Daily Digest

Over 197,000 Zara customers just had their personal data exposed in a breach linked to the ShinyHunters extortion gang. The hackers didn't get your passwords or credit cards, but they did grab email addresses, purchase histories, and support ticket details. This matters because ShinyHunters is one of the most aggressive cybercrime groups today, targeting everything from Google to hospitals. If you've shopped at Zara or any Inditex brand, your data could be part of a 140GB leak now circulating online.

**What exactly happened** Spanish fast-fashion giant Zara suffered a data breach affecting 197,400 customers, confirmed by Have I Been Pwned. The attack targeted databases hosted by a former technology provider, not Zara's own systems. The ShinyHunters extortion gang claimed responsibility and leaked a massive 140GB archive. They allegedly stole the data from BigQuery instances using compromised Anodot authentication tokens. **Who is affected and how** Anyone who submitted support tickets or made purchases through Zara's customer service channels is potentially impacted. The exposed data includes unique email addresses, geographic locations, product SKUs, order IDs, and support ticket details. Importantly, Inditex confirmed that names, phone numbers, physical addresses, login credentials, and payment information were NOT compromised. This limits the direct financial risk but opens the door for targeted phishing attacks. **The real-world impact and consequences** For customers, the immediate danger is sophisticated phishing emails that reference your actual Zara purchases. Cybercriminals can craft highly convincing messages using your order history and location data. For Zara and Inditex, this is a reputational blow. The breach stems from a third-party vendor, highlighting how supply chain risks can cascade. ShinyHunters has a track record of extorting companies and leaking data when ransoms aren't paid. **Technical breakdown** ShinyHunters gained access by compromising Anodot authentication tokens, which are credentials used to connect cloud services. With these tokens, they accessed BigQuery, Google's data warehouse platform, where Zara's customer support data was stored. The group attempted to steal data from Salesforce instances but was blocked by AI-based detection. They've also been linked to vishing campaigns targeting employee SSO accounts across Microsoft, Okta, and Google platforms. **What should be done — mitigation and recommendations** If you're a Zara customer, watch for suspicious emails referencing your purchases. Never click links or download attachments from unsolicited messages. Enable two-factor authentication on your email account. For businesses, this incident underscores the need to audit third-party access. Revoke tokens from former providers immediately. Implement continuous monitoring for unusual data access patterns, especially in cloud environments like BigQuery. **Why this matters in the bigger cybersecurity landscape** ShinyHunters has claimed dozens of high-profile breaches in recent months, including Google, Cisco, and the European Commission. Their playbook is clear: compromise authentication tokens, steal data from cloud services, and extort victims. This breach also mirrors the MANGO incident, where another Spanish retailer was hacked through a marketing vendor. The fashion industry's reliance on third-party tech providers creates a growing attack surface that cybercriminals are actively exploiting.

Two brothers with a history of cybercrime against the U.S. government got fired—and then got even. Within hours of being terminated, they allegedly wiped nearly 100 federal databases, including sensitive investigative files and DHS records. This isn't a script for a thriller. It's a real case where a former contractor used his access to torch government data in retaliation. If you work with sensitive systems or manage contractor access, this story is a wake-up call about what happens when trust goes bad.

**What exactly happened** Sohaib Akhter, a 34-year-old Virginia man, was just convicted for conspiring to destroy dozens of government databases. The twist? He and his twin brother Muneeb had already served prison time for hacking State Department systems and stealing personal data. After their release, both brothers were rehired by a contractor serving over 45 federal agencies. When the company discovered Sohaib's prior felony, they fired both brothers during a remote meeting on February 18, 2025. The retaliation was immediate and devastating. **Who is affected and how** Within hours of being terminated, the brothers allegedly wiped roughly 96 government databases. These weren't just empty servers—they held sensitive investigative documents from multiple federal agencies and Freedom of Act records. The Department of Homeland Security lost an entire database. The damage cascaded across agencies that relied on the contractor's hosted infrastructure, creating chaos for investigators and FOIA requestors alike. **The real-world impact and consequences** This wasn't a random hack. It was a targeted, insider attack fueled by revenge. The brothers didn't just delete data—they actively tried to cover their tracks. Prosecutors revealed they ran commands to write-protect databases before deletion, ensuring no one could stop the destruction. They even asked an AI assistant how to clear system logs immediately after deleting the DHS database. The brothers also wiped company laptops before returning them and discussed cleaning out their house in anticipation of a police raid. **Technical breakdown (explain the "how" simply)** The attack exploited legitimate access. As contractors, the brothers had credentials to systems hosting government data. After termination, they used those still-active credentials to access computers without authorization. Their method was brutally simple: run commands to make databases unchangeable, then delete them. This prevented any rollback or recovery. They also destroyed evidence on their company-issued laptops, making forensic analysis harder. The AI assistant query about clearing logs shows they were trying to erase digital footprints—a sign of premeditation, not panic. **What should be done — mitigation and recommendations** This case screams for better offboarding procedures. When employees are terminated, especially those with prior cybercrime convictions, access should be revoked instantly—not minutes later. Organizations need automated systems that kill credentials the moment termination is initiated. Manual revocation leaves a dangerous window. Also, monitor for unusual post-termination activity. The brothers acted within hours. Real-time alerts on database deletions or log-clearing attempts could have stopped the damage. **Why this matters in the bigger cybersecurity landscape** The Akhter brothers are a cautionary tale about recidivism in cybercrime. They served time, got rehired, and struck again. This highlights a gap in background checks and ongoing monitoring for contractors with access to sensitive systems. The government's reliance on third-party vendors creates a sprawling attack surface. One contractor's failure to vet its own employees led to the destruction of nearly 100 federal databases. Sohaib faces up to 21 years in prison. Muneeb faces up to 45 years on multiple charges. Their sentencing in 2026 will close this chapter, but the lesson is clear: trust, once broken, can burn everything down.

A massive data extortion attack just hit Canvas, the backbone platform for online learning across America. The cybercrime group ShinyHunters defaced Canvas’s login page with a ransom demand, threatening to leak data on 275 million students and faculty from nearly 9,000 institutions. Schools and universities nationwide were forced offline as parent company Instructure scrambled to respond. If you’re a student, teacher, or administrator using Canvas, your personal information—names, emails, and student IDs—may already be in the hands of criminals. This isn’t just a tech glitch; it’s a crisis that could disrupt education for millions.

**What exactly happened** The Canvas breach unfolded in two brutal stages. First, ShinyHunters claimed they had stolen massive amounts of data from the platform, setting a ransom deadline of May 6. Then, on that very day, they defaced Canvas’s login page with a public ransom note, forcing Instructure to take the entire system offline. Classes ground to a halt as students couldn’t access assignments or coursework. Instructure acknowledged the breach earlier that week, confirming that stolen data includes names, email addresses, and student ID numbers. The company insists no passwords, birth dates, or financial info were taken, but the sheer scale—275 million records—makes this one of the largest education-sector breaches ever. **Who is affected and how** The impact is staggering. Nearly 9,000 educational institutions rely on Canvas, from K-12 school districts to major universities. That means millions of students, teachers, and faculty are directly exposed. For schools, the immediate disruption is chaos: canceled classes, lost assignments, and a scramble to find alternative ways to communicate. But the real danger is long-term. Stolen student IDs and email addresses can fuel identity theft, phishing campaigns, and social engineering attacks. Imagine a student getting a fake “financial aid” email that looks legit because it includes their real student ID number. That’s the kind of nightmare this breach enables. **The real-world impact and consequences** Beyond the immediate outage, the consequences are severe. Schools may face lawsuits from affected students and parents, especially if sensitive data is eventually leaked. Reputation damage is also a factor—parents and students may lose trust in institutions that rely on a single vendor for critical operations. Financially, Instructure could be on the hook for millions in remediation costs, legal fees, and potential ransom payments. And if ShinyHunters follows through on its threat to leak data, the damage multiplies. The group has a history of dumping stolen data publicly, as seen in previous attacks on AT&T and Ticketmaster. **Technical breakdown** How did ShinyHunters pull this off? While details are still emerging, the breach likely involved exploiting vulnerabilities in Canvas’s cloud infrastructure or third-party integrations. The group may have used stolen credentials, SQL injection, or a compromised API to access user data. The defacement itself suggests they had administrative-level access to Canvas’s login portal. This isn’t just a data grab—it’s a demonstration of power. By taking over the login page, ShinyHunters signaled they could disrupt operations at will, raising the stakes for Instructure. **What should be done — mitigation and recommendations** For schools and universities, immediate steps include resetting all user passwords, enabling multi-factor authentication, and monitoring for suspicious activity. Students and faculty should be warned about phishing emails that may reference the breach. Instructure must conduct a full forensic audit, patch any vulnerabilities, and consider offering credit monitoring to affected users. Transparency is key—hiding the full scope of the breach will only erode trust further. The company should also engage law enforcement and consider whether paying the ransom is a viable option, though experts generally advise against it. **Why this matters in the bigger cybersecurity landscape** This breach is a wake-up call for the education sector, which has long been underfunded in cybersecurity. Schools often rely on a handful of vendors for critical services, creating single points of failure. When one platform goes down, millions of students are affected. The ShinyHunters group is also evolving. Their simultaneous campaigns against multiple targets suggest a coordinated, professional operation. For the rest of us, this incident underscores a grim reality: no sector is safe, and the data of the most vulnerable—students—is increasingly a prime target for extortion. The question isn’t if the next big breach will hit, but when.

A new banking trojan called TCLBanker is doing something we rarely see: it spreads itself automatically through WhatsApp and Outlook. This isn’t your average malware—it hijacks your chat apps to infect your contacts without you knowing. The malware targets 59 banks, fintech apps, and crypto platforms, primarily in Brazil right now. But if history teaches us anything, LATAM malware often goes global. If you use Logitech software or handle sensitive financial data, this one’s on your radar.

**What exactly happened** Elastic Security Labs uncovered TCLBanker, a trojan that disguises itself as a legitimate Logitech AI Prompt Builder installer. Once inside, it uses DLL side-loading to run silently within the trusted Logitech process—so security tools don’t raise alarms. The malware is heavily armored against analysis. It checks your timezone, keyboard layout, and locale to confirm it’s in Brazil before activating. If it suspects a sandbox or analyst environment, it simply refuses to decrypt its payload. **Who is affected and how** Right now, the primary targets are in Brazil. But the worm modules for WhatsApp and Outlook make this a potential global threat. The malware hijacks your authenticated WhatsApp Web session through Chromium browser data, then sends spam messages to your Brazilian contacts. For Outlook, it uses COM automation to harvest your address book and send phishing emails from your account. Your friends and colleagues become unwitting distribution channels. **The real-world impact and consequences** This isn’t just about stealing passwords. TCLBanker gives attackers full remote control: live screen streaming, keylogging, clipboard hijacking, and fake overlay screens that mimic bank logins, PIN keypads, or even Windows Update. Victims can lose money directly from their accounts. Worse, the malware kills Task Manager during active sessions, so you can’t easily stop it. And because it spreads through trusted contacts, the infection chain feels legitimate. **Technical breakdown** The banking module monitors your browser address bar every second using Windows UI Automation APIs. When you visit one of 59 targeted platforms, it opens a WebSocket to the command-and-control server and starts remote operations. The overlay system is particularly clever. It uses WPF-based “cutout” overlays that show only selected parts of real applications, hiding malicious prompts behind fake screens. Think fake bank support waiting screens or fake Windows Update progress bars. The self-spreading mechanism is what sets TCLBanker apart. For WhatsApp, it searches Chromium profiles for IndexedDB data, launches a hidden browser instance, and sends messages to filtered contacts. For Outlook, it uses COM automation to send phishing emails from your account. **What should be done** First, verify any Logitech AI Prompt Builder installer you download. Only use official sources. Second, enable multi-factor authentication on all financial and crypto accounts—this stops credential theft from being enough. For organizations, monitor for unusual Outlook activity or unexpected WhatsApp Web sessions. Consider blocking MSI installers from untrusted sources. And educate users: if a friend sends a strange link via WhatsApp or email, verify through another channel. **Why this matters** TCLBanker represents a worrying trend: LATAM malware evolving from regional threats to global-capable tools. The use of AI in its code artifacts suggests lower-tier cybercriminals now have access to features once reserved for elite groups. The self-spreading worm capability is the real game-changer. It turns every victim into an attacker, amplifying the infection chain exponentially. As remote work and digital banking grow, malware that hijacks communication channels will become more common. This isn’t just another banking trojan. It’s a blueprint for the next generation of financially motivated malware. And it’s already here.

A new malware framework called PCPJack is actively stealing credentials from exposed cloud infrastructure—and it's doing something unusual: it's cleaning up infections left by TeamPCP, a notorious threat group. If you're running Docker, Kubernetes, Redis, MongoDB, or RayML services without proper authentication, you're the target. This isn't just about data theft; it's about a turf war in the cloud, where attackers are competing for access to your systems.

**What exactly happened** SentinelLabs researchers uncovered PCPJack, a credential-stealing framework targeting exposed cloud services. It uses a shell script called bootstrap.sh to infect Linux-based systems, then spreads laterally across networks. The twist? PCPJack actively removes TeamPCP's access to infected systems. TeamPCP is a well-known cloud-focused threat group behind high-profile supply-chain attacks on Aqua Security's Trivy scanner and SAP npm packages. **Who is affected and how** Any organization running Docker, Kubernetes, Redis, MongoDB, or RayML without strong authentication is at risk. PCPJack also targets vulnerable web applications. The malware moves laterally once inside, meaning one exposed service can lead to a full network compromise. If you're using these tools in development or production, your credentials are in the crosshairs. **The real-world impact and consequences** SentinelLabs believes PCPJack is designed for large-scale credential theft, likely monetized through financial fraud, spam operations, credential resale, or extortion. This isn't a random attack—it's a calculated operation by someone who knows the cloud landscape intimately. The cleanup of TeamPCP infections suggests a power shift, where a former affiliate or member has started their own operation. **Technical breakdown** The infection begins with bootstrap.sh, which creates a hidden working directory and installs Python dependencies. From there, it scans for exposed services and steals credentials stored in plaintext or weak configurations. PCPJack uses techniques like Redis cron rewrites and privileged container escapes to maintain persistence. The researchers also found a Sliver-based backdoor on the attacker's infrastructure, supporting x86_64, x86, and ARM architectures. **What should be done** SentinelLabs recommends enforcing multi-factor authentication (MFA) everywhere possible. Use IMDSv2 in AWS to protect instance metadata. Ensure Docker and Kubernetes services require proper authentication—no default settings. Follow least-privilege principles: don't give containers or services more access than they need. And critically, never store secrets in plaintext. Use vaults or environment variables instead. **Why this matters** PCPJack shows how cloud threats are evolving from broad attacks to targeted, competitive operations. The fact that it cleans up rival malware signals a maturing underground economy where groups fight over the same vulnerable infrastructure. For defenders, this means staying ahead of both the malware and the shifting alliances behind it. The cloud is no longer just a battleground—it's a marketplace, and your credentials are the currency.

Microsoft just quietly fixed a dangerous API flaw that could let attackers hijack any application on your screen. The GetProcessHandleFromHwnd function was supposed to be a simple tool for developers, but it turned into a backdoor for privilege escalation. If you're running Windows 11 24H2, you're safe now. But older versions? Attackers could steal process handles from any visible window, bypassing security protections that should have stopped them cold. This isn't just a theoretical risk—it was already weaponized in a real UAC bypass using Quick Assist.

**What exactly happened** A security researcher discovered that Microsoft's GetProcessHandleFromHwnd API had a fundamental design flaw. The function was meant to give developers a way to get a process handle from a window handle, but its implementation completely ignored Windows' own security boundaries. The API could return a full-access process handle to any caller, even when the target process was running at a higher integrity level or was a protected process. This meant a low-privilege application could effectively take control of a system-level process. **Who is affected and how** Every Windows user running versions prior to 11 24H2 is potentially at risk. The vulnerability is especially dangerous for enterprise environments where users run both standard and privileged applications. Attackers could exploit this through any application that has a visible window. Malware already running on a system could use this API to elevate privileges or bypass security controls. The Quick Assist UAC bypass showed this was not just theoretical. **The real-world impact and consequences** The most immediate danger is privilege escalation. An attacker who gains initial access to a system could use this API to hijack a process running at a higher integrity level, effectively bypassing User Account Control. Beyond that, the API could be used to steal sensitive data from protected processes, inject malicious code, or maintain persistence by taking over legitimate system processes. The fact that it worked across all visible windows made it a universal attack vector. **Technical breakdown** The API's documentation claimed it used Windows hooks to obtain process handles, which would have required the caller to have UI Access privileges. But the actual implementation was far more dangerous. In reality, GetProcessHandleFromHwnd directly opens a handle to the target process in kernel mode, bypassing all the security checks that would normally apply. It completely ignored User Interface Privilege Isolation (UIPI), which is supposed to prevent lower-integrity processes from interacting with higher-integrity ones. The function also failed to check whether the target process was a protected process, meaning it could return handles with dangerous access rights like PROCESS_VM_READ to non-protected callers. **What should be done** If you're running Windows 11 24H2, you're protected. For everyone else, the only real mitigation is to update to the latest Windows version as soon as possible. Organizations should also review any applications that might be using this API and ensure they're not relying on its flawed behavior. Security teams should monitor for unusual process handle requests or unexpected privilege escalations. **Why this matters** This vulnerability is a perfect example of how seemingly simple API functions can hide dangerous security flaws. The gap between documented behavior and actual implementation created a blind spot that attackers could exploit for years. The fix in Windows 11 24H2, which includes making UIPI permanent and properly checking for protected processes, suggests Microsoft is finally taking these issues seriously. But it also raises questions about how many other similar flaws might still be lurking in the Windows kernel.

Windows just got a shiny new security feature called Administrator Protection. It was supposed to finally lock down UAC, the pop-up gatekeeper that’s been a pain point for years. But researchers found nine ways to bypass it before it even hit the streets. Five of those bypasses share a sneaky root cause: a legacy feature called UI Access. If you’re running Windows, especially in an enterprise environment, this matters. The fix is in, but the story reveals a deeper flaw in how Microsoft handles privilege boundaries.

**What exactly happened** Security researcher James Forshaw uncovered nine distinct bypasses for Microsoft’s new Administrator Protection feature. This feature was designed to create a real security boundary for User Account Control (UAC), which has historically been more of a speed bump than a wall. Five of those bypasses trace back to a single, long-underestimated problem: UI Access. This is a mechanism that allows certain processes to interact with elevated user interfaces, and it’s been quietly undermining Windows security for over a decade. **Who is affected and how** Anyone running Windows with UAC enabled is potentially impacted. The bypasses allow a standard user to escalate privileges to administrator level without triggering the usual consent prompts. This is particularly dangerous in corporate environments where IT relies on UAC as a last line of defense. A malicious app or script running at low integrity can hijack the UI of a privileged process, effectively stealing its power. **The real-world impact and consequences** The consequences are severe. An attacker who gains initial access to a limited user account can use these bypasses to install malware, disable security tools, or move laterally across a network. Because the bypass abuses legitimate Windows features, it can fly under the radar of traditional antivirus. The attack surface is broad, affecting every Windows desktop and server that uses UAC with Administrator Protection enabled. **Technical breakdown** The root cause lies in User Interface Privacy Isolation (UIPI), introduced with Windows Vista to prevent shatter attacks. UIPI uses Mandatory Integrity Control to block lower-integrity processes from sending messages to higher-integrity windows. However, UI Access creates an exception. Processes with the "uiAccess" flag set to true in their manifest can bypass UIPI and interact with elevated windows. The researcher found that this exception is too broad, allowing attackers to abuse it by injecting code into legitimate UI Access processes or by tricking the system into granting this privilege to malicious apps. **What should be done — mitigation and recommendations** Microsoft has already patched all nine bypasses in the latest Windows updates. Users should ensure their systems are fully updated. For administrators, the recommendation is to test and deploy these patches immediately. Additionally, review any applications that request the uiAccess flag and restrict them where possible. Consider using Application Control policies like WDAC to block unauthorized code from running. **Why this matters in the bigger cybersecurity landscape** This research highlights a recurring theme in Windows security: legacy features often undermine modern defenses. UIPI was a good idea in 2006, but UI Access was a compromise that never aged well. Administrator Protection is a step forward, but it’s only as strong as its weakest link. The fact that pre-release testing missed these bypasses suggests Microsoft needs to invest more in adversarial testing. For defenders, this is a reminder that every security boundary is provisional. Stay updated, stay skeptical, and never assume a feature is bulletproof just because it’s new.

Microsoft just shipped a major security upgrade for Windows 11—only for a researcher to punch nine holes straight through it before it even hit the mainstream. Administrator Protection was supposed to be the long-awaited replacement for UAC, giving users temporary admin rights without the nagging prompts. Instead, it turned out to be a fortress with open windows. The vulnerabilities affect every Windows 11 user running the 25H2 preview builds. If you’ve enabled Administrator Protection thinking you’re safe from privilege escalation attacks, think again. A local attacker—or malware already on your machine—could silently seize full admin control without triggering a single alert. This isn’t just a bug; it’s a fundamental design flaw that undermines the entire feature’s purpose.

**What exactly happened** A security researcher discovered nine distinct vulnerabilities in Windows 11’s brand-new Administrator Protection feature, which was introduced in the 25H2 insider preview. This feature was Microsoft’s answer to the long-criticized User Account Control (UAC), promising a more secure way to grant temporary admin privileges. The researcher responsibly disclosed all nine issues to Microsoft, which has since patched them—either before the feature’s official release or in subsequent security bulletins. Notably, Microsoft temporarily disabled Administrator Protection on December 1, 2025, due to an unrelated application compatibility issue. **Who is affected and how** Any Windows 11 user who enabled Administrator Protection in the 25H2 preview builds is at risk. The vulnerabilities allow a local attacker—or malware already running with limited privileges—to silently escalate to full administrator rights. This means a piece of ransomware or a trojan could bypass the very security layer designed to stop them. The attack requires no user interaction, no UAC prompt, and no suspicious pop-ups that might alert a vigilant user. **The real-world impact and consequences** The stakes here are enormous. Administrator Protection was marketed as a hardened replacement for UAC, which Microsoft itself acknowledged was never a true security boundary. If malware can bypass this new feature silently, it effectively renders the entire privilege escalation defense useless. In practice, an attacker could install persistent backdoors, disable security tools, steal credentials, or deploy ransomware—all with full system access. For enterprises testing Windows 11 25H2, this could mean a false sense of security during a critical migration phase. **Technical breakdown (explain the "how" simply)** The vulnerabilities stem from how Administrator Protection handles token assignments and process interactions. Unlike UAC, which relies on a consent prompt, Administrator Protection uses a separate, isolated administrator token that’s only activated when needed. The researcher found ways to trick the system into granting this token without proper authorization. One specific flaw involved manipulating the token’s integrity level through a race condition—essentially, the attacker could sneak in a request between the time the system checks permissions and the time it grants access. Another issue exploited how the feature interacts with the Windows Filtering Platform, allowing a low-privilege process to impersonate an elevated one. **What should be done — mitigation and recommendations** Microsoft has already patched all nine vulnerabilities, so the immediate fix is to install the latest Windows updates. For users still on preview builds, ensure you’ve applied KB5067036 or any subsequent security patches. If you’re an IT admin, consider disabling Administrator Protection until Microsoft resolves the compatibility issue and confirms no further design flaws exist. The safest approach remains the old advice: never run as a full administrator. Use a standard user account for daily tasks, and rely on UAC or Administrator Protection only as a last resort. And of course, maintain robust endpoint protection to catch malware before it can exploit any privilege escalation. **Why this matters in the bigger cybersecurity landscape** This discovery exposes a painful truth: even well-intentioned security features can have hidden cracks. Microsoft’s decision to replace UAC with something stronger was correct, but rushing a complex feature into preview builds without exhaustive testing invites risk. The fact that nine separate bypasses were found by a single researcher suggests there may be more lurking. For the industry, this reinforces that privilege escalation remains one of the hardest problems to solve. It also highlights the importance of responsible disclosure and the need for continuous security research—because the attackers are certainly looking for these holes. As Windows 11 25H2 moves toward general availability, expect more scrutiny on Administrator Protection. For now, the safest bet is to treat any new security feature with healthy skepticism until it’s battle-tested.