entities in Kazakhstan
May 1, 2025
•[ phishing, data leak, espionage ]
Rare Werewolf APT, a Russia-aligned espionage group, conducted spear-phishing and remote-administration tool-based intrusions in May-June 2025 targeting defense and critical-infrastructure entities in Kazakhstan, resulting in unauthorized access and data exfiltration.
Pepe memecoin website
April 12, 2025
•[ website compromise, phishing, malware ]
The official website for the Pepe (PEPE) memecoin was compromised in a front-end attack that redirected visitors to a malicious site. According to Blockaid and Cointelegraph reporting, the compromised front-end contained code associated with the Inferno Drainer family and redirected users to a fake site that injects malicious code intended to drain crypto wallets. Users were advised to avoid interacting with the site while the issue was being addressed; the reporting did not quantify how many users were affected or whether wallet losses occurred.
Jaaved Jaaferi / X (Twitter) account
April 5, 2025
•[ account takeover, phishing, scam ]
On April 5, 2025, the verified X (formerly Twitter) account of Indian actor Jaaved Jaaferi was hijacked and used to post cryptocurrency scam and phishing messages. The actor warned followers via Instagram not to engage. Control was restored within hours, and no data theft or cross-platform compromise was reported.
Undisclosed Australian School
March 30, 2025
•[ phishing ]
Hoax school shooting emails were sent after school email accounts were hacked.
The Arc of Palm Beach County
March 28, 2025
•[ phishing ]
Attackers compromised a staff email account at The Arc of Palm Beach County, Florida, and used it to send fraudulent payment instructions that resulted in the theft of approximately US $3 million; no data exfiltration or ransomware reported.
Parcel Plus (Hanover)
March 28, 2025
•[ phishing, data leak ]
York County tax preparer reported a spear-phishing breach linked to foreign actors.
Troy Hunt's Mailchimp List
March 25, 2025
•[ hack, phishing, technology ]
In March 2025, a phishing attack successfully gained access to Troy Hunt's Mailchimp account and automatically exported a list of people who had subscribed to the newsletter for his personal blog. The exported list contained 16k email addresses and other data automatically collected by Mailchimp including IP address and a derived latitude, longitude and time zone.
Undisclosed European drone manufacturer
March 25, 2025
•[ phishing, social engineering, malware ]
North Korean operators approached European defense engineers with fake job offers, delivering loaders that sideloaded ScoringMathTea and BinMergeLoader/MISTPEN to exfiltrate proprietary UAV designs and manufacturing know-how. Intelligence-collection focus; campaign targets several firms rather than one discrete victim record.
Troy Hunt / Have I Been Pwned Mailing List
March 25, 2025
•[ phishing, data leak, account takeover ]
Phishing led to Mailchimp account takeover and export of subscriber list.
Delta Dental of Virginia
March 21, 2025
•[ phishing, data leak ]
An unauthorized actor accessed a Delta Dental of Virginia employee email account between March 21 and April 23, 2025, viewing or acquiring emails and attachments containing personal, financial, and protected health information for 145,918 individuals. Notification letters were issued on November 21, 2025.
StreamElements
March 20, 2025
•[ phishing, data leak ]
StreamElements confirmed that one of its former third-party service providers experienced a data breach, which led to the exposure of customer information including names, addresses, phone numbers and email addresses. The breach is believed to relate to the period between 2020 and 2024. Although StreamElements stated its own servers were not compromised, it is actively contacting affected customers and warning of increased phishing risk.