LofyGang resurfaces with LofyStealer disguised as Minecraft hack, exfiltrating IBANs and passwords to 24.152.36[.]241, escalating gaming threats.
Category: cybercrime/malcode – Page 13
US reportedly charges Scattered Spider hacker arrested in Finland
A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective.
According to temporarily unsealed court records obtained by the Chicago Tribune, the suspect (who used the online alias “Bouquet”) helped extort millions of dollars from multiple large corporations worldwide.
The suspected Scattered Spider member, who was allegedly arrested by Finnish law enforcement at Helsinki’s airport on April 10 while attempting to board a flight to Japan, is facing wire fraud, conspiracy, and computer intrusion charges.
PyPI package with 1.1M monthly downloads hacked to push infostealer
An attacker pushed a malicious version of the popular elementary-data package Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets.
The dangerous release is 0.23.3, and it extended to the Docker image due to the package’s workflow that creates the image from the code and uploads it to a container registry for deployment.
Community member crisperik spotted the malicious upload and opened an issue on the project’s GitHub on Saturday, alerting the maintainer and decreasing the exposure window.
Canada arrests three for operating “SMS blaster” device in Toronto
Canadian authorities have arrested three men for operating an “SMS blaster” device that pretends to be a cellular tower to send phishing texts to nearby phones.
Such tools trick devices into connecting to them by emitting signals that mimic a legitimate tower. Mobile phones in its range automatically link to them as there is stronger reception.
Once the connection is established, the operators of these rogue cellular base stations can push SMS messages directly to connected devices, which appear to come from trusted entities such as banks or the government.
Home security giant ADT data breach affects 5.5 million people
The ShinyHunters extortion group stole the personal information of 5.5 million individuals after breaching the systems of home security giant ADT earlier this month, according to data breach notification service Have I Been Pwned.
Founded in 1874 as American District Telegraph, ADT is the oldest and largest home security company in the United States, currently providing monitored security and smart home solutions to over 6 million residential and small-business customers.
ADT has previously disclosed two other data breaches in August 2024 and October 2024 that exposed employee and customer information.
GlassWorm malware attacks return via 73 OpenVSX “sleeper” extensions
A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 “sleeper” extensions that turn malicious after an update.
Six of the extensions have been activated and deliver malware, while researchers assess with high confidence that the rest of them are dormant or at least suspicious.
When initially uploaded, the extensions are benign but deliver the payload at a later stage, revealing the attacker’s true intention.
The Next Chip Breakthrough Is Not a Machine
Go to https://sintra.ai/intech or use code INTECH to get an exclusive 72% off all plans. 14-day money-back guarantee.
Timestamps:
00:00 — The Limits of Light
07:44 — The Chemistry Hack. How It Works.
My Podcast on Apple: https://podcasts.apple.com/at/podcast… Podcast on Spotify: https://open.spotify.com/show/3drr7A8… Subscribe to my exclusive newsletter: Newsletter: https://anastasiintech.substack.com Let’s connect on LinkedIn: / anastasiintech Instagram:
/ anastasi.in.tech Patreon:
/ anastasiintech.
Newsletter: https://anastasiintech.substack.com.
Let’s connect on LinkedIn: / anastasiintech
Instagram: / anastasi.in.tech
Patreon: / anastasiintech.
Firestarter malware survives Cisco firewall updates, security patches
Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software.
The backdoor has been attributed to a threat actor that Cisco Talos tracks internally as UAT-4356, known for cyberespionage campaigns, including ArcaneDoor.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Center (NCSC) believe that the adversary obtained initial access by exploiting a missing authorization issue (CVE-2025–20333) and/or a buffer overflow bug (CVE-2025–20362).
New BlackFile extortion group linked to surge of vishing attacks
A new financially motivated hacking group tracked as BlackFile has been linked to a wave of data theft and extortion attacks against retail and hospitality organizations since February 2026.
The group, also tracked as CL-CRI-1116, UNC6671, and Cordial Spider, is impersonating corporate IT helpdesk staff to steal employee credentials and demand seven-figure ransoms, according to information shared by cybersecurity firm Palo Alto Networks’ Unit 42 with the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).
Unit 42 security researchers have also linked BlackFile with moderate confidence to “The Com,” a loose-knit network of English-speaking cybercriminals known for targeting and recruiting young people for extortion, violence, and the production of child sexual exploitation material (CSAM).
Microsoft to roll out Entra passkeys on Windows in late April
Microsoft will roll out passkey support for phishing-resistant passwordless authentication to Microsoft Entra‑protected resources from Windows devices starting late April.
The feature is expected to reach general availability by mid-June 2026 and will also extend passwordless sign-in to unmanaged Windows devices.
Microsoft says that Entra passkeys on Windows will support corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies.