Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

As AI tools become the fastest, cheapest way to get medical advice, a quiet gap is opening in how our most sensitive data is protected. Many AI-powered health assistants — built by companies like OpenAI, Anthropic, and Google — operate outside traditional healthcare regulations such as HIPAA. The result: deeply personal health data may be handled under consumer-tech privacy standards, not medical ones.

This isn’t just a healthcare story. It’s a pattern we’re seeing across industries and geographies: AI systems moving faster than the regulations designed for the roles they’re now playing. From finance to education, from HR to legal advice, AI increasingly acts like a regulated professional — without always being treated like one under the law.

As convenience wins and guardrails lag, this week’s news raises a familiar infosec question: when technology changes the function, but regulation still defines the form, where does accountability really sit?

Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🗾 🍆 Happy Valentine’s Day — Sex toy maker Tenga alerted customers that a hacker accessed an employee email account and may have stolen names, emails, and past order or support messages. The attacker also sent spam to the compromised contacts. Tenga reset credentials, enabled multi-factor authentication, and urged customers to change passwords and watch for suspicious emails.

🇰🇷 💍 South Korea fined Louis Vuitton, Dior, and Tiffany $25 million for poor security that let hackers access customer data. The breaches exposed names, contacts, addresses, and purchase histories for over 5.5 million people. Authorities said using SaaS does not remove companies’ duty to protect data.

🇷🇴 🛢 Romania's oil pipeline operator Conpet confirmed it was hit by a Qilin ransomware attack that stole company data. The company says operations were not affected but it is working with national cyber authorities to investigate. Leaked documents may contain sensitive personal and financial information, so people should be wary of suspicious requests.

🇳🇱 Dutch telecom Odido says a cyberattack exposed personal data of about 6.2 million customers. The breach hit their customer contact system and may include names, addresses, emails, phone numbers, IBANs, and ID numbers. Odido blocked access, alerted authorities, and is notifying affected customers.

🇺🇸 🥼 A May 2025 cyberattack on ApolloMD exposed PII and PHI for 626,540 people — Stolen data included names, addresses, dates of birth, medical and insurance details, and possibly Social Security numbers. ApolloMD notified affected parties, offered free credit monitoring, and the Qilin group posted the breach online.

🇺🇸 🚗 Volvo Group North America had personal data of about 17,000 customers and staff exposed after a breach at service provider Conduent. The stolen data included names, Social Security numbers, birthdates, IDs, and medical and insurance details. Conduent is notifying affected people and offering identity and credit monitoring.

👀 A hacktivist scraped about 536,000 payment records from a vendor of stalkerware apps, exposing customers’ email addresses and partial card details. The data covered services like uMobix, Xnspy, Geofinder and Peekviewer and was verified by TechCrunch. The vendor appears linked to companies called Ersten Group and Struktura, which did not respond to requests for comment.

🇪🇺 👀 The European Commission’s CERT-EU found signs of a cyberattack on its IT systems used for mobile device management. The incident was contained and cleaned within nine hours, and no mobile devices were compromised. Some staff names and phone numbers may have been accessed and a full review is underway.

🔗 Partners and Affiliates

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇵🇰 🇮🇳 Pakistan-linked groups SideCopy and APT36 are running cross-platform campaigns targeting Indian defense and government organizations. They use phishing lures to deliver remote access trojans (Geta RAT, Ares RAT, DeskRAT) for long-term data theft and access on Windows and Linux. The attacks use stealthy techniques and trusted regional lures to maintain persistence and avoid detection.

🇳🇱 Dutch police arrested a 21-year-old seller accused of offering JokerOTP, a phishing tool that intercepts one-time passcodes to hijack accounts. The JokerOTP service reportedly caused over $10 million in losses across 28,000+ attacks by automating calls that trick victims into revealing OTPs. Authorities dismantled the operation after a three-year probe and say more suspects and buyers will be prosecuted.

🇨🇳 🇺🇸 Daren Li, a dual Chinese and St. Kitts and Nevis national, was sentenced in absentia to 20 years for his role in a cryptocurrency "pig butchering" scam that stole over $73 million from U.S. victims. The scheme used romance and messaging apps to launder funds through shell companies, banks, and crypto platforms. Li fled before sentencing after cutting off his ankle monitor, and investigators found hundreds of millions in related crypto wallets.

🇨🇳 🇸🇬 Singapore's Cyber Security Agency says China-linked UNC3886 targeted the country's four major telcos. Attackers used advanced tools, a zero-day exploit, and rootkits to gain access to network systems. CSA says no customer data was seen taken and has closed the attackers' access.

🇺🇸 Two Connecticut men are accused of using about 3,000 stolen identities to create fake accounts and steal roughly $3 million from FanDuel and other gambling sites. They allegedly bought PII on darknet and Telegram, used background-check services to pass verifications, and tracked victims in a spreadsheet. Prosecutors charged them with multiple counts including wire fraud, identity fraud, and money laundering.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🎩 Hacker Vincenzo Iozzo (@_snagg), linked in newly released documents to Jeffrey Epstein, was removed from Black Hat and Code Blue conference websites. Iozzo says he only knew Epstein for business, denies wrongdoing, and welcomes an investigation. Conferences say his name was taken off their review boards amid the document release and unrelated membership updates.

🛑 💬 🇷🇺 Russia is trying to fully block WhatsApp and has already throttled Telegram to push users onto the state-backed MAX app. WhatsApp and Telegram say this move harms privacy and safety and they will try to keep users connected. People in Russia can still use VPNs or external DNS for now, but those tools are also under pressure.

🇺🇸 Nevada announced a new statewide data classification policy to standardize how agencies label and protect information. Data must be placed into four categories—public, sensitive, confidential, or restricted—with unclear items treated as more restrictive. The policy aims to improve cybersecurity and guide future protections after a disruptive cyberattack.

🇪🇺 🤝 The EU gave unconditional approval for Google’s $32 billion buyout of cloud security firm Wiz — Regulators found no competition concerns and said customers have credible alternatives. Google says Wiz will stay available on all major clouds, though some worry about lost neutrality.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🏦 Security researchers say a threat actor called UAT-9921 is using a new modular malware framework named VoidLink to target technology and financial firms. VoidLink provides stealthy, compile-on-demand implants and plugins for Linux, Windows, and cloud environments, lowering the skill needed to build hard-to-detect malware. Talos warns the framework includes RBAC, evasion features, and C2-driven plugin delivery, enabling broad reconnaissance and persistent access.

🧩 Researchers found 30 fake Chrome extensions, called AiFrame, that pose as AI assistants and have over 300,000 installs. The extensions load remote iframes and steal page content, credentials, and Gmail messages, sending data to a single malicious domain. Users should check the indicators, remove any infected extensions, and reset passwords.

🧩 A hijacked Outlook add-in called AgreeTo was turned into a phishing kit that stole over 4,000 Microsoft account credentials. The attacker claimed the add-in's abandoned hosting URL, served a fake Microsoft login in Outlook, and exfiltrated data via a Telegram bot. Microsoft removed the add-in after researchers at Koi Security discovered the breach; users should uninstall AgreeTo and reset passwords.

Lumma Stealer, the malware that stole passwords and files from Windows PCs, had infected hundreds of thousands of machines by last year. Authorities seized much of its infrastructure in May, but researchers say Lumma is back and spreading again. The malware uses lure sites and a cloud-based service model to make infections hard to stop.

🇰🇵 North Korean hackers (UNC1069) used deepfake video and social engineering to deliver new macOS and Windows malware against crypto targets. Researchers found seven distinct macOS malware families that steal credentials, browser data, and files for financial theft. The attack aimed to steal cryptocurrency and gather data to enable future scams.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

👨‍⚕ Your AI doctor doesn’t have to follow the same privacy rules as your real one — AI tools from OpenAI, Anthropic, and Google are being used for medical advice but often are not legally bound by HIPAA. That means these apps may collect, share, or sell sensitive health data with weaker protections. People use them because they are cheap and convenient, but that creates real privacy risks.

🇨🇳 🇮🇷 🇰🇵 🇷🇺 State-backed hackers from China, Iran, North Korea, and Russia are using Google’s Gemini AI to help plan and carry out cyberattacks. They use it for reconnaissance, phishing, coding, vulnerability testing, and data exfiltration. Google says it has blocked abused accounts and added defenses but warns AI misuse and model theft remain serious risks.

🦞 🦠 OpenClaw now scans all ClawHub skills with VirusTotal to block or flag malicious uploads. The move follows findings that many skills hide backdoors, data exfiltration, or prompt-injection attacks. Despite scanning, OpenClaw warns risks remain and will publish a security roadmap and reporting process.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

💥 Attackers are exploiting two severe Ivanti EPMM zero-day flaws, spreading to dozens of victims including government agencies. Researchers found about 86 confirmed compromises and hundreds of attack attempts, with many exposed instances still online. Ivanti released detection tools but has not provided a full victim count.

BeyondTrust warned of a critical remote code execution flaw (CVE-2026-1731) in its Remote Support and Privileged Remote Access software that lets unauthenticated attackers run OS commands. The company patched cloud systems and urged on-premises customers to update to fixed versions immediately. Past BeyondTrust vulnerabilities have been exploited by threat actors, including incidents linked to state-backed groups.

🛰️ ICS, OT & IoT

🩹 ICS Patch Tuesday — Major industrial vendors — Siemens, Schneider Electric, Aveva, and Phoenix Contact — released Patch Tuesday advisories fixing multiple ICS/OT vulnerabilities. The flaws can allow unauthorized access, DoS, code execution, XSS, and privilege escalation. CISA and other vendors (Mitsubishi, Moxa, VDE CERT) also published related advisories.

🇺🇸 💬 CISA issues warning to U.S. audience — A destructive cyberattack on Poland’s power grid targeted 30 wind and solar sites and damaged control systems. CISA warned U.S. infrastructure operators that vulnerable internet-facing edge devices and OT/ICS systems are at risk. Security firms and foreign agencies say this shows distributed energy resources are now prime targets and must be secured.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
