Threats Tagged 't1486'

LastPass experienced a security incident through Klue, a third-party market intelligence platform integrated with its Salesforce and Gong systems. On June 12, 2026, LastPass was notified that an unauthorized actor exploited stolen OAuth tokens held by Klue to access customer relationship management data within LastPass's Salesforce environment. The exposed information includes customer names, email addresses, phone numbers, physical addresses, support case data, and sales records. Multiple Klue customers were affected by this supply chain attack. LastPass confirmed no Gong data was accessed, and customer vaults, master passwords, and encrypted vault data remain unaffected. The company has terminated Klue access, rotated compromised API tokens, and is cooperating with law enforcement while warning customers about potential phishing attempts using the exposed contact information.

Global law enforcement, including agencies from the Netherlands, Canada, United States, and Germany, coordinated Operation Endgame to disrupt TA569, a prominent cybercriminal group tracked since 2018. The operation targeted SocGholish infrastructure, taking down over 100 servers and domains while remediating 14,971 compromised websites. TA569 pioneered web inject techniques using fake browser updates to distribute malware, often leading to ransomware attacks. The group compromised high-traffic websites across multiple industries, affecting millions of visitors globally. Their attack chains involved traffic distribution systems like Keitaro TDS and ParrotTDS, delivering GhoLoader payloads that could lead to ransomware deployment in enterprise environments. Law enforcement actions included server disruption and website disinfection, significantly impacting the threat actor's operations, infrastructure, and reputation within the cybercriminal ecosystem.

MediumMalwareUnited StatesAustraliaCanada+2#gholoader#operation endgame#ransomhub

Iran's Ministry of Intelligence has broadened its Handala brand beyond cyber operations to include physical threats and influence campaigns targeting US and Israeli interests. The expansion encompasses multiple personas: Handala Popular Resistance Front claiming physical attacks inside Israel, VIPEmployment recruiting proxies globally for espionage and sabotage, and MOISIRAN conducting surveillance operations. These entities engage in coordinated amplification across platforms, soliciting individuals to conduct attacks for financial rewards. The consolidation creates a multi-domain threat combining hacktivist activities with physical operations, espionage recruitment, and influence campaigns. This approach leverages Handala Hack Team's recognition to amplify recruitment efforts while increasing risks to law enforcement, military, intelligence personnel, and critical infrastructure across targeted regions.

MediumMalwareUnited StatesAlbaniaIsrael#hprf#void manticore#proxy recruitment

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.