Canary Trap’s Bi-Weekly Cyber Roundup
Welcome to Canary Trap’s Bi-Weekly Cyber Roundup. Our mission is to keep you informed with the most pressing developments in the world of cybersecurity. This digest serves as your gateway to critical updates and emerging threats across the industry.
Cyber threats continue to evolve in both scale and sophistication, with recent incidents underscoring the diverse tactics adversaries are using to breach defenses and exploit trust. This week’s cybersecurity roundup explores some of the most pressing developments—from Volvo North America’s data breach following a third-party ransomware attack, to hackers distributing weaponized Microsoft Teams installers, to phishing campaigns targeting influencers with fake Tesla and Red Bull job offers. We also examine DraftKings’ response to a major credential stuffing attempt and the alarming new alliance between ransomware giants LockBit, Qilin, and DragonForce.
- Volvo North America Disclosed a Data Breach Following a Ransomware Attack on IT Provider Miljödata
Volvo Group North America has confirmed a data breach involving the personal information of its employees, following a ransomware attack on its third-party human resources software supplier, Miljödata.
The incident, which occurred in August 2025, was part of a broader ransomware campaign that affected at least 25 organizations, including major entities such as Scandinavian airline SAS, Boliden, and over 200 Swedish municipalities. The compromised systems were primarily used for human resources functions, including medical certificate management, rehabilitation tracking, and workplace injury reporting.
Miljödata responded by launching a detailed investigation with the assistance of cybersecurity professionals. The company has since strengthened its hosted environment and implemented additional security measures to reduce the risk of future intrusions. Responsibility for the attack has been claimed by the ransomware group DataCarry, which reportedly released stolen data on its leak site hosted on the dark web.
According to Volvo Group North America’s disclosure to the Massachusetts Attorney General, the exposed information included employees’ names and Social Security numbers. Importantly, Volvo emphasized that its internal systems were not directly compromised. In a notification letter to affected individuals, Volvo explained that Miljödata first became aware of the ransomware attack on August 23rd, 2025, and informed Volvo Group shortly thereafter on September 2, once it was confirmed that employee data may have been impacted.
Further evidence of the breach surfaced on the data breach monitoring platform “Have I Been Pwned”, which linked the incident to the exposure of approximately 870,000 user accounts. The leaked data reportedly contained a range of personal information, including email addresses, physical addresses, phone numbers, government-issued IDs, dates of birth, and gender.
To mitigate potential harm, Volvo Group has offered impacted employees 18 months of complimentary identity protection and credit monitoring through Allstate’s Identity Protection Pro+ service. The company has urged all affected individuals to remain vigilant by reviewing their financial and credit activity for any unusual transactions.
- Hackers Trick Users into Downloading Weaponized Microsoft Teams to Gain Remote Access
A new and highly targeted cyber campaign is exploiting user trust in popular collaboration tools, specifically Microsoft Teams, to deploy a remote access backdoor disguised as legitimate software.
Researchers at Blackpoint have uncovered a wave of malicious activity where threat actors are manipulating search results and paid advertisements to trick users into downloading a compromised version of Microsoft Teams. When users search for phrases like “Microsoft Teams download,” they may encounter malicious ads that lead them to fake websites impersonating Microsoft’s official portal. One such domain, teams-install[.]top, was observed distributing a fraudulent installer titled MSTeamsSetup.exe.
To enhance credibility and avoid raising suspicion, these fake installers are often signed with questionable digital certificates from issuers such as “4th State Oy” and “NRM NETWORK RISK MANAGEMENT INC.” Although these certificates appear valid, they serve primarily to bypass basic security measures that flag unsigned software.
Once executed, the installer drops a malicious DLL file into the %APPDATA%\Roaming directory. The malware then creates a scheduled task named CaptureService, ensuring the DLL runs periodically and persists through reboots. This persistence mechanism helps the malware blend seamlessly into normal Windows operations, making detection more challenging.
The payload at the heart of this operation is the Oyster backdoor, a sophisticated tool that enables attackers to gain remote access, harvest system information, and maintain communication with command-and-control (C2) servers. Blackpoint’s analysis identified that the infected systems were reaching out to C2 domains such as nickbush24[.]com and techwisenetwork[.]com to exfiltrate data and receive additional commands or payloads.
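A defender-side check for the persistence described above, as an added example that is not from the Blackpoint write-up: it triages scheduled-task creation events (shaped like the TaskName/TaskContent fields of Windows Security event 4698, which are constructed samples here) and flags the reported task name or any DLL loaded from the roaming profile through rundll32/regsvr32.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task name reported in the Blackpoint analysis above, plus a generic pattern for
# a DLL loaded from the per-user roaming profile via a Windows DLL host binary.
SUSPICIOUS_TASK_NAMES = {"captureservice"}
APPDATA_DLL = re.compile(r'(%APPDATA%|\\AppData\\Roaming\\)[^\s"]*\.dll', re.I)
DLL_HOSTS = re.compile(r"(^|\\)(rundll32|regsvr32)(\.exe)?$", re.I)

def assess_task(task_name: str, task_xml: str) -> list[str]:
    """Return the reasons a created scheduled task resembles Oyster persistence."""
    reasons = []
    if task_name.strip("\\").lower() in SUSPICIOUS_TASK_NAMES:
        reasons.append(f"known task name {task_name}")
    root = ET.fromstring(task_xml)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if DLL_HOSTS.search(cmd) and APPDATA_DLL.search(args):
            reasons.append(f"roaming-profile DLL via {cmd}: {args}")
    return reasons

def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map each event's TaskName to its findings (empty list means clean)."""
    return {e["TaskName"]: assess_task(e["TaskName"], e["TaskContent"]) for e in events}

# Constructed samples shaped like the TaskName/TaskContent fields of Security
# event 4698 (scheduled task created); not real captures.
SAMPLE_EVENTS = [
    {"TaskName": "\\CaptureService",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Windows\\System32\\rundll32.exe</Command>
  <Arguments>C:\\Users\\alice\\AppData\\Roaming\\updater.dll,Start</Arguments></Exec></Actions></Task>"""},
    {"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "TaskContent": """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>%systemroot%\\system32\\usoclient.exe</Command>
  <Arguments>StartScan</Arguments></Exec></Actions></Task>"""},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_EVENTS).items():
        print(name, "->", findings or "clean")
```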
This campaign is part of a broader pattern in which cybercriminals weaponize trusted software brands to compromise users at the initial access stage. The approach mirrors earlier operations involving trojanized installers for tools like PuTTY, WinSCP, and Google Chrome. By leveraging malvertising and SEO poisoning, adversaries capitalize on the credibility of search engines and recognizable enterprise applications to reach a wide pool of potential victims.
What makes this threat particularly worrisome is its connection to ransomware operations. The Oyster backdoor has been associated with groups deploying the Rhysida ransomware, suggesting that these fake installers may serve as an entry point for larger, more destructive attacks.
This evolution marks a strategic shift among threat actors, from relying solely on phishing emails to contaminating the software supply chain at the user-download level. The campaign’s stealth capabilities allow it to evade many traditional antivirus and endpoint detection tools, reinforcing the need for proactive defense strategies.
To minimize exposure, cybersecurity professionals and end users alike should ensure software is downloaded only from verified vendor sources. Bookmarking official download pages and avoiding search engine ads, particularly those labeled as sponsored, can help reduce risk. Above all, maintaining awareness and promoting user education remain crucial in countering this new generation of socially engineered malware campaigns.
- Calling All Influencers: Spear-Phishers Dangle Tesla, Red Bull Jobs
Cybercriminals are once again refining their social engineering tactics, this time by preying on job seekers through highly targeted spear-phishing campaigns that impersonate well-known global brands. Recent investigations by the Cofense Phishing Defense Center reveal that attackers are masquerading as recruiters from companies such as Tesla, Red Bull, and Ferrari to convince professionals to share personal information and upload résumés, data that can later be weaponized in identity theft or future cyberattacks.
Since February, Cofense researchers have tracked this ongoing campaign, which uses convincing branding and domain spoofing to slip past email security filters and earn the trust of recipients. Unlike traditional phishing messages that rely on urgency, these emails employ a subtler psychological approach, reassuring potential victims that there is “no pressure at all” to apply. This deliberate tone shift helps lower skepticism and creates an illusion of authenticity.
The fraudulent emails are carefully crafted to resemble legitimate job offers, complete with brand logos, realistic job descriptions, and links tailored to the company name. For example, phishing messages impersonating Red Bull direct recipients to a URL that includes the brand name in the subdomain. Victims are then guided through what appears to be a normal job application process, including CAPTCHA verification and a fake Glassdoor page. Once there, users are prompted to sign in with email or Facebook credentials, both methods designed to harvest sensitive login information.
In a troubling evolution of the campaign, attackers now request that applicants upload their résumés. This addition strengthens the illusion of legitimacy while providing cybercriminals with a trove of personally identifiable information (PII) such as names, contact details, and career histories that can be exploited in later social engineering attempts.
Variants of this same campaign targeting Tesla and Ferrari job seekers follow a nearly identical structure but redirect victims to a counterfeit Facebook login portal. The attackers’ objective remains consistent: gather credentials and detailed personal data under the guise of a professional recruitment process.
Job-related phishing remains a persistent and effective strategy for attackers. Over the years, similar scams have targeted a range of professionals, from HR specialists to software developers. North Korean threat actors, in particular, have gained notoriety for exploiting the hiring process, at times posing as recruiters or even being hired into real companies to infiltrate networks from within.
Cofense has shared a set of indicators of compromise (IoCs) to help organizations detect and block this campaign. Security professionals and job seekers alike should remain vigilant: unsolicited offers, even those that appear to come from reputable brands, warrant careful scrutiny. As a rule, legitimate recruitment communications will never require login credentials or personal documents through unverified links. In an age where opportunity can be faked with a few clicks, skepticism remains one of the most valuable defenses.
- DraftKings Hinders Credential Stuffing Attack, but Urges Password Reset and MFA
The American sports betting giant DraftKings has once again found itself the target of a credential stuffing campaign, an increasingly common cyber threat that exploits reused or compromised passwords from prior data breaches.
On September 2nd, 2025, DraftKings identified unauthorized activity affecting a number of customer accounts. According to the company, attackers used login details stolen from external sources to gain access. DraftKings quickly launched an internal investigation and confirmed that its systems were not directly breached, nor was there evidence of exposure involving highly sensitive data such as government identification numbers or complete financial records.
In a notice to affected customers, the company explained that a limited amount of user information may have been accessed. This data included contact details, dates of birth, partial payment card numbers, and account-related information such as balances and transaction history. The company emphasized that attackers were able to access certain accounts only by using credentials stolen elsewhere, not by breaching DraftKings’ own infrastructure.
As part of its response, DraftKings took immediate containment measures. These included resetting passwords for impacted users, enforcing multi-factor authentication for certain services, and introducing additional technical defenses to reduce the likelihood of similar attacks in the future. Customers were also urged to update passwords and remain vigilant against suspicious account activity.
This is not the first time the company has faced such an incident. In late 2022, DraftKings reported that around 68,000 accounts had been affected by a similar credential stuffing operation. A subsequent investigation led to the arrest of U.S. teenager Joseph Garrison, who later pled guilty in 2023 and received an 18-month prison sentence in early 2024.
The recurring nature of these attacks underscores a growing issue across the online gambling industry—and beyond. As long as users continue to recycle passwords across multiple platforms, cybercriminals will exploit that weakness. DraftKings’ swift response and transparency serve as a reminder of the importance of proactive cybersecurity measures, both by companies and their users.
- LockBit, Qilin, and DragonForce Join Forces to Dominate the Ransomware Ecosystem
A new alliance among three of the most notorious ransomware groups, DragonForce, LockBit, and Qilin, has reignited concerns about the evolving sophistication of the global ransomware ecosystem. According to a recent report by ReliaQuest, the coalition reflects a deliberate move by these financially motivated threat actors to coordinate more effective and wide-reaching ransomware campaigns.
This partnership was announced shortly after LockBit’s return to the cybercrime arena and is expected to enable the groups to pool their resources, tactics, and infrastructure. ReliaQuest’s Q3 2025 Ransomware Report suggests that this collaboration could help LockBit rebuild its tarnished reputation following its 2024 takedown, potentially spurring a new wave of attacks across critical infrastructure and industries that were once considered lower risk.
Qilin’s involvement in this alliance comes as little surprise. The group has been particularly active in recent months, claiming over 200 victims in Q3 2025 alone. ZeroFox reports that Qilin has disproportionately targeted North American organizations since late 2024, with its operational tempo accelerating into 2025.
LockBit’s resurgence is marked by the emergence of LockBit 5.0, a new variant capable of targeting Windows, Linux, and ESXi environments. First promoted on the RAMP darknet forum on September 3rd, 2025, coinciding with the sixth anniversary of LockBit’s affiliate program, the upgrade underscores the group’s determination to reestablish dominance. Despite suffering a major setback during the 2024 “Cronos” law enforcement operation, which dismantled its infrastructure and led to several arrests, LockBit appears to be regaining momentum. At its height, the syndicate is estimated to have attacked more than 2,500 victims worldwide and extorted over $500 million in ransom payments.
Analysts warn that if LockBit succeeds in restoring trust among its affiliates, it could once again emerge as a leading ransomware threat, driven not only by profit but also by retaliation against law enforcement. The timing of this alliance is notable, coinciding with reports that Scattered Spider, another well-known threat actor, is preparing to launch its own ransomware-as-a-service (RaaS) platform, dubbed ShinySp1d3r. This would make it the first major English-speaking collective to operate a RaaS program.
ReliaQuest’s latest tracking reveals that the number of active data leak sites has surged to 81, up from 51 in early 2024. The professional, scientific, and technical services sector remains the most frequently targeted, accounting for over 375 victims, followed closely by industries such as manufacturing, healthcare, finance, education, and retail.
A striking shift in geographic targeting has also been observed. While the U.S., Germany, the U.K., Canada, and Italy remain prime targets, ransomware groups are increasingly expanding operations into countries like Egypt, Thailand, and Colombia to sidestep law enforcement pressure in traditional hotspots.
ZeroFox’s data indicates a total of at least 1,429 ransomware and digital extortion incidents in Q3 2025, a decrease from 1,961 in Q1, but the impact remains significant. Qilin, Akira, INC Ransom, Play, and SafePay collectively accounted for nearly half of all global incidents across Q2 and Q3.
Experts suggest that the heavy focus on North American organizations may stem from both geopolitical sentiment and the region’s extensive digital infrastructure. With widespread adoption of cloud services and IoT technologies, North American entities present lucrative, accessible targets for these increasingly collaborative ransomware operations.