hashpwn

Infosec News

cyclone (Admin) #98

    Russian-linked Infostealer Hiding in Blender 3D Files


    Morphisec recently tracked a campaign weaponizing malicious .blend files uploaded to 3D model marketplaces like CGTrader. These models contain embedded Python that executes automatically when Blender’s Auto Run feature is enabled.

    Once opened, the script pulls a loader from a Cloudflare Workers domain, which then delivers a PowerShell stage responsible for fetching two ZIP payloads (ZalypaGyliveraV1 and BLENDERX). These unpack into %TEMP%, create Startup LNKs for persistence, and drop both StealC V2 and an auxiliary Python-based stealer.

    StealC’s latest version extends support for data theft from:

    • 23+ browsers, including Chrome 132+
    • 100+ crypto wallet extensions and 15+ standalone crypto apps
    • Telegram, Discord, Tox, Pidgin, VPN clients (ProtonVPN, OpenVPN), and mail clients (Thunderbird)
    • UAC bypass

    The variant analyzed reportedly had zero detections on VirusTotal, highlighting how quickly StealC’s developers are iterating.

    Because Blender can auto-execute Python and marketplaces cannot inspect uploaded scripts, 3D assets now pose real supply-chain risk. Anyone pulling models from untrusted sources should disable auto execution:

    • Blender → Edit → Preferences → uncheck “Auto Run Python Scripts”

    Treat .blend files as potentially executable content and test untrusted assets in sandboxes or isolated VMs.

Sources:

    • https://www.infosecurity-magazine.com/news/russian-malware-blender-3d-files/
    • https://www.bleepingcomputer.com/news/security/malicious-blender-model-files-deliver-stealc-infostealing-malware/

    Sysadmin by day | Hacker by night | Go Developer | hashpwn site owner
    3x RTX 4090

cyclone (Admin) #99

      ShadyPanda Extension Campaign Hits 4.3 Million Users Across Chrome and Edge


      Security researchers at Koi Security have uncovered a long-running browser extension operation known as ShadyPanda, affecting over 4.3 million installs across Google Chrome and Microsoft Edge.

      The campaign operated in four phases beginning in 2018. Many extensions originally appeared legitimate, with some even gaining trust badges and large userbases before receiving malicious updates.


      Key Findings

      • 145 total malicious extensions were identified (20 Chrome, 125 Edge).
      • Early activity (2023) involved affiliate fraud by injecting tracking codes into eBay, Booking.com, and Amazon links.
      • Search hijacking (2024) redirected queries through trovi.com while exfiltrating cookies and search data.
      • Five extensions were later updated with a full backdoor, checking api.extensionplay[.]com hourly to download and execute arbitrary JavaScript with full browser API access.
      • Stolen data included browsing history, search queries, cookies, fingerprinting data, keystrokes, and mouse clicks.
      • Data was sent to multiple servers, including api.cleanmasters[.]store and 17 domains in China.
      • One extension, Clean Master, was previously featured and verified by Google before being weaponized.
      • WeTab 新标签页 (3 million installs) and Infinity New Tab (Pro) (650k installs) remain live on the Microsoft Edge Add-ons store at the time of reporting.

      Impact

      The malicious updates allowed:
      • Remote code execution through hourly payload retrieval
      • Browser-level surveillance
      • Search hijacking and manipulation
      • Potential credential theft via adversary-in-the-middle techniques

      Recommendations

      Users who installed any affected extensions should:

      1. Remove them immediately
      2. Reset all account passwords
      3. Monitor accounts for unusual activity

      Koi Security notes that the abuse of the browser auto-update pipeline allowed attackers to weaponize trusted extensions without user interaction. Google has removed the known malicious Chrome extensions; Microsoft has been notified but some listings remain active.


      Sources:

      • https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/
      • https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html

freeroute (Moderator) #100

        Record 29.7 Tbps DDoS Attack Linked to AISURU Botnet with up to 4 Million Infected Hosts
        Cloudflare on Wednesday said it detected and mitigated the largest ever distributed denial-of-service (DDoS) attack that measured at 29.7 terabits per second (Tbps).

        The activity, the web infrastructure and security company said, originated from a DDoS botnet-for-hire known as AISURU, which has been linked to a number of hyper-volumetric DDoS attacks over the past year. The attack lasted for 69 seconds. It did not disclose the target of the attack.

        The botnet has prominently targeted telecommunication providers, gaming companies, hosting providers, and financial services. Also tackled by Cloudflare was a 14.1 Bpps DDoS attack from the same botnet. AISURU is believed to be powered by a massive network comprising an estimated 1-4 million infected hosts worldwide.
        ...
As many as 36.2 million DDoS attacks were thwarted in 2025, of which 1,304 were network-layer attacks exceeding 1 Tbps, up from 717 in Q1 2025 and 846 in Q2 2025. Some of the other notable trends observed in Q3 2025 are listed below:

        • The number of DDoS attacks that exceeded 100 million packets per second (Mpps) increased by 189% QoQ.

        • Most attacks, 71% of HTTP DDoS and 89% of network layer, end in under 10 minutes.

        • Seven out of the 10 top sources of DDoS are locations within Asia, including Indonesia, Thailand, Bangladesh, Vietnam, India, Hong Kong, and Singapore. The other three sources are Ecuador, Russia, and Ukraine.

        • DDoS attacks against the mining, minerals, and metals industry surged, making it the 49th most attacked sector globally.

        • The automotive industry saw the largest increase in DDoS attacks, placing it as the sixth most attacked sector globally.

        • DDoS attack traffic against artificial intelligence (AI) companies spiked by 347% in September 2025

        • Information technology, telecommunications, gambling, gaming, and internet services topped the list of most attacked sectors.

        • China, Turkey, Germany, Brazil, the U.S., Russia, Vietnam, Canada, South Korea, and the Philippines were the most attacked countries.

        • Nearly 70% of HTTP DDoS attacks originated from known botnets.


        Source:

        • https://thehackernews.com/2025/12/record-297-tbps-ddos-attack-linked-to.html?m=1
freeroute (Moderator) #101

          Critical flaw in WordPress add-on for Elementor exploited in attacks

Attackers are exploiting a critical-severity privilege escalation vulnerability (CVE-2025-8489) in the King Addons for Elementor plugin for WordPress, which lets them obtain administrative permissions during the registration process.

          The threat activity started on October 31, just a day after the issue was publicly disclosed. So far, the Wordfence security scanner from Defiant, a company that provides security services for WordPress websites, has blocked more than 48,400 exploit attempts.

          King Addons is a third-party add-on for Elementor, a popular visual page builder plugin for WordPress sites. It is used on roughly 10,000 websites, providing additional widgets, templates, and features.

CVE-2025-8489, discovered by researcher Peter Thaleikis, is a flaw in the plugin’s registration handler that allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions.

According to observations from Wordfence, attackers send a crafted ‘admin-ajax.php’ request specifying ‘user_role=administrator’ to create rogue admin accounts on targeted sites.

The researchers noticed a peak in the exploitation activity between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts).

          Wordfence provides a more extensive list of offensive IP addresses and recommends that website administrators look for them in the log files. The presence of new administrator accounts is also a clear sign of compromise.

Website owners are advised to upgrade to version 51.1.35 of King Addons, which addresses CVE-2025-8489, released on September 25.

          Wordfence researchers are also warning of another critical vulnerability in the Advanced Custom Fields: Extended plugin, active on more than 100,000 WordPress websites, which can be exploited by an unauthenticated attacker to execute code remotely.

          The flaw affects versions 0.9.0.5 through 0.9.1.1 of the plugin and is currently tracked as CVE-2025-13486. It was discovered and reported responsibly by Marcin Dudek, the head of the national computer emergency response team (CERT) in Poland.

The vulnerability is “due to the function accepting user input and then passing that through call_user_func_array(),” Wordfence explains.

          “This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts.”

          The security issue was reported on November 18, and the plugin vendor addressed it in version 0.9.2 of Advanced Custom Fields: Extended, released a day after receiving the vulnerability report.

          Given that the flaw can be leveraged without authentication only through a crafted request, the public disclosure of technical details is likely to generate malicious activity.

          Website owners are advised to move to the latest version as soon as possible or disable the plugin on their sites.


          Source: https://www.bleepingcomputer.com/news/security/critical-flaw-in-wordpress-add-on-for-elementor-exploited-in-attacks/

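An added triage example for the two checks the post above recommends (not code from the post, from Wordfence, or from the plugin): scanning web-server access logs for the two named source addresses hitting admin-ajax.php, and listing administrator accounts registered on or after the October 31 start of exploitation. The log lines and user rows are constructed for the example, and the parser assumes the Apache/Nginx combined log format.

```python
"""Triage helpers for the King Addons for Elementor reports (CVE-2025-8489).

Two defender-side checks: (1) which of the reported source IPs posted to
admin-ajax.php, and (2) which administrator accounts appeared after the
exploitation start date. Sample data below is constructed, not real logs.
"""
import re
from datetime import datetime

# The two most active source addresses named in the post (Wordfence data).
REPORTED_IPS = {"45.61.157.120", "2602:fa59:3:424::1"}

# Exploitation began on October 31 according to the post; admin accounts
# created on or after this date deserve a look.
EXPLOIT_START = datetime(2025, 10, 31)

# Combined log format; the client field may be IPv4 or IPv6.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_ajax_requests(lines):
    """Return {ip: count} of POSTs to admin-ajax.php from REPORTED_IPS.

    The rogue 'user_role=administrator' parameter travels in the POST body,
    which access logs do not record, so source IP plus endpoint is the
    signal available here; the body itself would need a WAF or app log.
    """
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        path = m["path"].split("?")[0]
        if (m["ip"] in REPORTED_IPS and m["method"] == "POST"
                and path.endswith("/wp-admin/admin-ajax.php")):
            hits[m["ip"]] = hits.get(m["ip"], 0) + 1
    return hits


def flag_new_admins(users):
    """Return logins of administrator accounts registered on/after EXPLOIT_START.

    Each row is (user_login, user_registered 'YYYY-MM-DD HH:MM:SS',
    wp_capabilities meta value). WordPress stores capabilities as a
    PHP-serialized array such as a:1:{s:13:"administrator";b:1;}.
    """
    suspects = []
    for login, registered, caps in users:
        is_admin = '"administrator";b:1' in caps
        when = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if is_admin and when >= EXPLOIT_START:
            suspects.append(login)
    return suspects


# Constructed sample access-log lines (not from any real site).
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:03:12:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '45.61.157.120 - - [09/Nov/2025:03:12:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2602:fa59:3:424::1 - - [10/Nov/2025:11:05:01 +0000] "POST /wp-admin/admin-ajax.php?nocache=1 HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Nov/2025:11:06:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2025:11:06:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Constructed wp_users/wp_usermeta rows: one legitimate admin, one editor,
# and one admin created minutes after the suspicious POSTs above.
SAMPLE_USERS = [
    ("siteowner", "2023-04-02 09:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("editor_jane", "2025-11-02 14:20:10", 'a:1:{s:6:"editor";b:1;}'),
    ("wp_sysadm", "2025-11-09 03:12:46", 'a:1:{s:13:"administrator";b:1;}'),
]

if __name__ == "__main__":
    print("admin-ajax.php POSTs from reported IPs:", flag_ajax_requests(SAMPLE_LOG))
    print("admin accounts created since Oct 31:", flag_new_admins(SAMPLE_USERS))
```

On a real site, feed the script the web server's access log and the output of a query joining wp_users to wp_usermeta on meta_key = 'wp_capabilities' (the table prefix may differ).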
cyclone (Admin) #102

Massive 16 Terabyte Database With 4.3 Billion Records Leaked


            A massive unprotected MongoDB instance containing over 4.3 billion records and totaling roughly 16 TB of data was discovered exposed online. The dataset included highly structured professional and corporate intelligence data, much of it clearly scraped from LinkedIn and enriched through lead-generation pipelines. The exposed collections contained PII such as full names, emails, phone numbers, LinkedIn profile URLs, employment history, skills, education, location data, and even photographs.

            The leak, uncovered by cybersecurity researcher Bob Diachenko on November 23rd, 2025, consisted of nine major collections. Three of those - profiles, unique_profiles, and people - alone contained nearly 2 billion individual PII-rich entries. The dataset also referenced an “Apollo ID”, suggesting potential linkage to Apollo-style sales intelligence ecosystems or enrichment tools.

            The structured nature of the data, combined with its massive scale, makes it extremely attractive to threat actors. Attackers could weaponize the PII for targeted phishing, CEO fraud, corporate reconnaissance, credential stuffing, and AI-assisted social engineering at unprecedented volume. With up-to-date professional metadata, malicious operators can automatically craft convincing spear-phishing messages or build large internal mapping structures of corporate roles and contacts.

            The exposed database was secured on November 25th, the day after responsible disclosure, but it is unknown how long it had been publicly accessible. Given the size and organization of the dataset, researchers warn that malicious parties may have already accessed it.

            This exposure adds to a growing trend of massive, scraping-driven data leaks, which now routinely exceed billions of records and blur the line between legally scraped data and high-risk breach material.


            Sources:

            • https://cybernews.com/security/database-exposes-billions-records-linkedin-data/
            • https://www.tomsguide.com/computing/online-security/4-3-billion-job-documents-left-unsecured-online-names-emails-phone-numbers-and-linkedin-data-exposed

cyclone (Admin) #103

              SoundCloud Confirms Data Breach


              SoundCloud has confirmed a security breach after users reported widespread outages and 403 errors when accessing the platform through VPNs. According to the company, the issues were caused by its incident response after detecting unauthorized access to an ancillary service dashboard.

              SoundCloud stated that a threat actor accessed a limited database containing user email addresses and information already visible on public profiles. The company said no passwords, financial data, or other sensitive information were exposed.

              Sources cited by BleepingComputer estimate the breach impacts roughly 20 percent of SoundCloud’s user base, potentially affecting around 28 million accounts. SoundCloud says all unauthorized access has been blocked and that there is no ongoing risk.

              As part of its response, SoundCloud implemented security configuration changes that disrupted VPN connectivity. The company has not provided a timeline for restoring full VPN access. It also reported experiencing denial-of-service attacks following the incident, briefly affecting site availability.

              While SoundCloud has not named the attackers, BleepingComputer reports that the ShinyHunters extortion group is allegedly behind the breach and is attempting to extort the company after stealing user data.


              Sources:

              • https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/
              • https://cyberinsider.com/soundcloud-users-with-active-vpn-connections-are-getting-403-errors/

cyclone (Admin) #104

                2025 Cybersecurity Predictions vs Reality


                This article reviews 90+ predictions from 36 cybersecurity experts and compares them to what actually occurred in 2025. The main finding: most predictions were accurate, especially those focused on AI amplifying existing threats rather than creating new ones.

                Key Outcomes

1. AI Amplified Existing Attacks
• AI was widely adopted by attackers to scale and automate known techniques.
• Observed uses included AI-assisted phishing, automated recon, and malware with runtime code mutation to evade detection.
• Underground markets began selling configurable AI-powered attack tools.
• AI reduced the skill barrier and increased attack speed and volume.

Result: Prediction confirmed. AI increased efficiency, not novelty.

2. SaaS, Cloud, and Identity Became the Main Attack Surface
• SaaS misconfigurations, excessive permissions, insecure APIs, and third-party integrations were major breach drivers.
• Identity and access failures eclipsed traditional perimeter security issues.
• Large-scale cloud outages were often caused by configuration errors.

Result: Prediction confirmed. Identity and SaaS security became critical weaknesses.

3. Ransomware Fragmented Further
• Law enforcement pressure led to more, smaller ransomware groups rather than fewer.
• 30 to 40 percent increase in active ransomware operators.
• Affiliates increasingly moved between groups, complicating attribution.

Result: Prediction confirmed. Ransomware evolved into a fragmented ecosystem.

4. Supply Chain Attacks Increased
• Enterprises were compromised through trusted vendors and enterprise software.
• SaaS and third-party providers became common initial access vectors.

Result: Prediction confirmed. Vendor risk became a primary concern.

5. Data Became the Core Security Asset
• Data protection and governance overtook infrastructure as the main security focus.
• Large credential leaks and AI training on sensitive data accelerated this shift.
• Data visibility and classification became prerequisites for AI use.

Result: Prediction confirmed. Data security underpins most modern risks.

6. Regulation Added Complexity Without Reducing Attacks
• Increased compliance and reporting requirements did not deter attackers.
• Regulatory burden primarily impacted internal operations, not threat actors.

Result: Prediction confirmed. Regulation did not materially change the threat landscape.


                Bottom Line
                2025 validated long-standing warnings rather than introducing new threat classes.
                The biggest risks were known problems amplified by AI, automation, and scale, not futuristic scenarios.


                Source:

                • https://cybernews.com/news/did-cybersecurity-expert-predictions-2025-come-true/

cyclone (Admin) #105

                  Verizon Nationwide Outage (Jan. 14, 2026)


                  Verizon Communications experienced a major nationwide wireless network outage beginning around midday on January 14, 2026, disrupting voice, text, and mobile data services across the United States for approximately ten hours. Customers reported their phones showing “SOS” or “SOS-only” status in place of normal signal bars, indicating loss of cellular connectivity.

                  Outage monitoring sites such as DownDetector logged hundreds of thousands of reports at the peak, with impacts reported coast-to-coast in major metropolitan areas including New York City, Chicago, Boston, Atlanta, Dallas, and others. Some local officials warned that emergency calls (911) for Verizon users could be unreliable during the disruption, recommending alternatives such as landlines or other carriers where possible.

                  Verizon acknowledged the outage via social media and later confirmed that service was restored late Wednesday night. The company apologized for the interruption and stated it will issue account credits to affected customers. Verizon did not immediately disclose a specific technical cause, though internal reviews are expected.

                  The Federal Communications Commission (FCC) indicated it would review the outage’s impact on network reliability and public safety communications.

                  Sources:

                  • https://www.techbuzz.ai/articles/verizon-s-nationwide-outage-hits-260k-reports-mid-january
                  • https://apnews.com/article/verizon-cellular-outage-85d658a4fb6a6175cae8981d91a809c9
                  • https://www.verizon.com/about/news/update-network-outage

cyclone (Admin) #106

                    Atomic Wallet - Where Did My XMR Go?


                    Many Atomic Wallet users recently logged in to find their Monero (XMR) balances missing or incorrect, causing understandable concern.

                    According to Atomic Wallet support, this is a display and synchronization issue specific to Monero, not a loss of funds. Atomic states that all XMR remains safe on-chain and that their development team is working on a fix. Once synchronization is corrected, balances and transaction history should update normally.


                    Users can independently confirm their funds by restoring their XMR wallet in another trusted Monero wallet using their existing keys or seed phrase. Multiple users report that their full balances appear correctly when checked outside Atomic, confirming the issue is isolated to Atomic’s wallet interface.

                    Given Atomic Wallet’s 2023 security breach, users are understandably cautious. While this situation appears unrelated and no theft has been reported, verifying balances independently is recommended.


                    Summary

                    • Issue affects XMR balance display in Atomic Wallet
                    • Funds are still on-chain and under user control
                    • Atomic says a fix is in progress
                    • Users can verify funds using another Monero wallet
                    • Use caution, verify independently, and never share your private keys or seed phrase with anyone



                    Sources:

                    • @cyclone (independent verification with Atomic)
                    • https://x.com/AtomicWallet/status/2011796132112826643

oe3p32wedw (Contributor) #107

                      haahahahahah

                      1x1660 Ti | 2x4090 | epileptic/anxiety/despair/drain | hashpwn <3
