From hackers targeting government services to crippling popular restaurant chains, this week was no different in cyberspace, which sees new threats every day. Following is the weekly phishing and breach-related news roundup from this past week. This highlights the need for greater phishing protection.


Roaming Mantis Campaign: Cybercriminals Target DNS Settings In Wi-Fi Routers, Infecting Victims With Mobile Malware

Researchers recently observed that the Roaming Mantis Campaign’s threat actors are back with an updated version of Wroba. They are deploying their patent mobile malware’s newest version to infiltrate Wi-Fi routers and execute Domain Name System (DNS) hijacking. Kaspersky analyzed the ongoing malware strain and said cybercriminals tweaked the older version to target specific Wi-Fi routers in South Korea.

Roaming Mantis, also called Shaoye, is an ongoing financially motivated operation targeting Android smartphone users with malware. It steals bank account credentials and harvests other sensitive information.

Initially, it was targeting Asian countries from 2018, but from early 2022,  the hacking crew camouflaged the malware as a Google Chrome application and expanded its victim range to France and Germany.


Image sourced from

The recent attacks install malicious APK or redirect victims to phishing websites depending on which OS they are running on their mobile devices. Hackers are using smishing as the initial vector to send booby-trapped URLs to victims.


Cybersecurity Experts Shut Down A Massive Ad Fraud Scheme That Targeted 11 Million Phones

The experts at cybersecurity firm HUMAN Security Inc. recently announced that they took down an organized, sophisticated and large-scale ad fraud campaign that they called VASTFLUX. HUMAN Security is the world’s leading firm which offers its clients advanced defenses against digital attacks. Earlier, its cybersecurity experts reported large-scale scams like Scylla, PARETO, Methbot, and 3ve which involved Android and iOS devices.

How did the experts discover the Ad Fraud?

VASTFLUX combines two terms reflecting its functionality. VAST refers to the Digital Video Ad Serving Template that the cybercriminals exploited in this operation. Furthermore, Flux means the Fast Flux concept, an evasion tactic that the threat actors use.


cybersecurity trends


HUMAN’s Team Satori was investigating an iOS application that was heavily impacted by the app spoofing attack and stumbled upon the VASTFLUX. The researchers discovered it was a highly sophisticated scheme where the threat actors were exploiting the limited signal availability needed by the verification partners in their targeted environment (including the iOS in-app advertising).

The threat actor’s ad fraud later evolved and they started appearing on other platforms, and made cross-platform attacks challenging to detect. The HUMAN team engaged with their partners and obtained further information regarding the campaign’s traffic volumes and the verification tags that the cybercriminals used in the ads.


Costa Rica’s MOPT (Ministry Of Public Works And Transport) Crippled By A Ransomware Attack

The Costa Rican government has been facing a range of Conti ransomware attacks that have crippled several of its ministries. Latest in the line of such wide-ranging attacks, on Tuesday, Costa Rica’s MOPT (Ministry of Public Works and Transport) issued a statement saying 12 of its servers got encrypted.

As a result, all of MOPT’s systems were knocked offline, and the government has informed the Ministry of Science, Innovation, Technology, and Telecommunications and the National Security Directorate. While the government did not comment on the issue, it says that it requested international organizations for support. Currently, the government is conducting the driving tests in person, and the license issuance services are slowly getting resumed.


Ransomware Gang Steals Data From Pizza Hut, Taco Bell, And KFC Brand Owner

Yum! Brands, the brand operator of Pizza Hut, Taco Bell, The Habit Burger Grill, and KFC fast-food restaurant chains, recently became a ransomware attack victim that forced the closure of its 300 restaurant locations in the United Kingdom. Yum! Brands operates over 53,000 restaurants across 155 countries, with a $1.3 billion yearly net profit and over $5 billion in total assets.

Yum! Brands issued a press statement after the attack, “Promptly after detecting the incident, we initiated response protocols. They include enforcing containment measures like implementing enhanced monitoring technology and taking certain systems offline.”

Additionally, Yum! Brands initiated an investigation into the incident and notified Federal law enforcement. It engaged the services of industry-leading forensics and cybersecurity professionals.

The company claims that the impacted restaurants in the UK returned to normal operations and will not face any further problems relevant to the cyberattack. Such ransomware attacks take place to steal data from breached networks and extort their victims.

While Yum! Brands confirmed that the threat actors stole data in the attack; there is no evidence that the attack exposed any customer information.


T-Mobile Says In An SEC Filing That Threat Actors Accessed Personal Information Of 37 Million Customers

T-Mobile revealed in a financial filing recently that a hacker accessed a database containing information of 37 million customers. The telecom giant said in the filing that the data includes “name, email, phone number, billing address, date of birth, T-Mobile account number and information like plan features and the number of lines on the account.” The threat actors had access to the above information since November 25.


phishing emails


T-Mobile further said in the SEC filing that it detected the breach over a month later, on January 5, and quickly responded by fixing the vulnerability that the hacker was exploiting within a day. The cybercriminals, according to T-Mobile, did not breach any organizational system but abused an API (application programming interface).

“The investigation is ongoing, but we fully contained the malicious activity, and there is no evidence that the threat actor breached or compromised our systems or network,” T-Mobile said.


PayPal Informs Its Customers That It Suffered A Large-Scale Credential Stuffing Attack

PayPal recently sent out data breach notifications to its users that hackers launched credential stuffing attacks on their accounts and might have accessed their personal data. In credential stuffing attacks, the hackers attempt to access the victim’s account by trying username and password pairs available on dark websites.

These attacks follow an automated approach with bots trying lists of credentials to “stuff” into the login portals for numerous services. Users who “password recycling” or keep the same password for multiple accounts are more vulnerable.

Close to 35,000 PayPal users were impacted.

PayPal explained in the notification that the attack occurred from December 6 to December 8, 2022. While the company detected and mitigated the attack, it also launched an internal investigation to discover how the attackers accessed the accounts. PayPal’s security experts concluded the investigation by December 20, 2022. They confirmed that unauthorized third parties used valid credentials to log into the accounts.

According to the data breach reporting by PayPal, the incident impacted 34,942 of its users. The cybercriminals maintained access to the following data during the two days:

  •       Account holders’ full names,
  •       Social security numbers,
  •       Dates of birth,
  •       Postal addresses, and
  •       Individual tax identification numbers.


Mailchimp Says It Got Hacked — A Second Notification Within Six Months

Email marketing and newsletter services provider Mailchimp says it got hacked, exposing dozens of customers’ data. It is the second time Mailchimp got hacked in the past six months, and the latest breach appears identical to the previous incident.

The Intuit-owned company described the incident in a blog post that its security team discovered an intruder on January 11. The adversary had unauthorized access to one of its internal tools that Mailchimp uses for customer support and account administration.

While the company did not mention for how long the attacker accessed its systems, it said the hacker targeted its employees and contractors with a social engineering attack. The cybercriminal then used the compromised employee passwords and gained access to data on 133 Mailchimp accounts, whom the company notified about the intrusion.

One of the targeted accounts is of e-commerce giant WooCommerce. In a notice to its customers, WooCommerce said that Mailchimp notified it regarding the breach, in which its customers’ names, email addresses, and store web addresses might have been compromised.


Iranian Government Entities Targeted In A New Wave of BackdoorDiplomacy Attacks

Cybersecurity experts are linking the BackdoorDiplomacy threat actor to a new wave of attacks on Iranian government entities from July to late December 2022.




Palo Alto Networks Unit 42, tracked the group’s activity and said they were observing government domains that were connecting to the malware infrastructure they previously associated with the threat actor.

The Chinese APT Group is also known as APT15, KeChang, Vixen Panda, and NICKEL. Cybersecurity experts say that it has been launching cyber espionage campaigns against government and diplomatic entities in North America, South America, the Middle East, and Africa since 2010.

In June 2021, a Slovak cybersecurity firm ESET discovered that the hacking crew modified its tactics and started using a custom implant called Turian. They used it to execute intrusions against telecommunication companies and diplomatic entities in Africa and the Middle East.