
Crimson Collective campaign expands across multiple victims

Campaign
H score 43
2 unique sources, 2 articles

Summary


Crimson Collective is running an active AWS cloud extortion campaign that targets cloud environments to steal data and pressure companies for payment. The operation has been unfolding over the past weeks, creating multi-victim risk across exposed cloud accounts. It has been tied to the Red Hat breach claim, where the group said it exfiltrated 570 GB from thousands of private GitLab repositories. The campaign combines credential abuse, privilege escalation, data theft, and extortion messaging.

Related Happenings

CISA contractor GitHub repository exposed internal credentials

Data Leak
First: 18.05.2026 23:48 Last: 18.05.2026 23:48 Sources 1

About this happening: A **CISA contractor** left a public **GitHub repository** exposing **AWS GovCloud credentials** and internal access material, creating a serious **data leak** involving sensitive...

Latest development: 22.05.2026 19:34

On May 19, Sen. Maggie Hassan and Rep. Bennie Thompson, with Rep. Delia Ramirez co-signing Thompson’s letter, sent separate letters to CISA demanding answers about the Private-CISA GitHub leak and warning that the credential exposure raised serious concerns about CISA’s internal policies, contract support, and security culture.

PCPJack credential theft framework worms across exposed cloud infrastructure

Malware Activity
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: The **PCPJack** malware activity is extending a **credential-theft** operation across **exposed cloud infrastructure**, stripping **TeamPCP** artifacts and stealing access from se...

PCPJack TeamPCP-targeting cloud credential theft campaign

Campaign
First: 08.05.2026 12:00 Last: 08.05.2026 12:00 Sources 1

About this happening: A new **PCPJack** campaign is targeting **TeamPCP victims** by **worming across exposed cloud infrastructure**, creating a fresh risk of credential theft and unauthorized reuse of...

Amazon SES phishing and BEC abuse campaign

Campaign
First: 04.05.2026 23:03 Last: 04.05.2026 23:03 Sources 1

About this happening: A phishing campaign is abusing Amazon Simple Email Service (SES) to send convincing emails that can bypass standard authentication and reputation-based defenses. Attackers are usi...

Triad Nexus investment scam and brand impersonation campaign targeting emerging markets

Campaign
First: 14.04.2026 15:00 Last: 14.04.2026 15:00 Sources 1

About this happening: The **Triad Nexus** campaign is continuing to run **large-scale investment scams** and **brand impersonation**, expanding into **emerging markets** and driving higher fraud losses...

Timeline

  1. 08.10.2025 20:33 3 articles · 7mo ago

    Crimson Collective AWS cloud extortion campaign

    Campaign Scope Update

    Crimson Collective has been targeting AWS cloud environments over the past weeks to steal data and extort companies. In the Red Hat case, the group claimed that it exfiltrated 570 GB from thousands of private GitLab repositories, and it pressured the company for ransom. The operation abuses long-term AWS access keys and IAM accounts, uses TruffleHog to find exposed AWS credentials, creates new IAM users and access keys, attaches AdministratorAccess, modifies RDS master passwords, exports snapshots to S3, snapshots EBS volumes, launches EC2 instances, and sends extortion notes through AWS Simple Email Service (SES).

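As an added example (not taken from the tracked sources), the IAM, RDS, EBS and EC2 steps in the timeline entry above can be hunted for in CloudTrail by counting how many distinct steps a single long-term access key performs. The mapping from steps to CloudTrail event names, the threshold, the helper names and the sample events are assumptions of this example; the SES step is left out.

```python
from collections import defaultdict

ADMIN_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
# (eventSource, eventName) -> campaign step from the timeline entry.
# This mapping is the example's assumption, not a list published by the sources.
STEPS = {
    ("iam.amazonaws.com", "CreateUser"): "new IAM user",
    ("iam.amazonaws.com", "CreateAccessKey"): "new access key",
    ("iam.amazonaws.com", "AttachUserPolicy"): "AdministratorAccess attached",
    ("rds.amazonaws.com", "ModifyDBInstance"): "RDS master password changed",
    ("rds.amazonaws.com", "StartExportTask"): "RDS snapshot exported to S3",
    ("ec2.amazonaws.com", "CreateSnapshot"): "EBS volume snapshot",
    ("ec2.amazonaws.com", "RunInstances"): "EC2 instance launched",
}

def ev(key, service, name, **params):
    """Build a minimal CloudTrail-shaped record (constructed sample data only)."""
    return {"userIdentity": {"accessKeyId": key}, "eventName": name,
            "eventSource": service + ".amazonaws.com", "requestParameters": params}

def classify(event):
    """Return the campaign step this event matches, or None."""
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    if name == "AttachUserPolicy" and params.get("policyArn") != ADMIN_ARN:
        return None  # only the AdministratorAccess managed policy counts
    if name == "ModifyDBInstance" and "masterUserPassword" not in params:
        return None  # other instance modifications are not a password reset
    return STEPS.get((event.get("eventSource"), name))

def flag_keys(events, threshold=3):
    """Map each long-term access key to its matched steps if it reaches threshold."""
    seen = defaultdict(set)
    for e in events:
        key = (e.get("userIdentity") or {}).get("accessKeyId", "")
        step = classify(e)
        # AKIA prefixes mark long-term IAM user keys; ASIA keys are temporary STS credentials.
        if step and key.startswith("AKIA"):
            seen[key].add(step)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= threshold}

SAMPLE = [  # constructed events, not real logs
    ev("AKIACONSTRUCTED00001", "iam", "CreateUser", userName="placeholder-user"),
    ev("AKIACONSTRUCTED00001", "iam", "CreateAccessKey", userName="placeholder-user"),
    ev("AKIACONSTRUCTED00001", "iam", "AttachUserPolicy", policyArn=ADMIN_ARN),
    ev("AKIACONSTRUCTED00001", "rds", "ModifyDBInstance", masterUserPassword="****"),
    ev("AKIACONSTRUCTED00002", "iam", "AttachUserPolicy",
       policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    ev("AKIACONSTRUCTED00002", "ec2", "RunInstances"),
    ev("ASIACONSTRUCTED00003", "iam", "CreateUser", userName="placeholder-user"),
]
```

Calling `flag_keys(SAMPLE)` flags only the first key, which performs four distinct steps; restricting the count to `AKIA` keys follows the entry's focus on long-term access keys and would miss the same sequence run with temporary credentials.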