Login
Scattered Lapsus$ Hunters may be circling Zendesk users for its latest extortion campaign, with new phishing domains and weaponized helpdesk tickets uncovered by ReliaQuest.β¦
OpenAI says API users may be affected by a recent breach at its former data analytics provider, Mixpanel.β¦
Malicious intruders have hijacked US radio gear to turn emergency broadcast tones into a profanity-laced alarm system.β¦
Asahi has finally done the sums on September's ransomware attack in Japan, conceding the crooks may have helped themselves to personal data tied to almost 2 million people.β¦
Auditors remain concerned about the cyber resilience of a Scottish council as some systems are yet to be fully rebuilt following a ransomware attack in November 2023.β¦
Author here.
Zero the Hero (0tH) is a Mach-O structural analysis tool written in Rust.
It parses FAT binaries, load commands, slices, CodeSignature/SuperBlob, DER entitlements, requirements bytecode, and CodeDirectory versions.
The binary is universal (Intel + ARM64), notarized and stapled.
Motivation: existing tools lack full coverage of modern Mach-O signature internals.
Docs: https://zero-the-hero.run/docs
Happy to discuss signature internals or Mach-O specifics.
Think prepared statements automatically make your Node.js apps secure? Think again.
In my latest blog post, I explore a surprising edge case in the mysql and mysql2 packages that can turn βsafeβ prepared statements into exploitable SQL injection vulnerabilities.
If you use Node.js and rely on prepared statements (as you should be!), this is a must-read: https://blog.mantrainfosec.com/blog/18/prepared-statements-prepared-to-be-vulnerable
Gainsight CEO Chuck Ganapathi downplayed the victim count related to his company's recent breach, saying he's only aware of "a handful of customers" who had their data affected after Salesforce flagged unusual activity involving Gainsight's connected app.β¦
My talk about Lateral Movement in the context of logged in user sessions π
A Mirai-based botnet named ShadowV2 emerged during last October's widespread AWS outage, infecting IoT devices across industries and continents, likely serving as a "test run" for future attacks, according to Fortinet's FortiGuard Labs.β¦
Curious what frameworks people use for desktop application testing. I run a pentesting firm that does thick clients for enterprise, and we couldn't find anything comprehensive for this.
Ended up building DASVS over the past 5 years - basically ASVS but for desktop applications. Covers desktop-specific stuff like local data storage, IPC security, update mechanisms, and memory handling that web testing frameworks miss. Been using it internally for thick client testing, but you can only see so much from one angle. Just open-sourced it because it could be useful beyond just us.
The goal is to get it to where ASVS is: community-driven, comprehensive, and actually used.
To people who do desktop application testing, what is wrong or missing? Where do you see gaps that should be addressed? In the pipeline, we have testing guides per OS and an automated assessment tool inspired by MobSF. What do you use now for desktop application testing? And what would make a framework like this actually useful?
A prolific cybercriminal group that calls itself βScattered LAPSUS$ Huntersβ has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for βRey,β the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.
Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups β Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organizationβs Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota,Β FedEx,Β Disney/Hulu, andΒ UPS.
The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
Last week, the SLSH Telegram channel featured an offer to recruit and reward βinsiders,β employees at large companies who agree to share internal access to their employerβs network for a share of whatever ransom payment is ultimately paid by the victim company.
SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm Crowdstrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (Crowdstrike said their systems were never compromised and that it has turned the matter over to law enforcement agencies).
The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.
Members of SLSH have traditionally used other ransomware gangsβ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.
The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle βReyβ and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.
A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.
Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
βThis takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,β the FBI said.
Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.
According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle βHikki-Chanβ on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called βPantifanβ a copy of an extortion email they said they received that included their email address and password.
The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.
βNoooooo,β the @wristmug account wrote in mock horror after posting a screenshot of the scam message. βI must be done guys.β
A message posted to Telegram by Rey/@wristmug.
In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.
Searching on @wristmugβs rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this userβs device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).
Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.
Rey/o5tdevβs defacement pages. Image: archive.org.
A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.
βCyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,β SentinelOne reported. βTo date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.β
The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like βGhost of Palestineβ [full disclosure: Flashpoint is currently an advertiser on this blog].
Flashpoint shows that Reyβs Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.
Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname βGinty.β
Rey, on Telegram claiming to have association to the surname βGinty.β Image: Flashpoint.
Spycloud indexed hundreds of credentials stolen from cybero5dev@proton.me, and those details indicate that Reyβs computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.
The βautofillβ data lifted from Reyβs family PC contains an entry for a 46-year-old Zaid Khader that says his motherβs maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.
The infostealer data makes clear that Reyβs full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
βI saw your email, unfortunately I donβt think my dad would respond to this because they think its some βscam email,'β said Saif, who told me he turns 16 years old next month. βSo I decided to talk to you directly.β
Saif explained that heβd already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSHβs new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldnβt just suddenly quit the group.
βWell I cant just dip like that, Iβm trying to clean up everything Iβm associated with and move on,β he said.
The former Hellcat ransomware site. Image: Kelacyber.com
He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. βI gave the source code of Hellcat ransomware out basically.β
Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.
βIβm already cooperating with law enforcement,β Saif said. βIn fact, I have been talking to them since at least June. I have told them nearly everything. I havenβt really done anything like breaching into a corp or extortion related since September.β
Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasnβt sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.
βA story would bring so much unwanted heat and would make things very difficult if Iβm going to cooperate,β Saif said. βIβm unsure whats going to happen they said theyβre in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.β
Saif shared a screenshot that indicated heβd contacted Europol authorities late last month. But he couldnβt name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.
βI donβt really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,β Saif said.
Mobile operators' core cybersecurity spending is projected to more than double by 2030 as threats evolve, while poorly designed and fragmented policy frameworks add extra compliance costs, according to industry group the GSMA.β¦
Towns and cities across the US are without access to their CodeRED emergency alert system following a cyberattack on vendor Crisis24.β¦
The US Navy is scrapping an entire shipbuilding program in an effort to find alternatives that can be delivered faster to counter expected threats.β¦
Two London councils are scrambling for answers after declaring a cybersecurity issue that began on Monday.β¦
FreshRSS