Find notable cyber news and cases, enriched with sources, timelines, and signals.

Infostealer malware operation targeting online store users

Malware Activity
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A malware operation using infostealer tools infected users’ devices between 2024 and 2025, stealing browser sessions and account credentials that enabled account theft and unauthorized purchases. The operation affected 28,000 customer accounts, making it a significant credential-theft and fraud event. It also shows how session tokens can be abused to bypass normal account protections.

Related Happenings

Icarus Salesforce data-theft extortion campaign

Campaign
H score42 First: 18.06.2026 17:19 Last: 18.06.2026 17:19 Sources 1

About this happening: The **Icarus** extortion campaign is actively stealing **Salesforce CRM data** from **multiple organizations**, expanding pressure on victims and showing a repeatable cloud-app ab...

Latest development: 23.06.2026 16:58

LastPass says an unauthorized actor used OAuth tokens stolen from Klue to access LastPass customer data in its Salesforce environment, potentially exposing customer names, phone numbers, email addresses, physical addresses, support case information, and sales/CRM data; LastPass says its products, services, infrastructure, and customer vaults were not affected, rotated the exposed API/OAuth tokens, disabled employee access to Klue, and notified law enforcement.

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

An 18-year-old man from had assets seized in suspected infostealer operator investigation

Law Enforcement
H score28 First: 21.05.2026 00:36 Last: 21.05.2026 00:36 Sources 1

How related: At this stage, authorities have identified the suspect, conducted searches, and seized devices and other evidence allegedly linking him to the operation.

About this happening: **Ukrainian cyberpolice** and **U.S. law enforcement** identified a suspected **infostealer** operator and executed **searches and seizures** in a cross-border cybercrime investig...

W3LL Microsoft 365 adversary-in-the-middle phishing campaign

Campaign
H score39 First: 13.04.2026 21:55 Last: 13.04.2026 21:55 Sources 1

About this happening: The **W3LL** phishing operation turned into a high-volume **Microsoft 365** credential-theft campaign, exposing **more than 17,000 victims worldwide** to **BEC** risk. The kit use...

Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations

Threat Actor Meta
H score82 First: 05.03.2026 08:51 Last: 05.03.2026 08:51 Sources 1

About this happening: **Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....

Latest development: 17.05.2026 17:43

eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.

Timeline

  1. 21.05.2026 00:36 2 articles · 1mo ago

    Ukrainian cyberpolice identify Odesa infostealer suspect

    Initial Disclosure

    Ukrainian cyberpolice working with U.S. law enforcement identified an 18-year-old from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. The operation allegedly used information-stealing malware between 2024 and 2025 to infect devices, steal browser sessions and account credentials, and process stolen session data through online resources and Telegram bots. Authorities said the campaign impacted 28,000 customer accounts, 5,800 accounts were used for unauthorized purchases totaling about $721,000, and direct losses reached $250,000 including chargebacks; police also conducted searches, seized devices and other evidence, and noted that session tokens can sometimes bypass MFA checks.

    Show sources