🚨 Peter Williams, 39, an Australian, pleaded guilty today in U.S. District Court to selling his employer’s trade secrets to a Russian cyber-tools broker.
The material, stolen over three years from the U.S. defense contractor where he worked, comprised national security-focused software, including at least eight sensitive, protected cyber-exploit components intended for exclusive sale to the U.S. government and select allies. The broker publicly advertises as a reseller of cyber exploits to various customers, including the Russian government.
His employer released the following statement today.
‼️ When Collins Aerospace shut down its Multi-User System Environment (MUSE), it informed the press and filed with the SEC, claiming a ransomware attack.
This caused major European airports to halt passenger processing, stranding thousands and delaying numerous flights.
Turns out they didn't have to turn off the systems.
The threat actor claims no ransomware or compromise occurred, alleging Collins Aerospace disabled the servers for insurance money.
They admit breaching an FTP server, exfiltrating data over days until access was blocked, and claim to have obtained 1,533,900 passenger records.
Screenshots of conversations between Everest and RTX, Collins Aerospace's parent company, are included in this post and they don't seem to mention any encrypted data.
This is the compromised SFTP server. Username: aiscustomer, password: muse-insecure. Insecure indeed. Why store sensitive files like passenger data, SQL, service documentation, and configurations on a publicly accessible, insecure SFTP server?
We couldn't fully confirm this story's validity, but it's unclear why the threat actor would strongly oppose ransomware and deny deploying it on Collins Aerospace's systems if untrue. No definitive evidence confirms or refutes its deployment.
It's uncertain why @enisa_eu confirmed the ransomware deployment to Reuters. Did @enisa_eu investigate and confirm the ransomware, or did they relay RTX's statement?
cc @RTX_News @CollinsAero, a lessons-learned session detailing the deployed malware (so we can all learn) would be appreciated. Thanks!
🚨 Multiple cybercriminals were arrested during Operation SIMCARTEL.
Europol and Latvian law enforcement dismantled five servers, seized 1,200 SIM box devices and 40,000 active SIM cards.
The criminals were linked to over 1,700 cyber fraud cases in Austria and 1,500 in Latvia, causing losses of several million euros, including EUR 4.5 million in Austria and EUR 420,000 in Latvia.
“Yep, that’s me. You’re probably wondering how I got into this situation …”
- Discord negotiated with the threat actor for two weeks, promising payment.
- Discord then ceased communication.
- The threat actor, now angry, is releasing files individually.
‼️🚨 Red Hat breached: Crimson Collective stole 28k private repositories, including credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints.
Our analysis of obtained data: 👇
The file tree includes thousands of repositories referencing major banks, telecoms, airlines, and public-sector organizations, such as Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even mentions the U.S. Senate...
‼️ Meet the Chinese man who has sold over 6,500 counterfeit licenses to Americans and Canadians, making over $750k. He used more than 83 domains and multiple social media accounts to promote his services.
He sent every order very discreetly packaged, going to great lengths to hide the true contents: counterfeit IDs.
He has 24/7 chat support and even a video manual on how to unpack the fake IDs.