Ransomware/nation-state & data breaches
Key Questions
What major data breaches were reported recently?
Aflac Japan exposed 4.38 million customer records, KDDI exposed 14.22 million email/passwords, and McDonald's had 64 million job applicant records leaked via an AI bot IDOR flaw. Medtronic and Moody Bible Institute breaches also exposed millions of records.
Which ransomware groups are actively targeting organizations?
Warlock exploited SharePoint RCE, BlueHammer used CVE-2026-33825 for SYSTEM access, and new strains like Friends, Gentlemen, and PEAR are active. INC Ransom and Coinbase Cartel focus on pure data extortion without encryption.
How are nation-state actors involved in recent incidents?
Russia-linked hackers are attributed to a $2.5 billion Jaguar Land Rover attack and target Signal backups, while Turla deploys StockStay malware. Armored Likho's Busysnake targets critical infrastructure, and Chinese actors impersonate Indian tax officials.
What trends are emerging in ransomware tactics?
Encryption rates are dropping in favor of data extortion, with healthcare seeing more vendor and small-hospital targeting. FortiBleed campaigns have harvested over 110 million credentials and now work with INC and Lynx ransomware groups.
Which sectors remain most heavily targeted?
Healthcare leads with 4x malware volume and multiple breaches including Huntsville Hospital and AlignHealth. Education, finance, and government entities also face high volumes from groups like Gentlemen ransomware across five continents.
What new malware or campaigns were identified?
StrikeShark uses SharkLoader for Cobalt Strike delivery, Salat Stealer spreads via gaming tools with webcam capture, and Spring Botnet targets exposed IoT. Gaslight macOS malware and QuimaRAT MaaS also emerged with advanced evasion.
Are there any notable law enforcement or government actions?
Canadian CSE disclosed offensive operations against ransomware groups, while the FBI detailed Scattered Spider's help-desk social engineering playbook. NetNut proxy botnet was taken down amid ongoing FortiBleed monetization.
What supply chain or third-party risks are highlighted?
Tata Electronics leaked Apple iPhone details, Singapore Land Authority and Augusta Medical Billing incidents involved vendor environments, and AdaptHealth's breach stemmed from contractor social engineering, reinforcing third-party risk patterns.
Ransomware and nation-state activity. Aflac Japan data breach exposes 4.38M customers (material SEC filing). EMA Engineering breach (Play ransomware, 455 SSNs). Krybit ransomware hits Italian hospital. Warlock ransomware exploited SharePoint RCE CVE-2026-45659 in dual-attacker scenario. BlueHammer CVE-2026-33825 exploited in ransomware for SYSTEM privileges via Microsoft Defender—CISA KEV. Healthcare remains most targeted sector with 4x malware volume, 13.3M UltraVNC exploitation attempts, 243 IoT attack methods (SonicWall). Russia-linked hackers attributed to $2.5B Jaguar Land Rover ransomware/sabotage. FBI reports Russian hackers now target Signal backup recovery keys. Turla deployed StockStay malware via RDP config phishing. New Millenium RAT infects 62K systems. Interlock group exploited Cisco FMC zero-day. Europe ransomware shift confirmed (684 vs 441 attacks YoY). Also: Prinz Eugen, Bajaj Auto/Tata Electronics, Qilin, Gamaredon. Ongoing: Novo Nordisk breach, ShinyHunters, MSG leaks, FortiBleed campaign. StrikeShark campaign using SharkLoader delivers Cobalt Strike via DLL sideloading/API hooking, targeting diplomatic and software dev sectors. ECBM LP data breach exposes 8k individuals (SSNs). FortiBleed campaign harvests 110M+ credentials from FortiGate devices, linked to INC Ransom and Lynx ransomware; active exploitation of CVE-2026-35616 in FortiClient EMS. Healthcare attack landscape shifting—fewer big hospital disruptions, more vendor breaches and small hospital targeting; encryption rates dropping, data extortion rising. Huntsville Hospital breach via Amicus Solutions exposes 10M+ patients. New Friends ransomware strain with .friends124 extension and double-extortion. Weak VPNs and remote access remain prime entry points—55% spike in password spraying against FortiGate. Singapore Land Authority breach via IBM test environment exposes 70k records. AdaptHealth breach via third-party contractor social engineering, ShinyHunters claims credit, material SEC filing. Tata Electronics data leak exposes Apple iPhone 18 Pro supplier details and prototype images (630GB). FortiBleed IAB now confirmed working with Inc and Lynx ransomware gangs, escalating threat to active ransomware deployment. New: KDDI data breach exposes 14.22M customer email/passwords (some plaintext). New: PEAR ransomware group active with victim list. New: Medtronic breach by ShinyHunters—3.8M records, PII/PHI exposed, no OT impact. New: NetNut proxy botnet takedown. New: Armored Likho activity and FortiBleed monetization reported in July 3 roundup. New: Kairos data-theft extortion case—$1M government payment, no encryption, 2TB exfiltrated, 1.6M files. Union County, Ohio suspected. Aligns with trend of encryption rates dropping and data extortion rising. New: Coinbase Cartel ransomware group—pure data extortion, no encryption, 60+ victims, potential ShinyHunters/Scattered Spider/Lapsus$ affiliation. New: Augusta Medical Billing breach—third-party vendor exposes PHI, eight-month notification delay, reinforces third-party risk pattern. New: 24 billion stolen passwords found in one exposed database—6.7B unique, 65% growth in two years, credential-stuffing risk accelerating. New: Medtronic breach by ShinyHunters—3.8M records, PII/PHI exposed, no OT impact. New: Pegasus lawmaker infection via PWNYOURHOME exploit (Citizen Lab) added to this highlight as mercenary spyware incident. New: FortiBleed campaign now confirmed targeting UK government officials, stealing logins to infiltrate email accounts (embassies, local councils). New: Largest US healthcare breach 100M customers (Change Healthcare-like scale) reported. New: Texas data breach 3M license customers via vendor. New: Union County paid $1M to Kairos extortionists—no encryption, pure data theft. New: $263M crypto theft via social engineering/physical burglary—Tangeman guilty plea, RICO case highlights hybrid physical-digital targeting of high-value holders. New: Gentlemen ransomware deep-dive—Go-based, Garble-obfuscated, hybrid Curve25519/XChaCha20 encryption, 21 remote execution techniques, targets education/healthcare/finance across five continents, active since mid-2025, recruiting via BreachForums. New: Carvalima Transportes hit by INC_RANSOM—Brazilian logistics firm, reinforces Latin American ransomware targeting. New: Ill Bloom vulnerability drains $5M+ from crypto wallets via weak seed randomness. New: QuimaRAT MaaS cross-platform RAT with browser-cache loader. New: FortiBleed UK Foreign Office escalation—embassy VPN credentials sold for up to $60k. New: McDonald's 64M applicant data breach via AI bot (IDOR). New: Armored Likho Busysnake stealer campaign targeting corporate networks. New: Spring Botnet (Golang malware) flooding exposed services. New: Ousaban banking trojan targeting Iberian Peninsula. New: North Korean APTs targeting open source developers. New: Crypto exploit losses down 47% but incidents doubled (207 incidents in H1 2026). New: Canadian spy agency (CSE) publicly disclosed offensive cyber ops against ransomware, drug traffickers, extremists. New: Jacksonville, Texas city systems down after cyber incident. New: Fake IT support Teams calls delivering EtherRAT. New: Smishing now 69.3% of mobile phishing vectors. New: Moody Bible Institute breach by ShinyHunters (2.3M records). New: FBI details Scattered Spider help-desk social engineering playbook. New: Bojangles breach lawsuit advances—274-day notification delay, Hunters International attribution, class-action viability. New: Discord token theft campaign using MrBeast lures—tens of thousands of accounts compromised, token theft via fake verification pages. New: Salat Stealer campaign—Go-based infostealer distributed via Xeno Executor gaming tool, live desktop streaming and webcam capture, batch/Rust loaders with Defender evasion. New: Gaslight macOS malware—Rust-based, North Korean, uses prompt injection to evade AI security analysis, steals browser/Keychain/terminal history. Status: developing.