PayPal A.I CyberSecurity Scoring
PayPal
Company Information
Website: https://www.paypal.com/us/home
Employees: 36,670
Number of followers: 1,613,716
NAICS: 5112
Industry Type: Software Development
Homepage: paypal.com
PayPal Risk Score (AI oriented)
Between 550 and 599
PayPal, Software Development
Updated: 28/04/2026
567/1000
Very Poor (Ca)
PayPal Global Score (TPRM)
PayPal, Software Development
Score locked
Current Score
567 Ca (VERY POOR), on a scale of 0 to 1000
13 incidents
-26.33 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 562
MAY 2026: 567
APRIL 2026: 563
MARCH 2026: 573
Cyber Attack
17 Mar 2026 • PayPal
PayPal and LiveChat: Phishers Abuse LiveChat Support Tools to Steal Sensitive Data in New SaaS-Based Attack Tactic
New Phishing Campaign Exploits LiveChat to Steal Sensitive Data
635 | CRITICAL-62 | LIVPAY1773735888
A sophisticated phishing campaign is leveraging LiveChat, a widely used customer service SaaS platform, to deceive victims into surrendering personal and financial information. Unlike traditional phishing attacks that direct users to fake login pages, this operation embeds malicious interactions within legitimate-looking live chat sessions, making detection harder.
The campaign targets users through two distinct email lures:
1. A PayPal-themed email claiming a $200 refund, prompting recipients to click a "View Transaction Details" button.
2. A generic order confirmation email urging users to verify a pending order via a "View Update" link, with no brand name visible until after the click.
Both emails direct victims to LiveChat-hosted pages under the domain lc[.]chat, where automated chatbots or scripted agents impersonate support representatives from PayPal or Amazon. The PayPal variant uses a chatbot to guide users to a fake login page, capturing credentials and multi-factor authentication (MFA) codes before requesting billing details. The Amazon version collects email, phone number, date of birth, and home address under the guise of identity verification, followed by credit card details for a supposed refund.
The attack employs multi-stage data harvesting, with operators using misspelled phrases and awkward phrasing to mimic human interaction. Victims are reassured with false security claims, such as promises of "utmost confidentiality," to encourage compliance. After submitting sensitive data, users are redirected to a confirmation message, obscuring the theft.
Security researchers warn that unsolicited refund or order confirmation emails leading to chat interfaces rather than official brand websites should be treated with suspicion. Requests for MFA codes, credit card numbers, or personal details via chat are key indicators of compromise. Organizations are advised to monitor and block traffic to lc[.]chat domains linked to this campaign.
INCIDENT DETAILS - TYPE | MOTIVATION | IMPACT | DATA BREACH | REFERENCES
FEBRUARY 2026: 614
Breach
23 Feb 2026 • PayPal
PayPal: PayPal Data Breach Led to Fraudulent Transactions
PayPal Data Breach Exposes Customer Information, Leads to Fraudulent Transactions
570 | CRITICAL-44 | PAY1771967012
PayPal recently disclosed a data breach affecting a limited number of customers, exposing sensitive personal information and enabling unauthorized transactions. The incident stemmed from a coding error in the PayPal Working Capital (PPWC) loan application, which left customer data vulnerable for nearly six months from July 1 to December 13, 2025.
The exposed data included names, email addresses, dates of birth, phone numbers, business addresses, and Social Security numbers (SSNs). While PayPal stated that its systems were not compromised, the breach notification to affected users indicated that unauthorized access to its systems was detected and terminated.
A small number of customers experienced fraudulent transactions, prompting PayPal to issue refunds. The company confirmed that roughly 100 customers were impacted and notified. The vulnerability was addressed by rolling back the faulty code and resetting affected users' passwords, though exploitation occurred before the patch was applied.
PayPal’s conflicting statements, claiming no system compromise while acknowledging terminated unauthorized access, have prompted further inquiries from cybersecurity outlets. The incident follows recent PayPal-related threats, including phishing campaigns and malicious NPM packages targeting users.
FEBRUARY 2026: 626
Cyber Attack
10 Feb 2026 • PayPal
PayPal and Facebook: Socelars Malware Targets Windows Systems to Steal Sensitive Data
Socelars Trojan Targets Windows Users with Stealthy Session Hijacking
612 | CRITICAL-14 | PAYFAC1770731905
Security researchers are monitoring Socelars, a Windows-focused information-stealing Trojan designed to harvest browser-based session data without damaging files. The malware prioritizes authenticated access, allowing attackers to reuse a victim’s logged-in state to infiltrate online services, particularly Facebook Ads Manager, where stolen sessions can be exploited for financial fraud via ad account takeovers.
First observed in campaigns using a fake PDF reader/editor (PDFreader) as a social engineering lure, Socelars deploys a deceptive installer that creates a pdfreader2019 folder before silently extracting data in the background. The Trojan targets browser cookies from Chrome and Firefox by accessing SQLite databases, enabling attackers to hijack accounts without passwords. Stolen data includes session cookies, access tokens, account IDs, and advertising-related details such as spending limits and payment information from platforms like Facebook and Amazon.
Recent sandbox analysis reveals Socelars’ multi-stage attack flow: initial system reconnaissance, privilege escalation via a User Account Control (UAC) bypass using COM auto-elevation (ICMLuaUtil through cmlua.dll), and the creation of a mutex named patatoes. The malware then contacts iplogger[.]org before intentionally crashing to avoid detection. This tactic leaves minimal traces, complicating user awareness of the compromise.
For businesses, the primary threat lies in the abuse of stolen ad-session access. Attackers can launch fraudulent ad campaigns, drain budgets, or resell compromised accounts, amplifying financial damage through stolen billing and payment details. The malware’s focus on advertising infrastructure, including email addresses, access tokens, and linked credit card or PayPal information, highlights its monetization-driven design.
FEBRUARY 2026: 639
Cyber Attack
02 Feb 2026 • PayPal
Google, Facebook, Instagram, Amazon, Flipkart, Paytm, Coinbase and PayPal: ZeroDayRAT Malware Strikes Android and iOS Devices for Real-Time Spying
ZeroDayRAT: A Rising Mobile Spyware Threat with Global Reach
625 | CRITICAL-14 | AMAINSCOIGOOFLIPAYPAYMET1771309885
Since February 2, 2026, ZeroDayRAT, a sophisticated mobile spyware platform, has been sold openly on Telegram channels, offering cybercriminals an accessible tool for large-scale surveillance and financial theft. Developed and marketed through dedicated groups for sales, support, and updates, the malware targets Android (versions 5–16) and iOS (up to version 26, including iPhone 17 Pro) with minimal technical expertise required.
Operators gain real-time control via a browser-based dashboard, enabling live spying, data theft, and financial attacks against victims worldwide. Infections typically begin through social engineering tactics, including smishing texts, phishing emails, fake app stores, or malicious links shared on WhatsApp and Telegram. Once installed, via an APK on Android or a payload on iOS, ZeroDayRAT grants full device access without the victim’s knowledge.
### Surveillance & Data Exfiltration Capabilities
The spyware’s dashboard provides a comprehensive overview of compromised devices, including:
- Device details: Model, OS version, battery level, country, lock status, SIM/carrier info, and dual-SIM numbers.
- User profiling: App usage timelines, peak activity hours, and network providers.
- Real-time notifications: Intercepted alerts from WhatsApp, Instagram, Telegram, YouTube, and system events.
- Location tracking: GPS data mapped on Google Maps, with historical movement records (e.g., a device in Bengaluru).
- Account harvesting: Usernames/emails from Google, WhatsApp, Instagram, Facebook, Amazon, Flipkart, PhonePe, Paytm, and Spotify, enabling account takeovers or follow-up phishing.
- SMS access: Full inbox search, message spoofing, and OTP interception, bypassing SMS-based two-factor authentication (2FA).
### Advanced Surveillance & Financial Theft
ZeroDayRAT escalates beyond passive monitoring with active spying tools:
- Live camera/microphone streams (front/back) synced with GPS for real-time tracking.
- Keylogging: Captures keystrokes, biometrics, gestures, and app launches, paired with a live screen preview to steal passwords and sensitive inputs.
- Crypto theft: Targets wallets like MetaMask, Trust Wallet, Binance, and Coinbase, swapping clipboard addresses to hijack transactions.
- Banking attacks: Compromises UPI apps (PhonePe, Google Pay), Apple Pay, and PayPal via credential overlays, blending traditional and cryptocurrency theft.
### Global Impact
Evidence from the dashboard shows compromised devices in multiple countries, including India and the U.S., underscoring the spyware’s widespread deployment. With its low barrier to entry and commercial availability, ZeroDayRAT represents a growing threat to individual privacy, financial security, and organizational data integrity.
JANUARY 2026: 639
Vulnerability
05 Jan 2026 • PayPal
LogMeIn, PayPal, CyberProof and AnyDesk: Hackers Use Fake PayPal Notices to Steal Credentials, Deploy RMMs
Phishing-Led Intrusions Abusing Legitimate RMM Tools via Fake PayPal Alerts
636 | LOW-3 | GOTPAYCYBANY1768408080
New Phishing Campaign Exploits Fake PayPal Alerts to Hijack RMM Tools
A recent surge in phishing attacks is leveraging fake PayPal alerts to compromise both personal and corporate systems through legitimate remote monitoring and management (RMM) tools. CyberProof’s advisory, published on Tuesday, details a shift from seasonal lures such as holiday invites or tax notices to high-urgency financial scams designed to prompt immediate action.
Researchers analyzed six incidents across customer environments, including one case where an employee’s personal PayPal account became the initial entry point. On January 5, 2026, CyberProof’s Managed Detection and Response (MDR) team detected suspicious activity that later escalated into corporate access. The attack began with a fraudulent PayPal email, followed by phone-based social engineering. Posing as support staff, the attacker convinced the victim to install LogMeIn Rescue, later switching to AnyDesk to maintain persistence, all without triggering endpoint detection and response (EDR) alerts.
The attackers employed a tactic of using one RMM tool to install another, a method also observed in recent Broadcom research. This redundancy may help evade detection and exploit trial licenses before they expire. Artifacts from the attacks included multiple LogMeIn Rescue binaries and evidence of active remote sessions. Persistence was achieved through a scheduled task and a disguised startup shortcut, mimicking legitimate system activity.
While the immediate goal appears financial, CyberProof warned that such access could be sold to advanced persistent threat (APT) groups, leading to full corporate compromise or ransomware deployment. The firm highlighted the risks of RMM tool abuse and the need for stronger phishing controls, restricted network access to common RMM ports, and the avoidance of exposed remote services like RDP.
DECEMBER 2025: 636
NOVEMBER 2025: 704
Breach
28 Nov 2025 • PayPal
23andMe Nets Approval for Bankruptcy Plan With Data Breach Deals
23andMe Data Breach and Bankruptcy Settlement
635 | CRITICAL-69 | 23A1764346412
Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims.
Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims.
Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan.
Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...
OCTOBER 2025: 702
SEPTEMBER 2025: 711
Cyber Attack
01 Sep 2025 • PayPal
PayPal and Apple: Watch out, hackers are abusing Apple account notifications to distribute malware, steal money and data
Scammers Exploit Apple’s Email Domain in Callback Phishing Attack
697 | HIGH-14 | APPPAY1776691669
Cybercriminals have weaponized Apple’s email notification system to launch a callback phishing campaign, tricking victims into revealing sensitive data or granting remote access to their devices. The attack leverages emails sent from Apple’s legitimate email.apple.com domain, falsely alerting recipients of an $899 iPhone purchase made via PayPal. The message includes a phone number for victims to call to "cancel" the transaction, a classic callback phishing tactic.
Once contacted, scammers manipulate victims into sharing personal information or installing remote access tools, enabling them to drain bank accounts or conduct fraudulent wire transfers.
The campaign’s novelty lies in its abuse of Apple’s account creation process. Scammers exploit the first and last name fields during Apple ID registration, which accept excessive characters, allowing them to embed an entire phishing message. By altering the account’s shipping details, they trigger a security alert email, but instead of reaching the intended recipient, it lands in the scammer’s inbox. The attackers then distribute the fraudulent emails en masse using mailing lists, a technique previously seen with Google, Amazon, and Microsoft.
Apple’s systems were similarly abused in September 2023, when threat actors hijacked iCloud Calendar invites for phishing. While the method is not new, the use of a trusted domain like Apple’s amplifies the deception, making it harder for users to detect the scam.
The incident underscores the ongoing risk of phishing attacks leveraging reputable brands to bypass security filters and exploit human urgency.
AUGUST 2025: 711
JULY 2025: 709
OCTOBER 2024: 708
Cyber Attack
01 Oct 2024 • PayPal
PayPal and Chase: New BlobPhish Attack Leverages Browser Blob Objects to Steal Users’ Login Credentials
BlobPhish: A Stealthy, Memory-Resident Phishing Campaign Targeting Microsoft 365 and Financial Institutions
686 | CRITICAL-22 | JPMPAY1777400719
Since October 2024, a sophisticated phishing campaign dubbed BlobPhish has been silently harvesting credentials from Microsoft 365 users and major U.S. financial platforms, including Chase, Capital One, and PayPal, by exploiting browser Blob URL APIs. Unlike traditional phishing attacks, BlobPhish generates malicious login pages entirely in the victim’s browser memory, leaving no disk artifacts, cache traces, or detectable HTTP requests for security tools to flag.
The campaign, which surged in activity in February 2026, operates as a well-maintained threat rather than a short-lived attack. Its kill chain begins with phishing emails mimicking financial alerts, invoices, or document shares, often using trusted services like DocSend or shortened URLs (e.g., t.co). Some variants employ PDF attachments with QR codes, particularly targeting the energy sector.
Upon clicking the link, victims are redirected to an attacker-controlled HTML page hosting a JavaScript loader. The loader decodes a bundled phishing payload, constructs a Blob object, and forces the browser to navigate to a blob:https:// URL, all without user interaction. The phishing page, which impersonates platforms like Microsoft 365, OneDrive, or banking portals, appears legitimate due to the blob URL’s deceptive appearance. A failed-login counter ensures multiple credential entries, while stolen data is exfiltrated via HTTP POST to compromised WordPress sites (e.g., /res.php, /tele.php).
BlobPhish’s evasion tactics render traditional defenses ineffective. Since the phishing page never transmits over the network as a standalone HTTP response, URL reputation engines, proxy logs, and secure email gateways fail to detect it. Endpoint solutions find no files on disk, and cache forensics yield no evidence, as the Blob URL is revoked immediately after use.
Victims span finance, manufacturing, education, government, and telecommunications sectors, with roughly one-third based in the U.S. Additional activity has been observed in Germany, Poland, Spain, the UK, Australia, and several Middle Eastern and Asian countries.
A successful compromise can lead to business email compromise (BEC), Microsoft 365 tenant takeovers, unauthorized wire transfers, or ransomware deployment. Regulatory risks include GDPR breach notifications, SEC cybersecurity disclosures, and FFIEC compliance violations.
Key indicators of compromise (IOCs) include loader URLs like hxxps[://]mtl-logistics[.]com/blb/blob[.]html and exfiltration endpoints such as hxxps[://]wajah4dslot[.]com/wp-includes/certificates/tmp//res[.]php. Compromised domains also include larva888[.]com and riobeautybrazil[.]com.
JANUARY 2023: 698
Data Leak
01 Jan 2023 • PayPal
PayPal
PayPal Data Breach Due to Credential Stuffing Attacks
634 | CRITICAL-64 | PAY225181023
PayPal is notifying 1,000 users of a data breach in which their accounts were compromised as a result of credential stuffing attacks.
Threat actors gained access to user names, addresses, Social Security numbers, personal tax identification numbers, dates of birth, and transaction histories. The company is sending breach notification letters to the impacted clients.
PayPal has reset the passwords of the affected accounts and will force those users to create new passwords the next time they log in.
The financial technology company is providing affected clients with two years of Equifax identity monitoring services, in addition to fraud alerts and up to $1 million in identity theft insurance coverage for a specified list of out-of-pocket expenses caused by identity theft.
DECEMBER 2022: 726
Breach
06 Dec 2022 • PayPal
PayPal, Inc.
PayPal Data Breach (December 2022)
681 | CRITICAL-45 | PAY253091725
The California Office of the Attorney General disclosed a data breach affecting PayPal between December 6–8, 2022, where unauthorized actors gained access to customer accounts using compromised login credentials. The incident exposed sensitive personal information, including names, addresses, Social Security numbers, and dates of birth. While no evidence of misuse has been reported, the breach posed a significant risk due to the nature of the exposed data—particularly financial and identity-related details. The attack targeted customer accounts directly, raising concerns over potential fraud, identity theft, or phishing exploits leveraging the stolen data. PayPal likely faced reputational damage and regulatory scrutiny, though the absence of confirmed misuse slightly mitigated immediate financial harm. The breach underscored vulnerabilities in credential security and the broader risks of unauthorized access in digital payment platforms.
JUNE 2022: 780
Breach
16 Jun 2022 • PayPal
PayPal
Alleged Sale of 15.8 Million PayPal Credentials on Dark Web Forums
716 | CRITICAL-64 | PAY510082425
Hackers claimed to be selling a dataset of 15.8 million PayPal credentials, including login emails, plaintext passwords, and associated URLs, allegedly stolen in May 2025. The leaked data was advertised for automated credential stuffing and identity theft attacks. However, experts questioned its authenticity due to the small sample size provided for verification, the suspiciously low pricing (unusual for high-value stolen data), and its resemblance to infostealer malware logs from past incidents rather than a direct breach of PayPal’s systems.
PayPal denied any new breach, attributing the claims to a 2022 security incident involving credential stuffing that exposed only 35,000 accounts—far fewer than the current claim. The incident highlights risks from reused credentials, as compromised logins from infected user devices (not PayPal’s servers) could still enable fraud.
While the legitimacy of the 2025 dataset remains unconfirmed, the scenario underscores persistent threats from stolen credentials circulating on dark web marketplaces, enabling long-term identity theft and financial fraud risks for users who reuse passwords across platforms.
AUGUST 2020: 777
Cyber Attack
25 Aug 2020 • PayPal
PayPal: Boy, 15, arrested on suspicion of hacking PayPal accounts as police raid house
Teenager Arrested in PayPal Hacking Investigation After Police Raid
763 | HIGH-14 | PAY1769571783
A 15-year-old boy from Astley Road, Knowsley, was arrested on suspicion of hacking multiple UK PayPal accounts under Section 1 of the Computer Misuse Act 1990. The arrest followed a raid by Merseyside Police’s Cyber Dependent Crime Unit and Matrix officers, who executed a search warrant at the property.
During the operation, authorities seized high-value electronics, including the latest iPhones, an Apple Watch, Samsung and Sony phones, an iPad, and Apple AirPods. A mini motorbike was also confiscated.
The investigation is ongoing, with police linking the suspect to unauthorized access of PayPal accounts earlier this year. Merseyside Police previously advised PayPal users to enable two-factor authentication to mitigate such risks. The case highlights the growing trend of juvenile cybercrime and law enforcement’s efforts to combat digital fraud.
DECEMBER 2017: 807
Data Leak
01 Dec 2017 • PayPal
PayPal
PayPal Data Breach
749 | CRITICAL-58 | PAY1356323
PayPal suffered a massive data breach incident that exposed the data of 1.6 million customers.
The affected locations stored personal information of some of TIO’s customers and of customers of TIO billers.
TIO has started working with the businesses it provides services to in order to notify possibly impacted individuals, and PayPal is collaborating with a consumer credit reporting bureau to offer free credit monitoring subscriptions.
Impacted people will be contacted directly and given advice on how to sign up for monitoring.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for PayPal?
What was PayPal's A.I Rankiteo Cyber Score in May 2026?
What was PayPal's A.I Rankiteo Cyber Score in April 2026?
What was PayPal's A.I Rankiteo Cyber Score in March 2026?
What was PayPal's A.I Rankiteo Cyber Score in February 2026?
What was PayPal's A.I Rankiteo Cyber Score in January 2026?
What was PayPal's A.I Rankiteo Cyber Score in December 2025?
What was PayPal's A.I Rankiteo Cyber Score in November 2025?
What was PayPal's A.I Rankiteo Cyber Score in October 2025?
What was PayPal's A.I Rankiteo Cyber Score in September 2025?
What was PayPal's A.I Rankiteo Cyber Score in August 2025?
What was PayPal's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on PayPal's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with PayPal?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view PayPal's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?