#datatheft — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #datatheft, aggregated by home.social.
-
Mysterious hacker organization operating secretly for 6 years is exploiting critical cPanel vulnerability to deploy backdoor trojans
A previously unknown threat group designated Mr_Rot13 has been exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel & WHM, to compromise Linux servers globally. Active since at least 2020, the group deploys a Go-based payload installer that plants SSH keys, PHP webshells, malicious JavaScript for credential harvesting, and a cross-platform remote access tool called Filemanager. Stolen data is exfiltrated to attacker-controlled Telegram channels and command servers. The group has maintained operational security for six years with extremely low detection rates. Attack infrastructure includes domains registered as early as 2020, with over 2,000 attacking IP addresses observed worldwide. The campaign primarily targets cPanel installations and WordPress systems, with confirmed compromise of Southeast Asian government and military entities resulting in 4.37GB of sensitive data theft.
Pulse ID: 6a01847e13b4074a8d4b6381
Pulse Link: https://otx.alienvault.com/pulse/6a01847e13b4074a8d4b6381
Pulse Author: AlienVault
Created: 2026-05-11 07:25:50
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #CredentialHarvesting #CyberSecurity #DataTheft #Government #InfoSec #Java #JavaScript #Linux #Military #OTX #OpenThreatExchange #PHP #RAT #RDP #SSH #Telegram #Trojan #Troll #Vulnerability #Word #Wordpress #bot #AlienVault
-
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.
Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault
-
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Trigona ransomware affiliates deployed a custom exfiltration tool called uploader_client.exe during attacks in March 2026, marking a tactical shift from relying on off-the-shelf utilities like Rclone. The tool features parallel streams with five default connections, connection rotation after 2,048 MB transfers to evade network monitoring, and granular filtering to exclude low-value files. Prior to exfiltration, attackers disabled security defenses using kernel-level tools including HRSword, PCHunter, Gmer, YDark, and WKTools with vulnerable drivers. Remote access was established via AnyDesk, while credentials were harvested using Mimikatz and Nirsoft utilities. The custom tooling demonstrates higher technical maturity compared to typical ransomware operations, providing enhanced stealth capabilities while requiring greater development resources. Targeted data included invoices and high-value PDF documents from networked drives.
Pulse ID: 69f4e8812c7240e62187fe72
Pulse Link: https://otx.alienvault.com/pulse/69f4e8812c7240e62187fe72
Pulse Author: AlienVault
Created: 2026-05-01 17:53:05
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AnyDesk #CyberSecurity #DataTheft #ELF #InfoSec #OTX #OpenThreatExchange #PDF #RAT #RCE #RansomWare #Rclone #Trigona #Word #bot #AlienVault
-
Extortion in the Enterprise: Defending Against BlackFile Attacks
Since February 2026, multiple incidents involving data theft and extortion have been attributed to activity cluster CL-CRI-1116, also known as BlackFile, UNC6671, and Cordial Spider. These financially-motivated attackers, likely associated with "The Com" collective, employ voice-based phishing combined with credential harvesting through fraudulent login pages. They impersonate IT support staff to steal credentials and bypass multi-factor authentication. The attackers focus on Living Off the Land techniques, abusing legitimate APIs like Microsoft Graph to access SharePoint sites and Salesforce data. They search for confidential information and employee data within SaaS environments, then exfiltrate it through browser downloads or API exports. To pressure victims into paying seven-figure ransoms, attackers send demands via Gmail and compromised email accounts, sometimes employing SWATting tactics against executives.
Pulse ID: 69ef8ab862c07db686ca4572
Pulse Link: https://otx.alienvault.com/pulse/69ef8ab862c07db686ca4572
Pulse Author: AlienVault
Created: 2026-04-27 16:11:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Browser #CredentialHarvesting #CyberSecurity #DataTheft #Email #Extortion #ICS #InfoSec #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #RCE #bot #AlienVault
-
Trigona Affiliates Deploy Custom Exfiltration Tool to Streamline Data Theft
Trigona ransomware affiliates have adopted a custom-developed exfiltration tool called uploader_client.exe in attacks observed during March 2026, marking a significant tactical evolution. This command-line utility features parallel data streams, connection rotation to evade network monitoring, and granular file filtering capabilities. The shift from commonly used off-the-shelf tools like Rclone to proprietary malware suggests attackers are attempting to maintain a lower profile during critical attack phases. Prior to data exfiltration, attackers deploy multiple security-disabling tools including HRSword, PCHunter, and various BYOVD utilities to terminate endpoint protection at the kernel level. Remote access is established through AnyDesk, while credential theft is conducted using Mimikatz and Nirsoft utilities. This custom tooling approach demonstrates a higher degree of technical maturity compared to typical ransomware affiliate operations.
Pulse ID: 69ea2ebf9d87464f7c54c08e
Pulse Link: https://otx.alienvault.com/pulse/69ea2ebf9d87464f7c54c08e
Pulse Author: AlienVault
Created: 2026-04-23 14:37:51
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#AnyDesk #CyberSecurity #DataTheft #ELF #Endpoint #InfoSec #Malware #OTX #OpenThreatExchange #RAT #RansomWare #Rclone #Trigona #Word #bot #AlienVault
-
https://www.europesays.com/britain/14632/ UK boards still see cybersecurity as top risk, survey finds #BreachPrevention #CyberRisk #Cybersecurity #DataBreach #DataProtection #DataTheft #DigitalInfrastructure #DigitalRisk #DigitalTransformation #ERM #Infosec #Ireland #ITGovernance #NHS #Ransomware #Regulation #Risk&Compliance #RiskManagement #UK #UnitedKingdom #UnitedKingdom(UK)
-
DOGE Deposition Leaks & Gets Deleted After Exposing Gross Incompetence #DOGE #Saboteurs #Thieves #Racists #Monsters #Morons #Spies #DataTheft #Elon #GreenNewScam #CleanEnergy #SocialSecurity youtube.com/watch?v=cJhE...
-
Anthropic says Chinese companies misused Claude AI; Elon Musk lashes out
Elon Musk on Monday lashed out at Anthropic after the Dario Amodei-led company accused Chinese AI companies of…
#UnitedStates #US #USA #AILabs #anthropicdatastealin #anthropicstealingdata #anthrpoicai #Claude #ClaudeAImodel #claudecod #datatheft #distillation #ElonMusk #elonmuskonanthropic #industrial-scaledistillationattacks #Musk
https://www.europesays.com/2801482/
-
https://winbuzzer.com/2026/02/19/fake-captcha-trick-installs-stealc-on-windows-pcs-xcxwbn/
Fake CAPTCHA Trick Installs StealC on Windows PCs
#Windows #Security #Cybersecurity #StealC #Malware #Cybercrime #Hackers #WindowsSecurity #PowerShell #Scams #DataTheft #ThreatActors #CyberThreats #Cyberattacks #MicrosoftOutlook #Steam #Cryptocurrency
-
ChatBots "talking" to ChatBots.
1. Ok, we knew this would happen.
2. It has enormous adoption in the geeksphere - not surprising.
3. It's wickedly insecure.
4. Yes, it can steal your Crypto - not surprising!
5. Yes, there is personal information stealing Malware (see #4 above) masquerading as prediction market trading automation tools - not surprising!
6. The odds of a "Challenger level disaster" happening are real - not surprising!
7. Finally, NO ONE knows where this stuff will end up. What is the stage beyond wild wild west? That is where this thing is now. https://simonwillison.net/2026/Jan/30/moltbook/ #OpenClaw #Moltbod #Clawdbot #AI #Opensource #Malware #PromptInjection #DigitalAssistent #ChatBot #SocialNetwork #AIAgents #Security #DataProtection #PersonalData #DataTheft #Crypto #PredictionMarket #Claude
-
BroadBand Tower Breach Exposes Customer Data and Source Code https://dailydarkweb.net/broadband-tower-breach-exposes-customer-data-and-source-code/ #CloudServiceProvider #BroadBandTowerInc. #UnauthorizedAccess #ITInfrastructure #sourcecodeleak #Cybersecurity #DataBreaches #databreach #datatheft #Japan
-
Salesforce AI Hack Enabled CRM Data Theft https://www.securityweek.com/salesforce-ai-hack-enabled-crm-data-theft/ #ArtificialIntelligence #promptinjection #SalesforceAI #datatheft #AIhack #AI
-
Batavia spyware steals data from Russian organizations – Source: securelist.com https://ciso2ciso.com/batavia-spyware-steals-data-from-russian-organizations-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #MicrosoftWindows #Targetedattacks #Windowsmalware #securelistcom #spearphishing #PowerShell #datatheft #Malware #Spyware #VBS
-
British journalist Carole #Cadwalladr who exposed #CambridgeAnalytica is on the #DailyShow with Jon Stewart explaining that what tech bros are doing right now with our data is theft and therefore illegal.
This is not news, but the fact that our governments are not defending us and are actually working in collaboration with the tech bros should be making the alarm bells go off in all our heads.
We have to act now.
-
Cloud Atlas seen using a new tool in its attacks – Source: securelist.com https://ciso2ciso.com/cloud-atlas-seen-using-a-new-tool-in-its-attacks-source-securelist-com/ #rssfeedpostgeneratorecho #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Windowsmalware #Cloudservices #securelistcom #CloudAtlas #PowerShell #datatheft #backdoor #Phishing #Telegram #Malware #DLL #HTA #VBS
-
PCI DSS 4.0 Client-Side Security Requirements: Experts Address Urgent Compliance Deadline – Source: securityboulevard.com https://ciso2ciso.com/pci-dss-4-0-client-side-security-requirements-experts-address-urgent-compliance-deadline-source-securityboulevard-com/ #rssfeedpostgeneratorecho #SecurityBloggersNetwork #CyberSecurityNews #SecurityBoulevard #datasecurity #datatheft #Resources #Blog #QSA
-
Probe finds private trust collected Bengaluru voter data illegally and stored in foreign servers
The probe was initiated after an investigative report published by TNM and Pratidvani exposed how a private trust named Chilume had carried out large-scale voter data theft in Bengaluru.
#karnataka #bangalore #bengaluru #VoterData #DataTheft #DataPrivacy #chilume #SamanvayaTrust #BBMP #ECI #HombaleFilms #KGF #kantara #BJP #india