Medical Practice of Dr. Richard Swift
January 12, 2026
•[ malware, cyberattack, data leak ]
DataBreaches reported on a class action lawsuit alleging that a Manhattan plastic surgery practice run by Dr. Richard Swift was compromised by a malware-related cyberattack in 2025 and that sensitive patient information was posted online. The suit alleged that a site hosted outside the U.S. displayed personal identifiers and medical record details for at least 22 patients, and that affected patients only learned about the breach after attackers contacted them directly. DataBreaches noted the same threat actors were linked to attacks on other plastic surgery practices and described a recurring pattern where attackers approached patients with demands in exchange for removing posted information. Public reporting did not confirm whether the practice paid, and the article noted the leak site later appeared offline.
Langley Twigg Law
January 11, 2026
•[ cyberattack, data breach, malware ]
Langley Twigg Law (Napier, New Zealand) stated it was hit by a cyberattack on January 11, 2026. The firm said digital forensics and cyber specialists confirmed a malicious third-party launched a virus on its IT network, which was not protected by its cybersecurity software at the time. The firm reported the attacker extracted a portion of data from its file server containing internal operational information and some client documents. Langley Twigg said it disconnected its network from the internet, notified the Privacy Commissioner and police, and was working to determine exactly what information was affected before contacting impacted clients.
At least one Telecom company in South Asia
January 8, 2026
•[ espionage, malware, threat intelligence ]
The Hacker News summarized Cisco Talos research attributing espionage-focused intrusions to a China-nexus actor tracked as UAT-7290. The campaign reportedly targets telecom entities in South Asia and Southeastern Europe, performing extensive reconnaissance followed by compromise activity that can lead to deployment of malware families including RushDrop, DriveSwitch, and SilentRaid. The article is threat-intelligence reporting focused on actor behavior, tooling, and geographic targeting, and it does not provide a bounded, single victim incident record with confirmed impact metrics (e.g., downtime or specific data stolen) for one named organization.
Iberia Airlines
January 7, 2026
•[ infostealer, malware, credential theft ]
TechRadar and HackRead summarized Hudson Rock research describing a campaign in which an actor using the alias Zestix (aka Sentap) leveraged credentials harvested by infostealer malware (e.g., RedLine, Lumma, Vidar) to access corporate cloud instances where multi-factor authentication was not enforced. Reporting stated the attacker obtained and attempted to auction or sell large volumes of sensitive corporate files from roughly 50 enterprises worldwide, with at least one victim reportedly losing on the order of 139GB of data. Specific victim impacts vary by organization, and the timing of initial credential theft was not fully specified.
At least one Booking.com user
January 7, 2026
•[ phishing, social engineering, malware ]
Research summarized by Cybernews described a ClickFix social-engineering campaign abusing Booking.com branding. Victims receive phishing emails about a cancelled reservation and a large charge; clicking through leads to a fake Booking.com page with a fake refresh flow and a simulated Blue Screen of Death. The page instructs the user to paste/run a malicious script (PowerShell) via Windows Run, which then fetches and executes remote code, disables Windows Defender, and establishes persistence with C2 connectivity. The link is campaign/threat-intel reporting and does not provide a single confirmed victim organization or a bounded incident count, but it describes successful infections driven by user-executed commands.
At least one hospitality company in Europe
January 5, 2026
•[ phishing, malware, unauthorized access ]
The article reports that Russian-linked threat actors targeted European hospitality companies using phishing emails masquerading as booking inquiries. Victims who opened the attachments triggered malware that displayed a fake blue screen while enabling unauthorized access to internal systems.
At least one PT Taspen customer
January 1, 2026
•[ scam, phishing, malware ]
The online scam involving PT Taspen, which involved sending APK files to retirees, represents an increasingly structured and dangerous form of cybercrime, particularly as it involves the specific exploitation of personal data. The malicious APK applications sent to victims were designed to resemble official PT Taspen apps and were used to trick users into unknowingly granting access to various sensitive elements on their Android devices.
Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU finds that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed initial access likely occurred via Remote Desktop Protocol using guessed weak/default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
At least one government official
January 1, 2026
•[ espionage, phishing, surveillance tools ]
A Mustang Panda espionage campaign (late Dec 2025 to mid-Jan 2026) using fake diplomatic briefing documents to trick high-level targets into installing surveillance tools. It does not provide a single named victim organization with a confirmed primary effect suitable for one incident record; it is campaign-level reporting.
Passenger ferry owned by GNV
December 17, 2025
•[ malware, foreign interference, sabotage ]
French authorities reported that the passenger ferry 'Fantastic' (operated by Italian shipping company Grandi Navi Veloci, GNV) was infected with malware while docked in the port of Ste, France. Officials stated the malware could have enabled the ship to be remotely controlled, prompting an investigation into possible foreign interference. Prosecutors said a Latvian national was arrested and charged after the malware was discovered.
The Minersville School District
December 15, 2025
•[ malware ]
Minersville Area School District reported a cybersecurity incident after security tools detected attempts to install malware on certain district systems on Monday, December 15, 2025. As a precaution, the district took its computer network offline to contain any potential infection and engaged cybersecurity specialists to investigate the activity, validate system integrity, and plan a safe restoration. The network shutdown disrupted district operations and led to the closure of schools on Tuesday, December 16, 2025. Public reporting did not confirm whether data was accessed or exfiltrated, and the incident was described primarily as a malware-install attempt and precautionary outage.
Undetermined government and diplomatic entities (Oman, Morocco, Palestinian Authority)
December 12, 2025
•[ malware, information theft, espionage ]
The Record summarized threat-intelligence reporting alleging a Hamas-affiliated group (called Ashen Lepus) used malware-laden documents to compromise multiple government and diplomatic entities tied to Oman, Morocco, and the Palestinian Authority, including a malware strain referred to as AshTag used for information theft.
China Xinchuang Initiative (at least one affiliated organization)
December 9, 2025
•[ phishing, malware, espionage ]
Security researchers reported a spear-phishing and malware campaign attributed to APT32 that successfully compromised at least one organization within Chinas Xinchuang Initiative IT ecosystem, resulting in unauthorized access for espionage purposes.
Apex Spine and Neurosurgery
December 9, 2025
•[ unauthorized access, malware, ransomware ]
An unauthorized actor accessed part of Apex Spine and Neurosurgerys computer network, copied files, and deployed malware that locked files on computer systems. The practice said the incident affected 2,500 individuals.
Milano Ristorazione
November 24, 2025
•[ ransomware, malware ]
On November 24, 2025, Milano Ristorazione experienced operational malfunctions caused by a LockBit 5.0 malware infection impacting internal systems. The disruption affected catering and restaurant service operations and triggered an investigation by authorities. No data theft or encryption was reported.
At least one Andorid user in Latin America
November 12, 2025
•[ malware, ransomware, phishing ]
The Record described a newly identified Android malware/ransomware campaign (DroidLock) distributed through phishing websites that trick users into installing fake apps and then lock devices behind a ransom message. The reporting focuses on a broad campaign targeting Spanish-speaking users rather than a single named victim organization with a discrete primary effect suitable for this datasets event unit. Because there is no specific victim organization, confirmed disruption window, or bounded impact scope for one entity, it is not coded here as an individual cyber event record.
At least one individual dowloading One Battle After Another torrent
November 12, 2025
•[ malware, trojan ]
This article summarizes Bitdefenders reporting on a malware distribution campaign that uses fake torrents claiming to contain a Leonardo DiCaprio film (One Battle After Another). The torrent bundle reportedly contains shortcut and script components that trigger a multi-stage infection chain leveraging PowerShell and other built-in Windows utilities, culminating in memory-resident deployment of the Agent Tesla remote access trojan
Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by Chinese blog MXRN, attackers breached the systems of Beijing linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems; the cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information that Knownsec had previously obtained in offensive operations, some of which were briefly published to GitHub before being removed.
Abraham Andreu's computer (part of Andromeda botnet)
November 6, 2025
•[ botnet, malware ]
A ComputerHoy journalist describes deliberately infecting a Windows PC in 2025 with the Andrmeda malware, which enrolls machines into a botnet so attackers can download additional payloads and execute arbitrary files remotely. The piece walks through how the author obtained the malware sample, how the infection behaves on the system, the use of Spains INCIBE antibotnet service and security tools to detect and remove Andrmeda, and what readers should do if they discover their own devices are part of the botnet. This is a self-inflicted test infection rather than an unsolicited attack on an organization.
Nikkei
November 4, 2025
•[ malware, data leak ]
Japanese media conglomerate Nikkei disclosed on 4 November 2025 that attackers had compromised its Slack messaging environment after malware on an employee's computer stole authentication credentials, which were then used to access multiple Slack accounts. The breach, discovered in September, exposed data for 17,368 employees and business partners, including their names, email addresses and chat histories. Nikkei forced password resets, reported the incident to Japan's Personal Information Protection Commission despite believing the stolen data falls outside formal reporting rules, and said no information related to confidential journalistic sources or reporting activities has been confirmed leaked.
