ShinyHunters, TEAM R99 HACKERS Target US Gov, Retail; Crypto Clipper Campaigns S
Summary
Today's threat landscape is defined by a convergence of high-profile data breach claims from established actors and a surge in financially motivated malware campaigns. ShinyHunters and TEAM R99 HACKERS are driving significant exposure events against US retail and government targets, while a coordinated crypto clipper campaign is abusing legitimate platforms for distribution. Defenders should prioritize patching a newly disclosed Microsoft Defender zero-day and monitoring for worm-like propagation techniques.
Today's developments
ShinyHunters claims to have breached two major US entities: Victoria's Secret & Co (Fashion & Apparel) and eBay Inc (E-commerce). Separately, the actor also claims a breach of Vietnam's Ministry of Education. These allegations, if validated, represent a significant expansion of the actor's targeting scope into both retail and government sectors. TEAM R99 HACKERS is also highly active, claiming breaches against multiple US government administration targets, including Traverse County, the Office of the Texas Lieutenant Governor, the City of Moraine, and the Florida Institute for Human & Machine Cognition. This concentration on US local and state government suggests a deliberate campaign against lower-resourced public sector entities.
A coordinated crypto clipper campaign is drawing industry attention. Microsoft Threat Intelligence analyzed a campaign that combines clipboard theft with Tor-based communications and worm-like propagation for persistence. Industry researchers at Check Point further detail that the threat actor is abusing fake reviews, AI narrators, and VirusTotal comments to distribute the malware via legitimate news sites, GitHub, and SourceForge. This multi-platform distribution strategy makes detection and takedown more challenging.
Critical infrastructure warnings are escalating. The UK's NCSC CEO warned that nation-state adversaries are "prepositioning" throughout British critical infrastructure, with hostile states behind three-quarters of attacks. Separately, the EU has granted Ukraine access to its cybersecurity reserve for major attacks, integrating Kyiv with pre-approved incident response firms.
Vulnerability exploitation is active. Microsoft confirmed a Defender zero-day (CVE-2026-50656, CVSS 7.8) codenamed RoguePlanet, a privilege escalation flaw in the Microsoft Malware Protection Engine, with a patch in development. Multiple firms have also observed active exploitation of two critical FortiSandbox vulnerabilities that Fortinet disclosed in April, with attacks originating from multiple sources.
Supply chain risks are emerging through developer tools. Researchers flagged 15 malicious JetBrains plugins on the official marketplace that steal AI API keys, while Chrome extensions are being used to capture chatbot chats. This highlights the growing attack surface in AI-assisted development workflows.
Threat landscape signals
Actor concentration is notable today. NoName057(16) leads with 9 events (primarily DDoS), but the critical exposure landscape is dominated by TEAM R99 HACKERS (5 events) and ShinyHunters (2 high-profile claims). The United States is the most targeted country with 15 events, followed by France (11) and Chile (8). Government Administration is the most impacted industry, with multiple US local government breaches.
Data leak vs. breach dynamics are balanced (19 leaks vs. 20 breaches), but the sale of stolen payment card and EBT data, alongside French ID cards and passports, indicates a thriving underground market for personally identifiable information. The alleged leak of a BreachForums database suggests ongoing internal conflicts within the cybercriminal ecosystem.
Ransomware activity is relatively low today (7 events), but the crypto clipper campaign represents a shift toward financially motivated malware that prioritizes persistence and lateral movement over immediate encryption. Defenders should treat any clipboard monitoring or unexpected Tor traffic as a potential indicator of this campaign.
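One way to triage the "unexpected Tor traffic" signal above, as an added example that is not from Microsoft's or Check Point's reporting: a port-based heuristic run over constructed process network-connection events. The event field names, file paths and the allowlist are assumptions, and Tor relays can listen on any port, so this catches default configurations only.

```python
from collections import defaultdict

# Default Tor ports: 9050 = tor daemon SOCKS, 9150 = Tor Browser SOCKS,
# 9001 = relay ORPort, 9030 = relay DirPort.
TOR_SOCKS_PORTS = {9050, 9150}
TOR_RELAY_PORTS = {9001, 9030}
LOOPBACK = {"127.0.0.1", "::1"}

# Hypothetical allowlist, keyed on full path rather than file name so that a
# tor.exe dropped into a user profile is still flagged.
EXPECTED_TOR_CLIENTS = {
    r"c:\tor browser\browser\firefox.exe",
    r"c:\tor browser\browser\torbrowser\tor\tor.exe",
}

# Constructed sample events (field names are assumptions; IPs are
# documentation ranges).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Roaming\upd\svc.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"host": "ws-01", "image": r"C:\Users\a\AppData\Roaming\upd\tor.exe",
     "dst_ip": "203.0.113.7", "dst_port": 9001},
    {"host": "ws-02", "image": r"C:\Tor Browser\Browser\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9150},
    {"host": "ws-02", "image": r"C:\Program Files\App\app.exe",
     "dst_ip": "198.51.100.9", "dst_port": 443},
    {"host": "ws-03", "image": r"C:\Program Files\App\sync.exe",
     "dst_ip": "192.0.2.10", "dst_port": 9030},
]

def classify(event):
    """Return a reason string for unexpected Tor-like traffic, else None."""
    if event["image"].lower() in EXPECTED_TOR_CLIENTS:
        return None
    ip, port = event["dst_ip"], event["dst_port"]
    if ip in LOOPBACK and port in TOR_SOCKS_PORTS:
        return "local-tor-socks"   # process talking to a local Tor SOCKS proxy
    if ip not in LOOPBACK and port in TOR_RELAY_PORTS:
        return "tor-relay-port"    # outbound to a default relay/directory port
    return None

def find_unexpected_tor(events):
    """Group findings by host as {host: [(image_name, reason), ...]}."""
    findings = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason:
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            findings[ev["host"]].append((name, reason))
    return dict(findings)
```

Hosts that show both reasons, like ws-01 in the sample, are the ones to look at first: one process is speaking to a local SOCKS proxy while another reaches out on a relay port.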