Starbucks
January 19, 2026
•[ phishing, credential theft, data breach ]
Starbucks disclosed a data breach affecting nearly 900 employees after attackers accessed Partner Central (the employee portal used to manage personal details, payroll, and benefits). Starbucks detected the incident on February 6, 2026 and said attackers obtained employee credentials through a phishing attack using fake websites mimicking the Partner Central portal. The company stated unauthorized access to employee accounts occurred between January 19 and February 11, 2026. Starbucks said some employees' personal information may have been accessed, including names, Social Security numbers, dates of birth, and bank account and routing numbers, and that affected employees were offered identity-protection services.
Undisclosed strategic advisory firm in the US
January 8, 2026
•[ spearphishing, QR codes, credential theft ]
An FBI flash alert described North Korea-linked Kimsuky (APT43) using spearphishing emails that contain QR codes to lure recipients to fake questionnaires, secure-drive links, or login pages, with the goal of stealing credentials or session tokens and hijacking cloud identities. The warning said the observed targeting includes U.S. organizations involved in North Korea policy/research/analysis such as NGOs, think tanks, academic institutions, strategic advisory firms, and government entities. The alert included examples (e.g., a June 2025 conference-invite lure) and explained that QR-driven flows can bypass traditional email controls by shifting the interaction to unmanaged mobile devices.
Iberia Airlines
January 7, 2026
•[ infostealer, malware, credential theft ]
TechRadar and HackRead summarized Hudson Rock research describing a campaign in which an actor using the alias Zestix (aka Sentap) leveraged credentials harvested by infostealer malware (e.g., RedLine, Lumma, Vidar) to access corporate cloud instances where multi-factor authentication was not enforced. Reporting stated the attacker obtained and attempted to auction or sell large volumes of sensitive corporate files from roughly 50 enterprises worldwide, with at least one victim reportedly losing on the order of 139GB of data. Specific victim impacts vary by organization, and the timing of initial credential theft was not fully specified.
CRRC MA
January 7, 2026
•[ credential theft, information-stealer malware, initial access broker ]
Reporting summarizing Hudson Rock research described an initial access broker believed to be an Iranian national operating under the aliases Zestix and Sentap who repeatedly accessed enterprise file repositories using credentials harvested by information-stealer malware (including RedLine, Lumma, and Vidar). Instead of exploiting a single company-specific vulnerability, the actor leveraged stolen usernames/passwords (some sitting in logs for years) to log into cloud/file-transfer environments lacking multi-factor authentication. The actor was described as exfiltrating large volumes of sensitive corporate data (examples referenced include aviation safety manuals, energy/utility mapping and infrastructure files, and medical/police-related records), then auctioning datasets or selling access on closed forums. Because the article describes a cross-victim pattern/campaign rather than one named-victim incident, this record is coded at the campaign level for a single-actor series of breaches.
Australian NBN
January 6, 2026
•[ initial access broker, information-stealer malware, RedLine ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors. Because the report is multi-victim and campaign-focused rather than a single victim's disclosure, this record is captured as a single-actor campaign entry.
At least one unnamed victim organization
January 1, 2026
•[ social engineering, credential theft, MFA manipulation ]
MuddyWater, an Iran-linked APT associated with Iran's Ministry of Intelligence and Security (MOIS), used Microsoft Teams social engineering against an unnamed victim organization in early 2026. The attackers established remote access, stole credentials, manipulated MFA protections, deployed AnyDesk and DWAgent for persistence, moved laterally, harvested VPN configuration files and other sensitive data, and exfiltrated information. The attackers later sent extortion emails referencing Chaos ransomware and directed the victim to a Chaos leak site, but reporting said no file-encrypting ransomware was deployed, indicating the ransomware framing was likely a false flag for espionage activity.
Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU reported that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed that initial access likely occurred via Remote Desktop Protocol using guessed weak/default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
Undisclosed organization
December 1, 2025
•[ email bombing, Microsoft Teams impersonation, Snow malware ]
UNC6692 used email bombing and Microsoft Teams helpdesk impersonation to deliver the Snow malware suite, moved laterally through the victim environment, reached domain controllers, extracted the Active Directory database and registry hives with FTK Imager, and exfiltrated the files using LimeWire.
At least one policy expert on Iran
November 5, 2025
•[ phishing, credential theft, espionage ]
The Hacker News, citing a Proofpoint investigation, describes a newly identified threat cluster dubbed UNK_SmudgedSerpent conducting credential phishing and remote access operations against more than twenty Iran-focused subject matter experts at a U.S.-based foreign policy think tank between June and August 2025, amid heightened Iran-Israel tensions. Attackers impersonated prominent policy figures and used benign email conversations to lure victims to fake Microsoft Teams and OnlyOffice login pages hosted on health-themed domains that captured account credentials. In some cases the operation progressed to deploying legitimate remote monitoring tools such as PDQ Connect and ISL Online for hands-on-keyboard access, supporting longer-term espionage against the target institution and aligning with tactics used by established Iranian cyber intelligence groups.
At least one LastPass user
October 24, 2025
•[ phishing, credential theft, account takeover ]
Phishing emails impersonated password-vault Emergency Access notices using false death claims to coerce replies (e.g., STOP), pivoting victims to a look-alike portal tied to CryptoChameleon infrastructure; harvested credentials enabled vault takeover attempts and secondary account compromise. Campaign reflects profit-seeking credential theft across many individuals rather than a single named organization.
At least one undisclosed Ukraine war-relief organization
October 22, 2025
•[ phishing, credential theft, malware ]
Targeted credential-theft/implant delivery against humanitarian and logistics organizations aiding Ukraine using well-crafted lures, HTML smuggling, and compartmentalized infrastructure. Intent is intelligence collection; campaign report covers multiple organizations without a single verified primary effect to code as an event.
KakaoTalk account of a South Korea–based counselor
September 5, 2025
•[ spear-phishing, malware, credential theft ]
According to research by Genians reported by BleepingComputer, a North Korean activity cluster linked to APT37 and KONNI targets South Koreans via spear-phishing emails that spoof national agencies and deliver signed MSI installers. Once executed, the chain installs a remote access toolkit that steals Google and Naver account credentials, giving attackers full
Undisclosed Indian government or infrastructure organisation(s)
September 1, 2025
•[ espionage, malware, credential theft ]
Pakistan-linked APT36 used themed lures and HTML/shortcut droppers to deliver cross-platform implants on Windows and BOSS Linux systems used by Indian government organizations, enabling credential theft, persistence and covert collection. Activity is espionage-oriented with no reported service outage.
DocketWise
September 1, 2025
•[ unauthorized access, third-party breach, credential theft ]
DocketWise discovered unauthorized access to a third-party partner repository used in a data migration pipeline; an unauthorized actor used valid credentials to clone repositories containing law-firm customer records and personal information of their clients.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsoft's July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. The primary effect was covert access and collection, not service outage.
LG Uplus
July 1, 2025
•[ unauthorized access, data leak, credential theft ]
LG Uplus reported illegal access to internal information after a breach affecting company servers. Investigators said exposed information included server lists, server account credentials, and employees' names, and later found that forensic reconstruction was hindered after key systems were reinstalled or discarded.
Government of Paraguay (employee workstation compromise)
June 7, 2025
•[ data leak, infostealer, credential theft ]
Infostealer malware installed on a Paraguayan government employee's computer harvested credentials and tokens, enabling attackers to exfiltrate databases containing personal information on effectively the entire national population. Security researchers confirmed that millions of identity records, including names, national IDs, and contact details, were leaked online in early June 2025. The Record verified the exposure and found no evidence of ransomware or system disruption.
Undisclosed U.S. government agency (reported as “Department of Government Efficiency”)
May 8, 2025
•[ malware, infostealer, credential theft ]
Ars Technica reports that a government software engineer's workstation was infected with info-stealing malware, with login credentials appearing in multiple stealer-log dumps since 2023; the investigation centers on credential exposure rather than confirmed enterprise compromise.
Users of Indian banking mobile apps
February 11, 2025
•[ malware, phishing, data leak ]
Android malware campaign disguised as Indian bank apps, distributed via phishing links and fake APKs to install FinStealer; exfiltration of banking credentials and personal information confirmed by CYFIRMA and other researchers.
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Security's Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.