At least one Claude Code user
April 30, 2026
•[ malware, fake installer, credential harvesting ]
A fake Claude Code installer campaign likely affected many users searching for Anthropic's Claude Code tool, though public reporting did not identify specific victims or quantify the total number infected. The campaign delivered a PowerShell payload that extracted decrypted cookies, saved passwords, and payment data from Chromium-based browsers on infected machines. Public reporting did not identify the specific actor, country, volume of stolen data, or any operational disruption.
Undisclosed Sri Lankan government entity
April 30, 2026
•[ cyber espionage, Shadow-Earth-053, unpatched servers ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Sri Lankan government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Taiwanese government entity
April 30, 2026
•[ espionage, state-sponsored, web shells ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Taiwanese government environment by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Undisclosed Polish defense-sector organization
April 30, 2026
•[ espionage, web shells, ShadowPad ]
Shadow-Earth-053, a China-aligned espionage cluster, was reported to have compromised an undisclosed Polish defense-sector organization by exploiting unpatched Microsoft Exchange and IIS servers, deploying web shells and ShadowPad, collecting credentials, and exporting mailbox contents.
Developers using compromised Lightning and Intercom packages
April 29, 2026
•[ software supply-chain attack, malware, credential harvesting ]
TeamPCP conducted a Mini Shai-Hulud software supply-chain attack by injecting credential-stealing malware into Lightning Python versions 2.6.2 and 2.6.3, intercom-client npm versions 7.0.4 and 7.0.5, and intercom-php 5.0.2. The malware harvested secrets from developer and CI/CD environments and created more than 1,800 GitHub repositories containing stolen credentials.
At least one Facebook Business account owner
April 1, 2026
•[ phishing, account takeover, credential harvesting ]
The AccountDumpling phishing campaign, linked to Vietnamese criminal actors, abused Google AppSheet as a phishing relay to send authenticated phishing emails impersonating Meta/Facebook support. The phishing pages harvested Facebook Business account credentials, recovery information, 2FA codes, and identity documents, enabling account takeover and resale through an illicit storefront. Reporting mapped roughly 30,000 compromised accounts across more than 50 countries.
The Ukrainian State Hydrology Agency
March 19, 2026
•[ phishing, vulnerability exploitation, XSS ]
BleepingComputer reported that Russia-linked APT28 (GRU) exploited a Zimbra Collaboration Suite vulnerability (CVE-2025-66376) in attacks targeting Ukrainian government entities. Researchers described a phishing operation (Operation GhostMail) where a single HTML email body triggered obfuscated JavaScript exploiting the Zimbra XSS flaw when opened in a vulnerable webmail session. The payload was described as harvesting credentials, session tokens, backup 2FA codes, browser-saved passwords, and mailbox contents going back 90 days, with exfiltration over DNS and HTTPS. One referenced target was the Ukrainian State Hydrology Agency.
One Syrian government email account
March 12, 2026
•[ phishing, credential harvesting, account compromise ]
Proofpoint also observed activity from a cluster tracked as UNK_NightOwl that sent phishing emails to a Middle Eastern government ministry using both a compromised Syrian government account and an attacker-controlled address. The emails referenced the escalating conflict and directed recipients to a domain spoofing Microsoft OneDrive that hosted an Outlook Web App-style credential harvesting page before redirecting victims to a legitimate conflict monitoring site.
Undisclosed cryptocurrency organization
March 9, 2026
•[ cryptocurrency, social engineering, cloud compromise ]
The Hacker News reported (citing Google Cloud) that North Korea-linked UNC4899 conducted a sophisticated 2025 cloud compromise targeting an unnamed cryptocurrency organization, stealing millions in cryptocurrency. The intrusion began with social engineering that tricked a developer into downloading a malicious archive for a supposed open-source collaboration; the developer then transferred the file to a work device via AirDrop. After malicious Python code executed and a binary masquerading as kubectl ran, the attackers pivoted into the cloud environment and abused legitimate DevOps workflows to harvest credentials, escape container confines, and tamper with Cloud SQL databases to modify financial logic enabling theft. This is coded as a confirmed successful intrusion with financial theft.
NMCV Business LLC
January 6, 2026
•[ information-stealer malware, initial access broker, credential harvesting ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors.
UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
Undisclosed European telecommunications company
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-nexus operators breached a telecom by exploiting an edge service (e.g., NetScaler/SharePoint), then established persistence with SnappyBee-family tooling, harvested credentials and moved laterally to support systems for intelligence collection. No service interruption reported; primary effect is covert access and data staging.
Undisclosed Ukrainian business services organization
June 27, 2025
•[ webshell, credential harvesting, data leak ]
Symantec-reported intrusion beginning June 27, 2025 used LocalOlive webshell and LOTL techniques to harvest credentials and system data; activity persisted through mid-2025; no disruption reported.
At least one individual in Ukraine
January 6, 2024
•[ phishing, credential harvesting, state-sponsored attack ]
The article reports researchers observed a months-long phishing/credential-harvesting operation targeting users of UKR.NET, a popular Ukrainian webmail and news service. The campaign ran from June 2024 through April 2025 and was attributed to Russian state-backed BlueDelta (APT28/Fancy Bear/Forest Blizzard). Researchers said the actors created multiple fake UKR.NET login pages and sent phishing emails with PDF attachments containing embedded links to the fraudulent portals, with more than 20 linked PDF lure files identified. The purpose was assessed as harvesting credentials and gathering intelligence supporting broader Russian objectives; the reporting did not quantify how many users were successfully compromised.
