TamperedChef malware spread via fake PDF editors from June 26 to August 21, stealing credentials and cookies.

The financially motivated threat actor known as Storm-0501 has been observed refining its tactics to conduct data exfiltration and extortion attacks targeting cloud environments.
“Unlike traditional on-premises ransomware, where the threat actor typically deploys malware to encrypt critical files across endpoints within the compromised network and then negotiates for a decryption key, cloud-based ransomware introduces a fundamental shift,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.
“Leveraging cloud-native capabilities, Storm-0501 rapidly exfiltrates large volumes of data, destroys data and backups within the victim environment, and demands ransom — all without relying on traditional malware deployment.”
Microsoft warns that a threat actor tracked as Storm-0501 has evolved its operations, shifting away from encrypting devices with ransomware to focusing on cloud-based encryption, data theft, and extortion.
The hackers now abuse native cloud features to exfiltrate data, wipe backups, and destroy storage accounts, thereby applying pressure and extorting victims without deploying traditional ransomware encryption tools.
Storm-0501 is a threat actor who has been active since at least 2021, deploying the Sabbath ransomware in attacks against organizations worldwide. Over time, the threat actor joined various ransomware-as-a-service (RaaS) platforms, where they used encryptors from Hive, BlackCat (ALPHV), Hunters International, LockBit, and, more recently, Embargo ransomware.
Threat researchers discovered the first AI-powered ransomware, called PromptLock, that uses Lua scripts to steal and encrypt data on Windows, macOS, and Linux systems.
The malware uses OpenAI’s gpt-oss:20b model through the Ollama API to dynamically generate the malicious Lua scripts from hard-coded prompts.
The U.S. National Security Agency (NSA), the UK’s National Cyber Security Centre (NCSC), and partners from over a dozen countries have linked the Salt Typhoon global hacking campaigns to three China-based technology firms.
According to the joint advisories [NSA, NCSC], Sichuan Juxinhe Network Technology Co. Ltd., Beijing Huanyu Tianqiong Information Technology Co., and Sichuan Zhixin Ruijie Network Technology Co. Ltd. have provided cyber products and services to China’s Ministry of State Security and the People’s Liberation Army, enabling cyber espionage operations tracked as Salt Typhoon.
Since at least 2021, the Chinese threat actors have breached government, telecommunications, transportation, lodging, and military networks worldwide, stealing data that can be used to track targets’ communications and movements worldwide.