
Pre-Positioned Access: Iran-Linked MuddyWater’s Strategic Backdoor Campaign in US Networks

Stephen Green

Threat Intelligence Lead | Cyber Risk

sgreen@thomasmurray.com

The Iran-linked threat group MuddyWater conducted a cyber espionage campaign targeting multiple US and allied organisations, deploying stealthy backdoors to maintain long-term access. The operation is notable for its timing, as intrusions began before geopolitical tensions escalated, indicating a deliberate effort to pre-position access rather than react to events.

Targets included organisations across finance, transportation, non-profits, and defence-related sectors, suggesting a broad intelligence gathering objective. By compromising diverse industries, the attackers were able to establish footholds across critical domains and potentially monitor sensitive activities or prepare for future disruption.

A key component of the campaign was a new backdoor called “Dindoor” which uses the Deno runtime to execute commands and evade traditional detection methods. Alongside it, a Python-based tool known as “Fakeset” reflects continuity with previous operations, combining new techniques with established tooling. The attackers also attempted to exfiltrate data using legitimate tools like Rclone, blending malicious actions with normal system activity.

The most significant risk lies in the concept of pre-positioning. By gaining access ahead of potential conflict, attackers can later move quickly within networks, escalate privileges, or launch disruptive actions without needing to reestablish entry. Even if no immediate damage occurs, the presence of persistent access creates long-term exposure for affected organisations.

Overall, the campaign highlights a broader shift in cyber operations toward strategic, long-term positioning aligned with geopolitical objectives, where gaining and maintaining access can be as critical as executing attacks themselves. 
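The two living-off-the-land behaviours described above, Rclone pushing data to a remote and the Deno runtime launched with broad permissions, are the kind of thing a process-creation hunt can surface. The following is an added example written for this summary, not tooling from the original article or from the researchers it cites; the event field names and the sample events are constructed, and the Deno permission flags and Rclone sub-commands are the publicly documented ones.

```python
import re
import shlex

# Rclone sub-commands that move data, and the "remote:path" argument syntax.
# Remote names are assumed to be 2+ chars so a Windows drive like "C:\path" is not one.
RCLONE_MOVE_CMDS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:")
# Deno permission flags that grant network, process-spawn or file-write access.
DENO_RISKY_FLAGS = {"-A", "--allow-all", "--allow-net", "--allow-run", "--allow-write"}

# Constructed process-creation events; "image"/"cmdline" are this example's own field names.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\svc\AppData\Local\rclone\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Finance\Q3" gdrive:backup --transfers 8'},
    {"image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": "rclone.exe lsd gdrive:"},
    {"image": r"C:\Users\svc\AppData\Roaming\deno\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\svc\AppData\Roaming\svc\agent.js"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
]

def triage_event(event):
    """Return a list of finding strings for one event; empty when nothing matched."""
    findings = []
    image = re.split(r"[\\/]", event["image"].lower())[-1]
    argv = shlex.split(event["cmdline"], posix=False)  # keep Windows backslashes intact
    if image in ("rclone.exe", "rclone"):
        # Simplification: first non-flag token after the binary is the sub-command.
        sub = next((a.lower() for a in argv[1:] if not a.startswith("-")), "")
        remotes = [a for a in argv[1:] if REMOTE_RE.match(a)]
        if sub in RCLONE_MOVE_CMDS and remotes:
            findings.append(f"rclone {sub} to remote {remotes[0]}")
    elif image in ("deno.exe", "deno"):
        # "--allow-net=host" style flags are normalised to their name before matching.
        flags = DENO_RISKY_FLAGS.intersection(a.split("=")[0] for a in argv)
        if "run" in argv[1:] and flags:
            findings.append("deno run with " + ",".join(sorted(flags)))
    return findings

def triage_log(events):
    """Map event index -> findings for every event that produced at least one."""
    return {i: f for i, e in enumerate(events) if (f := triage_event(e))}

if __name__ == "__main__":
    for i, f in triage_log(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"], "->", f)
```

Listing-only Rclone commands and ordinary processes produce no finding, so the output is the two events worth a human look.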

https://www.theregister.com/2026/03/05/mudywater_backdoor_us_networks/


When Systems Fail: The Lloyds Banking Glitch That Exposed Other Customers’ Data

A technical failure within Lloyds Banking Group and its brands, Halifax and Bank of Scotland, led to a serious incident in which customers were briefly shown transaction data belonging to other users. The issue affected both mobile and online banking platforms, creating confusion and concern as individuals noticed unfamiliar payments and account activity appearing in their transaction histories.

The problem wasn’t caused by a cyberattack but by an internal system error that disrupted how account data was displayed. During the outage, some users could see purchases, transfers, and financial details that clearly did not belong to them. In certain cases, this included multiple transactions from entirely different accounts, raising immediate fears of fraud or account compromise. Despite this, account balances themselves remained correct, and there was no evidence that unauthorised parties accessed or moved funds.

The incident appeared suddenly and impacted multiple customers at once, with reports spreading quickly as people tried to understand what was happening. The visibility of other users’ financial data, even for a short period, highlighted a critical failure in data separation within the system. Although the issue was resolved relatively quickly, it exposed how even a temporary malfunction in a digital banking environment can lead to significant privacy concerns.

An apology was issued, and an internal investigation was launched to determine the root cause and prevent similar failures. The situation underscores the importance of system reliability and proper data isolation in financial services, where even minor technical errors can have consequences similar to those of a data breach.

More broadly, the incident illustrates that not all major data exposure events stem from malicious actors. Internal failures, especially in complex, large-scale digital systems, can create comparable risks, affecting user trust and raising questions about operational resilience in modern banking environments. 

https://www.bbc.com/news/articles/c4g23npxpwgo


Mass Extortion at Scale: ShinyHunters’ Campaign Against Salesforce Data

The cybercriminal group ShinyHunters has launched a large-scale extortion campaign claiming to have stolen data from hundreds of organisations through their use of Salesforce platforms. The group alleges that it accessed information from as many as 400 companies and is now threatening to release the stolen data unless ransom demands are met, following its typical “pay or leak” strategy. 

The campaign appears to focus on Salesforce environments, particularly those connected to public-facing portals such as Experience Cloud. Instead of exploiting a direct vulnerability in the core platform, the attackers are believed to have taken advantage of misconfigured settings, especially overly permissive guest user access, which allowed them to extract sensitive customer relationship management (CRM) data without proper authentication. 

The type of data potentially exposed includes customer records, such as names, contact details, and internal business information. While not always financial in nature, this data is still highly valuable, as it can be used for follow-on attacks like phishing, social engineering, or further intrusion into corporate systems. The scale of the campaign significantly increases its impact, as it spans multiple industries and affects both large enterprises and smaller organisations relying on Salesforce infrastructure. 

A key characteristic of this operation is its reliance on relatively simple but effective techniques, rather than highly sophisticated exploits. In many cases, attackers have combined misconfigurations with social engineering methods, such as impersonating IT staff or manipulating access controls, to gain entry into systems. This highlights a recurring weakness in modern cloud environments: security often depends not only on the platform itself, but on how it is configured and managed by each organisation. 

Once access is obtained, the attackers extract data and move quickly to the extortion phase, contacting victims with threats to publish the information. This approach reflects a broader trend in cybercrime, where data theft is immediately monetised through pressure tactics rather than long-term espionage. The credibility of these threats is reinforced by the group’s history of carrying out similar attacks and leaking data when victims refuse to pay. 

The situation also underscores the growing risks associated with SaaS ecosystems, where a single misconfiguration can expose large volumes of centralised data. Because platforms like Salesforce integrate deeply into business operations, they become high-value targets for attackers seeking scalable access across multiple organisations. As a result, even companies with strong internal security can be affected if their cloud environments are not properly configured or monitored.

Overall, the campaign demonstrates how cybercriminal groups are increasingly operating at scale, targeting shared platforms to maximise impact and efficiency. By combining misconfiguration abuse, social engineering, and aggressive extortion tactics, ShinyHunters has created a model that allows them to compromise many organisations simultaneously and pressure them into paying under the threat of widespread data exposure. 

https://hackread.com/shinyhunters-hackers-threat-stolen-salesforce-data/


Hiring as an Attack Vector: How Fake Resumes Are Being Weaponised Against Enterprises

A new phishing campaign is targeting corporate environments by using fake job applications as a delivery mechanism for malware, turning what appears to be a routine hiring process into an entry point for cyber intrusion. Attackers send emails containing resume files that are actually malicious scripts, designed to trick recruiters or HR personnel into opening them. Once executed, these files silently initiate a complex infection chain that enables credential theft, data exfiltration, and cryptocurrency mining within the victim’s system. 

The attack relies on heavily obfuscated Visual Basic Script (VBScript) files disguised as legitimate CV documents. When opened, the file may display a fake error message to avoid suspicion, while in the background it executes malicious code. This code performs environment checks to ensure the target is part of a corporate network, meaning the campaign is specifically optimised to compromise enterprise systems rather than personal devices. 

Once the malware gains execution, it attempts to escalate privileges and disable security protections. It modifies system settings, creates exclusions in security tools, and establishes persistence mechanisms to maintain access. The payload is then expanded by downloading additional components from legitimate services such as cloud storage platforms, allowing the attackers to blend malicious activity with normal network traffic and evade detection. 

The toolkit deployed on infected machines is multi-functional. It includes components designed to steal credentials from browsers, extract files from the system, and send the data back to attacker-controlled infrastructure. At the same time, it installs a cryptocurrency miner, effectively turning compromised enterprise machines into resources for generating illicit profit. This dual monetisation strategy, combining data theft with resource hijacking, maximises the value of each successful compromise. 

One of the most notable aspects of the campaign is its speed and efficiency. The entire attack chain, from opening the malicious resume to completing data exfiltration, can occur in under half a minute. This rapid execution significantly reduces the window for detection and response, making it particularly dangerous for organisations that rely on traditional security monitoring methods. 

After completing its objectives, the malware attempts to remove traces of its activity by deleting temporary tools and cleaning up artifacts, leaving behind only the core components needed for persistence and mining. This deliberate effort to minimise forensic evidence makes incident response and investigation more difficult. 

Overall, the campaign demonstrates how attackers are increasingly exploiting everyday business processes, such as recruitment, to bypass technical defences and directly target human workflows. By disguising malware as resumes and focusing on enterprise environments, this approach combines social engineering with technical sophistication, highlighting a growing trend where routine corporate interactions become high-risk attack surfaces.
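A mail-gateway or SOC triage step for the lure described above, a script file dressed up as a CV, can combine filename checks with simple content heuristics for obfuscated VBScript. This is an added example for this summary, not code from the article or the researchers behind it; the thresholds, marker patterns and the two sample attachments are constructed assumptions, and the sample script body is deliberately harmless.

```python
import re

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt"}
RESUME_WORDS = re.compile(r"(?<![a-z0-9])(cv|resume|curriculum)(?![a-z0-9])", re.I)
# Markers often seen in obfuscated or defence-tampering VBScript (heuristic assumptions).
VBS_MARKERS = {
    "dynamic_exec": re.compile(r"\b(Execute|ExecuteGlobal|Eval)\s*\(", re.I),
    "shell_object": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"', re.I),
    "av_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion", re.I),
}
CHR_CALL = re.compile(r"\bChrW?\s*\(\s*\d+\s*\)", re.I)

# Constructed sample: decoy error message, shell object, and a Chr()-encoded Execute.
SAMPLE_VBS = (
    b'MsgBox "The file is corrupt"\r\n'
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'Execute(Chr(77)&Chr(115)&Chr(103)&Chr(66)&Chr(111)&Chr(120)&Chr(32)&Chr(49))\r\n'
)

def triage_attachment(filename, content):
    """Score one inbound attachment; returns (score, reasons)."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)  # up to two trailing extensions
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension {ext}")
        if inner in DOC_EXTS:
            reasons.append(f"document extension {inner} hides {ext}")
        if RESUME_WORDS.search(filename):
            reasons.append("resume-themed name on a script")
        text = content.decode("latin-1")
        chr_calls = len(CHR_CALL.findall(text))
        # Roughly one Chr() per 25 bytes or denser (threshold is an assumption for this example).
        if chr_calls >= 4 and chr_calls * 25 > len(text):
            reasons.append("dense Chr() encoding")
        for name, pattern in VBS_MARKERS.items():
            if pattern.search(text):
                reasons.append(name)
    return len(reasons), reasons

if __name__ == "__main__":
    print(triage_attachment("John_Doe_CV.pdf.vbs", SAMPLE_VBS))
    print(triage_attachment("Jane_Smith_Resume.pdf", b"%PDF-1.7 constructed stub"))
```

A genuine PDF resume scores zero because no script extension is present, so the content heuristics never run on it.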

https://thehackernews.com/2026/03/hackers-use-fake-resumes-to-steal.html


Fake Apps, Real Surveillance: How Handala Targets Windows Users Through Social Engineering

A warning from the Federal Bureau of Investigation highlights an ongoing cyber campaign by the Iran-linked Handala Hack Team, which is using fake applications to spy on Windows users and steal sensitive information. The operation relies less on exploiting technical vulnerabilities and more on manipulating human behaviour, making it particularly effective against targeted individuals such as journalists, activists, and other high-interest profiles. 

The attackers distribute malware disguised as legitimate software, including fake versions of widely used applications like WhatsApp, Telegram, and password management tools. Victims are typically approached through social engineering tactics, where attackers impersonate trusted contacts or technical support personnel and convince them to download what appears to be a helpful update or utility. In reality, these files are malicious executables designed to install spyware on the victim’s system. 

Once installed, the malware provides extensive surveillance capabilities. It can record screen activity, capture audio, monitor communications, and collect files from the infected device. Some variants are capable of spying on video calls or online meetings without the user’s awareness, significantly increasing the level of intrusion. After gathering data, additional malware components are deployed to package and exfiltrate the information to attacker-controlled servers, enabling long-term intelligence collection. 

This campaign is part of a broader pattern of activity linked to Iranian intelligence operations. The Handala group has been associated with cyber-espionage, data leaks, and disruptive attacks, often aligned with geopolitical objectives. Its operations combine phishing, malware deployment, and psychological tactics, reflecting a hybrid approach that blends traditional cyber intrusion with influence and intimidation strategies. 

A key aspect of the threat is its simplicity. Rather than relying on sophisticated exploits, the attackers exploit trust and routine digital behaviour, such as downloading software or responding to messages from seemingly legitimate sources. This makes the campaign difficult to defend against using purely technical controls, as the initial compromise often depends on user interaction rather than system weaknesses.

The situation underscores a broader trend in cybersecurity, where social engineering is becoming a primary attack vector, especially in targeted espionage campaigns. By disguising malware as familiar applications and leveraging direct communication with victims, attackers can bypass many traditional defences and gain deep access to personal and organisational data.

https://hackread.com/fbi-iran-handala-hack-group-fake-apps-spy-windows/

Managing Risk of AI Adoption


AI is transforming how organisations across the globe work, from powering internal knowledge hubs and embedding tools like Copilot in Teams, to generating production-ready code. But every innovation brings new cyber risks, compliance challenges, and attack surfaces. By utilising our AI code testing service, you can ensure your AI deployments are resilient, compliant, and ready for the real world.
