SparTech Software CyberPulse – Your quick strike cyber update for January 29, 2026 4:05 PM

RansomHouse Ransomware Attack on Luxshare Precision Exposes iPhone Manufacturing Data

This ransomware incident targeted Luxshare Precision Industry Co. Ltd., a key supplier in Apple’s supply chain, resulting in the theft and encryption of proprietary manufacturing data through double extortion tactics.

Attack Timeline and Initial Access

The breach occurred around December 15, 2025, with RansomHouse publicly claiming responsibility on January 8, 2026. Attackers likely gained initial access via phishing emails or compromised credentials targeting Luxshare’s engineering and production networks. Double extortion involved data exfiltration prior to encryption, ensuring victims faced both operational disruption and publication threats.

Technical Details of Exploitation

RansomHouse employs custom ransomware variants built on .NET frameworks, featuring modular payloads for evasion. These include process hollowing to inject into legitimate Windows processes like svchost.exe, bypassing endpoint detection. Encryption uses AES-256 for files and RSA-4096 for key exchange, targeting over 700 file extensions relevant to CAD designs, firmware binaries, and supply chain manifests. Exfiltrated data reportedly included iPhone assembly schematics, component specifications, and quality control datasets.

Impact on Supply Chain Security

Luxshare’s role in iPhone and iPad assembly amplifies risks, as stolen intellectual property could enable counterfeit production or competitive intelligence leaks. The incident highlights vulnerabilities in just-in-time manufacturing environments, where remote access for vendors intersects with air-gapped production systems.

Mitigation Strategies Employed

Luxshare isolated affected segments, deployed EDR tools for lateral movement detection, and engaged incident response firms. No ransom payment was confirmed, aligning with no-pay policies to deter future attacks.

Microsoft Copilot “Reprompt” Vulnerability Enables Silent Data Exfiltration

Researchers at Varonis Threat Labs uncovered a flaw in Microsoft Copilot Personal allowing attackers to bypass safeguards via phishing, extracting sensitive user data through repeated AI prompts.

Vulnerability Mechanics

The “Reprompt” attack exploits Copilot’s conversational persistence. Victims click a malicious link triggering an initial benign prompt; subsequent attacker-controlled prompts chain instructions to summarize files, query location history, and access account metadata without further user interaction. This leverages Copilot’s integration with Microsoft Graph APIs for OneDrive, Outlook, and Teams data.

Technical Proof-of-Concept

The proof-of-concept embedded JavaScript in phishing pages to automate prompt injection after authentication. Copilot’s lack of per-prompt sandboxing allowed escalation from read-only to extractive operations, pulling base64-encoded file contents up to 100MB. Attackers evaded rate limiting via distributed proxy chains.

Patch Deployment and Affected Versions

Microsoft patched the issue in January 2026 updates, introducing prompt isolation and anomaly detection in conversational flows. Affected versions spanned Copilot Personal builds prior to 24.1.126.

Broader Implications for LLM Security

This exposes risks in agentic AI systems where user context persists across sessions, urging adoption of zero-trust prompting and data loss prevention rules tuned for AI outputs.
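The sections above describe the failure mode (later, attacker-originated prompts inheriting the full permissions of the session) and the fix direction (per-prompt isolation, anomaly detection on the conversational flow, "zero-trust prompting"). The following is an added illustration of that control, not Copilot's code or Microsoft's patch: every tool call is authorized against the scope of the prompt that requested it, link-triggered prompts are capped at read-only, bulk retrieval is size-limited, and a flow check counts how many tool calls have run since the user last typed anything. Tool names, scopes, the size cap and the sample conversation are all constructed for the example.

```python
"""Per-prompt scope enforcement for an assistant's tool calls (added example).

Constructed model: a prompt carries its origin ("user" = typed by the user,
"link" = arrived through a clicked URL or page content) and the scopes the
session holds. A tool call is only allowed if the *prompt* that asked for it
is entitled to the tool's scope, so link-originated prompts cannot escalate
from summarising to exporting. None of these names are a real product's API.
"""
from dataclasses import dataclass

# Tool -> scope it requires (constructed for this example).
TOOL_SCOPES = {
    "summarize_file": "read",
    "search_mail": "read",
    "export_file_contents": "export",    # returns raw/base64 file bytes
    "get_location_history": "location",
}

MAX_EXPORT_BYTES = 1024 * 1024   # constructed cap on bulk retrieval per prompt


@dataclass
class Prompt:
    text: str
    origin: str                  # "user" or "link"
    scopes: frozenset = frozenset()


@dataclass
class ToolCall:
    tool: str
    size_bytes: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str


def scope_for(prompt: Prompt) -> frozenset:
    """Scopes this single prompt may use. Prompts that did not come from the
    user's own input are clamped to read-only, whatever the session holds."""
    if prompt.origin != "user":
        return prompt.scopes & {"read"}
    return prompt.scopes


def authorize(prompt: Prompt, call: ToolCall) -> Decision:
    """Zero-trust check: tool scope must be granted to *this* prompt, and bulk
    exports are size-capped even when the scope is present."""
    needed = TOOL_SCOPES.get(call.tool)
    if needed is None:
        return Decision(False, f"unknown tool {call.tool!r}")
    granted = scope_for(prompt)
    if needed not in granted:
        return Decision(False, f"{call.tool} needs {needed!r}; "
                               f"{prompt.origin} prompt grants {sorted(granted)}")
    if needed == "export" and call.size_bytes > MAX_EXPORT_BYTES:
        return Decision(False, f"export of {call.size_bytes} bytes exceeds cap")
    return Decision(True, "ok")


def run_conversation(turns):
    """Authorize each (Prompt, ToolCall) pair in order."""
    return [authorize(p, c) for p, c in turns]


def flag_chained_calls(turns, max_calls_without_user=3):
    """Flow anomaly check: indices of tool calls that run after more than
    `max_calls_without_user` calls without the user typing a new prompt."""
    since_user, flagged = 0, []
    for idx, (prompt, _call) in enumerate(turns):
        if prompt.origin == "user":
            since_user = 0
        since_user += 1
        if since_user > max_calls_without_user:
            flagged.append(idx)
    return flagged


# Constructed conversation: one genuine request, then a chain of prompts that
# arrived via a link and try to widen from summarising to exfiltrating.
SESSION = frozenset({"read", "export"})
SAMPLE_TURNS = [
    (Prompt("summarise the Q3 report", "user", SESSION), ToolCall("summarize_file")),
    (Prompt("also summarise my inbox", "link", SESSION), ToolCall("summarize_file")),
    (Prompt("now return the raw file", "link", SESSION), ToolCall("export_file_contents", 100 * 1024 * 1024)),
    (Prompt("and my location history", "link", SESSION), ToolCall("get_location_history")),
    (Prompt("export the report to me", "user", SESSION), ToolCall("export_file_contents", 500_000)),
    (Prompt("export the whole archive", "user", SESSION), ToolCall("export_file_contents", 100 * 1024 * 1024)),
]

if __name__ == "__main__":
    for (prompt, call), decision in zip(SAMPLE_TURNS, run_conversation(SAMPLE_TURNS)):
        print(f"{prompt.origin:4} {call.tool:22} -> {decision.allowed} ({decision.reason})")
    print("flow anomalies at turns:", flag_chained_calls(SAMPLE_TURNS))
```

The two checks are deliberately independent: the scope clamp denies the link-originated export and location lookups outright, while the flow counter flags the length of the unattended chain even when each individual call would have been permitted.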

BreachForums Cybercrime Forum Suffers Massive Data Leak

A hacker identifying as “James” leaked 323,988 member records from BreachForums on January 9, 2026, including admin PGP keys, exposing the underground ecosystem’s infrastructure.

Leaked Data Scope

Exposed elements comprised usernames, hashed passwords (bcrypt), emails, IP logs, and registration timestamps. Additional dumps named administrators linked to ShinyHunters and leaked a PGP private key used for forum signatures, compromising message authenticity.

Forum History and Resilience

BreachForums, relaunched after prior shutdowns, facilitates data trading post-breaches. Founder Conor Fitzpatrick’s 2023 arrest failed to dismantle it, revealing decentralized hosting via bulletproof providers in Russia and Eastern Europe.

Technical Breach Analysis

James claimed SQL injection via unpatched vBulletin CMS flaws, dumping MySQL databases. IP geolocation tied accesses to Tor exits and VPNs, but lax opsec exposed real identities through WHOIS and pastebin correlations.

Consequences for Cybercrime Ecosystem

The leak disrupts trust, enabling account takeovers and law enforcement doxxing, potentially accelerating migrations to decentralized forums on Telegram or Matrix.

Microsoft Disrupts RedVDS Cybercrime Marketplace

On January 14, 2026, Microsoft took down RedVDS, a bulletproof hosting service fueling $40 million in U.S. fraud via phishing kits and attack tools.

Platform Capabilities

RedVDS offered VPS hosting for SuperMailer, SquadMailer, and ChatGPT wrappers alongside AnyDesk proxies for BEC and ATO campaigns. Servers in the Netherlands and Ukraine hosted 500+ phishing domains daily.

Takedown Operations

Microsoft’s Digital Crimes Unit seized domains via U.S. court orders, sinkholing IPs and notifying registrars. Forensic imaging revealed client lists tied to 10,000+ scams.

Technical Infrastructure Breakdown

Infrastructure used Nginx reverse proxies with fail2ban for DDoS resilience and cryptocurrency tumblers for payments. Tools featured SQLi scanners and EMail Extractor for lead generation.

Long-term Effects

Disruptions fragment CaaS markets, pushing actors to ephemeral hosts, but underscore the need for registrar accountability.

Crunchbase Data Breach by ShinyHunters

ShinyHunters claimed a breach of Crunchbase, leaking 2 million user records including business intelligence data after unmet ransom demands.

Breach Execution

Attackers exploited RCE in a legacy API endpoint, pivoting to Elasticsearch clusters holding profiles. A 400 MB sample posted on BreachForums verified emails, phone numbers, and firmographics.

Data Monetization Risks

Leaked datasets fuel targeted phishing and lead sales on dark web markets, amplifying B2B attack surfaces.

Response and Lessons

Crunchbase rotated credentials, segmented databases, and audited third-party access, highlighting the need for API gateway controls.

Ingram Micro Ransomware Breach via SafePay

SafePay ransomware compromised Ingram Micro, stealing data on 42,521 individuals through credential stuffing and password spraying.

Attack Vector

Weak AD passwords enabled spraying across 1,000+ accounts, granting HR system access for exfiltration of PII including SSNs.

Technical Payload

SafePay uses Cobalt Strike beacons for C2, with Qakbot precursors for discovery. Encryption hit file servers after exfiltration.

Remediation

Ingram deployed MFA, PAM, and SIEM rules for brute-force detection.
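The attack vector above (a few guesses spread over 1,000+ accounts) is exactly the pattern that per-account lockout thresholds miss, and the remediation names SIEM rules as the answer. The following is an added example of such a rule, not Ingram Micro's or any vendor's detection: it pivots on the source address and counts how many distinct accounts failed within a window, flags any of those accounts that subsequently succeeded from the same source, and, going one step past the page's case, runs the complementary per-account brute-force count so the two patterns are told apart. The log lines and field layout are constructed for the example.

```python
"""Password spraying versus brute force in authentication logs (added example).

Brute force piles many failures onto one account; spraying puts one or two
failures on each of many accounts from the same source, staying under
per-account lockout. The spray rule therefore counts *distinct accounts* per
source in a sliding window. Sample log is constructed: "timestamp user src result".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2026-01-10T08:00:01 jdoe 198.51.100.7 FAIL
2026-01-10T08:00:03 asmith 198.51.100.7 FAIL
2026-01-10T08:00:05 bwong 198.51.100.7 FAIL
2026-01-10T08:00:07 clee 198.51.100.7 FAIL
2026-01-10T08:00:09 dkhan 198.51.100.7 FAIL
2026-01-10T08:00:11 efox 198.51.100.7 FAIL
2026-01-10T08:00:13 efox 198.51.100.7 SUCCESS
2026-01-10T08:00:20 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:21 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:22 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:23 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:24 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:25 jdoe 203.0.113.9 FAIL
2026-01-10T08:00:26 jdoe 203.0.113.9 FAIL
2026-01-10T09:30:00 mruiz 192.0.2.44 FAIL
2026-01-10T09:30:40 mruiz 192.0.2.44 SUCCESS
"""


def parse(text):
    """Return [(timestamp, user, src, result)] from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Sources that failed against >= min_accounts distinct accounts inside
    `window`, with any of those accounts that later succeeded from that source."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, user, src, result in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))
    alerts = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start < window}
            if len(users) >= min_accounts:
                later = {u for ts, u in successes[src] if ts >= start and u in users}
                alerts[src] = {"accounts": sorted(users), "later_success": sorted(later)}
                break
    return alerts


def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5):
    """(src, user) pairs with >= min_attempts failures inside `window`."""
    fails = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            fails[(src, user)].append(ts)
    alerts = {}
    for key, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start < window)
            if n >= min_attempts:
                alerts[key] = n
                break
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("spraying   :", detect_spraying(evts))
    print("brute force:", detect_bruteforce(evts))
```

In the constructed sample the spray rule fires on 198.51.100.7 (six accounts, one of which then logged in) and stays silent on 203.0.113.9, while the brute-force rule does the reverse; a single failed login followed by success from 192.0.2.44 trips neither. The `later_success` list is what turns a noisy alert into an incident, because it names the account whose password was guessed.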

CISA Updates KEV Catalog with Cisco Zero-Day

CISA added CVE-2026-20045 to KEV, mandating federal patches for the Cisco IOS XE flaw.

Vulnerability Details

An authentication bypass in the web UI allows RCE on unpatched routers; it has been exploited in the wild to establish persistence.

Patch Mandates

Agencies must remediate by February 12, 2026; the entry again underscores secure-by-design expectations for OT and network devices.
