Weekly Summary Cyberattacks January 01-07
Resurgence of Scattered Lapsus$ Hunters
Recent monitoring of underground forums and Telegram communities has identified the resurgence of the Scattered Lapsus$ Hunters collective, a group historically associated with high-profile intrusions against major global enterprises. The actors have re-emerged after a period of reduced visibility following earlier supply-chain intrusions involving third-party integrations. Current activity shows the group has rebuilt its operational structure and resumed coordinated intrusion efforts through renewed access-broker relationships and consistent posting behavior across closed Telegram clusters and credential-trading channels. The regrouped collective appears to operate with defined functional roles, including social-engineering specialists, intrusion operators, credential brokers, insider-recruitment facilitators, and data-leak amplification nodes, reflecting a more structured, semi-organized operating model. The group is actively seeking Initial Access through commission-based arrangements, openly advertising payments for Active Directory-joined systems and privileged access to identity and cloud platforms.
European Regulators Take Aim at X After Grok Creates Deepfake of Minor
European regulators are considering enforcement actions against X after its generative AI tool Grok was used to create sexually explicit deepfake images of a minor. The incident has intensified ongoing tensions between European authorities and the platform, owned by Elon Musk, amid broader transatlantic disputes over digital regulation and free speech. Grok triggered widespread outrage after responding to user prompts that digitally removed clothing from an image of a 14-year-old actress, as part of a broader surge in AI-generated "nudification" content targeting women and girls.
DarkSpectre: Unmasking the Threat Actor Behind 8.8 Million Infected Browsers
According to information dated December 30, 2025, security researchers from KOI Security disclosed a large-scale, long-running browser extension operation attributed to a Chinese-linked threat actor they designate as DarkSpectre, which has infected at least 8.8 million users across Chrome, Edge, Firefox, and Opera over more than 7 years. The investigation attributes three previously separate malware campaigns (ShadyPanda, GhostPoster, and a newly disclosed operation dubbed The Zoom Stealer) to a single, highly organized operator leveraging shared infrastructure, development practices, and operational playbooks. DarkSpectre's campaigns relied on hundreds of browser extensions distributed through official marketplaces, many of which operated legitimately for years before being weaponized through delayed activation, remote configuration, and server-controlled payload delivery.
900K Users Compromised: Chrome Extensions Steal ChatGPT and DeepSeek Conversations
A large-scale malicious Chrome extension campaign was disclosed, in which two fraudulent browser extensions impersonating the legitimate AITOPIA AI sidebar were used to exfiltrate user data, including ChatGPT and DeepSeek conversations, across more than 900,000 downloads. The malicious extensions, titled "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" and "AI Sidebar with Deepseek, ChatGPT, Claude and more," harvested complete AI conversations and all active Chrome tab URLs, transmitting the data every 30 minutes to an attacker-controlled command-and-control server.
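The fixed 30-minute exfiltration cadence reported above is something a defender can hunt for in egress logs. The following is an added example, not code from the original summary or from the researchers; the log format, hostnames, client addresses and thresholds are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy log lines (not from the report): time, client, destination host, bytes sent.
SAMPLE_LOG = """\
2025-12-30T09:00:02Z 10.0.0.21 updates.example-cdn.test 512
2025-12-30T09:00:05Z 10.0.0.21 c2.placeholder-domain.test 48231
2025-12-30T09:14:40Z 10.0.0.21 docs.example-news.test 2048
2025-12-30T09:30:04Z 10.0.0.21 c2.placeholder-domain.test 51990
2025-12-30T09:47:11Z 10.0.0.21 updates.example-cdn.test 512
2025-12-30T10:00:06Z 10.0.0.21 c2.placeholder-domain.test 47712
2025-12-30T10:30:03Z 10.0.0.21 c2.placeholder-domain.test 50288
2025-12-30T11:00:07Z 10.0.0.21 c2.placeholder-domain.test 49901
"""

def parse_log(text):
    """Group log lines into {(client, host): [(timestamp, bytes_out), ...]}, time-ordered."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        flows[(client, host)].append((when, int(nbytes)))
    for events in flows.values():
        events.sort()
    return flows

def find_periodic_uploads(text, period_s=1800, tolerance_s=60, min_events=4, min_bytes=4096):
    """Flag (client, host) pairs that upload >= min_bytes at a steady ~period_s cadence.
    A fixed 30-minute beat with a consistently large request body is the shape the
    extension's exfiltration would leave in egress logs; update checks are small
    and irregular by comparison. Thresholds are illustrative assumptions."""
    hits = []
    for (client, host), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median_gap = statistics.median(gaps)
        jitter = max(abs(g - median_gap) for g in gaps)
        median_bytes = statistics.median(size for _, size in events)
        steady = abs(median_gap - period_s) <= tolerance_s and jitter <= tolerance_s
        if steady and median_bytes >= min_bytes:
            hits.append({"client": client, "host": host, "events": len(events),
                         "median_gap_s": median_gap, "median_bytes": median_bytes})
    return hits

if __name__ == "__main__":
    for hit in find_periodic_uploads(SAMPLE_LOG):
        print(hit)
```

The same logic generalizes to any beacon period by changing period_s; pairing the flagged host with the requesting process or extension ID in endpoint telemetry confirms the source.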
Trust Wallet Compromised: Inside the Code That Stole $7M on Christmas Eve
According to information dated December 26, 2025, Trust Wallet confirmed that a malicious update to its Chrome browser extension led to the theft of approximately $7 million in cryptocurrency, following a supply-chain compromise on December 24, 2025. The affected version, Trust Wallet Chrome extension v2.68.0, was published to the Chrome Web Store shortly before users began reporting that their wallets were being drained after unlocking or interacting with the extension. Trust Wallet acknowledged a "security incident," removed the compromised version, and released version 2.69 as a fix, while advising users to update immediately and migrate remaining funds to new wallets created with fresh seed phrases.