ADT Breached by ShinyHunters, China's Covert Router Networks Exposed, and New 'FIRESTARTER' Backdoor Hits US Gov

ADT Confirms Data Breach After ShinyHunters Threatens to Leak 10 Million Records

Home security giant ADT has confirmed a data breach orchestrated by the notorious ShinyHunters extortion group. The attackers gained initial access by compromising an employee's Okta single sign-on (SSO) account through a sophisticated voice phishing (vishing) attack. This access allowed them to pivot to ADT's Salesforce environment and exfiltrate a large volume of customer data. ShinyHunters listed ADT on its data leak site, claiming to have stolen 10 million records and threatening to release them if a ransom is not paid. ADT's investigation revealed that the compromised information includes names, phone numbers, addresses, and in some cases, dates of birth and the last four digits of Social Security numbers. The company has assured that no financial data or customer security system information was affected and is notifying all impacted individuals.

Data BreachShinyHuntersVishingOktaSalesforce +1 more

7 min read

ADT Confirms Data Breach by ShinyHunters After Vishing Attack Compromises Okta and Salesforce

CISA Discovers 'FIRESTARTER' Backdoor on Federal Cisco Firewall; Malware Survives Patches

CRITICAL

CISA Reveals FIRESTARTER Backdoor on Federal Agency's Cisco Firewall

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that a Cisco Firepower device at an unnamed federal agency was compromised with a new, sophisticated backdoor named FIRESTARTER. An Advanced Persistent Threat (APT) actor exploited two critical vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to deploy the malware. The most alarming feature of FIRESTARTER is its persistence mechanism, which allows it to survive firmware updates and security patches by hooking into the device's core processing engine. The attackers used this persistent access to deploy a post-exploitation toolkit called LINE VIPER and re-entered the network months after the initial compromise.

FIRESTARTERLINE VIPERCISACiscoBackdoor +3 more

CISA Discovers 'FIRESTARTER' Backdoor on Federal Cisco Firewall; Malware Survives Patches

26 Malicious 'FakeWallet' Crypto Apps Found on Apple App Store, Stealing Seed Phrases

26 Malicious 'FakeWallet' Apps Discovered on Apple's Official App Store

A coordinated malware campaign dubbed "FakeWallet" has been discovered on Apple's official App Store, involving 26 fraudulent applications that impersonated popular cryptocurrency wallets. Active since at least fall 2025, these malicious apps were designed to steal users' sensitive recovery phrases, seed phrases, and private keys. The campaign primarily targeted users in China, where many legitimate wallet apps are restricted, but posed a global risk. The apps, which mimicked well-known wallets like MetaMask and Coinbase, have since been removed by Apple following disclosure from Kaspersky researchers.

FakeWalletAppleApp StoreMalwareCryptocurrency +3 more

26 Malicious 'FakeWallet' Crypto Apps Found on Apple App Store, Stealing Seed Phrases

Indian Finance Minister Warns of AI-Driven Cyberattacks and Deepfakes Threatening Financial Markets

INFORMATIONAL

Indian Finance Minister Urges SEBI to Bolster Cyber Defenses Amid AI Threats

At the 38th Foundation Day of the Securities and Exchange Board of India (SEBI), Union Finance Minister Nirmala Sitharaman delivered a stark warning about the growing threat of sophisticated cyberattacks on India's financial markets. She highlighted the risks posed by AI-led attacks, deepfake videos used for investment fraud, and unlicensed 'fin-fluencers'. Sitharaman called for exceptional vigilance from the regulator and launched "Mission Jagrook," a nationwide investor awareness campaign to combat misinformation and protect the country's rapidly growing investor base.

IndiaSEBIAIDeepfakeCybersecurity Policy +2 more

4 min read

Indian Finance Minister Warns of AI-Driven Cyberattacks and Deepfakes Threatening Financial Markets

Pre-Stuxnet Cyber Sabotage Malware 'fast16' Discovered, Dating Back to 2005

INFORMATIONAL

Researchers Uncover 'fast16', a Cyber Sabotage Malware That Predates Stuxnet

Security researchers at SentinelOne have unearthed 'fast16', a previously unknown malware framework from 2005 designed for industrial sabotage. This Lua-based malware predates the infamous Stuxnet worm by at least five years and was engineered to subtly manipulate the output of high-precision calculation software in engineering environments. The discovery rewrites the timeline of state-sponsored cyber-physical attacks, showing that the concepts behind digital weapons like Stuxnet were developed and deployed much earlier than previously thought.

fast16StuxnetFlameICSSCADA +3 more

Pre-Stuxnet Cyber Sabotage Malware 'fast16' Discovered, Dating Back to 2005

Cherokee Federal Achieves CMMC Level 2 Certification, Preparing for Upcoming DoD Contract Requirements

INFORMATIONAL

Cherokee Federal Achieves Key CMMC Level 2 Cybersecurity Certification

Cherokee Federal, the federal contracting division of Cherokee Nation Businesses, has successfully achieved Cybersecurity Maturity Model Certification (CMMC) Level 2. This critical certification, which is aligned with NIST SP 800-171, validates the company's implementation of 110 rigorous security controls. The achievement, assessed by an authorized C3PAO, positions Cherokee Federal as a secure partner for the Department of Defense (DoD) and gives it a competitive advantage as the DoD begins to phase in CMMC Level 2 as a contract requirement starting in November 2026.

CMMCDoDNIST 800-171ComplianceRegulatory +2 more

4 min read

Cherokee Federal Achieves CMMC Level 2 Certification, Preparing for Upcoming DoD Contract Requirements

Coinbase Cartel Ransomware Group Claims Attack on Engineering Firm Aptim, Threatens Data Leak

Engineering Firm Aptim Targeted by 'Coinbase Cartel' Ransomware Group

The ransomware group known as 'Coinbase Cartel' has claimed responsibility for a cyberattack against Aptim, a U.S.-based engineering, program management, and construction firm. On April 23, the group posted the claim on its leak site, threatening to release confidential data if its ransom demands are not met. The attackers also included a technical detail—what appears to be a Kerberos pre-authentication hash—suggesting they may have compromised account credentials within Aptim's network through a Kerberoasting attack.

Coinbase CartelRansomwareAptimKerberoastingData Breach +1 more

5 min read

Coinbase Cartel Ransomware Group Claims Attack on Engineering Firm Aptim, Threatens Data Leak

Qilin Ransomware Group Targets City of Napoleon, Ohio, Threatening Municipal Data Leak

City of Napoleon, Ohio Hit by Qilin Ransomware Attack

The City of Napoleon, Ohio, has become the latest government entity to be targeted by the Qilin ransomware group. The group claimed responsibility for the cyberattack on April 23, 2026, adding the city to its data leak site. Qilin is employing a double extortion tactic, threatening to publish sensitive municipal data if the city does not enter into negotiations for a ransom payment. This incident highlights the persistent and escalating threat that ransomware poses to U.S. municipalities and critical local government services.

QilinRansomwareCyberattackGovernmentOhio +1 more

Qilin Ransomware Group Targets City of Napoleon, Ohio, Threatening Municipal Data Leak

TeamPCP Weaponizes npm with Malicious Bitwarden CLI in Sophisticated Supply Chain Attack

Unit 42 Details TeamPCP's Wormable npm Malware Campaign Impersonating Bitwarden

A sophisticated supply chain attack targeting the npm ecosystem has been uncovered by Unit 42, attributed to the threat actor group TeamPCP. The attackers published a malicious package, `@bitwarden/cli` version `2026.4.0`, which perfectly impersonates the legitimate Bitwarden command-line tool. Upon installation, the package executes a multi-stage, heavily obfuscated payload designed to harvest credentials from developer workstations, cloud environments (AWS, Azure, Google Cloud), and CI/CD pipelines. The malware exhibits worm-like capabilities, inspired by the 2025 "Shai-Hulud" worm, by automatically backdooring and republishing other npm packages to which the compromised developer has access, ensuring its rapid propagation. The campaign, which also targeted other distribution channels like a VS Code extension, utilized a centralized C2 infrastructure at `audit.checkmarx[.]cx`, indicating a coordinated effort to compromise developer tooling.