❗️On 11 July 2024, Belgian police found a dead body on a forest trail.

Initially, they thought it was suicide, but forensic investigation indicated homicide.

The suspected murderer was arrested and later released. He was using a GrapheneOS phone, which he claims did not work as intended.

He says he gave the duress PIN, but the device did not wipe itself, allowing law enforcement to access his data. One year later, the suspect is summoned to appear at the police station in Antwerp, Belgium, on suspicion of premeditated murder.

‼️🇮🇱 Smartphones worldwide were silently infected with Israeli malware via malicious ads

Simply viewing their ads was enough to get infected.

Surveillance company Intellexa gained full access to cameras, microphones, chat apps, emails, GPS locations, photos, files, and browsing activity. Internal leaked company documents, sales and marketing materials, as well as training videos from the “Intellexa Leaks” investigation provide a never-before-seen glimpse into the internal operations of a mercenary spyware company focused on exploiting vulnerabilities in mobile devices to enable targeted surveillance attacks on human rights defenders, journalists, and members of civil society.

‼️🇰🇵 Meet North Korean recruiter 'Aaron,' who infiltrates Western companies by using AI and posing as a remote IT worker using stolen or rented identities.

He was lured into a sandbox by researchers, who observed the wild APT in a controlled setting to see what he would do. He wanders around the web sending messages to people like "I’d like to offer your an opportunity that I think could be interesting.".. Turns out @MauroEldritch likes opportunities.

‼️ This is a story about a dev who got a job interview at xAI, where they stripped him of his knowledge about how he used the user X API to create two impressive projects, hence the job interview.

After they got what they wanted, X sent a cease and desist, and told him he wasn’t hired. Despite the developer being open about his project with X employees from the beginning, and getting a job interview and vouch because of it, Nikita Bier mocked him after he was sent a cease and desist.

Nikita deleted the post, but we still have a copy:

‼️ Secret Chinese documents have been leaked, revealing their internal cyberwarfare training program.

The documents show a focus on products from Cisco, Fortinet, WatchGuard, and Juniper as primary operational targets.

China has built digital cyber ranges that allow operatives to practice on infrastructure closely resembling the critical digital infrastructure of major adversaries. The documents show a network operations training environment capable of supporting 300 users and 10,000 concurrent connections. It includes DNS gateways, a URL classification database with 100 million entries, and support for 50,000 concurrent connections.

‼️ China's largest cybersecurity firm, Knownsec, was breached, exposing details of China's state cyber operations.

The data includes cyberweapon documentation, internal hacking tool source code, and global target lists covering over 20 countries, including Japan, Vietnam, and India.

A spreadsheet lists 80 hacked foreign organizations, plus evidence of 95 GB of stolen Indian immigration data and 3 TB of call records from South Korean mobile operator LG U Plus.

One of the documents mention a malicious power bank, disguised as a charging device.

Knownsec is key to China's cybersecurity, providing advanced defense and offensive capabilities, including espionage tools.

A thread with their tools 🧵 ZoomEye

A global search engine similar to Shodan or Censys, lists vulnerabilities for each host. It claims to scan the entire IPv4 address range in 7-10 days.

‼️ When Collins Aerospace shut down its Multi-User System Environment (MUSE), it informed the press and filed with the SEC, claiming a ransomware attack.

This caused major European airports to halt passenger processing, stranding thousands and delaying numerous flights.

Turns out they didn't have to turn off the systems.

The threat actor claims no ransomware or compromise occurred, alleging Collins Aerospace disabled the servers for insurance money.

They admit breaching an FTP server, exfiltrating data over days until access was blocked, and claim to have obtained 1,533,900 passenger records.

Screenshots of conversations between Everest and RTX, Collins Aerospace's parent company, are included in this post and they don't seem to mention any encrypted data.


This is the compromised SFTP server. Username: aiscustomer, password: muse-insecure. Insecure indeed. Why store sensitive files like passenger data, SQL, service documentation, and configurations on a publicly accessible, insecure SFTP server?

🚨 Multiple cybercriminals were arrested during Operation SIMCARTEL.

Europol and Latvian law enforcement dismantled five servers, seized 1,200 SIM box devices and 40,000 active SIM cards.

The criminals were linked to over 1,700 cyber fraud cases in Austria and 1,500 in Latvia, causing losses of several million euros, including EUR 4.5 million in Austria and EUR 420,000 in Latvia. “Yep, that’s me. You’re probably wondering how I got into this situation …”

🚨 Discord Breach Update

- Discord negotiated with the threat actor for two weeks, promising payment.
- Discord then ceased communication.
- The threat actor, now angry, is releasing files individually.

Leaked tables will be posted next.

https://twitter.com/IntCyberDigest/status/1975846997568737666

Tables:

id
username
email
verifiedlocation
premium_until
premium_type
pending_deletion
country
phone
mfa_enabled
last_seen

🚨 Scattered LAPSUS$ Hunters launched an onion website, listing all victims with a deadline of October 10, 2025.

We've made a thread with screenshots of the victims below 👇 FedEx

‼️🚨 Red Hat breached: Crimson Collective stole 28k private repositories, including credentials, CI/CD secrets, pipeline configs, VPN profiles, and infrastructure blueprints.

Our analysis of obtained data: 👇 The file tree includes thousands of repositories referencing major banks, telecoms, airlines, and public-sector organizations, such as Citi, Verizon, Siemens, Bosch, JPMC, HSBC, Merrick Bank, Telstra, Telefonica, and even mentions the U.S. Senate...

‼️ Meet the Chinese man who has sold over 6,500 counterfeit licenses to Americans and Canadians, making over $750k. He used more than 83 domains and multiple social media accounts to promote his services. He sent every order very discreetly packaged, going to great lengths to hide the true contents: counterfeit IDs.

🚨 UPDATE 🚨 on the Mandiant investigation into the compromise of the Salesforce Drift platform reveals how it was compromised. The attackers initially gained access to Salesloft’s GitHub account, and that’s when things took off… In March through June 2025, the threat actor accessed the Salesloft GitHub account. With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows.

Ladies and gentlemen, we present to you Conti Ransomware group 💀 This group posted videos of their luxurious lifestyles, flying in private jets.

🚨 Nova ransomware gang demanded $30M from Clinical Diagnostics/Eurofins to not leak 480k+ people's sensitive medical data. Allegedly received $50k. Unsatisfied, they now demand more. We're unaccustomed to seeing double or triple extortion from ransomware gangs, as it undermines their business model. Moreover, Nova misrepresented their reasons for demanding more, making them (surprise) an unreliable party.

🚨🔓 Ransomware group Hellcat is uploading @SchneiderElec breach data as we post. What happened?

- How did @SchneiderElec get breached for the third time in a year?
- What can we learn from this breach to better protect ourselves?

🧵 A thread... 1/ Is this really bad for @SchneiderElec? We don't know yet. We've had contact with Hellcat spokesperson @holypryx, he told us 'Today we are leaking everything so samples won't be important anymore right?'