WhatsApp warns of a spyware campaign targeting iOS users, with ~200 victims—mostly in 🇮🇹 Italy—tricked into installing a fake app.
Malicious links led to a trojanized version capable of data theft.
Access has been revoked; users urged to install only from official sources. Legal action underway.
U.S. Rep. Randy Fine claims he was targeted by a cyberattack shortly after recent geopolitical escalations involving Iran.
The hacker group Handala released images and personal details of members of IranWire news agency.
The names of these individuals are as follows:
Maryam Dehghardi
Sina Ghanbari-Pour
Maziar Bahari
Mojtaba Hosseini
Solmaz Alakdar
Samaneh Ghadarkhani
Roghayeh Rezaei
Payam Younesi-Pour
Parisa Pourtaherian
Meysam Arshadi
Ebrahim Ramazani
Arezoo Karimi
Ali Roshanfar
Fereydoun Teymouri
Farzan Rouhi
Aylar Fatoorehchian
Aida Ghajeri
Sam Diba
Shima Shahrabi
Hamoun Mersan
#TGITM @TheGhostITM
Cyberattack hits the European Commission: Hacker group “TeamPCP” breached cloud infrastructure using a stolen API key, exposing data across dozens of EU entities.
Leaked emails and user data are now surfacing on the dark web via ShinyHunters.
TA416 is again targeting European governments, using OAuth redirect abuse and cloud-hosted malware to deliver PlugX.
Activity expanded to the Middle East in 2026, tied to conflict-driven intelligence gathering.
Attackers are using HTTP cookies to control PHP web shells on Linux servers.
Malware stays inactive and runs only when specific cookie values are sent, blending into normal traffic. Cron jobs can also recreate it for persistence.
SparkCat malware has reappeared on Apple and Google app stores, hiding inside everyday apps.
It scans photos for crypto recovery phrases and sends them to attackers, using OCR to extract sensitive data from images.
30% of breaches now involve third parties like vendors and SaaS.
The perimeter has shifted outward, and regulations now require continuous oversight. Cynomi shows TPRM is now a core security function, not just compliance.
Apple is testing a safeguard against copy-paste attacks.
macOS 26.4 adds Terminal paste warnings, targeting scams that trick users into running malicious commands. Users can still override.
A threat group exploited a Next.js flaw to compromise 766+ hosts and steal cloud credentials at scale.
Using automated scripts, attackers extracted AWS secrets, SSH keys, and API tokens, all managed through a central dashboard for reuse.
Attackers are weaponizing the Claude Code leak.
Fake GitHub repos now deploy Vidar Stealer and GhostSocks, using trojanized builds that look legitimate.
It turns out Axios npm was compromised via a targeted UNC1069 social engineering attack.
Attackers used a fake Slack + Teams setup to install malware, steal npm credentials, and publish trojanized versions (1.14.1, 0.30.4).
Aftermath of one month of war; 6% decrease in Microsoft stock value
Over the past month, since the start of the imposed war, Microsoft's stock value has dropped from about $398.55 at the beginning of March to $369.37 on April 1.
Forwarded from 𓂆 Palestine
WSJ confirms damage to Oracle’s Dubai Internet City building following recent Iranian attacks on the UAE—despite earlier denial by Dubai’s media office. Oracle, a key global software giant, now caught in the fallout.
Hacktivist group “Mobir” claims responsibility for a cyberattack targeting the UAE Space Agency, alleging the network was taken offline. The group cites UAE cooperation with Israel and the U.S. as motive and warns of further attacks.
U.S. officials are investigating a major cyber incident attributed to state actors targeting an internal FBI system containing sensitive law enforcement data. Reports say attackers leveraged commercial ISP infrastructure. Congress was notified in early March.
Israeli sources report over 4,000 cyberattacks during the early phase of the recent conflict, involving 60+ hacktivist groups. Activity includes DDoS, intrusions, and supply chain targeting, with growing use of social engineering against economic sectors.
Cyber Disputes the Israeli report; our own investigation identified over 100,000 cyberattacks conducted by hacktivist groups during Ramadan, involving 100+ hacktivist groups.
Handala has exposed the identities of 50 senior officers from Israel’s elite Unit 9900 — a key geospatial intelligence unit behind drone surveillance, satellite mapping, and targeted operations. A major escalation in cyber warfare narratives.
Handala announces a major breach: identities of 50 top Unit 9900 officers revealed. The group says this shatters the unit’s “invincibility” and sends a message to all cyber warfare actors.
Handala announced that this disclosure marks the end of the "myth of invincibility" of this unit and serves as a warning to all players in the cyber warfare arena.