Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
Cyber threats are evolving faster than ever, and the past week has been no exception. From spyware hidden in fake game installers to large-scale data breaches and ransomware groups deploying advanced evasion tactics, the headlines highlight just how diverse and persistent these risks have become. In this post, we’ll break down some of the latest incidents making waves in the cybersecurity world, including a Minecraft-themed spyware campaign, a major financial data breach, city government extortion, sophisticated ransomware activity in the Middle East, and a social app whose users’ trust was shattered by a leak.
- Fake Minecraft Installer Spreads NjRat Spyware to Steal Data
 
Point Wild’s Lat61 Threat Intelligence Team has uncovered a new cyber threat targeting fans of the popular game Minecraft. Malware disguised as a Minecraft installer is infecting computers, allowing hackers to steal personal data. The research, shared with Hackread.com by Point Wild, should not come as a surprise: as early as 2021, Minecraft was already declared the most malware-infected game.
As for the ongoing threat, the malware is hidden inside an unofficial browser-based Minecraft clone called Eaglercraft 1.12 Offline, which is often used in schools and other restricted environments. As millions of gamers, including kids and casual players, download Minecraft-related content during a recent surge of excitement, they are unknowingly putting their computers at risk.
The research reveals that the fake game installer bundles a dangerous type of Remote Access Trojan (RAT) called NjRat, which has been used by cybercriminals for years to take full control of infected devices. This malware can perform several harmful activities without the user’s knowledge. It uses a keylogger to capture every keystroke, allowing it to steal usernames, passwords, and other sensitive information. It can also spy on users by gaining unauthorized access to a computer’s webcam and microphone, enabling attackers to secretly watch and listen.
Additionally, it creates a backdoor by adding a hidden program called WindowsServices.exe to the computer’s start-up files, ensuring it runs each time the system is turned on. To protect itself, the malware is programmed to crash the system with a Blue Screen of Death if it detects security tools like Wireshark, making it harder for experts to analyse.
According to Point Wild’s research, the attack starts with a malicious file disguised as a Minecraft installer. When a user runs it, the computer silently drops several files, including the key malicious program, and distracts the user by opening a browser window to the fake Minecraft game. While the game plays, the hidden program runs in the background. Threat actors are exploiting the popularity of Minecraft mods to spread powerful spyware. What looks like a harmless game is actually turned into a tool for spying and data theft.
- Hackers Leak 2.8M Sensitive Records from Allianz Life in Salesforce Data Breach
 
Hackers have released 2.8 million sensitive records belonging to Allianz Life, a major U.S. insurance provider, in what appears to be part of a broader wave of Salesforce-related data theft incidents. The exposed information includes details on both customers and business partners.
At the end of July, Allianz Life confirmed that a data breach had impacted the personal information of most of its 1.4 million customers. According to the company, the intrusion occurred on July 16th, 2025, when a cybercriminal gained access to a third-party customer relationship management platform through social engineering. This breach compromised data linked to customers, financial professionals, and some employees.
Allianz stated that it acted swiftly to contain the breach, engaged law enforcement, including the FBI, and confirmed that its internal systems and policy administration platform remain unaffected. Investigations are still in progress, and the company has begun notifying affected individuals, providing them with dedicated support services. The breach was also reported to the Maine Attorney General’s Office.
While Allianz Life has not named the perpetrator, BleepingComputer reported that the incident is suspected to be linked to the hacking collective ShinyHunters. This group has a track record of selling stolen data from well-known organizations such as Tokopedia, Microsoft, Santander, and AT&T.
Over the weekend, ShinyHunters joined forces with other cybercriminal groups, “Scattered Spider” and “Lapsus$”, creating a Telegram channel titled “ScatteredLapsuSp1d3rHunters.” There, they claimed responsibility for several major breaches, including the Allianz Life incident, and mocked the affected companies.
The attackers claim to have exfiltrated complete Salesforce database tables, including “Accounts” and “Contacts,” containing roughly 2.8 million records. The leaked files reportedly include names, addresses, phone numbers, birth dates, and tax identification numbers, along with professional information such as licenses, firm affiliations, product approvals, and marketing classifications.
- Ransomware Crew Spills Saint Paul’s 43GB of Secrets after City Refuses to Cough up Cash
 
The Interlock ransomware group has claimed responsibility for stealing 43GB of data from the city of Saint Paul, Minnesota, following a late-July cyber incident that led local officials to declare a state of emergency.
A post appearing on Interlock’s dark web leak site on August 11, reviewed by The Register, claims to contain samples from over 66,000 files allegedly taken from the city. The files reportedly include passport scans, employee records, and various internal documents.
In their posting, Interlock accused Saint Paul’s leadership of negligence, alleging extensive damage to city infrastructure and significant financial losses. The group further claimed that residents were the “worst affected” as their data had been exposed online.
Mayor Melvin Carter confirmed on Monday that Interlock was behind the attack. He noted that the leaked materials seem to have come largely from a shared network drive used by the Parks and Recreation Department and described the data as “varied and unsystematic.” Carter emphasized that residents’ personal and financial data, stored in a secure cloud-based system, remains unaffected. He also stated that the city maintains control of its systems and is conducting a complete reset of servers, devices, and employee credentials.
The mayor made it clear that Saint Paul will not be paying Interlock’s ransom, a position that appears to have prompted the release of the stolen data.
The cyberattack, first disclosed on July 25th, disrupted numerous municipal services, prompting Governor Tim Walz to deploy the Minnesota National Guard’s cyber unit. The outage impacted payment systems, library services, municipal Wi-Fi, and more, many of which remain offline nearly three weeks later. No timeline has been provided for full restoration.
Interlock has been active since at least September 2024 and employs a double-extortion model, pairing data theft with system encryption to increase pressure on victims. On its site, the group portrays itself as a crusader exposing weak security practices, claiming its motives go beyond financial gain. Cybersecurity analysts note that Interlock’s methods resemble those of former ransomware outfits such as BlackCat/ALPHV and LockBit, though no formal connection has been established.
Just a week before this attack, the FBI and CISA issued a warning that Interlock was targeting critical infrastructure with increasingly aggressive campaigns.
- Charon Ransomware Hits Middle East Sectors Using APT-Level Evasion Tactics
 
Cybersecurity experts have identified a new malicious campaign using a previously unknown ransomware strain called Charon, which is aimed at public sector organizations and the aviation industry in the Middle East.
According to Trend Micro, the group behind these attacks demonstrates techniques commonly associated with advanced persistent threat (APT) actors. These include DLL side-loading, process injection, and strategies for evading endpoint detection and response (EDR) solutions.
The DLL side-loading method is notably similar to those documented in earlier campaigns attributed to Earth Baxia, a China-linked hacking collective. Past activity from this group involved targeting government agencies in Taiwan and the Asia-Pacific region to deliver the EAGLEDOOR backdoor by exploiting a now-fixed vulnerability in OSGeo GeoServer GeoTools.
In this case, the attackers used a legitimate browser-related executable, Edge.exe (originally cookie_exporter.exe), to sideload a malicious DLL (msedge.dll, also known as SWORDLDR). This component then deployed the Charon ransomware payload.
Charon functions like other ransomware variants, with capabilities to disable security services, terminate active processes, and delete shadow copies and backups, making system recovery far more difficult. It also employs multithreading and partial encryption to speed up the file-locking process.
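Two of the signals in the chain described above, written as an added detection example that is not from Trend Micro or the original post: Sysmon-style events (constructed here, following the EventID 1 and 7 field names) are checked for a binary whose embedded OriginalFileName differs from its on-disk name (cookie_exporter.exe running as Edge.exe), for a DLL loaded from that binary’s own directory outside a standard install location, and for shadow-copy deletion. All paths and values in the sample events are made up.

```python
import ntpath

# Install locations where a Microsoft-signed browser binary is expected to live.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def renamed_binary(ev):
    """EventID 1: embedded OriginalFileName differs from the on-disk name
    (cookie_exporter.exe running as Edge.exe). Some legitimate software trips this too."""
    image = ntpath.basename(ev["Image"]).lower()
    original = ev.get("OriginalFileName", "-").lower()
    return original not in ("-", "?", "") and original != image

def sideload_from_untrusted_dir(ev):
    """EventID 7: DLL loaded from the process's own directory when that directory
    is not a standard install location (msedge.dll beside Edge.exe in a user folder)."""
    img_dir = ntpath.dirname(ev["Image"]).lower() + "\\"
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower() + "\\"
    return img_dir == dll_dir and not img_dir.startswith(TRUSTED_DIRS)

def shadow_copy_deletion(ev):
    """EventID 1: shadow copies removed with vssadmin or wmic ahead of encryption."""
    cmd = ev.get("CommandLine", "").lower()
    return ("vssadmin" in cmd and "delete shadows" in cmd) or "shadowcopy delete" in cmd

def triage(events):
    """Return (signal, detail) pairs in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and renamed_binary(ev):
            findings.append(("renamed-binary", ev["Image"]))
        if ev["EventID"] == 1 and shadow_copy_deletion(ev):
            findings.append(("shadow-copy-deletion", ev["CommandLine"]))
        if ev["EventID"] == 7 and sideload_from_untrusted_dir(ev):
            findings.append(("dll-sideload", ev["ImageLoaded"]))
    return findings

# Constructed events modelled on the chain above; paths and values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\Edge.exe", "OriginalFileName": "cookie_exporter.exe",
     "CommandLine": r"C:\Users\Public\Edge.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Edge.exe", "ImageLoaded": r"C:\Users\Public\msedge.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    # Benign control: the real browser loading its own DLL from its install directory.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "CommandLine": "msedge.exe"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.dll"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns the three signals in event order and nothing for the benign control events; the OriginalFileName check is a triage signal, not a verdict, since some legitimate installers rename binaries too.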
A distinctive feature of Charon is its integration of a driver based on the open-source Dark-Kill project, intended to disable EDR tools through a bring-your-own-vulnerable-driver (BYOVD) technique. However, this capability was not activated during observed executions, suggesting it may still be in development.
Evidence indicates that the campaign is targeted rather than opportunistic. This is supported by the presence of personalized ransom notes that name the victim organization directly, a departure from more generic ransomware messaging. The initial entry method remains unknown.
Trend Micro has outlined three possible explanations for the overlaps with Earth Baxia’s techniques: Earth Baxia’s direct involvement, a deliberate attempt to mimic Earth Baxia to mislead investigators, or a separate threat actor independently adopting similar methods.
The researchers stress that without stronger links, such as shared infrastructure or consistent targeting patterns, these similarities should be treated as limited but noteworthy convergence with Earth Baxia’s known tactics.
Regardless of attribution, the incident highlights a growing trend in which ransomware operators adopt sophisticated APT-style tradecraft. This blend of advanced evasion techniques with the destructive effects of ransomware encryption increases both the risk and impact for targeted organizations.
- Tea Encouraged its Users to Spill. Then the App’s Data got Leaked
 
The Tea app promotes itself as “the safest place to spill tea” on potential online dating matches. Subscribers can use it to run background and criminal history checks, perform reverse image searches, and exchange anonymous information about men featured on the platform.
However, a major breach disclosed last month exposed personal details of many users, raising serious concerns about their safety. The incident also revealed the vulnerability of these digital “whisper networks,” which rose to prominence during the Me Too movement, and highlighted the one-sided nature of accusations made against men in these spaces.
In late July, Tea experienced a significant data breach that compromised sensitive user information, including driver’s licenses, selfies, direct messages, and other private records. According to reports from 404 Media, the breach was first detected on the evening of July 25, when users on the message board 4chan gained access to government-issued IDs, originally used for identity verification, and posted them elsewhere online.
Tea confirmed that some private messages were accessed during the attack. In response, the company temporarily disabled the affected system and stated that there was no evidence of intrusion into other parts of its infrastructure. Only accounts created before February 2024 were affected.
The fallout was severe. Some individuals claimed to have extracted photo metadata to map out users’ locations. With over 6.2 million women on the app, Tea is now facing two class-action lawsuits in California.
Tea is one of many systems that attempt to harness word-of-mouth information to make dating safer. Similar initiatives exist on Facebook, where regional groups help women compare dating experiences and verify men’s reputations. At the height of the Me Too era, certain industries even saw anonymous Google Docs emerge to catalog allegations of misconduct.
Once made public, online allegations can spiral into large-scale harassment campaigns. Critics warn that anonymity can encourage false or malicious claims. Emily Laidlaw, a cybersecurity law scholar at the University of Calgary, argues that although platforms like Tea often start with good intentions, unverified accusations can quickly turn toxic and harm both the accused and the accuser.
Past incidents illustrate this danger. An infamous anonymous Google Doc listing alleged misconduct by men in the media industry ultimately led to a costly legal settlement for its creator after a defamation lawsuit.
The Tea breach amplified these risks. Following the leak, some online commentators mocked the affected women and even encouraged retaliation, suggesting that a male-focused version of the app be created using the stolen data. Such reactions underscored how easily platforms designed for protection can be transformed into tools of harm.
As Laidlaw notes, when private gossip becomes a digital free-for-all, it can escalate into something far more damaging than an offhand conversation in a local bar.
References:
https://hackread.com/fake-minecraft-installer-njrat-spyware-steal-data/
https://www.theregister.com/2025/08/13/ransomware_crew_spills_saint_pauls/
https://thehackernews.com/2025/08/charon-ransomware-hits-middle-east.html
https://www.npr.org/2025/08/02/nx-s1-5483886/tea-app-breach-hacked-whisper-networks