A cybercriminal operating under the alias ByteToBreach has emerged as a notable threat actor in the underground market, actively selling and leaking sensitive data from airlines, banks, universities, and government entities worldwide.

Active since at least June 2025, this threat actor runs a cross-platform operation that combines technical skill with aggressive self-promotion across DarkForums, Dread, Telegram, and even a public WordPress website.

The actor’s targets span multiple countries, including Ukraine, Kazakhstan, Cyprus, Poland, Chile, Uzbekistan, and the United States. Leaked datasets include airline passenger manifests, banking employee records, healthcare databases, and government-related files.

Affected organizations have corroborated several of these breaches or contain verifiable technical artifacts, confirming the legitimacy of the claims.

KELA security researchers identified and traced ByteToBreach through extensive investigation.

The actor uses a combination of technical approaches, including exploiting known vulnerabilities in cloud and corporate infrastructure, reusing stolen credentials from infostealers and phishing campaigns, and leveraging brute force or misconfiguration-based access to gain entry.

Once inside, the focus shifts to data exfiltration, targeting employee records, databases, backups, and sensitive documents.

OSINT Traces and Digital Footprint

In August 2025, ByteToBreach established a website under the name “Pentesting Ltd” built on WordPress. The site was designed to resemble a professional service provider, displaying logos of companies he claimed to have hacked as “clients.”

Banners featured provocative phrases such as “Let Me Harm Your Data” and “Industry-leading Threat Actor.”

The actor communicates through multiple channels, including ProtonMail, Tuta, Gmail, Telegram (@ByteToBreach), Signal, and Session. KELA’s datalake analysis linked the actor to two infostealer-infected machines originating from Algeria.

One machine was infected with Raccoon in September 2022, and another with StealC in February 2024. The former Telegram username “inesslopez” and a phone number directly tied to ByteToBreach’s Telegram account were found in the bot data.

This case highlights how modern threat actors blend legitimate technical capabilities with criminal intent, using marketing-first approaches to monetize stolen data across global markets.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post ByteToBreach Cybercriminal Selling Sensitive Global Data from Airlines, Banks, and Governments appeared first on Cyber Security News.

Threat actors continue to exploit a dangerous vulnerability in user behavior by deploying fake software updates to deliver the SocGholish malware.

This malware delivery framework has evolved significantly since its discovery in 2017, transforming from a simple web-based nuisance into a powerful tool that enables major ransomware operations targeting organizations worldwide.

Recent campaigns demonstrate how easily legitimate users can fall victim to convincing fake update prompts, leading to complete system compromise and network-wide attacks.

SocGholish operates as a sophisticated malware-as-a-service platform where threat actors compromise legitimate websites and inject malicious JavaScript code into their pages.

When unsuspecting users visit these compromised websites, they encounter fake update notifications that appear authentic and urgent.

These deceptive prompts trick users into downloading malicious payloads, often disguised as browser updates for Chrome, Firefox, or other popular applications.

Arctic Wolf security analysts identified a significant incident in September 2025 where SocGholish was used to deliver RomCom’s Mythic Agent to a United States-based engineering company with ties to Ukraine.

The malware’s impact extends far beyond the initial infection. Once executed, SocGholish establishes a direct connection to command-and-control servers, allowing operators to execute commands remotely and gather sensitive data from compromised systems.

Organizations encountering SocGholish should treat this as a critical warning sign, as the malware frequently serves as a gateway for ransomware deployment.

Fake Update Lures

The financial impact can be devastating, with businesses facing not only system encryption but also extended downtime and potential data theft.

Understanding SocGholish’s infection mechanism reveals the sophistication of modern attack chains. The malware begins with obfuscated JavaScript that executes automatically when a user clicks the fake update button.

This JavaScript connects to malicious servers and retrieves additional payloads, including reconnaissance tools and loaders.

Arctic Wolf researchers observed attackers using PowerShell commands with subtle detection evasion techniques, inserting quotation marks into commands to bypass security monitoring.

The operator then deploys secondary payloads and establishes persistence through scheduled tasks, ensuring long-term access even after system reboots.

The persistence mechanism proves particularly dangerous. Attackers schedule Python-based backdoors to run automatically at regular intervals, creating a resilient foothold that remains active until detected and removed.

This approach gives threat actors unlimited time to conduct hands-on-keyboard operations, exfiltrate data, and prepare the system for ransomware deployment.

Organizations must implement robust endpoint detection and response solutions, maintain current patch levels, and conduct regular security awareness training to defend against this evolving threat landscape.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Leverage Fake Update Lures to Deliver SocGholish Malware appeared first on Cyber Security News.

Cybercriminals are launching increasingly sophisticated attacks against the telecommunications and media industry, focusing their efforts on deploying malicious payloads that compromise critical infrastructure.

Recent security analysis reveals a concerning trend where threat actors are systematically targeting network operators, media platforms, and broadcasting services to gain unauthorized access and establish persistent command-and-control mechanisms.

The attack campaigns against this sector have shown remarkable consistency over the past three months, with advanced persistent threat actors demonstrating coordinated efforts to breach security defenses.

These operations involve multiple stages, beginning with initial reconnaissance of network vulnerabilities, followed by strategic payload deployment designed to maintain long-term access.

The sophistication of these attacks suggests that well-resourced threat actors are prioritizing the telecommunications and media sector for maximum operational impact.

Cyfirma security analysts noted that the telecommunications and media industry featured in 10 out of 18 observed advanced persistent threat campaigns over the past 90 days, representing 56 percent of all tracked campaigns.

This elevated presence underscores the industry’s critical importance as a target for nation-state actors and financially motivated cybercriminal groups operating across multiple continents.

Ransomware Deployment Strategy and Persistence Mechanisms

The primary infection mechanism deployed by attackers involves exploiting vulnerabilities in web-facing applications and network infrastructure.

Once initial access is established, threat actors employ several persistence tactics to maintain their presence within compromised systems.

These methods include modifying system registry entries, establishing scheduled tasks for automatic execution, and injecting malicious code into legitimate system processes.

The deployment phase typically begins with memory-based execution, where malicious payloads operate entirely in RAM, leaving minimal traces on disk storage.

This technique allows attackers to evade traditional file-based detection systems. Following successful deployment, the malware establishes encrypted communication channels back to command servers, enabling remote operators to execute additional commands or extract sensitive data.

Recent statistics reveal that ransomware gangs have compromised 65 verified victims within the telecommunications and media industry in the last 90 days.

The Qilin gang emerged as the most active threat actor with 12 recorded victims, while emerging groups like Nightspire and Beast demonstrated significant focus on this sector.

Geographic analysis shows that the United States accounted for 40 victims, or 62 percent of all recorded incidents globally.

The convergence of multiple threat actors targeting a single industry segment indicates a coordinated effort to destabilize critical communication infrastructure.

Organizations must prioritize the immediate implementation of advanced threat detection solutions and maintain comprehensive security monitoring across all network segments to identify and respond to compromise attempts before attackers establish persistent access.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Hackers Actively Attacking Telecommunications & Media Industry to Deploy Malicious Payloads appeared first on Cyber Security News.