
News Summary

Last updated: 18:16 13/03/2026 UTC
  • Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects: Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy. Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.
  • Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication: Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits soon after a patch is released. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.
  • Storm-2561 Distributes Fake Enterprise VPN Clients to Steal Credentials: Threat actor Storm-2561 is distributing fake enterprise VPN clients for Ivanti, Cisco, and Fortinet to steal VPN credentials. The attackers use SEO poisoning to redirect victims to spoofed sites mimicking legitimate VPN vendors. The fake VPN clients install a loader and the Hyrax infostealer, capturing and exfiltrating credentials while displaying a legitimate-looking login interface. The malware also steals VPN configuration data and creates persistence via the Windows RunOnce registry key. Microsoft researchers discovered the campaign involved domains related to multiple VPN vendors and provided IoCs and hunting guidance to mitigate the threat. The campaign was first documented by Cyjax in May 2025 and later by Zscaler in October 2025. Microsoft observed the activity in mid-January 2026 and has since taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate to neutralize the operation.
  • SocksEscort Proxy Network Disrupted by Law Enforcement: Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.
  • Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets: Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.
  • Russian FSB-linked Hackers Exploit Cisco Smart Install Vulnerability for Cyber Espionage: Static Tundra, a Russian state-sponsored cyber espionage group linked to the FSB's Center 16 unit, has been actively exploiting a seven-year-old vulnerability in Cisco IOS and IOS XE software (CVE-2018-0171) to gain persistent access to target networks. The group has been targeting organizations in telecommunications, higher education, manufacturing, and critical infrastructure sectors across multiple continents. The attacks involve collecting configuration files, deploying custom tools like SYNful Knock, and modifying TACACS+ configurations to achieve long-term access and information gathering. The FBI and Cisco Talos have issued advisories warning about the ongoing campaign, which has been active for over a year and has targeted critical infrastructure sectors in the US and abroad. The group has also increased attacks on Ukraine since the start of the war. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code or trigger DoS conditions. Cisco has advised customers to apply the patch for CVE-2018-0171 or disable Smart Install to mitigate the risk. The group has also targeted networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The threat extends beyond Russia's operations; other state-sponsored actors are likely conducting similar network device compromise campaigns. Additionally, the INC ransomware operation has been targeting healthcare organizations in Oceania, including Australia, New Zealand, and Tonga. The Australian Cyber Security Centre (ACSC), CERT Tonga, and New Zealand's National Cyber Security Centre (NCSC) issued a joint advisory on March 6, 2026, about INC's targeting of critical networks in the region. INC initially focused on the US and the UK but expanded to Australia in the summer of 2024, targeting professional services and healthcare industries. The ACSC responded to 11 INC ransomware attacks in Australia between July 2024 and December 2025, predominantly affecting healthcare or professional services companies.
  • Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks: A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root level. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. Additionally, nine confused deputy vulnerabilities, codenamed CrackArmor, have been discovered in the Linux kernel's AppArmor module. These flaws, existing since 2017, allow unprivileged users to bypass kernel protections, escalate to root, and undermine container isolation guarantees. The vulnerabilities affect Linux kernels since version 4.11 and impact major distributions like Ubuntu, Debian, and SUSE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of the initial flaw in ransomware campaigns and added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024. Federal agencies were ordered to secure their systems by June 20, 2024. Mitigations include blocking 'nf_tables', restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module.
Last updated: 17:00 13/03/2026 UTC
  • Windows 11 KB5070311 Update Addresses File Explorer and Search Issues: Microsoft has released the KB5070311 optional preview cumulative update for Windows 11, addressing File Explorer freezes, search issues, and other bugs. The update includes 49 changes and is part of the monthly preview updates that precede Patch Tuesday releases. It fixes issues with explorer.exe process responsiveness, SMB share search problems, and LSASS instability. However, the update also introduced a new bug causing bright white flashes when launching File Explorer in dark mode. Microsoft has since fixed this issue with the December KB5072033 Patch Tuesday cumulative update. The update is available for manual installation and updates Windows 11 25H2 and 24H2 devices to builds 26200.7309 and 26100.7309, respectively. Additionally, Microsoft announced there will be no preview update in December 2025 due to minimal operations during the Western holidays, with normal updates resuming in January 2026. Microsoft is still working to fully address the File Explorer white flash issue in dark mode, with the bug fix rolling out to all Windows Insiders in the Beta and Dev channels who install the Windows 11 Build 26220.7961 (KB5079382) and Windows 11 Build 26300.7965 (KB5079385) preview builds. The latest Windows 11 preview builds also add support for voice typing (Windows key plus H) when renaming files in File Explorer and improve reliability when unblocking files downloaded from the internet to preview them in File Explorer. Starting in November, Microsoft began testing an optional Windows 11 feature that preloads File Explorer in the background to improve performance and speed up launch times.
  • U.S. Secret Service Seizes SIM Servers and Cards Near UN General Assembly: The U.S. Secret Service has seized 300 SIM servers and 100,000 SIM cards in the New York tri-state area, which were used to threaten U.S. government officials and posed an imminent threat to national security. The seizure occurred near the United Nations General Assembly, and the devices could be weaponized for various attacks on telecommunications infrastructure. The FBI is also investigating a breach affecting systems used to manage surveillance and wiretap warrants, which was addressed but details on scope and impact remain undisclosed. Early evidence suggests involvement of nation-state threat actors, including the Chinese hacker group Salt Typhoon, which compromised U.S. federal government systems for court-authorized network wiretapping requests in 2024. The FBI began investigating abnormal log information related to a system on its network on February 17, 2026, and the affected system contains law enforcement sensitive information, including returns from legal process such as pen register and trap and trace surveillance returns, and personally identifiable information pertaining to subjects of FBI investigations.
  • Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data: Salesforce is warning customers of an escalating mass-scanning campaign targeting misconfigured Experience Cloud instances, now linked to ShinyHunters (UNC6240), which claims to have breached hundreds of companies, including 100 high-profile organizations, by exploiting overly permissive guest user permissions. The attackers are using a modified AuraInspector tool to extract data directly via the /s/sfsites/aura API endpoint, bypassing authentication for CRM objects. Salesforce emphasizes that this stems from customer misconfigurations, not a platform flaw, and urges immediate mitigation: auditing guest user permissions, setting org-wide defaults to Private, disabling public API access for guests, and reviewing Aura Event Monitoring logs for anomalies. This follows the August 2025 Salesloft Drift OAuth breach, where UNC6395/GRUB1 stole tokens to access Salesforce customer data, impacting over 700 organizations (e.g., Zscaler, Palo Alto Networks, Cloudflare). While earlier waves relied on stolen OAuth tokens, the latest campaign marks a shift to exploiting misconfigured guest access, though ShinyHunters is implicated in both. Salesforce and partners have revoked compromised tokens and disabled vulnerable integrations, but the new Aura/Experience Cloud attacks highlight persistent risks from improperly secured public-facing portals. The harvested data (e.g., names, phone numbers) is repurposed for follow-on vishing and social engineering, aligning with broader identity-based targeting trends.
  • Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports: FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.
  • QuickLens Chrome Extension Compromised to Steal Cryptocurrency and Credentials: The QuickLens Chrome extension, initially a legitimate tool for Google Lens searches, was compromised to push malware and steal cryptocurrency and credentials from approximately 7,000 users. The malicious version 5.8, released on February 17, 2026, introduced ClickFix attacks and info-stealing functionality. The extension was removed from the Chrome Web Store by Google after the discovery. The compromised extension stripped browser security headers, communicated with a command-and-control (C2) server, and executed malicious JavaScript scripts on every page load. It targeted various cryptocurrency wallets, login credentials, payment information, and sensitive form data. The extension was sold on ExtensionHub on October 11, 2025, and ownership changed to '[email protected]' on February 1, 2026. The malicious update introduced code to fingerprint the user's country, detect the browser and operating system, and poll an external server every five minutes to receive JavaScript. The JavaScript code is stored in the browser's local storage and executed on every page load by adding a hidden 1x1 GIF <img> element. The same threat actor is behind the compromise of the QuickLens and ShotBird extensions, using an identical command-and-control (C2) architecture pattern. Users are advised to remove the extension, scan their devices for malware, and reset passwords.

Latest updates


China-Linked APT Targets Southeast Asian Militaries with AppleChris and MemFun Malware

Updated: · First: 13.03.2026 19:33 · 📰 1 src / 1 articles

A China-linked cyber espionage operation, tracked as CL-STA-1087, has targeted Southeast Asian military organizations since at least 2020. The campaign, characterized by strategic patience and precision intelligence collection, uses custom malware like AppleChris and MemFun to maintain persistent access and evade detection. The attackers focus on military capabilities, organizational structures, and collaborative efforts with Western forces. The malware employs advanced techniques such as DLL hijacking, process hollowing, and sandbox evasion to avoid detection. The campaign includes the use of Pastebin and Dropbox for command-and-control (C2) communication, with some variants using Pastebin as a fallback. The threat actors also utilize a custom version of Mimikatz, named Getpass, to extract credentials and escalate privileges.

Cyberattack on Poland's National Centre for Nuclear Research Thwarted

Updated: · First: 13.03.2026 19:11 · 📰 1 src / 1 articles

Poland's National Centre for Nuclear Research (NCBJ) reported a cyberattack on its IT infrastructure. The attack was detected and blocked by security systems before causing any impact. The MARIA reactor, used for scientific experiments and medical isotope production, was not affected. The attack has been attributed to potential Iranian involvement, though false flags are being considered. Poland's power grid was previously targeted by the Russian threat group APT44 in January 2026.

Meta to Discontinue Instagram End-to-End Encryption Support by May 2026

Updated: · First: 13.03.2026 19:09 · 📰 1 src / 1 articles

Meta has announced it will discontinue end-to-end encryption (E2EE) support for Instagram chats starting May 8, 2026. Users with affected chats will receive instructions to download media or messages they wish to retain. This decision follows Meta's initial rollout of E2EE for Instagram direct messages in 2021, which was later expanded to all adult users in Ukraine and Russia during the Russo-Ukrainian war. The move comes amid ongoing debates over encryption's impact on privacy and law enforcement capabilities. Meta's decision aligns with TikTok's recent stance against implementing E2EE, citing concerns over user safety, particularly for young people. Despite internal warnings in 2019 about the challenges E2EE poses for detecting illegal activities like CSAM and terrorist propaganda, Meta has proceeded with encryption plans for Facebook and Instagram.

Microsoft Investigates Multiple Issues in Classic Outlook

Updated: 13.03.2026 18:53 · First: 23.02.2026 21:40 · 📰 2 src / 3 articles

Microsoft is investigating multiple issues affecting the classic Outlook desktop email client, including a bug that causes the mouse pointer to disappear, making the app unusable. Additionally, Microsoft is addressing email synchronization and connection problems, such as "Can't connect to the server" errors when creating groups and sync issues with Gmail and Yahoo accounts. The company has acknowledged these problems and provided temporary workarounds while continuing their investigation.

Hypervisor Migration Risks and Data Protection Challenges

Updated: · First: 13.03.2026 16:15 · 📰 1 src / 1 articles

Broadcom's acquisition of VMware in 2023 has triggered widespread migrations to alternative hypervisors, introducing significant technical and operational risks. IT teams face challenges such as price hikes, licensing changes, and operational issues, including VMware Workstation auto-update failures. Gartner predicts VMware will lose 35% of its workloads by 2028, with migrations to platforms like Microsoft Hyper-V, Azure Stack HCI, Nutanix AHV, Proxmox VE, or KVM. These migrations are high-stakes, requiring careful planning to ensure data integrity and availability. The process of migrating hypervisors is technically risky due to incompatibilities in disk formats, hardware abstractions, driver stacks, and networking models. Backup and recovery are critical, with a need for full-image, application-consistent backups that can be restored to dissimilar hardware or virtualization platforms. IT teams must perform recovery drills before migration and maintain parallel protection during transitions. Key risks include underestimating downtime, backup and recovery gaps, and an expanding attack surface. Teams must plan for worst-case scenarios, validate backups, and protect backup images against ransomware. A unified cyber protection platform can simplify the migration process and reduce complexity.

Storm-2561 Distributes Fake Enterprise VPN Clients to Steal Credentials

Updated: 13.03.2026 15:38 · First: 13.03.2026 15:23 · 📰 2 src / 2 articles

Threat actor Storm-2561 is distributing fake enterprise VPN clients for Ivanti, Cisco, and Fortinet to steal VPN credentials. The attackers use SEO poisoning to redirect victims to spoofed sites mimicking legitimate VPN vendors. The fake VPN clients install a loader and the Hyrax infostealer, capturing and exfiltrating credentials while displaying a legitimate-looking login interface. The malware also steals VPN configuration data and creates persistence via the Windows RunOnce registry key. Microsoft researchers discovered the campaign involved domains related to multiple VPN vendors and provided IoCs and hunting guidance to mitigate the threat. The campaign was first documented by Cyjax in May 2025 and later by Zscaler in October 2025. Microsoft observed the activity in mid-January 2026 and has since taken down the attacker-controlled GitHub repositories and revoked the legitimate certificate to neutralize the operation.

Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects

Updated: 13.03.2026 15:28 · First: 22.08.2025 13:08 · 📰 10 src / 14 articles

Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy. Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.

SocksEscort Proxy Network Disrupted by Law Enforcement

Updated: 13.03.2026 12:00 · First: 12.03.2026 18:19 · 📰 3 src / 3 articles

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

Google Chrome Zero-Day Exploits in Skia and V8 Engine

Updated: 13.03.2026 11:17 · First: 13.03.2026 08:56 · 📰 2 src / 2 articles

Google has released emergency updates for Chrome to patch two actively exploited zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910). The first is an out-of-bounds write flaw in Skia, a 2D graphics library, which could lead to browser crashes or code execution. The second is an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine. Both vulnerabilities were discovered and patched within two days of reporting, affecting Windows, macOS, and Linux systems. The updates are rolling out to users, though it may take days or weeks to reach all users. Google has not disclosed further details about the attacks exploiting these vulnerabilities. Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.

Privilege Escalation Vulnerability in Linux Kernel Exploited in Ransomware Attacks

Updated: 13.03.2026 10:18 · First: 31.10.2025 15:05 · 📰 2 src / 2 articles

A high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086) is being exploited in ransomware attacks. Disclosed in January 2024, the vulnerability allows attackers with local access to escalate privileges to root. It affects multiple major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat. The flaw was introduced in February 2014 and fixed in January 2024. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the exploitation of CVE-2024-1086 in ransomware campaigns and added it to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, ordering federal agencies to secure their systems by June 20, 2024. Mitigations include blocking the 'nf_tables' module, restricting access to user namespaces, or loading the Linux Kernel Runtime Guard (LKRG) module. Separately, nine confused deputy vulnerabilities, codenamed CrackArmor, have been discovered in the Linux kernel's AppArmor module. These flaws, present since 2017, allow unprivileged users to bypass kernel protections, escalate to root, and undermine container isolation guarantees. They affect Linux kernels since version 4.11 and impact major distributions such as Ubuntu, Debian, and SUSE.
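As an added example (not code from the page's sources; the function names and the sample inputs are hypothetical), the following POSIX shell audit checks a Linux host for the three CVE-2024-1086 mitigations named above and flags the case where nf_tables is blocked in modprobe.d but still resident:

```shell
#!/bin/sh
# Added example: audit a Linux host for the CVE-2024-1086 mitigations
# (block nf_tables, restrict user namespaces, load LKRG). Helper names are
# hypothetical. Every check takes its input as an argument so it can run on
# live command output or on text captured from another host.

# A modprobe.d rule such as "blacklist nf_tables" or "install nf_tables
# /bin/false" stops the module from loading; only the "install" form also
# defeats an explicit "modprobe nf_tables".
nf_tables_blocked() {
    # $1: concatenated contents of /etc/modprobe.d/*.conf
    printf '%s\n' "$1" | grep -Eq \
        '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))([[:space:]]|$)'
}

# Blocking future loads does not unload a module that is already resident.
nf_tables_loaded() {
    # $1: output of lsmod
    printf '%s\n' "$1" | grep -Eq '^nf_tables[[:space:]]'
}

# Unprivileged user namespaces let non-root processes reach nf_tables
# configuration. user.max_user_namespaces=0 (upstream) or
# kernel.unprivileged_userns_clone=0 (Debian/Ubuntu kernels) disables them.
userns_restricted() {
    # $1: user.max_user_namespaces, $2: kernel.unprivileged_userns_clone
    #     (pass "" when that sysctl does not exist on the host)
    [ "$1" = "0" ] || [ "$2" = "0" ]
}

# LKRG (Linux Kernel Runtime Guard) is an out-of-tree module that detects
# kernel integrity violations and unexpected privilege changes.
lkrg_loaded() {
    # $1: output of lsmod
    printf '%s\n' "$1" | grep -Eq '^lkrg[[:space:]]'
}

# Prints one line per control; returns 0 when at least one mitigation is
# actually effective, 1 otherwise.
audit_mitigations() {
    conf=$1; max_ns=$2; clone_ns=$3; mods=$4
    status=1
    if nf_tables_blocked "$conf"; then
        if nf_tables_loaded "$mods"; then
            echo "nf_tables: blocked in modprobe.d but currently loaded (unload or reboot needed)"
        else
            echo "nf_tables: blocked"; status=0
        fi
    else
        echo "nf_tables: loadable"
    fi
    if userns_restricted "$max_ns" "$clone_ns"; then
        echo "user namespaces: restricted"; status=0
    else
        echo "user namespaces: unrestricted"
    fi
    if lkrg_loaded "$mods"; then
        echo "LKRG: loaded"; status=0
    else
        echo "LKRG: not loaded"
    fi
    return $status
}

# Gather the inputs from the running host: "sh audit.sh live".
if [ "$1" = "live" ]; then
    audit_mitigations \
        "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" \
        "$(sysctl -n user.max_user_namespaces 2>/dev/null)" \
        "$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null)" \
        "$(lsmod 2>/dev/null)"
fi
```

A non-zero exit from the live run means none of the three controls is in effect and the host still relies on the kernel patch alone.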

Starbucks Employee Data Breach via Compromised Partner Central Accounts

Updated: · First: 13.03.2026 10:16 · 📰 1 src / 1 article

Starbucks disclosed a data breach affecting 889 employee accounts in its Partner Central system. The breach occurred between January 19 and February 11, 2026, after threat actors obtained login credentials through phishing websites impersonating Partner Central. The exposed data includes names, Social Security numbers, dates of birth, and financial account details. Starbucks has notified law enforcement and is offering affected employees two years of free identity theft protection and credit monitoring.

Veeam Patches Multiple Critical RCE Vulnerabilities in Backup & Replication

Updated: 13.03.2026 06:15 · First: 07.01.2026 12:41 · 📰 4 src / 7 articles

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software, including seven new RCE flaws. The latest updates patch vulnerabilities (CVE-2026-21666, CVE-2026-21667, CVE-2026-21668, CVE-2026-21669, CVE-2026-21671, CVE-2026-21672, and CVE-2026-21708) that allow low-privileged domain users and Backup Viewers to execute remote code on vulnerable backup servers. Additionally, several high-severity bugs were addressed, which could be exploited to escalate privileges, extract SSH credentials, and manipulate files on Backup Repositories. All vulnerabilities affect earlier versions and have been fixed in versions 12.3.2.4465 and 13.0.1.2067. Veeam has warned admins to upgrade to the latest release promptly, as threat actors often develop exploits post-patch release. Ransomware gangs, including FIN7 and the Cuba ransomware gang, have targeted VBR servers to simplify data theft and block restoration efforts.

Loblaw Data Breach Exposes Customer PII

Updated: · First: 12.03.2026 23:32 · 📰 1 src / 1 article

Loblaw Companies Limited, Canada's largest food and pharmacy retailer, disclosed a data breach affecting a portion of its IT network. Hackers accessed basic customer information, including names, phone numbers, and email addresses, but no financial or health data was compromised. The breach could be used for phishing and fraudulent activities, prompting Loblaw to log out all customers and advise password changes. The incident did not impact PC Financial, Loblaw's financial services brand, and no threat actor has publicly claimed responsibility.

AiLock Ransomware Targets England Hockey

Updated: · First: 12.03.2026 22:37 · 📰 1 src / 1 article

England Hockey is investigating a potential data breach after the AiLock ransomware gang claimed to have stolen 129GB of data from its systems. The organization is working with external experts and authorities to assess the impact, while AiLock threatens to publish the stolen files unless a ransom is paid. AiLock, a relatively new ransomware operation, uses double-extortion tactics and leverages privacy law violations in negotiations. The ransomware encrypts files with ChaCha20 and NTRUEncrypt, appending the .AILock extension. England Hockey, responsible for field hockey in England, has over 800 clubs and 150,000 registered players, making the potential breach significant.

Hive0163 Deploys AI-Assisted Slopoly Malware for Persistent Access

Updated: 12.03.2026 22:01 · First: 12.03.2026 19:02 · 📰 2 src / 2 articles

Hive0163, a financially motivated threat actor, has been observed using a new AI-assisted malware called Slopoly to maintain persistent access in ransomware attacks. The malware, discovered in early 2026, is part of a command-and-control (C2) framework and was deployed during the post-exploitation phase of an attack. Slopoly is believed to have been developed with the help of a large language model (LLM), although it lacks advanced polymorphic capabilities. The malware functions as a backdoor, beaconing system information to a C2 server and executing commands. Hive0163 is also known for using other malicious tools, such as NodeSnake, Interlock RAT, and the JunkFiction loader, in its operations. The attack leveraged the ClickFix social engineering tactic to trick victims into running a PowerShell command. Hive0163 relies on initial access brokers such as TA569 and TAG-124 to establish a foothold. The Interlock ransomware payload is a 64-bit Windows executable delivered via the JunkFiction loader, and Hive0163 may have associations with the developers behind Broomstick, SocksShell, PortStarter, SystemBC, and the Rhysida ransomware operators.

VENON Malware Targets 33 Brazilian Banks with Credential-Stealing Overlays

Updated: · First: 12.03.2026 19:31 · 📰 1 src / 1 article

A new Rust-based malware, codenamed VENON, targets 33 Brazilian banks and digital asset platforms. It uses credential-stealing overlays and shares behaviors with known Latin American banking trojans. The malware employs sophisticated evasion techniques and is distributed via social engineering ploys, with a complex infection chain that includes DLL side-loading. Its developer appears to have used generative AI to rewrite and expand functionalities in Rust, indicating significant technical expertise.

Six Android Malware Families Target Pix, Banking Apps, and Crypto Wallets

Updated: 12.03.2026 18:00 · First: 12.03.2026 09:56 · 📰 2 src / 2 articles

Six new Android malware families have been discovered, targeting Pix payments, banking apps, and cryptocurrency wallets. These malware families include PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, Oblivion RAT, and SURXRAT. They steal data and conduct financial fraud, with some using advanced techniques like real-time screen monitoring and AI integration. PixRevolution specifically targets Brazil's Pix instant payment platform, hijacking money transfers in real-time. It uses an "agent-in-the-loop" model where a remote operator watches the victim's phone screen in near real time and intervenes at the exact moment a payment is processed. BeatBanker spreads via phishing attacks and uses an unusual persistence mechanism involving an almost inaudible audio file. TaxiSpy RAT abuses Android's accessibility service and MediaProjection APIs to collect sensitive data. Mirax and Oblivion are offered as malware-as-a-service (MaaS) with various capabilities. SURXRAT is marketed through a Telegram-based MaaS ecosystem and includes a ransomware-style screen locker module.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858, CVE-2026-25049, CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497)

Updated: 12.03.2026 17:28 · First: 23.12.2025 09:34 · 📰 15 src / 26 articles

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch n8n instances by March 25, 2026, due to active exploitation of this critical remote code execution (RCE) flaw. Meanwhile, Pillar Security has disclosed two new critical vulnerabilities (CVE-2026-27577 and CVE-2026-27493), the latter a zero-click, unauthenticated flaw that allows full server compromise via public form endpoints (e.g., a "Contact Us" form) without requiring authentication or user interaction. Over 40,000 unpatched instances remain exposed globally, with 18,000+ in North America and 14,000+ in Europe, per Shadowserver data. This development follows a series of critical n8n vulnerabilities disclosed since late 2025, including CVE-2026-21877 (CVSS 10.0), CVE-2026-21858 (unauthenticated RCE), and four March 2026 flaws (CVE-2026-27577, CVE-2026-27493, CVE-2026-27495, CVE-2026-27497) enabling sandbox escapes, credential theft, and unauthenticated expression injection. Affected versions span <1.123.22, >=2.0.0 <2.9.3, and >=2.10.0 <2.10.1, with patches available in 1.123.22, 2.9.3, and 2.10.1. The platform's widespread use in AI orchestration and enterprise automation, coupled with its storage of API keys, database credentials, and cloud secrets, makes it a prime target for attackers seeking full server compromise or lateral movement into connected systems.

Google's 2025 Vulnerability Reward Program Payouts Reach Record $17.1 Million

Updated: · First: 12.03.2026 17:22 · 📰 1 src / 1 article

Google paid $17.1 million to 747 security researchers in 2025 through its Vulnerability Reward Program (VRP), marking the highest payout in the program's history. The total payouts since 2010 have surpassed $81.6 million. The program expanded in 2025 with new initiatives, including the AI Vulnerability Rewards Program and rewards for OSV-SCALIBR, an open-source tool for finding security flaws in software dependencies. The highest reward in 2025 was $250,000, while the highest reward in 2024 was $100,115 for a MiraclePtr Bypass.

Telus Digital Breach by ShinyHunters

Updated: · First: 12.03.2026 16:40 · 📰 1 src / 1 article

Telus Digital, the business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, has confirmed a security breach after threat actors known as ShinyHunters claimed to have stolen nearly 1 petabyte of data. The breach, which involved unauthorized access to a limited number of Telus Digital's systems, is currently under investigation. ShinyHunters claims to have accessed a wide range of customer data related to Telus' BPO operations and call records for Telus' consumer telecommunications division. The threat actors reportedly used Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach to gain initial access. Telus has engaged cyber forensics experts and is working with law enforcement to manage the situation.

Underground Trade in Compromised Travel Rewards

Updated: · First: 12.03.2026 16:05 · 📰 1 src / 1 article

Cybercriminals are actively trading compromised airline and hotel loyalty accounts in underground markets, converting stolen miles into real-world travel commodities. The process involves credential compromise, inventory listing, redemption, and resale at discounted rates. This fraudulent activity is structured, with repeated sellers and a focus on major brands like United, American Airlines, Delta, Marriott, and Hilton. The monetization model follows four stages: gaining control over loyalty accounts, identifying valid miles, redeeming miles for travel, and reselling the bookings. The fraud is challenging to detect and recover from due to the conversion of points into tangible assets.

Coruna iOS Exploit Kit Targets iOS 13–17.2.1 with 23 Exploits

Updated: 12.03.2026 15:43 · First: 04.03.2026 15:28 · 📰 6 src / 6 articles

Google's Threat Intelligence Group identified the Coruna exploit kit, which targets iOS versions 13.0 to 17.2.1. The kit includes five exploit chains and 23 exploits, some using non-public techniques, and has been used by multiple threat actors, including government-backed groups and financially motivated actors. It was first observed in February 2025 and has since been linked to campaigns involving Russian and Chinese actors. Coruna leverages vulnerabilities in WebKit and other components, some of which were patched by Apple but remained undocumented until later. It fingerprints devices and delivers the exploits appropriate to the detected iOS version, avoids execution on devices in Lockdown Mode or private browsing, and uses custom encryption and compression methods to deliver payloads; it is ineffective against the latest iOS versions. A binary loader deploys the final stage of the attack after the initial browser exploit succeeds, and a stager loader called PlasmaGrid targets cryptocurrency wallet apps such as MetaMask, Phantom, Exodus, BitKeep, and Uniswap. Coruna marks a shift from targeted spyware attacks to broader exploitation of iOS devices, including crypto theft. It was used in watering hole attacks against iPhone users visiting compromised Ukrainian websites in summer 2025 and on fake Chinese gambling and crypto websites in late 2025. Two of its exploits (CVE-2023-32434 and CVE-2023-38606) were weaponized as zero-days in the 2023 Operation Triangulation campaign targeting users in Russia. Coruna may have been designed by U.S. military contractor L3Harris and passed to Russian exploit broker Operation Zero by Peter Williams.
CISA added three of the 23 Coruna vulnerabilities, including CVE-2023-43010, to its catalog of Known Exploited Vulnerabilities, ordering Federal Civilian Executive Branch (FCEB) agencies to patch their iOS devices by March 26, 2026, as mandated by Binding Operational Directive (BOD) 22-01, and urged all organizations to prioritize patching these flaws. Apple has released security updates that backport fixes to older iPhones and iPads, covering a wide range of older models, against vulnerabilities targeted by Coruna. CVE-2023-43010 is an unspecified WebKit vulnerability that could result in memory corruption when processing maliciously crafted web content; its fix originally shipped in iOS 17.2 on December 11, 2023, and the latest round of fixes brings the patch to iOS 15.8.7 and iPadOS 15.8.7 and to iOS 16.7.15 and iPadOS 16.7.15. iOS 15.8.7 and iPadOS 15.8.7 also incorporate patches for three more vulnerabilities associated with Coruna: CVE-2023-43000, CVE-2023-41974, and CVE-2024-23222. Apple has additionally fixed a zero-day vulnerability (CVE-2026-20700) exploited in an "extremely sophisticated attack" targeting specific individuals, which allowed threat actors to execute arbitrary code on compromised devices.

Scaling Phishing Detection in SOCs

Updated: · First: 12.03.2026 15:30 · 📰 1 src / 1 article

Modern phishing attacks increasingly use trusted infrastructure, legitimate-looking authentication flows, and encrypted traffic to evade traditional detection methods. This poses significant challenges for Security Operations Centers (SOCs), as they struggle to handle the volume and sophistication of these attacks. The consequences include stolen corporate identities, account takeovers, lateral movement through SaaS and cloud platforms, delayed incident detection, operational disruption, financial impact, and regulatory consequences. To address these issues, CISOs are prioritizing the scaling of phishing detection to operate at the same speed and scale as the attacks themselves.

Meta Enhances Scam Protection for Messenger and WhatsApp

Updated: 12.03.2026 15:17 · First: 21.10.2025 18:03 · 📰 4 src / 6 articles

Meta has introduced new tools to protect users of Messenger and WhatsApp from scams: warnings about screen sharing during video calls on WhatsApp, a scam detection feature on Messenger, and a new security feature to help users spot potential scams when they are added to a group chat by unknown contacts. Meta also reported actions taken against fraudulent accounts and scam centers as part of its ongoing measures to combat scams, including romance baiting schemes operated by cybercrime syndicates in Southeast Asia, which often involve psychological manipulation and financial fraud. In 2025, Meta removed over 159 million scam ads and took down over 10.9 million accounts on Facebook and Instagram linked to criminal scam operations. Meta also collaborated with the FBI, the DOJ Scam Center Strike Force, and Thai police in a global law enforcement operation to disrupt scam centers in Southeast Asia that targeted users in the US, UK, and the APAC region; Thai police arrested 21 suspects and Meta shut down more than 150,000 accounts linked to the scam centers. In a similar operation conducted in December, Meta removed 59,000 accounts, pages, and groups across its platforms.

OAuth Consent Abuse Campaign Targets Multiple Organizations

Updated: · First: 12.03.2026 15:14 · 📰 1 src / 1 article

A large-scale OAuth consent abuse campaign, active in early 2025, involved 19 malicious applications impersonating well-known brands like Adobe, DocuSign, and OneDrive. The campaign targeted multiple organizations, exploiting 'consent fatigue' to gain access to users' sensitive data without needing their passwords. The access token obtained through this method was sent to the attacker's redirect URL, granting them unauthorized access to files or emails. The campaign was documented by Proofpoint in August 2025, highlighting the ongoing threat posed by malicious OAuth applications.

CISA Issues Emergency Directive for Cisco SD-WAN Vulnerabilities

Updated: 12.03.2026 14:45 · First: 25.02.2026 14:00 · 📰 2 src / 2 articles

CISA has issued Emergency Directive (ED) 26-03 to mitigate vulnerabilities in Cisco SD-WAN systems, which pose an unacceptable risk to federal networks. The directive requires immediate action from Federal Civilian Executive Branch (FCEB) agencies to inventory, collect artifacts, patch, hunt for evidence of compromise, and implement hardening measures. The directive follows collaborative efforts with international partners and emphasizes the critical need for immediate response due to the ease of exploitation of these vulnerabilities. Attackers are actively exploiting vulnerabilities in Cisco Catalyst SD-WAN infrastructure, with a critical authentication bypass vulnerability (CVE-2026-20127) allowing unauthenticated attackers to obtain administrative access.

Ransomware extortion totals $2.1B from 2022 to 2024, FinCEN reports

Updated: 12.03.2026 13:31 · First: 08.12.2025 23:07 · 📰 2 src / 3 articles

FinCEN's report reveals that ransomware gangs extorted over $2.1 billion from 2022 to 2024, with a peak in 2023 followed by a decline in 2024 due to law enforcement actions against major gangs like ALPHV/BlackCat and LockBit. The report details 4,194 ransomware incidents, with manufacturing, financial services, and healthcare being the most targeted industries. The top ransomware families, including Akira, ALPHV/BlackCat, and LockBit, were responsible for the majority of attacks and ransom payments, with Bitcoin being the primary payment method. Recently, the U.S. Department of Justice charged Angelo Martino, a former DigitalMint employee, for his involvement in a scheme with the BlackCat (ALPHV) ransomware operation. Martino shared confidential information with BlackCat operators and was directly involved in ransomware attacks alongside accomplices Kevin Tyler Martin and Ryan Goldberg. The defendants operated as BlackCat affiliates, demanding ransom payments and threatening to leak data stolen from victims' networks.

Adversarial Phishing Campaigns Exploit SOC Workloads

Updated: · First: 12.03.2026 13:30 · 📰 1 src / 1 article

Attackers are increasingly designing phishing campaigns to overwhelm Security Operations Centers (SOCs) by flooding them with low-sophistication emails, creating an informational denial-of-service (IDoS) condition. This tactic exploits the predictable failure modes of SOCs under high workload, leading to degraded investigation quality and increased risk of missing targeted spear-phishing attacks. The asymmetry in cost between attacker and defender favors attackers, as they can generate thousands of decoy emails at near-zero cost, while defenders incur significant analyst time and cognitive bandwidth. Organizations are now focusing on decision-ready AI triage to maintain investigation quality and speed regardless of volume, flipping the strategic advantage back to defenders.

Police Scotland Fined for Unauthorized Disclosure of Victim's Sensitive Data

Updated: · First: 12.03.2026 12:30 · 📰 1 src / 1 article

Police Scotland was fined £66,000 after sharing the entire contents of a female officer's phone with a colleague she accused of rape. The incident, which occurred in early 2021, involved the unauthorized disclosure of medical records, intimate photos, and personal contact details. The Information Commissioner’s Office (ICO) found that the force failed to implement appropriate security measures, minimize data sharing, and report the breach within the required 72-hour timeframe. The victim, a detective constable, was diagnosed with PTSD as a result of the incident.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

Updated: 12.03.2026 11:30 · First: 11.03.2026 18:20 · 📰 3 src / 3 articles

The Iranian hacktivist group Handala (a.k.a. Handala Hack Team) has claimed responsibility for a data-wiping attack against Stryker, a global medical technology company. The attack reportedly affected over 200,000 systems, servers, and mobile devices across Stryker’s offices in 79 countries. Handala claims to have stolen 50 terabytes of data before wiping tens of thousands of systems and servers. The group cited retaliation for a U.S. missile strike that killed 175 people, including children, as the motive. Stryker’s operations, particularly in Ireland, have been severely disrupted, with over 5,000 workers sent home. The attack utilized Microsoft Intune to issue remote wipe commands, causing significant operational downtime. Stryker confirmed the attack in an 8-K filing with the SEC, noting global disruption to the company’s Microsoft environment. The timeline for a full restoration of affected functions and systems access is not yet known, but Stryker has business continuity measures in place to support its customers and partners. Experts suggest Handala is more than a hacktivist group, with tactics and targeting consistent with Iranian state actors.