
Cyware Daily Threat Intelligence


Daily Threat Briefing Feb 12, 2024

Chinese cybercriminals are back with a sophisticated malware threat that targets users globally. Dubbed MoqHao, the malware targets Android users via SMS phishing and DNS hijacking techniques. Meanwhile, the BlackCat ransomware group introduced a new macOS malware called RustDoor, masquerading as a Visual Studio update. Adding to the woes is a network of 70,000+ compromised websites used to distribute malware and phishing pages.

On the bugs side, ExpressVPN removed the split tunneling feature from its latest software after a flaw exposed users' visited domains to DNS servers. Windows users need to upgrade to the latest version or disable split tunneling to fend off the threat.

Top Breaches Reported in the Last 24 Hours

Half of French citizens suffered breach

Nearly 33 million people in France have been impacted by a significant security breach at healthcare payment service providers Viamedis and Almerys. The breach, disclosed by CNIL, compromised data including dates of birth, SSNs, and insurance details. Although banking and medical data remained untouched, the breach marks France's largest cybersecurity incident. Viamedis fell victim to a phishing attack targeting healthcare professionals, while the method behind Almerys' breach remains undisclosed.

Ransomware attack paralyzes 18 hospitals

A ransomware attack targeted the Hipocrate Information System (HIS), crippling 18 hospitals in Romania, including critical facilities such as cancer treatment centers. HIS is used for managing medical activity and patient data. The Romanian Ministry of Health confirmed the attack, stating that the system is offline, its files are encrypted, and recovery efforts are underway. Affected hospitals have been advised not to contact the IT teams, so that those teams can prioritize restoration efforts.

Security lapse exposes casino app users

An unsecured database belonging to Nevada software startup Dexiga (developer of the My WinStar app for the WinStar casino resort) exposed customers' personal information, including names, phone numbers, emails, and addresses. Dexiga claimed the database contained publicly available information, but researchers said that sensitive data was also exposed. The victim firm stated that the incident stemmed from a log migration in January.

Cybercriminals leak Facebook Marketplace data

The notorious IntelBroker group claimed responsibility for leaking a partial database of Facebook Marketplace, containing the sensitive personal information of approximately 200,000 users. The breach, allegedly orchestrated by a cybercriminal using the alias "algoatson," targeted a contractor managing Facebook's cloud services in October 2023. While passwords were not exposed, the leaked data includes full names, Facebook IDs, phone numbers, and physical IDs.

Top Malware Reported in the Last 24 Hours

MoqHao malware targets multiple countries

Security researchers discovered a new variant of Android malware called MoqHao, which automatically executes upon installation without user interaction. Associated with the Chinese cluster Roaming Mantis, the malware targets Android users in France, Germany, India, Japan, and South Korea. The latest iteration of MoqHao employs smishing techniques with hidden links and prompts victims to grant risky permissions silently.

Network of infected websites distributing malware

Researchers uncovered VexTrio, a network of over 70,000 legitimate websites hijacked to distribute malware, phishing pages, and other illicit content. The operation, active since at least 2017, employs traffic distribution systems similar to those used in marketing to redirect visitors to harmful sites. With at least 60 affiliates involved, VexTrio profits by directing web traffic to fraudulent sites and scam pages. Malware like SocGholish is pushed via VexTrio, affecting Windows machines worldwide.

Rust-based macOS malware linked to BlackCat

A new macOS malware dubbed RustDoor, written in Rust, is being distributed disguised as a Visual Studio update. The malware provides backdoor access to compromised systems and is linked to infrastructure associated with the BlackCat ransomware gang. RustDoor communicates with C2 servers and has persistence mechanisms to ensure it survives system reboots. Bitdefender researchers have identified three variants of RustDoor and provided indicators of compromise for detection.

Top Vulnerabilities Reported in the Last 24 Hours

ExpressVPN’s feature exposed user domains

A bug was found in the split tunneling feature of ExpressVPN that exposed users' visited domains to the configured DNS servers. The bug, affecting Windows versions 12.23.1–12.72.0, allowed DNS requests to bypass ExpressVPN's infrastructure and go to the user's ISP. This leak potentially exposed browsing history, breaking the VPN's privacy promises. After its discovery, the split tunneling feature was removed from the latest software version. Users must upgrade to version 12.73.0 or disable split tunneling until a fix is implemented.
