Mexico Under Siege: Multiple Government Breaches, Qilin & ShinyHunters Active
Summary
Today's threat landscape is defined by a sustained, multi-vector assault on Mexican government and infrastructure entities, with at least 12 events targeting the country. While ransomware and data breach incidents remain the dominant categories, the volume of alleged leaks from state-aligned actors and hacktivists signals a shift toward data-centric warfare. Separately, defenders must contend with active exploitation of critical vulnerabilities in Fortinet and Google Cloud platforms, alongside the continued evolution of malware delivery via the ClickFix campaign.
Today's developments
The most concentrated threat activity today centers on Mexico. Actor "night" claims to have breached multiple Mexican government entities, including the National Epidemiological Surveillance System and the SEAPAL Vallarta water utility. These alleged intrusions, if verified, represent a significant compromise of public health and critical infrastructure data. Actor "MagoSpeak" separately claims a breach of AT&T Mexico, a major telecommunications provider, and the Instituto de Seguridad y Servicios Sociales de los Trabajadores del Estado (ISSSTE), the state workers' social security institute. The targeting of both a major telecom and a social security agency suggests a deliberate campaign to extract high-value personal and operational data from the Mexican state.
Beyond Mexico, the day's events show a broad geographic spread. Actor "cabyc" claims to have breached five Vietnamese financial institutions, including Vietinbank, Vietcombank, and the State Bank of Vietnam, with alleged user record counts in the millions. In the United States, iRhythm Technologies, a healthcare technology firm, reported a cyberattack, while actor "DuckDB" claims a breach of houzz.com involving 55.3 million user records. The education sector is also under pressure, with alleged breaches of the Clark County School District (US), Jambi Education Department (Indonesia), and OSCEstop Education (UK). Actor "ShinyHunters" claims a breach of the Qatar Red Crescent Society, a major humanitarian organization.
Industry analysis provides critical context for these events. Researchers at Palo Alto Networks Unit 42 disclosed a vulnerability in the Google Cloud Vertex AI SDK that could allow attackers to hijack machine learning model uploads, a technique they call "Pickle in the Middle." Separately, threat intelligence firm Defused Cyber reports active exploitation of three Fortinet FortiSandbox vulnerabilities, including a critical path traversal flaw (CVE-2026-39813, CVSS 9.1). The ClickFix campaign continues to expand, with researchers from Morphisec, BlueVoyant, and Huntress independently documenting three new malware loaders -- BabaDeda, Lorem Ipsum, and Potemkin -- targeting education and financial organizations. Finally, ESET researchers have identified an upgraded version of the FishMonger backdoor, named SprySOCKS for Windows, which weaponizes a kernel driver for stealth.
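The page does not describe the mechanism behind "Pickle in the Middle", but the name points at the general risk that ML model files serialized with Python's pickle format are executable code, so anyone who can tamper with an upload can run code on whatever later loads it. The following added example (not Unit 42's proof of concept and not code from the Vertex AI SDK) illustrates that risk offline: a constructed "model" object whose `__reduce__` hook runs attacker-chosen code when naively unpickled, a restricted unpickler that refuses to resolve any class or function outside an explicit allowlist, and a SHA-256 check of the artifact against the digest recorded by the publisher. The `attacker_payload`, `MaliciousModel`, `ALLOWED_GLOBALS` and `EXECUTED` names are assumptions introduced here for illustration.

```python
import hashlib
import io
import pickle

# Side-effect sink so the demo stays harmless: a real payload would call
# os.system or open a reverse shell; here it only records that it ran.
EXECUTED = []


def attacker_payload(marker):
    """Stand-in for attacker-controlled code executed during unpickling."""
    EXECUTED.append(marker)
    return marker


class MaliciousModel:
    """Constructed 'model' whose reduce hook rewrites what gets loaded."""

    def __reduce__(self):
        # pickle will emit a GLOBAL opcode for attacker_payload and a REDUCE
        # opcode that calls it with these arguments at load time.
        return (attacker_payload, ("pwned",))


def build_poisoned_model_bytes():
    """What a tampered upload looks like on the wire: just a pickle blob."""
    return pickle.dumps(MaliciousModel())


def build_benign_model_bytes():
    """A plain-data 'weights' dict, the shape a legitimate artifact has."""
    return pickle.dumps({"layer1": [0.1, 0.2, 0.3], "bias": 0.5})


def naive_load(blob):
    """The vulnerable pattern: trust whatever arrived and unpickle it."""
    return pickle.loads(blob)


# Hardened loader: only these (module, name) pairs may be resolved by the
# GLOBAL opcode. Plain dicts, lists, strings and numbers never consult this
# table, so benign weight files still load; a call to an arbitrary function
# is rejected before it runs. Extend the allowlist per artifact format.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name} from untrusted model file"
        )


def restricted_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def verified_load(blob, expected_sha256):
    """Integrity first: a blob swapped in transit will not match the digest
    the publisher recorded out of band, so it is never unpickled at all."""
    actual = sha256_hex(blob)
    if actual != expected_sha256:
        raise ValueError(f"model digest mismatch: {actual} != {expected_sha256}")
    return restricted_load(blob)


if __name__ == "__main__":
    poisoned = build_poisoned_model_bytes()
    print("naive load returned:", naive_load(poisoned), "executed:", EXECUTED)
    try:
        restricted_load(poisoned)
    except pickle.UnpicklingError as exc:
        print("restricted load refused:", exc)
    benign = build_benign_model_bytes()
    print("verified load:", verified_load(benign, sha256_hex(benign)))
```

The allowlist approach is the documented hardening for `pickle.Unpickler.find_class`; it does not make pickle safe in general (an allowed class can still have its own hooks), which is why the digest check sits in front of it and why formats such as safetensors that carry no code are preferable for model weights wherever the platform supports them.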
Threat landscape signals
Several actionable patterns emerge from today's data. First, the concentration of events in Mexico (12) and France (23) suggests these countries are priority targets for both hacktivist and financially motivated actors. The NoName057(16) group, responsible for 12 events, continues to drive DDoS and defacement activity, most likely against French and other European entities. Second, the 18 alleged data leaks recorded alongside 50 ransomware events indicate that data theft and extortion, rather than encryption alone, remain central to the criminal business model: even when encryption is deployed, the stolen data is the leverage. Third, the active exploitation of the Fortinet FortiSandbox and LiteSpeed cPanel vulnerabilities (CVE-2026-39813 and CVE-2026-54420) underscores the importance of patching perimeter devices and web plugins promptly, since these are reachable from the internet and are being attacked now. Security teams should prioritize confirming which versions of these products are exposed, applying the vendor fixes, and ensuring that any use of the Google Cloud Vertex AI SDK is updated to the latest patched version.